The regulation, adopted on 22 March 2005, is aimed at tightening information systems security across the European Union's 25 member states. Paying agencies associated with the European Agricultural Guidance and Guarantee Fund (EAGGF) are now required to select either COBIT, ISO Standard 17799 or the Bundesamt für Sicherheit in der Informationstechnik IT-Grundschutzhandbuch/IT Baseline Protection Manual (BSI) as the basis for their information systems security. "This regulation is a strong step toward greatly improved information systems security throughout the EU," said Georges Ataya, a member of the IT Governance Institute (ITGI) Steering Committee and a professor at the Solvay Business School in Brussels. "All organizations, whether in the public or private sector, should follow international standards to protect their customers, constituents, employees, vendors and other stakeholders. COBIT has been used by the Directorate General of Agriculture since 2001, when we were given the opportunity to train the teams that audit operations related to nearly half of the EU's total budget (approximately EUR 98 billion for 2004)."
The EU regulation directs that one of the three standards must be used retroactively from 16 October 2004. From financial year 2008, starting 16 October 2007, auditors must provide a statement on the security measures in place based on the chosen standard.
During the period 2004-2007, the annual auditors' reports are required to include a score for each domain of the chosen standard based on a maturity model developed directly from COBIT's Generic Process Maturity Model. Even if a member state chooses one of the other two standards, the auditor still needs to use the COBIT-based maturity model as part of the reporting mechanism.
COBIT® (Control Objectives for Information and related Technology), issued by the IT Governance Institute (ITGI) and now in its third edition, is internationally accepted as good practice for control over information, IT and related risks. COBIT is used to implement governance over IT and improve controls. COBIT can be downloaded free of charge from www.isaca.org.
The IT Governance Institute was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's IT. ITGI offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Source: Publictechnology, 06.05.2005
