COBIT
Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a framework of information technology control objectives intended to ensure that technology is properly governed and that IT maps to, and supports, business processes. COBIT is process oriented but IT driven: it focuses on the success of business processes through the proper use of IT resources.
COBIT has been used mainly by the IT audit and control community; in 1998 Management Guidelines were added, which expanded its relevance to broader business needs. It contains four domains, 34 processes, 318 control objectives and close to 1,600 control practices. The four domains are groupings of processes that map to the following organizational responsibilities:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring
For example, the Planning and Organization domain groups the following processes:
- Define a strategic IT plan
- Define the information architecture
- Determine the technological direction
- Define the IT organisation and relationships
- Manage the IT investment
- Communicate management aims and direction
- Manage human resources
- Ensure compliance with external requirements
- Assess risks
- Manage projects
- Manage quality
It is considered a true framework for IT governance and is in its fourth edition. The main goal of COBIT is to meet business needs through processes that use IT resources in a controllable and measurable manner. To judge whether a process delivers the information the business needs, COBIT defines a set of information criteria (the basis for its key performance indicators) against which each identified process is evaluated:
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
ITIL
Although ITIL was not asked about, it is an important component when comparing and contrasting current industry best practices. The Information Technology Infrastructure Library is considered the de facto standard for IT service management and concentrates on how to provide consistent, documented and repeatable IT processes to ensure quality of service.
None of these frameworks competes with the others; in fact, they work best when used together. Although they may seem to overlap at first, each has a distinct scope, with its own pros and cons:
- ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
- ITIL focuses on IT service processes, not on security
- COBIT focuses on controls and metrics, with less emphasis on security specifically
So a combination of all three is usually the best approach. COBIT can be used to determine whether the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to assess and improve the company's security posture. And ITIL can be used to improve IT processes so that they meet the company's goals (including security).
Resources:
Good places to start for COBIT:
http://www.isaca.org/Template.cfm?Section=COBIT6&CONTENTID=22368&TEMPLATE=/ContentManagement/ContentDisplay.cfm
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
ISO 17799:
http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
http://www.gammassl.co.uk/bs7799/works.html
Information Technology Infrastructure Library (ITIL):
http://www.itil.co.uk/
http://www.ogc.gov.uk/index.asp?id=2261
This was first published in November 2005 as part of the series "Security Management Strategies for the CIO".