
How BS7799 and COBIT differ, part two

23 Nov 2005


Continued from part one

COBIT

Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a framework that outlines information technology control objectives to ensure that technology is properly governed and that it maps to and supports business processes. COBIT is process-oriented but IT-driven, which means that it focuses on the success of business processes through the proper use of IT resources.

COBIT has been used mainly by the IT industry; in 1998 the Management Guidelines were added, which expanded its relevance and use to today's business needs. It contains four domains, 34 processes, 318 control objectives and close to 1,600 control practices. The four domains are groupings of processes that map to the following organizational responsibilities:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring

Each domain has a list of processes that should be followed. For example, under the Planning and Organization domain the following processes are provided:

  • Define a strategic IT plan
  • Define the information architecture
  • Determine the technological direction
  • Define the IT organisation and relationships
  • Manage the IT investment
  • Communicate management aims and direction
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage projects
  • Manage quality

The IT resources addressed in COBIT are data, application systems, technology, facilities and people. COBIT provides performance metrics to measure control effectiveness, necessary success factors for each IT process, and maturity models to allow for clear lines of continual improvement.

It is considered a true framework for IT governance and is in its fourth edition. The main goal of COBIT is to meet business needs through processes that use IT resources in a controllable and measurable manner. It provides a set of criteria, expressed as key performance indicators (KPI), to evaluate the success of identified processes:

  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance

Information Technology Infrastructure Library (ITIL)

Although this framework was not asked about, it is an important component when comparing and contrasting current industry best practices. It is considered the de facto standard for IT service management and concentrates on how to provide consistent, documented and repeatable processes to ensure quality.

None of these frameworks competes with the others; in fact, they are best used together. Although they may at first seem to overlap, they have distinct differences, pros and cons:

  • ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
  • ITIL focuses on IT processes, not on security
  • COBIT focuses on controls and metrics, not as much on security

So a combination of all three is usually the best approach. COBIT can be used to determine whether the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to determine and improve upon the company's security posture. And ITIL can be used to improve IT processes so that they meet the company's goals (including security).

Resources:

Good places to start for COBIT:
http://www.isaca.org/Template.cfm?Section=COBIT6&CONTENTID=22368&TEMPLATE=/ContentManagement/ContentDisplay.cfm
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

ISO 17799:
http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
http://www.gammassl.co.uk/bs7799/works.html

Information Technology Infrastructure Library (ITIL):
http://www.itil.co.uk/
http://www.ogc.gov.uk/index.asp?id=2261
