
4/10/2012 02:32 AM

Are Today's Risk Management Frameworks Antiquated?

Five ways ISACA is updating its compliance framework, COBIT, to keep up with business and risk demands

It has been 16 years since ISACA blazed a trail with its first incarnation of the COBIT IT governance framework, and a decade since Sarbanes-Oxley catapulted it into the limelight as a reliable way to develop IT governance and management programs that could keep organizations compliant.

A lot has changed in the intervening years -- not just with the mounting number of regulations organizations seek to comply with, but also with how firmly enmeshed IT has become within everyday business processes. Though ISACA has shepherded COBIT through numerous refreshes in the past, the organization knows that the time has come: COBIT is due for a reboot.

[Whether it is through a framework or not, tying together compliance initiatives must be done to maintain your sanity and valuable dollars. See Unifying Compliance Initiatives To Make Budgets Last.]

According to Robert Stroud, member of ISACA's Strategic Advisory Council and of the ISACA Framework Committee, ISACA this week delivers on an overhaul of the framework that's two years in the making.

"What we've gone and done is basically not just refresh the framework, but we took a complete look at it again to make sure it is relevant and applicable to become a business framework for the governance and management of enterprise IT," says Stroud, who is also vice president of strategy and innovation and a service management and governance evangelist for CA Technologies. "So we've taken a top-down approach to the governance from the business right down through all the capability that IT will often need to deliver through technology, process, people, culture, and aspects like that."

In anticipation of the launch, Dark Reading spoke with Stroud, who discussed five main ways ISACA is rewriting the rules for the GRC rule-makers. According to him, the changes make COBIT 5 more robust, reliable, and repeatable as a process capability assessment method than its predecessors.

1. IT-Enabled Business Processes
The driving force behind the revamp of COBIT was to join IT governance and risk management with business governance and risk management, Stroud says.

"Instead of just being an IT governance framework, we've moved upscale in reflection to the industry," he explains. "It's now a business framework for the governance and management of the enterprise. That's the fundamental difference."

As a result, it better delineates business stakeholder involvement and responsibility in the use of IT. More importantly, it's designed to make it easier to fold in both business and IT activities for more holistic development of best practices that reflect the enterprise-wide nature of IT use.

In order to accomplish the goal of creating this business framework, ISACA merged three of its existing process reference models -- COBIT, ValIT, and RiskIT -- under the COBIT umbrella.

"We've effectively built this framework to help people understand what the right top-down business processes you want to put in place are so that you can govern your business and enable IT effectively," Stroud says.

2. Governance And Management Phases Split
ISACA further remodeled the foundation of COBIT by distinguishing between the governance and management of business and IT.

"Where we've differentiated from previous versions is really through separated governance and management so that COBIT recognizes them as different phases," Stroud says. "First there's the governance phase that will involve following an evaluate, direct, monitor model. And at the lower level there's a management framework so you can instrument management processes that are logical and practical."

According to Stroud, ISACA built the new COBIT like most organizations build their security policy or risk management policy: on principles rather than specific rules.

"We've become a principle-based framework rather than setting 'Thou shalt' rules," he says. "That's the way of practical management these days."

3. Value-Based Decisions
Not only is the new framework principle-based, it's also value-based.

"We acknowledge value up front. And I just don't mean return on investments. We're talking about a real value realization phase when any major enterprise initiative is developed," Stroud says. "You're going to understand and articulate what the value is, otherwise the organization wouldn't invest in it. We've driven that top-down linkage of business value so that IT can understand what it is and then use the management framework to represent that back."

COBIT 5 now does that by including requirements in the governance part of the framework that mandate organizations perform benefits identification for new projects, whether they're designed for innovation, security, or compliance.

Taking compliance as an example, an organization would state one of the major benefits as the opportunity to operate for a stretch without paying fines or penalties, Stroud says.

"If you articulate that upfront in a value proposition, you can quickly do an estimation of the fines and penalties you are avoiding by effective execution of the framework. I think that's the thinking that IT and the business need to inherit," he says. "If you logically do that analysis then you can get to a situation where you can actually do a risk assessment and say 'Well, if the fine is 10 cents, do I care?' The answer is yes if there's a billion of them."

4. New Process For Enterprise Architecture
Stroud says that as the ISACA committee worked on COBIT 5, one of the important items on the radar was continuing the commitment to helping organizations develop processes that would feed into their compliance objectives.

That meant not only including compliance framework components in the governance phase, but also reworking the management phase to mesh with the compliance processes of the future. This meant adding a new process for enterprise architecture.

"In forward-thinking enterprises now, compliance requirements are going to be part of their enterprise architecture. They're making them part of the company DNA. It becomes far more a part of business-as-usual rather than an exception to the process," he says. "We've now enshrined a process for going through and ensuring that you've got a lot of those metrics consistently being collected for the organization and alerted back up to management so they can make sound decisions and understand when compliance boundaries have been exceeded."

5. Collaborative And Customizable Content
Created in a time before Internet ubiquity, much less social media and blogs, COBIT is changing dramatically, not just in its content but also in how it is delivered. According to Stroud, the release of materials this week is just the start of the effort to roll out COBIT and keep it fresh in the coming years. Enterprises with ISACA members should expect to be able to lean on a new COBIT online collaborative effort that will allow individuals to customize content for their needs and connect with their peers.

"It won't matter what your role is -- you'll be able to take a view of the online repository and effectively generate your own COBIT output based on your role, your function, and what business problem you're trying to solve," Stroud says. "We're getting modern. We've got this great community of over 100,000 ISACA members worldwide, and we absolutely want to leverage that community, to drive through not just the way they choose content, but really drive the development we do going forward."
