4/10/2012
02:32 AM
Are Today's Risk Management Frameworks Antiquated?

Five ways ISACA is updating its compliance framework, COBIT, to keep up with business and risk demands

It has been 16 years since ISACA blazed a trail with its first incarnation of the COBIT IT governance framework, and a decade since Sarbanes-Oxley catapulted it into the limelight as a reliable way to develop IT governance and management programs that could keep organizations compliant.

A lot has changed in the intervening years -- not just with the mounting number of regulations organizations seek to comply with, but also with how firmly enmeshed IT has become within everyday business processes. Though ISACA has shepherded COBIT through numerous refreshes in the past, the organization knows that the time has come: COBIT is due for a reboot.

[Whether it is through a framework or not, tying together compliance initiatives must be done to maintain your sanity and valuable dollars. See Unifying Compliance Initiatives To Make Budgets Last.]

According to Robert Stroud, member of ISACA's Strategic Advisory Council and of the ISACA Framework Committee, ISACA this week delivers on an overhaul of the framework that's two years in the making.

"What we've gone and done is basically not just refresh the framework, but we took a complete look at it again to make sure it is relevant and applicable to become a business framework for the governance and management of enterprise IT," says Stroud, who is also vice president of strategy and innovation and a service management and governance evangelist for CA Technologies. "So we've taken a top-down approach to the governance from the business right down through all the capability that IT will often need to deliver through technology, process, people, culture, and aspects like that."

In anticipation of the launch, Dark Reading spoke with Stroud, who discussed five main ways ISACA is rewriting the rules for the GRC rule-makers. According to him, the changes make COBIT 5 more robust, reliable, and repeatable as a process capability assessment method than its predecessors.

1. IT-Enabled Business Processes
The driving force behind the revamp of COBIT was to join IT governance and risk management with business governance and risk management, Stroud says.

"Instead of just being an IT governance framework, we've moved upscale in reflection to the industry," he explains. "It's now a business framework for the governance and management of the enterprise. That's the fundamental difference."

As a result, it better delineates business stakeholder involvement and responsibility in the use of IT. More importantly, it's designed to make it easier to fold in both business and IT activities for more holistic development of best practices that reflect the enterprise-wide nature of IT use.

In order to accomplish the goal of creating this business framework, ISACA merged three of its existing process reference models -- COBIT, ValIT, and RiskIT -- under the COBIT umbrella.

"We've effectively built this framework to help people understand what the right top-down business processes you want to put in place are so that you can govern your business and enable IT effectively," Stroud says.

2. Governance And Management Phases Split
ISACA further remodeled the foundation of COBIT by distinguishing between the governance and management of business and IT.

"Where we've differentiated from previous versions is really through separated governance and management so that COBIT recognizes them as different phases," Stroud says. "First there's the governance phase that will involve following an evaluate, direct, monitor model. And at the lower level there's a management framework so you can instrument management processes that are logical and practical."

According to Stroud, ISACA built the new COBIT like most organizations build their security policy or risk management policy: on principles rather than specific rules.

"We've become a principle-based framework rather than setting 'Thou shalt' rules," he says. "That's the way of practical management these days."

3. Value-Based Decisions
Not only is the new framework principle-based, it's also value-based.

"We acknowledge value up front. And I just don't mean return on investments. We're talking about a real value realization phase when any major enterprise initiative is developed," Stroud says. "You're going to understand and articulate what the value is, otherwise the organization wouldn't invest in it. We've driven that top-down linkage of business value so that IT can understand what it is and then use the management framework to represent that back."

COBIT 5 now does that by including requirements in the governance part of the framework that mandate organizations perform benefits identification for new projects, whether they're designed for innovation, security, or compliance.

Taking compliance as an example, an organization would state one of the major benefits as the opportunity to go a stretch of time without paying fines or penalties, Stroud says.

"If you articulate that upfront in a value-proposition, you can quickly do an estimation of the fines and penalties you are avoiding by effective execution of the framework. I think that's the thinking that IT and the business needs to inherit," he says. "If you logically do that analysis then you can get to a situation where you can actually do a risk assessment and say 'Well, if the fine is 10 cents, do I care?' The answer is yes if there's a billion of them."

4. New Process For Enterprise Architecture
Stroud says that as the ISACA committee worked on COBIT 5, one of the important items on the radar was continuing the commitment to helping organizations develop processes that would feed into their compliance objectives.

That meant not only including compliance framework components in the governance phase, but also reworking the management phase to mesh with the compliance processes of the future, which led to the addition of a new process for enterprise architecture.

"In forward-thinking enterprises now, compliance requirements are going to be part of their enterprise architecture. They're making them part of the company DNA. It becomes far more a part of business-as-usual rather than an exception to the process," he says. "We've now enshrined a process for going through and ensuring that you've got a lot of those metrics consistently being collected for the organization and alerted back up to management so they can make sound decisions and understand when compliance boundaries have been exceeded."

5. Collaborative And Customizable Content
Created in a time before Internet ubiquity, much less social media and blogs, COBIT is changing dramatically, not just in its content but also in how it is delivered. According to Stroud, the release of materials this week is just the start of the effort to roll out COBIT and keep it fresh in the coming years. Enterprises with ISACA members should expect to be able to lean on a new COBIT online collaborative effort that will allow individuals to customize content for their needs and connect with their peers.

"It won't matter what your role is -- you'll be able to take a view of the online repository and effectively generate your own COBIT output based on your role, your function, and what business problem you're trying to solve," Stroud says. "We're getting modern. We've got this great community of over 100,000 ISACA members worldwide, and we absolutely want to leverage that community, to drive through not just the way they choose content, but really drive the development we do going forward."
