
Are Today's Risk Management Frameworks Antiquated?

Five ways ISACA is updating its compliance framework, COBIT, to keep up with business and risk demands

It has been 16 years since ISACA blazed a trail with its first incarnation of the COBIT IT governance framework, and a decade since Sarbanes-Oxley catapulted it into the limelight as a reliable way to develop IT governance and management programs that could keep organizations compliant.

A lot has changed in the intervening years -- not just with the mounting number of regulations organizations seek to comply with, but also with how firmly enmeshed IT has become within everyday business processes. Though ISACA has shepherded COBIT through numerous refreshes in the past, the organization knows that the time has come: COBIT is due for a reboot.

[Whether it is through a framework or not, tying together compliance initiatives must be done to maintain your sanity and valuable dollars. See Unifying Compliance Initiatives To Make Budgets Last.]

According to Robert Stroud, member of ISACA's Strategic Advisory Council and of the ISACA Framework Committee, ISACA this week delivers on an overhaul of the framework that's two years in the making.

"What we've gone and done is basically not just refresh the framework, but we took a complete look at it again to make sure it is relevant and applicable to become a business framework for the governance and management of enterprise IT," says Stroud, who is also vice president of strategy and innovation and a service management and governance evangelist for CA Technologies. "So we've taken a top-down approach to the governance from the business right down through all the capability that IT will often need to deliver through technology, process, people, culture, and aspects like that."

In anticipation of the launch, Dark Reading spoke with Stroud, who discussed five main ways ISACA is rewriting the rules for the GRC rule-makers. According to him, the changes make COBIT 5 more robust, reliable, and repeatable as a process capability assessment method than its predecessors.

1. IT-Enabled Business Processes
The driving force behind the revamp of COBIT was to join IT governance and risk management with business governance and risk management, Stroud says.

"Instead of just being an IT governance framework, we've moved upscale in reflection to the industry," he explains. "It's now a business framework for the governance and management of the enterprise. That's the fundamental difference."

As a result, it better delineates business stakeholder involvement and responsibility in the use of IT. More importantly, it's designed to make it easier to fold in both business and IT activities for more holistic development of best practices that reflect the enterprise-wide nature of IT use.

In order to accomplish the goal of creating this business framework, ISACA merged three of its existing process reference models -- COBIT, ValIT, and RiskIT -- under the COBIT umbrella.

"We've effectively built this framework to help people understand what the right top-down business processes you want to put in place are so that you can govern your business and enable IT effectively," Stroud says.

2. Governance And Management Phases Split
ISACA further remodeled the foundation of COBIT by distinguishing between the governance and management of business and IT.

"Where we've differentiated from previous versions is really through separated governance and management so that COBIT recognizes them as different phases," Stroud says. "First there's the governance phase that will involve following an evaluate, direct, monitor model. And at the lower level there's a management framework so you can instrument management processes that are logical and practical."

According to Stroud, ISACA built the new COBIT like most organizations build their security policy or risk management policy: on principles rather than specific rules.

"We've become a principle-based framework rather than setting 'Thou shalt' rules," he says. "That's the way of practical management these days."

3. Value-Based Decisions
Not only is the new framework principle-based, it's also value-based.

"We acknowledge value up front. And I just don't mean return on investments. We're talking about a real value realization phase when any major enterprise initiative is developed," Stroud says. "You're going to understand and articulate what the value is, otherwise the organization wouldn't invest in it. We've driven that top-down linkage of business value so that IT can understand what it is and then use the management framework to represent that back."

COBIT 5 now does that by including requirements in the governance part of the framework that mandate benefits identification for new projects, whether they are designed for innovation, security, or compliance.

Taking compliance as an example, an organization would state one of the major benefits as the opportunity to operate for a period without paying fines or penalties, Stroud says.

"If you articulate that upfront in a value-proposition, you can quickly do an estimation of the fines and penalties you are avoiding by effective execution of the framework. I think that's the thinking that IT and the business needs to inherit," he says. "If you logically do that analysis then you can get to a situation where you can actually do a risk assessment and say 'Well, if the fine is 10 cents, do I care?' The answer is yes if there's a billion of them."

4. New Process For Enterprise Architecture
Stroud says that as the ISACA committee worked on COBIT 5, one of the important items on the radar was continuing the commitment to helping organizations develop processes that would feed into their compliance objectives.

That meant not only including compliance framework components in the governance phase, but also reworking the management phase to mesh with the compliance processes of the future. This meant adding a new process for enterprise architecture.

"In forward-thinking enterprises now, compliance requirements are going to be part of their enterprise architecture. They're making them part of the company DNA. It becomes far more a part of business-as-usual rather than an exception to the process," he says. "We've now enshrined a process for going through and ensuring that you've got a lot of those metrics consistently being collected for the organization and alerted back up to management so they can make sound decisions and understand when compliance boundaries have been exceeded."

5. Collaborative And Customizable Content
Created in a time before Internet ubiquity, much less social media and blogs, COBIT is changing dramatically, not just in its content but also in how it is delivered. According to Stroud, the release of materials this week is just the start of the effort to roll out COBIT and keep it fresh in the coming years. Enterprises with ISACA members should expect to be able to lean on a new COBIT online collaborative effort that will allow individuals to customize content for their needs and connect with their peers.

"It won't matter what your role is -- you'll be able to take a view of the online repository and effectively generate your own COBIT output based on your role, your function, and what business problem you're trying to solve," Stroud says. "We're getting modern. We've got this great community of over 100,000 ISACA members worldwide, and we absolutely want to leverage that community, to drive through not just the way they choose content, but really drive the development we do going forward."
