Wednesday, May 31, 2006

Aligning IT Control Frameworks:

CobiT, ISO17799 and ITIL


Executive Summary

Organizations are adopting best-practice policies to govern their IT departments at an ever-growing rate. However, if this is done piecemeal or haphazardly, more harm than good can result. And if the organization faces regulatory compliance, there is a very real risk that it will fail the audit even after a large investment of time and money. The purpose of this, the third paper in the series, is to give the IT manager a practical guide to implementing Security Frameworks. For this paper we assume that management has chosen CobiT as the IT Control Framework and ITIL or ISO17799 (individually or together) as the Security Methodologies. This paper takes those decisions and shows how to implement them together: what happens “when the rubber hits the road”.


Introduction

Executive management has decided on CobiT as the IT Control Framework for the organization. Perhaps they have even chosen a Security Methodology, like ITIL or ISO17799 (being renumbered ISO/IEC 27002 within the ISO 27000 series; the certifiable management-system standard is ISO/IEC 27001). Or perhaps they have simply “delegated” the responsibility of making CobiT work. Either way there is no need for concern. This paper will take you step by step through the process of implementing Security Methodologies within CobiT.

Contrary to what many so-called “experts” in this field say, CobiT is an IT Control Framework, not a security methodology. As such, it deals with large, enterprise-wide areas. It maps business processes to IT and overlays a structure for how IT can better support the overall organization. But CobiT does not actually provide the Security Methodology component necessary for implementation. For this we need ITIL and ISO17799. There are other methodologies that try to address the entire spectrum of IT security, but these two fit together well and provide a very tight security implementation.

Why ISO17799 and ITIL together?

Probably the first question on your mind is, “Do I have to implement two Security Methodologies? Isn’t there one that does the same thing?” The simple answers are: “yes” and “no”.

The more in-depth answers to these questions cut right to the heart of the current IT Control Framework / Security Methodology quagmire. There are currently over a dozen (perhaps as many as 20) different Frameworks and Methodologies. They come from all over the world, from government agencies and from private organizations, with varying degrees of maturity, implementation and market acceptance. And of course there is a LOT of overlap. After all, best practices are best practices regardless of whose Framework they are included in. But no single Security Methodology covers all the possible problem areas within IT; the best available today cover roughly 70 – 75% of IT security issues. Whether by conscious omission, or because of the length of the revision cycle, most of the Methodologies don’t even mention malware, rootkits or any of the other latest security scourges. This is why a combination of two complementary Methodologies provides the best implementation option currently available. Choosing ISO17799 and ITIL brings the added benefits of:
• wide international acceptance and adoption
• auditability
• certification
• complete IT coverage
• frequent revisions to the Methodologies
• available training
• easy mapping to regulatory audits (especially SOX)
• mature methodologies
• consulting firms with experience in these standards
• a vast quantity of published information

ITIL and ISO17799 are not as odd a pairing as you might at first believe. Both standards owe their origins to agencies of the British Government: ISO17799 was BS7799, and ITIL was developed by the CCTA and underpins the service-management standard BS15000 (now ISO/IEC 20000). While ISO17799 deals with best practices for information security, there are some noticeable holes in its coverage. For example, ISO17799 offers no method to monitor or report on the CobiT Control Objective PO9.1 (Business Risk Assessment). All told, there are 46 CobiT Control Objectives that are not handled by ISO17799 alone but which are covered by ITIL. The major areas of weakness in ISO17799 happen to be the strengths of ITIL, namely IT service delivery and support.

ITIL (the Information Technology Infrastructure Library), as the name implies, has a vast number of books, publications and articles in its library. While the sheer size of the library may at first seem daunting, each ITIL service delivery process is divided into its own category with its own associated publications. The title “Introduction to ITIL” currently sells for about US$65 (the price fluctuates with the exchange rate to the British Pound). Titles in other disciplines are more expensive, but none appears to be outrageously priced. There is also a new category called “ITIL - Small Scale Implementation”, written and released in January 2006. This publication (also available for US$65) provides an “adapted ITIL approach to delivering an improved service, using all aspects of the guidance tailored to the smaller implementation.”

Acceptance of ITIL in the United States has lagged behind the rest of the world. However, this situation is changing quickly. A study by Evergreen Systems of over 100 attendees at the 9th Annual International IT Service Management Conference in 2005 found 75% of respondents planning to spend money on ITIL implementation within the next six months. Many enterprises in the US see ITIL simply as a method to improve Help Desk services and bring them into compliance with CobiT controls. ITIL can of course be applied to a specific area like the help desk. However, ITIL is a much more full-featured and robust framework, with over eight areas devoted to improving IT service management. Service modules such as ICT Infrastructure Management, Application Management, Security Management, Software Asset Management and Business Perspective give ITIL a very broad coverage area.

In order to implement a Security Methodology within an organization that has already settled on its Control Framework, some "customization" must be done. In our particular case we will be customizing two methodologies, with most of the "tailoring" done to ITIL, solely because it is more flexible than ISO17799.

Implementation and Customization


Begin your implementation of the Security Framework by reading, and taking appropriate notes on, the ISO17799 standard. Because each organization is different, the various sections of ISO17799 will apply differently. Some sections may not apply at all, while others may be overflowing with appropriate recommendations. While the ISO document is far from the most difficult technical document that IT managers are likely to read, a company called Praxiom has taken the ISO standard and "simplified" it. Their website even offers a sample document complete with a checklist and start/finish dates. While this approach might not appeal to every IT manager, we like it for shops that are over-worked and under-staffed, because it eliminates several steps that would otherwise have to be performed by staff members.

Once
numly esn 76270-060531-679833-46


© 2006 All Rights Reserved.
