Wednesday, May 24, 2006

Business Frameworks and Regulatory Standards


“The good thing about standards is that there are so many to choose from.” A. Tanenbaum



Introduction


You breathe a sigh of relief as the audit team finally leaves your facility. Your organization has just gone through a regulatory compliance audit. Regardless of the particular regulation (HIPAA, SOX, GLBA, Basel II, etc.), all audits are disruptions to normal business operations. The mere presence of a dozen or so strangers walking around the organization is enough to distract workers. And then the truly intrusive part begins: the auditors go through page after page of interview questions with your staff; they pore over the financial information; and a team of computer auditors inspects all aspects of the data processing system.

You may be wondering if there is a way to turn this annual regulatory necessity into a positive experience. Can the impact on staff performance and productivity be lessened? Is there a way to prepare your organization so that future audits proceed more smoothly? Is there a way that these audits could give your company a competitive advantage?

The answer to all these questions is: YES. If you are asking these questions you are in very good company. The majority of large corporations are already using regulatory compliance as a motivator to improve business processes within their organizations. The Gartner Group states that fully 70% of Fortune 500 companies will have implemented some type of Corporate Program Management (CPM) by the end of this year. Additionally, over 64% of private companies are using SOX guidelines as a catalyst for change even though they are exempt from the regulation. Of the three major benefits that accrue to companies with a strong, ongoing approach to SOX reviews, we will address the last: accelerating revenue growth through streamlined business practices.

Streamlining business processes

Opportunities for change exist in every corner of every enterprise. But the area with the biggest potential for progress is almost always the IT Department. In most mature organizations Information Management grew organically from humble beginnings, perhaps from the adding machines of the accounting department or even from the equipment maintenance department that used to take care of the typewriters. “It's always been done that way” is a common saying in IT departments even though the process being performed may be obsolete or redundant (is there really a need to fill out paperwork in triplicate in the age of email, electronic requisitions and internet connections to vendors?). Not surprisingly, most of the business frameworks deal with the IT Department and attempt to impose order onto a mostly chaotic realm.

Solutions fall into two large and difficult-to-define categories: Security Methodologies and Business Frameworks. As this paper is being written, there are 3 major business frameworks for IT Governance, 14 Security Methodologies, and numerous others, with a great deal of overlap among them all. In the next section we will attempt to provide an overview of the major players in this field and some of the strengths and weaknesses of each.


Business Frameworks

Executives can easily find themselves confused by the myriad of products that bill themselves as “Security Frameworks”. What we will attempt to do is distill the essence of the most popular solutions into an easy-to-understand comparison. And to start the process let us define our terms. Regardless of the verbiage used in their own product literature, we will endeavor to provide a common language for all the products (ISO27001, for instance, defines itself as a framework that “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks”). In plain English, we have divided the field into 2 large overlapping categories: Security Methodologies and Business Frameworks.

Business Frameworks are the smallest field as far as the number of qualifying products, but also the most “nebulous”. By their very nature, they attempt to be all things to all users. Business Frameworks attempt to provide a general, overarching structure to an entire organization, including business processes and risk management, as well as providing IT governance and controls. If we use the analogy of building a skyscraper, then Business Frameworks are the steel skeleton. All the weight of the building, the floors, walls, windows, and of course tenants, will be carried by that skeleton. While all buildings have certain traits in common, there also exist a large number of differences. A building that is suitable for a hospital would not be appropriate for a high-rise office structure. And here you begin to see the inherent problem with these overarching frameworks: it is a daunting task to design a “one size fits all” approach to business processes. Of course the best frameworks have methods to “customize” their solutions, and of these the most commonly adopted is CobiT.

CobiT is currently the market leader in the US primarily because of the Sarbanes-Oxley Act. When the law passed in 2002, publicly traded companies scrambled to put business frameworks into place and began to search for a framework that organized IT. CobiT was the choice that most decided upon. Subsequently, auditors and increasing numbers of Executives are befriending CobiT. The strength of the standard is its very general framework, which gives organizations a certain flexibility in implementation. CobiT also happens to be the standard that most SOX auditors are familiar with, and this factor alone may be enough for a business to choose CobiT.

There does exist a large and formidable competitor to CobiT, however. The Information Security Foundation (ISF) claims that it “is the world's leading independent authority on information security” and that “50% of Fortune 100 companies” utilize their framework. While the CobiT standard is a “maturity model”, ISF instead focuses on “best practices”. ISF members have invested $75 million over 16 years to develop this standard to the point where it is today. They have additionally adopted and used the better parts of other standards, including ISO17799 and CobiT. And with the weight of multi-national corporations such as Alcatel, BASF, Boeing, British Airways, ING, KPMG, Procter & Gamble, Verizon, Volvo (and many others) behind it, this standard may gain traction among smaller companies.

Of course, there exist many other standards out there, ranging from very specific IT security practices to overarching enterprise frameworks. Certain specific industries have already more or less settled upon a standard: software development companies have CMMI; financial institutions have FFIEC; manufacturers have ISO9000; US government entities have the very extensive NIST standards; computer service entities use ITIL; and on and on. There are also a few other general Business Framework models that we include for the sake of completeness.

OCTAVE is a new standard from the Software Engineering Institute (SEI) of Carnegie Mellon. The same folks that created CMMI and CERT have launched a new Business Methodology based on Best Practices. The standard is brand new, which cuts both ways. On the plus side is the fact that OCTAVE takes into consideration factors that weren't even on the horizon 2 years ago when the last revisions of the other standards were written. However, with the number of standards increasing almost daily, organizations may be hesitant to adopt a standard that may not be supported in a few years.

And of course the elephant in the room that we have ignored until now is COSO. The grand-daddy of Business Frameworks is COSO (also sometimes referred to as the “Treadway Committee”). The organization was founded in 1985 in response to problems of fraudulent financial reporting at public corporations. Although COSO predates Sarbanes-Oxley legislation by at least a decade, it wasn't until the legislation's full adoption that COSO gained its current stature. Before SOX became law, accounting compliance had been loosely governed by GAAP and a company's auditors had final approval. Enron, Worldcom and Global Crossing were the result of these voluntary standards. IT compliance and auditing did not exist. COSO provides an all-encompassing, enterprise-wide framework that reaches into all departments and divisions of an organization. And even though there exists a good deal of overlap in standards and policies, CobiT fits nicely within the overarching COSO framework.


SUMMARY

In order to assist you in your choice of a Business Framework, we have provided these thumbnail outlines of the three major competitors in this field: CobiT, COSO and ISF.

CobiT

Pros:
- Good alignment with business processes
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities of processes based on “ownership”
- Commonly accepted and recognized among third parties, regulators and auditors
- Fulfillment of COSO requirements for the IT control environment (34 IT Processes)
- Shared understanding among all stakeholders based upon a common set of terms

Cons:
- Costly: one survey found that adoption costs can run to 17% of total IT budget
- Framework requires additional security controls to “plug in”
- Framework difficult to read
- Dates between releases can be very long: 5 years between CobiT 3.0 and CobiT 4.0
- Framework must be “adapted” to each individual organization


COSO

Pros:
- Very mature product, originally founded in 1985
- Broadest and most “all encompassing” standard; includes all enterprise departments
- Industry recognized and accepted enterprise risk management
- The only product in this space (perhaps Six Sigma could be considered a rival)

Cons:
- Current version over 2 years old: released in Sept 2004
- “All encompassing” requires much “customizing”
- Very expensive and time consuming to implement
- Membership is costly and the amount of free documentation is very limited


ISF

Pros:
- Very thorough standard
- Easy to read, understand and implement
- Backed by 50% of the Fortune 100
- Latest release is the newest of any of those reviewed here (Jan 2005)
- Framework is provided FREE
- Has over $75 million and 16 years of time invested into making the standard the best it can be

Cons:
- Aimed at VERY large organizations
- Membership in ISF is very limited and for organizations only (no individuals allowed)
- Lacks “traction” with smaller, non-global organizations
- Is not as commonly accepted among auditors as CobiT
- Has no method of certification


Which business process model you decide on ultimately depends on your individual organization, regulatory compliance requirements (if any) and a host of other factors. The good news about this process is that all three of the Business Frameworks in this paper have a lot of overlap (best practices are, after all, best practices). And after your organization fully implements a Framework, along with the necessary IT controls, you will be able to turn the regulatory compliance process into a business advantage.


For guidance on choosing an IT Control Framework, see the next paper in this series, entitled "IT Controls: Which Standard?"




© 2006 All Rights Reserved.