CISSPills #3.02
DOMAIN 3: Information Security Governance and Risk Management

Upload: pierluigi-falcone

Post on 27-Nov-2014


DESCRIPTION

CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be another companion for self-paced students. Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that make up the CISSP. IN THIS ISSUE: Domain 3: Information Security Governance and Risk Management - Security and Audit Frameworks and Methodologies - COSO - CobiT - Frameworks Relationship - ITIL - ISO/IEC 27000 Series

TRANSCRIPT

Page 1: CISSPills #3.02

DOMAIN 3: Information Security Governance and Risk Management

Page 2: Table of Contents

- Security and Audit Frameworks and Methodologies
- COSO
- CobiT
- Frameworks Relationship
- ITIL
- ISO/IEC 27000 Series

Page 3: Security and Audit Frameworks and Methodologies

Many frameworks and methodologies have been developed to support security, auditing and risk assessment of the security controls an organization has implemented. These resources help during the design and testing of a Security Program (ISMS) (see CISSPills #3.01).

Some of these frameworks, even though they were not originally intended for Information Security, have proved to be valuable tools for security professionals and were consequently adopted in that context.

Page 4: COSO

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed this framework in 1985.

COSO is a corporate governance model that deals with non-IT topics, such as board of director responsibilities, internal communications, etc. It is focused on fraudulent financial reporting and provides companies, auditors, the SEC and other regulators with recommendations for addressing financial reporting and disclosure objectives.

The Sarbanes-Oxley Act (SOX) is a U.S. federal law that sets new or enhanced standards for the accuracy of a public company's financial information, as well as the penalties for fraudulent financial activities.

SOX is based on the COSO model, so companies have to follow this model in order to be SOX-compliant.

Page 5: CobiT

The Control Objectives for Information and related Technology (CobiT) is a control-based framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). CobiT is derived from the COSO framework and deals with IT governance.

The main goal of the framework is to provide process owners with a toolset for the governance and management of Enterprise IT, so that IT maps to business needs.

IT Governance enables an organization to:

- Achieve strategic goals and realize business benefits through the effective use of IT;
- Achieve operational excellence through reliable and efficient application of technology;
- Maintain IT-related risk at an acceptable level;
- Optimize the cost of IT services and technology;
- Support compliance with relevant laws, regulations and policies.

Page 6: CobiT (cont’d)

CobiT provides a toolset containing:

- A set of generic processes to manage IT;
- A set of tools related to those processes (controls, metrics, analytical tools and maturity models);

and makes it possible to accomplish the following:

- Link IT goals with business requirements;
- Arrange the IT function according to a generally accepted process model;
- Define the control objectives;
- Provide a maturity model to measure achievements;
- Define measurable goals based on Balanced Scorecard principles.

Page 7: CobiT (cont’d)

CobiT is made up of the following components:

- Framework: IT governance objectives and good practices, arranged by IT domains and processes and linked to business requirements;
- Processes: a set of generally accepted processes into which the IT function can be split. CobiT defines 34 processes, each of them belonging to one of the 4 domains into which CobiT divides IT: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate;
- Control objectives: a set of objectives, arranged by process, that the chosen controls (e.g. account management) have to meet;
- Management guidelines: resources that help assign responsibility, agree on objectives, measure performance and illustrate the interrelationships with other processes;
- Maturity models: tools to assess maturity and capability per process and to help address gaps.

Page 8: Frameworks Relationship

The slide is a diagram of the three frameworks and the arrows connecting them:

- SOX (Federal Law)
- COSO (Corporate Governance): used to comply with SOX
- CobiT (IT Governance): mapped by ITGI with COSO; also used to comply with SOX

Page 9: ITIL

The Information Technology Infrastructure Library (ITIL) is the most widely used framework for IT Service Management. It is based on best practices and makes it possible to:

- Identify
- Plan
- Deliver
- Support

the IT services the business relies on.

ITIL was developed because of the ever-increasing dependency between IT and business.

Page 10: ITIL (cont’d)

A service is something that provides “value” to customers (internal or external). One example is the payroll service, which depends on an IT infrastructure (storage, DBs, etc.). ITIL handles services in a holistic fashion, so that the IT architecture is also taken into account. This kind of approach makes it possible to consider every aspect of a service and to assure proper service levels.

Services must be aligned with the business and have to sustain its fundamental processes. ITIL helps organizations use IT to ease the changes, transformations and growth of the business.

Page 11: ISO/IEC 27000 Series

The ISO/IEC 27000 series (formerly known as BS7799) is a set of standards that outlines how to develop and maintain an ISMS. Its goal is to help organizations manage centrally the security controls deployed throughout the enterprise. Without an ISMS, controls are implemented individually and don’t follow a holistic approach.

The series is split into several standards, each of them addressing a specific requirement (e.g. 27033-1 - network security, 27035 - incident management handling, etc.).

ISO/IEC 27001:2005 is the standard organizations have to follow (and are assessed against) if they want their ISMS to adhere to ISO 27001. Being compliant means that the organization has put in place an effective ISMS able to assure the security of information from several standpoints (physical, logical, organizational, etc.) and the reduction and/or prevention of threats.

Page 12: ISO/IEC 27000 Series (cont’d)

This framework relies on PDCA (Plan-Do-Check-Act), a four-step iterative cycle that allows continuous improvement of the process: the results of a step feed the next one, with each cycle leading closer to the goal.

- Plan: establish goals and plans;
- Do: implement the plans identified in the previous step;
- Check: measure the results in order to understand whether the objectives are met;
- Act: determine where to apply changes in order to achieve improvements.

Page 13: That’s all Folks!

We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.

For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> gmail <dot> com

More resources:

- Stay tuned for the next issues;
- Join ”CISSP Study Group Italia” if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me at