Download - Cobit for Iso27000
System Integrity Toronto, Ontario
30 Nov 2006/ Page [email protected]
COBIT for ISO27001 Users
Concepts, Myths and Misconceptions
Anton J Aylward, CISSP, CISA
COBIT is not ISO27000
What they have in common
  Based on Experience
  Continuous Refinement
  Committee to make 'general'
How they differ
  Audit is not implementation
  There's more to IT than ISMS
  There's more to audit than IT!
  COBIT is more than an ISMS
  Quick side-by-side
The Fourth Annual Canadian ISO17799/ISO17001 Conference
How they differ
Audit is not implementation
There's more to IT than ISMS
There's more to audit than IT!
COBIT is different from an ISMS
Quick side-by-side
  Goals
  Paradigm
  Maturity levels
  InfoSec Paradigm
  Organization Model
  Inputs
  Outputs
  Certifiable
Goals
CobIT: Many. Strategic Alignment, IT Resource Management & Optimizations, Governance, Performance Measurement "Dashboard", Compliance, budgeting, reporting ... Identification of Processes, Value Delivery. Oh, and Risk Management - at many levels.
ISO27001: “Absolute” Security?
"Security" can easily end up as managing by FUD, especially when dealing with absolutes - yes/no.
Granularity makes for better management,
Paradigm
CobIT: IT Process Based
ISO27001: Focus on Security Controls
"Process Based" is aligned with ISO9000 and ITIL
Controls and Process can be audited by testing
Controls don't have a defined output. Processes do.
Processes can be controlled and measured in terms of their I/O
A (malfunctioning) control produces no output to tell what is wrong with it
Maturity Levels
CobIT: Five
ISO27001: None (or just one)
"Process Based" is aligned with ISO9000 and ITIL
ISO27001 is a selective "Do everything or Do Nothing". This has economic implications as well as management implications.
Granularity and maturity levels can show progress, ROI, justify further investment; audit process supplies this management focus
Does ISO27001 need maturity Levels if the audit supplies it?
Infosec Paradigm
CobIT:
1. Corporate Values
2. CIA + Effectiveness + Efficiency + Compliance + Reliability/Robustness
3. Errors & Omissions, Accidents, Attacks (not just infosec)
ISO27001:
4. ISMS
5. CIA
6. Attacks
Organisational Model
CobIT: All stakeholders. All RACI Entities (Responsible, Accountable, Consulted, Informed). Board, executive, operations, procurement, support, development, audit, security (including GGGD)
ISO27001: Management / non-management
Granularity and specific responsibilities and inputs
Inputs
CobIT: Most CobIT processes have inputs from other processes
ISO27001: No
Outputs
CobIT: CobIT metrics (KPIs etc) are based on defined outputs that are measurable and which makes managing the relevant processes possible
ISO27001: No
Certifiable?
CobIT: No
ISO27001: Yes
ISO-17799 -- “Code of Practice”
ISO-27001 -- Standard
CobIT -- Methodology
CobIT Documentation
What is an Audit?
Uh Oh! Audit Time!
Everyone be on their best behaviour
Types of Audit
Financial
Compliance
  against 'self defined' requirements
  against outside requirements
  by internal audit
  by external auditors
Risk
  Scope?
  Types of Risk
    Business
    Technological
Financial ?
Remember: These are all different!
Financial Risk
Security Risk
Business Risk
InfoSec Risk
Value of COBIT
On the face of it, only TWO of the 34 top level COBIT control objectives map to security.
PO9 - Assess and manage IT Risks
DS5 - Ensure Systems Security
In reality:
a) these take input from and supply output to many other processes
b) there are many of the 318 second-level control objectives that supply input to the security processes
Value of COBIT. Continue.
See also "Aligning COBIT, ITIL and ISO 17799 for Business Benefit" http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=22490
Process Oriented
Business Processes Driven in terms of Business Outcomes
Four Domains
  Like the Deming/Shewhart Cycle
  Plan & Organize
  Acquire and Implement
  Deliver and Support
  Monitor and Evaluate
Business Processes
Driven in terms of Business Outcomes
Deming Cycle - at all levels
Four Domains
Plan & Organize
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives.
Finally, a proper organisation as well as technological domain infrastructure should be put in place.
Plan & Organize...
This typically addresses the following management questions:
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
Acquire and Implement
To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives.
Acquire and Implement...
This domain typically addresses the following management questions:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
Deliver and Support
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and the operational facilities.
Deliver and Support...
It typically addresses the following management questions:
Are IT services being delivered in line with business priorities?
Are IT costs optimised?
Is the workforce able to use the IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
Monitor and Evaluate
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and providing governance.
Monitor and Evaluate...
It typically addresses the following management questions:
Is IT's performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked back to business goals?
Are risk, control, compliance and performance measured and reported?
Control Based
Ownership & Responsibility
  Data
  Processes
    Including inputs
Business Controls vs IT Controls
  Consistent
  Consistent Results
  Efficient and Effective
Measurement Driven
Maturity Model
  Consistent Benchmarking
  Measure Improvement
  Identify Areas of Concern
  Dimensions of Maturity
Performance Goals
  Capabilities not absolutes
  Key Goal Indicators
  Key Performance Indicators
  Activity Goals
  Key Indicators
Dimensions of Maturity
Misconceptions
About the Role of Audit
Only Two?
  PO9
    PO9 Inputs
    PO9 Outputs
    PO9 RACI
  DS5
    DS5 Inputs
    DS5 Outputs
    DS5 RACI
    DS5 Relationship Between Goals and Metrics
Pez will go into details about ITIL
Only Two?
That doesn’t seem right
PO9
PO9 Inputs
PO9 Outputs
PO9 RACI
PO9 Inputs
PO9 Outputs
PO9 RACI
DS5
DS5 Inputs
DS5 Outputs
DS5 RACI
DS5 Relationship Between Goals and Metrics
DS5 Inputs
DS5 Outputs
DS5 RACI
DS5 Relationship between Goals and Metrics
More Information on COBIT
■ ISACA
  Information Systems Audit and Control Association
  http://www.isaca.org/cobit/
  COBIT-Online
■ ITGI
  IT Governance Institute
  http://www.itgi.org/
  Case Studies, Best Practices, … more ...
Pez will go into details about ITIL
Contact Information
Anton J Aylward, CISSP [email protected]
http://www.si.on.ca P: (416) 497-0201 C: (416) 509 9649
Blog: InfoSecBlog.antonaylward.com
“Security is not something that comes in a self-contained box. It requires a conscientious and continuous commitment that permeates every aspect of your enterprise and strategies. It is about understanding risks and managing them”