Page 163 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Unit 11: Security Models & Frameworks and Methodologies for Information System Security
framework has been developed and widely adopted by the Big N audit firms as a solution to most IT audit, compliance, and control "problems."
The framework offers maturity models, critical success factors, key goal indicators, and key performance indicators, all for use in governing Information and related Technology. Additionally, COBIT defines control objectives and audit guidelines to support its implementation. These practice statements go into enough detail to instruct an IT or audit practitioner in how best to execute the framework.
At the core of COBIT is a repeating cycle that revolves around "Information" and "IT Resources." The four stages (or domains, in COBIT's terminology) of the cycle are "Planning & Organization," "Acquisition & Implementation," "Delivery & Support," and "Monitoring." The cycle begins with "Information," which is tied to COBIT and to "IT Resources," and then proceeds to P&O, which leads to A&I, which leads to D&S, which leads to Monitoring. Each of the four domains defines detailed, specific practices for execution.
COBIT is best summarized by this process-flow statement: "The control of IT Processes which convince Business Requirements is enabled by Control Statements allowing for Control Practices."
At its best, COBIT is a very methodical framework for defining, implementing, and reviewing IT controls. For audit organizations, whether internal or external, that are hoping to get their hands around the often demanding task of assuring that effective controls are in place on key systems ("financially significant" in SOX vocabulary), COBIT is precisely what the doctor ordered.
Unfortunately, COBIT can be a very confusing framework for information security practitioners. To begin with, COBIT is not an information security framework. It is an IT controls framework, of which information security represents one (1) practice out of 34. Moreover, implementing COBIT within an organization means dedicating an extraordinarily large amount of resources to the task. In this day and age of shrinking operational budgets, increasing threats, and limited capacity, it is not realistic to expect that an organization can readily implement all of COBIT.
Furthermore, there is no clear security advantage for an organization in implementing COBIT. Information security, being a holistic problem that must be addressed at all levels of an organization, is not IT-specific.
As such, any overall framework implemented to improve the information security posture of an organization needs to address those different levels, and not be bound tightly to a single focus (IT). If one were to listen to the leadership of public accounting firms, one might think that COBIT was the best solution for solving security problems.
What one should bear in mind, however, is that COBIT was produced by the Big N audit firms, for the Big N audit firms. Deploying COBIT across an organization offers the audit firms the added advantage of being able to reduce the total hours spent on an annual audit, thereby reducing the personnel investment required and optimizing the profitability of the engagement. Whether or not the organization being audited will see any cost savings from implementing COBIT is debatable. And, in the end, the organization will not have addressed information security, but instead the auditability of its IT resources.
COBIT (Control Objectives for Information and Related Technology) is an international open standard that defines requirements for the control and security of sensitive data and provides a reference framework. COBIT was produced in the 1990s by the IT Governance Institute.
LOVELY PROFESSIONAL UNIVERSITY 157