Within the world of risk management for IT, much has been said lately about governance, risk and compliance and the need for a GRC "framework." The truth is that there is nothing new about any of this, but we live in a world that loves to continue to put new ribbons on old packages. Nevertheless, when it comes to IT governance, much can be said for a structured, methodical approach to managing risk, and in that context a GRC framework...
may be helpful under the right circumstances. The purpose of this tip is to attempt to demystify some of the so-called frameworks available and discuss where each might be useful or appropriate.
If we are going to talk about IT governance, risk and compliance, we need to clarify a little bit about what this means. While GRC may be the fleeting buzzword of the day, what we're really talking about here is managing risk, not just controls. This is where some frameworks often come up short, with a heavy emphasis on internal controls but not necessar... ily a balanced look at the underlying risks as well as the ultimate strength of those controls. Therefore, a good GRC program means the coordination of many people and processes, which is where a risk management framework can at times be helpful.
Framework is quite possibly the most abused word in history. Anybody who has built anything from a checklist to a protocol calls what they have a framework, which has rendered the term virtually useless. The vast majority of so-called "frameworks" available today are little more than standards. What is just as important as whether a framework is utilized is whether or not the organization has a mechanism to actually assess risk. A control is only relevant within a risk context, and if you don't have a clear understanding of the inherent risks (the "why" of a control), it is impossible to determine whether the control is effective. Because every organization is unique, there is no such thing as a "one-size-fits-all" framework.
But love them or hate them, the reality is that the larger and more complex an organization becomes, the more valuable a framework can be, as long as one is used appropriately. Remember, framework is just another word for a structured approach to common sense -- a frame in which you build a program. In the end, it is the program that brings value, not the framework itself.
In this article we will look briefly at seven different tools, some that are true GRC frameworks and some that are simply standards. In part one we will examine COSO, COBIT (and Risk IT and Val IT) and ITIL. In part two, we will look at MOF, ISO 2700x, PCI DSS and NISTSP800-53.
For most of this article, will provide an overview of the standard or framework, and then notes on the strengths, weaknesses, applicability and some other related comments.
COSO: The Committee of Sponsoring Organizations of the Treadway Commission ("Treadway" referring to James C. Treadway, the original committee chairman) was formed in 1985 to focus on systems of controls around fraudulent financial reporting. The COSO framework is the leading risk management framework with an emphasis on control effectiveness, efficiency of operations, reliable financial reporting and compliance with applicable laws and regulations. The COSO framework is enterprise-wide and is, therefore, well beyond the boundaries of IT governance. However, it is worth mentioning here because many of the IT-specific frameworks and standards were designed with integration into the COSO framework in mind.
COBIT: When it comes to IT governance, the current gold standard in risk frameworks is unquestionably COBIT, or Control Objectives for Information and Related Technology. COBIT is owned and published by the IT Governance Institute (ITGA) a nonprofit research entity created by ISACA in 1998. COBIT comprises 34 high-level control objectives within four specific domains:
- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate
First released in 1996, COBIT is often perceived as merely an audit framework. However, if implemented correctly, it can serve as an effective risk management framework.
- COBIT is arguably the most widely used IT governance framework available today.
- It is an essential tool for companies seeking compliance with the Sarbanes-Oxley Act (SOX) .
- It integrates fairly easily (although not perfectly) with COSO and the ISO standards.
- It is very inexpensive and is available to all ISACA members.
- COBIT implementation requires a significant amount of time and effort, and maintenance can be burdensome.
- The framework is not strong on information security, which must be supplemented with other standards like ISO 27002.
- Like many standards and frameworks, COBIT provides a great deal of "what" to do, without a lot of information on "how" to do it.
- Any organization with a large IT department (although smaller organizations can certainly use the "spirit" of the framework) .
- Organizations with formalized processes or high-risk environments.
- Any organization seeking SOX compliance.
- ISACA provides mapping documents to many other major standards and frameworks.
ISACA also has two related products, Val IT and Risk IT, which integrate with COBIT. Val IT is focused on governance related to IT investments, and is therefore helpful in strategic planning. Risk IT, as the name implies, is designed to address in more detail the risks associated with information technology.
More information can be found at ISACA.org.
ITIL: The IT Infrastructure Library (ITIL) was published in the early 1980s by the U.K.'s Office of Government Commerce, and is primarily focused on the service aspects of IT. ITIL is generally considered a set of "best practices" and not a GRC framework, but it's still heavily utilized in the United States. The library consists of core books covering services strategy, service design, service transition, service operation and continual service improvement.
- Provides strong guidance in the service aspect of IT, which is significant since IT is designed to support the business units.
- There is an ITIL certification process.
- The standard provides good support for the "availability" aspect of IT governance.
- The ITIL Small Scale Implementation version is available for smaller organizations.
- ITIL is not a governance framework and addresses only part of IT governance.
- Has been referred to as "uneven."
- Does not address enterprise architecture.
- Midsized to large companies with large IT departments.
- Organizations with formalized processes or high-risk environments.
- Industries in which availability of IT services are critical (e.g., financial services, health care, energy, etc.).
- The five books cost approximately $1,000.
- Related training can run $10,000 or more.
- There are additional costs for related ITIL-compatible tracking software.
- ITIL is not all or nothing -- parts can be implemented.
More information can be found at www.itil-officialsite.com.
Learn more in part two, "What MOF, ISO 2700x and PCI DSS can mean for your compliance strategy."
Eric Holmquist is president of Holmquist Advisory LLC, which provides consulting to the financial services industry in risk management, operations, IT, information security and business continuity planning. Contact him at firstname.lastname@example.org.