In part one of this look at GRC frameworks, we examined COSO, COBIT and ITIL. In the second part of this tip we will look at MOF, ISO 2700x, PCI DSS and NIST SP800-53.
Not to miss an opportunity, Microsoft has entered the IT governance arena with its Microsoft Operations Framework. MOF is designed to closely integrate with the IT Infrastructure Library (ITIL) and is targeted at smaller organizations. It is grounded in integrating governance, risk and compliance and is focused on the entire IT lifecycle, which cannot be said for many of the other standards and frameworks. While MOF is not a true framework, it does try to provide guidance in aligning IT with the business.
- MOF is provided free.
- It does contain a very logical, intuitive approach.
- MOF is not comprehensive enough for larger, more complex organizations.
- It is heavily focused on Windows-based companies.
- It does not address risk assessment, a critical component for any GRC framework.
- Smaller organizations that choose not to implement a larger framework.
- While it is not yet a true IT governance framework, it may evolve into one over time.
- Microsoft does provide cross-reference materials to ITIL and the Control Objectives for Information and related Technology (COBIT).
For more information, go to the Microsoft Operations Framework page.
Originally created in 2000 (first as the British standard BS 7799 and then the American standard ISO 17799) and subsequently updated in 2005 and 2007, the standards in the 2700x series are very strong tools for information security. ISO 27002 is a standard, not a framework, and is built on the three pillars of confidentiality, availability and integrity. Essentially, this is a checklist for information security controls, and one of the best available. This document can be found in the roots of most other information security guidance, particularly in the banking industry.
- It's a very strong standard and should be part of any information security officer's standard toolkit.
- It correctly uses a risk-based approach to prioritize activities.
- It has a strong emphasis on the security policy.
- It contains very good, practical data control strategies.
- The standard is very technology-centric and requires a larger governance framework so that information security is managed as a business issue, not a technology issue.
- The addition of availability and integrity does cloud the information security aspects, but these are risks as well and should be managed as part of a data governance strategy.
- All organizations with confidential information systems.
- It costs less than $200 for 27002 and $300 for 27002 and 27001 (implementation guide).
- Because it is so comprehensive, organizations need to be careful to not just go through the checklist and say "that's all there is."
For more information, go to ANSI's standards store.
The Payment Card Industry Data Security Standard (PCI DSS), like ISO 27002, is a certification standard, not a framework. It was developed as a supplement to other standards to address controls related to handling cardholder data and third parties. However, despite the specific industry focus, most of the elements translate easily into any security environment. Because the standard is free, it is worth downloading and using as one additional tool to evaluate security controls and awareness.
- No cost to download.
- Contains good data control strategies.
- Provides a reasonable self-assessment, although many parts are painfully elementary.
- It does not provide a risk governance structure.
- It has been described as a "minimum" set of security standards.
- It is a very high-level standard, with very few specifics on risks or controls.
- The language for validating third parties is very ambiguous.
- Companies that originate, gather, store, process or transmit cardholder data.
- Other organizations that need a secondary standard to help validate their information security programs.
- Encourages a "checklist" approach to information security, rather than sound, comprehensive governance.
For more information, go to the PCI Security Standards Council.
Also worth mentioning is NIST SP800-53 from the National Institute of Standards and Technology, a set of security controls for federal information systems and organizations; compliance is required for all federal information systems other than those designated as national security systems. Like ISO 27002, it is focused on confidentiality, availability and integrity, but it comes closer to being a framework than ISO does. NIST is not widely used in general commerce, but it is free to download and, like PCI, may be worth reviewing.
Overall, for a pure IT governance framework, COBIT remains the dominant choice among most organizations. However, much can be learned from these other standards for evaluating and testing the IT governance program. It is important to remember that GRC is about managing risk, not just controls, which means creating awareness of risk, building accountability to manage those risks and creating systems designed to take action when things inevitably go wrong.
Before implementing any IT standard or framework, ask three questions:
- Why do you need one? What are you trying to accomplish?
- Will your culture support it?
- Could it be that you are already using a "framework" of sorts if you are effectively identifying and mitigating risk to within acceptable tolerance levels?
Remember: Never implement a framework purely for the sake of a framework. Do so only with clear objectives and with the intent of building better means to identify and manage risk.
Eric Holmquist is president of Holmquist Advisory LLC, which provides consulting to the financial services industry in risk management, operations, IT, information security and business continuity planning. Contact him at firstname.lastname@example.org.
This was first published in March 2010