In delivering IT security consulting services to large enterprises in Australia, particularly in the health care, utility and large government sectors, Information Systems Group has used the International Organization for Standardization (ISO) standards extensively, for example ISO 27001 for security and ISO 20000 for IT service management. In advising clients on the best way to apply the standards, the question that has consistently arisen is, “How far does the application of these standards need to be taken?”
The ISO standards are good in that they apply a consistent and internationally agreed-upon definition; however, the Information Systems Group wanted a way to be able to describe to its clients how far they should take the application of the detailed controls within these standards. The ISO standards tend to be binary in their application; enterprises either comply, or do not comply, with the detailed control-level statements. The ISO standards are also not good at linking the application of these controls back to a business-focused framework that can answer “Why?” at a level that a business executive can understand and support.
The consultancy undertook an engagement to evaluate the quality of its client’s implementation of ISO 27001. In this case, IT represented approximately 100 staff members out of a workforce of 2,500, so IT initially adopted a pragmatic approach to the application of the standards, which left quite a few gaps when benchmarked against a rigorous technical application of the ISO 27001 standard.
Following the review, the consultancy was asked how it would address these gaps and why doing so would deliver benefits to the enterprise. ISO 27001 pertains to the domain of security, and while it is important, it is only one of many areas that a modern business needs to address. The client had identified that it also wanted to address the Information Technology Infrastructure Library (ITIL), and it had an existing access control initiative that had good sponsorship. Last, the client’s internal audit division used COBIT and was a significant sponsor for the implementation of ISO 27001. Accordingly, there was a desire to understand how all of these competing initiatives could work together practically.
To address this challenge, the consultancy determined that an important step would be to obtain an assessment of the current state of IT governance using a nontechnical, business-focused measuring stick that was independent of the various competing control frameworks that it had been asked to integrate. After some discussion within the consulting business, it was agreed that the COBIT governance framework would be used with the associated process assessment techniques to create a maturity model as that measuring stick. This initiative began in 2009 and extended through to 2011, with implementation extending beyond 2011 through to the end of 2012. Thus, the framework development was based on COBIT 4.1, as COBIT 5 was released in April 2012. Since this case example, COBIT 5 has been released and offers an optimized approach to coordinate various standards.
In the case at hand, a series of executive briefings that set out the implementation program was developed and, through a sequence of discussions, formulated an approach that the client felt would deliver benefits for its business. A project manager from the business was engaged to work with the consultant’s team of four to scope out, in detail, the tasks and deliverables to be developed.
The decision was made to start with information security, in order to understand the various implementation models that were commonly in use. Many of these models were quite detailed and addressed security with respect to the requirements of technology, usually leading to very expensive programs of work for implementing security that were technology-focused, rather than business-focused.
Other models had also been used, including limiting the scope to individual sensitive business units or defining the scope in terms of the business processes of the enterprise.
Upon sharing these models with the client, it was discovered that the enterprise’s appetite for security aligned with the process-centric view. However, the consultancy needed a way to push down security into business units and address device-level security. At this point, the consultancy looked to ITIL for some guidance and began to think of security as a process within ITIL.
The consultancy developed the IT governance model shown in figure 1 to describe the theoretical underpinnings of the approach. The model starts with the COBIT 4.1 Maturity Attribute Table¹ and finishes with COBIT 4.1 using the RACI (Responsible, Accountable, Consulted and Informed) controls embedment process. In between these two COBIT techniques, the consultancy implemented the control framework for ISO 27001 and relevant parts of ITIL to deliver an operational information security system, as shown in figure 2.
Figure 1—Information Security Model
Figure 2—Information Security Program Architecture
The integration of the IT governance maturity model, COBIT 4.1, ISO 27001 and ITIL was achieved at a process level within the standards and frameworks rather than at a control objective level. Key ITIL processes for change management and release management were mapped into the ISO 27001 process model and then presented within a conventional EPM program management structure for ongoing reporting and management. Every security concept, construct or device type that had a change dimension associated with it was identified within this model using a concept similar to the 20 SANS Critical Security Controls² process. Finally, all changes were traced back into the ITIL configuration management system (CMS or CMDB) to maintain traceability of the key configuration items related to security.
Because the system started and ended with COBIT, the consultancy effectively employed COBIT as a “container” or “wrapper” to allow it to integrate and enforce various competing standards within the enterprise/client. The consultancy found this to be a much more constructive approach than trying to reconcile standards at a detailed control level. Information security at a business-unit level is centered around and enforced by using information security agreements (similar to operating level agreements [OLAs] in ITIL), but using content from ISO 27001. The information security management system (ISMS) enforces the information security agreements with business unit managers, which in turn drives the application of detailed security controls and evidence collection. In this way, the detailed activities of information security are devolved to managers, rather than managed centrally within a management system.
This use of COBIT to coordinate various standards is optimized within COBIT 5. Refer to the COBIT 5 Principles within COBIT 5 for Information Security³. This client’s plan in the revision of the implemented frameworks is that the COBIT 5 framework will be used to introduce new concepts for management of information security as set forth in COBIT 5 for Information Security.
One of the main advantages of this top-down approach to designing the IT governance initiatives is that it permits the organization to tackle the detailed controls embedment process in a measured way and ensure that it is aligned to the risk appetite of the business. With the overall ISMS in place, controls and supporting education programs can be added at a rate that the business can absorb.
Currently, one of the main challenges limiting the use and implementation of an ISMS is the inability to integrate multiple programs across the enterprise systems. With systems for ITIL service management becoming more widespread, the capability to automate the IT side of information security systems is now readily available to organizations.
On the business controls side, project and program management (PPM) and governance, risk and control (GRC) software linked to enterprise workflow solutions provide a platform for managing the rollout of information security programs and the regular review and reporting of controls and evidence collection. A typical program component view is shown in figure 3. The security forum is the body that reviews reporting from the ISMS and directs the focus of the initiatives to manage all aspects of the organization’s security posture and response to information security threats.
Figure 3—Information Security Program Elements
For this client, the consultancy undertook a detailed design of the operational ISMS and a specification was developed for implementation. The solution was built in a document management system, housing the detailed policies and a calendar for establishing the program of reviews, training and reporting.
This was an initial starting point for this client given that other ISO systems used this system as well. In the consultancy’s experience, the ISMS can be built on top of detailed ITIL or application life cycle management (ALM) systems and integrated using a dashboard reporting tool similar to those available with enterprise tools, such as SAP or Oracle enterprise resource planning (ERP) applications, PPM tools, or enterprise document management (EDM) tools. All these tools usually incorporate enterprise workflow technologies that permit linkages into ITIL or ALM technologies and permit activities to be assigned and allocated to personnel within the enterprise.
The strength of the COBIT framework is its business focus and its pragmatic tools for aligning policy down to detailed controls embedment. By utilizing COBIT, the company was able to provide answers to the questions of how and why organizations should protect information within the enterprise, aligning the cost of controls to the perceived risk at a business process level rather than basing it on technical controls.
This case study has been developed based on a real client situation in Australia. The name of the organization and some other identifying information have been removed. All material is either owned by Information Systems Group Pty Limited or used with permission.
John Frisken, CA, is an application development specialist with a distinguished career in both professional practice with Ernst & Young and, subsequently, as founder and owner of the Information Systems Group. Since establishing ISG in 1996, Frisken has overseen the development of ISG’s services through delivery of complex applications leveraging advanced messaging and secure platform technologies in NSW Health and Toyota Motor Corporation. He is currently the director, professional services for ISGroup, an international systems integration and applications development company headquartered in Sydney, New South Wales, Australia.
¹ IT Governance Institute, COBIT 4.1, USA, 2007
² SANS, Critical Security Controls, Version 5
³ ISACA, COBIT 5 for Information Security, USA, 2012