Managing IT in Clinical Environments

Raef Meeuwisse

Working in healthcare technology is about as exciting as IT gets. Between the rapid evolution in healthcare technology and the increase in cyber threats, there has never been a sector with a greater need to balance effective governance with lean but agile delivery of new technologies.

You might have noticed that most of us now carry or wear devices capable of accurately measuring our physical activity, heart rate, blood oxygen levels and more. Most of us wear these for fun or to help promote a healthier lifestyle. However, have you ever stopped to consider the consequences if critical technologies in clinical environments were not functioning or became unavailable when they were needed?

Just how much care has to go into designing, developing and delivering a modern pacemaker? How robust does a pharmacy software system need to be to help ensure that nobody is given the wrong prescription due to the technology?

Managing information technology in clinical environments is somewhat different to other environments because the consequences of errors can be much greater. It may seem overly dramatic to state that people sometimes die when clinical technology does not function as it should or when it should, but that is the reality. It’s a statistical fact measured by various regulatory agencies around the world.

Just what are the potential consequences if a hospital has its vital systems taken down by ransomware or any other form of cyber attack?

To find out how different the governance of enterprise information technology (GEIT) in clinical environments can be, ISACA recently commissioned a new paper on clinical GEIT. It aims to provide ISACA members with a concise introduction to this topic.

What can you expect to learn if you read this new ISACA paper? GEIT for Health Care aims to provide an overview of the principles behind the key regulations and standards that the management of a clinical environment often has to consider. After all, clinical environments can be dealing with life critical equipment, highly sensitive medical information and even financial transactions. That means these environments can find their governance needing to efficiently comply with clinical, financial and privacy regulations, sometimes within a single system.

For example, remember that pharmacy system? That could easily be required to manage the prescription of life critical drugs, the personal details of the people they are prescribed to and the financial information required to take payments.

All clinical technologies are expected to be fit for their intended purpose. The paper includes a summary of the principles of Good Clinical Practice (GCP) – the rules that help to ensure processes and technologies are appropriate. It also looks at how the use of electronic signatures is regulated, as well as efficiency tips on how some organizations manage their governance model.

How do the small clinical environments cope? Well, they mostly buy in commoditized technologies that are designed to meet the required standards. The more a clinical environment develops, designs and utilizes technology innovatively, the greater the amount of due diligence required to ensure those technologies are fit for purpose.

The ISACA paper can also be useful for people working in other highly regulated environments. It provides some valuable insight for all ISACA members into just how complex and sensitive some IT environments can be. The clinical GEIT publication also sets out to demonstrate how a controlled and efficient approach, using policies and procedures, is a fundamental requirement to effective compliance in highly regulated environments.

Many people fear the complexity of environments where large amounts of regulation exist. The reality is that by applying a structured but efficient governance model, regulatory standards can be met with far more efficiency than you might think. After all, the controls we use for safe financial processing and those we use for managing human health are more closely related than you might think.

If you want to find out the basics of how to manage the governance of enterprise information technology in clinical environments, this new ISACA guidance is well worth a read (and I’d say that even if I weren’t the author).

Build a Small Business with GEIT and Security in Mind

Ammett Williams

Despite the prominence of larger companies, the growth of small businesses and entrepreneurs also is critical to a society’s development. Entrepreneurship can drive the growth of new businesses, provide solutions for various market niches, foster innovation and generate job creation. The entrepreneurial activities of today can impact the Fortune 500 of tomorrow.

Small businesses or start-ups serve as the beginning point for many who are seeking to navigate the complexities of modern enterprise. One of the things that may be overlooked at the beginning is the implications of IT governance and security for an enterprise’s future health. Regardless of the sector, both factors have important roles to play in continued success. Below are some standard considerations for both areas.

General security perspectives needing consideration:

  • What industry/market sector is being entered? It helps to understand the product/service to be developed.
  • What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
  • What are the risks? Understanding existing constraints and future possibilities provides essential context.
  • What is the overall strategy and security strategy? Understand and build the risk appetite at the start. 

General IT perspectives needing consideration:

  • What existing technologies can we leverage at this time? Cloud; small, in-house data centers; and outsourcing options—all are considerations.
  • What type of information is needed from customers? Basic information required to create mailing lists, personally identifiable information (PII) and/or payment information may be required.
  • How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
  • How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.

There is a certain excitement for an entrepreneur entering into the market–the joys of prospects unknown and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things get overlooked in the rush to get the business off the ground. This can result in problems down the road, such as regulatory fines, data breaches and compliance issues, just to name a few.

The alignment of the entrepreneurial vision, security and IT can provide a strong foundation to build out the enterprise. GEIT principles can be helpful in the smallest of enterprises since they can be tailored as business expands and provide the necessary checks and balances to mitigate risk. A little time at the start can be helpful in the long run to face the digital disruption roller coaster of the future.

COBIT 5 and the NIST Cybersecurity Framework – A Simplified Framework Solution

Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming. Do you pick the most popular framework for each area, or assemble a collection of applicable frameworks that all drive toward a common goal? There are literally dozens of frameworks to choose from, but the common underlying theme is this: create value for the enterprise.  A realistic solution is to create a common core governing model that can link to the myriad standards, models and best practices available while meeting stakeholder needs.

As a former CIO of a managed service provider in North America, I’ve experienced the above. Our company provided outsourced IT services to more than 100 client companies, and we experienced some major issues. Chief among those issues was navigating through the multitude of standards, requirements and compliance needs for each of our tenant organizations. Everyone had different needs, and our charter was to satisfy those needs. Enter the growing demand for a strong cyber security program, and the formula became even more complicated.

We had a gap in our framework architecture that was exposing vulnerabilities in our cyber security posture. At the enterprise level, we used the balanced scorecard and COSO to determine the correct balance of performance and conformance, which was good. Now, skip down to the operational level. Here, we were haphazardly applying ‘checklists’ from the various popular frameworks and guidance. These included NIST Special Publications, ISO/IEC 27001, and the CIS Critical Security Controls. As you can probably guess, this is where we became overwhelmed. We had duplicate controls, wasted resources and pressure to meet every part of every security checklist.

There was a gap between enterprise governance and operations; we were missing a vital link. This was the perfect spot to consider the governance of enterprise IT, or GEIT. We needed a mechanism to link the frameworks between the enterprise level and operational level. From our cyber security perspective, we needed this link to be a “framework to manage our frameworks,” and that solution was leveraging the COBIT 5 and NIST Cybersecurity frameworks. This was important because by using risk scenarios as a driver, we could use COBIT and the NIST framework as the critical link, or what I call ‘middleware’ between our enterprise drivers and operational tasks.

This solution allowed our organization to focus on the cyber security practices that supported stakeholder needs, based on key areas that created value by optimizing our risks and resources. By following the implementation guidance in both COBIT and NIST, we were able to effectively govern and manage our cyber security risks and resources. What were the key benefits to adopting these two frameworks together? Here are the three top reasons for our organization:

  1. Both have solid implementation guidance. Although each framework has a suggested implementation methodology, they are easily mapped to each other and would be best used together for cyber security adoption. The COBIT implementation method offers a step-by-step approach to adopting good governance practices, while the NIST Cybersecurity Framework implementation guidance focuses specifically on the cyber security-related practices.
  2. The frameworks reference each other. Each of these frameworks notes where the other complements them. COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cyber security program as a part of an overall GEIT initiative.
  3. They both provide a holistic approach. One of the COBIT principles is called “Applying a Holistic Approach,” and focuses on a set of enablers. Think about these enablers as the ingredients to a holistic GEIT program. The NIST Cybersecurity Framework, on the other hand, is what I consider a holistic approach to a solid cyber security program by providing a framework core consisting of five functions (Identify, Protect, Detect, Respond and Recover), and includes activities, desired outcomes, and applicable references.

If you are overwhelmed with all of the cyber security options facing your organization and you’re not quite sure where to start, give this formula some thought. You may find that it is a great way to get a central governing model for your cyber security efforts.

Editor’s note: For more guidance on implementing the NIST Cybersecurity Framework using COBIT 5, view a new ISACA white paper here.

Internal Control System – Whose System Is It Anyway?

Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.

It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense have in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will first start by defining the RACI model, which shows the pieces each player has.

The RACI model outlines the roles and responsibilities of each actor in the process being reviewed. I will describe it the way I tell my auditees, that is, simplified so that they clearly understand how our work affects one another (see Table 1).

Table 1: RACI Acronyms

| Role | As explained to auditees |
|---|---|
| Responsible | The guy or girl whose hands get dirty. |
| Accountable | The wind breaker or simply the fall guy or girl. |
| Consulted | I am not getting my hands dirty but I can share my knowledge. |
| Informed | Just want to know what you are up to. |

See Table 2 below for the proposed roles and responsibilities of actors in internal control systems.

Table 2: COBIT 5 MEA02 Monitor, Evaluate and Assess System of Internal Controls (proposed RACI; empty cells mean no assignment)

| Management Practice | Chief Executive Officer | Business Executive | Business Process Owners | Chief Risk Officer | Audit | Chief Information Officer |
|---|---|---|---|---|---|---|
| MEA02.01 Monitor internal controls | I | | R | R | R | A |
| MEA02.02 Review business process controls effectiveness | I | A | R | I | R | C |
| MEA02.03 Perform control self-assessments | I | | R | R | R | A |
| MEA02.04 Identify and report control deficiencies | I | | R | I | R | A |
| MEA02.05 Ensure that assurance providers are independent and qualified | | | R | | A | R |
| MEA02.06 Plan assurance initiatives | A | | R | | C | R |
| MEA02.07 Scope assurance initiatives | | | R | | A | R |
| MEA02.08 Execute assurance initiatives | | | R | | A | R |

To analyze the internal control system, I will discuss five key points about the responsibilities of audit, risk and management.

Internal auditors are not accountable for ensuring that controls are monitored. Auditors are only responsible for ascertaining that controls have been adequately designed, implemented and are operating effectively, which includes providing assurance on the monitoring of controls by IT management. It’s a fact that auditors can get their hands dirty, but they are not the fall people. The accountability and responsibility roles in the monitoring of controls do not seem to be clear. Findings about management’s monitoring of certain controls are almost always in the audit report; for example, the monitoring of user access, audit logs and activities carried out by users with high privileges. Management’s accountability over internal controls should not be considered a mitigating control, as many have relegated it to be.

Auditors and business process owners share the same responsibility for reviewing the effectiveness of the controls. Refer to Table 2 above, MEA02.02. A prudent manager always carries out a self-audit and reports on the department’s weaknesses. I have sat in meetings where the manager of a division would say, “I am worried about this area. Could you ensure that you focus on it?” It’s not wrong for management to request that internal audit scrutinize a certain area in his or her division, but it’s always worrying when the tone appears to suggest that the manager has no idea of the processes followed in that particular area. That shows that the manager is not aware of his or her responsibility to ensure effective controls. The auditor’s role in assuring effectiveness is only for reporting purposes, while the process owner’s role is for operational purposes and is far more imperative than the auditor’s report. Likewise, control self-assessments coordinated by the risk division are the responsibility of the process owner.

IT management has a right to ensure that qualified internal auditors carry out audit assignments in a professional manner. A balance needs to be found when training auditors, especially on complex assignments. I know this is potentially stepping on my own toes, but after management gives time and resources to the auditor to carry out their work, it is disappointing for management to receive a report that does not show that the auditor understood the process being audited. It is not surprising then, when reviewing Table 2 above, MEA02.05, to note that the process owner and IT management have been tasked with the responsibility of ensuring that qualified assurers are engaged.

The business process owners’ fingerprints are all over the entire internal control system. From Table 2 above, it is clear that the process owner is responsible for all practices within the process of monitoring the internal control system. This is why it’s imperative for internal auditors to work hand-in-hand with the process owner, as the latter’s input is required in all aspects of the system. The notion that “we will only disclose information that the auditors ask for” does not hurt the internal auditor but, rather, hurts the process owner. Auditors merely provide feedback on the status of the system, while the process owner builds the system.

In an analysis of the roles that audit, risk, the process owner and the chief information officer play in monitoring the internal control system, it is clear that all players have their hands dirty. Those with a quantitative mindset can count the R’s listed in Table 2 under each player. It then becomes quite clear that all actors have a role to play. For the internal control system to mature, each player needs to understand their role and support others where their input is required, even if it is just to receive information. The goal of the system is not to police, expose gaps or show faults, but rather to ensure that collective efforts lead to a more sustainable operating environment.
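As an added example that is not part of the original post, the following Python encodes Table 2 and does the counting the text suggests (R’s per player), plus the usual RACI sanity rules that a reviewer would check on any chart: exactly one Accountable party and at least one Responsible party per practice. Role and practice names are those of Table 2; the MEA02.01 to MEA02.08 numbering is COBIT 5’s own for this process.

```python
from collections import Counter

# Column order of Table 2 (COBIT 5 MEA02 proposed RACI).
ROLES = [
    "Chief Executive Officer",
    "Business Executive",
    "Business Process Owners",
    "Chief Risk Officer",
    "Audit",
    "Chief Information Officer",
]

# One row per MEA02 management practice, in the same column order as ROLES.
# An empty string means the table assigns nothing to that role.
MEA02_RACI = {
    "MEA02.01 Monitor internal controls":                      ["I", "",  "R", "R", "R", "A"],
    "MEA02.02 Review business process controls effectiveness": ["I", "A", "R", "I", "R", "C"],
    "MEA02.03 Perform control self-assessments":               ["I", "",  "R", "R", "R", "A"],
    "MEA02.04 Identify and report control deficiencies":       ["I", "",  "R", "I", "R", "A"],
    "MEA02.05 Ensure that assurance providers are independent and qualified":
                                                               ["",  "",  "R", "",  "A", "R"],
    "MEA02.06 Plan assurance initiatives":                     ["A", "",  "R", "",  "C", "R"],
    "MEA02.07 Scope assurance initiatives":                    ["",  "",  "R", "",  "A", "R"],
    "MEA02.08 Execute assurance initiatives":                  ["",  "",  "R", "",  "A", "R"],
}


def count_by_role(raci, letter):
    """Count how many practices assign `letter` (R, A, C or I) to each role.

    Roles with a zero count are omitted, so the result is only the players
    who actually carry that letter somewhere in the chart.
    """
    counts = Counter()
    for assignments in raci.values():
        for role, letter_here in zip(ROLES, assignments):
            if letter_here == letter:
                counts[role] += 1
    return dict(counts)


def responsibilities_of(raci, role):
    """List the practices where `role` has an R: the 'hands get dirty' work."""
    idx = ROLES.index(role)
    return [practice for practice, a in raci.items() if a[idx] == "R"]


def raci_issues(raci):
    """Flag rows that break the basic RACI rules.

    Each practice should have exactly one Accountable party (the 'fall guy or
    girl' of Table 1) and at least one Responsible party; anything else means
    the chart cannot tell you who owns the outcome or who does the work.
    """
    issues = []
    for practice, assignments in raci.items():
        n_accountable = assignments.count("A")
        n_responsible = assignments.count("R")
        if n_accountable != 1:
            issues.append(f"{practice}: {n_accountable} accountable parties (expected 1)")
        if n_responsible == 0:
            issues.append(f"{practice}: nobody responsible")
    return issues


if __name__ == "__main__":
    for letter in "RACI":
        print(letter, count_by_role(MEA02_RACI, letter))
    print("Audit is responsible for:", responsibilities_of(MEA02_RACI, "Audit"))
    print("Issues:", raci_issues(MEA02_RACI) or "none")
```

Running it shows the process owner with an R on all eight practices and the chart passing both rules; deleting an A from any row makes `raci_issues` name that row.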

Connecting Business and IT Goals Through COBIT 5

Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.

This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.

“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”

The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.

Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:

  1. Evaluate the current and future use of IT;
  2. Direct implementation of plans and policies to ensure the use of IT meets business objectives;
  3. Monitor conformance to policies and performance against the plans.

COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.

“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding of the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”

Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”

Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.

New COBIT 5/CMMI Tool Goes Beyond Traditional Mapping

ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.

Together, we have teamed up to create a new product that leverages the deep guidance available within each of the models. Specifically, COBIT 5 and the CMMI maturity models each have extensive guidance in establishing practices that permit users to better align stakeholder requirements with the utilization of IT-enabled investments; using them both together can yield a resultant value that is greater than the sum of their respective parts.

Many users of framework products look for mapping tools to assist them in using both models or to reduce initial planning and implementation resources needed to bring the second model into use. Mapping tools serve a useful purpose in that regard but have always had one significant drawback: They only attempt to reveal direct connection points between the models being mapped. That serves to speed up implementation time for the second model, but is limiting in the degree to which it unlocks the additional value that using that second model could bring.

The other issue that comes up with traditional mapping tools is that they are designed to be used in one direction only. That is, a user looks up an element in model A and finds which element or elements in model B are related. What if you want to start with an element in model B? That element likely exists in multiple places throughout the map and isn’t easy to isolate to determine what in model A is related. These traditional maps are unidirectional.

ISACA and CMMI saw an opportunity in this gap to produce a tool between COBIT 5 and the CMMI maturity model. Called the COBIT 5 CMMI Practices Pathway Tool, it lets users quickly and easily navigate from either COBIT 5 or CMMI and uncover relevant guidance in the other model. This bidirectional capability is unique and will permit users greater flexibility in deriving value from the tool.

The tool is built in Excel to provide access to a larger number of people. It takes advantage of native functionality in Excel and uses filtering to provide a quick and easy means of selecting elements of interest. There also is a guidance document with the tool to better describe its function and use.

The end result will be the ability for business IT practitioners to deliver additional value to their stakeholders.

Integrated Content Libraries – What You Should Know and Questions to Ask

Having worked for most of the “Big Four” as well as several boutique consultancies, I have witnessed a well-marketed shift and the birth of a new industry as it pertains to integrated regulatory content. When I refer to integrated regulatory content, I mean taking statements from individual sources and mapping those to a single control statement. For example, PCI 3.2, Requirement 2.1 states that default account passwords for accounts shipped with a Commercial Off The Shelf (COTS) product should be changed.

Similarly, the supplemental guidance for control enhancement 5 of control SA-4 in NIST SP 800-53r4 contains very similar control language. In an integrated framework, one would have a single control named something such as “Access Management – Password Management – Default Accounts,” and both the language from NIST SP 800-53r4 and from PCI would be mapped to that single integrated requirement, as opposed to managing similar requirements independently across frameworks. This mapping would ostensibly allow one to create controls and control procedures that could reduce testing and compliance efforts within most organizations.

What used to exist in separate, industry-centric silos has now been ported into frameworks with the promise of “test once and satisfy many.” Every risk consulting firm I worked for had a matrix that we tried to leverage to help our customers consolidate controls and testing efforts. Now, we have companies such as the HITRUST Alliance and the Unified Compliance Framework that base their entire business off the integrated content they produce.

We also have consortiums of volunteers such as those that support the Cloud Security Alliance’s Common Controls Matrix. Integrated content is generating tens of millions of dollars a year in content and professional services work, but for 95 percent of the regulatory content out there, it is free to use.

Companies now exist with business based solely upon integrated framework content. As I look at the landscape, there are many attributes of content libraries that one should question before investing in an integrated content library. The list I have generated is as follows:

Who Mapped This?

You want mappings to be done by people that know IT risk, security and controls. Having credible personnel can reduce mismappings and reduce potential doubt as your integrated library further permeates your organization.

Are there proprietary sources in use? If so, do you have the proper licensing with the source bodies?

I have worked for multiple firms that baked ISO, COBIT 5 and other proprietary frameworks into their source content. Companies need to ensure they have more than a single purchased license of documents that are to be purchased on an individual basis. Ask the question so there are no surprises or lawsuits as you move forward.

Are there other integrated source libraries mapped?

HITRUST and the CSA CCM are already integrated, so effectively mapping those frameworks to another integrated framework is not feasible. Be wary of anyone that is mapping already integrated frameworks into a proprietary framework as they likely do not understand the impact of issues to the data model.

How does content get updated?

Will you receive an email? Will you receive the update in XML or CSV? Is it a feed or manually provided? Will you have to have someone take the data and apply it to your GRC environment and then perform testing to ensure it was applied correctly?

How frequently are updates implemented?

Some content providers do not provide updates. Any upkeep is the responsibility of the client. Others provide quarterly updates and some use an ad-hoc schedule. If you have to be PCI compliant and need that mapped into your framework by a specific timeline, you need to have a good understanding of the timing for when the PCI update will hit your framework or you may have to map manually.

What is your QA process?

What tools and techniques are used to ensure that mappings are comprehensive? What personnel do you have who are qualified to perform content-specific mapping quality assurance? Do you look for issues in copy and paste translations, or do you search for syntax errors? Do you embed HTML in your mapping content? All of these are questions to ask about the quality of what you get from a library.

How many customers do you have in my industry?

Many libraries are heavy on financial services content because they are one of the most highly regulated industries. If you are a healthcare entity or industrial power supply organization, ask how many other peer companies use their content and request to speak with representatives of those companies to help reduce headaches down the road.

I do not use 70 percent of the mappings in your library, so why am I paying for them?

Often, I have seen companies paying for a library of 200 sources, but they really only use 30 of those. Ask what the cost is if you just pay for the 30 that you need, as you should not be held to paying for a universe of content that does not apply to your company. Also, I have seen companies using sliding pricing models based upon the company size. A Fortune 50 company may be paying 100 percent more than a smaller entity in some cases. This is another area where speaking with a broad swath of the customer base before you buy can be critical.

Aside from cost, also inquire about how to reduce the noise of the library. Most robust sources have hundreds or thousands of regulatory sources mapped to them. It is likely your organization only needs a percentage of those, so ask how you can ensure that unnecessarily mapped content does not show up in your content universe.

How do new sources get vetted for evaluation into your framework?

Gaining an understanding of the evaluation and mapping process for new sources is important. Often, it’s critical mass that drives a mapping priority, but sometimes it is a high-profile client of the integrated library content provider that gets mapping moved up on the docket. Know the process that applies to your library and get an understanding of what you may need to make your requirements a priority.

What is the data model as it pertains to sources, source sections and control statements?

Understand the relationships that are in place among the decomposed layers of the content library. Some content providers try to differentiate on their library content data model. Getting perspective from a technical resource that understands database relationships can be very useful in this scenario, as they can help to analyze and validate the layout of the content from a relational perspective. This can be important if the data model is overly complex.

What, if any, subjective work has been performed on the content that is not germane to the content itself?

The question likely does not make sense upon first reading it, but knowing the answer can be impactful. Once you buy content and begin to integrate it, if you learn facts about the content along the way, it may be too difficult to turn back. For example, some content libraries provide subjective key and non-key control delineations for integrated requirements out of the box. If one begins to implement using those delineations without any rationalization for the control based upon the environment or the system at hand, those definitions could impact testing cycles and associated level of effort. Ask your provider if they have subjectively done anything to their library that may impact your organization’s implementation of the content.

How searchable and filterable is the content?

Get clarity on how the content is presented for consumption and analysis. UCF has a very nice front end that they use to create cuts of library content and produce filterable results. Most libraries I have seen in the past exist in large Excel files where filtering and reporting is limited to Excel’s capabilities. To make effective use of the content, you will likely need to port it into a GRC tool or a database. Make sure to gain perspective on searching and filtering as content is extended to the user.

What are the licensing terms?

If you are paying more than US $10,000 a year in content that is largely free, you are getting taken. When feasible, do not sign up for multi-year agreements, especially initially. Take your first year and learn how the content will impact your organization. Ask if you can try the content for a period of time before purchasing. This gives you time to investigate and perform due diligence.

Will the content stand up in a court of law?

I have spoken to peers who believe that integrated regulatory content, especially from those one-off sources, may have trouble being defended in a court of law should due diligence, due care and compliance questions come into play. Many of my peers feel that in a court system, only those well-respected and industry-vetted sources would be resolute enough to endure scrutiny, so ask your content provider if they have perspective to share on that topic.

Mapping can be difficult and time-intensive. Companies are fearful of a mismapping or a missed mapping, which could call their libraries into question from completeness and accuracy perspectives. Before purchasing integrated content, ask to speak with current customers of the content and dig into the details. You may be surprised at what you find.

Support Design Should Begin at the Start

Everyone can think of a moment when they have experienced a problem with goods or services. Everyone can also think of a moment after the problem that…wait for it (drumroll)…there was poor customer support or no support at all.

So where does the disconnect between an enterprise’s strategic objectives and its failure in the eyes of the customer begin? Could this failure have been avoided from the start?

Here’s how it happens: Oftentimes an enterprise reviews its strategic plan, a process that often generates new ideas and a new focus on how to achieve its objectives. A critical factor in achieving these objectives is IT. As part of this effort, business cases are created and reviewed with due diligence and care, focusing on risk analysis, costing and other key planning issues. Approvals are given at various levels, and once the green light is given, we develop the product/service/upgrade, with implementation to follow.

Imagine that all of the above stages are completed and the enterprise has just successfully launched a new service to customers through its digital channel. The product is marketed well and it is disruptive, so this results in huge demand from customers. At this point it may seem that all is well and good; however, as with all things, problems are going to occur and customers (internal/external) will be affected.

This is where the true test begins and where many enterprises fail because proper support systems were not put in place at the start. There are several reasons why this can occur, including a lack of foresight at the beginning, a focus on being first to market over competition, improper resource analysis, a lack of training, a poorly developed service level agreement (SLA) or no SLA review.

Just as security and risk are key considerations, proper support mechanisms should be considered when implementing your enterprise IT governance structure, since support is a form of risk mitigation in itself. You can implement the most state-of-the-art IT infrastructure that strategically aligns with your enterprise’s objectives and delivers super-fast service; however, if there is no support in place for the 100 percent certainty that something will go wrong, then all of it becomes useless. Design your framework so that failures are welcomed and not left to chance.

The Future of COBIT—We Need Your Input

It is time to consider the next evolution of the COBIT framework beyond COBIT 5—and here is your chance to play an important role.

As you are well aware, COBIT is the premier IT governance framework, helping organizations around the world realize significant value. ISACA is seeking your help to ensure that COBIT continues to evolve as a vibrant framework that encompasses the new capabilities and threats (Internet of Things, big data, cyber security, DevOps, etc.) constantly arising in the world of IT governance.

We are in the process of evaluating and fundamentally changing COBIT to better serve COBIT users and would like to get your feedback and thoughts. A key part of the evaluation process is our belief that, to fully enable organizations worldwide, the delivery model should change to providing COBIT-as-a-Service (CaaS).

As a starting point, we have considered usage feedback and market data of existing COBIT 5 and COBIT 4.1 frameworks, as well as enhancements leveraging the recent acquisition of the CMMI Institute.

What We Know:

  • COBIT is highly regarded as the single comprehensive IT framework and has excellent brand recognition globally.
  • There are no direct competitors with “like” products that include IT audit, cyber security, IT risk, IT governance and business principles.
  • COBIT 5 is 5 years old and it needs to be dynamically updated going forward.
  • Key industry trends of crowdsourcing and open sourcing solutions improve relevance of products.

We Want Your Input on This New Idea—Providing COBIT-as-a-Service (CaaS):

  • Provide a fully-online, interactive COBIT framework, COBIT Implementation, COBIT Enabling Processes and COBIT Enabling Information to ALL. Crowdsource to members and non-members to ensure currency in a dynamic and changing environment through frequent content refresh.
  • Determine whether we need to provide oversight to updates or leave it up to the practitioner base to address any issues that arise.
  • Add additional domains and industry-specific content with data tags to allow users to create a custom/tailored COBIT to allow many different views of COBIT—e.g., by subject area, by role, by industries, etc.
  • Partner with internal (e.g., CMMI) and external organizations to go deeper in areas of expertise (e.g., cyber security), and also with organizations that go outside the traditional areas of focus for COBIT (e.g., IT supporting product development).
  • Provide cross-linkage to externally referenced frameworks (e.g., ITIL).
  • Create unique and relevant principles, policies, processes, practices and tools for specific industries (e.g., health care) and audiences (e.g., privacy).
  • Develop a digital platform (mobile/web) for viewing, updating and using COBIT content.
  • Build a broader community of experts and involve them in thought leadership.

We Need Your Help to Achieve This Future State
Please provide your thoughts and comments on the vision for COBIT by 1 December, and let us know what else you would like by emailing [email protected].

About the authors:

John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US, serves as the Cybersecurity Fellow, emeritus for IBM’s Center for the Business of Government. He is also on the Board of Directors of George Washington University’s Center for Cyber and Homeland Security, serves on the Cyber Maryland Advisory Board and as an advisor to the ISACA Board of Directors.

Matthew Conboy, CISA, is a strategic operations manager at Cigna, and has over 10 years of experience leading and consulting within the strategy, project execution and risk/audit domains, with special focus on the bridge between IT and Business. Since 2008 he has been on the board of his local Greater Hartford Connecticut (GHC) ISACA chapter, and currently is the chapter’s vice president and chair of the Education and Marketing and Communications Committees.

Frank Schettini, MBA, is Chief Innovation Officer of ISACA. Prior to joining ISACA, he worked as vice president of information technology at Project Management Institute (PMI). His experience includes more than 30 years in various industries in the areas of strategic planning; project, program and portfolio management; process improvement; enterprise architecture; and change management.

Poland’s Supreme Audit Office Chooses COBIT 4.1 To Assess IT Security

In a testament to COBIT's universal acceptance, the Supreme Audit Office of Poland (NIK) recently used the COBIT 4.1 framework to assess the level of security of the major IT systems used by Poland’s government agencies.

The process began in 2014 when the NIK reviewed the involvement and performance of Poland’s government agencies in ensuring IT security. The results of the review, published last year, showed that Poland, at the state level, was not prepared to deal with the serious threats coming from cyberspace.

To address this major cybersecurity shortcoming, the NIK decided to verify the security of the information processed in the information systems the state relies upon to operate. The audit, using COBIT 4.1, included 6 systems managed by different ministries and government agencies.

To achieve an objective and comparable assessment of the level of security management of the selected systems, the NIK decided to use the control objectives of process DS5 Ensure Systems Security, as the source of the control objectives and process maturity model for the audit. The COBIT framework is recommended to supreme audit institutions in the "INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public Sector" and the "WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions" developed by the INTOSAI Development Initiative (IDI).

The audit found that only one government agency’s systems security was assessed to be at level 3, meaning it had a defined DS5 process (see diagram below). Three agencies were at level 2, meaning the process was repeatable. Two were at level 1, meaning their processes were initial or ad hoc.

The results of the audit were recently published in Polish on the NIK's web site. They were also presented by Krzysztof Kwiatkowski, president of the Supreme Audit Office of Poland during CyberGOV, an important conference on cyber security for the public sector in Poland.

In its report, the NIK also included conclusions on its findings and recommendations for the audited organizations as well as specific recommendations for the Ministry of Digitization, which is responsible for coordinating cybersecurity in Poland. The significance of the findings has been widely commented on and analyzed by stakeholders responsible for implementing the NIK’s recommendations.

Since the report was completed, there has been a rise in interest in the COBIT framework and the ISACA Cybersecurity Nexus (CSX) program in Poland. Poland’s two ISACA chapters have been busy answering questions and providing guidance on how to implement governance and security processes that can enable Poland to deal with cyber security threats.

ISACA has since released COBIT 5 in Polish. The following processes are recommended to prepare an audit of Information Security:

  • APO13 Manage Security
  • DSS05 Manage Security Services
  • MEA02 Monitor, Evaluate and Assess the System of Internal Control

COBIT publications in Polish include COBIT 5 Framework, COBIT 5 for Risk, COBIT 5 for Information Security, COBIT Process Assessment Model (PAM): Using COBIT 5, and COBIT Self-assessment Guide: Using COBIT 5. In addition to English, COBIT materials are also available in the following languages:

COBIT recently celebrated its 20th anniversary. For fun graphics, highlights and more information click here.