Cyber Security and Risk Should Be Standing Items on Board Agendas

Emily Manganyi Amukelani

The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.

Many organizations have experienced the threat that accompanies the adverse intentions behind these activities, especially organizations that have not prioritized cyber risk or made it part of their risk management agenda. Being exposed to cyber threats is no longer something that only affects big multinationals with massive data centers. Cyber threats apply to any organization that operates on and is connected to the Internet. A cyber breach, which almost always has an adverse impact on an organization, is no longer a matter of if; it is a matter of when.

The question that leadership of organizations should be asking is how prepared they are, from a risk management perspective, to deal with the risks that come with the use of information and technology. Is this a prominent and standing agenda item at the board’s and executive committee’s meetings? If the answer to each of these questions is not affirmative, then the organization is more exposed to the risk of a cyberattack, and to the risk of not being able to recover operations as quickly as would be required for business to carry on as usual.

To ensure the continuity of business, the board should ensure that the organization’s risk management framework addresses cyber risks. Cyber risks must be identified, quantified in relation to the organization’s environment, and appropriate actions taken to minimize the impact of cyber-related incidents.  The leadership of the organization should ensure that business continuity plans and arrangements are in place for incidents that may result from a cyberattack.

It is no longer the responsibility of only the operational staff in the IT department to deal with cyber risks. Cyber threats are too great to not afford them the level of attention they require at board and senior leadership levels.

Cyber security, risk management and business continuity planning must be standing items on the board and executive committee’s agendas. This will ensure that appropriate attention is given to areas where gaps may exist. This way, commitment will be afforded to enable the implementation of the required processes and solutions to address identified gaps and minimize risk exposure, as well as the impact that risk poses to the business.

Editor’s note: See more commentary on this topic from Emily, as well as from several other leading industry experts, at www.isaca.org/tech-governance-impact.

A Cyber Perception Gap? What Directors Want to Believe about Cyber Security vs. Real Cyber Risk

Dottie Schindlinger

Directors and executives want to believe their companies are adequately protected against cyber threats. ISACA’s recent survey of leadership teams reinforces the notion that most corporate leadership teams recognize cyber risk is a material threat to their businesses. As the research points out, 55% of respondents agree that their organization’s leadership team or board is doing everything it can to safeguard the organization’s digital assets. But, does this perception represent reality?

In a recent study conducted earlier this year by NYSE Governance Services and Diligent, 381 directors of public companies were surveyed regarding their secure communication practices and their level of awareness of how those practices might impact the company’s level of cyber risk. The results were sobering – and indicate a disconnect between what directors and executives believe about cyber security and the cyber risk created by their own communication practices.

To illustrate this point, consider that 92% of respondents use personal email accounts – including unsecured systems like Yahoo! Mail, Gmail, and AOL – at least occasionally to conduct board business.  While 74% reported using secure board communication software to receive and transmit sensitive documents, 54% regularly download these documents onto personal devices or drives. Even when companies use secure board communication software, only 8% ask the IT, IS or data security team to sanction directors’ communication methods. Worse still, 62% indicated their company doesn’t require directors to participate in any cyber security training, and in ISACA’s new research, only 15% of respondents expect their organizations will fund an increase in cyber security training for board members in the next year.

Why does this matter? The job of a director requires access to extremely sensitive company data. Yet, directors don’t often receive direct oversight from the IT or data security team. Hackers have clearly figured this out. Consider this report on China’s APT 10 hacking group, which specifically targets corporate directors as an easy entry point to high-value information. Even someone as sophisticated as former Secretary of State Colin Powell, a director of Salesforce, was successfully hacked when a slide deck for an upcoming Salesforce board meeting was stolen from a personal email account. The data from the slide deck was leaked to the Wall Street Journal in advance of the board meeting, negatively impacting both Salesforce’s business strategy and its share price.

Meanwhile, a number of new regulations are cracking down on corporate negligence on cyber security and data privacy, and are holding directors and executives responsible for breaches. In March 2017, new regulations took effect with the New York State Department of Financial Services that require board members (or senior officers) to personally certify that the company has adequate cyber security programs in place, and that those programs are regularly tested and reviewed. While this regulation is at the state level, it applies to any financial services firm – and any vendors serving those firms – that conducts business in New York. Another case in point is the EU’s new General Data Protection Regulation (GDPR) – set to take full effect in May 2018. This new regulation includes fines as high as 4% of annual worldwide turnover in the event of a major breach, as well as potential jail time for the directors or executives who are responsible. GDPR doesn’t just apply to EU companies; rather, any company that stores, processes, or accesses the data of EU citizens is liable.

Both of these regulations reinforce the idea that directors and top executives hold the ultimate responsibility for overseeing cyber security and risk management for their organizations. Not only must they be aware of the cyber security programs and risk profile of their companies, they must also set the right tone for the rest of the company’s employees – demonstrating by their adherence to secure communication policies and practices that cyber security is important enough to warrant the regular time and attention of the company’s leaders.

This all begs the question … why are corporate leaders so bullish on their level of cyber security? Perhaps one culprit is the approach we generally take to raising cyber security issues in our boardrooms.  Most board discussions on cyber risk include a “briefing” by the CSO/IT security team on what the company is doing to secure customer data and internal systems. Rarely do these briefings include a review of director communication methods, raising directors’ awareness of their own cyber risk, and training on how to handle sensitive data.

It’s time for us to help directors understand their real level of cyber risk and provide them with the secure tools, training and support to keep their communication – and our companies’ data – safe. An easy first step is to provide this article to your directors and add some time on the next board meeting agenda to discuss it. Get directors’ concerns out in the open. Only by candidly reviewing what’s happening now – and what should be happening – can any change be implemented.

Board Leadership Critical in Effectively Leveraging Technology

Robert Clyde

There is little doubt that better governance of technology leads to better business outcomes. More than 9 in 10 respondents in ISACA’s new Better Tech Governance is Better for Business research affirmed that reality.

But how can organizations ensure that they’re leveraging technology successfully, beginning with effective oversight from the board of directors?

The majority of ISACA’s survey respondents identified ensuring alignment between IT and stakeholder needs and establishing a clearer connection between business goals and IT goals as leading priorities that should drive organizations’ governance of technology.

That starts with a firm commitment to strong governance at the board level. This approach is an absolute necessity for all enterprises that intend to compete – and survive – in today’s technology-driven business landscape.

It can be challenging, however, for organizations to bring in board directors with the level of technology savvy needed to make sure that the right issues are being addressed and the right questions are being asked when it comes to making technology-related investments, and addressing key business imperatives such as cyber security, risk management and digital transformation.

Finding at least one board member with technology expertise can be a real difference-maker for the organization. This will naturally become easier over time, as digital natives grow into leadership positions, but can be a real challenge for now. Organizations should aggressively leverage their networks and tap into industry professional associations to find prospective board directors with much sought-after technology backgrounds.

What organizations must not do is bring aboard a “token geek” – that is, a person who is well-versed in technology but otherwise thoroughly unqualified to serve as a board director. Companies that have tried going this route end up with somebody who is ill-suited to be a board director and needs to be educated around the majority of discussions, detracting from the board’s overall efficiency and leadership capabilities.

A better option, provided an organization is struggling to secure quality board directors who are tech-savvy, is to work with outside experts who can bring that level of expertise to the board room. Organizations seeking technology consultants with instant credibility often turn to large, global firms that regularly provide this type of guidance to boards of directors.

An encouraging trend in enterprise governance of technology has been the evolution of CIOs and CISOs. In recent years, these leaders have elevated beyond technology honchos to become true business leaders, as well as excellent resources for boards of directors. The CIO or CISO should regularly be updating the board of directors about front-burner technology threats and opportunities that require board oversight. With the explosion of cyber security and emerging technology risks in recent years, the relationship between the CIO or CISO and the board of directors is one that organizations have to get right, or the consequences can be dire.

Aside from the board’s composition, organizations striving toward that critical connection between business goals and IT goals can benefit from governance frameworks such as COBIT. ISACA research participants identified risk management, cyber security and business and IT integration as the top three areas that benefit from a governance framework.

Effectively leveraging technology is the common denominator in today’s global economy. Beginning at the board level, organizations must determine their path to strong governance and prepare for the flurry of technology-centered challenges and opportunities that will only accelerate in the years to come.

Managing IT in Clinical Environments

Raef Meeuwisse

Working in healthcare technology is about as exciting as IT gets. Between the rapid evolution in healthcare technology and the increase in cyber threats, there has never been a sector with a greater need to balance effective governance with lean but agile delivery of new technologies.

You might have noticed that most of us now carry or wear devices capable of accurately measuring our physical activity, heart rate, blood oxygen levels and more. Most of us wear these for fun or to help promote a healthier lifestyle. However, have you ever stopped to consider the consequences if critical technologies in clinical environments were not functioning or became unavailable when they were needed?

Just how much care has to go into designing, developing and delivering a modern pacemaker? How robust does a pharmacy software system need to be to help ensure that nobody is given the wrong prescription due to the technology?

Managing information technology in clinical environments is somewhat different from other environments because the consequences of errors can be much greater. It may seem overly dramatic to state that people sometimes die when clinical technology does not function as it should or when it should, but that is the reality. It’s a statistical fact measured by various regulatory agencies around the world.

Just what are the potential consequences if a hospital has its vital systems taken down by ransomware or any other form of cyber attack?

To find out how different the governance of enterprise information technology (GEIT) in clinical environments can be, ISACA recently commissioned a new paper on clinical GEIT. It aims to provide ISACA members with a concise introduction to this topic.

What can you expect to learn if you read this new ISACA paper? GEIT for Health Care aims to provide an overview of the principles behind the key regulations and standards that the management of a clinical environment often has to consider. After all, clinical environments can be dealing with life critical equipment, highly sensitive medical information and even financial transactions. That means these environments can find their governance needing to efficiently comply with clinical, financial and privacy regulations, sometimes within a single system.

For example, remember that pharmacy system? That could easily be required to manage the prescription of life critical drugs, the personal details of the people they are prescribed to and the financial information required to take payments.

All clinical technologies are expected to be fit for their intended purpose. The paper includes a summary of the principles of Good Clinical Practice (GCP) – the rules that help to ensure processes and technologies are appropriate. It also looks at how the use of electronic signatures is regulated, as well as efficiency tips on how some organizations manage their governance model.

How do the small clinical environments cope? Well, they mostly buy in commoditized technologies that are designed to meet the required standards. The more a clinical environment develops, designs and utilizes technology innovatively, the greater the amount of due diligence required to ensure those technologies are fit for purpose.

The ISACA paper can also be useful for people working in other highly regulated environments. It provides some valuable insight for all ISACA members into just how complex and sensitive some IT environments can be. The clinical GEIT publication also sets out to demonstrate how a controlled and efficient approach, using policies and procedures, is a fundamental requirement to effective compliance in highly regulated environments.

Many people fear the complexity of environments where large amounts of regulation exist. The reality is that by applying a structured but efficient governance model, regulatory standards can be met with far more efficiency than you might think. After all, the difference between the controls we use for safe financial processing and for managing human health are more closely related than you might think.

If you want to find out the basics of how to manage the governance of enterprise information technology in clinical environments, this new ISACA guidance is well worth a read (and I’d say that even if I weren’t the author).

Build a Small Business with GEIT and Security in Mind

Ammett Williams

Despite the prominence of larger companies, the growth of small businesses and entrepreneurs also is critical to a society’s development. Entrepreneurship can drive the growth of new businesses, provide solutions for various market niches, foster innovation and generate job creation. The entrepreneurial activities of today can impact the Fortune 500 of tomorrow.

Small businesses or start-ups serve as the beginning point for many who are seeking to navigate the complexities of modern enterprise. One of the things that may be overlooked at the beginning are the implications of IT governance and security on an enterprise’s future health. Regardless of the sector, both factors have important roles to play in continued success. Below are some standard considerations for both areas.

General security perspectives needing consideration:

  • What industry/market sector is being entered? It helps to understand the product/service to be developed.
  • What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
  • What are the risks? Understanding existing constraints and future possibilities provides essential context.
  • What is the overall strategy and security strategy? Understand and build the risk appetite at the start. 

General IT perspectives needing consideration:

  • What existing technologies can we leverage at this time? Cloud; small, in-house data centers; and outsourcing options—all are considerations.
  • What type of information is needed from customers? Basic information required to create mailing lists, personally identifiable information (PII) and/or payment information may be required.
  • How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
  • How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.

There is a certain excitement for an entrepreneur entering into the market–the joys of prospects unknown and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things can be overlooked in order to get the business off the ground. This can be problematic and result in problems down the road, such as regulatory fines, data breaches and compliance issues, just to name a few.

The alignment of the entrepreneurial vision, security and IT can provide a strong foundation to build out the enterprise. GEIT principles can be helpful in the smallest of enterprises since they can be tailored as business expands and provide the necessary checks and balances to mitigate risk. A little time at the start can be helpful in the long run to face the digital disruption roller coaster of the future.

COBIT 5 and the NIST Cybersecurity Framework – A Simplified Framework Solution

Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming. Do you pick the most popular framework for each area, or assemble a collection of applicable frameworks that all drive toward a common goal? There are literally dozens of frameworks to choose from, but the common underlying theme is this: create value for the enterprise.  A realistic solution is to create a common core governing model that can link to the myriad standards, models and best practices available while meeting stakeholder needs.

As a former CIO of a managed service provider in North America, I’ve experienced the above. Our company provided outsourced IT services to more than 100 client companies, and we experienced some major issues. Chief among those issues was navigating through the multitude of standards, requirements and compliance needs for each of our tenant organizations. Everyone had different needs, and our charter was to satisfy those needs. Enter the growing demand for a strong cyber security program, and the formula became even more complicated.

We had a gap in our framework architecture that was exposing vulnerabilities in our cyber security posture. At the enterprise level, we used the balanced scorecard and COSO to determine the correct balance of performance and conformance, which was good. Now, skip down to the operational level.  Here, we were haphazardly applying ‘checklists’ from the various popular frameworks and guidance.  These included NIST Special Publications, ISO/IEC 27001, and the CIS Critical Security Controls. As you can probably guess, this is where we became overwhelmed. We had duplicate controls, wasted resources and pressure to meet every part of every security checklist.

There was a gap between enterprise governance and operations; we were missing a vital link. This was the perfect spot to consider the governance of enterprise IT, or GEIT. We needed a mechanism to link the frameworks between the enterprise level and operational level. From our cyber security perspective, we needed this link to be a “framework to manage our frameworks,” and that solution was leveraging the COBIT 5 and NIST Cybersecurity frameworks. This was important because by using risk scenarios as a driver, we could use COBIT and the NIST framework as the critical link, or what I call ‘middleware’ between our enterprise drivers and operational tasks.

This solution allowed our organization to focus our cyber security practices that supported stakeholder needs based on key areas that created value by optimizing our risks and resources. By following the implementation guidance in both COBIT and NIST, we were able to effectively govern and manage our cyber security risks and resources. What were the key benefits to adopting these two frameworks together? Here are the three top reasons for our organization: 

  1. Both have solid implementation guidance. Although each framework has a suggested implementation methodology, they are easily mapped to each other and would be best used together for cyber security adoption. The COBIT implementation method offers a step-by-step approach to adopting good governance practices, while the NIST Cybersecurity Framework implementation guidance focuses specifically on the cyber security-related practices.
  2. The frameworks reference each other. Each of these frameworks notes where the other complements them. COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cyber security program as a part of an overall GEIT initiative.
  3. They both provide a holistic approach. One of the COBIT principles is called “Applying a Holistic Approach,” and focuses on a set of enablers. Think about these enablers as the ingredients to a holistic GEIT program. The NIST Cybersecurity Framework, on the other hand, is what I consider a holistic approach to a solid cyber security program by providing a framework core consisting of five functions (Identify, Protect, Detect, Respond and Recover), and includes activities, desired outcomes, and applicable references.

If you are overwhelmed with all of the cyber security options facing your organization and you’re not quite sure where to start, give this formula some thought. You may find that it is a great way to get a central governing model for your cyber security efforts.

Editor’s note: For more guidance on implementing the NIST Cybersecurity Framework using COBIT 5, view a new ISACA white paper here.

Internal Control System – Whose System Is It Anyway?

Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.

It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense have in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will first start by defining the RACI model, which shows the pieces each player has.

The RACI model outlines the roles and responsibilities of each actor in the process being reviewed. I will describe it the way I tell my auditees, to simplify it and get them to clearly understand how our work affects one another (see Table 1).

Table 1

RACI Acronyms   Definitions
Responsible     The guy or girl whose hands get dirty.
Accountable     The wind breaker or simply the fall guy or girl.
Consulted       I am not getting my hands dirty but I can share my knowledge.
Informed        Just want to know what you are up to.


See Table 2 below for the proposed roles and responsibilities of actors in internal control systems.

Table 2: COBIT 5 MEA02 Monitor, Evaluate and Assess System of Internal Controls

Roles: CEO = Chief Executive Officer; BE = Business Executive; BPO = Business Process Owners; CRO = Chief Risk Officer; Audit; CIO = Chief Information Officer. A dash marks an empty cell (no role assigned).

Management Practice                                              CEO  BE   BPO  CRO  Audit  CIO
MEA02.01 Monitor internal controls                                I    -    R    R    R      A
MEA02.02 Review business process controls effectiveness           I    A    R    I    R      C
MEA02.03 Perform control self-assessments                         I    -    R    R    R      A
MEA02.04 Identify and report control deficiencies                 I    -    R    I    R      A
MEA02.05 Ensure that assurance providers are independent and qualified   -    -    R    -    A      R
MEA02.06 Plan assurance initiatives                               A    -    R    -    C      R
MEA02.07 Scope assurance initiatives                              -    -    R    -    A      R
MEA02.08 Execute assurance initiatives                            -    -    R    -    A      R


To analyze the internal control system, I will discuss five keys about the responsibility of audit, risk and management.

Internal auditors are not accountable for ensuring that controls are monitored. Auditors are only responsible for ascertaining that controls have been adequately designed, implemented and are operating effectively, thus including assurance on the monitoring of controls by IT management. It’s a fact that auditors can get their hands dirty but they are not the fall people. The accountability and responsibility role in monitoring of controls does not seem to be clear. The majority of controls relating to monitoring of certain controls by management are almost always in the audit report; for example, the monitoring of user access, audit logs and activities carried out by users with high privileges. The accountability of management over internal controls should not be considered mitigating control, as many have relegated it to be.

Auditors and business process owners share the same responsibility of reviewing the effectiveness of the controls. Refer to Table 2 above, MEA02.02. A prudent manager always carries out a self-audit and reports on the department’s weaknesses. I have sat in meetings where the manager of a division would say, “I am worried about this area. Could you ensure that you focus on it?” It’s not wrong for management to request internal audit to scrutinize a certain area in his or her division, but it’s always worrying when the tone appears to suggest that the manager has no idea of the processes followed in that particular area. That shows that the manager is not aware of his or her responsibility to ensure effective controls. The auditor’s role in assuring effectiveness is only for reporting purposes, while the process owner’s role is for operational purposes and is far more imperative than the auditor’s report. Likewise, control self-assessments coordinated by the risk division are the responsibility of the process owner.

IT management has a right to ensure that qualified internal auditors carry out audit assignments in a professional manner. A balance needs to be found when training auditors, especially on complex assignments. I know this is potentially stepping on my own toes, but after management gives time and resources to the auditor to carry out their work, it is disappointing for management to receive a report that does not show that the auditor understood the process being audited. It is not surprising then, when reviewing MEA02.05 in Table 2 above, to note that the process owner and IT management have been tasked with the responsibility of ensuring that qualified assurers are engaged.

The business process owners’ fingerprints are all over the entire internal control system. From Table 2 above, it is clear that the process owner is responsible for all controls within the process of monitoring the internal control system. This is why it’s imperative for internal auditors to work hand-in-hand with the process owner, as the latter’s input is required in all aspects of the system. The notion that we will only disclose information that the auditors ask for does not hurt the internal auditor but, rather, hurts the process owner. Auditors merely provide feedback on the status of the system while the process owner builds the system.

In an analysis of the roles that audit, risk, process owner and chief information officer play in monitoring the internal control system, it is clear that all players have their hands dirty. Those with a quantitative mindset can count the R’s listed in Table 2 under each player. It then becomes quite clear that all actors have a role to play. For the internal control system to mature, each player needs to understand their role and support others where their input is required, even if it is just to receive information. The goal of the system is not to police, expose gaps, or show faults but rather to ensure that collective efforts lead to a more sustainable operating environment.

Connecting Business and IT Goals Through COBIT 5

Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.

This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.

“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”

The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.

Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:

  1. Evaluate the current and future use of IT;
  2. Direct implementation of plans and policies to ensure the use of IT meets business objectives;
  3. Monitor conformance to policies and performance against the plans.

COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.

“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding of the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”

Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”

Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.

New COBIT 5/CMMI Tool Goes Beyond Traditional Mapping

ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.

Together, we have teamed up to create a new product that leverages the deep guidance available within each of the models. Specifically, COBIT 5 and the CMMI maturity models each have extensive guidance in establishing practices that permit users to better align stakeholder requirements with the utilization of IT-enabled investments; using them both together can yield a resultant value that is greater than the sum of their respective parts.

Many users of framework products look for mapping tools to assist them in using both models or to reduce initial planning and implementation resources needed to bring the second model into use. Mapping tools serve a useful purpose in that regard but have always had one significant drawback: They only attempt to reveal direct connection points between the models being mapped. That serves to speed up implementation time for the second model, but is limiting in the degree to which it unlocks the additional value that using that second model could bring.

The other issue that comes up with traditional mapping tools is that they are designed to be used in one direction only. That is, a user looks up an element in model A and finds which element or elements in model B are related. What if you want to start with an element in model B? That element likely exists in multiple places throughout the map and isn’t easy to isolate to determine what in model A is related. These traditional maps are unidirectional.

ISACA and CMMI saw an opportunity in this gap to produce a tool between COBIT 5 and the CMMI maturity model. Called the COBIT 5 CMMI Practices Pathway Tool, it lets users quickly and easily navigate from either COBIT 5 or CMMI and uncover relevant guidance in the other model. This bidirectional capability is unique and will permit users greater flexibility in deriving value from the tool.

The tool is built in Excel to provide access to a larger number of people. It takes advantage of native functionality in Excel and uses filtering to provide a quick and easy means of selecting elements of interest. There also is a guidance document with the tool to better describe its function and use.

The end result will be the ability for business IT practitioners to deliver additional value to their stakeholders.

Integrated Content Libraries – What You Should Know and Questions to Ask

Having worked for most of the “Big Four” as well as several boutique consultancies, I have witnessed a well-marketed shift and the birth of a new industry as it pertains to integrated regulatory content. When I refer to integrated regulatory content, I mean taking statements from individual sources and mapping those to a single control statement. For example, PCI 3.2, Requirement 2.1 states that default account passwords for accounts shipped with a Commercial Off The Shelf (COTS) product should be changed.

Similarly, supplemental guidance from control enhancement 5 of the SA-4 control family of NIST SP 800-53r4 contains very similar control language. In an integrated framework, one would have a single control named something such as “Access Management – Password Management – Default Accounts,” and both the language from NIST 800-53r4 and PCI would be mapped to that single integrated requirement as opposed to managing similar requirements independently across frameworks. This mapping would ostensibly allow one to create controls and control procedures that could reduce testing and compliance efforts within most organizations.

What used to exist in separate, industry-centric silos has now been ported into frameworks with the promise of “test once and satisfy many.” Every risk consulting firm I worked for had a matrix that we tried to leverage to help our customers consolidate controls and testing efforts. Now, we have companies such as the HITRUST Alliance and the Unified Compliance Framework that base their entire business off the integrated content they produce.

We also have consortiums of volunteers such as those that support the Cloud Security Alliance’s Common Controls Matrix. Integrated content is generating tens of millions of dollars a year in content and professional services work, but for 95 percent of the regulatory content out there, it is free to use.

Companies now exist with business based solely upon integrated framework content. As I look at the landscape, there are many attributes of content libraries that one should question before investing in an integrated content library. The list I have generated is as follows:

Who Mapped This?

You want mappings to be done by people who know IT risk, security and controls. Having credible personnel can reduce mismappings and reduce potential doubt as your integrated library further permeates your organization.

Are there proprietary sources in use? If so, do you have the proper licensing with the source bodies?

I have worked for multiple firms that baked ISO, COBIT 5 and other proprietary frameworks into their source content. Where a source document is licensed on a per-copy basis, companies need to ensure they hold more than a single purchased license before its content is used across the organization. Ask the question so there are no surprises or lawsuits as you move forward.

Are there other integrated source libraries mapped?

HITRUST and the CSA CCM are already integrated, so effectively mapping those frameworks to another integrated framework is not feasible. Be wary of anyone that is mapping already integrated frameworks into a proprietary framework, as they likely do not understand the impact such issues have on the data model.

How does content get updated?

Will you receive an email? Will you receive the update in XML or CSV? Is it a feed or manually provided? Will you have to have someone take the data and apply it to your GRC environment and then perform testing to ensure it was applied correctly?

How frequently are updates implemented?

Some content providers do not provide updates. Any upkeep is the responsibility of the client. Others provide quarterly updates and some use an ad-hoc schedule. If you have to be PCI compliant and need that mapped into your framework by a specific timeline, you need to have a good understanding of the timing for when the PCI update will hit your framework or you may have to map manually.

What is your QA process?

What tools and techniques are used to ensure that mappings are comprehensive? What personnel do you have who are qualified to perform content-specific mapping quality assurance? Do you look for issues in copy and paste translations, or do you search for syntax errors? Do you embed HTML in your mapping content? All of these are questions to ask about the quality of what you get from a library.

How many customers do you have in my industry?

Many libraries are heavy on financial services content because financial services is one of the most highly regulated industries. If you are a healthcare entity or industrial power supply organization, ask how many other peer companies use their content and request to speak with representatives of those companies to help reduce headaches down the road.

I do not use 70 percent of the mappings in your library, so why am I paying for them?

Often, I have seen companies paying for a library of 200 sources, but they really only use 30 of those. Ask what the cost is if you just pay for the 30 that you need, as you should not be held to paying for a universe of content that does not apply to your company. Also, I have seen companies using sliding pricing models based upon the company size. A Fortune 50 company may be paying 100 percent more than a smaller entity in some cases. This is another area where speaking with a broad swath of the customer base before you buy can be critical.

Aside from cost, also inquire about how to reduce the noise of the library. Most robust sources have hundreds or thousands of regulatory sources mapped to them. It is likely your organization only needs a percentage of those, so ask how you can ensure that unnecessarily mapped content does not show up in your content universe.

How do new sources get vetted for evaluation into your framework?

Gaining an understanding of the evaluation and mapping process for new sources is important. Often, it’s critical mass that drives a mapping priority, but sometimes it is a high-profile client of the integrated library content provider that gets mapping moved up on the docket. Know the process that applies to your library and get an understanding of what you may need to make your requirements a priority.

What is the data model as it pertains to sources, source sections and control statements?

Understand the relationships that are in place among the decomposed layers of the content library. Some content providers try to differentiate on their library content data model. Getting perspective from a technical resource that understands database relationships can be very useful in this scenario, as they can help to analyze and validate the layout of the content from a relational perspective. This can be important if the data model is overly complex.
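To make the data model question concrete, and to show the bidirectional navigation the Pathway Tool post above describes (start from either model and land on the other), here is an added toy library in Python. It is constructed example code, not ISACA's, CMMI's or any content vendor's tool. The PCI DSS 3.2 Requirement 2.1 and NIST SP 800-53r4 SA-4(5) pair is the post's own example; the `SOURCE:reference` section id format, the control id `AM-PM-DA`, the one-line summaries, the `PCI-3.2:EXAMPLE-SECTION` placeholder and the `section_id,control_id` CSV feed format are all assumptions made for the example. It also carries the "apply the update, then test it" step from the update question: `apply_csv_update` rejects rows naming unknown ids instead of inventing a control, and `validate` reports unmapped sections and dangling source references.

```python
# Constructed example of an integrated control library; not any vendor's tool or data model.
import csv
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    source_id: str
    name: str


@dataclass(frozen=True)
class SourceSection:
    section_id: str  # library-internal key, assumed format "SOURCE:reference"
    source_id: str
    summary: str     # paraphrase only; the source's own wording stays with the source


class ControlLibrary:
    def __init__(self):
        self.sources = {}
        self.sections = {}
        self.controls = {}  # control_id -> integrated control statement name
        # Both directions are indexed, so a lookup can start from either side.
        self._section_to_controls = defaultdict(set)
        self._control_to_sections = defaultdict(set)

    def add_source(self, source):
        self.sources[source.source_id] = source

    def add_section(self, section):
        self.sections[section.section_id] = section

    def add_control(self, control_id, name):
        self.controls[control_id] = name

    def map_section(self, section_id, control_id):
        # Both endpoints must already exist; a typo must not create a phantom control.
        if section_id not in self.sections or control_id not in self.controls:
            raise KeyError(f"unknown endpoint in mapping {section_id} -> {control_id}")
        self._section_to_controls[section_id].add(control_id)
        self._control_to_sections[control_id].add(section_id)

    def controls_for_section(self, section_id):
        return sorted(self._section_to_controls.get(section_id, ()))

    def sections_for_control(self, control_id):
        return sorted(self._control_to_sections.get(control_id, ()))

    def related_sections(self, section_id):
        # Start in model A and land on every other model's sections via the shared controls.
        own_source = self.sections[section_id].source_id
        related = set()
        for control_id in self._section_to_controls.get(section_id, ()):
            for other_id in self._control_to_sections[control_id]:
                if self.sections[other_id].source_id != own_source:
                    related.add(other_id)
        return sorted(related)

    def controls_in_scope(self, source_ids):
        # Reduce noise: keep only controls that an in-scope source actually maps to.
        wanted = set(source_ids)
        return sorted(cid for cid, secs in self._control_to_sections.items()
                      if any(self.sections[s].source_id in wanted for s in secs))

    def validate(self):
        # Integrity check: dangling source ids, unmapped sections, controls with no sources.
        problems = []
        for sec in self.sections.values():
            if sec.source_id not in self.sources:
                problems.append(f"section {sec.section_id} references unknown source {sec.source_id}")
            if not self._section_to_controls.get(sec.section_id):
                problems.append(f"section {sec.section_id} is not mapped to any control")
        for control_id in self.controls:
            if not self._control_to_sections.get(control_id):
                problems.append(f"control {control_id} has no source mappings")
        return problems

    def apply_csv_update(self, csv_text):
        # Apply a "section_id,control_id" feed; rows naming unknown ids are rejected, not guessed.
        applied, rejected = 0, []
        for row in csv.DictReader(csv_text.splitlines()):
            try:
                self.map_section(row["section_id"], row["control_id"])
                applied += 1
            except KeyError:
                rejected.append((row["section_id"], row["control_id"]))
        return applied, rejected


def build_sample_library():
    lib = ControlLibrary()
    lib.add_source(Source("PCI-3.2", "PCI DSS 3.2"))
    lib.add_source(Source("NIST-800-53r4", "NIST SP 800-53 Revision 4"))
    lib.add_section(SourceSection("PCI-3.2:2.1", "PCI-3.2", "Req 2.1: change default COTS account passwords"))
    lib.add_section(SourceSection("NIST-800-53r4:SA-4(5)", "NIST-800-53r4", "SA-4(5) guidance: similar language"))
    lib.add_section(SourceSection("PCI-3.2:EXAMPLE-SECTION", "PCI-3.2", "constructed placeholder, unmapped"))
    lib.add_control("AM-PM-DA", "Access Management - Password Management - Default Accounts")
    lib.map_section("PCI-3.2:2.1", "AM-PM-DA")
    lib.map_section("NIST-800-53r4:SA-4(5)", "AM-PM-DA")
    return lib
```

Calling `build_sample_library().related_sections("PCI-3.2:2.1")` answers the "start from PCI, what does NIST say?" question, and the same call with the NIST id answers the reverse, which a one-way spreadsheet map cannot do without a manual search. Running `validate()` before and after `apply_csv_update` is the check the update question asks for: the placeholder section shows up as unmapped until a feed row maps it, and a feed row with a mistyped id is reported rather than silently applied.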

What, if any, subjective work has been performed on the content that is not germane to the content itself?

The question likely does not make sense upon first reading it, but knowing the answer can be impactful. Once you buy content and begin to integrate it, if you learn facts about the content along the way, it may be too difficult to turn back. For example, some content libraries provide subjective key and non-key control delineations for integrated requirements out of the box. If one begins to implement using those delineations without any rationalization for the control based upon the environment or the system at hand, those definitions could impact testing cycles and associated level of effort. Ask your provider if they have subjectively done anything to their library that may impact your organization’s implementation of the content.

How searchable and filterable is the content?

Get clarity on how the content is presented for consumption and analysis. UCF has a very nice front end that they use to create cuts of library content and produce filterable results. Most libraries I have seen in the past exist in large Excel files where filtering and reporting are limited to Excel’s capabilities. To make effective use of the content, you will likely need to port it into a GRC tool or a database. Make sure to gain perspective on searching and filtering as content is extended to the user.

What are the licensing terms?

If you are paying more than US $10,000 a year for content that is largely free, you are getting taken. When feasible, do not sign up for multi-year agreements, especially initially. Take your first year and learn how the content will impact your organization. Ask if you can try the content for a period of time before purchasing. This gives you time to investigate and perform due diligence.

Will the content stand up in a court of law?

I have spoken to peers who believe that integrated regulatory content, especially from those one-off sources, may have trouble being defended in a court of law should due diligence, due care and compliance questions come into play. Many of my peers feel that in a court system, only those well-respected and industry-vetted sources would be resolute enough to endure scrutiny, so ask your content provider if they have perspective to share on that topic.


Mapping can be difficult and time-intensive. Companies are fearful of a mismapping or a missed mapping, which could call their libraries into question from completeness and accuracy perspectives. Before purchasing integrated content, ask to speak with current customers of the content and dig into the details. You may be surprised at what you find.
