﻿<?xml version="1.0" encoding="UTF-8"?>
<!--RSS generated by Windows SharePoint Services V3 RSS Generator on 5/22/2013 12:14:09 AM-->
<?xml-stylesheet type="text/xsl" href="/Knowledge-Center/Blog/_layouts/RssXslt.aspx?List=ef7cbc6d-9997-4b62-96a4-a36fb7e171af" version="1.0"?>
<rss version="2.0">
  <channel>
    <title>ISACA Now: Posts</title>
    <link>http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx</link>
    <description>RSS feed for the Posts list.</description>
    <lastBuildDate>Wed, 22 May 2013 05:14:09 GMT</lastBuildDate>
    <generator>Windows SharePoint Services V3 RSS Generator</generator>
    <ttl>60</ttl>
    <image>
      <title>ISACA Now: Posts</title>
      <url>/Knowledge-Center/Blog/_layouts/images/homepage.gif</url>
      <link>http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx</link>
    </image>
    <item>
      <title>COBIT...the meta-framework</title>
      <link>http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=301</link>
      <description><![CDATA[<div><b>Body:</b> <div class=ExternalClass3DFA5FBF672B44A8847ACF6201771D12>
<p><img border=0 hspace=4 alt="Rob England" vspace=4 align=left src="/Knowledge-Center/Blog/Lists/Photos/rob-england.jpg">My default source of IT good practice is <a href="/cobit/pages/default.aspx"><strong>COBIT</strong></a>. It is my meta-framework: the framework I use to structure all other bodies of knowledge. As a consultant, COBIT is my first choice for my engagements. I go to it first to assess, to frame, to define, to justify, to audit. I turn to other bodies of knowledge (BoKs) such as ITIL, Prince2, PMBOK, e-CF, or USMBOK when I need more detail. </p>
<p>For me, it is a no-brainer to reach for COBIT first and most often:</p>
<ol>
<li><b>Purpose</b>. COBIT is an IT practice (and now governance) framework. It is intended to be a comprehensive description of all IT practices. It may not do that perfectly, but it comes much closer than other BoKs, which all have their own particular bias or slant or area of interest. Which leads us to...</li>
<li><b>Coverage</b>. COBIT covers more practices than any other BoK except USMBOK.</li>
<li><b>Rigour</b>. Not all BoKs are as systematically structured as COBIT. For example, ITIL's narrative style (no…really…compared to other frameworks, ITIL is downright chatty) may appeal, but as a foundation for my consulting activities, the rigour and structure of COBIT is more dependable and useful. COBIT is systematically numbered, and every entity has a consistent structure. I actually find the formal COBIT structure much easier to use: I find answers more quickly, I get clearer concepts with less confusion, and I frame things readily.</li>
<li><b>Benchmark</b>. You can assess against COBIT; it has clearly defined requirements.</li>
<li><b>Credibility</b>. COBIT is written by a team, not a couple of authors per book. The same team for all the books. And then the list of all COBIT contributors and reviewers runs to pages. It is owned and published by a <a href="/About-ISACA/What-We-Offer-Whom-We-Serve/Pages/default.aspx"><strong>not-for-profit membership body</strong></a> set up and run by auditors, process geeks and security wonks. Its governance (and discretion) rocks.</li>
<li><b>Accessibility</b>. COBIT is low cost. There are fairly loose copyright and trademark constraints for use by consultants and vendors. You can subscribe to an interactive personalised online version (only COBIT 4.1 for now).</li>
<li><b>Novelty</b>. COBIT is of course not &quot;new&quot; any more than ITIL was when the world &quot;discovered&quot; it a decade ago. But COBIT has yet to be a fad, and the world is ready for a new fad. I think COBIT is IT's next silver bullet.  That is, of course, not a good thing and will need to be managed, but if it is true it will certainly kick along COBIT adoption.</li>
<li><b>Governance</b>. COBIT will be embraced because the realisation is dawning that <a href="/Knowledge-Center/Research/Pages/Cloud.aspx"><strong>cloud</strong></a> and <a href="/Journal/Past-Issues/2010/Volume-3/Pages/IT-Audits-of-Cloud-and-Saas.aspx"><strong>SaaS</strong></a> and <a href="/Search/Pages/DefaultResults.aspx?k=byod&amp;s=Site%20Content&amp;start1=0&amp;ct=Site&amp;cs=Volume%203&amp;scopes=People%2cSite%20Content%2cConversations"><strong>BYOD</strong></a> are business decisions—not IT decisions—and that therefore it is high time the organisation as a whole stepped up to its responsibilities for IT instead of abdicating and blaming IT. <a href="http://www.itskeptic.org/organisations-have-failed-their-it-bad-parents" target="_blank"><strong>Organisations have failed their IT like bad parents</strong></a>. The road to redemption is better enterprise-level governance of IT, and that's what COBIT 5 is all about. ITIL V3 <i>Service Strategy</i> actually talks about governance quite a lot but, seemingly, nobody has read it. COBIT has the governance high ground.</li></ol>
<p>I encourage everyone in IT to have a copy of <a href="/cobit"><strong>COBIT 5</strong></a> at hand. I use COBIT:</p>
<ul>
<li>As a structure for framing any IT/management/thinking</li>
<li>To assess or audit, as it is a checklist for any form of review (process-capability assessment, current-state review, document audit, process audit, etc.) </li>
<li>To define descriptions of practices and their deliverables; to define an input to role descriptions, especially the RACI responsibility matrices; to define management and governance mechanisms (fleshed out, when necessary, with other sources such as ITIL)</li>
<li>To justify, as it is an authoritative reference for IT &quot;best practice&quot;</li></ul>
<p>Rob England B.Sc., MIITP, ITCP<br>Independent IT management consultant<br>Author<br><a href="http://www.itskeptic.org/" target="_blank"><strong>The IT Skeptic blogger</strong></a> </p>
<p>Continue the conversation…engage with your peers in the <a href="/Groups/Professional-English/cobit-5-use-it-effectively/Pages/Overview.aspx"><strong>COBIT 5-Use It Effectively</strong></a> topic in ISACA’s Knowledge Center. </p></div></div>
<div><b>Category:</b> Audit-Assurance</div>
<div><b>Published:</b> 5/21/2013 3:54 PM</div>
]]></description>
      <author>ISACA News</author>
      <category>Audit-Assurance</category>
      <pubDate>Tue, 21 May 2013 20:10:51 GMT</pubDate>
      <guid isPermaLink="true">http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=301</guid>
    </item>
    <item>
      <title>Big data defined</title>
      <link>http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=299</link>
      <description><![CDATA[<div><b>Body:</b> <div class=ExternalClassF743ED462C9C476C86B0D59E480D680A>
<p><img border=0 hspace=8 alt="Mario Bojilov" vspace=4 align=left src="/Knowledge-Center/Blog/Lists/Photos/mario-bojilov.jpg">There are a number of definitions of big data presently being used. The origins of the term come from a <a href="http://blogs.gartner.com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf" target="_blank"><strong>2001 paper by Doug Laney</strong></a> of Meta Group. In the paper, Laney defines big data as data sets where the three Vs—<em>volume, velocity and variety</em>—present specific challenges in managing these data sets. </p>
<p><strong>Velocity</strong> refers to the speed with which data is created. And, this speed has been increasing dramatically. Looking at the infographic below, we can see some staggering examples of data velocity: each minute, 48 hours of video are uploaded to YouTube, Twitter users send 100,000 tweets and Instagram users share 3,600 photos. <br> </p>
<p align=center><br><img border=0 hspace=4 alt="Figure 1" vspace=4 src="/Knowledge-Center/Blog/Lists/Photos/M-Bojilov-fig1.jpg"><br>Figure 1 (Source: <a href="http://www.domo.com/blog/2012/06/how-much-data-is-created-every-minute/?dkw=socf3" target="_blank"><strong>Domo.com</strong></a>)</p>
<p>Velocity is also quickly becoming the key aspect of big data that warrants management. Visitors to LinkedIn, for example, are not prepared to wait more than a few seconds for the “People You May Know” screen to display. For speedy results, LinkedIn needs to process terabytes of data (and do it fast).</p>
<p><strong>Variety</strong>, as we can see, is the result of all this activity not being limited to certain types of data. We, as connected citizens of the world, now create and consume video, audio and photos in various formats. We tweet. We blog. </p>
<p>At the same time, various organisations are collecting and storing more and more of the data produced by their corporate systems in order to get better insights into their businesses and to enable easier interaction with partners and customers. And, a number of “intelligent” devices, such as water- or electricity-meters, generate types of data specific to their industry, application or design. </p>
<p>Variety of data requires new ways of storing and accessing it. Traditional databases are no longer adequate for a number of these tasks and that’s the reason new tools and frameworks are coming onto the market. Examples include <a href="http://hadoop.apache.org/" target="_blank"><strong>Hadoop</strong></a>, <a href="http://cassandra.apache.org/" target="_blank"><strong>Cassandra</strong></a> and <a href="http://www.mongodb.org/" target="_blank"><strong>MongoDB</strong></a>.</p>
<p><strong>Volume</strong> is the natural consequence of velocity and variety and is somewhat of a moving target. Often we expect to be able to nominate a specific boundary, e.g. 5TB, 1PB*, etc., beyond which we can start talking about big data. But with ever-increasing “creator” activity and, consequently, data volumes, it is difficult to say, “We have accumulated 1.5PB of data, so we now need to start thinking about big data.” If we do this, we will have to change definitions every few months and it will be almost impossible to write business cases and get them approved.</p>
<p>In my view, quite often, big data is in the eye of the beholder. If an organisation is starting to encounter limitations from its current data-processing infrastructure, then it is time to get involved with big data, especially when these challenges cannot be addressed through “brute force”, e.g. buying more storage, RAM, etc.</p>
<p>Here is a personal example—a number of years ago, I was responsible for the implementation of a high-volume transaction-monitoring system for a lottery. As part of the project, we wanted to store the sales information for each product line, product, day and location separately, enabling us to quicken the production of various reports and allow for drill-downs along the above parameters. </p>
<p>Initially, I decided to put everything into a four-dimensional array and use it to produce necessary reports. One small problem—the compiler could not process the source code. We simply hit some hardware limitations and using “brute force” by just throwing more RAM wouldn’t suffice. This was a very similar situation to today’s big data challenges, although the volumes were not as high as today.</p>
<p>What is big data? Simply put, it is data sets that—due to their size (volume), the speed they are created with (velocity), and the type of information they contain (variety)—are pushing the existing infrastructure to its limits.</p>
<p>In subsequent ISACA Now Blog posts, I will address the rise of big data and explore how it is changing our lives in some unusual ways. </p>
<p><a href="http://www.linkedin.com/in/mariobojilov" target="_blank"><strong>Mario Bojilov</strong></a><br>Meta Business Systems founder <br>President, Board of ISACA-Brisbane </p>
<p>*1PB = 1,024TB = 1,048,576GB</p>
<p><small><font size=2>Note: For more information on big data, download ISACA’s free white paper </font><a href="/Knowledge-Center/Research/ResearchDeliverables/Pages/Big-Data-Impacts-and-Benefits.aspx"><strong><font size=2>here</font></strong></a><font size=2> or visit the </font><a href="/Groups/Professional-English/big-data/Pages/Overview.aspx"><strong><font size=2>Big Data topic</font></strong></a><font size=2> in ISACA’s Knowledge Center.</font></small></p></div></div>
<div><b>Category:</b> Audit-Assurance</div>
<div><b>Published:</b> 5/17/2013 1:54 PM</div>
]]></description>
      <author>ISACA News</author>
      <category>Audit-Assurance</category>
      <pubDate>Fri, 17 May 2013 18:28:21 GMT</pubDate>
      <guid isPermaLink="true">http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=299</guid>
    </item>
    <item>
      <title>Meet Your Board Members:  Christos Dimitriadis</title>
      <link>http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=298</link>
      <description><![CDATA[<div><b>Body:</b> <div class=ExternalClass4FE2C8852AB74993ABE6C3C1543B9689>
<p><img border=0 hspace=4 alt="International Vice President Christos Dimitriadis" vspace=4 align=left src="/Knowledge-Center/Blog/Lists/Photos/Dimitriadis-Christos-photo-2012.jpg">Today’s ISACA Now post profiles International Vice President <strong>Christos Dimitriadis, Ph.D., CISA, CISM, CRISC</strong>, the head of information security at Greece’s INTRALOT GROUP. Christos is chair of ISACA’s COBIT Security Task Force and has served as chair of ISACA’s External Relations Committee and as a member of the Relations Board, Academic Relations Committee, <em>ISACA Journal</em> Editorial Committee and Business Model for Information Security Work Group.</p>
<p><b>ISACA: Describe your professional background. <br></b>Christos: I have been conducting research in information security since 1996, when studying at the University of Patras, Greece. When developing my diploma thesis, I studied risks for mobile operators, assessing companies and developing case studies. This was more or less my initiation in the profession. When I completed my five-year studies and received my diploma, I decided to gain more expertise through Ph.D. studies on 3G and 4G security, also involving research in identity management, biometrics, honeynets and gaming theory in mobile security.</p>
<p>In 2000, I started working for a consultancy company, providing services in information security in Europe. And in 2007 I decided to take a CISO position at INTRALOT, a multinational supplier of gaming and transactional systems.</p>
<p><b>ISACA: What are your duties at INTRALOT? <br></b>Christos: My responsibilities include managing information security at a group level in 53 countries in all continents. I develop the corporate information security strategy and I coordinate departments around the world in order for information security to act as a business enabler. This covers all business processes of INTRALOT, from operational security to products and technology.</p>
<p><b>ISACA: Why are you an ISACA member? <br></b>Christos: I became an ISACA member when I realized the need to continually update my expertise and collaborate with security professionals around the world. ISACA gives me the opportunity to learn the state of the art, to get answers to problems that trouble me and for which other ISACA members have practical solutions. One very important reason is the understanding of cultures around the world that give different perspectives to information security. Since becoming a volunteer, I have enjoyed even more benefits, since I have had the opportunity to shape the profession and cooperate with high-profile experts from around the world. My CISA, CISM and CRISC certifications have added to my expertise and are greatly appreciated by my employers and their clients.</p>
<p><b>ISACA: How long have you been on ISACA’s board? <br></b>Christos: I was originally elected vice president in 2010. This term, 2012-2013, is my third. I am really honored.</p>
<p><b>ISACA: Why did you want to be an ISACA board member? <br></b>Christos: The main reason for serving on the board is my strong belief that ISACA is a unique association that provides huge benefits and opportunities to professionals, the organizations they are working for, as well as the information technology community as a whole. Serving on the board gives me the opportunity to contribute to ISACA and the community at a strategic level, shaping the future of the association based on the needs of the community.</p>
<p><b>ISACA: Describe your life outside of work. <br></b>Christos: Most of the time I travel around the world, visiting INTRALOT companies and participating in ISACA meetings and events. When at home in Greece, my hobbies include sailing, kite-boarding and snowboarding. These sports help me clear my mind and relax. They are also activities that require high discipline, training, preparation and study of new technologies and configuration in equipment and handling. (Sound familiar? They follow the same principles with IT and information security and one’s ability to be proactive and prepared makes a difference when it comes to threats. A well-governed organization makes difficult tasks look smooth and easy. The same can be seen in a professional athlete…nothing is left to luck. It’s all about being ready.) I also enjoy spending time with family and friends. </p>
<p><b>ISACA: You travel a great deal. Do you see different approaches to IT in different parts of the world? <br></b>Christos: Although the main principles are the same, there are two factors that make a huge difference—culture and regulation. The way companies operate and do business depends on the national, corporate and societal culture they operate in. Regulation is also diverse, dictating different needs. These factors alone, since they are primary business drivers, impact IT, operations, processes and security.</p>
<p><b>ISACA: What advice do you give to young professionals entering this field? <br></b>Christos: My advice is to continuously try and gain access to information and trends. Be well-informed and try to understand and estimate what is coming in the future. Participate in international networks. Exchange opinions. Be active. This is why I believe ISACA makes a difference—because it provides tools to knowledge by deploying an international network.</p>
<p><b>ISACA: What unique opportunities and challenges do you see over the next year? <br></b>Christos: I believe that this year we will be facing even more challenges that one should see as opportunities. The economic crisis, for example, is still a problem that many organizations have to deal with. There is a huge opportunity in 2013 to achieve a balance in risk and value by providing governance, management, IT and security solutions that are more cost-effective and efficient. If this is achieved, professionals and their organizations will realize huge benefits. </p>
<p><i>For a full list of ISACA board members and their biographies, visit </i><a href="/board"><b><i>www.isaca.org/board</i></b></a><i>. To view past board profiles, click on a name below:</i></p>
<p><strong><a href="/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=289"><i>Juan Luis Carselle</i></a></strong><br><a href="/Knowledge-Center/Blog/Lists/Posts/Post.aspx?List=ef7cbc6d-9997-4b62-96a4-a36fb7e171af&amp;ID=278&amp;Source=http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx"><b><i>Ramsés Gallego</i></b></a><br><a href="/Knowledge-Center/Blog/Lists/Posts/Post.aspx?List=ef7cbc6d-9997-4b62-96a4-a36fb7e171af&amp;ID=274&amp;Source=http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx"><b><i>Krysten McCabe</i></b></a></p>
</div></div>
<div><b>Category:</b> Audit-Assurance</div>
<div><b>Published:</b> 5/14/2013 4:20 PM</div>
]]></description>
      <author>ISACA News</author>
      <category>Audit-Assurance</category>
      <pubDate>Tue, 14 May 2013 19:50:09 GMT</pubDate>
      <guid isPermaLink="true">http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=298</guid>
    </item>
  </channel>
</rss>