Comparison of IT governance frameworks: COBIT, ITIL, BS7799
1. Comparative Analysis of IT Governance Frameworks
Kanika Vyas | Meghna Verma | Mounica Janupala | Navanita
2. COBIT is a Road Map to Good IT Governance
• COBIT originally stood for "Control Objectives for Information and Related Technology"
• Created by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA) in 1994
• Framework and knowledge repository
• Provides a common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
– Strategic alignment of IT with business goals
– Value delivery of services and new projects
– Risk management
– Resource management
– Performance measurement
3. Features of COBIT
Business Oriented
Process Oriented
Control Objectives
Measurement Driven
Note: I don’t own the rights of images used
6. The COBIT Framework (four domains)
Plan and Organize (PO) • Provides direction to solution delivery (AI) and service delivery (DS)
Acquire and Implement (AI) • Provides the solutions and passes them on to be turned into services
Deliver and Support (DS) • Receives the solutions and makes them usable for end users
Monitor and Evaluate (ME) • Monitors all processes to ensure that the direction provided is followed
8. COBIT Defines Processes, Goals and Metrics: Example
[Figure: relationship amongst process, goals and metrics, illustrated for process DS5 (Ensure Systems Security). Source: COBIT website]
9. Information Technology Infrastructure Library (ITIL)
• The Information Technology Infrastructure Library (ITIL) is a set of guidance developed by the United Kingdom's Office of Government Commerce (OGC)
• The guidance describes an integrated, process-based, best-practice framework for managing IT services.
• ITIL consists of five core publications, one per service lifecycle stage:
Service Strategy • Looks at the overall business aims and expectations, ensuring that the IT strategy is mapped to them appropriately
Service Design • Begins with a set of new or changed business requirements and ends with a solution designed to meet the documented needs of the business
Service Transition • Looks at managing change, risk and quality assurance during the deployment of service designs, so that service operation can manage the services and supporting infrastructure in a controlled manner
Service Operation • Concerned with the business-as-usual activities of keeping services going once they transition into the production environment
Continual Service Improvement (CSI) • Provides an overall view of all the elements from the other books and looks for ways to improve the overall process and service provision
12. ITIL Core Service Management Functions and Processes
• The core of ITIL (in its v2 form) comprises six service support processes and five service delivery processes
• Service support processes are used by the operational level of the organization, whereas the service delivery processes are tactical in nature
13. Benefits of ITIL
• Improve resource utilization
• Be more competitive
• Decrease rework
• Eliminate redundant work
• Improve upon project deliverables and time
• Improve availability, reliability and security of mission-critical IT services
• Justify the cost of service quality
• Provide services that meet business, customer and user demands
• Integrate central processes
• Document and communicate roles and responsibilities in service provision
• Learn from previous experience
• Provide demonstrable performance indicators
14. BS7799 timeline
1993–1995: Consultation
The Code of Practice (COP) becomes BS7799:1995 (implementation, audit, programme)
ISO/IEC 17799:2000: recognition as a suitable platform for information security management (ISM)
BS7799 Part 2: ISMS specification
15. BS7799
"A comprehensive set of controls comprising best practices in information security"
Comprises TWO parts: a code of practice (Part 1, which became ISO/IEC 17799 and later ISO/IEC 27002) and a specification for an information security management system (Part 2, which became ISO/IEC 27001)
Basically… an internationally recognized generic information security standard
Key Terminology
Policy – General regulations everyone must follow; should be short and clear
Standard – Collection of system-specific requirements that must be met
Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended
Procedures – A series of steps to accomplish a task
16. Why is it needed
• "It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce"
• Framework for a comprehensive IT security program
• International standard
• Meshes well with EDUCAUSE/I2 direction
• Certification for the institution is available
17. Sections (Clauses)
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Control in each clause:
• Control objective stating what is to be achieved
• One or more controls to achieve the objective
• Each control contains: a control statement; implementation guidance (the details); other information
18. BS7799 Part 1 is now ISO/IEC 17799:2000
– Incorporates good security practice, with 127 security guidelines (which can be drilled down to provide over 600 other controls)
BS7799 Part 2
– A framework for an ISMS, which is the means by which senior management monitor and control their security, minimise risk and ensure compliance
19. Management Framework: ISMS
Step 1 – Define the policy (output: Policy Document)
Step 2 – Define the scope of the ISMS (output: Scope of ISMS)
Step 3 – Undertake risk assessment (RA) (outputs: Information Assets; Risk Assessment Results & Conclusions)
Step 4 – Manage risk
Step 5 – Select controls (outputs: Selected Control Objectives; Additional Controls)
Step 6 – Prepare the Statement of Applicability (output: Statement of Applicability)
20. Other Benefits:
Enables ISM to be addressed in practical, cost-effective, realistic
and comprehensive manner
Establishes mutual trust between networked sites
Enhances Quality Assurance
Demonstrates a high, and appropriate, standard of security
Increases the ability to manage and survive a disaster
21. Benefits
• Defines responsibilities, assesses risk; cheaper insurance premiums
• Higher quality of service to LIC, as processes are thought through with risk assessments
• Continuous assessment and more efficient operations
• Higher staff morale and a greater sense of knowing what to do in the event of a crisis
• Is it necessary to seek ISO 17799 accreditation? Some Registries have done it, but it is not essential to be accredited; it is useful to follow the guidelines. (Note that formal certification is against the ISMS specification, BS7799 Part 2 / ISO 27001; the code of practice itself is not a certifiable standard.)
22. Companies Using BS7799
• Financial Service Sector
• Management of Medical Organization Information Security
• Newcastle Building Society
23. Comparison

Area            | COBIT                               | ITIL                                | ISO 27001
Function        | Mapping IT processes                | Mapping IT service level management | Information security framework
Coverage        | 4 domains and 34 processes          | 9 processes                         | 10 domains (11 clauses in the 2005 edition)
Issuer          | ISACA                               | OGC                                 | ISO
Implementation  | Information systems audit           | Manage service levels               | Compliance with the security standard
Consultant      | Accounting firm, IT consulting firm | IT consulting firm                  | IT consulting firm, security firm, network consultant
24. COBIT vs ITIL [In Conjunction]
• ITIL was designed as a service management framework to help you understand how you support processes and how you deliver services
• COBIT was designed as an IT governance model, particularly and initially with audit in mind, to give you control objectives and control practices for how each process should behave
• The difference between the two is that COBIT tells you what you should be doing, while ITIL tells you how you should be doing it
• Put them together, and you have a very powerful model of what you need to be doing and how you need to be doing it, when it comes to your process management
25. None of these frameworks is in competition with the others; in fact, it is best if they are used together.
– ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
– ITIL focuses on IT processes, not on security
– COBIT focuses on controls and metrics, not as much on security
So a combination of all three is usually the best approach. COBIT can be used to determine whether the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to determine and improve the company's security posture. And ITIL can be used to improve IT processes to meet the company's goals (including security).