Comparative Analysis of IT Governance Frameworks
Kanika Vyas | Meghna Verma | Mounica Janupala | Navanita
COBIT is a Road Map to Good IT Governance
• COBIT originally stood for "Control Objectives for Information and Related Technology"
• Created by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA) in 1994
• Framework and knowledge repository
• Provides a common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
  – Strategic alignment of IT with business goals
  – Value delivery of services and new projects
  – Risk management
  – Resource management
  – Performance measurement
Features of COBIT
• Business Oriented
• Process Oriented
• Control Objectives
• Measurement Driven

Note: I don't own the rights to the images used
Harmonizing the Elements of IT Governance
[Figure: elements of IT governance, including resource management]

The COBIT Framework
[Figure. Source: COBIT website]
The COBIT Framework
• Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI): provides the solutions and passes them on to be turned into services
• Deliver and Support (DS): receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed
The COBIT Framework – 34 processes
COBIT Defines Processes, Goals and Metrics: Example
[Figure: relationship amongst process, goals and metrics (DS5). Source: COBIT website]
Information Technology Infrastructure Library (ITIL)
• The Information Technology Infrastructure Library (ITIL) is a set of guidance developed by the United Kingdom's Office of Government Commerce (OGC)
• The guidance describes an integrated, process-based, best-practice framework for managing IT services.
• ITIL consists of 5 core strategies:
  – Service Strategy: looks at the overall business aims and expectations, ensuring that the IT strategy is mapped appropriately
  – Service Design: begins with a set of new or changed business requirements and ends with a solution designed to meet the documented needs of the business
  – Service Transition: looks at managing change, risk and quality assurance during the deployment of service designs so that service operations can manage the services and supporting infrastructure in a controlled manner
  – Service Operation: concerned with the business-as-usual activities of keeping services going once they transition into the production environment
  – Continual Service Improvement (CSI): provides an overall view of all the elements from the other books and looks for ways to improve the overall process and service provision
Service Lifecycle & Positioning
SOA-ITIL Governance Synergy
ITIL Core Service Management Functions and Processes
• The core of ITIL comprises six service support processes and five service delivery processes
• Service support processes are used by the operational level of the organization, whereas the service delivery processes are tactical in nature
Benefits of ITIL
• Improve resource utilization
• Be more competitive
• Decrease rework
• Eliminate redundant work
• Improve upon project deliverables and time
• Improve availability, reliability and security of mission-critical IT services
• Justify the cost of service quality
• Provide services that meet business, customer and user demands
• Integrate central processes
• Document and communicate roles and responsibilities in service provision
• Learn from previous experience
• Provide demonstrable performance indicators
BS7799
[Timeline figure]
• 1993–1995: Consultation
• COP (code of practice) becomes BS7799:1995 (Implementation, Audit, Programme)
• ISO/IEC 17799:2000
• Recognition as a suitable platform for ISM
• BS7799 Part 2: ISMS
BS7799
• "A comprehensive set of controls comprising best practices in information security"
• Comprises TWO parts: a code of practice (ISO 17799) and a specification for an information security management system (ISO 27001)
• Basically… an internationally recognized generic information security standard
Key Terminology
• Policy – General regulations everyone must follow; should be short and clear
• Standard – Collection of system-specific requirements that must be met
• Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended
• Procedures – A series of steps to accomplish a task
Why is it needed?
• "It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce"
• Framework for a comprehensive IT security program
• International standard
• Meshes well with EDUCAUSE/I2 direction
• Certification for institutions available
Sections (Clauses)
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

Control in each clause
• Control objective stating what is to be achieved
• One or more controls to achieve the objective
• Each control contains:
  – Control statement
  – Implementation guidance (the details)
  – Other information
BS7799 Part 1 is now ISO/IEC 17799:2000
– Incorporates good security practice, with 127 security guidelines (which can be drilled down to provide over 600 other controls)

BS7799 Part 2
– A framework for an ISMS, which is the means by which senior management monitor and control their security, minimise risk and ensure compliance
Management Framework: ISMS
• Step 1: Define the Policy → output: Policy Document
• Step 2: Define Scope of ISMS → output: Scope of ISMS, Information Assets
• Step 3: Undertake RA (risk assessment) → output: Risk Assessment Results & Conclusions
• Step 4: Manage Risk
• Step 5: Select Controls → output: Selected Control Objectives, Additional Controls
• Step 6: Statement of Applicability → output: Statement
Other Benefits:
• Enables ISM to be addressed in a practical, cost-effective, realistic and comprehensive manner
• Establishes mutual trust between networked sites
• Enhances Quality Assurance
• Demonstrates a high, and appropriate, standard of security
• Increases the ability to manage and survive a disaster

Benefits
• Define responsibilities, assess risk, cheaper insurance premiums
• Higher quality of service to LIC as processes are thought through with risk assessments
• Continuous assessment and more efficient operations
• Higher staff morale and a greater sense of knowing what to do in the event of a crisis
• Is it necessary to seek ISO17799 accreditation? Some Registries have done it, but it is not essential to be accredited; it is useful to follow the guidelines

Companies Using BS7799
• Financial Service Sector
• Management of Medical Organization Information Security
• Newcastle Building Society
Comparison

AREA           | COBIT                               | ITIL                                | ISO27001
---------------|-------------------------------------|-------------------------------------|------------------------------------------------------
Function       | Mapping IT Process                  | Mapping IT Service Level Management | Information Security Framework
Area           | 4 Domains and 34 Processes          | 9 Process                           | 10 Domain
Issuer         | ISACA                               | OGC                                 | ISO Board
Implementation | Information System Audit            | Manage Service Level                | Compliance to security standard
Consultant     | Accounting Firm, IT Consulting Firm | IT Consulting firm                  | IT Consulting firm, Security Firm, Network Consultant
COBIT vs ITIL [In Conjunction]
• ITIL was designed as a service management framework to help you understand how you support processes and how you deliver services
• COBIT was designed as an IT governance model, particularly and initially with audit in mind, to give you control objectives and control practices for how that process should behave
• The difference between the two is that COBIT tells you what you should be doing, while ITIL tells you how you should be doing it
• Put them together, and you have a very powerful model of what you need to be doing and how you need to be doing it when it comes to your process management

None of these frameworks is in competition with the others; in fact, it is best if they are used together.
– ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
– ITIL focuses on IT processes, not on security
– COBIT focuses on controls and metrics, not as much on security

So, a combination of all three is usually the best approach. COBIT can be used to determine if the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to determine and improve upon the company's security posture. And ITIL can be used to improve IT processes to meet the company's goals (including security).

Comparison of IT governance framework-COBIT, ITIL, BS7799

Weitere ähnliche Inhalte

Was ist angesagt?

Qap cobit2019-20181111
Qap cobit2019-20181111Qap cobit2019-20181111
Qap cobit2019-20181111Patrick Soenen
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACAMDFazlaRabbiAbir
 
Ict Vision And Strategy Development
Ict Vision And Strategy DevelopmentIct Vision And Strategy Development
Ict Vision And Strategy DevelopmentAlan McSweeney
 
Dss construction: Development Process (SDLC and Prototyping)
Dss construction: Development Process (SDLC and Prototyping)Dss construction: Development Process (SDLC and Prototyping)
Dss construction: Development Process (SDLC and Prototyping)Tawish Lone
 
Internet of things (iot)
Internet of things (iot)Internet of things (iot)
Internet of things (iot)shubhamyadav613
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...Arab Federation for Digital Economy
 
Non Fungible Tokens (NFT) Yearly Report - 2018
Non Fungible Tokens (NFT) Yearly Report - 2018Non Fungible Tokens (NFT) Yearly Report - 2018
Non Fungible Tokens (NFT) Yearly Report - 2018NonFungible.com
 
Iot-Internet-of-Things-ppt.pptx
Iot-Internet-of-Things-ppt.pptxIot-Internet-of-Things-ppt.pptx
Iot-Internet-of-Things-ppt.pptxTata321168
 
HSC IT - Cyber Law and Ethics part 2
HSC IT - Cyber Law and Ethics part 2HSC IT - Cyber Law and Ethics part 2
HSC IT - Cyber Law and Ethics part 2Vikas Saw
 
INDIAN CYBERLAW AND SECURITY
INDIAN CYBERLAW AND SECURITYINDIAN CYBERLAW AND SECURITY
INDIAN CYBERLAW AND SECURITYpattok
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaEvan Pathiratne
 
DOD EA conference DoDAF in Action
DOD EA conference DoDAF in ActionDOD EA conference DoDAF in Action
DOD EA conference DoDAF in ActionPaul W. Johnson
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 

Was ist angesagt? (20)

Qap cobit2019-20181111
Qap cobit2019-20181111Qap cobit2019-20181111
Qap cobit2019-20181111
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
Ict Vision And Strategy Development
Ict Vision And Strategy DevelopmentIct Vision And Strategy Development
Ict Vision And Strategy Development
 
Dss construction: Development Process (SDLC and Prototyping)
Dss construction: Development Process (SDLC and Prototyping)Dss construction: Development Process (SDLC and Prototyping)
Dss construction: Development Process (SDLC and Prototyping)
 
NFT Explained
NFT ExplainedNFT Explained
NFT Explained
 
Internet of things (iot)
Internet of things (iot)Internet of things (iot)
Internet of things (iot)
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...
 
Introduction to cyber law.
Introduction to cyber law. Introduction to cyber law.
Introduction to cyber law.
 
Non Fungible Tokens (NFT) Yearly Report - 2018
Non Fungible Tokens (NFT) Yearly Report - 2018Non Fungible Tokens (NFT) Yearly Report - 2018
Non Fungible Tokens (NFT) Yearly Report - 2018
 
CMMi & IT Governance
CMMi & IT GovernanceCMMi & IT Governance
CMMi & IT Governance
 
Iot-Internet-of-Things-ppt.pptx
Iot-Internet-of-Things-ppt.pptxIot-Internet-of-Things-ppt.pptx
Iot-Internet-of-Things-ppt.pptx
 
HSC IT - Cyber Law and Ethics part 2
HSC IT - Cyber Law and Ethics part 2HSC IT - Cyber Law and Ethics part 2
HSC IT - Cyber Law and Ethics part 2
 
INDIAN CYBERLAW AND SECURITY
INDIAN CYBERLAW AND SECURITYINDIAN CYBERLAW AND SECURITY
INDIAN CYBERLAW AND SECURITY
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri Lanka
 
DOD EA conference DoDAF in Action
DOD EA conference DoDAF in ActionDOD EA conference DoDAF in Action
DOD EA conference DoDAF in Action
 
Iot and ethics
Iot and ethicsIot and ethics
Iot and ethics
 
IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008IT Act 2000 & IT Act 2008
IT Act 2000 & IT Act 2008
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
SABSA overview
SABSA overviewSABSA overview
SABSA overview
 

Ähnlich wie Comparison of it governance framework-COBIT, ITIL, BS7799

Frameworks For Predictability
Frameworks For PredictabilityFrameworks For Predictability
Frameworks For Predictabilitytlknecht
 
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptxBambangEkoSantoso
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and ismsSeptafiansyah P
 
Msp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery ProcessMsp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery Processkadhar_masthan
 
Virtualization infrastructure governance policies Gargee S Hiray
Virtualization infrastructure governance policies  Gargee S HirayVirtualization infrastructure governance policies  Gargee S Hiray
Virtualization infrastructure governance policies Gargee S HirayGargee Hiray
 
Taming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILTaming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILAFCOM
 
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF aqel aqel
 
How Your Organization Can Become ISO Certified...It's easier than you think
How Your Organization Can Become ISO Certified...It's easier than you thinkHow Your Organization Can Become ISO Certified...It's easier than you think
How Your Organization Can Become ISO Certified...It's easier than you thinkITSM Academy, Inc.
 
ITIL version 2: Foundation Training
ITIL version 2: Foundation TrainingITIL version 2: Foundation Training
ITIL version 2: Foundation Trainingjogemwind
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799Mulyadi Yusuf
 
Allstate- Cathy Kirch- Release -Final
Allstate- Cathy Kirch- Release -FinalAllstate- Cathy Kirch- Release -Final
Allstate- Cathy Kirch- Release -FinalCathy Kirch
 
IT Management Toolkit - ITIL Is Not Enough
IT Management Toolkit - ITIL Is Not EnoughIT Management Toolkit - ITIL Is Not Enough
IT Management Toolkit - ITIL Is Not EnoughAhmed Al-Hadidi
 

Ähnlich wie Comparison of it governance framework-COBIT, ITIL, BS7799 (20)

Frameworks For Predictability
Frameworks For PredictabilityFrameworks For Predictability
Frameworks For Predictability
 
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx
20180530123152_PPT8-TOPIK8-R0-IT Governance Instruments.pptx
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and isms
 
Msp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery ProcessMsp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery Process
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
Cobit 4.1 indri
Cobit 4.1 indriCobit 4.1 indri
Cobit 4.1 indri
 
Virtualization infrastructure governance policies Gargee S Hiray
Virtualization infrastructure governance policies  Gargee S HirayVirtualization infrastructure governance policies  Gargee S Hiray
Virtualization infrastructure governance policies Gargee S Hiray
 
Taming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILTaming the DCIM Wave with ITIL
Taming the DCIM Wave with ITIL
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
 
Chapter 1 Security Framework
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security Framework
 
How Your Organization Can Become ISO Certified...It's easier than you think
How Your Organization Can Become ISO Certified...It's easier than you thinkHow Your Organization Can Become ISO Certified...It's easier than you think
How Your Organization Can Become ISO Certified...It's easier than you think
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
 
Donna Febriani
Donna FebrianiDonna Febriani
Donna Febriani
 
ITIL version 2: Foundation Training
ITIL version 2: Foundation TrainingITIL version 2: Foundation Training
ITIL version 2: Foundation Training
 
Co5bit
Co5bitCo5bit
Co5bit
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799
 
Allstate- Cathy Kirch- Release -Final
Allstate- Cathy Kirch- Release -FinalAllstate- Cathy Kirch- Release -Final
Allstate- Cathy Kirch- Release -Final
 
IT Management Toolkit - ITIL Is Not Enough
IT Management Toolkit - ITIL Is Not EnoughIT Management Toolkit - ITIL Is Not Enough
IT Management Toolkit - ITIL Is Not Enough
 

Mehr von Meghna Verma

Global Talent Crisis
Global Talent CrisisGlobal Talent Crisis
Global Talent CrisisMeghna Verma
 
Book Review-Blue Ocean Strategy
Book Review-Blue Ocean StrategyBook Review-Blue Ocean Strategy
Book Review-Blue Ocean StrategyMeghna Verma
 
Study on the organizational design of bharti airtel
Study on the organizational design of bharti airtelStudy on the organizational design of bharti airtel
Study on the organizational design of bharti airtelMeghna Verma
 
Strategic analysis of apple
Strategic analysis of appleStrategic analysis of apple
Strategic analysis of appleMeghna Verma
 
Ibm mentorship program analysis
Ibm mentorship program analysisIbm mentorship program analysis
Ibm mentorship program analysisMeghna Verma
 
Cross Cultural Analysis- Canada
Cross Cultural Analysis- CanadaCross Cultural Analysis- Canada
Cross Cultural Analysis- CanadaMeghna Verma
 

Mehr von Meghna Verma (6)

Global Talent Crisis
Global Talent CrisisGlobal Talent Crisis
Global Talent Crisis
 
Book Review-Blue Ocean Strategy
Book Review-Blue Ocean StrategyBook Review-Blue Ocean Strategy
Book Review-Blue Ocean Strategy
 
Study on the organizational design of bharti airtel
Study on the organizational design of bharti airtelStudy on the organizational design of bharti airtel
Study on the organizational design of bharti airtel
 
Strategic analysis of apple
Strategic analysis of appleStrategic analysis of apple
Strategic analysis of apple
 
Ibm mentorship program analysis
Ibm mentorship program analysisIbm mentorship program analysis
Ibm mentorship program analysis
 
Cross Cultural Analysis- Canada
Cross Cultural Analysis- CanadaCross Cultural Analysis- Canada
Cross Cultural Analysis- Canada
 

Kürzlich hochgeladen

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Kürzlich hochgeladen (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Comparison of it governance framework-COBIT, ITIL, BS7799

  • 1. Comparative Analysis of IT Governance Frameworks Kanika Vyas | Meghna Verma | Mounica Janupala | Navanita
  • 2. COBIT is a Road Map to Good IT Governance
    • COBIT originally stood for "Control Objectives for Information and Related Technology"
    • Created by IT Governance Institute and the Information Systems Audit and Control Association (ISACA) in 1994
    • Framework and knowledge repository
    • Provides common language to communicate goals, objectives and expected results to all stakeholders
    • Based on, and integrates, industry standards and good practices in:
      – Strategic alignment of IT with business goals
      – Value delivery of services and new projects
      – Risk management
      – Resource management
      – Performance measurement
  • 3. Features of COBIT
    • Business Oriented
    • Process Oriented
    • Control Objectives
    • Measurement Driven
    Note: I don’t own the rights of images used
  • 4. Harmonizing the Elements of IT Governance (diagram; labels: IT Governance, Resource Management)
  • 6. The COBIT Framework
    • Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
    • Acquire and Implement (AI): provides the solutions and passes them to be turned into services
    • Deliver and Support (DS): receives the solutions and makes them usable for end users
    • Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed
  • 7. The COBIT Framework – 34 processes
  • 8. COBIT Defines Processes, Goals and Metrics: Example (diagram: Relationship Amongst Process, Goals and Metrics (DS5); Source: COBIT website)
  • 9. Information Technology Infrastructure Library (ITIL)
    • The Information Technology Infrastructure Library (ITIL) is a set of guidance developed by the United Kingdom’s Office of Government Commerce (OGC)
    • The guidance describes an integrated, process-based, best-practice framework for managing IT services.
    • ITIL consists of 5 core strategies:
      – Service Strategy: looks at the overall business aims and expectations, ensuring that the IT strategy is mapped appropriately
      – Service Design: begins with a set of new or changed business requirements and ends with a solution designed to meet the documented needs of the business
      – Service Transition: looks at managing change, risk and quality assurance during the deployment of service designs so that service operations can manage the services and supporting infrastructure in a controlled manner
      – Service Operation: concerned with the business-as-usual activities of keeping services going once they transition into the production environment
      – Continual Service Improvement (CSI): provides an overall view of all the elements from the other books and looks for ways to improve the overall process and service provision
  • 10. Service Lifecycle & Positioning
  • 12. ITIL Core Service Management Functions and Processes
    • Core of ITIL comprises six service support processes and five service delivery processes
    • Service support processes are used by the operational level of the organization whereas the service delivery processes are tactical in nature
  • 13. Benefits of ITIL
    • Improve Resource Utilization
    • Be More Competitive
    • Decrease Rework
    • Eliminate Redundant Work
    • Improve upon project deliverables and time
    • Improve availability, reliability and security of mission critical IT services
    • Justify the cost of service quality
    • Provide services that meet business, customer and user demands
    • Integrate central processes
    • Document and communicate roles and responsibilities in service provision
    • Learn from previous experience
    • Provide demonstrable performance indicators
  • 14. BS7799 (timeline diagram)
    – 1993 - 1995: Consultation; COP becomes BS7799:1995 (Implementation, Audit, Programme)
    – ISO/IEC 17799:2000: Recognition as a suitable platform for ISM
    – BS7799 Part 2: ISMS
  • 15. BS7799
    • “A comprehensive set of controls comprising best practices in information security”
    • Comprises TWO parts - a code of practice (ISO 17799) and a specification for an information security management system (ISO 27001)
    • Basically… an internationally recognized generic information security standard
    Key Terminology
    • Policy – General regulations everyone must follow; should be short, clear
    • Standard – Collection of system-specific requirements that must be met
    • Guidelines – Collection of system-specific suggestions for best practice. They are not required, but are strongly recommended
    • Procedures – A series of steps to accomplish a task
  • 16. Why is it needed
    • “It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce”
    • Framework for comprehensive IT security program
    • International standard
    • Meshes well with EDUCAUSE/I2 direction
    • Certification for institution available
  • 17. Sections (Clauses)
    • Security Policy
    • Organizing Information Security
    • Asset Management
    • Human Resources Security
    • Physical and Environmental Security
    • Communications and Operations Management
    • Access Control
    • Information Systems Acquisition, Development, and Maintenance
    • Information Security Incident Management
    • Business Continuity Management
    • Compliance
    Control in each clause
    • Control objective stating what is to be achieved
    • One or more controls to achieve the objective
    • Each control contains:
      – Control statement
      – Implementation guidance (the details)
      – Other information
  • 18. BS7799
    • Part 1 is now ISO/IEC 17799:2000 – Incorporates good security practice, with 127 security guidelines (which can be drilled down to provide over 600 other controls)
    • Part 2 – A framework for an ISMS, which is the means by which Senior Management monitor and control their security, minimise risk and ensure compliance
  • 19. Management Framework: ISMS (flowchart)
    – Step 1: Define the Policy (Policy Document)
    – Step 2: Define Scope of ISMS (Scope of ISMS)
    – Step 3: Undertake RA (Information Assets; Risk Assessment Results & Conclusions)
    – Step 4: Manage Risk
    – Step 5: Select Controls (Select Control Objectives; Additional Controls)
    – Step 6: Statement of Applicability (Statement)
  • 20. Other Benefits:
    • Enables ISM to be addressed in a practical, cost-effective, realistic and comprehensive manner
    • Establishes mutual trust between networked sites
    • Enhances Quality Assurance
    • Demonstrates a high, and appropriate, standard of security
    • Increases the ability to manage and survive a disaster
  • 21. Benefits
    • Define responsibilities, assess risk, cheaper Insurance premiums;
    • Higher quality of service to LIC as processes thought through with risk assessments;
    • Continuous assessment and more efficient operations
    • Higher staff morale and greater sense of knowing what to do in the event of a crisis
    • Is it necessary to seek ISO17799 Accreditation? – some Registries have done it but it is not essential to be accredited but useful to follow the guidelines
  • 22. Companies Using BS7799
    • Financial Service Sector
    • Management of Medical Organization Information Security
    • Newcastle Building Society
  • 23. Comparison (table; columns: AREA, COBIT, ITIL, ISO27001)
    – Function: COBIT = Mapping IT Process; ITIL = Mapping IT Service Level Management; ISO27001 = Information Security Framework
    – Area: COBIT = 4 Process and 34 Domain; ITIL = 9 Process; ISO27001 = 10 Domain
    – Issuer: COBIT = ISACA; ITIL = OGC; ISO27001 = ISO Board
    – Implementation: COBIT = Information System Audit; ITIL = Manage Service Level; ISO27001 = Compliance to security standard
    – Consultant: COBIT = Accounting Firm, IT Consulting Firm; ITIL = IT Consulting firm; ISO27001 = IT Consulting firm, Security Firm, Network Consultant
  • 24. COBIT vs ITIL [In Conjunction]
    • ITIL was designed as a service management framework to help you understand how you support processes, how you deliver services
    • COBIT was designed as an IT governance model, particularly and initially with audit in mind, to give you control objectives and control practices on how that process should behave
    • The difference between the two is: COBIT tells you what you should be doing, while ITIL tells you how you should be doing it
    • Put them together, and you have a very powerful model of what you need to be doing and how you need to be doing it, when it comes to your process management
  • 25. None of these frameworks are in competition with each other; in fact, it is best if they are used together.
    – ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
    – ITIL focuses on IT processes, not on security
    – COBIT focuses on controls and metrics, not as much on security
    So, a combination of all three is usually the best approach. COBIT can be used to determine if the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to determine and improve upon the company's security posture. And ITIL can be used to improve IT processes to meet the company's goals (including security).