Comparison of it governance framework-COBIT, ITIL, BS7799


  1. Comparative Analysis of IT Governance Frameworks
     Kanika Vyas | Meghna Verma | Mounica Janupala | Navanita
  2. COBIT is a Road Map to Good IT Governance
     • COBIT originally stood for "Control Objectives for Information and Related Technology"
     • First published by the Information Systems Audit and Control Association (ISACA) in 1996; later editions were developed together with the IT Governance Institute (ITGI)
     • A framework and knowledge repository
     • Provides a common language for communicating goals, objectives and expected results to all stakeholders
     • Based on, and integrates, industry standards and good practice in the five IT governance focus areas:
       – Strategic alignment of IT with business goals
       – Value delivery of services and new projects
       – Risk management
       – Resource management
       – Performance measurement
  3. Features of COBIT
     • Business oriented
     • Process oriented
     • Controls based (control objectives)
     • Measurement driven
     Note: the author does not own the rights to the images used.
  4. Harmonizing the Elements of IT Governance
     [Figure: the elements of IT governance, including Resource Management]
  5. The COBIT Framework
     [Figure: COBIT framework overview. Source: COBIT website]
  6. The COBIT Framework: the four domains
     • Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
     • Acquire and Implement (AI): provides the solutions and passes them on to be turned into services
     • Deliver and Support (DS): receives the solutions and makes them usable for end users
     • Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed
  7. The COBIT Framework: 34 processes
     [Figure: the 34 COBIT processes arranged under the four domains]
  8. COBIT Defines Processes, Goals and Metrics
     Example: the relationship amongst process, goals and metrics for process DS5 (Ensure Systems Security). Source: COBIT website
  9. Information Technology Infrastructure Library (ITIL)
     • ITIL is a set of guidance developed by the United Kingdom's Office of Government Commerce (OGC)
     • The guidance describes an integrated, process-based, best-practice framework for managing IT services
     • ITIL (version 3) consists of five core publications, one per stage of the service lifecycle:
       – Service Strategy: looks at the overall business aims and expectations, ensuring that the IT strategy is mapped to them appropriately
       – Service Design: begins with a set of new or changed business requirements and ends with a solution designed to meet the documented needs of the business
       – Service Transition: manages change, risk and quality assurance during the deployment of service designs, so that service operation can manage the services and supporting infrastructure in a controlled manner
       – Service Operation: concerned with the business-as-usual activities of keeping services going once they have transitioned into the production environment
       – Continual Service Improvement (CSI): provides an overall view of all the elements from the other books and looks for ways to improve the overall process and service provision
  10. Service Lifecycle and Positioning
  11. SOA-ITIL Governance Synergy
  12. ITIL Core Service Management Functions and Processes (ITIL v2)
     • The core of ITIL v2 comprises the Service Support set (the Service Desk function plus Incident, Problem, Change, Release and Configuration Management) and the five Service Delivery processes (Service Level, Financial, Capacity, Availability and IT Service Continuity Management)
     • Service support processes are used at the operational level of the organization, whereas the service delivery processes are tactical in nature
  13. Benefits of ITIL
     • Improve resource utilization
     • Be more competitive
     • Decrease rework
     • Eliminate redundant work
     • Improve project deliverables and timeliness
     • Improve availability, reliability and security of mission-critical IT services
     • Justify the cost of service quality
     • Provide services that meet business, customer and user demands
     • Integrate central processes
     • Document and communicate roles and responsibilities in service provision
     • Learn from previous experience
     • Provide demonstrable performance indicators
  14. BS 7799: history
     • 1993–1995: consultation on a code of practice (CoP) for information security management
     • BS 7799:1995: the code of practice becomes a British Standard (implementation, audit, programme)
     • BS 7799 Part 2: specification for an information security management system (ISMS)
     • ISO/IEC 17799:2000: international adoption of Part 1; recognition as a suitable platform for information security management
  15. BS 7799
     • "A comprehensive set of controls comprising best practices in information security"
     • Comprises two parts: a code of practice (Part 1, which became ISO/IEC 17799 and is now ISO/IEC 27002) and a specification for an information security management system (Part 2, which became ISO/IEC 27001)
     • Basically, an internationally recognized generic information security standard
     Key terminology
     • Policy: general rules everyone must follow; should be short and clear
     • Standard: a collection of system-specific requirements that must be met
     • Guidelines: a collection of system-specific suggestions for best practice; not required, but strongly recommended
     • Procedures: a series of steps to accomplish a task
  16. Why is it needed?
     • "It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce"
     • A framework for a comprehensive IT security programme
     • An international standard
     • Meshes well with the EDUCAUSE/I2 direction
     • Certification of an institution's ISMS is available (against the Part 2 / ISO/IEC 27001 specification)
  17. Sections (Clauses)
     The eleven control clauses (as in ISO/IEC 17799:2005 and ISO/IEC 27001 Annex A):
     • Security Policy
     • Organizing Information Security
     • Asset Management
     • Human Resources Security
     • Physical and Environmental Security
     • Communications and Operations Management
     • Access Control
     • Information Systems Acquisition, Development and Maintenance
     • Information Security Incident Management
     • Business Continuity Management
     • Compliance
     Controls in each clause:
     • A control objective stating what is to be achieved
     • One or more controls to achieve the objective
     • Each control contains: a control statement, implementation guidance (the details) and other information
  18. The two parts
     • BS 7799 Part 1 is now ISO/IEC 17799:2000: incorporates good security practice, with 127 security controls (which can be drilled down into over 600 more detailed controls)
     • BS 7799 Part 2: a framework for an ISMS, which is the means by which senior management monitor and control their security, minimise risk and ensure compliance
  19. Management Framework: the ISMS
     • Step 1: Define the policy (output: ISMS policy document)
     • Step 2: Define the scope of the ISMS (output: scope of ISMS, information assets)
     • Step 3: Undertake a risk assessment (output: risk assessment results and conclusions)
     • Step 4: Manage the risk
     • Step 5: Select controls (select control objectives and controls, plus any additional controls)
     • Step 6: Prepare the Statement of Applicability (output: Statement of Applicability)
  20. Other benefits
     • Enables information security management to be addressed in a practical, cost-effective, realistic and comprehensive manner
     • Establishes mutual trust between networked sites
     • Enhances quality assurance
     • Demonstrates a high, and appropriate, standard of security
     • Increases the ability to manage and survive a disaster
  21. Benefits
     • Defines responsibilities, assesses risk, and can lower insurance premiums
     • Higher quality of service to LIC, as processes are thought through with risk assessments
     • Continuous assessment and more efficient operations
     • Higher staff morale and a greater sense of knowing what to do in the event of a crisis
     • Is it necessary to seek certification? Some registries have done so, but certification is not essential; following the guidelines is useful in itself. (Note that certification is against the ISMS specification, BS 7799 Part 2 / ISO/IEC 27001; ISO/IEC 17799 is a code of practice and is not certifiable.)
  22. Organisations using BS 7799
     • Financial services sector
     • Management of medical organisation information security
     • Newcastle Building Society
  23. Comparison
     • Function: COBIT maps IT processes; ITIL maps IT service level management; ISO 27001 is an information security framework
     • Area: COBIT has 4 domains and 34 processes; ITIL v2 has 5 service support processes plus the Service Desk function and 5 service delivery processes (ITIL v3 has 5 lifecycle stages); ISO 27001 has 11 control clauses (Annex A)
     • Issuer: COBIT by ISACA; ITIL by the OGC; ISO 27001 by ISO/IEC
     • Implementation: COBIT through information systems audit; ITIL through managing service levels; ISO 27001 through compliance with the security standard
     • Consultants: COBIT by accounting firms and IT consulting firms; ITIL by IT consulting firms; ISO 27001 by IT consulting firms, security firms and network consultants
  24. COBIT vs ITIL (in conjunction)
     • ITIL was designed as a service management framework to help you understand how you support processes and how you deliver services
     • COBIT was designed as an IT governance model, particularly and initially with audit in mind, to give you control objectives and control practices describing how a process should behave
     • The difference between the two: COBIT tells you what you should be doing, while ITIL tells you how you should be doing it
     • Put them together and you have a very powerful model of what you need to be doing and how you need to be doing it, when it comes to your process management
  25. None of these frameworks is in competition with the others; in fact, it is best if they are used together.
     – ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
     – ITIL focuses on IT processes, not on security
     – COBIT focuses on controls and metrics, not as much on security
     So a combination of all three is usually the best approach: COBIT can be used to determine whether the company's needs (including security) are being properly supported by IT; ISO 17799 can be used to determine and improve the company's security posture; and ITIL can be used to improve IT processes to meet the company's goals (including security).
