Monday, September 8, 2014

Chapter 2: Security Controls Development

The Control Objectives for Information and related Technology (Cobit):
Cobit is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) (Harris, 55). In short, Cobit defines goals for the controls that must be in place to manage IT properly, and it helps ensure that IT aligns with the business goals.

Cobit can be broken down into four domains:

  1. Acquire and Maintain Application Software
  2. Acquire and Maintain Technology Infrastructure
  3. Install and Accredit Systems
  4. Manage Changes

The positive aspect of Cobit is that it provides goals and guidance for companies to follow when they purchase, install, test, and accredit IT products. Cobit operates as a "checklist": it provides a list of items companies can think through and accomplish as they carry out different IT functions. It is like a roadmap that companies can follow. A majority of the security compliance auditing practices used in industry today are based on Cobit.

COSO:
Cobit was actually derived from the Committee of Sponsoring Organizations (COSO) framework. The framework is made up of the following components:

  • Control Environment:
    • The control environment is basically management's philosophy and operating style, and the company's culture pertaining to ethics and fraud.
  • Risk Assessment :
    • Risk assessment establishes risk objectives and the ability to manage internal and external change.
  • Control Activities:
    • Control activities are policies, procedures, and practices put in place to reduce risk.
  • Information and Communication:
    • Information and communication is the structure that ensures the right people get the right information at the right time.
  • Monitoring:
    • Monitoring detects and responds to control deficiencies.

ITIL:
The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management. Companies have a hard time communicating between business and IT; as a result, they blend their business objectives and IT functions inefficiently. This creates confusion, misunderstandings, and missed deadlines and opportunities, but most importantly it increases cost in time and labor. All this confusion can be frustrating, and that is why ITIL was created. ITIL is a customizable framework that provides goals, the general activities necessary to achieve the goals, and the input and output values for each process required to meet the goals. However, ITIL is more focused toward internal service level agreements between IT and the "customers" it serves.

Six Sigma:
Six Sigma is a process improvement methodology that grew out of Total Quality Management (TQM). Six Sigma is used to improve process quality; it uses statistics to measure operational efficiency and to reduce variation, defects, and waste.

Security Program Life Cycle:
A security program has a life cycle that is ALWAYS continuing, because security should be constantly evaluated and improved upon. Harris describes the life cycle of a process as:
  1. Plan and organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate