Are Today's Risk Management Frameworks Antiquated?

Published: 22/11/2024   Category: security


Five ways ISACA is updating its compliance framework, COBIT, to keep up with business and risk demands



It has been 16 years since ISACA blazed a trail with its first incarnation of the COBIT IT governance framework, and a decade since Sarbanes Oxley catapulted it into the limelight as a reliable way to develop IT governance and management programs that could keep organizations compliant.
A lot has changed in the intervening years -- not just with the mounting number of regulations organizations seek to comply with, but also with how firmly enmeshed IT has become within everyday business processes. Though ISACA has shepherded COBIT through numerous refreshes in the past, the organization knows that the time has come: COBIT is due for a reboot.
[Whether it is through a framework or not, tying together compliance initiatives must be done to maintain your sanity and valuable dollars. See Unifying Compliance Initiatives To Make Budgets Last.]
According to Robert Stroud, member of ISACA's Strategic Advisory Council and of the ISACA Framework Committee, ISACA this week delivers on an overhaul of the framework that's two years in the making.
"What we've gone and done is basically not just refresh the framework, but we took a complete look at it again to make sure it is relevant and applicable to become a business framework for the governance and management of enterprise IT," says Stroud, who is also vice president of strategy and innovation and a service management and governance evangelist for CA Technologies. "So we've taken a top-down approach to the governance from the business right down through all the capability that IT will often need to deliver through technology, process, people, culture, and aspects like that."
In anticipation of the launch, Dark Reading spoke with Stroud, who discussed five main ways ISACA is rewriting the rules for the GRC rule-makers. According to him, the changes make COBIT 5 more robust, reliable, and repeatable as a process capability assessment method than its predecessors.
1. IT-Enabled Business Processes
The driving force behind the revamp of COBIT was to join IT governance and risk management with business governance and risk management, Stroud says.
"Instead of just being an IT governance framework, we've moved upscale in reflection to the industry," he explains. "It's now a business framework for the governance and management of the enterprise. That's the fundamental difference."
As a result, it better delineates business stakeholder involvement and responsibility in the use of IT. More importantly, it's designed to make it easier to fold in both business and IT activities for more holistic development of best practices that reflect the enterprise-wide nature of IT use.
In order to accomplish the goal of creating this business framework, ISACA merged three of its existing process reference models -- COBIT, ValIT, and RiskIT -- under the COBIT umbrella.
"We've effectively built this framework to help people understand what the right top-down business processes you want to put in place are so that you can govern your business and enable IT effectively," Stroud says.
2. Governance And Management Phases Split
ISACA further remodeled the foundation of COBIT by distinguishing between the governance and management of business and IT.
"Where we've differentiated from previous versions is really through separated governance and management so that COBIT recognizes them as different phases," Stroud says. "First there's the governance phase that will involve following an evaluate, direct, monitor model. And at the lower level there's a management framework so you can instrument management processes that are logical and practical."
According to Stroud, ISACA built the new COBIT like most organizations build their security policy or risk management policy: on principles rather than specific rules.
"We've become a principle-based framework rather than setting 'Thou shalt' rules," he says. "That's the way of practical management these days."
3. Value-Based Decisions
Not only is the new framework principle-based, it's also value-based.
"We acknowledge value up front. And I just don't mean return on investments. We're talking about a real value realization phase when any major enterprise initiative is developed," Stroud says. "You're going to understand and articulate what the value is, otherwise the organization wouldn't invest in it. We've driven that top-down linkage of business value so that IT can understand what it is and then use the management framework to represent that back."
COBIT 5 now does that by including requirements in the governance part of the framework that mandate organizations to do benefits identification for new projects, whether they're designed for innovation, security, or compliance.
Taking compliance as an example, an organization would state one of the major benefits as the opportunity to experience a stretch without paying fines or penalties, Stroud says.
"If you articulate that upfront in a value proposition, you can quickly do an estimation of the fines and penalties you are avoiding by effective execution of the framework. I think that's the thinking that IT and the business needs to inherit," he says. "If you logically do that analysis then you can get to a situation where you can actually do a risk assessment and say 'Well, if the fine is 10 cents, do I care?' The answer is yes if there's a billion of them."
4. New Process For Enterprise Architecture
Stroud says that as the ISACA committee worked on COBIT 5, one of the important items on the radar was continuing the commitment to helping organizations develop processes that would feed into their compliance objectives.
That meant not only including compliance framework components in the governance phase, but also reworking the management phase to mesh with the compliance processes of the future. This meant adding a new process for enterprise architecture.
"In forward-thinking enterprises now, compliance requirements are going to be part of their enterprise architecture. They're making them part of the company DNA. It becomes far more a part of business-as-usual rather than an exception to the process," he says. "We've now enshrined a process for going through and ensuring that you've got a lot of those metrics consistently being collected for the organization and alerted back up to management so they can make sound decisions and understand when compliance boundaries have been exceeded."
5. Collaborative And Customizable Content
Created in a time before Internet ubiquity, much less social media and blogs, COBIT is changing dramatically, not just in its content but also in how it is delivered. According to Stroud, the release of materials this week is just the start of the effort to roll out COBIT and keep it fresh in the coming years. Enterprises with ISACA members should expect to be able to lean on a new COBIT online collaborative effort that will allow individuals to customize content for their needs and connect with their peers.
"It won't matter what your role is -- you'll be able to take a view of the online repository and effectively generate your own COBIT output based on your role, your function, and what business problem you're trying to solve," Stroud says. "We're getting modern. We've got this great community of over 100,000 ISACA members worldwide, and we absolutely want to leverage that community, to drive through not just the way they choose content, but really drive the development we do going forward."
