Frameworks: CobiT, COSO, and ISO 17799
Frameworks such as the Control Objectives for Information and related Technology (CobiT) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework aid regulatory compliance, but don't provide actual risk management methodologies. Instead they include some high-level goals for risk management as part of their overall scope. While CobiT helps a company define risk goals at an operational level, COSO helps a company define organizational risks at a business level.
Developed by the Information Systems Audit and Control Association and the IT Governance Institute, CobiT is a framework that defines goals for the controls used to properly manage IT and ensure that IT maps to business needs.
It is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, the Acquire and Implement section includes information on acquiring and maintaining application software and managing changes.
Although CobiT is not a risk methodology, it does spell out the goals an organization should aim to accomplish in its risk management processes. These goals are outlined in these subcategories: business risk assessment; risk assessment approach; risk identification; risk measurement; risk action plan; risk acceptance; safeguard selection; and risk assessment commitment.
While CobiT is a model for IT governance, COSO is a model for corporate governance. CobiT was derived from the COSO framework, which was developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting.
COSO has these components:
- Control environment Management's philosophy and operating style; the company culture as it pertains to ethics and fraud
- Risk assessment Establishment of risk objectives; the ability to manage internal and external change
- Control activitiesPolicies, procedures, and practices put in place to mitigate risk
- Information and communicationA structure that ensures that the right people get the right information at the right time
- MonitoringDetecting and responding to control deficiencies
COSO focuses on the strategic level, while CobiT focuses more on the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective.
Like CobiT and COSO, ISO 17799 includes some high-level risk management guidance, but doesn't provide an actual risk methodology.
Updated last year, ISO 17799 provides guidelines on how to set up a security program from A to Z. Where COSO and CobiT call out requirements for various security structures and countermeasures, ISO 17799 provides the details on how to develop and implement these components.
The newest version of this framework includes the following categories: security policy, asset management, physical and environmental security, communications and operations management, access control, and information security incident management.
These categories are controls that need to be put into place to reduce risk. For a company to know the right type and level of access control, incident management, and physical security, it must first understand its current risk level and its acceptable risk level.
Risk management is a foundational piece of each component of ISO 17799, but the framework does not specify what methodology an organization should use to accomplish it.