Next to my bed, I have the book, “Time Management for System Administrators” by Thomas A. Limoncelli. I highly recommend the book. I have to confess, I have not gotten very far into the book. I just have not had much time. I know, it sounds like a punch line. Well, as I write, it is past midnight Sunday morning, and I am going to have to get up in a few hours.
Life in IT can be complicated. There are a lot of issues to deal with. This seems especially true in security. Security is all about layers. There is no silver bullet. If there was, you would still have to layer it.
This is why I find COBIT interesting. First, it provides structure. This helps organize and ensure that the different areas of security and IT operations are addressed. It is too easy to focus on the immediate problem and, because of time constraints, miss other problems. It is the classic scene from a movie where the person being chased secures the front door while forgetting that the windows are wide open. COBIT basically provides the forest view. Second, along those lines, it helps align the work to business objectives and auditing requirements. That saves time both with the auditors and with management. As life becomes more complicated, it is important to get people on the same page.
I find it interesting when I see COBIT gaining recognition in various projects and press. In the Open Web Application Security Project (OWASP) documentation, “A Guide to Building Secure Web Applications and Web Services,” most sections have a subsection, “Relevant COBIT Topics.” It is looking like OWASP is embracing COBIT. The ISACA site has a section for COBIT mapping documents. It provides good information on how these different standards relate to COBIT. Unfortunately, some documents do require membership in ISACA. There is a good deal of interesting information available from ISACA. If you are interested in membership, information is available at their site. ISACA maps COBIT against the following standards:
No Login Required:
Login Required:
Member Only:
- COBIT Mapping: Mapping of ITIL With COBIT 4.0 (PDF, 553K) Jan 2007
- COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0 (PDF, 582K) Jan 2007
- COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0 (PDF, 544K) Dec 2006
- COBIT Mapping: Mapping PMBOK to COBIT 4.0 (PDF, 669K) Aug 2006
- COBIT Mapping: Mapping SEI’s CMM for Software to COBIT 4.0 (PDF, 590K) Aug 2006
- COBIT Mapping to ISO/IEC 17799 :2000 With COBIT, 2nd Edition (PDF, 570K) May 2006
- COBIT Mapping Overview of International IT Guidance 2nd Edition (PDF, 444K) Apr 2006
- Aligning COBIT, ITIL and ISO 17799 for Business Benefit (PDF, 255K) Nov 2005
The article, “The 7 Best Practices for Network Security in 2007” from NetworkWorld, has the following statement:
If you don’t already have corporate security policies, now is the time. There are some excellent models out there for free or for a minimal charge. My favorites are the powerful COBIT model, the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799.
COBIT helps provide the high-level view. This is complemented by the material from NIST and SANS, which helps with the trees.
