ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggest picking up a copy of NIST SP 800-37 Rev 1.
Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 rev 1 is not the first NIST document concerning risk management and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management Information Security Transformation for the Federal Governmen” at the 5th Annual Security Automation Conference.
Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev 1.:
Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.
Focusing back to COBIT 5, the planned primary improvements will consist of:
- Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
- Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
- COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
- COBIT 5 will consist of a set of publications providing:
- The content of COBIT 5 required for enterprise implementation and assurance activities
- Focussed guidance publications on functional, responsibility and organisational views to help
COBIT users with a specific area of interest to better understand how COBIT can support their role.
- Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
- Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.
If you want to learn more about risk management, a previous post “Risk Assessment: A Starting Point” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths“):