International focus on IT governance has created a proliferation of local and international standards for IT management in general and IT security in particular. This article helps clarify which of these standards adds value to IT, how to decide which standards add value to it and the pitfalls encountered during implementation.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005
The Value to IT of Using International Standards
By Ernst Jan Oud, CISA

The international focus on IT governance has created a proliferation of local and international standards for IT management in general and IT security in particular. This article helps clarify which of these standards adds value to IT, how to decide which standards to implement and the pitfalls encountered during implementation.

A recent publication by the American Institute of Certified Public Accountants (AICPA) [1] shows that, for the third consecutive year, information security, defined as the hardware, software, processes and procedures in place to protect an organization's information systems from internal and external threats, is the number one technology concern within the US. Due to the dynamics of today's business processes, there is no time to reinvent the wheel; the use of best practice, including standards, must prevail.

Standards for IT management and security are drafted by consensus or compromise from best practices discussed by a large group of individuals from various organisations. In most countries, standards are de facto (regarded as the obligatory best way to act) instead of de jure, where a standard is more or less mandatory. IT management and IT security standards are best practices and, as such, are not based on scientific facts. The term "folk art" [2] describes this phenomenon best.

At the start of the 20th century, when practical uses for electricity were invented, it was internationally recognised that safety and international trade called for international standards for electrical appliances. This led to the foundation of the International Electronic Committee (IEC). Much later, with the need for international standards in other fields of interest (quality systems amongst many others), the International Organisation for Standardisation (ISO) [3] was founded.
Since computer and telecommunication systems require attention to electrical issues as well as, for instance, quality, IEC and ISO work together in Joint Technical Committee 1 on standards for this subject. [4]

Apart from recognised international standards, many national standards exist for IT management and IT security. For instance, whilst Control Objectives for Information and related Technology (COBIT) is more frequently used for IT management in the US and other countries, the IT Infrastructure Library (ITIL) is more frequently used in the UK, The Netherlands and Australia. Most countries have local organisations that, for various reasons, publish standards. This may be because best practice is only available or applicable locally. For instance, the Dutch standard for the Dutch national flag will not be of much interest to a Mexican factory (unless it decides to step into the flag manufacturing business). However, this is not always the case. The need for project management best practice led to PRINCE2 [5] in Europe and PMBOK [6] in the US, in spite of the fact that project management is not done much differently on the two continents.

Issues With Standards

Since standards come about through discussions among individuals, wilfulness and cultural, political and (inter)national differences have led and will always lead to a proliferation of standards; the "not invented here" syndrome is prevalent. It should be understood that folk art and the wilfulness of individuals lead to an abundance of good practices. It has been said before that the good thing about standards is that there are so many of them. This is indeed good, because when there are many standards, it is likely that one of the many standards on a particular subject can be made to fit a certain situation. This is particularly useful when a de facto standard (an international best practice drawn from the set of good practices) has not yet been recognised.
Since standards are sometimes regarded as straitjackets, it is nice to have a choice. If COBIT will not fit, one can go for an ITIL implementation; if the NIST Handbook on security is too overwhelming, one can try ISO 17799. Professionals should use the better parts of these standards as building blocks and be prepared to deconstruct standards. As Pablo Picasso said, "Every act of creation is first of all an act of destruction."

Value to IT

The value of using standards lies in not having to reinvent the wheel, which saves resources, but the biggest value lies in using the best practice of others to one's own benefit. It would be difficult for an individual organisation to come up with a better IT management framework than COBIT or ITIL. Also, most governance regulations (such as the Sarbanes-Oxley Act in the US and Tabaksblat in The Netherlands) mention that the organisations to which such regulations apply must implement best practices. If the organisation then chooses a de facto standard, it will be compliant (i.e., the risks of using an internally developed standard with omissions or errors are reduced by using de facto standards). Larger organisations have learned that drafting their own policies for security is often much more costly and less successful than basing their policies on ISO 17799. Another benefit of using standards for IT management and IT security becomes obvious the moment an organisation decides to outsource part of its business: using a publicly available standard as the basis for service level agreements between the organisation and its business partners will lead to less misunderstanding and lower associated costs.

Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Benefit to Auditors

Auditors benefit substantially from using de facto standards.
Whilst auditors in the past have created their own sets of standards, audit programmes and checklists to audit against, the use of publicly available international standards (such as COBIT, ISO 17799 and ISO 9001) leads to lower costs for both auditor and auditee and helps the auditee to understand the auditor better. It also enables the auditee to use the same standard for internal auditing as that used by the external auditor, a basis for integrated auditing. Even the auditing process itself has been internationally standardised through standards such as ISO 19011 and EA 7/03. [7]

The need for more attention to governance has also given rise to the need for certification. Judging quickly, without a costly external auditing or review process, whether doing business with an organisation is advisable is easier when this organisation can show compliance by handing over its certificate from an external, independent party that has previously assessed the quality of security of that organisation. There are currently more than 1,000 organisations [8] certified against BS 7799, [9] the de facto standard for information security management systems. Other standards for which a certification scheme exists are BS 15000, ISO 9001, the European Foundation for Quality Management (EFQM) and TickIT.

Summary of International Tactical Standards

Within the scope of IT auditing (i.e., IT management, security, business continuity planning and the auditing process itself), the following tactical de facto standards are of particular interest:

- IT management: COBIT, BS 15000, [10] Microsoft Operations Framework and ITIL
- Project management: PRINCE2 and the PMBOK
- Security management: ISO 13335, ISO 13569 (banking and financial services), ISO 17799/BS 7799-2 (both translated into local versions in a number of countries), IT Baseline Protection Manual (Germany), ACSI-33 [11] (Australia), numerous National Institute of Standards and Technology [12] standards from the NIST Handbook (SP800-12, USA), COBIT Security Baseline, ENV12924 (Medical Informatics) and the Information Security Forum Standard of Good Practice [13]
- Quality management: ISO 9001, EFQM and Baldrige National Quality Plan
- Software development: TickIT, Capability Maturity Model Integration (Software Engineering Institute)
- IT governance: COBIT, IT Governance Implementation Guide, COSO Internal Control: Integrated Framework and COSO Enterprise Risk Management: Integrated Framework, and the recent Australian standard AS 8015-2005 (corporate governance of information and communication technology)
- Risk management: Australian standard AS/NZS 4360 [14]
- BCP: British Standards Institution PAS-56 and Australian standard HB 221-2004
- Auditing: COBIT and ISO 19011

Figure 1 structures these standards into international, national and organisational standards.

Operational Standards

Next to this considerable number of tactical standards (i.e., standards describing processes and procedures), an even larger number of operational, technical standards exist. The ISO, the European Telecommunications Standards Institute and the National Institute of Standards and Technology (NIST) have published standards on issues including encryption (FIPS 197), (technical) evaluation criteria for IT security (ISO 15408), contingency planning (FIPS 87) and password usage (FIPS 112). More information can be found at www.iso.ch, www.nist.gov and http://csrc.nist.gov/publications/fips/.
Figure 1: Structure Amongst Standards (columns: International Standard, National Standard, Organisational Standard or Guidelines)
- IT Management: BS 15000, COBIT, MOF, ITIL
- Project Management: PMBOK, PRINCE2, APMs
- Security Management: ISO 13335, ISO 13569, ISO 17799, ENV12924, BS 7799-2, NIST standards, ACSI-33, Baseline Protection Manual, COBIT Security Baseline, ISF Standard of Good Practice
- Software Development/Acquisition Process Improvement: ISO 12207, ISO 15504, TickIT, CMMI, Bootstrap
- Quality Management: ISO 9001, EFQM, Baldrige National Quality Plan
- IT Governance: COSO Internal Control: Integrated Framework, COBIT, IT Governance Implementation Guide, Australian standard AS 8015
- Risk Management: AS/NZS 4360, COSO Enterprise Risk Management
- BCP: PAS-56, AS/NZS 4360 and HB 221-2004
- Auditing: ISO 19011, COBIT

It is not by accident that figure 1 mentions two recent standards for business continuity management: Publicly Available Specification 56 from the British Standards Institution and Handbook 221, Business Continuity Management, by Standards Australia. Both standards describe the strategic and operational framework to implement resilience to disruption, interruption or loss in supplying products and services. The processes described in these standards go beyond IT disaster recovery planning. A recent Deloitte survey [15] showed that only about a third of the respondents felt they had a comprehensive BCM governance structure in place, and only half of these include executive involvement in setting and driving their programmes. Two-thirds of those surveyed indicated that they still do not have a process to ensure that an appropriate BCM programme is maintained. There is an apparent need for best practice guidance. This is where these standards can be of much use.

Implementation of any standard that is unfit for purpose can lead to projects running out of budget due to omissions in the standard or its lack of clarity.
Successful standards leave room for interpretation but, at times, this interpretation leads to problems. A standard such as ISO 17799 describes the "what" of security but not the "how". Especially during a certification process, this can lead to discussions with the external auditor on the question of when compliance has been reached.

Families of Standards

Some of the standards mentioned previously are part of a family of standards. For instance, BS 15000, the British Standard for IT Service Management, consists of two parts. Part one is the specification for service management, and part two, the Code of Practice for Service Management, is one step lower in the hierarchy. Further down the hierarchy, ITIL gives best practice for the processes described in BS 15000, and the organisation's in-house procedures are found below that. A similar hierarchy is found within BS 7799-2, the specification for security management; ISO 17799, the set of best practices; and ITIL Security Management, describing the IT security processes.

Mapping Standards

Because so many good standards exist and professionals need to have several standards within their toolkits, the need to map those standards onto each other has arisen. This calls for a metastandard, a standard for standards. A metastandard would enable semiscientific comparison amongst standards. Unfortunately, such a metastandard does not exist. Any comparison or mapping tends to compare apples and oranges. As the IT Governance Institute has experienced during its elaborate mapping of COBIT and ISO 17799, [16] mapping cannot always be one-to-one, because the COBIT control objectives operate at a higher level and the detail of ISO/IEC 17799:2000 is much closer to the level of detail of the COBIT control practices. Most of the standards mentioned previously describe process properties. Technical standards, such as ISO 15408, Evaluation Criteria for IT Security (previously called Common Criteria), describe system properties in more detail.
An example of a standard on process properties is ISO 9001, which describes the plan-do-check-act (PDCA) Deming Cycle for quality management.

Standards and IT Governance

Ryan Peterson [17] stresses that IT management deals with internal business orientation and short-term operational problems, whilst IT governance also focuses on external business orientation and has a longer-term perspective. ITGI's IT Governance Implementation Guide, available from the ISACA Bookstore, describes in great detail the steps to implementing IT governance. A number of these steps point the reader toward understanding existing preferred IT models, standards and best practices. The book explicitly mentions BS 7799 and ITIL for IT security and IT management. It also says (for IT governance implementation projects) to use available best practices and standards to further refine detailed improvement requirements, clearly pointing to PRINCE2 and the PMBOK. There clearly appears to be a need for standards when implementing IT governance. Mapping a number of the aforementioned standards onto Peterson's model leads to figure 2. ITGI's Board Briefing on IT Governance, 2nd Edition, [18] proposes a framework (see figure 3) onto which some of the standards mentioned can be mapped (see figure 4), indicating the focus area of IT governance for which they are pivotal.

Development

Good standards are revised regularly, whilst bad standards fade away. In this context, "good" means that the standard is used by a large number of organisations. The best standard will be the most successful. Betamax was the better video recorder standard, but VHS gained the market. The next paragraphs describe the revision status of a number of important security process standards.

In December 2000, part one of British Standard 7799 became ISO 17799. This standard contains more than a thousand best practice security controls grouped into 127 paragraphs.
A number of countries were not positive on ISO 17799, which was understood by ISO and led to an immediate revision project. As a result, this year will see an improved update of this standard.

Figure 2: Leading Management and Security Standards Mapped on Peterson's IT Governance Model (axes: business orientation from internal to external, time orientation from present to future; quadrants IT Management and IT Governance; standards plotted: COSO, BS 15000, COBIT, ISO 9001, ISO 13335, BS 7799, PAS 56, HB 221, ITIL, ISO 17799)

Part two of BS 7799 was never released as an ISO standard. Part two describes the same 127 paragraphs but in normative form (i.e., all verbs "should" are changed into "shall", turning guidance into specification). More important, it explains the plan-do-check-act cycle for information security management. With the 2002 revision of this standard, it is now fully in line with ISO quality standards. A project to turn part two of BS 7799 into a worldwide ISO standard for security management has been started.

The five-part technical report ISO 13335, Guidelines for the Management of IT Security (GMITS), is currently in a major revision process. It will be made more compact and more in line with ISO 17799. The result will be a two-part ISO standard (as opposed to a technical report, which contains data of a different kind from that normally published as an International Standard) on the management of information and communications technology security.

ISO Technical Report 13569, Banking and Related Financial Services: Information Security Guidelines, is also under revision. It provides guidelines on the development of an information security programme for the financial services industry. It includes discussion of the policies; the organisation; and the structural, legal and regulatory components of such a programme. An overview of the revision status of all ISO SC27 standards is contained in the catalogue of SC27 projects and standards on the JTC1 web site.

ITGI's Mapping Project

Recognising the importance of well-recognised standards other than COBIT, the IT Governance Institute has defined a framework for comparing standards and collections of best practices.
It has also used this framework to map, at a high level, a number of standards for IT management, security and quality onto COBIT. Recently the more detailed mapping of the control practices of COBIT to the controls of ISO 17799 has been published. Other organisations have also mapped various standards. The German Federal Office for Information Security [19] has mapped its IT Baseline Protection Manual to ISO 17799, and the itSMF web site contains an Excel spreadsheet mapping COBIT, ISO 17799 and ITIL. Annex C of part two of BS 7799 also maps BS 7799 to ISO 9001 and ISO 14001.

Implementation Experiences

No standard covers every subject in detail. The advice here is to pick and choose. Any professional in any subject should be familiar with the standards in his/her profession. The contents of, or philosophies behind, those standards should be in his/her toolkit, ready to be used where appropriate. For instance, ISO 17799 mentions the importance of security audits and reviews but contains no information on how to perform them. Here the COBIT audit guidelines can be used, especially now that the COBIT controls have been extensively mapped to ISO 17799. The strategic security management process itself is described in BS 7799, and the operational IT part of security management is described in ITIL's Security Management. Security professionals should be able to build a security management system for their employers using the best of these standards.

An organisation deciding to adopt a set of standards faces a number of challenges. First, it will take time to convince everyone to work according to these standards. This investment, as well as the cost of transferring from the old way of working to the new way, is often forgotten. A standard will not always fit; adaptation, if possible, will create costs. Implementing standards, due to their formal nature, will make processes more rigid and more static. In some organisations, this can lead to problems.
The dynamics of today's business processes sometimes call for more flexibility; standards do not always provide this.

Conclusion

The use of standards raises the value of IT, but there is no standard that covers all aspects of IT management, security and quality. COBIT covers a large subset of all possible aspects but may need to be complemented. This is also acknowledged by ITGI. To decide where extra standards are required, the recent publication of the ITGI mapping project can be of much benefit.

Figure 3: Focus Areas of IT Governance (Stakeholder Value Drivers, IT Strategic Alignment, IT Value Delivery, Risk Management, IT Resource Management, Performance Measurement)

Figure 4: Leading Standards Mapped to the Focus Areas of the IT Governance Framework (standards mapped: ITIL, COBIT, ISO 9001, BS 7799, BS 15000, ISO 17799, ISO 13335, PAS56, HB221, PRINCE2, PMBOK, MOF, COSO)

Endnotes

1. American Institute of Certified Public Accountants (AICPA); 2005 Top Technologies Survey, USA, January 2005
2. This term was first used by Donn B. Parker in Fighting Computer Crime, John Wiley & Sons, USA, 1998.
3. www.iso.ch
4. Joint Technical Committee, www.jtc1.org
5. OGC; Managing Successful Projects with PRINCE2, The Stationery Office, London, revised edition 2002
6. Project Management Institute, www.pmi.org
7. European Cooperation for Accreditation, www.european-accreditation.org
8. See www.xisec.com for the unofficial international certificate register.
9. See www.bsi-global.com.
10. The two-part British Standard 15000 gives guidance and a specification for IT Service Management, www.bsi-global.com.
11. Australian Communications-Electronic Security Instruction 33, www.dsd.gov.au/infosec/publications/acsi33.html
12. www.nist.gov
13. www.isfsecuritystandard.com
14. Standards Australia, www.standards.com.au
15. CPM Global Assurance and Deloitte & Touche LLP, 2004 Benchmark Survey on Business Continuity Management
16. IT Governance Institute, COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, www.isaca.org/cobit
17. Peterson, Ryan R.; "Information Strategies and Tactics for Information Technology Governance", Strategies for Information Technology Governance, edited by W. Van Grembergen, Idea Group Publishing, 2003
18. www.itgi.org
19. www.bsi.bund.de (German and English versions of the web site and documents are available)

Ernst Jan Oud, CISA, is senior manager with Deloitte Enterprise Risk Services. His areas of expertise are information security and business continuity management. Oud is a member of the standards committee responsible for BS 7799 in The Netherlands as well as the committee that developed and maintains the certification scheme. As a certified BS 7799 lead auditor, he is familiar with internal auditing against this standard. Oud teaches BS 7799 at NEN, the Dutch standards institute, and business continuity at TIAS Business School. In November 2002, he published a practical guide on BS 7799 implementation. He has published a number of articles, has spoken at ISACA's EuroCACS and Network Security Conference, and served as expert reviewer for the ITGI publication COBIT Mapping: Overview of International IT Guidance. He is writing a practical guide on business continuity management.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.