A Look at COBIT Security
This is the first installment in a two-part series.
One of the biggest challenges currently facing administrators is regulatory compliance. Several acts, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), specifically address data security. So from a security administrator's point of view, it's fairly obvious what steps must be taken to be in compliance with these regulations.
Interestingly enough, Sarbanes-Oxley (SOX), the act that's probably causing administrators the most headaches these days, says nothing about data security. One could argue, however, that it's heavily implied. In fact, we've seen data security requirements being mandated by the Sarbanes-Oxley auditors. This actually makes a lot of sense, since many of these auditors come from one of the fallen auditing firms, most of which ran a security practice. Knowing that ensuring the accuracy and integrity of a company's financial data takes more than sound accounting practices, these Sarbanes-Oxley auditing firms are requiring that data security processes and practices be addressed before signing off on the SOX audit.
So what is being suggested by the SOX auditing firms? In many cases, COBIT.
What is COBIT?
COBIT, which stands for Control Objectives for Information and Related Technology, was developed by the Information Systems Audit and Control Foundation (ISACF) to address the need for management and control of information and information technology (IT). The ISACF's point is that technology is a vital part of business processes and, as such, management must have an appreciation for and a basic understanding of the risks and constraints of IT, so they can make appropriate business decisions about what technology to implement and how to control its use. Since Sarbanes-Oxley is all about appropriate processes and controls, you can see why the SOX auditors are recommending that companies implement COBIT.
However, COBIT is not the brainchild of a U.S.-based firm. Numerous companies and organizations contributed to the information found in COBIT, and the ISACF itself is based in the U.K. COBIT draws on numerous sources, ranging from ISO standards, to Codes of Conduct issued by the Council of Europe, to various qualification criteria such as ITSEC and ISO 9000, to industry and government best practices such as NIST, as well as emerging industry-specific requirements.