Explainer: Security standards and frameworks
Like pieces of a puzzle, frameworks help companies meet specific security goals. By Bob Violino
Computerworld - Many companies are using standards and frameworks to deal with certain aspects of information security. These models can help protect systems and data, but each plays a very different role in an overall security plan.
Some of the most popular ones, including the Control Objectives for Information and Related Technology (Cobit), ISO 27001, the IT Infrastructure Library (ITIL) and Statement on Auditing Standards (SAS) No. 70, offer guidelines for improving some elements of security. But experts say these models are more like pieces of a puzzle than comprehensive security standards.
"All of these frameworks supply IT with repeatable processes that are consistent across the various IT functions" and help technology executives provide better service, says Kimberly Sawyer, vice president of computing and network services at Lockheed Martin Corp.'s IT department, known as Enterprise Information Systems, in Orlando.
But none of the standards alone provides full security, Sawyer says. "They contain various information security concepts that must be interpreted, integrated and incorporated into the daily operations," she says. "Comprehensive security requires discipline and integration across all aspects of planning, service delivery, risk management architecture, tool selection, policy development and audits."
Lockheed Martin is using Cobit, ITIL and ISO 27001 for different purposes: Cobit for measuring and assessing IT controls, ITIL to improve internal IT services, and ISO 27001 for IT governance. Although each helps to bolster security, none is a stand-alone solution, Sawyer says. "IT organizations must integrate the frameworks to ensure [that] best practices are integrated across the information security discipline," she says.
Here's a look at some of the key standards and their roles in a security plan.
Developed in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute, Cobit provides a framework for users and IT, security and auditing managers. It's gaining acceptance as a good practice for controlling data, systems and related risks.
"Cobit has enabled us to more systematically approach audit issues to identify root causes of deficiencies," says Sawyer.
[Chart omitted; source: Exclusive Computerworld survey, March 2006]
The framework includes tools to measure a company's capabilities in 34 IT processes. Among them are a list of critical success factors that provides best practices for each IT process, maturity models to help with benchmarking, and performance-measurement elements. The standard is becoming vital as companies strive to comply with regulations such as the Sarbanes-Oxley Act.
"Cobit only has one security module, but when you look at [the standard] from a broad perspective, it addresses a lot of elements of security," says Mike Nelson, president of SecureNet Technologies Inc., a consulting firm in San Ramon, Calif., that focuses on information security. "Where it begins to break down is in providing details of the 'how.' It gives detail of controls and objectives of controls" but doesn't explain how to implement them, he says.