Thursday, June 05, 2008

ISO, ITIL and COBIT triple play fosters optimal security management execution

Source: http://www.scmagazineuk.com/ISO-ITIL-and-COBIT-triple-play-fosters-optimal-security-management-execution/article/108620/

This information comes from a survey of security professionals conducted for the recent ESG research report, Security Management Matures. The survey covers organizations with 1,000 or more employees and which commercial frameworks, including ITIL, COBIT and ISO, they have implemented.

ESG discovered that 72 percent of North American enterprise-class organizations say they are implementing one or more formal IT best practice control and process models.

Among survey participants, 18 percent have simultaneously implemented ITIL, ISO and COBIT. Of those implementing just one set of standards, ITIL is the most frequently selected (16 percent) followed by ISO (11 percent). A significant 17 percent have not implemented any type of framework at this time. An additional 20 percent have implemented other best practices or did not know whether their organization used these types of frameworks.

Over three-quarters (76 percent) of the organizations implementing all three sets of guidelines indicate that demands to comply with external regulations were very influential in defining their security management requirements during the past year. In contrast, only 44 percent of those implementing ITIL alone and 51 percent of those with no frameworks in place felt the same way.

For those organizations implementing all three best practices guidelines, the data reveals that regulatory pressures impact multiple business activities, as these organizations are required to comply with diverse regulatory requirements, such as Sarbanes-Oxley, PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard). Across all of these different regulatory requirements, organizations implementing all three sets of best practices guidelines are significantly more likely to be subject to those requirements than are organizations with a lesser number of best practices frameworks currently in place.

Combined, these forces require organizations to promote extensive and ongoing communication, cooperation and reporting capabilities across information security groups, data center operations teams, e-mail administrators, facilities, human resources and other business groups in order to assure that information security control policies are implemented consistently across the business. By combining the detailed security specifications from ISO, IT operations and cross-IT workflow integration best practices from ITIL, and governance and control models from COBIT, the most sophisticated firms are able to address the full range of compliance and audit requirements set before them by government and industry compliance mandates.

ESG found interesting relationships between an organization's degree of implementation of security and governance standards and the amount of cooperation between different IT groups within that organization. Organizations implementing all three sets of best practices recommendations are most likely to report significant levels (62 percent) of cooperation between IT operations and information security groups, compared with 56 percent of those implementing ITIL only and just 46 percent of those that have not implemented any frameworks. Interestingly, those organizations that have not implemented any frameworks are most likely to have merged IT operations and information security groups (29 percent), compared to just 14 percent of those implementing multiple frameworks.

In my opinion, this time I understand more about why companies implement more than one standard in the organization. Because of the complex requirements across business, security and IT teams, in fact these three groups work together. As common sense, IT supports the business, but IT services cannot function without security. As in the summary ESG made, organizations adopt ITIL, ISO and COBIT for compliance requirements on governance, operational process and information security policy integration.