REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

I normally don’t do book reviews, but this blog focuses on my personal review of one of ISACA’s latest publications that personally, I really like.

Recently, ISACA published Implementing the NIST Cybersecurity Framework using COBIT 2019. This guide illustrates how these two very powerful frameworks to ensure proper governance and management over Information and Technology (I&T) and providing critical protection for information assets. Although COBIT 2019 and the NIST CSF 1.1 are separate frameworks, this helped me understand how to use more than one model in an overarching I&T governance program that focuses on what the most important factors are.

This video blog is not intended to teach you about each of these frameworks and the details about each implementation methodology. I recorded this to give you my impressions and evaluation of the guide. Before I begin, I need to be fully transparent with you here – I was one of the expert reviewers of this guide so give me a little leeway to brag.

This implementation guide synchronizes many areas: 1) the CSF Implementation Steps, 2) the COBIT Implementation Steps and 3) the COBIT Design Steps. It takes you through the various steps of adopting tailored I&T governance program with a strong focus on cybersecurity. Referring to the figure below (this is not from the book, but my version), this book takes three guides and puts them into a single adoption view.

I hope you learn something from this and of course, gain knowledge that you can take to work tomorrow.

ASSESSING POLICY FRAMEWORK MATURITY

In my last blog on policy frameworks I stressed the importance of principles, policies and procedures as an important ingredient to a governance framework. I mentioned that my quest for a policy framework maturity model came about when I was completing a process assessment for a client. They asked me to also provide them my opinion of the maturity level of their policy framework. I searched everywhere and could not find a definitive model specifically designed to measure policy frameworks.

Before I could measure the maturity of any policy framework, it makes sense that I identified practices and activities that support those policy frameworks. This is what I did before considering how to measure framework maturity. You can see that blog here.

This blog takes the results from the last and extends my policy framework journey to the next level – creating a method to measure policy framework maturity.

According to COBIT 2019, the latest framework for the governance and management of enterprise information and technology: “Performance management is an essential part of a governance and management system. Performance management represents a general term for all activities and methods. It expresses how well the governance and management system and all the components of an enterprise work, and how they can be improved to achieve the required level.” (COBIT 2019 Framework, Introduction and Methodology, ISACA).

Not surprisingly, I used COBIT as a major reference in this effort. COBIT’s performance management is relatively simple, it enables performance measurement of processes and governance components and it is repeatable and flexible.

Maturity model scenario

During the engagement I mentioned above, my client didn’t ask me to assess each policy individually, but the entire policy framework. My first place to go was COBIT and there was very little specific guidance on assessing a policy framework, so I built my own.

The following methodology is a suggested route for you to follow if you find yourself in the same place I was:

 

Step one, determine the scope and purpose

It is important to know why you need a maturity assessment. There are several reasons:

  • To create a basis for improvement on the assessed process, component, focus area or domain
  • To benchmark capabilities with common standards or frameworks
  • To benchmark capabilities with other organizations using a common model
  • To provide prioritization for resource allocation
  • To gain a competitive advantage in areas where you currently excel
  • To determine areas requiring more assurance efforts
  • To develop action plans for closing the gaps between current and desired states

Consider what you are actually trying to assess. Are you looking at your entire framework, individual policies, or the effectiveness and relevance of those policies? In this case, we were looking at the policy framework.

Step two, Identify practices and activities

Now that you understand the why and the what you are assessing, it’s time to figure out what I call evaluation attributes. These are the specific areas that you are assessing. For example, if you are doing a process assessment, you would use process practices and activities as evaluation attributes, the same way you would assess process performance.

In my situation, there were no specific examples for this. Therefore, I thought of a policy framework as a process. I determined evaluation attributes, and those came in the form of practices and activities. Now I had a way to measure maturity with consistent measurement objects. The following are the practices that were used:

Practice 1. A policy framework is documented, approved, and enforced

Practice 2. A policy lifecycle management system is approved and recognized

Practice 3. Policies are communicated and distributed to all stakeholders

Practice 4. Policies are monitored, enforced and maintained

Practice 5. Technology is used to support the policy framework

Practice 6. Each policy should meet good practice criteria

Of course, you can add, remove or change any of these to fit your needs. Each of these practices is supported by a set of activities which support the achievement of each practice. You can find these here or stay tuned because I’ll show you below.

Step three, determine the evaluation model

Just when you think the hard part is over, think again. There is no generally accepted or formal method for assessing policy frameworks in our industry. COBIT suggests that governance components such as policy frameworks can be assessed using a maturity model (using the CMMI based 1-5 ratings) if a set of criteria can be established to evaluate. Therefore, you should use the practices and activities that I have identified here and assign levels of capability to each.

A maturity model is an assessment tool for evaluating an organization’s level of progress towards target goals. This is essentially a grid that describes typical behaviors exhibited at each of the levels, where lower levels define entry level behaviors and higher levels define best practice behaviors. Organizations go from lower to higher levels as they become more capable (mature) in the area being assessed. Additionally, these models can be used for benchmarking as well as creating conditions for meaningful discussions on the steps required to attain desired capability levels.

Generally, these models start with an assessment that determines the current state of maturity, sometimes called “as-is.” The next part is to determine the “to-be,” or desired state. The result or outcome from this analysis will facilitate the identification of potential gaps to assist in determining where priorities should be. Generally, you can only progress in a linear fashion.

I’ve seen maturity models go drastically bad. If misused, they can cause inappropriate behaviors and bad decisions. It is very important to note here that you should not strive to be at a level 5 on everything. A very important lesson learned is that the outcome of a maturity model should help you create the list of things you need to focus on to improve.

There are many factors to be considered during your evaluation, such as the size of your organization (small, medium, or large), the type of industry (financial, retail, manufacturing, engineering, federal, state and local government), the level of regulations your organization is required to comply with and the penalties for non-compliance, etc. The model, practices, and activities below are meant to be generic enough to be applicable to all of these factors and provides a baseline to perform your evaluation and analysis.

There are many reference models available in our industry, but the most common maturity model is the Capability Maturity Model Integration, or CMMI, which is the basis for the COBIT 2019 performance management information. This is a relatively easy model to modify to meet specific needs, and in my case, I could use a 0-5 scale to measure the policy framework. The table below shows the titles and descriptions of those maturity levels. These levels of maturity can be applied to almost any view of the business.

COBIT 2019 Framework, Introduction and Methodology, ISACA

Step four, conduct the evaluation

There are many ways to conduct the evaluation. You can do this internally or hire external advisors to assist in the assessment. There are pros and cons to each and I won’t cover them here. In all cases, it is important that involvement and agreement between all direct stakeholders is considered. Regardless of how you approach it, there are several techniques that can be used: surveys, questionnaires, interviews, document reviews and brainstorming sessions.

During my engagement, we used all the techniques above and below is the result. Each of the six assessed practices consisted of many activities. Our entire stakeholder team agreed on the assessment level for each activity, and the maturity level for the practice is simply an average. If you want to get really complex, you can add weights to those activities that you feel are more important than others.

The following tables are the results of this evaluation. The actual maturity numbers have been changed for the purposes of this blog.

Finally, here’s a rollup that identifies the maturity level for each practice, with an overall maturity level for the policy framework.

Step five, report results to stakeholders and create action plans

It’s one thing to conduct the assessment, but if you don’t do anything with that assessment you have wasted your time. The intent of this evaluation and analysis process is to drive action, identify potential gaps, enhance a policy framework, and provide assurance that policies are current and relevant for the organization. Remediation activities to address gaps can be incorporated in tactical and/or strategic planning based upon their criticality. They should also be approved by senior governance and management leadership teams to obtain consensus and support from the top down.

The dashboard below outlines a high-level snapshot of the current and desired maturity levels for each of the policy framework practices. If you are wondering how desired maturity levels were determined, these were determined by analyzing how each of the practices: 1) supported overall business goals, 2) satisfied compliance requirements, 3) addressed organizational risk scenarios, and 4) met the specific needs of management.

Governance Component Maturity Assessment Dashboard, Escoute Consulting

This dashboard provided a visual representation of how all the policy framework practices were assessed. It also illustrated the gap between current and desired states. This tool enabled management to determine the approach towards closing the gaps. This resulted in a comprehensive list of initiatives and their priorities which ultimately drive how they assigned resources to the improvement effort.

Tips and conclusion

This is not always a collaborative and easy process. I hope this blog, alongside my previous blog on policies, can help you create, govern and manage a policy framework that truly creates value for your enterprise.

To summarize, below are some of my suggested tips and tricks that can help you in your journey:

  1. Use the practices and activities identified in this blog to create your own policy framework control objectives and assessment model
  2. Refer to industry standards and frameworks to help such as COBIT, CMMI and applicable ISO standards
  3. Understand that all stakeholders have different views, and consensus must be gained before finalizing practices, activities and maturity level
  4. This is not a one and done process. Integrate your policies with your continuous monitoring activities on a periodic basis, at least annually.
  5. Integrate new, updated, and modified policies and procedures with your training awareness program.
  6. Make it a mandatory activity that all employees must read and be held accountable for keeping up-to-date with policies and procedures on a periodic basis, usually annually. The enforcement of which can be scoped in any number of ways; the size of your organization, job related relevance, sensitive and critical policies, etc.
  7. Decide where within the organizational structure this process will be incorporated: internal audit, policy and assurance, compliance, risk management, etc.
  8. Create a technology platform to assist you in governing and managing your policy framework

As always, your thoughts and suggestions are welcomed.

DON’T LET YOUR DIGITAL TRANSFORMATION EFFORTS OUTPACE YOUR ABILITY TO GOVERN THEM – REVIEW AND ASSESS YOUR POLICY FRAMEWORK NOW

In today’s high velocity business environment, it’s easy to lose sight of some basic governing principles that might be viewed as cumbersome and restrictive. Be careful, because governance principles exist to ensure the proper balance of performance and conformance when achieving business objectives. If your organization ignores your essential internal controls, it can introduce vulnerabilities that were never intended. Those vulnerabilities can then expose you to risk scenarios that could thwart your achievement of business goals. One of the key components of your governance system is policies, and this blog post is a result of my thoughts and experience in this area.

Ready or not, digital transformation is here

The Fourth Industrial Revolution, often referred to as the “digital transformation” age is here. Whether you are on board or not, it is certainly going to affect your enterprise sooner than later. Going digital is on the tip of nearly every business and technology leaders’ tongues today. The term itself differs by industry and organization, but at a minimum you should define its value in business terms. It is, of course, impossible for business and IT leaders to devise and pursue an effective digital transformation strategy without a solid grasp of the term itself. Here’s my definition:

Any digital transformation effort should be focused on driving value. A major factor in this transformation requires new and innovative technologies that enhance user and customer experiences. However, as we extend our digital capabilities, we should also be mindful of our governance, risk and compliance structure. Now that we have evolved digitally…why haven’t we evolved our governance structures too?

Of course, there are some inherent obstacles to success: resource requirements, new vulnerabilities, organizational silos, thinking this is an IT responsibility, concerns over IT capabilities and failure to consider customer/user experience (CX/UX). All of these can be mitigated by updating your governance system which focuses on the value aspects of delivering benefits while optimizing risks and resources.

Time to take a look at your governance system over enterprise information and technology

Digitized enterprises are increasingly dependent on I&T for survival and growth. Given the importance of I&T to support the enterprise in achieving objectives, Enterprise Governance of Information and Technology (EGIT) is an integral part of any governance framework. According to the latest release of the COBIT Framework, COBIT 2019 by ISACA, a governance system should consist of the following governance components:

Components of a governance system: COBIT2019, ISACA

You may recognize these as enablers from an earlier version of COBIT, and these are finally getting the attention they deserve.

Think of these components as ingredients to a governance system. They can be addressed independently, but should be used as a collection of interconnected requirements. This helps to fully grasp how technology organizations can meet the various governance or management objectives to support a governance system. These complex interconnections between components can invalidate your efforts if you don’t understand their connections and dependencies. For example, if you make a major change to a PROCESS, then you should also look at how that affects, or is affected by, the other components.

Here is an example of a client who had great intentions, but completely misunderstand how this ecosystem works:

Policies are critical to the governance system

One very important governance component in today’s high velocity environments is policy. Too many organizations outpace their policies when aggressively pursuing a digital posture This creates more confusion and vulnerabilities than necessary. There are many elements involved when understanding policies, these are outlined below.

A principle is a clear expression of the core values of the enterprise. Principles should be limited in number and expressed in simple language. Principles influence policies and are driven by culture, legislation and regulations, standards, and most importantly, the enterprise values and vision.

A policy is a statement of principles that supports the achievement of the enterprise’s goals. Policies are the communication mechanisms to convey direction and instructions and are central to enterprise governance systems. They guide organizational principles or requirements that set directional tone and can be applied to an entire organization, department or specific area.

Finally, a procedure supports policies with more detailed activities. They should have an internal focus and can connect related functions and processes. Think of procedures as an established way of accomplishing the outcome of a policy. This can be through the use of processes, practices and activities.

Now that I’ve reviewed some basic definitions, it’s time to look at my thoughts on how you can either establish or review your policies to ensure they are not being left behind.

Step one, understand your policy “ecosystem”

My quest for policy framework guidance started when I was doing a COBIT process capability assessment for a client a few months ago. They asked me to assess their policy framework maturity. This organization was in an aggressive growth phase and actively funding a digital transformation effort. They wanted to ensure that their governance framework, more specifically, their policy component, was in pace with their modernization efforts. I searched everywhere, but the only framework with any substantive guidance of this level was COBIT. Of course, there are plenty of articles and whitepapers on do’s, don’ts and good practices, but nothing solid.

Based on my previous experiences and research, my first task was to determine what I call my altitudes of policy, as illustrated below:

Policy altitudes and ecosystem

These altitudes helped me understand where policies fit in the larger picture. Your organization may see this differently, but my advice for you is to really understand your terminology. Your ecosystem could look completely different from mine.

Step 2, Understand Key Practices and activities

My second task was to determine HOW I was going to set up the practices and activities within a policy framework to analyze and assess maturity. I decided to make my own guidance using the COBIT format. As you can see below, we have key practices supported by activities. I used these as a basis for my evaluation. You might think of these as control objectives. Of course, this is not an exhaustive list, but it provided a basis for my understanding of what should be accomplished.

Practice 1. A policy framework is documented, approved, and enforced

a. The policy framework includes dependencies and interrelationships with all other enterprise policies.

b. Appropriate KPIs are created for policy management and are tracked, monitored, reported and acted upon.

c. The policy framework includes a central system of record repository that is considered the source of authority for the enterprise’s policies and procedures.

d. The policy framework includes a mechanism for monitoring internal and external factors that may require policy framework modifications.

e. The policy framework aggregates and reconciles compliance with multiple regulations and requirements, the policies that result from them, and the processes that ultimately monitor and control them.

Practice 2. A policy lifecycle management system is approved and recognized

a. The processes for drafting, approval, implementation, continuous monitoring and retirement of policies is defined and adhered to.

b. Policies are developed in consultation with key stakeholders.

c. Ownership of the policy should be clearly identified and administration should occur collaboratively.

d. Changes and modifications to policies are subject to the enterprise governance approval process.

Practice 3. Policies are communicated and distributed to all stakeholders

a. Policies are published and distributed to all stakeholders, including employees and business partners whose actions they govern.

b. Policy training and awareness is conducted.

c. There is an established process of communicating changes to appropriate stakeholders, owners, and applicable practitioners.

Practice 4. Policies are monitored, enforced and maintained

a. The policy framework ensures that verification and validation of stakeholder training and understanding are an integral part of policy management.

b. Organizations should assess the level of non-compliance with any given policy to determine whether the policy should be amended or left in place without notification.

c. Compliance is monitored and violations investigated and addressed.

Practice 5. Technology is used to support the policy framework

a. A common technology platform is used to consolidate enterprise policies and procedures from various departments.

b. The most recent and approved versions of all policies and procedures should be stored and managed through a centralized policy repository.

c. Enterprise policies and procedures are readily available to all stakeholders, owners, and practitioners.

Practice 6. Each policy should meet good practice criteria

a. Policies have a purpose statement, owner or appointed steward.

b. Policies must be clearly aligned to an organizational principle or desired behavior.

c. Policies must provide references to any specific laws, regulations and standards they are intended to support.

d. Policies are linked to enterprise risk appetite and internal controls.

e. Policies must include scope, validity and an effective compliance date in which adherence will be monitored and enforced.

f. Policies must include consequences for failure to comply.

g. Policies must include escalation procedures for handling exceptions.

h. Policies are reviewed and approved on a consistent basis or updated as necessary.

i. Internal and external stakeholders are identified.

j. Policies should be effective—they achieve the stated purpose.

k. Policies should be efficient—they ensure that principles are implemented in the most efficient way.

Although the practices and activities identified above may need some updating or consolidation, they are a great start to determine the requirements for your policy environment and are not dependent on the size and type of organization. As far as I know, this is the first set of publicly available ”control objectives” for policy assurance in our industry today – so it’s a work in progress.

Step 3, Determine a consistent approach to measuring and assessing maturity

There is much confusion right now about maturity and capability models. As of this writing, I have not found a definitive resource to assist in assessing and rating the level of maturity for a policy framework.

My next step was to create a maturity model for the policy component. Since my client was asking for an assessment of their policy framework maturity, I chose to turn to CMMI to help me with this. Stay tuned, that is the subject of a future blog post.

Conclusion

The scope of this blog post is the policy framework associated with the enterprise’s governance over enterprise information and technology, not the entire organization. What you have just read is what I believe to be the first set of potential control objectives for policy frameworks. As mentioned earlier, they may exist somewhere but I couldn’t find anything clean and concise so I made my own based on many different standards, bodies of knowledge and client needs.

Look out for an upcoming blog on how to create a maturity assessment of your policies soon.

SOLVING FRAMEWORK FATIGUE. USING COBIT5 TO MANAGE FRAMEWORKS AND ACHIEVE BUSINESS VALUE

With a multitude of models, standards, bodies of knowledge and frameworks in our industry, it’s easy to see how navigating through these becomes utterly exhausting for an IT service organization. The jigsaw puzzle of frameworks is daunting. Frameworks, whether adopted from industry models or built internally, provide critical structure. Nonetheless, many feel that they are a hindrance.

If this sounds familiar, then take a look at COBIT.  COBIT is a framework that can assist the enterprise in not only creating a holistic approach to the Governance of Enterprise IT, but can also be effectively used as a framework to integrate other frameworks.

Understanding Value

A large challenge many organizations face is not realizing that there are several governing levels and areas that must be considered when selecting the most appropriate frameworks. In today’s environment, one single industry framework simply won’t suffice.

Looking through a governance lens, it is important to understand that adopting frameworks requires a solid understanding of the business environment as well as the value that each of these frameworks provides. Therefore, it is vital that frameworks are analyzed and adopted based on several factors, all of which should focus on one theme: create value for the enterprise. This means that IT enabled investments provide expected business benefits while optimizing resources and risks. Recognizing this is the first step towards creating a system of frameworks to support value.

 

The Framework Ecosystem

Consider looking at the framework ecosystem from multiple levels as illustrated below. These levels provide good starting point for determining what value is created by leveraging a framework. Stakeholder needs have many drivers, but these must have a balance between performance and conformance.

At the Enterprise Governance level, the Balanced Scorecard helps measure business performance, while COSO (Committee of Sponsoring Organizations) creates a system of internal controls for conformance. This is followed by the GEIT level (Governance of Enterprise IT) where frameworks such as COBIT exist. At the Standards and Good Practices levels, frameworks can be selected based on their ability to satisfy the stakeholder needs.

 

Shot of computer programmers looking through data in the office

Simply understanding these levels will not automatically select the right frameworks. Since every enterprise sees value differently, an inventory of appropriate solutions must be conducted.

An Inventory of Frameworks

Now that we have identified the layers, what are the specific frameworks that exist? First, it is important to understand that frameworks come in many shapes and sizes, and all have very specific business challenges and value propositions. The table below illustrates generic categories, and some of the more popular frameworks being adopted today to support them. Of course, these are not complete lists, but represents how many of these can be placed in the enterprise to provide the most value.

 

It is usually at this point where framework overload begins to emerge, and many organizations simply go right to the solution before truly understanding the reasons why, or jump to a single framework that appears to satisfy the most requirements.

It is impossible to simply pick a few frameworks and decide that they are the right fit because the industry says so. A key success factor to consider when integrating frameworks and standards is to strategically leverage several models based on their value contribution to the enterprise.

Integrating frameworks

There are a few myths about frameworks should be known before you start: First, a ‘best practice’ is only as good as how well it is adopted; Second, frameworks are suggestive not prescriptive; and finally, there is no such thing as a single silver bullet.

Therefore, it is no surprise that one of the top questions today regarding multiple frameworks is this: Is there a at least framework that will help me manage all of my frameworks? The answer is simple. Yes, and it is called COBIT. This comprehensive framework is part of the ISACA product family (www.isaca.org/cobit) and assists enterprises in achieving value through the governance and management of enterprise IT. At the core of the framework are five principles, which are major inputs to how an enterprise selects, adopts and leverages other frameworks.

  1. Meeting Stakeholder Needs. Creating value through benefits realization by optimizing costs and risks.
  2. Covering the Enterprise End to End. Include owners and stakeholders, a governing body, executive management, and operations and execution.
  3. Applying a Single Integrated Framework. Integrating all common industry frameworks and standards under a single model.
  4. Enabling a Holistic Approach. Using enablers to ensure that the governance objectives are met.
  5. Separating Governance from Management. Providing a clear separation between direction and the management of executing that direction.

Principle number four above consists of seven core enablers. Think of an enabler as an ingredient to success. Within the context of an initiative to integrate multiple frameworks, these factors can guide in the successful selection and integration of multiple frameworks. Although many frameworks today have a tendency to focus on processes (one of the seven enablers), it is important to consider a holistic approach to an IT governance initiative. This means connecting the dots between multiple areas that can have an effect on each other. The list of these enablers is below:

  1. Principles, Policies and Frameworks
  2. Processes
  3. Organizational Structures
  4. Culture, Ethics and Behavior
  5. Information
  6. Services, Infrastructure and Applications
  7. People, Skills and Competencies

How does COBIT become a framework to manage frameworks? From a holistic view, the enablers will not only help identify which frameworks are appropriate, but can also assist in determining the level of adoption as well. One of the powerful features of COBIT is that it references other frameworks. Within the COBIT Process Reference Model, there are 37 processes in 5 domains. Each process is further described with information noted below.

 

Developing programming and coding technologies. Website design. Cyber space concept.

In the Related Guidance section, COBIT refers to the applicable industry frameworks and standards that offer the most guidance from a best practice perspective. For example, if an organization is adopting formal practices for the process of managing changes COBIT suggests further guidance in both ITIL and ISO20000, and where to look. If enterprise architecture is the focus, the COBIT suggests TOGAF, etc. Therefore, it is not enough to just adopt COBIT, because there is further guidance in the form of other frameworks and standards that provide further good practices.

Adopting COBIT as a framework to integrate other frameworks is a good business decision. Since COBIT is first and foremost a business framework, it focuses on stakeholder needs and assists organizations in balancing performance and conformance when suggesting supporting frameworks.

Suggestions for success

Of course there are a few good practices to consider when selecting, integrating, and adopting multiple frameworks in this ecosystem. The list below are some of these good practices.

  1. Understand how the levels of governance interact. It is very important to understand how the enterprise sees the levels so that frameworks can be correctly positioned.
  2. Use COBIT as a framework integrator. COBIT uses a holistic approach to governance enablers, and assists in determining which industry frameworks and standards are applicable.
  3. Use more than one framework. They each have unique focus areas. The framework ecosystem must provide value for the enterprise, and one single framework cannot provide everything needed to accomplish this objective alone.
  4. Train the stakeholders on the utility and applicability of each framework. Companies love to train, but often fail to go to the next step of transforming the things learned from training into actual value. The lack of training and understanding of how frameworks help an organization is the number one silent killer of any adoption.

Regardless of industry or size, all companies need governance, and with that need comes multiple frameworks, models and standards. Using COBIT to assist in integrating a holistic approach to governance while managing multiple best practices will ultimately help meet the governance goal of meeting stakeholder needs. COBIT has many tools and techniques in the product architecture that can be adopted to reduce the exhaustion of managing multiple frameworks, and allow the enterprise to focus on value.

As always, this is my perspective and I welcome your comments.

Skip to content