January 10, 2011Executive Technology StrategiesETS 11-01-08

Leadership Series: Service Management

Key Service Management Models, Linkages, Inclusions and Consequences

Senior Analyst: BJ Dooley

This is the first research note in a series that addresses the various elements of IT Leadership. Each month in 2011 a different element will be explored using research notes and webinars[1].

The ten Leadership elements are defined as follows:

  • Service Management
  • Compliance Management
  • Operational management
  • Portfolio Management
  • Organizational Effectiveness
  • Partner Management
  • Metrics and Marketing
  • Strategic Planning
  • IT Governance
  • Enterprise Leadership

For more detail on each element, see research note ETS 10-12-02, Management - IT Leadership Pyramid Revisited.

Experture believes executives should unify Governance, Risk and Compliance (GRC) across the enterprise through mapping of frameworks, standards and controls. Lack of a unified strategy with appropriate mapping will result in inefficiency, added cost, and an inability to meet the growing requirements of audits, regulations and certifications.

Business Imperatives

  • Compliance is often implemented in a haphazard manner, with significant variation between organizational units that results in inefficiency and confusion. Regulations have become increasingly complex and their linkages to governance continue to spider-web. In this context, the lack of a unified approach puts the organization at risk.
  • Enterprises need to optimize their response to the growing body of regulations, standards and frameworks with a “fix once, comply many times” solution that includes comprehensive mapping of external standards, models and frameworks to internal controls.
  • Inefficiency and cost are the inevitable results of poorly integrated GRC. There are also risks associated with being out of sync with the demands of regulations and not applying timely controls across the enterprise.

Copyright © 2004-2011 Experture and Robert Frances Group, all rights reserved

649 Fairfield Beach Road, Fairfield, CT. 06824; (917) 597 6717;

Contact:


Overview

Heightened security concerns, increasingly complex regulations, and the need to meet a wide range of initiatives in areas such as quality control, systems maturity, and governance have led to a proliferation of regulations, standards and frameworks with which organizations must comply.

General concern was sparked by Sarbanes-Oxley (SOX), which includes strong penalties for non-compliance, addresses a variety of issues in the handling of financial information, and is linked to other framework initiatives, notably COSO and CobiT, for assurance of compliance. SOX has been followed by equally wide-reaching regulatory initiatives, such as the European Union’s privacy directive, the US HIPAA legislation, and an increasing body of law addressing issues such as privacy, transparency of operations, security of information, and the like.

Handling compliance by mapping regulations to management frameworks is becoming increasingly important, and is, in fact, encouraged or specified in some regulations. Use of a framework provides a number of advantages in meeting compliance requirements, including provision of a set of best practices, use of a common language, and potential for unification of multiple regulatory requirements. Basing compliance management around such a framework also provides an extensible solution, since additional components can easily be added from the framework libraries. Unification decreases redundant development, eliminates silos of compliance activity and opens the way for standardized measurement and reporting.

Frameworks provide a common language across the different areas served by different internal controls, such as internal audit, compliance, risk management, or administration itself. As a result of this language standardization, the implementation of internal controls can be properly communicated from the strategic to the operating layers and vice versa, using the framework as a global reference for a corporate risk management process.

Certain frameworks have become popular for particular regulations or mandates. CobiT with COSO and/or ITIL has emerged as a popular solution for Sarbanes-Oxley, FFIEC guidance is used as a de-facto specification for GLBA compliance initiatives, and ISO 27002 has been popular among organizations pursuing compliance with HIPAA (Health Insurance Portability and Accountability Act) requirements. ISO 27002 is also becoming increasingly important as a unifying framework, and is heavily relied upon in international operations.

As frameworks have become integrated with standards, they have increasingly come into range of other initiatives: quality initiatives such as ISO 9000 and Six Sigma, and process maturity models such as CMMI. These overlapping areas of practice have created huge overlaps among existing models, making compliance increasingly difficult and auditing all but impossible.


Key Frameworks

The most important top-level frameworks today are COSO, CobiT, ITIL, and ISO/IEC 27002. There are numerous others, but these have special connections to compliance issues that make them stand out, and they often serve as the basis for integration of other models.


COSO

In its final rules on the Sarbanes-Oxley Act, the SEC made specific references to the COSO recommendations. COSO provides a financially oriented risk management framework designed to achieve strategic, operations, reporting and compliance objectives. COSO itself is a voluntary private-sector organization, established in 1985, with representatives from industry, public accounting, investment firms and the New York Stock Exchange.

The COSO framework has become the broadly accepted standard for meeting reporting requirements. The overall effect of COSO is a focus on control activities and the monitoring of those activities.

Figure 1 - The “New” COSO Cube[2]

CobiT

The IT Governance Institute (ITGI), established in 1998, was set up to clarify and provide guidance on current and future issues pertaining to IT governance, security and assurance. The ITGI's main publication is Control Objectives for Information and Related Technology (CobiT). CobiT is becoming an internationally accepted guidance standard for IT governance. It provides a reference framework and common language for management, auditors, and security analysts across the IT sector. It is designed to align with COSO, and so may be used as an extension of COSO into the IT sector.

Figure 2 - CobiT Cube[3]

CobiT is made up of four domains and 34 high-level control objectives (IT processes), broken down into detailed control objectives: 210 in CobiT 4.1, down from 318 in the earlier CobiT 3rd Edition. It includes controls that address operational and compliance objectives across all aspects of IT.

ITIL

ITIL (IT Infrastructure Library) is a set of guidelines that defines multiple areas of focus, from service management practices to security. It was developed initially in the 1980s by the UK government's CCTA (later absorbed into the Office of Government Commerce, OGC), and is a non-proprietary IT process framework, organized as a library that provides process guidance and best practices for managing IT services. ITIL is a set of best practices; it is not meant to describe pure processes, but rather to provide a kind of template which may be applied to the specific characteristics and requirements of a business.

Fig. 3 - ITIL Service Management Framework[4]

Attention has turned to ITIL due to its widespread usage and its alignment with both CobiT and ISO/IEC 20000, the service management standard derived from ITIL. The OGC and the IT Governance Institute (developer of CobiT) have an ongoing project to integrate CobiT and ITIL principles.

ISO 27002

ISO 27002 is a broad, security-focused code of practice. It outlines hundreds of potential controls and control mechanisms, which businesses can implement under the guidance of its companion standard, ISO 27001. ISO 27002 defines a set of information security control objectives, each with best-practice controls; ISO 27001 is the certifiable standard that specifies “the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.” The CobiT framework has also been mapped to ISO 27002.

Specifically, ISO 27002 addresses the following:

  • Structure
  • Risk Assessment and Treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

Related Standards and Auditing Models

In addition to the major frameworks, there are numerous models with which an organization must comply to satisfy audits, accreditations, standards, security requirements, and quality initiatives. These include Six Sigma, CMMI, and ISO 9000, which address general issues, plus numerous others that are specific to functions such as finance and HR and to specific industries, such as pharmaceuticals and financial services. There is substantial overlap between all of these models because they address issues of governance, specify rules for processes, and affect structural and IT areas that have consequences throughout the organization.

The Unified Compliance Framework offers the following list of major current models[5]:

  1. AICPA/CICA Trust Services, Principles, and Criteria
  2. Carnegie Mellon University Software Engineering Institute (CMU/SEI) OCTAVE
  3. CICA CoCo -- Criteria of Control Framework
  4. CICA IT Control Guidelines
  5. CMMI -- Capability Maturity Model Integration
  6. CobiT -- Control Objectives for Information and related Technology
  7. COSO -- Internal Control Integrated Framework
  8. GAISP -- Generally Accepted Information Security Principles
  9. ISF Standard of Good Practice for Information Security
  10. ISO 17799:2005
  11. ISO 9000
  12. ITIL -- the IT Infrastructure Library
  13. Malcolm Baldrige National Quality Program
  14. Organization for Economic Cooperation and Development (OECD) Principles of Corporate Governance
  15. OPM3 -- Organizational Project Management Maturity Model
  16. Six Sigma
  17. Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Why Alignment is Important

The development of “islands of compliance” is a growing concern as models and frameworks proliferate. They all have the objective of improving processes, making them more transparent, more effective, and more efficient, but the specifics, definitions, and required practices can differ, often in subtle ways. Also, the basket of models to which an organization might wish to adhere can differ radically from one situation to the next. All of this becomes considerably more complex in corporate mergers and acquisitions. Without an attempt at alignment, chaos will ensue, and it will become impossible to meet audit and certification requirements.

Current compliance efforts are typically not well orchestrated. Organizations attempt to integrate multiple compliance frameworks with point workarounds, much as ERP applications were once deployed piecemeal. But the more systems are placed in use, the more fragmented the approach becomes and the less accurate it is likely to be. The result of this entropy is that companies waste time and effort when they should be looking for a unified solution integrated into the IT infrastructure, or delivered as SaaS.

The results of a lack of centralization and automated compliance include:

  • High compliance cost due to rework and poor utilization of compliance resources
  • Uncertainty as to audit readiness for various regulations
  • Lack of experienced staff qualified to provide compliance advice across multiple regulations and technologies
  • Difficulties in locating appropriate compliance process support, such as templates applicable to complex scenarios

Overcoming these challenges is one of the motivations for developing a unified IT regulatory and compliance program. Such a program provides centralized handling of regulatory authorities and their requirements across the organization.

Mapping and Alignment

Mapping is important to make sure that business and/or data owners are aware of the standards applicable to them, that management understands the standards that a new line of business or a new class of data brings into scope, and that all areas are adequately covered.

At the present time, the various bodies overseeing management frameworks are working on commonalities, and vendors of Governance Risk and Compliance (GRC) solutions such as Archer, Modulo, and RSA are creating their own mappings to present a unified solution.

Cross mapping between frameworks and internal controls is necessary because there are:

  • Multiple similarities, differences and overlaps between standards
  • Interpretation and language differences, with requirements for clarification
  • Different levels of control associated with each standard
  • Significant overlap and redundancy between standards, frameworks and controls, leading to inefficiency and confusion

There are a number of public efforts underway to unify compliance and management frameworks, the most popular of which is the Unified Compliance Framework (UCF). The UCF is probably the most comprehensive and the most widely adopted; it is used by NetIQ, CA, RelSec, and other vendors in the GRC industry, and is available as a database that is internally consistent and well mapped.

The Unified Compliance Framework (UCF) rationalizes IT controls from over 400 regulatory requirements, standards, and guidelines into a single set of straightforward controls that clearly shows where global, state and industry regulations overlap, which dramatically reduces the time, effort and cost associated with regulatory compliance efforts. To cope with the frequency of regulatory revision, the UCF is updated on a regular basis. As one example, the fourth quarter 2009 release included 53 new or updated Authority documents.
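The cross-mapping rationale above (overlap, redundancy, and differing levels of control between standards) and the "fix once, comply many times" rationalization that the UCF performs both come down to one data structure: external authority requirements on one side, internal controls on the other, and a many-to-many mapping between them. The example below, added here and not code from the original note or from the UCF, shows the analysis a practitioner would run over such a mapping: per-authority coverage, uncovered requirements (audit gaps), controls that satisfy several authorities at once (the "fix once" payoff), the audit blast radius when one control fails, and a hygiene check for controls that cite requirement IDs nobody defined. The authority names, requirement IDs and control IDs are constructed for illustration and are not taken from any real authority document.

```python
"""Gap and overlap analysis over a requirement-to-control mapping.

Added example (not from the original note or the UCF).  All authority
names, requirement IDs and control IDs below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: external authority documents and the requirements each
# imposes.  Requirement IDs are hypothetical; text is abbreviated.
AUTHORITIES = {
    "SOX-404": {
        "A1": "access to financial systems is restricted",
        "A2": "changes to financial applications are approved",
        "A3": "privileged activity is logged and reviewed",
    },
    "HIPAA-Security": {
        "B1": "unique user identification",
        "B2": "audit controls record system activity",
        "B3": "protected data is encrypted in transit",
        "B4": "contingency plan and data backup",
    },
    "PCI-DSS": {
        "C1": "unique ID per person with access",
        "C2": "track and monitor all access to cardholder data",
        "C3": "strong cryptography for transmission over public networks",
    },
}

# Internal controls, each mapped to the external requirements it satisfies.
# This mapping is the "fix once, comply many times" artifact.
CONTROLS = {
    "CTRL-IAM-01": {"name": "Named accounts, no shared logins",
                    "satisfies": {"A1", "B1", "C1"}},
    "CTRL-LOG-01": {"name": "Central audit logging with weekly review",
                    "satisfies": {"A3", "B2", "C2"}},
    "CTRL-CHG-01": {"name": "Change advisory board approval",
                    "satisfies": {"A2"}},
    "CTRL-CRY-01": {"name": "TLS 1.2+ for all external transmission",
                    "satisfies": {"B3", "C3"}},
}


def requirement_index(authorities):
    """Map each requirement ID back to its authority; IDs must be unique."""
    idx = {}
    for auth, reqs in authorities.items():
        for rid in reqs:
            if rid in idx:
                raise ValueError(f"requirement id {rid} defined twice")
            idx[rid] = auth
    return idx


def analyze(authorities, controls):
    """Coverage per authority, audit gaps, shared controls and dangling IDs."""
    idx = requirement_index(authorities)
    covered_by = defaultdict(set)   # requirement id -> controls satisfying it
    unknown = {}                    # control id -> IDs no authority defines
    for cid, ctrl in controls.items():
        dangling = ctrl["satisfies"] - idx.keys()
        if dangling:
            unknown[cid] = sorted(dangling)
        for rid in ctrl["satisfies"] & idx.keys():
            covered_by[rid].add(cid)

    coverage, uncovered = {}, {}
    for auth, reqs in authorities.items():
        missing = sorted(r for r in reqs if r not in covered_by)
        coverage[auth] = round(1 - len(missing) / len(reqs), 2) if reqs else 1.0
        if missing:
            uncovered[auth] = missing

    # A control is "shared" when it discharges requirements of >1 authority.
    shared = {}
    for cid, ctrl in controls.items():
        auths = affected_authorities(authorities, controls, cid)
        if len(auths) > 1:
            shared[cid] = auths
    return {"coverage": coverage, "uncovered": uncovered,
            "shared_controls": shared, "unknown_requirements": unknown}


def affected_authorities(authorities, controls, control_id):
    """Audit blast radius: which authorities are hit if this control fails."""
    idx = requirement_index(authorities)
    reqs = controls[control_id]["satisfies"]
    return sorted({idx[r] for r in reqs if r in idx})


if __name__ == "__main__":
    report = analyze(AUTHORITIES, CONTROLS)
    for auth, cov in report["coverage"].items():
        gaps = report["uncovered"].get(auth, [])
        print(f"{auth:15s} coverage={cov:.0%} gaps={gaps}")
    for cid, auths in report["shared_controls"].items():
        print(f"{cid} satisfies {len(auths)} authorities: {auths}")
    if report["unknown_requirements"]:
        print("controls citing undefined requirements:",
              report["unknown_requirements"])
```

Run as-is, the report shows HIPAA at 75% coverage with B4 (contingency planning) as the gap, and two controls each discharging requirements from three authorities. The `unknown_requirements` check is the part most often skipped in spreadsheet mappings: when an authority is revised and a requirement ID retires, controls still pointing at it silently stop counting toward anything, and this check surfaces them on the next run.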

Another interesting attempt to provide centralized access is the GRC-GRID, an open project that maintains an open database of rules, regulations, policies, standards and government guidance artifacts and documents. It does not, however, provide mapping between its objects. The GRID can nonetheless be integrated with software applications, document management and reporting tools, and other products through direct or indirect integration.

A Unified GRC strategy

Many companies have specialized compliance groups to interpret, plan, and implement regulatory requirements. These groups strive for coordination, but can struggle to achieve an optimal result without a unified compliance program.

The unified compliance program typically includes:

  • Corporate roles and responsibilities for compliance activities, ensuring global implementation
  • A common compliance approach, creating a culture of knowledge and best practice sharing within the organization—and across compliance, IT and business teams
  • Development and management of a repository of reusable information assets and artifacts such as checklists, templates, and training presentations
  • Definition and monitoring of metrics across the organization
  • Standardized documentation that eliminates loopholes and provides clear and immediate information on compliance issues
  • Continuous process improvement for compliance processes

Implementation of such a program relies upon an integrated and centralized view of standards, frameworks and controls. Automated mapping, whether through vendor databases, unifying frameworks, or continuously updated SaaS GRC, is a prerequisite.

Summary

Bringing together the major service management models and frameworks and aligning them can be a difficult task, but it is essential to meeting today’s requirements for unified Governance, Risk and Compliance (GRC). Standards and regulations continue to evolve, stretching into every corner of the enterprise, and the need to satisfy auditing, quality, and security improvement initiatives has emphasized the use of frameworks as a unifying standard. Integration of these elements can become extremely complex, and they all continue to evolve. Although there are many commonalities, it is becoming clear that a centralized solution is imperative, and this makes a comprehensive mapping between standards, frameworks and controls necessary. This mapping must be kept continuously up to date, and requires continuous review to ensure that objectives are being achieved.

Current solutions are beginning to evolve, including a number of public approaches and independent mappings produced by vendors in the GRC area. These solutions offer the beginnings of a universal vision of enterprise risk management that integrates the growing body of regulations as well as financial and IT risk within an organization.


The Bottom Line: Experture believes IT executives need to establish a unified strategy for handling the ever-expanding body of standards, regulations, frameworks and controls. This strategy must include a comprehensive mapping of these elements as they relate to the enterprise, and enable automation of compliance.

While there are a number of frameworks to choose from, a study should be conducted to determine which one is most closely aligned with your enterprise’s objectives.

Brian J. Dooley is an author, analyst, and journalist with more than 20 years' experience in analyzing and writing about trends in IT. He has written six books, numerous user manuals, hundreds of reports, and more than 2,000 magazine features.

Clients include research companies such as Seybold, IDC, Gartner Group, Falkner and PriceWaterhouse; publishers, such as TAB books, Heritage Books, Wordware, and IDG Comm; and a diverse range of hardware and software companies in IT and telecommunications.

If you have questions regarding this topic or would like to speak to the author, please contact customer service () to arrange a teleconference.


[1] For information on webinars -

[2]

[3] CobiT 4.1, IT Governance Institute

[4]

[5] say_what_you_do/frameworks/the_major_frameworks_used_for.html