ISO, ITIL, & CobiT Together Foster Optimal Security Investment BY MARY JOHNSTON TURNER, JOE OLTSIK, JOHN MCKNIGHT Senior Analysts and Research Director, Enterprise Strategy Group

Sophisticated enterprise-security managers leverage multiple best practices.
In a survey of security professionals conducted for the recent research report "Security Management Matures," Enterprise Strategy Group (ESG) discovered that 72 percent of North American enterprise-class organizations (organizations with 1,000 or more employees) say they are implementing one or more formal IT best-practice control and process models. The most widely used commercial frameworks include:

• IT Infrastructure Library (ITIL): Provides recommendations for a wide range of IT operations and service delivery best practices, including security management. ITIL's information-security recommendations are based heavily on ISO/IEC 17999 and emphasize information confidentiality, integrity and availability.
• International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17799/27002: Provides information-security specialists with specialized recommendations for risk assessment, physical and information-security policy, governance, development, compliance and access control. Originally labeled as ISO/IEC 17799, this set of best practices was renumbered as ISO/IEC 27002 in July 2007.
• Control Objectives for Information and Related Technology (CobiT): Provides 210 control objectives applied to 34 high-level IT processes, categorized in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. CobiT recommendations include issues related to ensuring effectiveness and value of IT as well as information security and process governance.

ESG examined how the profile of an organization that uses multiple IT frameworks differs from that of an organization that implements just one set of process controls, or none at all. Our findings? Those organizations implementing multiple frameworks are subject to much more extensive regulatory and compliance pressures and are more likely to have developed operational environments that foster cooperation and collaboration across business, IT and security organizations. They are also more likely to have actively deployed advanced information-security management technologies.

Compliance Pressures Drive Adoption of Multiple Best-Practice Frameworks
Among survey participants, 18 percent have simultaneously implemented ITIL, ISO and CobiT. Of those implementing just one set of standards, ITIL is the most frequently selected (16percent) followed by ISO (11 percent). A significant 17 percent have not implemented any type of framework at this time. An additional 20 percent have implemented other best practices or did not know whether their organization used these types of frameworks.

Organizations making concurrent investments in ITIL, ISO and CobiT are often subject to significantly greater levels of external compliance pressure than are organizations choosing to focus on a single set of best practices. More than three-quarters (76 percent) of the organizations implementing all three sets of guidelines indicate that demands to comply with external regulations were very influential in defining their security-management requirements during the past year. In contrast, only 44 percent of those implementing ITIL alone and 51 percent of those with no frameworks in place felt the same way.

For those organizations implementing all three best practices guidelines, the data reveals that regulatory pressures impact multiple business activities, as these organizations are required to comply with diverse regulatory requirements such as the Sarbanes-Oxley Act (SOX), Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Across all of these different regulatory requirements, organizations implementing all three sets of best-practices guidelines are significantly more likely to be subject to those requirements than are organizations with a lesser number of best-practices frameworks currently in place. For example, while 76 percent of organizations implementing all three best-practices guidelines must comply with SOX, just 56 percent of those electing to implement ITIL only report that they must do so.

Organizations focused exclusively on ITIL were also much less likely to be required to comply with information-security mandates associated with HIPAA, PCI DSS, PIPEDA and FISMA. Likewise, organizations that have not implemented any frameworks to date have relatively low levels of exposure to many information-security regulations. About half of the organizations that have not implemented any framework are subject to SOX (57 percent) and/or HIPAA (43 percent) but reports much lower levels of exposure to other regulations.

Successful Use of Multiple Frameworks Requires Business, IT and Security Cooperation
ESG believes that organizations experiencing the most external pressures are most likely to implement the broadest range of best practices for several reasons, including:

• The fact that different regulatory programs are likely to emphasize different aspects of physical, logical and virtual information and IT-security-management activities, requiring organizations to draw on best practices and reporting from multiple sources
• The need to align policies and priorities across many different decision makers representing a broad mix of business, security and IT stakeholders
• The need to better coordinate communications and workflow across many diverse IT and securityoperations groups
• The need to validate the information-security choices implemented with a broad range of end users, national and local government agencies and, in some cases, national and global networks of partners.

Combined, these forces require organizations to promote extensive and ongoing communication, cooperation and reporting capabilities across information security groups, data-center-operations teams, e-mail administrators, facilities, human resources and other business groups in order to assure that information-security control policies are implemented consistently across the business. By combining the detailed security specifications from ISO, IT operations and cross-IT workflow integration best practices from ITIL, and governance and control models from CobiT, the most sophisticated firms are able to address the full range of compliance and audit requirements set before them by government and industry compliance mandates.

Beyond regulatory compliance, ESG found interesting relationships between an organization's degree of implementation of security and governance standards and the amount of cooperation between different IT groups within that organization. Organizations implementing all three sets of best-practices recommendations are most likely to report significant levels (62 percent) of cooperation between IT-operations and information-security groups, compared with 56 percent of those implementing ITIL only and just 46 percent of those that have not implemented any frameworks.

Interestingly, those organizations that have not implemented any frameworks are most likely to have merged IT-operations and information-security groups (29 percent), compared with just 14 percent of those implementing multiple frameworks. This data suggests to ESG that those organizations choosing to merge organizations do so in order to improve communication and coordination across teams, albeit in a less formal way than dictated by best-practices recommendations.

Ultimately, given that organizations implementing all three frameworks are more likely to be subject to multiple, complex information-security regulations, the fact that they are less inclined to totally merge IT-operations and information-security groups indicates that the specialized expertise of information-security groups is highly valued.

These organizations do not want to distract those teams from their core missions. However, these same organizations recognize that execution of many information-security policies requires tight communication and cooperation across IT-operations and information-security teams, hence the high levels of cooperation reported.

Best Practices Help Users Extract Full Value From Security-Management Tools
Adoption of multiple IT best-practice recommendations also correlates with early adoption of advanced security-management tools. ESG believes the levels of cooperation and operational consistency enabled by the coordinated use of multiple frameworks enables organizations to harvest the greatest value possible from their security-management tool and service investments.

Organizations implementing all three frameworks show the highest levels of operational security and compliance-management tool/service deployment across the board. For example, the vast majority (92 percent) of organizations with all three frameworks in use report active deployment of desktop security-management tools or services, compared with just 77 percent for those organizations that have not implemented any frameworks. The pattern repeats itself with the multi-framework implementers having higher levels of deployment of patch management, vulnerability scanning, identity management and dedicated compliance-management tools and services.

Research Implications: Process and Policy Coordination Critical to Effective Information-Security Management
ESG believes one of the greatest benefits that results from implementing ITIL, ISO and CobiT in a coordinated manner is an improvement in cooperation and communication across business, security and IT teams. Today's information-security-management challenges are complex and require these three groups to work together in a coordinated manner, rather than struggle on alone as isolated pillars of excellence. Simply deploying sophisticated information-security-management tools isn't enough. To ensure that the tools effectively implement desired policies and fully satisfy regulatory-compliance requirements, organizations must promote extensive governance, operational process and information security-policy integration.