Oracle Identity Management—Governance, Risk, and Compliance(6)

2019-03-09 21:58

Compliance frameworks are the connection between regulatory mandates and software practices. In the following chapter, we explore the nature of compliance frameworks and best practices in an attempt to direct the identity professional toward standards that enable auditable stewardship and governance of identity-related information.

Management should perceive the self-assessment phase provided by the use of these tools as an opportunity for business process reengineering. For the manager, a regular self-assessment of control operations should also reveal potential improvements in process. The exceptions found in detective, back-end controls can recommend more appropriate front-end controls to reduce error correction and rework. Often, these exceptions can point to refinements for system input screens that shift the control function from detective or manual to preventative or automated and result in a net increase in value for the company.

Compliance Framework Taxonomy

Identity management has the greatest impact on a company's ability to achieve regulatory compliance. Operational transparency and financial accountability derive from the enterprise's ability to assign access and authority to the right people. Accountability also derives from the ability to track users' identity as expressed in the role and responsibility assigned by the company. As a result, companies are discovering that their ability to win and perform on contracts is as subject to investigation of their identity management processes as it is of their company's balance sheets or stock value.

Accompanying a flock of identity-related compliance mandates are multiple frameworks and methodologies for managing operational risk in a way that can be verified. This can be good or bad depending on perspective. Either way, these frameworks should not be unfamiliar to the identity management professional. The number of frameworks against which companies' processes are evaluated continues to increase, and a company may need to consider a daunting number of them. The field truly is a quagmire in which compliance efforts can stall if an organization is not careful. The first step toward making sense of the regulatory quagmire is to categorize the frameworks by purpose and focus. In general, these frameworks define characteristics of good processes, but do not prescribe how they should be enacted.

Joint EU Framework

ISO/IEC 27001:2005, ITIL, and CobiT are the three most important best-practice IT-related frameworks. ISO/IEC 27001 is the international Code of Best Practice for Information Security from the International Standards Organization in Geneva. ITIL is the IT Infrastructure Library, created by the United Kingdom's Office of Government Commerce, and CobiT is Control Objectives for Information and Related Technology, from the IT Governance Institute, in the United States. ISO 17799, ITIL, and COBIT are all best-practice IT approaches to regulatory and corporate governance compliance. The challenge is to craft an integrated framework that encompasses all three standards. The Joint Framework established by the IT Governance Institute and the British Office of Government Commerce forms one of the two most comprehensive frameworks. Aligning COBIT, ITIL and ISO 17799 for Business Benefit was published in 2005 and serves to formalize the relationship between these three best-practice frameworks. The recommendation is that COBIT should be used to provide the "IT-process model":

- ITIL describes how service management aspects should be handled.
- ITIL and ISO 27001 are mapped to high-level COBIT process and control objectives.
- ISO 27001 defines what must be done in terms of information security controls.
- Appendix I maps CobiT controls to ITIL processes and ISO 27001 controls.
- Appendix II maps ITIL processes to COBIT control objectives.
- ITIL, COBIT, and ISO 27001 (17799) projects can be cross-linked and integrated.

Organizations that use the Joint Framework will have a single, integrated compliance approach that delivers corporate governance general control objectives, meets the regulatory requirements of data- and privacy-related regulation, and enables the organization to prepare for external certification to ISO 27001 and ISO 20000, both of which demonstrate compliance. The Joint Framework prepares the enterprise for emerging regulatory requirements, enabling compliance with multiple regulations and meeting complex compliance requirements.

The Joint Framework helps organizations improve business performance; it focuses on business processes, as opposed to controls, and builds controls into the business processes. The Joint Framework enables a broad-based shift from reactive to proactive compliance operations. A benefit of increased standardization in compliance efforts is reduced costs, improved efficiency, and increased quality. Because the framework applies across the enterprise, it reduces vertical silos of expertise and practice, improving communication and business effectiveness. In practice, the framework can be deployed quickly and can reduce an organization's dependence on multitudes of experts and methodologies. Choosing to implement the Joint Framework not only leads an enterprise toward effective regulatory compliance but also helps improve the organization's competitiveness.

Control Mapping—Joint EU Framework

ISO/IEC 27001:2005, ITIL, and CobiT make up the Joint EU Framework, addressing the domain control requirements of

- Trusted access
- Change management
- Business continuity and availability
- Operational monitoring
- Records management
- Audit and risk management
- Operational controls

The standard concedes as out of its scope the control areas of

- Operational transparency
- Segregation of duties

COBIT

CobiT, in its fourth edition, is widely adopted in North America and is increasingly being accepted in Europe. It is a broad principles-based framework that looks at the management of the IT organization and is aimed at board members, managers, and auditors. CobiT identifies 34 key information technology processes and a further 318 control objectives, each of which has an audit guideline. It maps to the specific requirements of the recommended internal control framework for Sarbanes-Oxley compliance and underpins the recommendations of the Turnbull Guidance. This framework has four major domains, which follow the general systems development life cycle:

- Planning and organization (PO, plan and organize): The planning and organization domain has 11 high-level control objectives that cover everything from strategic IT planning and the creation of a corporate information architecture to the management of specific projects.
- Acquisition and implementation (AI, acquire and implement): Companies need to acquire and implement information systems. This domain has six high-level control objectives.
- Delivery and support (DS, deliver and support): Most of the IT project life cycle takes place after implementation. The CobiT framework has 13 high-level control objectives for delivery and support.
- Monitoring (M, monitor and evaluate): Firms must monitor processes, assess the adequacy of internal controls, obtain independent assurance, and provide for independent auditing.

Each process is described by using the following information:

- High-level control objectives
- Detailed control objectives
- Information criteria affected by the process
- IT resources used by the process
- Typical characteristics depending on the maturity level
- Critical success factors
- Key performance indicators
- Key goal indicators

Information Criteria

Information delivered to the core business processes has to fulfill certain criteria, categorized as follows:

- Quality requirements
  - Effectiveness: The relevance and pertinence of information to the business process as well as the timely, correct, consistent, and usable delivery.
  - Efficiency: The provision of information through the optimum (most productive and economical) use of resources.
- Security requirements
  - Confidentiality: The protection of sensitive information from unauthorized disclosure.
  - Integrity: The accuracy and completeness of information, as well as its validity, in accordance with business values and expectations.
  - Availability: Information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
- Fiduciary requirements
  - Compliance: Deals with following those laws, regulations, and contractual arrangements to which the business process is subject (i.e., externally imposed business criteria).
  - Reliability: Relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance-reporting responsibilities.

Control Mapping—COBIT

COBIT addresses the domain control requirements of

- Trusted access
- Business continuity and availability
- Operational monitoring
- Records management
- Operational controls

The standard concedes as out of its scope the control areas of

- Change management
- Audit and risk management
- Operational transparency
- Segregation of duties

ISO 27001

This international standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security management system (ISMS). An organization needs to identify and manage many activities to function effectively. Any activity using resources and managed so as to enable the transformation of inputs into outputs can be considered to be a process. Often, the output from one process directly forms the input of the following process.

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and nongovernmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC. This international standard adopts a process model that is applied to structure all ISMS processes. This international standard is aligned with ISO 9001:2000 and ISO 14001:2004 to support consistent and integrated implementation and operation with related management standards.

The focus of ISO/IEC 17799:2005, the precursor to ISO 27001, is the assurance of the availability, confidentiality, and integrity of an organization's information. These principles are at the heart of all of today's information-related regulations. The standard's key controls all map to specific requirements of existing data protection legislation and, through ISO/IEC 27001:2005 (the ISMS specification standard), it is recognized as a means of complying with EU regulations on data protection and privacy.

Control Mapping—ISO 27001

ISO/IEC 27001:2005 addresses the domain control requirements of

- Trusted access
- Business continuity and availability
- Operational monitoring
- Records management
- Audit and risk management
- Operational controls

The standard concedes as out of its scope the control areas of

- Change management
- Operational transparency

