Importance of GRC for cybersecurity professionals
As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.
With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.
The following table shows the importance of implementing an overarching GRC framework for an organization in detail:
|
Non-GRC |
Effective GRC |
|
Lack of effective oversight |
Effective oversight across all departments |
|
Focus on achieving results only |
Achieving results with integrity and ethics |
|
Organizational and functional silos |
Integrated decision-making |
|
Lack of visibility |
Shared technology, services, and vocabulary |
|
Disjointed strategy |
Integrated strategy |
|
Duplication of efforts |
Create-once, use-multiple |
|
High costs |
Optimized costs |
|
Inefficient efforts |
Efficient efforts |
|
Lack of integrity |
Culture of integrity |
|
Wasted information |
Shared and common knowledge |
|
Fragmented information |
Continuous flow of information |
Table 1.1 – Importance of a GRC framework
In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.
Implementing GRC using COBIT
Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.
ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.
The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.
There are four publications under the COBIT 2019 framework:
- Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
- Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
- Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
- Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.
COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:
- Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific, governance-related, areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
- Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
- Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
- Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
- Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.
The following figure shows the five domains and 40 COBIT Core processes:
Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)
Important note
Detailed guidance on ISACA introduction and methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.
COBIT and ITIL
This section would not be complete without understanding the relationship between COBIT and ITIL.
ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.
ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.
On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.
The COBIT framework helps identify what IT should be doing to generate the most value for a business, ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain, BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.
A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, and culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.
In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.
