Search in ISMS Guides

Google
 

Tuesday, September 11, 2007

It security and Risk Management : ISO 17799 [PDF]

Madina Nurguzhina

Table of contents
1. Introduction
2. COBIT versus ISO 17799 in IT Governance
2.1. COBIT 4.0
2.2. ISO 17799
3. Implementation of ISO 17799
3.1. ISO 17799’s implementation example
3.2. Benefits of ISO17799
4. Conclusion
Reference

Introduction
In order to be compliant with current laws and regulations, to be competitive and successful a company in the big world must consider not only such things as profit, personnel, supply chain management, and so on, but also information technologies that play a very high role in aforementioned processes. Information is a very important element of every process within a company. If a company can successfully protect and manage information, it would contribute a lot into its business purposes as a whole.

In the global community there are many different types of standards and frameworks that help a company to manage and secure IT such as COSO, COBIT, ISO, ITIL and many others. In order to have a strong and sound IT governance, a company has to implement appropriate IT frameworks that would fit a company’s main processes.

COSO is a very broad group of standards that includes different financial and auditing institutions’ functions, while COBIT, ISO and ITIL are more specific and focuses more on IT security and risk management. As a part of my individual project, I want to narrow my search to COBIT and ISO standards. ISO standards are used globally more often than COBIT due to the fact that ISO fits more smoothly into different frameworks of most of the countries in terms of business processes since COBIT addresses standards only, while ISO concerns about both standards and processes (e.g. organizational security, personnel security, communications and operations management, business continuity management, and so on). I will show it in my report supporting my ideas with relevant cases and examples from certain companies.

Let us talk a little bit about COSO (the Committee of Sponsoring Organizations of the Treadway Commission) and its role in IT Governance. As was mentioned earlier COSO is a very broad set of standards (to be precise a private sector organization) that focuses not only on IT Governance control and improvement, but also and mostly focuses on financial reporting’ quality, internal control and corporate governance. This organization was formed in order to find out factors that lead to frauds in financial reporting as well as give recommendations how to prevent these factors for companies, auditors, educational institutions and so on. Among sponsoring organizations within the Committee there are “five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants)” (1). In spite of the fact that there is a sponsorship deal, the Commission is independent from all of the sponsoring organizations, and has representatives from industry, public accounting, the New York Stock Exchange, and different investment firms.

COSO defines Internal Control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in such categories as effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. IT Governance is part of internal control within the COSO framework. Therefore, different frameworks for IT security and management (COBIT, ITIL, ISO, and so on) should comply with COSO organization’s rules and requirements. While COSO is generally accepted as the internal control framework for enterprises, COBIT, ISO and other similar frameworks are the generally accepted internal control frameworks for IT.

Read More : http://citebm.business.uiuc.edu

No comments: