This document discusses several security frameworks and methodologies. It describes COSO as a corporate governance framework focused on fraudulent financial reporting. CobiT is derived from COSO and deals with IT governance, providing processes and control objectives. ITIL is the most used framework for IT service management, focusing on identifying, planning, delivering and supporting IT services businesses rely on. ISO/IEC 27000 is a series of standards that outlines developing and maintaining an information security management system to help organizations manage security controls centrally.

1. DOMAIN 3: Information Security Governance and Risk
Management
# 3.02

2. CISSPills Table of Contents
 Security and Audit Frameworks and Methodologies
 COSO
 CobiT
 Frameworks Relationship
 ITIL
 ISO/IEC 27000 Series

3. CISSPills Security and Audit Frameworks and Methodologies
A lot of frameworks and methodologies have been developed in order to support
security, auditing and risk assessment of implemented security controls.
These resources are helpful to assist during the design and testing of a Security
Program (ISMS) (see CISSPills #3.01).
Some of the frameworks, even if not initially intended for Information Security, have
proved to be valuable tools for the security professionals and consequently were
adopted in such context.

4. CISSPills COSO
The Committee of Sponsoring Organizations (COSO) of the Tradeway
Commission developed this framework in 1985.
COSO is a corporate governance model which deals with non-IT topics, such
as board of director responsibilities, internal communications, etc. It is
focused on fraudulent financial reporting and provides companies, auditors,
SEC and other regulators with recommendations to address financial
reporting and disclosure objectives.
The Sarbanes-Oxley Act (SOX) is a U.S. Federal Law that sets new or enhanced
standards related to the accuracy of the financial information of a public
company as well as the penalties for fraudulent financial activities.
SOX is based upon the COSO model, so companies have to follow this model
in order to be SOX-compliant.

5. CISSPills CobiT
The Control Objectives for Information and related Technology (CobiT) is a control-
based framework developed by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI). CobiT is derived from the
COSO framework and deals with IT governance.
The main goal of the framework is providing process owners with a toolset for the
governance and the management of the Enterprise IT, so that it maps to business
needs.
IT Governance allows to:
 Achieve strategic goals and experience business benefits through the effective use
of IT;
 Achieve operational excellence through a reliable and efficient application of the
technology;
 Maintain IT-related risk at an acceptable level;
 Optimize the cost of IT services and technology;
 Support compliance with relevant laws, regulations and policies.

6. CISSPills CobiT (cont’d)
CobiT provides a toolset containing:
 A set of generic processes to manage IT;
 A set of tools related to the processes (controls, metrics, analytical tools and
maturity models).
and allows to accomplish the following:
 Linking IT goals with business requirements;
 Arranging the IT function according to a generally accepted model of processes;
 Defining the control objectives;
 Providing a maturity model to measure the achievements;
 Defining measurable goals based upon Balanced Scorecard principles.

7. CISSPills CobiT (cont’d)
CobiT is made up of the following components:
 Framework: IT governance objectives and good practices arranged by IT
domains, while processes and linked to business requirements;
 Processes: set of generally accepted processes in which IT Function can be split.
CobiT defines 34 processes and each of them is associated to one of the 4
domains CobiT breaks down IT: Plan and Organize, Acquire and Implement,
Deliver and Support and Monitor and Evaluate;
 Control objectives: set of objectives, arranged by process, that chosen controls
(e.g. account management) have to meet;
 Management guidelines: resources to help assigning responsibility, agreeing on
objectives, measuring performance and illustrating interrelationship with other
processes;
 Maturity models: tools to assess maturity and capability per process and to help
addressing gaps.

8. CISSPills Frameworks Relationship
SOX
(Federal Law)
COSO
(Corporate Governance)
CobiT
(IT Governance)
used to comply with
mapped by ITGI
with COSO
used to comply with

9. CISSPills ITIL
The Information Technology Infrastructure Library (ITIL) is the most used framework
for IT Service Management. It’s based on
best practices and allows to:
 Identify
 Plan
 Deliver
 Support
the IT services business relies on.
ITIL was developed because of the ever-increasing dependency between IT and
business.

10. CISSPills ITIL (cont’d)
A service is something providing a “value” to the customers (internal or
external). One example is the payroll service, which depends on an IT
infrastructure (storage, DBs, etc.). ITIL handles services in a holistic fashion, so
that also IT architecture is taken into account. This kind of approach, allows to
consider every aspect of a service and allows to assure proper service levels.
Services must be aligned with business and have to sustain its fundamental
processes. ITIL helps organization to use IT for easing the changes, the
transformations and the growth of the business.

11. CISSPills ISO/IEC 27000 Series
ISO/IEC 27000 series (formerly known as BS7799) is a set of standards that outlines
how to develop and maintain an ISMS. Its goal is helping organization in managing
centrally the security controls deployed throughout the enterprise. Without an ISMS,
controls are implemented individually and don’t follow a holistic approach.
The series is split in several standards, each of them addressing a specific requirement
(e.g. 27033-1 - network security, 27035 - incident management handling, etc.).
ISO/IEC 27001:2005 are the standards organizations have to follow (and are assessed
against) if they want their ISMS to adhere to ISO 27001. Being compliant means that
the organization has put in place an effective ISMS able to assure the security of the
information from several standpoints (physical, logical, organizational, etc.) and the
reduction and/or prevention of the threats.

12. CISSPills ISO/IEC 27000 Series (cont’d)
This framework relies on PDCA (Plan-Do-Check-Act), a four-step iterative cycle
which allows a continuous improvement of the process: the results of a step can be
used to feed the next one, which each cycle leading closer to the goal.
 Plan: aimed at establishing goals and plans;
 Do: aimed at implementing the plans identified
in the previous step;
 Check: aimed at measuring the results in order
to understand if objectives are met;
 Act: aimed at determining where to apply changes in
order to achieve improvements.

13. CISSPills That’s all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much as
I have had fun writing them.
For comments, typos, complaints or whatever your want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
 Stay tuned on for the next issues;
 Join ”CISSP Study Group Italia” if you are preparing your exam.
Brought to you by Pierluigi Falcone. More info about me on
Contact Details