Security Management Survey: ISO, ITIL and COBIT Triple Play Fosters Optimal Security Management Execution
Chrisan Herrod, our security and compliance expert, encouraged us to publish the results of this 2008 survey brief because of the importance of its findings. Special thanks to Brian Babineau of the Enterprise Strategy Group (ESG) for sharing the results with BSMReview.com.
Sophisticated Enterprise Security Managers Leverage Multiple Best Practices
In a survey of security professionals conducted for the research report Security Management Matures, ESG discovered that 72% of North American enterprise-class organizations (i.e., organizations with 1,000 or more employees) say they are implementing one or more formal IT best practice control and process models. The most widely used frameworks are ITIL, ISO and COBIT, discussed below.
ESG examined how the profile of an organization that uses multiple IT frameworks differs from that of an organization that implements just one set of process controls, or none at all.
Our findings? Those organizations implementing multiple frameworks are subject to much more extensive regulatory and compliance pressures and are more likely to have developed operational environments that foster cooperation and collaboration across business, IT and security organizations. They are also more likely to have actively deployed advanced information security management technologies.
Compliance Pressures Drive Adoption of Multiple Best Practice Frameworks
Among survey participants, 18% have simultaneously implemented ITIL, ISO and COBIT (see Figure 1). Of those implementing just one set of standards, ITIL is the most frequently selected (16%) followed by ISO (11%). A significant 17% have not implemented any type of framework at this time. An additional 20% have implemented other best practices or did not know whether their organization used these types of frameworks.
Organizations making concurrent investments in ITIL, ISO and COBIT are often subject to significantly greater levels of external compliance pressure than are organizations choosing to focus on a single set of best practices. As shown in Figure 2, over three-quarters (76%) of the organizations implementing all three sets of guidelines indicate that demands to comply with external regulations were very influential in defining their security management requirements during the past year. In contrast, only 44% of those implementing ITIL alone and 51% of those with no frameworks in place felt the same way.
Figure 2: Impact of Compliance on Selection of Security Management Best Practices
For those organizations implementing all three best practices guidelines, the data reveals that regulatory pressures impact multiple business activities, as these organizations are required to comply with diverse regulatory requirements such as Sarbanes-Oxley, PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard) (see Figure 3). Across all of these regulatory requirements, organizations implementing all three sets of best practices guidelines are significantly more likely to be subject to a given requirement than are organizations with fewer best practices frameworks currently in place.
For example, while 76% of organizations implementing all three best practices guidelines must comply with Sarbanes-Oxley, just 56% of those electing to implement ITIL only report that they must do so. Organizations focused exclusively on ITIL were also much less likely to be required to comply with information security mandates associated with HIPAA, PCI DSS, PIPEDA and FISMA. Likewise, organizations that have not implemented any frameworks to date have relatively low levels of exposure to many information security regulations: roughly half are subject to Sarbanes-Oxley (57%) or HIPAA (43%), but they report much lower levels of exposure to the other regulations.
Figure 3: Compliance Requirements Influencing Security Management Best Practice Choices
Successful Use of Multiple Frameworks Requires Business, IT and Security Cooperation
ESG believes that organizations experiencing the most external pressures are most likely to implement the broadest range of best practices for several reasons, including:
Combined, these forces require organizations to promote extensive and ongoing communication, cooperation and reporting capabilities across information security groups, data center operations teams, e-mail administrators, facilities, human resources and other business groups in order to ensure that information security control policies are implemented consistently across the business. By combining the detailed security specifications from ISO, the IT operations and cross-IT workflow integration best practices from ITIL, and the governance and control models from COBIT, the most sophisticated firms are able to address the full range of compliance and audit requirements set before them by government and industry mandates.
Beyond regulatory compliance, ESG found interesting relationships between an organization's degree of implementation of security and governance standards and the amount of cooperation between different IT groups within that organization. Organizations implementing all three sets of best practices recommendations are most likely to report significant levels of cooperation between IT operations and information security groups (62%), compared with 56% of those implementing ITIL only and just 46% of those that have not implemented any frameworks. Interestingly, those organizations that have not implemented any frameworks are most likely to have merged their IT operations and information security groups (29%), compared to just 14% of those implementing multiple frameworks. This data suggests to ESG that organizations choosing to merge the two groups do so in order to improve communication and coordination across teams, albeit in a less formal way than best practice recommendations dictate.
Figure 4: Level of IT and Information Security Cooperation
Ultimately, given that organizations implementing all three frameworks are more likely to be subject to multiple, complex information security regulations, the fact that they are less inclined to fully merge IT operations and information security groups indicates that the specialized expertise of information security groups is highly valued: these organizations do not want to distract those teams from their core missions. At the same time, they recognize that executing many information security policies requires tight communication and cooperation across IT operations and information security teams, hence the high levels of cooperation reported.
Best Practices Help Users Extract Full Value from Security Management Tools
Adoption of multiple IT best practice recommendations also correlates with early adoption of advanced security management tools. ESG believes the cooperation and operational consistency enabled by the coordinated use of multiple frameworks allow organizations to harvest the greatest possible value from their security management tool and service investments.
As shown in Figure 5, organizations implementing all three frameworks show the highest levels of operational security and compliance management tool/service deployment across the board. For example, the vast majority (92%) of organizations with all three frameworks in use report active deployment of desktop security management tools or services, compared to just 77% for those organizations that have not implemented any frameworks. The pattern repeats itself with the multi-framework implementers having higher levels of deployment of patch management, vulnerability scanning, identity management and dedicated compliance management tools and services.
Research Implications: Process and Policy Coordination Critical to Effective Information Security Management
ESG believes one of the greatest benefits that results from implementing ITIL, ISO and COBIT in a coordinated manner is an improvement in cooperation and communication across business, security and IT teams. Today’s information security management challenges are complex and require these three groups to work together in a coordinated manner, rather than struggle on alone as isolated pillars of excellence. Simply deploying sophisticated information security management tools isn’t enough. To ensure that the tools effectively implement desired policies and fully satisfy regulatory compliance requirements, organizations must promote extensive governance, operational process and information security policy integration.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.
Copyright © 2009-2012 BSMReview.com or individual contributors.