A Desert island and a Standard

My current conundrum, the one keeping my productivity at an unacceptable level, is the recent trend of questions that clients are asking about standards, frameworks, and methodologies. Broadly, my clients are seeking a Swiss Army knife document that provides all the answers for IT controls, risk management, compliance, and other such security concerns. Off the cuff, I am sure we would all say, "It depends." This, of course, is worthless to anyone truly seeking an answer.

So, I pose the question to the world…with some conditions, of course.

"If you were stuck on a desert island and had to have one structured approach to managing risk at an organization, what would you want?"


If you were stuck on a desert island and had to have one structured approach to managing risk at an organization, what would you have in your sunburned hands? Of course, this ignores the complete absurdity of being without the "life line" known as a BlackBerry, and the fact that even using smoke signals as a meaningful communication protocol will not provide a response time sufficient to answer this challenge.

So, without any means of outside communication, and trying not to be blinded by the ball of fire above our heads (read: the sun) that we haven't seen in nearly a dozen years, what is the best approach? Of course, scope and intent come to mind. I would propose that we only consider an enterprise that has to address multiple regulations in the United States (SOX, PCI) and a few international ones (Basel II, etc.).

OK, so we have a pseudo company with pseudo requirements and a truly dire situation. If we focused on a broad framework, perhaps we would choose ISO 17799. This one is a bit out of date, but it does provide us some structure without any specifics. COSO is widely publicized, and why not – it is only 14 years out of date! COBIT 4.0 is sufficiently thick to at least provide good fire-starting material, but it is also the newest iteration of a broadly accepted framework. How about ITIL, or is it ITEL? Then again, the US government has done a fairly thorough, in verbose government fashion, publication series of NIST and FFIEC structures that cover nearly every financial and government system. All right, so what do we choose? Today, if I am looking for a structured standard that delineates a measurable improvement plan, I would select COBIT 4.0. The clarity in 4.0 is unique across all the available standards: it is timely, both quantitative and qualitative through its use of CMMI, and specific enough to allow our enterprise to meet the requirements. Perhaps a giant discussion on this new standard is warranted? Another time…

Thoughts? Comments? Dissents?

James DeLuccia IV
