SO, ITIL and COBIT triple play fosters optimal security management execution
Mary Johnston Turner, senior analyst; Jon Oltsik, senior analyst; and John
McKnight, research director, Enterprise Strategy Group (ESG)
April 02 2008
In a survey of security professionals conducted for the recent research
report Security Management Matures, ESG discovered that 72 percent of North
American enterprise-class organizations (i.e., organizations with 1,000 or
more employees) say they are implementing one or more formal IT best
practice control and process models. The most widely-used commercial
frameworks include:

* ITIL (IT Infrastructure Library): Provides recommendations for a wide
range of IT operations and service delivery best practices including
security management. ITIL's information security recommendations are based
heavily on ISO/IEC 17999 and emphasize information confidentiality,
integrity and availability.
* ISO/IEC 17799/27002 (Information technology - Security techniques -
Code of practice for information security management): Provides information
security specialists with specialized recommendations for risk assessment,
physical and information security policy, governance, development,
compliance and access control. Originally labeled as ISO/IEC 17799, this set
of best practices was renumbered as ISO/IEC 27002 in July 2007.
* COBIT (Control Objectives for Information and related Technology):
Provides 210 control objectives applied to 34 high-level IT processes,
categorized in four domains: Planning and Organization, Acquisition and
Implementation, Delivery and Support, and Monitoring. COBIT recommendations
include issues related to ensuring effectiveness and value of IT as well as
information security and process governance.

ESG examined how the profile of an organization that uses multiple IT
frameworks differs from that of an organization that implements just one set
of process controls, or none at all. Our findings? Those organizations
implementing multiple frameworks are subject to much more extensive
regulatory and compliance pressures and are more likely to have developed
operational environments that foster cooperation and collaboration across
business, IT and security organizations. They are also more likely to have
actively deployed advanced information security management technologies.

Compliance pressures drive adoption of multiple best practice frameworks

Among survey participants, 18 percent have simultaneously implemented ITIL,
ISO and COBIT. Of those implementing just one set of standards, ITIL is the
most frequently selected (16 percent) followed by ISO (11 percent). A
significant 17 percent have not implemented any type of framework at this
time. An additional 20 percent have implemented other best practices or did
not know whether their organization used these types of frameworks.

Organizations making concurrent investments in ITIL, ISO and COBIT are often
subject to significantly greater levels of external compliance pressure than
are organizations choosing to focus on a single set of best practices. Over
three-quarters (76 percent) of the organizations implementing all three sets
of guidelines indicate that demands to comply with external regulations were
very influential in defining their security management requirements during
the past year. In contrast, only 44 percent of those implementing ITIL alone
and 51 percent of those with no frameworks in place felt the same way.

For those organizations implementing all three best practices guidelines,
the data reveals that regulatory pressures impact multiple business
activities, as these organizations are required to comply with diverse
regulatory requirements, such as Sarbanes-Oxley, PIPEDA (Personal
Information Protection and Electronic Documents Act, Canada), FISMA (Federal
Information Security Management Act), HIPAA (Health Insurance Portability
and Accountability Act) and PCI DSS (Payment Card Industry Data Security
Standard). Across all of these different regulatory requirements,
organizations implementing all three sets of best practices guidelines are
significantly more likely to be subject to those requirements than are
organizations with a lesser number of best practices frameworks currently in

For example, while 76 percent of organizations implementing all three best
practices guidelines must comply with Sarbanes-Oxley, just 56 percent of
those electing to implement ITIL only report that they must do so.
Organizations focused exclusively on ITIL were also much less likely to be
required to comply with information security mandates associated with HIPAA,
PCI DSS, PIPEDA and FISMA. Likewise, organizations that have not implemented
any frameworks to date have relatively low levels of exposure to many
information security regulations. About half of the organizations that have
not implemented any framework are subject to Sarbanes-Oxley (57 percent)
and/or HIPAA (43 percent), but report much lower levels of exposure to other

Successful use of multiple frameworks requires business, IT and security

ESG believes that organizations experiencing the most external pressures are
most likely to implement the broadest range of best practices for several
reasons, including:

* The fact that different regulatory programs are likely to emphasize
different aspects of physical, logical and virtual information and IT
security management activities, requiring organizations to draw on best
practices and reporting from multiple sources.
* The need to align policies and priorities across many different
decision makers representing a broad mix of business, security and IT
* The need to better coordinate communications and workflow across many
diverse IT and security operations groups.
* The need to validate the information security choices implemented with
a broad range of end-users, national and local government agencies and, in
some cases, national and global networks of partners.

Combined, these forces require organizations to promote extensive and
ongoing communication, cooperation and reporting capabilities across
information security groups, data center operations teams, e-mail
administrators, facilities, human resources and other business groups in
order to assure that information security control policies are implemented
consistently across the business. By combining the detailed security
specifications from ISO, IT operations and cross-IT workflow integration
best practices from ITIL, and governance and control models from COBIT, the
most sophisticated firms are able to address the full range of compliance
and audit requirements set before them by government and industry compliance

Beyond regulatory compliance, ESG found interesting relationships between an
organization's degree of implementation of security and governance standards
and the amount of cooperation between different IT groups within that
organization. Organizations implementing all three sets of best practices
recommendations are most likely to report significant levels (62 percent) of
cooperation between IT operations and information security groups, compared
with 56 percent of those implementing ITIL only and just 46 percent of those
that have not implemented any frameworks. Interestingly, those organizations
that have not implemented any frameworks are most likely to have merged IT
operations and information security groups (29 percent), compared to just 14
percent of those implementing multiple frameworks. This data suggests to ESG
that those organizations choosing to merge organizations do so in order to
improve communication and coordination across teams, albeit in a less formal
way than dictated by best practice recommendations.

Ultimately, given that organizations implementing all three frameworks are
more likely to be subject to multiple, complex information security
regulations, the fact that they are less inclined to totally merge IT
operations and information security groups indicates that the specialized
expertise of information security groups is highly valued. These
organizations do not want to distract those teams from their core missions.
However, these same organizations recognize that execution of many
information security policies requires tight communication and cooperation
across IT operations and information security teams, hence the high levels
of cooperation reported.

Best practices help users extract full value from security management tools

Adoption of multiple IT best practice recommendations also correlates with
early adoption of advanced security management tools. ESG believes the
levels of cooperation and operational consistency enabled by the coordinated
use of multiple frameworks enables organizations to harvest the greatest
value possible from their security management tool and service investments.
Organizations implementing all three frameworks show the highest levels of
operational security and compliance management tool/service deployment
across the board.

For example, the vast majority (92 percent) of organizations with all three
frameworks in use report active deployment of desktop security management
tools or services, compared to just 77 percent for those organizations that
have not implemented any frameworks. The pattern repeats itself with the
multi-framework implementers having higher levels of deployment of patch
management, vulnerability scanning, identity management and dedicated
compliance management tools and services.

Research implications: process and policy coordination critical to effective
information security management

ESG believes one of the greatest benefits that results from implementing
ITIL, ISO and COBIT in a coordinated manner is an improvement in cooperation
and communication across business, security and IT teams. Today's
information security management challenges are complex and require these
three groups to work together in a coordinated manner, rather than struggle
on alone as isolated pillars of excellence. Simply deploying sophisticated
information security management tools isn't enough. To ensure that the tools
effectively implement desired policies and fully satisfy regulatory
compliance requirements, organizations must promote extensive governance,
operational process and information security policy integration.