Story

I have worked in the information assurance (IA) arena for well over a decade. But as happens to many professionals, I worked in one sector only. I became used to the specialized controls that only affected a small segment of the IA population in terms of information technology (IT) and IA processes.

Sure, I was offered the chance to study Information Technology Infrastructure Library (ITIL), but I did not understand the value of a standardized approach to IT management at that stage in my career.

Moral of the Story

Today, I am learning about NIST SP 800-53 controls, but the organization I am working for does not have a standardized approach. That is a long-term goal. In many ways, I wish I had looked at the IA and IT world from a higher vantage point earlier on so that I would understand how a framework could be used to map multiple types of controls. Instead, I am behind the times in catching up on this important work.

Note: The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

Assignment

The story you just read shows how difficult it can be to get started with a standardized approach to IT management and to ensure that controls and risk management are understood. For this discussion, research the library and Internet for information about Control Objectives for Information and related Technology (COBIT) and ISO 27002, and then respond to the questions. Consider the difficulties faced in the story and how some of these difficulties were overcome when responding to the assignment questions.

Primary Task Response: Within the Discussion Board area, write 400-600 words that respond to the following questions with your thoughts, ideas, and comments. This will be the foundation for future discussions by your classmates. Be substantive and clear, and use examples to reinforce your ideas.

Today, organizations require significant management oversight and IT governance to ensure that controls and risk management are enforced and understood. One of the IT frameworks for ensuring that there is a common language for both management and IT personnel to manage risks, IT services, and the delivery of value is COBIT. In your main post this week, describe the following:

• How does COBIT provide IT processes, goals, and metrics to mitigate security risks and develop a security policy?
• What is the purpose of the Responsible, Accountable, Consulted, and Informed (RACI) chart?
• How does COBIT integrate standards such as NIST SP 800-53, ITIL, ISO 27001, and ISO 27002?