COBIT and You
August 9, 2018
There are several frameworks for enterprise IT governance, but COBIT from ISACA is a favorite that yields great results when properly used. This bit is straight from the parent organization:
COBIT 5 is used globally by those who have the primary responsibility for business processes and technology, depend on technology for relevant and reliable information, and provide quality, reliability and control of information and related technology.
Key COBIT 5 users include enterprise executives and consultants in the following areas:
- Audit and Assurance
- Compliance
- IT Operations
- Governance
- Security and Risk Management
Even industry-specific regulations and risk scenarios are handled by the framework, which makes managing risk, security and compliance one heck of a lot easier than tackling each challenge individually. I've found it to be particularly good for assessing risk across the entire business, not just IT, though IT governance and management are certainly the focus. Using it, you create a centralized matrix to support business decisions and control risk while innovating the delivery of IT infrastructure. A great example is the special consideration given to vendor selection and management for Cloud Service Providers (CSPs) and Managed Service Providers (MSPs), right down to security audits of each prospective vendor.
One key component that is often misunderstood is the difference between inherent and residual risk. Inherent risk is the assessed level of raw or untreated risk; that is, the natural level of risk in a process or activity before anything is done to reduce the likelihood (or mitigate the severity) of a mishap, or the amount of risk before the risk-reducing effect of controls is applied. Residual risk is the risk or danger of an action or event that remains even if all (theoretically) possible safety measures were applied; in other words, the amount of risk left over after inherent risk has been reduced by controls. Ultimately, and particularly during audit, the goal is to rate both in order to provide a holistic snapshot of the business.
A word of caution, though: self-assessment tools like those found in COBIT are great, but you need a sufficient sample size and cross-section of the organization to take these assessments in order to provide a reliable risk profile. It's a large commitment, but one that is ultimately worth it.