The Client Base of ISACA - Case Study Example

Summary
The paper "The Client Base of ISACA" highlights that, considering the fact that ISACA has already been emphasizing the significance of continuous development and trust values in its policy implementations, the high order of competitive positioning held by the organization can be confirmed…

Security Governance Report

1.0. Overview

ISACA is a globally operating IT consulting company that delivers its services to governance professionals around the world. The company currently serves approximately 140,000 professionals worldwide and is therefore concerned with business-to-business services only (ISACA, 2015). In keeping with its operational area, the organization places great importance on upholding its enterprise security plans so as to deliver a secure channel of governance to its clients. In this report, the policies and procedures practiced by ISACA are critically reviewed to identify their strengths and limitations, based on the current status of their implementation. Correspondingly, recommendations are drawn for improving the policy measures to the intended level.

2.0. Policy Status

The client base of ISACA is widely distributed among professionals in the information governance sector, together with professionals in the controlling, auditing and security fields of various large corporate organizations. It is because of this diversity that an effective security system in its IT services has remained crucial for attracting valuable customers and retaining profitability in the long run. The current policy status of the company can thus be described as substantially effective, with due emphasis on a multidimensional approach and continuous improvement. The enterprise security critique thus reflects the organization's strategic objective of serving its members around the world with adequate education and professional development through updated certifications. Correspondingly, ISACA's strategies have also been developed on a constant basis, valuing the participation of a growing membership base of IT professionals.
The company's policy status also shows the major attention it pays to anticipating the future needs of the market and developing its strategies continuously. Accordingly, the company currently applies a strategic framework called Strategy 2022 (S22). S22 is an extension of the company's pre-existing strategy, Strategy 1, which was introduced in 2009 and reframed in 2012. This policy framework is intended to evolve gradually over a 10-year horizon, as its name S22 suggests (ISACA, 2015). It was with the strategic implementation of S22 that ISACA also emphasized developing its Control Objectives for Information and Related Technology (COBIT) framework to meet the needs of its member IT professionals. As the company observed through its market research in response to S22, the factors impeding its trust concepts were inherent in its policies in practice, which further widened the need for a far-ranging approach to business governance. Correspondingly, the organization developed COBIT 5, which now forms part of its policy measures for delivering security governance services worldwide. Notably, the main characteristics of COBIT 5 are its business-oriented nature and its assistance in implementing far-ranging as well as strategy-oriented business objectives (ISACA, 2015). Appreciation of this particular policy measure, i.e. the focus on COBIT 5, has been noteworthy and widely positive, principally owing to its wide applicability and its efficiency in assuring trust to user professionals. Overall, the framework intends to minimize the complexity of relating the different paradigms of current business aspects, in order to deliver the highest possible assistance to IT governance professionals around the world.
Nevertheless, reducing the complexities faced by governance professionals in conducting multidimensional business approaches has also increased the complexity of implementing COBIT 5, which in turn has mandated an educational program to be undertaken by its users. On a positive note, however, this facet of ISACA's current policy status also reflects the high degree of security that COBIT 5 offers its users, as its effective implementation is subject to a rigorous training process (ISACA, 2015). The framework of COBIT 5 is shown in the diagrammatic representation below.

[Figure: The COBIT 5 framework. Source: ISACA, 2015]

3.0. Program Evaluation

From the policy status of ISACA discussed above, it is apparent that the two key variables of its current security governance services are its strategy S22 and the COBIT 5 framework, the company's current innovation, which S22 hosts. As noteworthy aspects, ISACA's policy considerations emphasize the need for trust values in maintaining security in the information governance systems of businesses, while accepting the influence of increasing complexity in business approaches and the requirement for a far-ranging governance decision-making system. A review of the secondary data also agrees with the inferences the company drew in setting its policy measures. For instance, Duit and Galaz (2008), Aguilera, Filatotchev, Gospel and Jackson (2008) and Foss (2006), among others, all agree that the modern application of governance entails a high degree of complexity and requires assurance of transparency as well as firm confirmation of its security, especially where information channeling is concerned. According to Brown and Nasuti (2005), too, maintaining soundness in the governance system of businesses when sharing information has never been more crucial than today, at the onset of data forgery and accounting fraud.
While these inferences cohere with the features of ISACA's S22 and, subsequently, its development of the COBIT 5 framework, there are also a few advantages and disadvantages of the policy measure that need to be evaluated from a third-person point of view. To this end, it is useful to consider secondary data sources that illustrate the positives and negatives of the policy implementation of ISACA's S22 and COBIT 5. As argued by Haes, Grembergen and Debreceny (2013), COBIT 5, which reflects the policy status of ISACA, holds considerable advantages in the modern context of IT governance practices. Primarily, it is the consistency of performance and the quality assured with regard to security necessities that make COBIT 5 an ideal framework for organizations emphasizing a secure IT governance system. From a critical perspective, COBIT 5 is also inferred to be able to build a productive alignment between the governance needs perceived by its client organizations and real-world challenges, which increases its applicability and effectiveness within the domain (Haes et al., 2013). The evaluation of the policy also indicates its gradual development since its first initiation as COBIT 4. The lessons learned from the limitations of the models previously launched by ISACA, as well as those launched by other organizations, are also apparent in COBIT 5 with reference to its competitive advantages. A better insight into these advantages of COBIT 5 can be gained from the diagram below.

[Figure: Advantages of COBIT 5. Source: Haes et al., 2013]

COBIT 5 has been appreciated by many organizations around the world as a signature policy of ISACA. Its greatest application was found within the global financial industries, which have only recently been observed to become increasingly committed to maintaining safety in IT-related infrastructure.
It is worth mentioning in this context that the application of COBIT 5 has mostly been restricted to industries that depend largely on IT concepts, a group that has become wide-ranging in the current context. Hence, the applicability of the policies considered by ISACA in serving IT professionals around the world has also been phenomenal to a certain extent (Ridley, Young and Carroll, 2004). Nevertheless, its applicability has also been restricted at certain phases in real-life scenarios. Taking the example of Australian public sector firms, Omari, Barnes and Pitman (2012) noted that the framework is large in its entirety and hence its application is often limited by the time and complexity involved in aligning business goals with governance-related perceptions and IT processes. It is worth mentioning in this context that COBIT 5 operates with control objectives, as most of the policy initiatives taken by ISACA have done. A key reason for this particular limitation of COBIT 5, and of ISACA in turn, can be identified in the organization's intention to develop a framework versatile and competitive enough to meet the requirements of ISACA's diverse client base. It is for this reason that users of the framework also find it complex and time-consuming, alongside the advantages mentioned above (Omari, Barnes and Pitman, 2012). The basic structure of COBIT also reflects the multidimensional policy approaches taken by ISACA, which, although effective in absorbing the current governance demands of businesses whose strategic frameworks increasingly depend on IT processes, are held back by their own complexity and wide-ranging institutionalization (Bakry and Alfantookh, n.d.).

[Figure: Basic structure of COBIT. Source: Bakry and Alfantookh, n.d.]

From the assessment tool (Part 3), significant insight into the issue was identified.
Accordingly, the score chart shows that ISACA had an aggregate score of 14 for its Corporate Information Security Risk Management processes, while the organization scored 15 for its Security Technology Strategy and 41 for its Corporate Information Security Functions. The overall score of the organization thus stood at 144, while its business dependency scored 25. From these scores it is apparent that ISACA's business dependency on its IT governance functions is low, but those functions are maintained well. To state it precisely, the process score of the company (measured as 70) indicates a good score when business dependency is low. Similarly, the overall score for ISACA also indicates its practice as good, which is further supported by the findings of the literature review conducted in the previous section. A better insight into the assessment tool findings can be obtained from the data table presented in the Appendix.

4.0. Governance Status

With regard to the above discussion of ISACA's policy utilization through its strategic framework S22 and, accordingly, COBIT 5, various strengths and limitations of the company can be inferred in relation to its maturity level. The study shows that the company has emphasized the continuous upgrading of its policy measures in providing services to IT professionals around the world. Constant development, with due importance given to trust values and to the inclusion of concepts that relate to changes occurring in real-life scenarios, has been the major component of the company's governance system innovation. The far-ranging applicability of COBIT 5, together with ISACA's S22, also demonstrates the maturity level of the organization.
To be precise, the above discussion indicates that the company has reached a maturity level at which it becomes crucial for ISACA to concentrate on optimizing COBIT 5 to the next higher level (Omari, Barnes and Pitman, 2012). It is also noteworthy in this context that, by reaching IT maturity, the organization also becomes exposed to the strengths as well as the weaknesses related to the "process" and "people" of cyber security, raising potential threats to the company. From a general point of view, both "people" and "process" have been changing rapidly at present. On the one hand, people have become increasingly aware of the IT needs and IT processes used by companies; on the other hand, IT processes have become progressively more versatile and complex. Such alterations in the external governance scenario are quite likely to have considerable effects on ISACA, both in terms of strengths and weaknesses. For instance, rising awareness of IT functions among people has leveraged the usability of frameworks such as COBIT 5, but the same element has made the security measures taken by the company fragile, which in turn demands continuous upgrading of the entire system. In a similar vein, processes in IT-based industries have become increasingly complex in order to relate the characteristics of two or more industries without inhibiting their overall competencies. The implications of these changes also have a dual effect on the policy functions of ISACA: utilization of IT governance frameworks becomes easier given the already interlinked functioning of different phases in the IT process, but at the same time the limitations of time and cost are raised, as is apparent in the case of COBIT 5 (ISACA, 2015; Yan, Qian, Sharif and Tipper, 2011).
These features further raise threats and risk factors for ISACA in its current operational domain, making its operation more complex than ever before. The most noteworthy threat that such changes pose to ISACA is the threat to the security of its governance framework. For instance, increasing knowledge of COBIT 5 among non-professional users might inhibit its secure application in organizations that depend on their IT infrastructure. Considering such implications, it can further be argued that the governance framework is likely to reach its maturity before the forecasted period and hence demand renovation at frequent intervals. This in turn will raise the burden of strategic cost on the company, forcing it to reinvent another IT governance framework and making COBIT 5 obsolete. In addition, with every next level of its IT governance framework becoming more complex and advanced, client organizations will also have to invest more in training and in the advancement of their IT processes (Giacalone, Mammoliti, Massacci, Paci, Perugino and Selli, 2014).

5.0. Recommendations

Considering the fact that ISACA has already been emphasizing the significance of continuous development and trust values in its policy implementations, the high order of competitive positioning held by the organization can be confirmed. Nevertheless, threats arising in the current business context are also unavoidable, especially concerning the high degree of security required in IT functioning, which demands integrity, trust, availability and privacy to the highest extent. It is in this context that ISACA must recognize the shortening life cycle of its IT governance frameworks and thus emphasize their continuous development at a greater frequency.
Advisably, the company can emphasize developing different frameworks suited to the operations of its different client groups, rather than developing a single framework; this would also reduce the complexity of the model, which is what is thought to hinder its application in its entirety. Accordingly, the company would be able to balance its costs and manage the barriers identifiable in the different industry sectors it serves. Overall, the fact that product maturity is now reached within an ever shorter period should be given greater consideration by ISACA in order to attain long-term success on the global platform.

References

Aguilera, R. V., Filatotchev, I., Gospel, H. and Jackson, G. (2008). An organizational approach to comparative corporate governance: Costs, contingencies, and complementarities. Organization Science, 19(3), 475-492.

Bada, M. and Sasse, P. A. (2014). Cyber security awareness campaigns: Why do they fail to change behavior? Global Cyber Security Capacity Centre: Draft Working Paper, 1-35.

Bakry, S. H. and Alfantookh, A. (n.d.). IT-governance practices: COBIT. Retrieved from http://repository.ksu.edu.sa/jspui/bitstream/123456789/2737/1/IT%20Governance%20Practices%20COBIT.pdf

Brown, W. and Nasuti, F. (2004). Sarbanes–Oxley and Enterprise Security: IT Governance — what it takes to get the job done. Security Management Practices, 15-28.

Duit, A. and Galaz, V. (2008). Governance and complexity—Emerging issues for governance theory. Governance: An International Journal of Policy, Administration, and Institutions, 21(3), 311-335.

Foss, N. J. (2006). The emerging knowledge governance approach: Challenges and characteristics. Retrieved from http://brage.bibsys.no/xmlui/bitstream/handle/11250/164280/soldp200602.pdf?sequence=1

Giacalone, M., Mammoliti, R., Massacci, F., Paci, F., Perugino, R. and Selli, C. (2014). Security triage: A report of a lean security requirements methodology for cost-effective security analysis. IEEE, 25-27.
Haes, S. D., Grembergen, W. V. and Debreceny, R. S. (2013). COBIT 5 and enterprise governance of information technology: Building blocks and research opportunities. Journal of Information Systems, 27(1), 307-324.

ISACA. (2015). About ISACA. Retrieved from http://www.isaca.org/about-isaca/Pages/default.aspx

ISACA. (2015). Strategy 2022. Retrieved from http://www.isaca.org/About-ISACA/Strategy/Pages/default.aspx

ISACA. (2015). COBIT Case Study: Use of COBIT 5 for ISACA Strategy Implementation. Retrieved from http://www.isaca.org/COBIT/Pages/COBIT-Case-Study-Use-of-COBIT-5-for-ISACA-Strategy-Implementation.aspx

Omari, L. A., Barnes, P. and Pitman, G. (2012). Optimising COBIT 5 for IT governance: Examples from the public sector. International Conference on Applied and Theoretical Information Systems Research, 1-13.

Ridley, G., Young, J. and Carroll, P. (2004). COBIT and its utilization: A framework from the literature. Proceedings of the 37th Hawaii International Conference on System Sciences, 1-8.

Yan, Y., Qian, Y., Sharif, H. and Tipper, D. (2012). A survey on cyber security for smart grid communications. IEEE Communications Surveys & Tutorials, Accepted for Publication, 1-13.

Appendix

Assessment Tool: Part 3 (for ISACA)

Instructions: Rate each of the following items using the scale:
0 = not implemented
1 = planning stages
2 = partially implemented
3 = close to completion
4 = fully implemented

Corporate Information Security Risk Management
3.1 Has your company conducted a risk assessment to identify the key business objectives that need to be supported by your corporate information security program?  Score: 4
3.2 Has your company identified critical corporate assets and the business functions that rely on them?  Score: 3
3.3 Have the information security threats and vulnerabilities associated with each of the critical assets and functions been identified?  Score: 2
3.4 Has a quantifiable cost been assigned to the loss of each critical asset or function?  Score: 0
3.5 Do you have a written information security strategy that seeks to cost-effectively reduce the risks to an acceptable level, with minimal business disruptions?  Score: 2
3.6 Is the strategy reviewed and updated at least annually, or more frequently when significant business changes require it?  Score: 3
3.7 Do you have a process in place to monitor federal, state, or international legislation or regulations and determine their applicability to your business?  Score: 0
Total Risk Management: 14

Security Technology Strategy
3.8 As the security architecture of your enterprise evolves, is there a process to review existing systems and applications for compliance and for addressing cases of non-compliance?  Score: 4
3.9 Have you instituted processes and procedures for involving the security personnel in evaluating and addressing any security impacts before the purchase or introduction of new systems?  Score: 2
3.10 If a deployed system is found to be in non-compliance with your official architecture, is there a process and defined time frame to bring it into compliance or to remove it from service, applications or business processes?  Score: 2
3.11 Do you have a process to appropriately evaluate and classify the information and information assets that support the operations and assets under your control, to indicate the appropriate levels of information security?  Score: 3
3.12 Are there specific, documented, security related configuration settings for all systems and applications?  Score: 4
Total Security Technology Strategy: 15

Instructions: Rate each of the following items using the scale:
0 = not implemented
1 = planning stages
2 = partially implemented
3 = close to completion
4 = fully implemented

Corporate Information Security Function/Organization
3.13 Is there a person or organization that has information security as its primary duty, with responsibility for maintaining the security program and ensuring compliance?  Score: 4
3.14 Do the leaders and staff of your information security organization have the necessary experience and qualifications? (e.g., CISSP, CISM, CISA certification)  Score: 4
3.15 Does your information security function have the authority and resources it needs to manage and ensure compliance with the information security program?  Score: 4
3.16 Is responsibility clearly assigned for all areas of the information security architecture, compliance, processes and monitoring?  Score: 3
3.17 Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the Information Security Department)?  Score: 2
3.18 Is someone in the information security organization function responsible for liaising with business units to identify any new security requirements based on changes to the business?  Score: 3
3.19 Does the information security function actively engage with other critical functions, such as Human Resources and Legal, to develop and enforce compliance with information security policies and practices?  Score: 4
3.20 Does the information security function report regularly to the executive staff and Board of Directors on the compliance of the business to and the effectiveness of the information security program and policies?  Score: 4
3.21 Is the executive staff ultimately responsible and accountable for the information security program, including approval of information security policies?  Score: 4
3.22 Do the business unit heads and senior managers have specific programs in place to comply with information security policies and standards with the goal of ensuring the security of information and systems that support the operations and assets under their control?  Score: 3
3.23 Have you implemented an information security education and awareness program such that all employees, contractors, and external providers know the information security policies that apply to them and understand their responsibilities?  Score: 2
3.24 Do you have an ongoing training program in place for information security staff?  Score: 4
Total Organization: 41

Summary of scores
Total Risk Management:                     14
Total Security Technology Strategy:        15
Total Organization:                        41
Total Processes Score:                     70
Total Policy/Admin Score (from Part 2):    74
Overall Score:                            144
Business Dependency (from Part 1):         25

Results for Processes Evaluation

Business Dependency   Processes Score (Low - High)   Assessment
Very High             0 - 62                         Poor
                      63 - 77                        Needs Improvement
                      78 - 96                        Good
High                  0 - 52                         Poor
                      53 - 71                        Needs Improvement
                      72 - 96                        Good
Medium                0 - 42                         Poor
                      43 - 64                        Needs Improvement
                      65 - 96                        Good
Low                   0 - 36                         Poor
                      37 - 58                        Needs Improvement
                      59 - 96                        Good
Very Low              0 - 30                         Poor
                      31 - 52                        Needs Improvement
                      53 - 96                        Good

Results for Overall Evaluation

Business Dependency   Overall Score (Low - High)     Assessment
Very High             0 - 132                        Poor
                      133 - 164                      Needs Improvement
                      165 - 204                      Good
High                  0 - 111                        Poor
                      112 - 152                      Needs Improvement
                      153 - 204                      Good
Medium                0 - 91                         Poor
                      92 - 137                       Needs Improvement
                      138 - 204                      Good
Low                   0 - 79                         Poor
                      80 - 123                       Needs Improvement
                      124 - 204                      Good
Very Low              0 - 64                         Poor
                      65 - 111                       Needs Improvement
                      112 - 204                      Good
Security Governance Report Assignment Example | Topics and Well Written Essays - 2000 words. Retrieved from https://studentshare.org/information-technology/1691525-security-governance-report