Category: Governance

NIST and the Art of Security Maintenance

Making IT Work: episode 9

I’ve been spending a lot of time this year working with clients beginning the long process of implementing security controls in support of the NIST Cybersecurity Framework. I’ve been feeling the need to share a few lessons learned from these early stage activities, and some implications for organizations as they progress.

  • Adoption starts at the top! Organizations having the best success with the framework begin by gaining buy-in and commitment from the highest levels of the organization: Boards of Directors and senior C-level management. Fundamentally, the value proposition of using a framework like this is in facilitating business-centered conversations about risk, risk optimization, and investment prioritization.
  • Business-side stakeholders need enough awareness of the Framework to collaborate. Ultimately the purpose of a Cyber Security Company is to enable and protect business workflows, business processes, and business information. All of these are owned by business-side stakeholders: process managers, line-of-business managers, and customer relationship managers. These key stakeholders need to have a clear voice alongside risk and audit on how best to optimize the cost/risk/value balance and enable the organization to successfully deliver value to stakeholders. Extensive conversations between business leadership and security practitioners are absolutely essential, and these conversations must take place in business language and reflect business priorities. The NIST Framework provides the necessary language and structure to enable these conversations without devolving into technical jargon.
  • An adaptive, Agile approach is necessary. Information security is necessarily always responding to new vulnerabilities, threats, risks, and issues. Security professionals benefit from adopting certain core Agile principles and practices in order to remain flexible and adaptive as the threat landscape evolves.
  • The NIST Framework really is useful to an organization of any size, and adapts readily to the realities of small and medium-sized businesses. Many of my customers are not huge enterprises and don’t have dozens or hundreds of personnel focused on the implementation of security practices. Many more of them, with tens or hundreds of employees, are more likely to “have a guy” who is tasked with “doing security.” One of the main benefits of using a framework like the NIST Cybersecurity Framework is that it gives an organization of any size an approach that recognizes that security is an organization-wide problem, that real-world constraints can and do exist, and that the most effective approach is to assess current capabilities and prioritize needs. The goal is to establish a functional beachhead that lets the organization deal with the most critical issues, then use a process of continuous improvement to iteratively chip away at the remaining capabilities.

As we continue to work to help organizations adopt and adapt this framework, I expect I’ll have a lot more to share. Remember, be willing to “win a little,” consolidate your gains, and do it again!


One of the resources we provide is free access to our online LinkedIn Mentoring Community, where interested professionals can ask questions, share links and information, and support one another in adoption and adaptation of the NIST CSF and various Informative References.

To gain access to the community, follow the link https://www.linkedin.com/groups/12376016/


Posted in Agile, Governance, Information Security, Making IT Work, NIST

The Great Convergence

One of the spectacles of the past 20 or so years has been the competing approaches and frameworks for improving governance, streamlining workflows, and delivering services. Practices like LEAN, Agile, ITIL, DevOps, and even governance frameworks like CObIT all competed for attention in promising adopting organizations more efficient and more effective teams, better results, and improved quality and consistency.

Well, the winner is in…it is…drumroll…all of the above!

Each of these approaches brings with it native practices and capabilities, yet most organizations are by now seeing that the most appropriate approach was never an “either-or” but, of course, a “both-and.” LEAN brought us a focus on value streams, waste identification, and creating continual improvement cultures. Agile practices like Scrum introduced lightweight approaches to requirements (focused on user experience through user stories, a core idea in design thinking), prioritization through the use of backlogs, and acknowledgment of the reality that we just don’t know what we don’t know, and that being adaptive as learning occurs creates better solutions and higher customer delight. ITIL established the focus on service delivery and value creation over mere execution of processes, and encompasses how cross-functionally we must act to support the collaboration models we need to operate as end-to-end service teams. DevOps leveraged many of the above practices to drive a focus on the value stream of delivery and deployment of IT applications; it improves the velocity of solutions while improving the overall risk management of IT through rigorous testing and validation, environment controls through infrastructure as code, and improved flow with feedback. Even in the updated version of CObIT, the focus is on integrating new sets of best practices into an overall IT governance and management framework that acknowledges the profound changes in how IT operates.

Implications: There’s a lot to learn…and real upside for organizations that make the effort.

Most IT organizations are trying to adopt some number of these core practices, but often without an integrated vision of how they will work together to gain efficiencies and improve overall quality of service. In our consulting practices, we often see siloed thinking from development or operations organizations, with concomitant inefficiencies and poor results. Rationalizing these practices together is critical to get the value you seek from any of them.

The good news: there are many successful approaches to making this work. Over the next few weeks we will be sharing a number of success stories from organizations that have successfully adopted and adapted these practices to improve their organizations. 

Posted in Agile, DevOps, Featured, Governance, ITIL, LEAN, Making IT Work

CobiT 5.0 Foundation


Course Description

This three-day, APMG Accredited course looks at the drivers for this latest version of COBIT, the five basic principles on which COBIT 5 is founded, and the enablers for governance and management of enterprise IT which support the integration between the goals, objectives, controls and processes of the business and IT. The course includes an introduction to COBIT 5 implementation and the concepts relating to the Process Assessment Model.

This course features lectures, discussion, team exercises and quizzes. It culminates with an optional, one-hour certification examination. Courses are offered as Instructor-led, E-learning or Live-over-web opportunities.

Who Should Attend

The course is suitable for business managers, chief executives, IT/IS auditors, internal auditors, information security and IT practitioners, consultants and IT/IS managers requiring an insight into the enterprise governance of IT and who may also be requiring certification as a COBIT 5 implementer or assessor.

Course Length

3 days

Outline

Introduction
Overview and key features of COBIT 5

  • The drivers for the development of COBIT 5
  • The business needs of the enterprise and the benefits provided by COBIT 5.

The COBIT 5 Principles

  • Introduction to the framework principles, enablers and the process reference model
  • Principle 1 – Meeting stakeholder needs
  • Principle 2 – Covering the enterprise end-to-end
  • Principle 3 – Applying a single integrated framework
  • Principle 4 – Enabling a holistic approach
  • Principle 5 – Separating governance from management.

The COBIT 5 Enablers

  • Enabler 1 – Principles, policies and frameworks
  • Enabler 2 – Processes
  • Enabler 3 – Organizational structures
  • Enabler 4 – Culture, ethics and behavior
  • Enabler 5 – Information
  • Enabler 6 – Services, infrastructure and applications
  • Enabler 7 – People, skills and competencies.

An Introduction to COBIT 5 Implementation

  • The lifecycle model
  • Internal and external factors that influence change
  • Typical pain points and trigger events that drive change
  • The importance and good practice of the business case.

The Process Capability Model (The Process Assessment Model)

  • Introduction to the Process Capability Model based on ISO 15504
  • The concepts and scope of Process Capability Assessment using the COBIT 5 Process Assessment Model

Examination

  • Sample paper and review
  • Exam preparation
  • The APMG COBIT 5 Foundation examination.

Prerequisites

None.

Exam

An optional 40-minute closed-book examination of 50 multiple-choice questions is administered at the end of the course by an independent proctor. Successful attendees will be awarded the APMG COBIT 5 Foundation Certificate. The qualification is a mandatory prerequisite for further COBIT 5 Implementation and Assessor training courses.

Credits Earned

18 PDU Credits

Course Director – Patrick von Schlag
Mr. von Schlag has more than 25 years of real-world experience managing IT and business organizations. He has served as a consultant, facilitator, and instructor in support of more than 200 ITSM program deployments, with a focus on practical benefits. He holds all 11 ITIL 2011 certifications and runs an accredited learning consultancy focused on “Making ITIL Work” in real organizations. He is a certified PRINCE2 Practitioner and has extensive experience integrating project management frameworks with other governance, service management, and quality frameworks. His customer list includes The Walt Disney Company, Microsoft, Nike, Sears, US Marine Corps, US Army, US Air Force, 2nd and 5th Fleet US Navy, DISA, IRS, Federal Reserve, The Hartford, Citigroup, Amgen, Los Angeles County, Port of Long Beach, GDIT, Accenture, Serco, Deloitte, and hundreds of other market-leading organizations.


Posted in Governance
