Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: CoBIT a Security Audit Framework?
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 1 Dec 2008 13:14:59 -0600

On Mon, 01 Dec 2008, Jon Kibler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

<rant>

Who / what is driving this "CoBIT is the only acceptable IT Security
audit framework" mentality and what can we do to change it?

</rant>


Let me point out some of the modules that SPECIFICALLY
pertain to to security in summary fashion:


PC2 Process Ownership
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
AC1 Source Data Preparation and Authorisation
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transaction Authentication and Integrity

PO9 Assess and Manage IT Risks
PO2.3 Data Classification Scheme
PO2.4 Integrity Management

PO4.8 Responsibility for Risk, Security and Compliance
PO4.9 Data and System Ownership
PO4.10 Supervision
PO4.11 Segregation of Duties
PO9.1 IT Risk Management Framework
PO9.2 Establishment of Risk Context
PO9.3 Event Identification
PO9.4 Risk Assessment
PO9.5 Risk Response
PO9.6 Maintenance and Monitoring of a Risk Action Plan

But wait... That's not even breaking the ice. Of all the frameworks
in place, CoBIT overlaps many and exceeds them all by all means.

I suggest taking a peek at:
http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/

Why not go SEI-CMU, OCTAVE, etc.? Not your call it's up
to your client. I can tell you there are many bits and
pieces in ISACA's frameworks that many may not understand
or even know why they're placed there, but unless you've
read through the entire framework and compared it to
others, you will have a vague idea about its effectiveness.

PS: I'm an ISACA member so perhaps that could be seen as
somewhat of "biased" approach however, for those who know
me, know I could literally care less about certs, or who
is saying what, I call it how I see it. I've seen CoBIT,
OCTAVE and others in play and I've also seen how many
fall short, if there is a reason a company wants to be
compliant with the CoBIT framework, there is legitimacy
behind it not to mention the framework is built with a
business oriented focus first.

<fact>

Businesses bottom lines are financially driven

</fact>


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault