This chapter examined various IT security policy frameworks. The frameworks share many of the same concepts and the common goal of controlling risk; however, their approach and scope of coverage differ. The chapter discussed how these differences are not always in conflict but rather create an opportunity to adopt the strengths of multiple frameworks, such as COBIT and ISO. The chapter walked through methods to identify which best practice is appropriate for an organization. The implementation approach to each framework will vary by the type of framework and the organization’s culture.
The chapter examined separation of duties from both a role-based and an organizational view. The organizational view was used to create three lines of defense to enhance the risk management program. Finally, the importance of the frameworks was highlighted in case studies. These case studies illustrated how implementing a policy framework to control risk prevents breaches and ensures compliance. The case studies also showed how contractors and insiders can be as much of a threat as external hackers.
Committee of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT)
Enterprise risk management (ERM)
Governance, risk management, and compliance (GRC)
Head of information management
International Organization for Standardization (ISO)