This article was originally posted on the IBM Center for the Business of Government Blog by Dan Chenok and John Lainhart.
In the face of ever-increasing cybersecurity risks, significant attention is being paid to improving the preparedness and response of agencies to vulnerabilities and threats throughout the public sector. Two ways to support these activities involve addressing cybersecurity from a risk-based framework and engaging top-level leadership in addressing security as a strategic priority. A third, complementary imperative involves establishing an overall IT governance structure that includes cybersecurity as a key enabler to achieving programmatic outcomes. Fortunately, agencies have a number of tools at their disposal to enhance their governance framework.
OMB Policy Drivers for IT Governance
At the end of 2008, the Office of Management and Budget (OMB) reaffirmed and clarified the organizational, functional and operational governance framework required within the Executive Branch for managing and optimizing the effective use of IT, under OMB Memorandum 09-02. This OMB memorandum established an IT governance framework addressing the management structure, responsibilities and authorities of heads of Departments and Agencies and their Chief Information Officers (CIOs) in planning, acquiring, securing, operating and managing IT systems and assets within the department/agency.
The memorandum requires that Departments and Agencies designate an executive-level CIO reporting to the head of the organization, with formal and full responsibility for all requirements set forth in statutes, regulations and Public Laws. This CIO also has ultimate responsibility for the governance, management and delivery of IT mission and business programs within the Department/Agency, and must have an effective operative means of meeting this responsibility. Furthermore, the CIO has the authority to set Department/Agency-wide IT policy, including all areas of IT Governance such as enterprise architecture and standards, IT capital planning and investment management, IT asset management, IT budgeting and acquisition, IT performance management, IT risk management and IT workforce management, as well as IT security and operations and IT information security, working with the agency Chief Information Security Officer and other security officials.
In August of 2011, OMB issued related guidance in Memorandum 11-29, which updated policy regarding the CIO’s role in IT Governance and explicitly discussed information security as part of the CIO’s responsibilities. Taken together, these two OMB Memos provide a strong framework for incorporating security considerations into overarching IT governance and strategy. This approach allows leaders in agencies to properly assess security risks in the context of risk and benefits from IT initiatives more broadly, and from the programs that leverage IT and require good security to be successful.
An Industry Framework for Implementation
One way to achieve the objectives of strong IT governance is to incorporate the COBIT® 5 framework as a guide to implementing sound IT governance at the Enterprise Level. COBIT (Control Objectives for Information and Related Technology) serves as a business framework for the governance and management of Enterprise IT and clearly defines IT governance as distinct from IT management, with the two requiring different sets of action items and organizational structures and serving different purposes at the Enterprise Level. According to the COBIT 5 framework:
“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”
“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.”
As expanding technology use increases the spread and impact of IT and cyber vulnerabilities and incidents, the tools and techniques for improving the controls that protect key enterprise resources continue to develop as well. The COBIT 5 framework is one of those tools, and its supporting enabler guides and professional guides, as well as COBIT 5 Online, provide detailed techniques. (COBIT 5 currently consists of the Framework, 2 Enabler Guides, 4 Professional Guides, and COBIT 5 Online.) Moreover, COBIT 5 is one of the Informative References contained in NIST’s Cybersecurity Framework.
COBIT 5 is built on five basic principles, and includes extensive guidance on enablers for governance and management of enterprise IT. Enterprises can use COBIT 5 framework principles to create optimal value by governing IT in a holistic manner, implementing comprehensive risk management and security controls and ensuring these controls are defined and implemented at a level appropriate to the increasing complexity of the enterprise.
The COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance on governance and management of enterprise IT, as depicted in the graphic below.
COBIT has proved to be very effective for implementing IT governance and detailed security controls globally, in all sorts of institutions and a number of US federal and state government institutions, including the US Department of Veterans Affairs.
Sound IT Governance Can Make a Significant Difference
In light of constant growth and change in the IT environment, all enterprises should look to IT governance in their efforts to secure information from the moment it is created to the time it is destroyed. This is why, over the past decade, IT governance has moved to the forefront of enterprise efforts to effectively manage and appropriately protect IT systems and assets, contributing to the success of risk-based security and supporting strategic decisions made by C-level executives across the public and private sectors.