
The support site for the Unified Compliance Framework


The major frameworks used for establishing IT controls

In its simplest terms, a framework is an arrangement of parts that provides a form, or structure, to the whole. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. Some frameworks focus solely on process maturity analysis and others focus more on standardized policies and checklists for IT controls.

The major control frameworks

Some of the frameworks mentioned here are publicly available and others are for purchase. There is no single framework that is all encompassing and "complete" in every sense of the word. The major players in the IT framework arena are:

1. AICPA/CICA Trust Services, Principles, and Criteria

2. Carnegie Mellon University Software Engineering Institute (CMU/SEI) OCTAVE

3. CICA CoCo - Criteria of Control Framework

4. CICA IT Control Guidelines

5. CMMI - Capability Maturity Model Integration

6. CobiT - Control Objectives for Information and related Technology

7. COSO - Internal Control Integrated Framework

8. GAISP - Generally Accepted Information Security Principles

9. ISF Standard of Good Practice for Information Security

10. ISO 17799:2005

11. ISO 9000

12. ITIL - the IT Infrastructure Library

13. Malcolm Baldrige National Quality Program

14. Organization for Economic Cooperation and Development (OECD) Principles of Corporate Governance

15. OPM3 - Organizational Project Management Maturity Model

16. Six Sigma

17. Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

18. Recommended Security Controls for Federal Information Systems, NIST SP 800-53

19. The FFIEC Information Technology Examination Handbook series

This explanation of these various frameworks is derived from what we've read ourselves in the creation of the Unified Compliance Framework and also from what others have written specifically about IT frameworks.

AICPA/CICA Trust Services, Principles, and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the Canadian Institute of Chartered Accountants (CICA) Assurance Services Development Board developed the Trust Services Principles and Criteria. The principles are broad statements of objectives with specific criteria to be achieved in order to meet each principle. The principles and criteria are broken down into 1) policies, 2) communications, 3) procedures, and 4) monitoring.

Strengths

The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements which are assurance services designed for a wide variety of IT-based systems.

Weaknesses

The principles don't address all operational issues. Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems).

Carnegie Mellon University Software Engineering Institute (CMU/SEI) OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a self-directed, risk-based, strategic assessment and planning methodology for organizations that want to understand their information security needs. It is large: the full method works through multiple phases and workshops before a protection strategy comes out the other end.

Strengths

OCTAVE focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.

Weaknesses

It is massive. The full method is lengthy and labor-intensive to carry out, and the effort is easy to underestimate.

CICA CoCo - Criteria of Control Framework

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992. This framework provides the groundwork for making organizational judgments about control effectiveness. In 1995, the same body produced the Guidance on Control in order to focus the organization toward a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

Strengths

CoCo's objectives are very similar to those of COSO; however, CoCo adds the reliability of internal reporting and compliance with internal policies.

Weaknesses

CoCo's sweep is broad and its requirements for reporting are low.

CICA IT Control Guidelines

The IT Control Guidelines (currently in its 3rd edition) is published by the CICA and is a reference source for evaluating IT controls. Information Technology Control Guidelines provides a practical means of identifying, understanding, assessing, and implementing information technology controls in all types of enterprise.

Strengths

Very easy to follow, very easy to read.

Weaknesses

Not many people know about it and use it compared to the other frameworks.

CMMI - Capability Maturity Model Integration

A process improvement approach developed by the Software Engineering Institute (SEI) of Carnegie Mellon University. CMMI provides organizations with the essential elements of effective processes. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. CMMI measures process maturity, which progresses through five levels: 1) initial, 2) managed, 3) defined, 4) quantitatively managed, and 5) optimizing.

Strengths

The strength of CMMI is its focus on continuous improvement from one level to the next.

Weaknesses

The problems with the CMMI model come into play almost immediately. It doesn't address IT operational issues such as security, configuration and change management, continuity, capacity planning, or incident response. It also doesn't provide specific guidance on how to meet the goals at each step of the improvement cycle; it tells you what a more mature organization does, not how to get there.

CobiT

A framework, control objectives, and audit guidelines developed as a generally applicable and accepted standard for good practices for controls over information technology. First released in 1996 by the Information Systems Audit and Control Association (ISACA) and now maintained with the IT Governance Institute as a standard for IT security and control practices, with the most recent version 4.0 released in November 2005, CobiT provides a reference framework for IT, security, and audit managers and users. CobiT addresses four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. In assessing an organization's stage of implementation of each of these domains, it relies upon a six-level maturity model derived from CMM, scored 0 through 5: 0) nonexistent, 1) initial, 2) repeatable, 3) defined, 4) managed, and 5) optimized.

Strengths

It has solid high-level checklists for information professionals and it can integrate well with CMMI, ITIL, ISO, COSO and other frameworks and standards.

Weaknesses

It is comparatively high level and therefore doesn't reach down into the organizational policy and procedure level of control definition. It focuses more on what an auditor should be looking at, and so it generally ignores control details for software development and IT services and has scant information on continuity.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) as a suitable framework for reporting on internal control over financial reporting. However, it is not specific to most areas of information technology.

Strengths

It is a suitable and recognized framework for Sarbanes-Oxley compliance because it covers all areas of IT implementation (at a high level of abstraction) for financial reporting and auditing.

Weaknesses

COSO is written at a very high level of abstraction for most organizations and most IT shops will not be able to translate the controls to actionable IT activities.

GAISP - Generally Accepted Information Security Principles

Developed in 1991, the Generally Accepted Information Security Principles (GAISP) culls best practices from similar frameworks. It divides principles into pervasive principles, broad functional principles, and detailed principles.

Strengths

The GAISP is now in the hands of the Information Systems Security Association which has many members, and it should be developed more fully in the future with this backing.

Weaknesses

The principles are high level, and the GAISP is badly in need of an overhaul.

ISF Standard of Good Practice for Information Security

The standard prepared by the Information Security Forum (ISF) global working groups is developed from research based on the actual practices of, and incidents experienced by, major organizations. This publicly available document is split into five key areas: 1) security management, 2) critical business applications, 3) computer installations, 4) networks, and 5) systems development. Each key area is further broken down into areas and sections.

Strengths

It is comprehensive and easy to read, providing great detail in its lists of objectives.

Weaknesses

Objectives are limited to individual sentences such as "re-route network traffic automatically should critical nodes or links fail" without providing information about how to achieve the objective.

ISO 17799:2005 and the ISO 27000 series

ISO 17799:2005 is the code of practice for information security management from the International Organization for Standardization (ISO) and was updated in 2005. ISO 17799:2005 is a detailed security standard organized into major areas: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control, security policy, and (new in the 2005 edition) information security incident management. Going forward, ISO is renumbering this material into the 27000 series: ISO/IEC 27001:2005 specifies the requirements for an information security management system against which an organization can be certified, and the 17799 code of practice is to become ISO/IEC 27002.

Strengths

It is currently the de facto information security standard in the IT world, and ITIL's security management guidelines are based on it. It is also comprehensive, independent, and an evolving body of knowledge. It is a great fit with ITIL and CobiT.

Weaknesses

It is not prescriptive, but rather, broad in its reach. It is also unclear about who owns IT governance in the organization.

ISO 9000

ISO 9000 is a high level, customer-focused, auditable standard for quality management systems developed by the International Organization for Standardization (ISO). ISO 9000, 9001, and 9004 are all intended to ensure the control, repeatability, and solid documentation of organizational processes.

Strengths

Well established and mature, ISO 9000 can be applied across the entire organization, covering development, services, operations, and the documentation of policies and procedures.

Weaknesses

ISO 9000 focuses on repeatability and consistency of process, not on the quality of what the process produces. Its focus is broad and sweeping and not really adaptable for spotlighting issues in the way that Six Sigma does. It is not an analysis tool like ITIL that can focus on root-cause analysis. It is not specific to information security or IT.

ITIL

Published by the UK Office of Government Commerce (OGC), the IT Infrastructure Library is a set of guides on the management and provision of operational IT services. ITIL is owned by the OGC and is developed in conjunction with the IT Service Management Forum (itSMF). ITIL consists of a series of publications giving guidance on the provision of quality IT services and on the processes and facilities needed to support them. The itSMF, a global organization consisting of several thousand corporate and government members, is responsible for advancing IT best practices through the use of ITIL.

One of ITIL's strengths is tracking problems and facilitating root-cause analysis in IT service areas such as help desk, applications support, software distribution, and customer-contact system support. It overlaps CMM in certain areas such as configuration management. ITIL is divided into two main areas, Service Support and Service Delivery. Included in Service Support are incident management, problem management, configuration management, change management, and release management. Included in Service Delivery are service level management, financial management, capacity management, availability management, and continuity management.

Strengths

ITIL is well established, mature, detailed, and focused on IT production and operational quality issues. For many, it is the tool of choice for modeling IT operations and infrastructure planning. Its adoption within U.S. organizations is growing quickly.

Weaknesses

ITIL doesn't address quality management or software development. While ITIL defines repeatable, auditable and verifiable practices, it does not provide a maturity model. The information security concepts are high-level, lacking prescriptive detail.

Malcolm Baldrige National Quality Program

Managed by the National Institute of Standards and Technology, the Malcolm Baldrige National Quality Program is a high-level quality framework. It focuses on seven areas across the organizational spectrum, scoring each in terms of approach, execution, and results: 1) company leadership, 2) strategic planning, 3) customer and market focus, 4) information and analysis, 5) human resources, 6) process management, and 7) business results.

Strengths

The scope of this program is broad and results focused. It can bring IT into the strategic arena and give the CIO a seat at the leadership table.

Weaknesses

It doesn't provide prescriptive focus to which processes, policies, and procedures should be applied to the organization and doesn't focus on continuity or tie into any regulatory guidelines.

OECD Principles of Corporate Governance

Published in 1999 and amended in 2004, the OECD Principles of Corporate Governance set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

Strengths

The OECD Principles of Corporate Governance are actively used by governments, regulators, investors, corporations, and stakeholders in both OECD and non-OECD countries and have been adopted by the Financial Stability Forum as one of the Twelve Key Standards for Sound Financial Systems.

Weaknesses

The OECD Principles of Corporate Governance operate at the level of aligning IT with enterprise objectives and ensuring that IT investment decisions and performance measures demonstrate the value of IT toward meeting those objectives. They are therefore not very prescriptive in terms of the actual controls and procedures that should be put in place.

OPM3

The Organizational Project Management Maturity Model (OPM3), developed by the Project Management Institute (PMI), is a staged maturity model like CMMI but focused primarily on project management. It is used to analyze organizational strategies and the execution of multiple projects across the organization by examining activities that align projects to strategic priorities as well as the organizational infrastructure that enables project management. OPM3 encompasses four types of projects: 1) strategic, 2) operational, 3) capital expansion, and 4) product and market-related projects. Its maturity model has five phases like CMMI: 1) initial process, 2) repeatable process, 3) defined process, 4) managed process, and 5) optimized process.

Strengths

It is outstanding for analyzing an organization's project management capability.

Weaknesses

Its sole focus is project management.

Six Sigma

Developed by Motorola, Six Sigma is a statistical process improvement methodology that uses the lens of the end user to focus on quality. It defines service levels and measures variation in those levels by moving projects through five phases (DMAIC): 1) define, 2) measure, 3) analyze, 4) improve, and 5) control.

Strengths

Six Sigma uses a data-driven approach when analyzing the root cause of problems, taking into account the cost of quality. It is best applied to repeatable activities. Six Sigma and CMMI could easily complement each other.

Weaknesses

It is difficult to apply Six Sigma to processes that aren't already well defined with measurable quantification methods. It is only focused on improving existing processes and not on defining the correct processes that should be in place. It is not a maturity model and does not include one.

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Published in 1980, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data have continued to represent international consensus among the 30 member countries and 70 participating countries on general guidance concerning the collection and management of personal information. Together with two later OECD documents, the 1985 Declaration on Transborder Data Flows and the 1998 Ministerial Declaration on the Protection of Privacy on Global Networks, the Guidelines serve as the foundation for privacy protection at the global level.

Strengths

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data establish the core principles around which most international data protection laws have been established. They are actively used by governments, regulators, investors, corporations, and stakeholders in both OECD and non-OECD countries.

Weaknesses

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data are broad prescriptions for the issues organizations must address to help ensure the privacy of personally identifiable information. They do not address the specific actions necessary to align IT with enterprise objectives or to ensure that IT investment decisions and performance measures incorporate these principles. They state the goals of good privacy governance without providing the details of how to implement the controls or procedures that meet those goals.

Recommended Security Controls for Federal Information Systems, NIST SP 800-53

The Special Publications of the US Department of Commerce's National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory (otherwise known as the NIST 800 series) present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. It reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and on its collaborative activities with industry, government, and academic organizations.

Several publications within NIST's 800 series provide guidance for implementing the steps in the NIST Risk Management Framework. NIST Special Publication 800-53 covers the step in the Risk Management Framework that addresses security control selection (i.e., determining what security controls are needed to protect organizational operations and assets, individuals, other organizations, and the US as a nation) in accordance with the security requirements in FIPS 200. This includes:

    • selecting an initial set of baseline security controls (low, moderate, or high) based on a FIPS 199 worst-case impact analysis of the system's confidentiality, integrity, and availability requirements;

    • tailoring the baseline security controls; and

    • supplementing the security controls, as necessary, based on an organizational assessment of risk.

Strengths

NIST 800-53 has become a cornerstone authority document for many organizations outside of the US Federal Government. In the healthcare community, for example, the Centers for Medicare & Medicaid Services (CMS) adapted its CMS Information Security Acceptable Risk Safeguards document to it, and many of the same controls also appear within the payment card industry's PCI DSS. NIST 800-53, unlike the ISO series and some of the others, also has its own audit guideline (Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems).

Weaknesses

While strong, the NIST series has really only been adopted within the United States and hasn't been adopted as well within other countries.

The FFIEC Information Technology Examination Handbook series

The FFIEC Information Technology Examination Handbook series currently consists of a suite of a dozen IT handbooks that can be found at the FFIEC IT Handbook InfoBase. The handbook list currently includes the following topics:


    • Audit describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures.

    • Business Continuity Planning provides guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. This booklet was also designed to provide helpful guidance to financial institutions regarding the implementation of their business continuity planning processes.

    • Development and Acquisition is defined as "an organization's ability to identify, acquire, install, and maintain appropriate information technology systems." The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks.

    • E-Banking provides guidance on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing.

    • FedLine addresses the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine Funds Transfer (FT) application. FedLine is the Federal Reserve Banks' proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web.

    • Information Security provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization's risk management.

    • Management assists examiners in evaluating financial institution risk management processes to ensure effective information technology (IT) management in order to maximize the benefits from technology and support enterprise-wide goals and objectives.

    • Operations provides the framework for examiners to evaluate an institution's controls and risk management processes relative to the risks of technology systems and operations that reside in, or are connected to the institution.

    • Outsourcing Technology Services provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution's risk management processes to establish, manage, and monitor IT outsourcing relationships.

    • Retail Payment Systems provides guidance to examiners, financial institutions, and technology service providers (TSP) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities.

    • Supervision of Technology Service Providers outlines the agencies' risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers.

    • Wholesale Payment Systems provides guidance to examiners and financial institution management regarding the risks and risk-management practices when originating and transmitting large-value payments.

Strengths

Taken as a whole, the FFIEC IT Examination Handbook series is broader than all of the various payment card guidance from the PCI Security Standards Council and the various card brands put together, and yet less comprehensive than the NIST 800 series.

Each is written as an examination handbook with both general control guidance as well as specific audit guidance.

Weaknesses

Keep in mind that this series was developed jointly by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and it is written for their examiners of financial institutions and technology service providers. Its scope and depth reflect that narrow focus: it is banking-supervision guidance first, and only by extension a general IT control framework. Once you understand that focus, you'll be able to appreciate the depth of the offering within it.


There is no single framework that covers all aspects of providing the information services and management team with the tools and direction they need to move from regulatory requirements to implementing policy, procedure, and process controls that meet those requirements. That's why Network Frontiers and Latham & Watkins have created the Unified Compliance Framework.
