Back to Basics

Years ago in my IT capstone class we learned that you can't manage what you can't measure. This ultimately led us to cram, yes cram, the Zachman Framework so we could regurgitate it on our test. Shhhh, don't tell my professor. Despite the cramming, something obviously stayed with me: even though our threats, risks, and IT security issues have escalated, when we manage IT security we must consider every segment of the enterprise. I dare say it requires collaboration.

Looking at all the frameworks can be quite daunting, but if we break them down and home in on key components they become easier to understand. Let's look at three of the main ones: the Balanced Scorecard, the COBIT framework, and the Zachman Framework.

Balanced Scorecard


All the components can apply to security compliance. Working backwards: a breach disrupts internal business processes as we try to recover lost data, erodes finances through legal fees and fines, increases customer churn, impedes learning and growth, and ultimately undermines the business's vision and strategy.

COBIT


The key pieces we can look at are governance and business objectives. IT security is the umbrella that spans every facet of the enterprise, not just the IT department. When an organization understands this, it makes a giant leap toward mastering security and compliance.

Zachman's


I love the People and Scope components of this framework. People are the biggest and most difficult part of the equation. How do we guide them and instill a security culture? It's not enough to lay down policies and rules without training people on them and verifying that they are actually being followed.

The common elements in each IT framework are vision and strategy, business objectives, and scope. All of these equate to enterprise goals. So, since the IT department plays a role in defining enterprise goals, it behooves us to take a holistic approach to IT security and compliance, because a failure in either ultimately affects the entire enterprise. Looking at the other components of the different frameworks, we pull in governance, business processes, finance, people, and customers. What connects all these elements? Collaboration.

We absolutely cannot have continuous compliance and a secure enterprise without collaboration. Departments, business units, and divisions cannot operate blindly with the mindset that security and compliance rest on the shoulders of the Audit or IT department. IT must have an open dialogue with Operations, which in turn needs to communicate with Finance, Human Resources, Customer Service, and the executive management team. No area in the enterprise is exempt from the collaboration chain. Collaboration is the common link that can pull all the pieces together, enable communication, increase transparency, make room for training, and create a culture of continuous compliance within an enterprise.

Now, who wants to take on the challenge of creating a framework for continuous compliance? Let's do it! To give us your feedback, leave a comment below or contact us here!