Penetration Testing mailing list archives
Re: CoBIT a Security Audit Framework?
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 1 Dec 2008 13:14:59 -0600
On Mon, 01 Dec 2008, Jon Kibler wrote:
> Hello,
>
> <rant> Who / what is driving this "CoBIT is the only acceptable IT Security audit framework" mentality and what can we do to change it? </rant>
Let me point out some of the modules that SPECIFICALLY pertain to security, in summary fashion:

PC2 Process Ownership
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
AC1 Source Data Preparation and Authorisation
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transaction Authentication and Integrity
PO9 Assess and Manage IT Risks
PO2.3 Data Classification Scheme
PO2.4 Integrity Management
PO4.8 Responsibility for Risk, Security and Compliance
PO4.9 Data and System Ownership
PO4.10 Supervision
PO4.11 Segregation of Duties
PO9.1 IT Risk Management Framework
PO9.2 Establishment of Risk Context
PO9.3 Event Identification
PO9.4 Risk Assessment
PO9.5 Risk Response
PO9.6 Maintenance and Monitoring of a Risk Action Plan

But wait... That's not even breaking the ice. Of all the frameworks in place, CoBIT overlaps many and exceeds them all by all means. I suggest taking a peek at:

http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/

Why not go SEI-CMU, OCTAVE, etc.? Not your call; it's up to your client. I can tell you there are many bits and pieces in ISACA's frameworks that many may not understand or even know why they're placed there, but unless you've read through the entire framework and compared it to others, you will have a vague idea about its effectiveness.

PS: I'm an ISACA member, so perhaps that could be seen as somewhat of a "biased" approach; however, those who know me know I could literally care less about certs, or who is saying what. I call it how I see it. I've seen CoBIT, OCTAVE and others in play, and I've also seen how many fall short. If there is a reason a company wants to be compliant with the CoBIT framework, there is legitimacy behind it, not to mention the framework is built with a business-oriented focus first.
<fact> Businesses' bottom lines are financially driven </fact>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him or her: but once they are in hand, he or she alone must decide how to play the cards in order to win the game." Voltaire

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Current thread:
- CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? Andre Gironda (Dec 02)
- Re: CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? SD List (Dec 02)
- Re: CoBIT a Security Audit Framework? hightch0 (Dec 02)
- Re: CoBIT a Security Audit Framework? R. DuFresne (Dec 10)
- <Possible follow-ups>
- RE: CoBIT a Security Audit Framework? Katuruza, Patrick (Dec 02)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)