IT is complex. To keep that complexity under control, it is wise to use a framework to evaluate and plan your IT environment. A framework is defined as a basic structure underlying a system, concept, or text. While most frameworks are written with larger organizations in mind, they can also prove useful in smaller environments as a general guide. A small environment may not have the depth or complexity to warrant every aspect of a framework, but having one as a reference can be extremely valuable.
There are many frameworks available for IT, and most share some similar concepts. Most define large domains that are then broken down into criteria; the terminology varies from framework to framework, but the concept is the same. To make an analogy to a house frame, the domains would be the floor, walls, and roof. The criteria would be the joists, hangers, and beams in the floor or the studs and headers in a wall. An IT framework has domains such as governance, security, availability, and operations, and the criteria are the parts that support those larger areas.
Here are some of the more common frameworks:
Trust Services Principles
The Trust Services Principles (TSP), now published by the AICPA as the Trust Services Criteria, were developed by the AICPA and were the basis for the WebTrust and SysTrust services. They cover five categories: security, availability, processing integrity, confidentiality, and privacy. The TSP is now the default framework used in SOC 2 audits and continues to be used by our team in our SysTrust audits. It is probably used more from an examination perspective than as an operational framework, but because so many service organizations rely on SOC reports as their means of communicating their control environment to their clients, it is commonly relied on as their basic framework. AICPA Trust Services
NIST SP 800 Series
Developed by the US National Institute of Standards and Technology, this collection of information security standards and best practices was written specifically for federal agencies but has found a home in many industries, especially among government contractors. NIST SP 800-53 (Revision 4 at the time of writing) is the most commonly used publication in the series since it is the catalog of security and privacy controls that the other documents reference. National Institute of Standards and Technology
Given the focus on cybersecurity, I believe the most important framework to consider is the NIST Cybersecurity Framework (CSF). Note that the CSF is a separate publication from the SP 800 series: NIST SP 800-171 R1, which is often mentioned alongside it and is frequently required of government contractors, covers the protection of Controlled Unclassified Information in non-federal systems. The CSF organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function is broken down into categories and subcategories, and each subcategory is mapped to the corresponding controls in SP 800-53, ISO/IEC 27001, COBIT, and other references, which makes it an effective guide for preparing your infrastructure to protect your data regardless of which control set you ultimately adopt. NIST Cybersecurity Framework
ISO 27000 Series
The ISO 27000 Series was developed by the International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC). ISO is a standards body that is not a government agency but is supported by over 160 member nations. The series contains well over a dozen standards; the best known is ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS) and is the one organizations are certified against, while its companion ISO/IEC 27002 provides the detailed control guidance. The ISO 27000 series is gaining traction in the US but is more common in larger companies and in Europe. International Organization for Standardization
COBIT
This framework was developed by ISACA (formerly the Information Systems Audit and Control Association), an international IT organization that is responsible for developing and maintaining the framework as well as administering the Certified Information Systems Auditor (CISA) credential and other popular IT certifications (CISM, CRISC, CGEIT). I hold a CISA, and the RAS Team uses the COBIT framework in many of our IT audits. COBIT has moved from an IT control framework toward an integrated governance and management framework that ties IT to business optimization. ISACA COBIT
There are literally hundreds of frameworks available; I have only touched on a few of the most common in this article. There are industry-specific frameworks you may want to consider, as well as more granular frameworks for specific areas you may need to work with. Whether you roll out an initiative to become compliant with one of these frameworks or simply use one as a checklist of needed controls, I invite you to learn more about them and see if they can aid you in the oversight of your IT environment.
Throughout his time at YHB, Curtis has provided IT audit and consulting services to clients, even while holding the position of the firm's IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. He also frequently speaks and gives presentations on SOX compliance, internal controls, and data security.