<p class="title entry-title">This is a post that neatly summarizes the points that can be confusing.</p>
<p>Generally speaking, COBIT is centered on the business perspective, NIST on U.S. government and critical-infrastructure programs, ISO27001 on control of practice, ISO27002 on the practice of IS, and ITIL on best practice from the UK but not limited to it.</p>
<p>When deciding from which perspective to approach and apply information security in planning and practice, or when you need to audit it, I think reading this once may help when reviewing a standard or policy.</p>
<h1 class="title entry-title"><a target="_blank" href="http://agnosticationater.blogspot.com/2013/12/a-comparison-of-cobit-itil-iso-27002.html">A Comparison of COBIT, ITIL, ISO 27002 and NIST</a></h1>
<span style="font-family:Arial, Helvetica, sans-serif;">This post discusses four standards related to implementing a risk management framework. While alike in some areas, they generally target different industries and may be applicable only within certain geographic boundaries.</span><br>
<span style="font-family:Arial, Helvetica, sans-serif;">The standards discussed here are:</span><br>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">COBIT (Control Objective over Information and related Technology)</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL (Information Technology Infrastructure Library)</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">NIST (NIST Special Publication 800-37 Revision 1)</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">Purpose</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">COBIT (published by ITGI) is a high-level framework (relative to ITIL, ISO 27002 and NIST) that maps core IT processes in a manner that allows governance bodies - usually business executives - to successfully execute key policies and procedures. Similar to ISO 27002, it answers the ‘what’ that is being managed, as opposed to the ‘how’ answered by ITIL. However, whereas ITIL and ISO 27002 are focused only on information security, COBIT allows for a much broader scope, taking into account all IT management processes.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL is a set of best practices an organization may implement in order to align IT resources and offerings with business goals. It is offered in a series of five core publications, each corresponding to a stage in the IT lifecycle. This process produces documentation of processes, tasks and checklists that are not specific to the organization, with the goal of creating a baseline from which to implement controls and measure success.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002 provides best practice recommendations for an ISMS (Information Security Management System) standard, implemented most often by using ISO 27001. Both were produced by the ISO (International Organization for Standardization). While 27001 formulates a management system to control information security, it does not provide specific or industry-related controls – that is left up to ISO 27002.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">NIST Special Publication 800-53 is a requisite for federal bodies in the U.S. for security control compliance, with the exception of those associated with national security. It is published by the National Institute of Standards and Technology, and is related to FISMA (2002).</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">Common Uses</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">COBIT is usually employed by business executives to successfully execute key policies and procedures. Additionally, it is often used to tie together controls, technical issues and risks within an organization.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL was originally designed for use within the U.K. government and is most applicable within that realm. However, it is now a globally accepted standard and is in use by many companies outside its geographical area of origin.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002 is commonly used by, or in accord with, the IT department of the organization. The IT department is the focus of the resulting management system controls.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">NIST covers all steps in the Risk Management Framework, which addresses the selection of security controls according to FIPS (Federal Information Processing Standard) 200. It is used by U.S. federal organizations to meet ISMS requirements.</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">Strengths</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">COBIT is managed by ISACA (Information Systems Audit and Control Association), which keeps the standard up to date and on par with current technology. It is a globally accepted standard and encompasses far more than just the information security scope that other standards are limited to. Accordingly, it is also easier to partially implement COBIT without requiring a full-spectrum analysis and commitment by the organization.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL is created and managed by the U.K. government, and is a natural fit for companies in that area of the world. However, the ITIL standard is used worldwide and may be considered by any company regardless of geographical location. ITIL excels at increasing visibility into, and management of, internal processes to positively impact efficiency and economy.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002 is associated with a very respected and widely known standard (ISO 27001), and will be recognized and understood by those familiar with the ISO/IEC standards. This standard allows system managers to identify and mitigate gaps and overlaps in coverage.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">The level of detail afforded by implementing a framework based on NIST is considerable, and an organization not wishing to spend time customizing a framework for its specific industry or nature may wish to use NIST, assuming that the level of detail is complementary to its goals.</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">Weaknesses</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">While being widely scoped can be viewed as a strength for COBIT, it can also be a detractor during implementation. Being by design not limited to a single area, it can often lead to gaps in coverage.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">While focused on information security only, ITIL is considered to be a higher-level standard than ISO 27002, and points to ISO standards for detailed implementation. Specific implementation details are rather lacking.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002 is focused specifically and purposefully on information security and is therefore limited in scope compared to other standards such as COBIT.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">Similar to ISO 27002, NIST is limited in scope to information security, whereas COBIT and ITIL are more general in nature. Multiple publications must be processed and implemented in order to achieve compliance, which can lead to coverage gaps.</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">Certification and Accreditation</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISACA, the author of COBIT, offers 4 levels of certification for individuals:</span></li>
</ul>
<ol>
<li>Certified Information Systems Auditor (CISA)</li>
<li>Certified Information Security Manager (CISM)</li>
<li>Certified in the Governance of Enterprise IT (CGEIT)</li>
<li>Certified in Risk and Information Systems Control (CRISC)</li>
</ol>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL offers 4 levels of certification at the individual level (there are no organizational-level certifications at this time):</span></li>
</ul>
<ol>
<li>Foundation</li>
<li>Intermediate</li>
<li>Expert</li>
<li>Master</li>
</ol>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ISO 27002 can be applied to organizations of all sizes, and as a result it is difficult to attach a compliance specification to it. However, the associated standard ISO 27001 is very well aligned with ISO 27002 and does provide a certification path for organizations. Certification remains relatively rare, however.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">Federal bodies do not obtain a NIST certification, but rather are certified by obtaining and maintaining proof of adherence to a number of other federal regulations related to FISMA. A key part of the process is the selection and implementation of a subset of the controls put forth by the NIST standard and FIPS 200. Compliance was required by the end of 2005.</span></li>
</ul>
<h2><span style="font-family:Arial, Helvetica, sans-serif;">When to Use</span></h2>
<ul>
<li><span style="font-family:Arial, Helvetica, sans-serif;">COBIT is a good candidate when an organization wishes to create an organization-wide management framework that is scoped beyond information security only. While it does not provide direct accreditation, certification can be achieved through closely aligned paths.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">ITIL points to ISO standards as a framework in which to implement a solution. This applies well to organizations wishing to use ISO standards with global recognition without necessarily achieving ISO 27001 certification.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">The certification associated with ISO 27002 (ISO 27001) provides worldwide recognition and acceptance, and therefore organizations wishing to operate across international boundaries may find implementation and certification advantageous. Additionally, some ISO 27001 certified companies require partners to become certified as well.</span></li>
<li><span style="font-family:Arial, Helvetica, sans-serif;">U.S. government organizations are required to use NIST in order to comply with federal law. Non-federal organizations may also use the NIST standard, but other standards such as ISO 27002 or ITIL may be better suited, as NIST can be difficult to implement for some organizations.</span></li>
</ul>