On May 7, 2014, Chinese hackers gained access to the United States Office of Personnel Management (OPM), but the breach was not discovered until April 15, 2015, and was not announced until June 2015. The attackers had access to the OPM servers for almost a full year and stole 21 million personnel files, including fingerprint and biometric data and polygraph tests (Gootman, 2016, p. 518). It was severely damaging to our national security and will have far-reaching effects for decades to come (Adams, 2016).
This devastating breach was not the result of a single exploit but of a failure of security processes and systems at the enterprise level. The system failed because the governance control mechanisms failed to produce the correct policies and procedures (Wehbe, 2017, pp. 89-90). Had a suitable governance framework been implemented, the breach might not have occurred at all, and it certainly would not have gone undetected for a full year.
An organization must have a governance framework to ensure that all required security policies and procedures are covered. The question of whether COBIT or ITIL is the better framework to guide IT security is simple: ITIL is not a governance framework; it is an IT Service Management framework. COBIT is a governance framework that “defines ‘what’ should be done”, with ITIL providing the ‘how’ (19). COBIT is more important overall because it covers important processes that ITIL ignores, such as security audits, and because it is the controlling methodology for security services (Brotby, 2009, p. 31). COBIT governs how operational frameworks such as ITIL or NIST are applied.
COBIT offers several benefits to an organization in its cybersecurity efforts. ISACA, the developer of COBIT, states that effective information security governance should result in six beneficial outcomes (ITGI, 2006, pp. 11-12).
- Strategic alignment — aligning business processes and the required security controls so that they support rather than hinder operational goals.
- Risk management — mitigating threats and their potential impact to acceptable levels through the implementation of effective security processes.
- Business process assurance/convergence — integrating security controls with business processes to increase efficiency rather than hinder business performance.
- Value delivery — correct investment of resources in implementing security controls and policies.
- Resource management — the efficient use of resources in developing an effective security program.
- Performance measurement — monitoring security controls to determine their effectiveness and producing reports for compliance (Hardy, 2006).
Using a governance framework such as COBIT 1.4 or the newer COBIT 5 will help achieve a robust organizational security posture through an efficient process with a minimum of wasted time and money (Hardy, 2006, p. 54). It will also improve the working relationship between business departments through effective communication.
References
Adams, M. (2016). Why the OPM Hack Is Far Worse Than You Imagine. Lawfare (Cybersecurity), 11.
Brotby, W. K. (2009). Information security governance: a practical development and implementation approach. Hoboken, N.J.: John Wiley & Sons.
Gootman, S. (2016). OPM hack: The most dangerous threat to the federal government today. Journal of Applied Security Research, 11(4), 517-525.
Hardy, G. (2006). Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges. Information Security Technical Report, 11(1), 55-61. doi: 10.1016/j.istr.2005.12.004
ITGI. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition.
Wehbe, A. (2017). OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk. BU Pub. Int. LJ, 26, 75.