Introduction
Today's fast-paced, interconnected digital landscape presents organizations with an ever-growing array of cybersecurity threats and compliance challenges. To navigate this complex terrain effectively, they often turn to comprehensive frameworks that provide guidance for Governance, Risk Management, and Compliance (GRC). Two of the most prominent frameworks in this realm are the CIS Controls Risk Assessment Method and the COBIT 2019 Framework.
In this article, we will explore the key components of the CIS Controls Risk Assessment Method and lay out a compelling argument for how it aligns with and complements the COBIT 2019 Framework, creating a powerful synergy for organizations seeking GRC excellence.
Understanding the CIS Controls Risk Assessment Method
The Center for Internet Security (CIS) Controls, formerly known as the SANS Critical Security Controls, is a widely recognized framework that offers a prioritized set of actions to improve an organization’s cybersecurity posture.
The CIS Controls consist of 18 specific security practices (formerly SANS Top 20), organized into three implementation groups: Basic, Foundational, and Organizational.
The Risk Assessment Method within the CIS Controls is a fundamental component of these practices and focuses on identifying, assessing, and managing cybersecurity risks.
Key steps in this method include:
- Asset Identification and Management: Establishing a comprehensive inventory of information assets and resources, which is foundational to effective GRC.
- Continuous Vulnerability Assessment and Remediation: Regularly identifying and addressing vulnerabilities to mitigate risks effectively.
- Secure Configuration: Ensuring that systems, applications, and devices are securely configured to reduce attack surfaces.
- Control of Administrative Privileges: Limiting and monitoring administrative access to systems and sensitive data to prevent unauthorized activities.
- Incident Response and Management: Developing and testing an incident response plan to minimize the impact of security incidents when they occur.
Mapping CIS Controls Risk Assessment to COBIT 2019 Framework
COBIT 2019, developed by ISACA (Information Systems Audit and Control Association), is a globally recognized framework that provides a comprehensive and integrated approach to enterprise governance of IT.
COBIT 2019 comprises five governance domains:
- Evaluate, Direct and Monitor (EDM).
- Align, Plan and Organize (APO).
- Build, Acquire and Implement (BAI).
- Deliver, Service and Support (DSS).
- Monitor, Evaluate and Assess (MEA).
Let’s examine how the CIS Controls Risk Assessment Method aligns with the COBIT 2019 Framework:
- Governance Framework – Evaluate, Direct and Monitor (EDM):
  - The CIS Controls Risk Assessment Method lays the foundation for governance by identifying assets and assessing risks, aligning with COBIT’s emphasis on setting the governance framework.
- Governance of Enterprise IT – Align, Plan and Organize (APO):
  - Vulnerability assessment and secure configuration practices in the CIS Controls correspond to COBIT’s focus on aligning IT with business objectives and ensuring risk management.
- Ensure the Delivery of Value – Build, Acquire and Implement (BAI):
  - The CIS Controls’ emphasis on continuous vulnerability assessment and incident response aligns with COBIT’s domain for ensuring the delivery of value through effective IT processes.
- Monitor, Evaluate and Assess Performance and Conformance (MEA):
  - Regular assessment and mitigation of risks, as advocated by the CIS Controls, are crucial components of COBIT’s monitoring and evaluation processes.
Benefits of Combining CIS Controls Risk Assessment with COBIT 2019
- Comprehensive GRC Coverage: The integration of CIS Controls Risk Assessment Method and COBIT 2019 ensures a comprehensive approach to GRC, addressing both cybersecurity risks and governance challenges.
- Risk-Based Decision-Making: CIS Controls’ risk assessment methodologies enhance COBIT’s risk-based decision-making processes, ensuring that resources are allocated effectively.
- Compliance Assurance: Organizations can better meet compliance requirements by aligning the CIS Controls’ risk assessment practices with COBIT’s governance and compliance processes.
- Continuous Improvement: The synergy between the two frameworks facilitates continuous improvement in security and governance practices, allowing organizations to adapt to evolving threats and regulatory changes.
Conclusion
In the current business environment where the stakes for information security and governance are higher than ever, organizations must leverage the best available tools and frameworks to stay ahead.
The CIS Controls Risk Assessment Method and the COBIT 2019 Framework, when combined, offer a potent formula for achieving GRC excellence. By aligning their practices with these frameworks, organizations can better manage risks, ensure compliance, and optimize their IT governance processes, ultimately leading to a more secure and resilient digital future.