<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-6447776621493920602.post8425642276851638179..comments</id><updated>2011-11-04T11:53:03.111-07:00</updated><category term='Membership Benefits'/><category term='COBIT'/><category term='Cyber Crime'/><category term='Risk Management'/><category term='IT Governance'/><category term='Certification'/><category term='Miscellany'/><category term='Cloud Computing'/><category term='Contingency Planning'/><category term='CGEIT'/><category term='Information Warfare'/><category term='Information Security'/><category term='Business Intelligence'/><category term='CRISC'/><category term='CPE'/><category term='CISM'/><category term='Continuous Audit'/><category term='Career Opportunities'/><category term='CISA'/><category term='Learning'/><category term='Compliance'/><category term='IT Audit'/><category term='Privacy'/><category term='Virtualization'/><category term='Law'/><category term='E-Discovery'/><title type='text'>Comments on ISACA Sacramento Web Log: FISMA Compliance: Metrics or Management?</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.isaca-sacramento.org/feeds/8425642276851638179/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html'/><author><name>ISACA-SAC Blog Master</name><uri>http://www.blogger.com/profile/07672995893033955927</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>7</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-4405343245548183412</id><published>2011-04-20T05:25:17.066-07:00</published><updated>2011-04-20T05:25:17.066-07:00</updated><title type='text'>I totally agree that COBIT is the best answer to t...</title><content type='html'>I totally agree that COBIT is the best answer to the management requirement of the IT industry. But can it work without affecting the efficiency?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/4405343245548183412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/4405343245548183412'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1303302317066#c4405343245548183412' title=''/><author><name>USB Encryption</name><uri>http://www.lok-it.net/encrypted-flash-drive/</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' 
value='pid-1966997094'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-241614108377487163</id><published>2011-02-09T09:21:52.897-08:00</published><updated>2011-02-09T09:21:52.897-08:00</updated><title type='text'>@Encrypted Flash Guy

So... is Federal management ...</title><content type='html'>@Encrypted Flash Guy&lt;br /&gt;&lt;br /&gt;So... is Federal management incapable? Personally, I think that the govt&amp;#39;s efficiency issues originate at a higher level than agency management. The most talented managers executing against the most relevant metrics won&amp;#39;t correct systemic policy and organizational shortcomings that lead to complacency, malignant redundancy, and fiefdom-building. Goals, carrots, and sticks are all misguided, and root causes are difficult at best, impossible at worst, to correct.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/241614108377487163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/241614108377487163'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1297272112897#c241614108377487163' title=''/><author><name>Aud Man Out</name><uri>http://www.blogger.com/profile/03695859295572986136</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' 
value='pid-554029919'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-8296952614493824836</id><published>2011-02-08T03:39:52.695-08:00</published><updated>2011-02-08T03:39:52.695-08:00</updated><title type='text'>FISMA has allocated precise tasks to the groups Na...</title><content type='html'>FISMA has allocated precise tasks to the groups National Institute of Standards and Technology (NIST) and Office of the Management and Budget (OMB). Metrics are a sine qua non of capable management; in fact, management cannot be based just on leading perception, it has to be underpinned by figures. A strategy-focused association aligns its everyday actions and communicates that approach throughout the enterprise.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/8296952614493824836'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/8296952614493824836'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1297165192695#c8296952614493824836' title=''/><author><name>J (Encrypted Flash Drive Guy)</name><uri>http://www.lok-it.net/encrypted-flash-drive/</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='blogger.itemClass' value='pid-1370399350'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-2784184610422558205</id><published>2008-07-14T04:00:00.000-07:00</published><updated>2008-07-14T04:00:00.000-07:00</updated><title type='text'>Hello all, I would also like to give my opinion on...</title><content type='html'>Hello all, I would also like to give my opinion on Risk and Compliance.&lt;BR/&gt;IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: greater business value from IT strategy, investment and alignment; significantly reduced business and financial risk from the use of IT; and conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving its objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report. 
&lt;BR/&gt;You can also get more information from http://www.compliancehome.com/symantec/</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/2784184610422558205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/2784184610422558205'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1216033200000#c2784184610422558205' title=''/><author><name>jacksmith</name><uri>http://www.blogger.com/profile/15617558583873270467</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-625273212'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-1048623865535369539</id><published>2008-06-19T17:48:00.000-07:00</published><updated>2008-06-19T17:48:00.000-07:00</updated><title type='text'>rybolov,&lt;br&gt;&lt;br&gt;Very humorous sarcasm! That &lt;i&gt;was...</title><content type='html'>rybolov,&lt;BR/&gt;&lt;BR/&gt;Very humorous sarcasm! That &lt;I&gt;was&lt;/I&gt; sarcasm, right? 
Seriously, I’m so excited about your ideas that I’m going to link back to you.&lt;BR/&gt;&lt;BR/&gt;Yes, &lt;A HREF="http://csrc.nist.gov/groups/SMA/fisma/framework.html" REL="nofollow"&gt;NIST Risk Management Framework&lt;/A&gt; closely resembles—and in some cases borrows from—COBIT. It’s less structured and much more comprehensive, given all the Special Publications that comprise it. COBIT attempts to specify &lt;I&gt;what&lt;/I&gt; you should do to achieve high-performing IT-driven operations. As I view it, the NIST framework attempts to tell you both &lt;I&gt;what&lt;/I&gt; you should do and, in verbose detail, &lt;I&gt;how&lt;/I&gt; you should do it.&lt;BR/&gt;&lt;BR/&gt;When your smart friends figure out how to dismantle the barriers to quality and performance management in government, please include me in the celebration. I’ve been working on that problem most of my adult life.&lt;BR/&gt;&lt;BR/&gt;I work in a large State government, so I can empathize with your plight. Sounds like the Fed faces conditions very similar to ours. I’m not sure that I can agree, though, that there are not enough skillful/clueful people to meet demand. I find that a great many skillful—and clueful—people are chewed up and spit out by institutions that were purposefully designed not to change, evolve, or die. The theory of evolution &lt;I&gt;does not&lt;/I&gt; hold true for government. Of course, DC is a very different place from Sacramento. Heck, LA is a very different place from Sacramento. California’s difficulty, I think, is:&lt;BR/&gt;&lt;BR/&gt;1. Our constitution gives broad powers to individual agencies to manage as they see fit.&lt;BR/&gt;&lt;BR/&gt;2. Influencers at the Executive level have two levers to shape the will of agencies: policy, i.e. administrative regulations, and law.&lt;BR/&gt;&lt;BR/&gt;But...&lt;BR/&gt;&lt;BR/&gt;3. Administrative regulation is largely ignored, with no ramifications befalling those in positions to know better.&lt;BR/&gt;&lt;BR/&gt;4. 
Politics makes law impossible to effect.&lt;BR/&gt;&lt;BR/&gt;A few years ago, the Governor commissioned a task force to find ways to improve operations. The group identified over 200 vectors in the problem space. But in short order, cold hard reality befell the naïve Governor’s best laid plans.  Between a Legislature and public employees’ union bent on stonewalling all attempts to mandate change, and the utter inability of the Administration to apply pressure on agencies that had been ordained as kingdoms in the State Constitution, the initiative quietly died with only a handful of its recommendations realized.&lt;BR/&gt;&lt;BR/&gt;Incidentally, I’ve been told that the Canadian government has been successful—you define success—at implementing the COBIT framework. I would sure like to visit Ottawa to see what everyone’s talking about.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/1048623865535369539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/1048623865535369539'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1213922880000#c1048623865535369539' title=''/><author><name>M.P. 
Schmidt</name><uri>http://www.blogger.com/profile/03695859295572986136</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-554029919'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-2160436955242134573</id><published>2008-06-18T05:51:00.000-07:00</published><updated>2008-06-18T05:51:00.000-07:00</updated><title type='text'>Cavalcade of Risk #54 is up, and your post is in i...</title><content type='html'>Cavalcade of Risk #54 is up, and your post is in it:&lt;BR/&gt;&lt;BR/&gt;http://www.bargaineering.com/articles/cavalcade-of-risk-54.html</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/2160436955242134573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/2160436955242134573'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1213793460000#c2160436955242134573' title=''/><author><name>Henry Stern, LUTCF, CBC</name><uri>http://www.blogger.com/profile/03043774760749462290</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-17008122'/></entry><entry><id>tag:blogger.com,1999:blog-6447776621493920602.post-7489439061030665813</id><published>2008-06-16T06:54:00.000-07:00</published><updated>2008-06-16T06:54:00.000-07:00</updated><title type='text'>Yes, the government's metrics are broken right now...</title><content type='html'>Yes, the government's metrics are broken right now.  Some really smart people that I know are working on changing that, but it's slow because the culture of Government is to resist change.&lt;BR/&gt;&lt;BR/&gt;I agree with you that PCI is the road to go down.  In fact, I wrote a tongue-in-cheek rebuttal on my blog at &lt;A HREF="http://www.guerilla-ciso.com/archives/363" REL="nofollow"&gt;FISMA: Better if PCI. WTF?&lt;/A&gt;&lt;BR/&gt;&lt;BR/&gt;While COBIT makes some sense, the problem is that government is driven by a different set of laws and standards than the private sector.  Looking through your description of COBIT, it's exactly what NIST has created in their Risk Management Framework.&lt;BR/&gt;&lt;BR/&gt;The biggest problem that we have in the Government is one of scale:&lt;BR/&gt;1. We do not have information security models above the enterprise level.&lt;BR/&gt;2. 
We do not have enough skillful/clueful people in the DC area to keep up with the demand.&lt;BR/&gt;&lt;BR/&gt;No matter what framework you use, you still will get the same results because it's not about the framework, it's about the people.&lt;BR/&gt;&lt;BR/&gt;Have a look at the presentation I put together on &lt;A HREF="http://www.guerilla-ciso.com/archives/408" REL="nofollow"&gt;security and the Government&lt;/A&gt;; I go through some of this.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/7489439061030665813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6447776621493920602/8425642276851638179/comments/default/7489439061030665813'/><link rel='alternate' type='text/html' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html?showComment=1213624440000#c7489439061030665813' title=''/><author><name>rybolov</name><uri>http://www.blogger.com/profile/09022232218670789122</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.isaca-sacramento.org/2008/06/fisma-compliance-metrics-or-management.html' ref='tag:blogger.com,1999:blog-6447776621493920602.post-8425642276851638179' source='http://www.blogger.com/feeds/6447776621493920602/posts/default/8425642276851638179' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1142562883'/></entry></feed>
