IT policies and procedures cover a wide range of the issues that concern the field, including security, operational, technical, networking, management, administrative and communication issues. Because IT standards are universal, frameworks based on international standards have been built to oversee this sensitive sector. (Wessel, 2010)
The existence of various frameworks in charge of IT has been both good and bad. It is good because it protects end users from compromised policies, yet bad because many users want to choose the framework that suits their interests and apply its policies, which differ from one framework to another.
The common frameworks whose policies and procedures are referenced in decision making include ISO 27002, NIST, ITIL and COBIT, though each has its own purpose, strengths and weaknesses.
ISO 27002, produced by the International Standards Organization, focuses on the security of information: how it can be achieved, why it matters and the rules governing it. Its main areas of focus include risk assessment, security policies, governance issues, human resources security and environmental security, among others.
It has an upper hand over other frameworks and has been widely accepted by most of the organizations that have put it into practice. It is also advantaged in that it provides the security controls that are essential in risk assessment.
ISO 27002 does, however, have some weaknesses, which mainly concern the policies it gives. Among the major weaknesses is its lack of liability: the framework does not take responsibility for, and is not answerable for, its built-in shortcomings that may affect the organizations adopting it.
Ethical issues affecting cloud computing have also been taken on by this framework because it is put into practice so widely in that area. This compromises the security of the systems and raises other social issues.
Another major weakness of this framework is that it does not address how the system will be implemented. It also fails to offer guidelines on each process and on how each process contributes to the success of the system.
Its flexibility, which allows users to adopt only the policies that apply to them, makes it less credible. It is hard to carry out certification against this framework with regard to compliance issues.
ISO 27002 does not offer certification and accreditation because it is just a code of standards meant to guide organizations in adopting and using the actual standard; certification is offered against ISO 27001.
A company may choose this framework when protecting the security of its infrastructure and human resources, because ISO 27002 is mostly concerned with information security and with resource protection and management.
NIST, published by the National Institute of Standards and Technology, is a guide to using the risk management framework in a federal system. It sets strong, performance-based standards that allow organizations to improve the quality of the products and services they offer.
The major weakness of NIST has to do with its authentication: it is currently not certifiable as an independent framework and only serves to complement other frameworks, for instance the various versions of ISO.
Adoption and implementation of NIST suits a company that is based in the United States and does not require international recognition. The company's focus should also be on effective risk management, since this is what NIST advocates. This argument rests on the fact that NIST is applicable only in the US, to a federal state, and is not yet recognized internationally; it is a national framework.
ITIL, the Information Technology Infrastructure Library, is also a major IT framework. It was established by the commerce office in the UK, and its integrated approach meets the ISO 2000 requirements. (Klosterboer, 2008)
Its service strategy deals with design and implementation issues, while service design focuses on the development and management of services. ITIL also covers service transition to allow flexibility of the system, and it helps in laying down strategies for effectiveness and efficiency in service delivery. Finally, the framework provides for continued system monitoring to measure performance.
One of the weaknesses of ITIL is its incomplete language. This is a problem for its users, since the framework covers only a small part of IT. Its policies are therefore limited and may not be effectively applicable in large IT organizations. Its language also differs greatly from that of other frameworks, which makes it harder for organizations implementing it to work with others that use different frameworks.
For certification, ITIL policies require a client to first take training from accredited companies and organizations, which in the end certify the trainee company. Its certification is globally recognized and accepted.
ITIL can be adopted as the framework that suits a company when that company seeks to achieve better service delivery governed by internationally accepted standards. This is because the framework gives service delivery a professional approach, increasing quality and productivity.
COBIT is produced by the Information Systems Audit and Control Association. It focuses on full system utilization across a wide range of IT use and exposure. The framework deals with the planning and design of a system, its implementation and continued use, and an evaluation and monitoring strategy for the time the system in question will be in use. (Klosterboer, 2008)
It mainly addresses management issues, hence its common description as the managers' framework. It also borrows heavily from the advantages of ITIL, among them cost-benefit effectiveness, exhaustive explanations and models supported by flowcharts, and its efficiency and effectiveness in management issues. (Klosterboer, 2008)
Certification of COBIT as a standard measure of information systems has also been questioned, mainly because of its tendency to focus on business-based information systems, leaving out the many other types of information systems used in organizations. This has been the major weakness of the framework, causing much tension among those who want to adopt it.
Its persistent need for a customer to state whether they also follow ITIL practices has also been a disadvantage for this framework. It makes the framework lose its independence, subjecting it to heavy rule and governance by ITIL. Hence it has often been thought of as merely an improvement on ITIL that adds a few policies. (Klosterboer, 2008)
A major weakness of COBIT is its failure to protect its clients when a problem arises. Its policies do not meet the required international standards for effective IT governance, so it is not a legal framework.
It is also closely aligned to the objectives and goals of an organization. COBIT has been credited with helping organizations develop realistic and workable objectives; its weakness, however, is that it does not provide for how these objectives will be met. It also fails to cater for the development stages that software goes through, and so fails to track and monitor the continuous growth and development of a system.
Like ISO 27002, COBIT is also a documentation of codes of best practice. Certification with COBIT is therefore neither available nor recognized globally. It can only be mapped onto another framework that offers recognized certification, as it does with ITIL.
COBIT can be chosen over other frameworks when an organization seeks to implement new policies to govern its service delivery, because it focuses strongly on control objectives that help in the governance of IT departments.
References
Frameworks for IT management: a pocket guide. (2007). Zaltbommel: Van Haren Publ.
IT governance implementation guide using COBIT and Val IT (2nd ed.). (2007). Rolling Meadows, IL: IT Governance Institute.
Klosterboer, L. (2008). Implementing ITIL configuration management. Upper Saddle River, NJ: IBM Press/Pearson.
Wessel, R. (2010). Toward corporate IT standardization management frameworks and solutions. Hershey, PA: Information Science Reference.