Based on the opinion poll within my last blog, interest was highest for the question: How to surface common knowledge security issues that management doesn't know about?

You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of the New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments to review governance, risk and compliance issues. He commented that adoption of new technology combined with changes due to mergers and acquisitions have left corporate systems frail and patched 3-4 levels below the senior management level where they are "common knowledge" by operational staff members. He mentioned that these high risk field issues however are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.

When asked about methods to approach this problem, Mr. Ketchum commented “Precision in an imprecise area is dangerous” and suggested to look at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high risk subjects include processes with deficiencies, that have been triaged, areas not well connected, and legacy systems. Issues to focus on include operations and control practices.

COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, the publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester research, comments that "COBIT 4.0 Is A Strong Governance Platform"

You can download a complementary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on Risk Maturity Models to best understand how to use the COBIT 4.0 framework, "The Elephant at the Enterprise Risk Management Party"

My next blog will address the number two voted issue in the opinion poll of my last blog "How to draw the line between acceptable and unacceptable risks?"