Securing an IT Organization through Governance, Risk Management, and Audit

1st Edition

By Ken E. Sigler, James L. Rainey, III

Auerbach Publications

368 pages | 19 B/W Illus.

Hardback: ISBN 9781498737319, published 2016-01-22
eBook (VitalSource): ISBN 9780429154362, published 2016-01-05


Past events have exposed the vulnerability of mission-critical computer systems, even at the most sensitive levels. It has been demonstrated repeatedly that attackers with no special skill can use tools and techniques downloaded from the Internet to compromise government and commercial information systems. Although some threats come from mischief makers and pranksters, they are more likely to come from hackers working in concert for profit, from attackers operating under the protection of nation states, or from malicious insiders.

Securing an IT Organization through Governance, Risk Management, and Audit introduces two internationally recognized bodies of knowledge: Control Objectives for Information and Related Technology (COBIT 5), viewed from a cybersecurity perspective, and the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF). Emphasizing the processes directly related to governance, risk management, and audit, the book walks through the CSF in detail, mapping each of its steps and activities to the processes and practices defined in COBIT 5. This approach grounds operational risk in its business context, allowing the information and communications technology (ICT) organization to translate high-level enterprise goals into specific, manageable goals rather than working from unintegrated checklists.

The real value of this methodology is that it lifts the knowledge fog that frequently engulfs senior business management and leads to the false conclusion that overseeing security controls for information systems is a technical management task rather than a leadership responsibility. By carefully reading, implementing, and practicing the techniques and methodologies outlined in this book, you can put in place a plan that increases security and lowers risk for you and your organization.

Table of Contents

Cybersecurity Risk Management
    Cybersecurity Risk Management
    Managing ICT Security Risk through Governance, Control, and Audit
    Implementing Best Practices Using a Single Cybersecurity Framework
    Chapter Summary
    Case Project

Introduction to the Framework for Improving Critical Infrastructure
    Overview of the Framework
    Framework Core
    Framework Implementation Tiers
    Framework Profile
    Framework Is Descriptive and Not Prescriptive
    Structure of the Book’s Presentation of the Framework
    Chapter Summary
    Case Project

Identify Function
    Identify Function Overview
    Asset Management Category
    Business Environment Category
    Governance Category
    Risk Assessment Category
    Risk Management Category
    Risk Management Plan
    Implementing Risk Management
    Risk Handling Strategies
    Linking COBIT to the Identify Function
    Chapter Summary
    Case Project

Protect Function
    Protect Function Overview
    Access Control Category
    Awareness and Training Category
    Data Security Category
    Information Protection Processes and Procedures Category
    Protective Technology
    Linking COBIT to the Protect Function
    Chapter Summary
    Case Project

Detect Function
    Detect Function Overview
    Anomalies and Events Category
    Security Continuous Monitoring Category
    Detection Processes Category
    Chapter Summary
    Case Project

Respond Function
    Respond Function Overview
    Response Planning Category
    Communications Category
    Analysis Category
    Mitigation Category
    Improvement Category
    Chapter Summary
    Case Project

Recover Function
    Distinguishing between Business Continuity and Disaster Recovery
    Improvement Category
    Communications Category
    Chapter Summary
    Case Project

The COBIT Framework
    IT Governance
    Framework Model
    Practical Technical Scenarios (PTSs)
    What Drives COBIT 5
    Framework Principles
    Other Governance Frameworks and Best Practices
    Case Project

Decomposition of Framework
    Framework Principles: Creation
    Definition of Categories and Seven Enablers
    Control Issue
    Navigation Issue
    Case Project

Framework Structure’s Generic Domains
    COBIT’s Framework Structure
    Planning and Organization
    Acquisition and Implementation
    Delivery and Support
    Case Project

Decomposition of COBIT 5
    Purpose of COBIT Control Objectives and Principles
    Principle 1: Installing the Integrated IT Architectural Framework
    Principle 2: What Do Stakeholders Value?
    Principle 3: The Business Context Focus
    Principle 4: Managing Risk
    Principle 5: Measuring Performance
    Case Project

COBIT Management Guidelines
    Enterprise Management
    Risk Management
    Status of IT Systems
    Continuous Improvement
    Case Project

COBIT Management Dashboard
    Performance Measurement
    IT Control Profiling
    Case Project

What COBIT Sets Out to Accomplish
    Adaptability to Existing Frameworks
    Constituency of Governance for Finance
    Constituency of Governance for IT
    Case Project

Internal Audits
    Purpose of Internal Audits
    Roles That Potentially Use COBIT
    Approaches to Using COBIT in an Internal Audit
    Types of Audits Which Can Be Facilitated Using COBIT
    Advantages of Using COBIT in Internal Audits
    Case Project

Tying It All Together
    COBIT Works with Sarbanes–Oxley (SOx)
    COBIT Works with GETIT
    Process Assessment Model (PAM)
    Case Project

About the Authors

Ken Sigler
Auburn Hills, MI, United States

Ken Sigler is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills Michigan campus of Oakland Community College and the chair of the Campus Senate. His primary research is in the area of software management, software assurance, and cybersecurity. He has authored several books on the topic of cybersecurity ICT management and developed the college’s CIS program option Information Technologies for Homeland Security, which has a recognized relationship with the Committee on National Security Systems. Sigler serves as the liaison for the college as one of three founding members of the International Cybersecurity Education Coalition (ICSEC), which is now the Midwest chapter for CISSE.

James L. Rainey, III, DMIT, is an IT specialist with the U.S. government where he works on technical project documentation within the SDLC. Dr. Rainey holds an MS degree in computer and information systems and did a tour with the Department of Defense where he earned a citation for his work. Dr. Rainey has also worked as a UNIX system administrator, SAP basis administrator, and enterprise and infrastructure architect. Additionally, he worked at Comerica Bank’s Data Center in Auburn Hills, Michigan, as a developer and taught at the University of Detroit Mercy’s Computer and Information Systems Department for 10 years as an adjunct.

About the Series

Internal Audit and IT Audit

Subject Categories

BISAC Subject Codes/Headings:
BUSINESS & ECONOMICS / Information Management
COMPUTERS / Information Technology
COMPUTERS / Security / General