Creating A Compliant IT Delegation Framework (ISO 20000, COBIT, NIST)

by Rajeshwari Kumar

Introduction To Creating A Compliant IT Delegation Framework (ISO 20000, COBIT, NIST)

Taken separately, each of these three frameworks addresses a distinct aspect of IT governance. Combined, they provide a solid basis for a delegation structure that is compliant, auditable, role-appropriate and risk-informed. This blog discusses how to establish a compliant IT Delegation of Authority (DoA) framework by integrating ISO 20000, COBIT and the NIST CSF. We examine best practices, role descriptions, the authority matrix and common pitfalls, so that your organization can adopt a model of clear accountability, reduced operational risk and stronger regulatory compliance.

Overview Of The Integrated Framework (ISO 20000, COBIT, NIST)

1. ISO 20000: IT Service Management Orientation

ISO 20000 defines the overall framework for service delivery, incident management, change control, problem management and continual improvement. When a DoA is applied to it, it:

  • Ensures that delegation applies only to service duties that are well described.

  • Assigns responsibilities in line with the RACI matrix under the Service Management System (SMS).

  • Enables formal approval of incident escalations, service requests and problem resolutions.

Examples:

  • Delegating the authority to approve emergency changes to the IT Change Manager.

  • Delegating to the service desk the authority to escalate incidents according to priority level.

2. COBIT: Governance and Control

COBIT provides governance objectives, decision rights and performance measurement tied to enterprise objectives. It complements the delegation system by:

  • Mapping COBIT process practices (e.g. APO, DSS, MEA) to decision rights.

Examples:

  • Under APO05 (Manage Portfolio), delegating IT investment approvals to the CIO.

  • Under EDM03 (Ensure Risk Optimization), delegating operational risk mitigation decisions.

3. NIST CSF: Cybersecurity and Risk Orientation

A delegation structure built on the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover) takes account of risk posture, incident response and data protection.

  • Delegation of authority follows the classification of risk and system criticality.

  • Defines and assigns incident response roles (Respond).

  • Under the Respond function, gives the CISO the authority to coordinate breach notification procedures.

  • Authorizes IT Security Managers to approve security patches.

IT Operations Playbook

Why Integrate ISO 20000, COBIT, and NIST?

Today's IT environment is multi-layered and multi-faceted, and relying on a single framework will leave gaps in coverage of service quality, governance accountability or cybersecurity readiness. Combining ISO 20000, COBIT and NIST, and aligning them with each other, lets an organization establish an end-to-end and adequate IT Delegation of Authority (DoA) system.

Integration Ensures:

  • Holistic Governance

  • Excellence in Service Management

  • Cybersecurity Resilience

The main reasons why integration is necessary:

1. Complementary Strengths of Each Framework

  • COBIT enforces enterprise IT governance, with a strong focus on decision rights, accountability and value delivery.

  • ISO 20000 brings order to IT service management, establishing distinct roles for service support, delivery and continual improvement.

2. End-to-End Coverage of IT Functions

  • The NIST CSF reinforces risk-based cybersecurity controls within delegation and authority frameworks.

  • Used jointly, the frameworks avoid redundancy while closing the most significant gaps.

  • Together they address service procedures, security measures, planning, compliance and incident response.

3. Global Compliance Harmony

  • Delegation decisions cover change management, risk acceptance, budget and access provisioning.

  • Supports ISO, SOX, GDPR/HIPAA and other regulatory requirements.

  • Enhances the defensibility of IT decision-making through a policy-based rationale for each delegation.

Defining Roles And Responsibilities Based On ISO 20000

ISO/IEC 20000 is the international standard for IT service management (ITSM). It offers a methodical approach to designing, delivering and improving IT services. One of its central strengths is the well-defined roles and responsibilities it establishes, which make service activities controlled, efficient and auditable.

The main advantages of ISO 20000 in role definition:

  • Increases accountability and transparency in service delivery.

  • Improves the alignment of people, processes and service outcomes.

  • Promotes documented roles that are applied consistently across the ITSM system.

Principles Of Role Definition (ISO 20000)

1. Service-Centric Structure - Roles are defined in the context of service lifecycle stages (e.g., incident management, change management, problem management, service level management).

2. Role Ownership - Every process or function should have a process owner, a process manager and, where needed, process practitioners.

3. Clear Lines of Authority - Approval, escalation and resolution authority rest with the job function, not with personal discretion.

4. Documented Responsibilities - The scope of roles and responsibilities should be documented in procedures, work instructions and service management policies.

Key Roles And Responsibilities In ISO 20000-Based Delegation

The following are common ITSM roles and the authority each holds under an ISO 20000-aligned DoA structure:

1. Service Owner

  • Accountable for the end-to-end delivery and performance of a particular service.

  • Delegation: Approves service changes that affect the service's scope or performance; approves SLAs and OLAs.

2. Incident Manager

  • Controls the incident management process and ensures timely resolution.

  • Delegation: Defines escalation paths, declares major incidents and initiates root cause investigations.

3. Change Manager

  • Manages the change process so as to minimize service disruption.

  • Delegation: Reviews and approves low- to medium-risk change requests; refers high-risk changes to the Change Advisory Board (CAB).

4. Problem Manager

  • Identifies and addresses the root causes of recurring incidents.

  • Delegation: Authorized to carry out root cause analysis and to recommend permanent solutions.

5. Configuration Manager

  • Maintains the CMDB (Configuration Management Database) and the relationships between configuration items (CIs).

  • Delegation: Approves changes to key configuration items.

6. Service Desk Director

  • Handles user relations and tier 1 support.

  • Delegation: Approves standard service requests, password resets, access requests and minor incident resolutions.

Incorporating COBIT Governance Objectives Into Delegation Policies

COBIT (Control Objectives for Information and Related Technologies) is a widely recognized framework that provides comprehensive guidance on IT governance and management. It defines governance components, objectives and decision rights, which makes it an effective tool for developing structured, compliant and value-based IT Delegation of Authority (DoA) policies.

Including COBIT in your IT delegation model ensures that every action you delegate is tied to enterprise goals, risk tolerance, compliance requirements and strategic priorities.

How Does COBIT Apply To Delegation Policies?

  • Establishes enterprise-wide accountability for IT-related decisions.

  • Supports systematic delegation across the governance domain (EDM) and the management domains (APO, BAI, DSS, MEA).

  • Helps measure the maturity and performance of the decision-making process.

Key COBIT Elements For Delegation

COBIT 2019 defines 40 governance and management objectives grouped into five domains. This is how they affect delegation:

1. EDM (Evaluate, Direct, Monitor) - Strategic Governance Layer

These are board-level governance objectives, which shape top-level delegation.

  • EDM01 - Ensure Governance Framework Setting and Maintenance

Delegation: The CIO or IT Governance Committee holds the authority to set or change governance structures.

  • EDM02 - Ensure Benefits Delivery

Delegation: IT leaders are responsible for approving initiatives tied to business value.

2. APO (Align, Plan, Organize) - Planning and Strategy Layer

This domain covers strategic alignment and the organizational design of IT.

  • APO01 - Manage the IT Management Framework

Delegation: IT Directors are authorized to approve internal policies and standards grounded in the strategy.

  • APO05 - Manage Portfolio

Delegation: Portfolio Managers are delegated the authority to prioritize IT investments within defined caps.

3. BAI (Build, Acquire, Implement) - Project and Solution Layer

These are project execution and system development objectives.

  • BAI02 - Manage Requirements Definition

Delegation: Business Analysts are mandated to approve requirements up to a defined limit.

4. DSS (Deliver, Service, Support) - Operational Layer

DSS deals with service provision, business operations and incident response.

  • DSS01 - Manage Operations

Delegation: IT Operations Managers can delegate day-to-day operations (e.g., patching, backups).

  • DSS02 - Manage Service Requests and Incidents

Delegation: Incident Managers are allowed to triage, escalate and resolve incidents.

5. MEA (Monitor, Evaluate, Assess) - Performance and Assurance Layer

This domain ensures continuous monitoring and performance management.

  • MEA01 - Manage Performance and Conformance Monitoring

Delegation: Process owners can track KPIs and take corrective action.

  • MEA03 - Manage Compliance With External Requirements

Delegation: Compliance Officers have the authority to report on and act upon compliance concerns.

Best Practices For Applying COBIT In Delegation Policy

1. Map Delegation Levels to COBIT Objectives and Roles - Tie each delegated decision to a specific COBIT process so that it aligns with the decision-making roles (e.g. CIO, Service Owner, Risk Officer).

2. Delegate by Role, Not by Person - Do not delegate person to person; delegate to roles on the basis of their governance scope.

3. Include Performance Measurements - Tie delegation to measurable KPIs (within the MEA domain) to guarantee accountability and continual improvement.

Things To Avoid When Applying COBIT In Delegation Policy

  • Over-centralization of authority, which creates delays and bottlenecks.

  • Not updating delegated authorities when the organization changes.

  • Lack of alignment between delegated actions and strategic governance intent.

NIST CSF: Secure And Risk-Aware Delegation Integration

The NIST Cybersecurity Framework (CSF) offers a risk-based methodology for managing cybersecurity risks and safeguarding information assets. Within an IT Delegation of Authority (DoA) framework, the NIST CSF coordinates the assignment of authority with full visibility of cybersecurity risks, regulatory requirements and the organization's threat position.

Decision delegation that ignores security impact, risk thresholds or incident response authority invites breaches, non-compliance and unaddressed vulnerabilities. Incorporating the NIST CSF into delegation policies helps the organization build a strong, auditable and sound governance system.


What Are The NIST CSF Core Functions?

The NIST CSF has five high-level core functions, which in turn provide a foundation for secure delegation. (NIST CSF 2.0, published in 2024, adds a sixth function, Govern, which explicitly covers roles, responsibilities and authorities; a delegation policy maps most directly onto it.)

  • Identify - Understand the organizational context, assets, risks and roles.

  • Protect - Put safeguards in place to limit or contain the impact of cybersecurity events.

  • Detect - Define the activities that identify when a cybersecurity event occurs.

  • Respond - Define how to act on a detected incident to reduce its impact.

  • Recover - Restore capabilities and services in a timely way after an incident.

All these functions support a risk-conscious allocation of roles and an incident-resilient delegation.

Implementing NIST CSF Functions In Delegation Policies

1. Identify: Define Risk-Based Delegation Roles

  • Classify assets, data sensitivity and systems by criticality and exposure.

  • Set organization-level restrictions corresponding to the risk level of each asset (e.g., who is allowed to grant access to sensitive systems).

  • Make sure roles such as Data Owners, Risk Officers and Compliance Leads are assigned.

2. Protect: Build Security Controls Into Delegated Duties

  • Require all delegated actions to carry built-in security checks, e.g. MFA, audit logs and encryption.

  • Restrict the roles that can change patch management, data loss prevention, access control and endpoint security.

  • To prevent bypasses or tampering with security settings, ensure that authority is well guarded and every exercise of it is recorded.

3. Detect and Respond: Define Monitoring and Escalation Responsibilities

  • Delegate log investigation, real-time detection and threat/vulnerability analysis.

  • Make sure security teams have clear escalation paths and the authority to declare an event an incident.

  • Establish thresholds for who is authorized to act on alerts, e.g. "high alerts are escalated to the CIRT lead; a SOC Analyst can act on medium alerts".
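The rules above (a Change Manager approving low- to medium-risk changes and referring high-risk ones to the CAB, a Portfolio Manager approving investments within a cap, a SOC Analyst acting on medium alerts while high alerts go to the CIRT lead, MFA and an audit trail on every delegated action) are easiest to keep consistent when the DoA matrix is a single machine-checkable table that every approval workflow consults. The following Python is an added example written for this post, not code from the original article or from any of the three frameworks. The role names, risk limits, spend caps, escalation targets and the sample requests are constructed assumptions; a real deployment would load them from the approved DoA policy and resolve an actor's roles from the identity system.

```python
"""Role-based Delegation of Authority (DoA) check.

Added example, not from the original post. The roles, risk limits, spend caps
and sample requests are constructed assumptions, not a real organization's policy.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Delegation matrix: role -> {action: highest risk level that role may approve}.
# Authority is attached to the job function, never to a named person.
DOA_MATRIX: Dict[str, Dict[str, Risk]] = {
    "change_manager": {"approve_change": Risk.MEDIUM},     # high risk goes to the CAB
    "cab": {"approve_change": Risk.HIGH},
    "soc_analyst": {"act_on_alert": Risk.MEDIUM},          # high alerts go to the CIRT lead
    "cirt_lead": {"act_on_alert": Risk.HIGH, "declare_incident": Risk.HIGH},
    "it_security_manager": {"approve_patch": Risk.HIGH},
    "portfolio_manager": {"approve_investment": Risk.HIGH},
    "cio": {"approve_investment": Risk.HIGH},
}

# Monetary caps (APO05-style): the most a role may approve before escalating.
SPEND_CAPS: Dict[str, int] = {"portfolio_manager": 50_000, "cio": 500_000}

# Where a request goes when it exceeds a role's delegated limit.
ESCALATE_TO: Dict[str, str] = {
    "change_manager": "cab",
    "soc_analyst": "cirt_lead",
    "portfolio_manager": "cio",
}


@dataclass
class Request:
    actor: str                 # the person, kept for the audit trail only
    roles: Tuple[str, ...]     # job functions the actor holds (assumed to come from the IdM system)
    action: str
    risk: Risk
    amount: int = 0            # only meaningful for spend approvals
    mfa_verified: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    by_role: Optional[str]
    escalate_to: Optional[str]
    reason: str


AUDIT_LOG: List[dict] = []     # every decision, allowed or not, is recorded


def _decide(req: Request) -> Decision:
    if not req.mfa_verified:
        return Decision(False, None, None, "MFA required before exercising delegated authority")
    escalation = None
    for role in req.roles:
        limit = DOA_MATRIX.get(role, {}).get(req.action)
        if limit is None:
            continue                                    # this role says nothing about the action
        cap = SPEND_CAPS.get(role)
        within_cap = cap is None or req.amount <= cap
        if req.risk <= limit and within_cap:
            return Decision(True, role, None, f"{role} may {req.action} up to {limit.name}")
        escalation = ESCALATE_TO.get(role, escalation)  # role covers the action but limit exceeded
    if escalation:
        return Decision(False, None, escalation, "exceeds delegated limit; escalate")
    return Decision(False, None, None, "no held role grants this action")


def evaluate(req: Request) -> Decision:
    """Decide one request against the matrix and append it to the audit log."""
    decision = _decide(req)
    AUDIT_LOG.append({"actor": req.actor, "roles": list(req.roles), "action": req.action,
                      "risk": req.risk.name, "amount": req.amount, "allowed": decision.allowed,
                      "by_role": decision.by_role, "escalate_to": decision.escalate_to,
                      "reason": decision.reason})
    return decision


def demo() -> List[Decision]:
    """Constructed requests covering the approve, escalate and deny paths."""
    requests = [
        Request("alice", ("change_manager",), "approve_change", Risk.MEDIUM, mfa_verified=True),
        Request("alice", ("change_manager",), "approve_change", Risk.HIGH, mfa_verified=True),
        Request("bob", ("soc_analyst",), "act_on_alert", Risk.HIGH, mfa_verified=True),
        Request("bob", ("soc_analyst",), "declare_incident", Risk.LOW, mfa_verified=True),
        Request("carol", ("portfolio_manager",), "approve_investment", Risk.LOW,
                amount=120_000, mfa_verified=True),
        Request("dave", ("cab",), "approve_change", Risk.HIGH, mfa_verified=False),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    demo()
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points matter for auditability. First, a denied or escalated request is logged with the same detail as an approval, so an auditor can show not only who approved what but also which attempts exceeded delegated authority and where they were routed. Second, the check fails closed: an actor whose roles say nothing about an action is denied outright rather than escalated, and a missing MFA step blocks even a role that would otherwise be within its limit, which is the "security checks built into every delegated action" requirement from the Protect step above.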

Conclusion

Companies that deploy ISO 20000, COBIT and NIST together have the opportunity to establish a robust, transparent and fully governed IT delegation model, one that addresses service performance, regulatory compliance and cybersecurity on a single platform and streamlines IT decision-making across every corner of the IT organization so that it is smarter, safer and faster.