Building a Privacy Focus Area Using COBIT and the NIST Privacy Framework

Author: Ookeditse Kamau, MBA, CDPSE, CEH, CIA, CISA, CRMA, ISO 27001 Practitioner
Date Published: 23 September 2020

As ICT professionals we are overwhelmed with a large number of frameworks, but it is the specialized nature of the field that creates the need for them.

It is always convenient to draw similarities between these frameworks, because it allows for seamless implementation against the different regulations within the sector. As privacy rises in prominence in many countries, understanding the specific processes or controls required to meet the privacy requirements of legislation and regulation is key. COBIT is one of the overarching frameworks: it takes a holistic approach to the governance and management of information and technology, and as such it is easier to integrate with other frameworks.

One of the major changes introduced by COBIT 2019 is that the framework is open-ended, which gives organizations using it the ability to create an unlimited number of focus areas that address their particular needs.

To build an effective privacy focus area, one can combine the COBIT framework with the NIST Privacy Framework to get the best out of both. The NIST Privacy Framework, as a specialized framework, can be used to build on COBIT for a comprehensive focus area. The three most striking similarities between these frameworks are:

  1. The two frameworks advocate for a risk-based approach to address specific needs of an organization.
  2. The frameworks provide models that organizations can use to practically define processes required to build a privacy-controlled environment.
  3. The frameworks emphasize the need for performance evaluation of defined privacy processes.

The NIST framework is composed of three parts that can be mapped to COBIT as follows:

Step 1

The Core is a set of privacy protection activities comprising functions, categories and sub-categories, while the COBIT framework has a core model that consists of 40 governance and management objectives. The two structures compare as follows:

NIST                COBIT
Functions           Domains
Categories          Governance and Management Objectives
Sub-Categories      Management Practices

As a generic framework, the domains in COBIT address key areas in the governance and management of information and technology, while the NIST functions are specific to addressing privacy needs. To implement the two seamlessly, the categories defined within the NIST framework can be used to guide the selection of the governance and management objectives relevant to the organization's needs. That is, the 29 categories are mapped to the 40 governance and management objectives. Below is an example that shows the mapping of the NIST Identify-P function to governance and management objectives.

NIST Framework (Function: Identify-P)                        COBIT Framework

Category: Inventory and Mapping (ID.IM-P)
  Objective: Data processing by systems, products, or services is understood and informs the management of privacy risk.
  COBIT objective: APO09 Manage Service Agreements
  Description: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement and monitoring of I&T products and services, service levels and performance indicators.

Category: Business Environment (ID.BE-P)
  Objective: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities and risk management decisions.
  COBIT objective: EDM02 Ensured Benefits Delivery
  Description: Optimize the value to the business from investment in business processes, I&T services and I&T assets.

Category: Risk Assessment (ID.RA-P)
  Objective: The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.
  COBIT objective: APO12 Managed Risk
  Description: Continually identify, assess and reduce I&T-related risk within tolerance levels set by the enterprise executive management.

Category: Data Processing Ecosystem Risk Management (ID.DE-P)
  Objective: The organization's priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess and manage privacy risks within the data processing ecosystem.
  COBIT objective: APO10 Managed Vendors
  Description: Manage I&T-related products and services provided by all types of vendors to meet the enterprise requirements. This includes the search for and selection of vendors, management of relations, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystems (including upstream supply chain) for effectiveness and compliance.

To make the selection of COBIT governance and management objectives easier, one can refer to the ISACA guide Implementing a Privacy Protection Program Using COBIT 5 Enablers with ISACA Privacy Principles. The guide clearly outlines the privacy goals of each governance and management objective, eliminating any language barrier between the NIST Privacy Framework and COBIT.

Step 2

The second component of the NIST framework is profiles. A profile is a selection of specific functions, categories and sub-categories.

For a meaningful selection, the NIST framework advises that a risk-based approach be used. The profile component can be likened to the COBIT focus area.

A focus area, as defined in the COBIT 2019 framework, is a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. When selecting the governance and management objectives that make up a focus area, COBIT brings more practical guidance by assessing organizational needs through 11 design factors. These factors influence the selection of the management objectives that address the organization's privacy needs.

The 11 design factors include Enterprise Strategy, Enterprise Goals, Risk Profile, I&T-related issues, Threat Landscape, Compliance Requirements, Role of IT, Sourcing Model for IT, IT Implementation Methods, Technology Adoption Strategy and Enterprise Size.

After mapping the two core models as noted in Step 1 above, only the governance and management objectives that meet the privacy requirements of the organization are implemented; this set of objectives is what NIST refers to as the target profile.

Step 3

The third component, referred to in the NIST framework as Implementation Tiers, measures whether an organization has sufficient processes in place to manage privacy risks effectively. The tiers can therefore be likened to the COBIT focus area maturity levels, which measure the performance of focus areas on a scale of 1 to 5 (the maturity levels being 0 - Incomplete, 1 - Initial, 2 - Managed, 3 - Defined, 4 - Quantitative and 5 - Optimizing).

The organization can thus measure its maturity level and confirm that the level attained meets its compliance requirements.

Conclusion

For organizations that have already implemented COBIT and are now required to implement privacy controls to manage privacy risks, building a privacy focus area from the two frameworks provides a stable starting point.