IT Audit leverages a number of commonly accepted frameworks, standards, and regulatory requirements (where applicable) to evaluate processes and controls:
- The Control Objectives for Information and Related Technologies (COBIT) framework, which is a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. As a result, management and business process owners are provided with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment, and simplifies implementation of the COBIT framework.
- National Institute of Standards and Technology (NIST) Special Publications (SP): Publications in NIST’s SP 800-series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Entities outside of the U.S. Federal Government may voluntarily adopt NIST’s SP 800-series publications, unless they are contractually obligated to do so (e.g., SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations).
- HITRUST Cybersecurity Framework (CSF): Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and compliance requirements.
The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks– including International Organization for Standardization (ISO), NIST, Payment Card Industry (PCI), HIPAA, and General Data Protection Regulation (GDPR)– to ensure a comprehensive set of security and privacy controls and continually incorporates additional authoritative sources. The HITRUST CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.
The commitment and expertise demonstrated by HITRUST ensure that organizations leveraging the framework are prepared when new security and privacy regulations and risks are introduced.
- Center for Internet Security (CIS): The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.