COBIT 5 for Information Security: Protect & Drive Enterprise Value

Uploaded by vuongque on 15-Nov-2018

TRANSCRIPT

COBIT 5 for Information Security: Protect & Drive Enterprise Value

Meenu Gupta, CISA, CISM, CISSP, CIPP, PMP
ISACA COBIT 5 Security Task Force
President, Mittal Technologies

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

Welcome

• Type in questions using the Ask A Question button

• All audio is streamed over your computer
  – Having technical issues? Click the ? button

• Click the Attachments button to find a printable copy of this presentation.

• After viewing the webinar, ISACA Members may earn 1 CPE credit.
  – Find a link to the CPE Quiz on the Attachments button.
  – Once you pass the quiz, you will receive a printable CPE Certificate.

• Questions or suggestions? Email them to [email protected]

COBIT Framework Evolution

[Figure: COBIT framework evolution timeline. Vertical axis, evolution of scope: Audit, Control, Management, IT Governance, Governance and Management of Enterprise IT (GEIT). Horizontal axis, releases: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4.0/4.1 (2005/7), COBIT 5 (2012); Val IT 2.0 (2008) and Risk IT (2009) are shown feeding into COBIT 5.]

COBIT 5 is a business framework for GEIT from ISACA, at www.isaca.org/cobit

COBIT 5 Product Family

[Figure: COBIT 5 product family.] Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

COBIT 5 for Information Security

COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.

COBIT 5 for Information Security Capabilities

[Figure: COBIT 5 for Information Security capabilities.] Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

Governance and Management Defined

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Implementing Information Security using COBIT 5 Enablers

• COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information. Enablers are factors that, individually and collectively, influence whether something will work; in this case, governance and management over enterprise IT and, related to that, information security governance.

• Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.

COBIT 5 Information Security Enablers

• Principles, policies and frameworks enabler
• Processes enabler
• Organisational structures enabler
• Culture, ethics and behaviour enabler
• Information enabler
• Services, infrastructure and applications enabler
• People, skills and competencies enabler

COBIT 5 Enabler Model – Generic

[Figure: generic COBIT 5 enabler model.]

COBIT 5 for Information Security – Culture, Ethics, & Behavior Enabler

[Figure: culture, ethics and behaviour enabler for information security.]

Detailed Guidance – Culture, Ethics, & Behavior Enabler

[Figures: detailed guidance for the culture, ethics and behaviour enabler, slides 12–14.]

Adapting COBIT 5 for Information Security

• Major IT-related initiatives often fail due to inadequate direction, support and oversight by stakeholders; the implementation of information security enablers leveraging this publication is no different.

• Support and direction from key stakeholders are critical to ensure that improvements are achieved and sustained. In a weak enterprise environment (such as an unclear overall information security strategy), this support and participation are even more important.

• The use of enablers (leveraging COBIT 5 for Information Security) should be a solution addressing real business needs and issues rather than an end in itself. Information security requirements based on current pain points and drivers should be identified and accepted by management as areas that need to be addressed.

COBIT 5 for Information Security and Other Security Frameworks & Models

COBIT 5 for Information Security is intended to be an umbrella framework and helps to connect to other frameworks, standards and good practices:

– The Business Model for Information Security (BMIS), ISACA, USA, 2010
– The 2011 Standard of Good Practice for Information Security, Information Security Forum (ISF), UK, 2011
– Common Security Framework (CSF), Health Information Trust Alliance (HITRUST), USA, 2009
– Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Direction Centrale de la Sécurité des Systèmes d'Information (DCSSI), Ministry of Defense, France, 2000
– Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH), USA, 1996 and 2009, respectively
– ISO/IEC 27000 series, Switzerland, 2009-2012
– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, Department of Commerce, USA, 2010
– Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®), Carnegie Mellon Software Engineering Institute (SEI), USA, 2001
– Payment Card Industry Data Security Standard (PCI DSS) v2.0, PCI Security Standards Council, USA, 2010

COBIT 5 Current and Future Supporting Products

Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 Implementation
• COBIT 5 for Assurance
• COBIT 5 for Risk

Enabler Guides:
• COBIT 5: Enabling Processes
• COBIT 5: Enabling Information

COBIT Online Update

COBIT Assessment Programme:
• Process Assessment Model (PAM): Using COBIT 5
• Assessor Guide: Using COBIT 5
• Self-assessment Guide: Using COBIT 5

For details and pricing, go to www.isaca.org/cobit

Questions?
