The Role of the Chief Information Security Officer

Size: px

Start display at page:

Download "The Role of the Chief Information Security Officer"

Emory Chase
6 years ago
Views:

1 The Role of the Chief Information Security Officer Advisor: Co-advisor: Prof. André Vasconcelos Prof. Miguel Mira da Silva Tiago Martins Catarino

2 Motivation Uncertainty as to which standards and guides define the CISO s intervention range. In the literature, it is not clear which is the system of interest that should be within CISO s intervention area. 2

3 Research Problem How can an organization implement the CISO s role using COBIT 5 for Information Security in ArchiMate? o Can we perform a gap analysis between the organization s AS-IS to what is defined in the COBIT 5 for Information Security, regarding: Processes and base practices; Key practices; Information types; Roles. o Can the ArchiMate notation model all the concepts defined in the COBIT 5 for Information Security? o Can we identify inconsistencies between the RACI charts, defined in COBIT 5 Enabling Processes, and the CISO s role addressed by COBIT 5 for Information Security? 3

4 Theoretical Background COBIT 5 o o COBIT 5 Framework; COBIT 5 for Information Security. 4

architects to describe, analyze and visualize the

5 Theoretical Background Enterprise Architecture o ArchiMate Provides instruments to enable enterprise architects to describe, analyze and visualize the relationships among business domains in an unambiguous way. 5

6 Objectives Propose a method using ArchiMate to integrate COBIT 5 for Information Security with EA principles, methods and models in order to properly implement the CISO s role. o Create a method that: Figures out what processes and activities, key practices and business functions that the CISO should be held responsible; Identifies information types that the CISO is responsible to originate; Finds what organization s roles are performing the CISO s job; Hopefully improves the information security maturity level of the organization; Identifies inconsistencies between roles assignments, in particular the CISO s role. 6

7 Proposal 1. Model COBIT 5 for Information Security 7. Analysis & TO-BE Design 2. Model Organization s EA 3. Information Types mapping 4. Processes Outputs mapping 5. Key Practices mapping 6. Roles mapping 7

8 Demonstration CISO s Business Functions and Information Types viewpoint (COBIT 5 for Information Security) Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 8

9 Demonstration DemoCorp s Business Functions and Information Types viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 9

10 Demonstration DemoCorp to COBIT 5 for Information Security s Information Types viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 DemoCorp COBIT 5 Step 7 10

11 Demonstration DemoCorp to COBIT 5 for Information Security s Information Types Missing viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 11

12 Demonstration DemoCorp to APO01 Manage the IT Management Framework Process viewpoint Step 1 Step 2 Step 3 No links between the process s outputs of COBIT 5 and DemoCorp Step 4 Step 5 Step 6 Step 7 12

13 Demonstration DemoCorp to COBIT 5 for Information Security s Key Practices viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 DemoCorp COBIT 5 Step 7 13

14 Demonstration DemoCorp to COBIT 5 for Information Security s Missing Practices viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 14

15 Demonstration DemoCorp to COBIT 5 for Information Security s Roles viewpoint Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 DemoCorp COBIT 5 Step 7 15

16 Demonstration Migration Viewpoint: Information Types (General) Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 16

Evaluation CISO s evolution in DemoCorp 2008

structure The ISMS (Information Security

17 Evaluation CISO s evolution in DemoCorp 2008 CISO s role was created to address the certification requirements of a production s process CISO s role became an organic structure The ISMS (Information Security Management System) was certified according to the ISO requirements 17

18 Evaluation The following solution s objectives were fully achieved: 1. Figure out what processes and activities, key practices and business functions that the CISO should be held responsible for; 2. Identify information types that the CISO is responsible for originating; 3. Identify which organization roles are performing the CISO s job; 4. Improve the information security maturity level of the organization; 5. Identify inconsistencies between roles assignments, in particular the CISO s role. 18

19 Communication 13 th European Mediterranean & Middle Eastern Conference on Information Systems (EMCIS) o Paper accepted in the EMCIS conference as a full paper (June 23, 2016). o Title: Inconsistencies in Information Security Roles 19

20 Conclusion Main Contributions o o A method for implementing the CISO s role using COBIT 5 for Information Security in ArchiMate, which comprises 7 steps; Identification of inconsistencies between roles assignments, in particular the CISO s role, which are defined in the assignments matrix charts of COBIT 5 Enabling Processes, and the roles addressed by COBIT 5 for Information Security. 20

21 Conclusion Future Work o o o o Develop a solution s proposal that addresses the inconsistencies detected; Demonstrate and evaluate the method in different industries; Specialize the proposed method by industry/type of organization (e.g. SME and Banking); Extend the research proposal in order to comprise others architectural levels (application and technology layers). 21

22 The Role of the Chief Information Security Officer Advisor: Co-advisor: Prof. André Vasconcelos Prof. Miguel Mira da Silva Tiago Martins Catarino 22

What is TOGAF? How to Perform EA with TOGAF ADM Tool? Written Date : January 20, 2017

What is TOGAF? How to Perform EA with TOGAF ADM Tool? Written Date : January 20, 2017 Enterprise Architecture is essential to every business, yet it's not easy to master. Have you ever thought that you