
How to effectively mitigate risks and ensure effective deployment of IoT using COBIT 5 best practices?
CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT, Managing Director, Wincer Infotech Limited; Past Member, COBIT 5.0 Task Force, ISACA, USA
21st Jan. 2018, Dubai

Some queries?
- Have you downloaded COBIT 5?
- Are you a current user of COBIT 5?
- Have you deployed IoT in your enterprise? If yes, in what way?
- What is your primary objective for attending this presentation?

Learning Objectives
- The impact of the all-pervasive deployment of the Internet of Things (IoT) on the existing paradigm of risk, security, controls, assurance and governance.
- What solutions can IT professionals offer to ensure effective deployment of IoT from a strategic and holistic perspective?
- How can IT professionals (risk, security, control, compliance and assurance) update their skills to provide effective IoT-enabled solutions that meet enterprise objectives?
- How to use the time-tested approach of global best practices and guides such as COBIT?

Agenda
1. COBIT 5: Eternal philosophy, timeless principles, holistic approach and best practices
2. Risk Management: Perennial need for enterprises of the digital era and an integrated approach
3. Cybersecurity: Threats, counter-measures, best practices and frameworks
4. IoT: Components, risks and benefits for enterprises of a fully connected digital world
5. Security challenges of IoT-enabled solutions for enterprises and professionals
6. How to integrate COBIT 5 best practices for effective deployment of IoT?

1. COBIT 5: Eternal philosophy, timeless principles, holistic approach and best practices


Some Tips for learning COBIT
- Concepts & Practice
- Practical Usage
- Select & Customise
- Actionable Insights
- Tools, not just text
- Application, not just certification
- Micro, not just macro
- Skills, not just knowledge
- Techniques, not just content
- Templates, not just principles
- Specifics, not just philosophy
- Action, not just decisions

COBIT Sutras of Success
- Understand the vocabulary
- Understand processes, key flows and systems
- Simple standard structure
- Underlying logic and flow
- Chunk it down to components
- Get perspectives right to get insights right

COBIT 5 Principles (figure)

COBIT Enablers (figure; 2012 ISACA. All Rights Reserved.)

COBIT 5 Process Reference Model (figure; 2012 ISACA. All Rights Reserved.)

2. Risk Management: Perennial need for enterprises of the digital era and an integrated approach

Risk Management in COBIT 5 (figure; source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.)

Risk Management in COBIT 5 (cont.)
- All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
- EDM03 Ensure risk optimisation ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
- APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
- All other processes include practices and activities designed to treat related risk (avoid; reduce/mitigate/control; share/transfer; accept).

3. Cybersecurity: Threats, counter-measures, best practices and frameworks

COBIT 5 for Information Security
COBIT 5 for Information Security is an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective. Additional value for information security constituents is created through additional explanations, activities, processes and recommendations. The COBIT 5 for Information Security deliverable provides a view of information security governance and management that gives security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.

Understanding the Business Domain
- Business processes
- Regulatory requirements
- Business objectives
- Organization structure
- Technology deployed

Understanding the Risk Cycle (figure linking Risk, Security, Business Objectives, Assurance and Control)

COBIT, Risks, Security and IoT (figure linking COBIT governance and management best practices, information security and cyber security, the business objectives of deploying IoT, assurance, and IoT security)

NIST Cybersecurity Framework
Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, National Institute of Standards and Technology (NIST), February 12, 2014.
  o A response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity, of February 12, 2013.
Critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
A voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risks.
The Framework is technology neutral.

Core: Cybersecurity Framework Component
The five Functions each answer a question:
- Identify: What processes and assets need protection?
- Protect: What safeguards are available?
- Detect: What techniques can identify incidents?
- Respond: What techniques can contain impacts of incidents?
- Recover: What techniques can restore capabilities?
Functions and their Categories (Category ID in brackets):
- Identify (ID): Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)
- Protect (PR): Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
- Detect (DE): Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
- Respond (RS): Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
- Recover (RC): Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)

Core Cybersecurity Framework Component: Subcategories and Informative References, shown for the Business Environment category (ID.BE) of the Identify Function
- ID.BE-1: The organization's role in the supply chain is identified and communicated. Informative References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
- ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated. Informative References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
- ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. Informative References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
- ID.BE-4: Dependencies and critical functions for delivery of critical services are established. Informative References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
- ID.BE-5: Resilience requirements to support delivery of critical services are established. Informative References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14


Cyber Security Framework: 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implementation Action Plan
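To make Steps 3, 5, 6 and 7 concrete, here is an added Python example (not from the slides, NIST or ISACA) that compares a Current Profile with a Target Profile over the Business Environment (ID.BE) subcategories shown on the previous slide, lists the gaps largest first, and collapses them into the COBIT 5 practices named as informative references, which is where the NIST CSF hands over to the COBIT 5 process reference model. The subcategory texts and references are copied from the slide; the 0 to 4 implementation scale and the two profiles are constructed for illustration (the CSF itself applies Implementation Tiers to the organization, not scores to individual subcategories).

```python
"""NIST CSF current-vs-target gap analysis mapped to COBIT 5 practices.
Added example; not code from the slide deck, NIST or ISACA.
The ID.BE rows and their informative references are taken from the slide;
the implementation scale and the two profiles are constructed."""

# Informative references exactly as printed on the slide for ID.BE-1 .. ID.BE-5.
CSF_CORE = {
    "ID.BE-1": {
        "text": "The organization's role in the supply chain is identified and communicated",
        "COBIT 5": ["APO08.04", "APO08.05", "APO10.03", "APO10.04", "APO10.05"],
        "ISO/IEC 27001:2013": ["A.15.1.3", "A.15.2.1", "A.15.2.2"],
        "NIST SP 800-53 Rev. 4": ["CP-2", "SA-12"],
    },
    "ID.BE-2": {
        "text": "The organization's place in critical infrastructure and its industry sector is identified and communicated",
        "COBIT 5": ["APO02.06", "APO03.01"],
        "NIST SP 800-53 Rev. 4": ["PM-8"],
    },
    "ID.BE-3": {
        "text": "Priorities for organizational mission, objectives, and activities are established and communicated",
        "COBIT 5": ["APO02.01", "APO02.06", "APO03.01"],
        "ISA 62443-2-1:2009": ["4.2.2.1", "4.2.3.6"],
        "NIST SP 800-53 Rev. 4": ["PM-11", "SA-14"],
    },
    "ID.BE-4": {
        "text": "Dependencies and critical functions for delivery of critical services are established",
        "ISO/IEC 27001:2013": ["A.11.2.2", "A.11.2.3", "A.12.1.3"],
        "NIST SP 800-53 Rev. 4": ["CP-8", "PE-9", "PE-11", "PM-8", "SA-14"],
    },
    "ID.BE-5": {
        "text": "Resilience requirements to support delivery of critical services are established",
        "COBIT 5": ["DSS04.02"],
        "ISO/IEC 27001:2013": ["A.11.1.4", "A.17.1.1", "A.17.1.2", "A.17.2.1"],
        "NIST SP 800-53 Rev. 4": ["CP-2", "CP-11", "SA-14"],
    },
}

# Constructed 0-4 implementation scale used for the profiles below.
SCALE = {0: "not performed", 1: "ad hoc", 2: "defined", 3: "managed", 4: "optimised"}

def gap_analysis(current, target, core=CSF_CORE):
    """Step 6: compare Current and Target Profiles; return gaps, largest first.
    Each gap carries the COBIT 5 practices that can close it plus the other
    informative references, so the plan can be built in COBIT 5 terms."""
    gaps = []
    for sub_id, entry in core.items():
        cur = current.get(sub_id, 0)      # unscored subcategory counts as not performed
        tgt = target.get(sub_id, 0)
        if tgt > cur:
            gaps.append({
                "subcategory": sub_id,
                "current": cur,
                "target": tgt,
                "gap": tgt - cur,
                "cobit5_practices": entry.get("COBIT 5", []),
                "other_references": {k: v for k, v in entry.items()
                                     if k not in ("text", "COBIT 5")},
            })
    # Largest gap first; ties broken by subcategory ID so the plan is stable.
    return sorted(gaps, key=lambda g: (-g["gap"], g["subcategory"]))

def action_plan(gaps):
    """Step 7: the distinct COBIT 5 practices that need work, each with the
    subcategories it serves, so one practice improvement can close several gaps.
    Subcategories with no COBIT 5 reference (ID.BE-4 here) do not appear and
    must be planned from their other references."""
    plan = {}
    for g in gaps:
        for practice in g["cobit5_practices"]:
            plan.setdefault(practice, set()).add(g["subcategory"])
    return {p: sorted(subs) for p, subs in sorted(plan.items())}

# Constructed profiles for an organisation that has just started deploying IoT.
CURRENT_PROFILE = {"ID.BE-1": 1, "ID.BE-2": 3, "ID.BE-3": 2, "ID.BE-4": 0, "ID.BE-5": 1}
TARGET_PROFILE  = {"ID.BE-1": 3, "ID.BE-2": 3, "ID.BE-3": 3, "ID.BE-4": 3, "ID.BE-5": 3}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g['subcategory']}: {SCALE[g['current']]} -> {SCALE[g['target']]} "
              f"(gap {g['gap']}); COBIT 5: {', '.join(g['cobit5_practices']) or 'none listed'}")
    for practice, subs in action_plan(gaps).items():
        print(f"  {practice} serves {', '.join(subs)}")
```

Run as-is, the largest gap (ID.BE-4, dependencies and critical functions) has no COBIT 5 reference at all, so the action plan has to fall back on the ISO/IEC 27001 and SP 800-53 entries for it; that is the kind of detail a gap table surfaces and a slide cannot.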

4. IoT: Components, risks and benefits for enterprises of a fully connected digital world


Definition of IoT
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The essence of IoT resides in the source of the data, which is the sensors. Those smart devices generate data about activities, events, and influencing factors that provide visibility into performance and support decision processes across a variety of industries and consumer channels.

What is included in IoT
IoT includes anyone or anything carrying embedded software that enables interaction with other animate or inanimate objects across networks, including the Internet. Interaction entails sharing and processing information to influence decision-making and/or actions, with or without human intervention.

Where is IoT? It's everywhere: smart appliances, wearable tech, healthcare.

Driving Forces of IoT
1. Sensor Technology: tiny, cheap, variety
2. Cheap Miniature Computers
3. Low Power Connectivity
4. Capable Mobile Devices
5. Power of the Cloud

1. Sensor Technology: accelerometer (4 mm diameter), force sensor (0.1 N to 10 N), pulse sensor ($25). Sources: https://www.sparkfun.com/ https://www.adafruit.com/

2. Cheap Mini Computers: key parameters of the LilyTiny (guess the price?)
- Flash: 8 Kbytes
- Pin count: 8
- Max. operating frequency: 20 MHz
- CPU: 8-bit AVR
- Max I/O pins: 6
- External interrupts: 6
- SPI: 1
- I2C: 1
Source: http://www.atmel.com/devices/attiny85.aspx?tab=parameters

3. Low Power Connectivity: Bluetooth Smart (4.0), up to 2 years on a single coin-cell battery

4. Capable Mobile Devices: quad core 1.5 GHz, 128 GB internal memory, 3 GB RAM, 16 MP camera, 2160p@30fps video, WiFi, GPS, BLE

5. Power of the Cloud

IoT: a network of converging networks (figure): Internet (IPv6), GPS, mobility, data matrix, ONS, sensors, RFID tags & readers, ad hoc networks

Connectivity of IoT

ABCDs of IoT: Applications; Big Data Analytics; Connectivity and Communication; Devices that are smart! (Photos: Libelium, Google Image Search)

IoT Application Segments

IoT Evolution

[Source: http://postscapes.com/what-exactly-isthe-internet-of-things-infographic]

Business Opportunities
Capability -> Benefit
- Monitor -> Improved performance
- Control -> Reduced costs
- Optimize -> Create innovative products
- Autonomous -> New revenue streams

IoT Challenges
- Fragmented industry
- Security and privacy of data
- Managing vast amounts of data
- Finding the right business model
(Copyright RIOT 2015. All Rights Reserved.)

Key Challenges of deploying IoT
- Integrating data from multiple sources
- Automating the collection of data
- Analyzing data to effectively identify actionable insights
Only by addressing all three can organizations turn raw data into information and actionable insights.

5. Security challenges of IoT-enabled solutions for enterprises and professionals

Does IoT add additional risks?
- Are highly portable devices captured during vulnerability scans?
- Where is your network perimeter?
- Are consumer devices being used in areas like health care where reliability is critical?
- Do users install device management software on other computers? Is that another attack vector?

Attacking IoT
- Default, weak, and hardcoded credentials
- Difficult to update firmware and OS
- Lack of vendor support for repairing vulnerabilities
- Vulnerable web interfaces (SQL injection, XSS)
- Coding errors (buffer overflow)
- Clear text protocols and unnecessary open ports
- DoS / DDoS
- Physical theft and tampering

Threat vs. Opportunity
- If misunderstood and misconfigured, IoT poses a risk to our data, privacy, and safety.
- If understood and secured, IoT will enhance communications, lifestyle, and delivery of services.

Security Best Practices for IoT
- Trust: Allow only designated people/services device or data access
- Identity: Validate the identity of people, services, and things
- Privacy: Ensure device, personal and sensitive data is kept private
- Protection: Protect devices and users from harm
- Safety: Provide safety for devices, infrastructure and people
- Security: Maintain security of data, devices, people, etc.

6. How to integrate COBIT 5 best practices for effective deployment of IoT?

Technology Stack of IoT by the IoT World Forum: reference model (figure)

IoT Jobs: what is the role we can play?

Role of IT professionals in IoT
- Be clear about what IoT is and where it manifests itself.
- Consider the shift of control from people to code.
- Understand the fusion of roles for engineers and IT professionals: the interdependency of those who create mechanical devices and those who program them to become smart devices.
- Adapt to changing roles in response to IoT.
- Manage the well-known cyber security skill deficit.
- Balance the potential of innovation with safety.
- Promote and enhance professional capability to advise, design, implement and support IoT.
- Identify risk, apply proper security and provide assurance to realize positive outcomes and address the risk of unintended effects.

Tenets of Good IoT Governance
1. Build security and control by design from the start.
2. Test controls and look for vulnerabilities by creating and testing use cases and misuse cases.
3. Educate everyone that building security alongside functionality by design is essential for IoT.
4. Engage experienced IT security and assurance personnel who understand cyber and IoT potential, risk and benefits.
5. Replace the isolation of specialists working in silos with collaboration across specialties, so that security professionals work alongside IT engineers, architects, data managers, developers and business experts.

Key issues of IoT
1. Understand that IoT relies on data and the use of data.
2. Understand the business environment (i.e., strategic and business objectives).
3. Confirm that key decision makers understand the business environment and supply-chain behavior.
4. Identify the client/customer at the end of the supply chain.
5. Require the enterprise to define IoT based on take-aways 1 to 4.

Understand how IoT works
1. Understand that each IoT device is a computer in its own right.
2. Understand that IoT tends to function as the automated equivalent of an end user.
3. Understand that IoT relies on and uses data.
4. Understand the purpose of sensors.
5. Recognize that data and sensors combine to make IoT a powerful and valuable resource.
6. Understand the relationship of hardware, firmware and software to IoT.
7. Understand how IoT interacts with big data, artificial intelligence, machine learning and the cloud.
8. Learn from relevant experts how IoT devices operate.
9. Understand how IoT devices work when they are connected to LANs/WANs/the Internet and how they work when not connected.
10. Recognize that IoT reflects a fusion of engineering and IT and that both disciplines must work together.

Understand how IoT is deployed
1. Determine whether the enterprise is a creator or a consumer of IoT devices.
2. Clarify the strategic thinking behind the production and use of IoT. Does its production reflect market demand or technological push?
3. Determine if there is an inventory of IoT devices.
4. Identify where IoT devices exist.
5. Determine whether IoT interacts with clients/customers, and if so, how the interaction occurs.
6. Determine whether the enterprise understands the similarities and differences among health, safety and security.

IoT Security issues
- Insufficient holistic knowledge and experience to judge risk
- Lack of IoT technical experts
- Insufficient understanding of interrelated technologies
- Lack of IoT security specialists
- Lack of optimal project-management skills

Issues and challenges of IoT for business and IT professionals
- Lack of understanding of the basic attributes of IoT devices.
- Management of basic IoT attributes is magnified in complexity by the vast number of components that each device can use.
- Managing IoT devices alongside more conventional IT systems will be a challenge.
- Lack of transparency into IoT devices' functionality, data and responses can make it difficult to determine correct management actions.
- Any protection that controls offer at the time of the device's installation may become obsolete as the device receives, stores and transmits more data over time.
- There is a gap not only between IoT development and security, but also between IoT engineering and security.

Risk in IoT
1. Understand that good, basic security is lacking in most off-the-shelf IoT devices.
2. Start with the risk assessments and methodology already in use and apply them to IoT devices, considering the following take-aways in this list.
3. Apply the ISACA nine questions that cover device use, access to data and risk management.
4. Avoid using IoT devices that have hardcoded, non-changeable passwords.
5. Change default passwords in IoT devices.
6. Maintain an asset inventory of all IoT devices.
7. Understand that devices featuring "always on" network connectivity increase the likelihood of attack.
8. Monitor IoT behavior to distinguish normal from abnormal behaviors.
9. Be aware of and check for "stealth IoT", because it potentially undermines controls.
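The attack surface listed under "Attacking IoT" (default credentials, clear text protocols, unnecessary open ports) and take-aways 5 to 9 above (change defaults, keep an inventory, monitor for abnormal behaviour, look for stealth IoT) are all checkable from two artefacts most enterprises already have: an asset inventory and flow records from the IoT segment. The following Python script is an added example, not from the slides or ISACA. It reads a constructed inventory and a constructed flow log (every device name, address, port and the log format are made up for illustration) and reports devices active on the IoT segment that are missing from the inventory, traffic outside each device's recorded baseline, clear text management protocols, and inventoried devices whose default credentials were never changed.

```python
"""Inventory, default-credential, clear text protocol and abnormal-behaviour
checks for an IoT segment, run over a constructed inventory and flow log.
Added example; not code from the slide deck or ISACA. Every device name,
address, port and the log format below is constructed for illustration."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: one record per approved IoT device, with the
# (destination, port) pairs observed during a clean baseline period.
INVENTORY = {
    "10.20.0.11": {"name": "hvac-ctrl-1", "default_creds_changed": True,
                   "baseline_dst": {("10.20.9.5", 8883)}},    # MQTT over TLS to the site broker
    "10.20.0.12": {"name": "cam-lobby", "default_creds_changed": False,
                   "baseline_dst": {("10.20.9.7", 443)}},
    "10.20.0.13": {"name": "badge-reader-2", "default_creds_changed": True,
                   "baseline_dst": {("10.20.9.8", 443)}},
}
IOT_NET = ip_network("10.20.0.0/24")   # segment the IoT devices are supposed to live in

# Destination ports of protocols that carry credentials and data in clear text.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt without TLS"}

# Constructed flow log, one flow per line: "src dst dport proto bytes".
FLOWS = """\
10.20.0.11 10.20.9.5 8883 tcp 4120
10.20.0.12 10.20.9.7 443 tcp 90211
10.20.0.12 203.0.113.44 23 tcp 1570
10.20.0.13 10.20.9.8 443 tcp 812
10.20.0.13 198.51.100.9 445 tcp 662000
10.20.0.77 10.20.9.5 1883 tcp 2048
10.20.0.77 203.0.113.10 443 tcp 50000
"""

def parse_flows(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows

def assess(flows, inventory=INVENTORY, iot_net=IOT_NET):
    """Return {device address: [findings]} for the IoT segment.
    Traffic-based checks: stealth IoT (active but not in the inventory),
    destinations outside the device's baseline, clear text protocols.
    Inventory-based check: default credentials never changed."""
    findings = defaultdict(list)

    def add(addr, msg):          # record each distinct finding once per device
        if msg not in findings[addr]:
            findings[addr].append(msg)

    for f in flows:
        src = f["src"]
        if ip_address(src) not in iot_net:
            continue             # only the IoT segment is in scope here
        dev = inventory.get(src)
        if dev is None:
            add(src, "stealth IoT: active on the IoT segment but not in the asset inventory")
        elif (f["dst"], f["dport"]) not in dev["baseline_dst"]:
            add(src, f"abnormal destination {f['dst']}:{f['dport']} (not in baseline)")
        if f["dport"] in CLEARTEXT_PORTS:
            add(src, f"clear text protocol ({CLEARTEXT_PORTS[f['dport']]}) to {f['dst']}")

    for addr, dev in inventory.items():
        if not dev["default_creds_changed"]:
            add(addr, "default credentials still in use")

    return dict(findings)

if __name__ == "__main__":
    for addr, items in sorted(assess(parse_flows(FLOWS)).items()):
        name = INVENTORY.get(addr, {}).get("name", "unknown device")
        print(f"{addr} ({name}):")
        for item in items:
            print(f"  - {item}")
```

With the constructed data, the HVAC controller produces no findings, the lobby camera is flagged three times (telnet to an external address that is also outside its baseline, plus unchanged default credentials), the badge reader is flagged once for an unexpected SMB destination, and 10.20.0.77 is reported as stealth IoT that additionally speaks MQTT without TLS. The baseline approach is deliberately simple: a real deployment would learn the baseline from a clean period and add volume thresholds, but the control logic stays the same.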

9 Questions: Practitioners should ask

How to perform IoT risk assessment
- Think worst case scenario: Everything in and connected to IoT is, by default, available to all; everything needs protection from harm, and every hacker who attempts to breach controls is a criminal.
- Focus on impacts, not likelihoods: Cyber breaches are a matter of when, not if. Emphasizing impact over likelihood will help spur development of all necessary proactive and reactive responses to threats.
- Assess the impact of each malfunctioning device: Include its physical and virtual environments, the data it uses and produces, and the expected range of actions taken by IoT in response to the data.
- Categorize the severity of impacts: Categories should include disastrous, disruptive and damaging.
- Identify scenarios for each category: Scenarios help clarify risk and identify relevant controls and responses to reduce potential damage.
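As an added example (not from the slides or ISACA), the Python code below implements the impact-first assessment described on this slide: each device's impact is rated 0 to 3 for its physical environment, virtual environment, data and actions; the worst case across those dimensions is taken; the result is categorised as disastrous, disruptive or damaging; and the scenario written for the worst dimension is attached. A classic likelihood-weighted ranking is included only for contrast, to show concretely how it pushes a rare but disastrous device to the bottom of the list, which is the outcome the slide warns against. Device names, scores, thresholds and scenario texts are constructed.

```python
"""Impact-first IoT risk register: worst case across dimensions, categorised
as disastrous / disruptive / damaging, with a scenario per device.
Added example; not code from the slide deck or ISACA. Devices, scores,
thresholds and scenario text are constructed for illustration."""

IMPACT_DIMENSIONS = ("physical_environment", "virtual_environment", "data", "actions")

def categorise(worst):
    """Map the worst-case impact score (0-3) to the slide's categories.
    'negligible' is not a slide category; it is kept so nothing is silently
    dropped from the register when a device scores 0 everywhere."""
    if worst >= 3:
        return "disastrous"
    if worst == 2:
        return "disruptive"
    if worst == 1:
        return "damaging"
    return "negligible"

def assess_device(device):
    """Take the worst case across all dimensions and deliberately ignore any
    likelihood estimate attached to the device ('a matter of when, not if')."""
    worst_dim = max(IMPACT_DIMENSIONS, key=lambda d: device["impact"][d])
    worst = device["impact"][worst_dim]
    return {
        "device": device["name"],
        "worst_dimension": worst_dim,
        "worst_impact": worst,
        "category": categorise(worst),
        # The scenario for the worst dimension is what the controls must address.
        "scenario": device["scenarios"].get(worst_dim, "no scenario written yet"),
    }

def build_register(devices):
    """Register ordered by severity category, then by device name."""
    order = {"disastrous": 0, "disruptive": 1, "damaging": 2, "negligible": 3}
    rows = [assess_device(d) for d in devices]
    return sorted(rows, key=lambda r: (order[r["category"]], r["device"]))

def likelihood_weighted_ranking(devices):
    """For contrast only: the conventional impact x likelihood ordering that
    the slide argues against. Returns device names, highest score first."""
    scored = [(d["name"], max(d["impact"].values()) * d["likelihood"]) for d in devices]
    return [name for name, _ in sorted(scored, key=lambda x: (-x[1], x[0]))]

# Constructed devices. 'likelihood' is present only so the two rankings can be compared.
DEVICES = [
    {"name": "infusion-pump-3", "likelihood": 0.1,
     "impact": {"physical_environment": 3, "virtual_environment": 1, "data": 2, "actions": 3},
     "scenarios": {"physical_environment": "tampered dosing command injures a patient",
                   "actions": "pump ignores alarm thresholds"}},
    {"name": "lobby-camera", "likelihood": 0.9,
     "impact": {"physical_environment": 0, "virtual_environment": 2, "data": 2, "actions": 0},
     "scenarios": {"virtual_environment": "camera used as a pivot into the office VLAN",
                   "data": "video feed exposed"}},
    {"name": "meeting-room-sensor", "likelihood": 0.9,
     "impact": {"physical_environment": 0, "virtual_environment": 1, "data": 1, "actions": 0},
     "scenarios": {}},
]

if __name__ == "__main__":
    for row in build_register(DEVICES):
        print(f"{row['category']:<11} {row['device']:<20} worst: {row['worst_dimension']} "
              f"({row['worst_impact']}); scenario: {row['scenario']}")
    print("likelihood-weighted order:", likelihood_weighted_ranking(DEVICES))
```

The impact-first register puts the infusion pump first as disastrous, while the likelihood-weighted ranking puts it last behind the camera and the room sensor; the second ordering is exactly how a rare, physically harmful failure ends up without a response plan. The register also makes missing work visible: a device whose worst dimension has no scenario written gets an explicit placeholder rather than a blank.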

Good Governance Responses for IoT
1. Governance foundations are dedicated to enhancing good behavior and relationships among people. IoT creates a parallel universe of autonomous devices whose behavior and relationships need to be governed in a complementary way.
2. IoT requires more focus on ethics for ethical outcomes, which means more ethical policies, projects and processes.
3. Profits are the main outcome that markets seek, so good governance is necessary to rein in excesses that can harm the enterprise and society.
4. In the absence of legislation and common standards, an organizational IoT governance framework needs to be promoted.
5. COBIT 5 provides a useful framework to improve overall governance.

Applying COBIT 5 to Governance of IoT
1. Carry out and review IT risk assessments at a technical level and evaluate the impact on the business.
2. Apply and/or modify controls, the bulk of which will be privacy, security and safety controls.
3. Obtain assurance on an ongoing basis from executives and from external third parties.
4. Obtain and act on independent assurance from internal and external audit.
COBIT 5 offers tools that cover the governance of enterprise IT (GEIT), risk management, information security, audit and assurance, and regulatory compliance.


Dos and Don'ts of IoT

Tips for effective IoT deployment
- Risk must be evaluated holistically to ensure that business value is maximised while risk is minimised.
- Risk assessment has to be a collaborative effort among all stakeholders, including business teams, compliance, operations, information security, privacy and all other pertinent areas.
- Identify the new complex risks and problems.
- Plan in advance and implement from a holistic and strategic perspective.

ISACA Whitepapers on IoT

Thank You. Any Questions? rafeq@wincaat.com