COBIT 5 Security
Robert E Stroud, CGEIT, CRISC
Vice President, Strategy & Innovation
ISACA Strategic Advisory Council

Robert E Stroud, CGEIT
- Vice President, Strategy & Innovation
- Cloud Computing, Service Management & Governance Evangelist
- Immediate Past International Vice President, ISACA/ITGI
- ISACA Strategic Advisory Council
- 15 years banking experience
- Contributor to COBIT, Val IT and Risk IT
- Immediate Past Executive Board, itSMF International; Treasurer and Director, Audit, Standards & Compliance
- Former Board Member, itSMF USA
- Author, public speaker & industry geek
Disclaimer: This presentation is based on currently available information, and the final product may change based on the development process.
Security and compliance are still major challenges
- The average cost of a security breach rose to $214 per compromised record in 2010. The biggest cause was negligence.
- Of the top 5 most important issues for companies migrating to the cloud, the #1 issue was identity and access management.
- Compliance activities cost the average medium-sized company $5.4K per employee.
Let's go to the numbers
- $124: Average cost of a security breach, per compromised record (2010), with negligence the main cause (CA-sponsored survey)
- 48%: Percent of all breaches that involved privileged user misuse (Verizon report, 2010)
- 87%: Percentage of companies that have experienced a data breach (IT Compliance Institute)
- 74%: Percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute)
The world is now changing dramatically
- 73% of workers will be mobile by 2012 [1]
- 62% of IT organizations will have flat or reduced budgets [2]
- By 2015, 40% of enterprise security controls will be virtualized, up from less than 5% in 2010 [3]
- 63% of companies are using, or implementing, SaaS solutions [4]
- There are still over 4,000 (approx.) new rules/regulations issued each year by the US government [5]
The business of IT is changing

The Business is changing:
- Empowered users with high expectations as employees and customers
- The blurring of professional and personal lives brought on by pervasive connectivity
- Externalization of the business

The New Business of IT, and so IT must also change:
- Accessible data and applications anytime, anywhere
- Huge increase in social collaboration and sharing
- Enable mobile access to enterprise resources
Moving from "no" to "know"

Security of NO (Infrastructure Security): Viruses, Spyware, Vulnerabilities, Intrusions, Trojans, Spam, Worms

Security of KNOW (Service Security): User, Access, Data, Activity, across Web Servers, Apps, Privileged Users, Servers, Web Services
Service security: the key challenge
Connect users to information. Seems easy enough.
Things are getting more complex every day.
Security must ensure that the right people have the right access to the right information at the right time.

You have to Authenticate:
- People: Employees, Contractors, Privileged Users, Customers, Supply Chain Partners
- Services: Portals, Security Systems
- Devices: Servers, Applications, Information, Directories, Operating Systems

You have to Authorize:
- Systems, Applications, Information use

You have to Report:
- User/Service Activity, Information Activity, Privileged Activity, Privacy/Compliance
Content-aware model for security
- Identity: Role Management & Provisioning; Identity Governance; User Activity Reporting
- Access: Web Access Management & Federation; Privileged User Management & PUPM; Advanced Authentication & Fraud Prevention
- Information: Data Classification; Data Loss Prevention
Too much security?
COBIT Security
- Builds on the new COBIT 5 framework to provide members, prospective members and other ISACA constituents with a robust approach to information security governance and management that is built into the business processes of an organization.
- COBIT Security will make use of existing ISACA IP such as BMIS, information security governance guidance and the COBIT Security Baseline, and will connect to other major frameworks and standards in the marketplace as considered appropriate.
COBIT Security
- COBIT Security will be an extended view of COBIT that explains each piece of COBIT from a security perspective.
- Additional value for security constituents will be created through additional explanations, activities, processes and recommendations.
- The document will also provide implementation guidance for security professionals in a similar manner to that of the COBIT Implementation Guide.
COBIT Security
The COBIT Security deliverable will be a view of information security governance and management that will provide security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business processes of an enterprise.
COBIT Security: status
- Detailed design: reviewed by the SME community (completed)
- Development: will begin at the end of May and will involve a workshop of SMEs in June
- SME review: expectation is that COBIT Security will be available July 2012
COBIT 5 news updates
- www.isaca.org/cobit5
- COBIT Focus Newsletter
- Community.ca.com/blogs/ppm
- @ISACA
COBIT 5 Security: summary
- A lens into the COBIT 5 framework delivering practical guidance for security practitioners
- Empowers security professionals to deliver TRUST and VALUE
- First of multiple practitioner publications
Control is important, especially when you don't have it!
Thank you
Robert E Stroud, CGEIT, CRISC
Robert.Stroud@ca.com
+1 (631) 880 2544
Twitter: @robertestroud
Blog: http://community.ca.com/blogs/itil
Blog: http://community.ca.com/blogs/ppm