Leveraging COBIT to Implement Information Security


By John Frisken, CA
COBIT Focus, 5 May 2015

In delivering IT security consulting services to large enterprises in Australia, particularly in the health care, utility and large government sectors, Information Systems Group has used the International Organization for Standardization (ISO) standards extensively, for example ISO 27001 for security and ISO 20000 for IT service management. In advising clients on the best way to apply the standards, the question that has consistently arisen is: how far does the application of these standards need to be taken? The ISO standards are good in that they apply a consistent and internationally agreed-upon definition; however, Information Systems Group wanted a way to describe to its clients how far they should take the application of the detailed controls within these standards. The ISO standards tend to be binary in their application: enterprises either comply, or do not comply, with the detailed control-level statements. The ISO standards are also not good at linking the application of these controls back to a business-focused framework that can answer "Why?" at a level that a business executive can understand and support.

The consultancy undertook an engagement to evaluate the quality of its client's implementation of ISO 27001. In this case, IT represented approximately 100 staff members out of a workforce of 2,500, so IT had initially adopted a pragmatic approach to the application of the standards, which left quite a few gaps when benchmarked against a rigorous technical application of the ISO 27001 standard. Following the review, the consultancy was asked how it would address these gaps and why doing so would deliver benefits to the enterprise.

ISO 27001 pertains to the domain of security, and while it is important, it is only one of many areas that a modern business needs to address. The client had identified that it also wanted to adopt the Information Technology Infrastructure Library (ITIL), and it had an existing access control initiative with good sponsorship. Last, the client's internal audit division used COBIT and was a significant sponsor of the implementation of ISO 27001. Accordingly, there was a desire to understand how all of these competing initiatives could work together in practice.

To address this challenge, the consultancy determined that an important step would be to obtain an assessment of the current state of IT governance using a nontechnical, business-focused measuring stick that was independent of the various competing control frameworks it had been asked to integrate. After some discussion within the consulting business, it was agreed that the COBIT governance framework, with its associated process assessment techniques, would be used to create a maturity model as that measuring stick. This initiative began in 2009 and extended through 2011, with implementation continuing beyond 2011 to the end of 2012. The framework development was therefore based on COBIT 4.1, as COBIT 5 was not released until April 2012. Since this case example, COBIT 5 has been released and offers an optimized approach to coordinating various standards.

In the case at hand, a series of executive briefings setting out the implementation program was developed and, through a sequence of discussions, an approach was formulated that the client felt would deliver benefits for its business. A project manager from the business was engaged to work with the consultant's team of four to scope out, in detail, the tasks and deliverables to be developed. The decision was made to start with information security, and initially to understand the various implementation models in common use. Many of these models were quite detailed and addressed security in terms of the requirements of the technology, usually leading to very expensive programs of work that were technology-focused rather than business-focused. Other models had also been used, including limiting the scope to individual sensitive business units or defining the scope in terms of the business processes of the enterprise. Upon sharing these models with the client, it was discovered that the enterprise's appetite for security aligned with the process-centric view.

However, the consultancy needed a way to push security down into the business units and to address device-level security. At this point, the consultancy looked to ITIL for guidance and began to think of security as a process within ITIL. The consultancy developed the IT governance model shown in figure 1 to describe the theoretical underpinnings of the approach. The model starts with the COBIT 4.1 maturity attribute table¹ and finishes with the COBIT 4.1 controls embedment process using RACI (Responsible, Accountable, Consulted and Informed) charts. In between these two COBIT techniques, the consultancy implemented the control framework for ISO 27001 and the relevant parts of ITIL to deliver an operational information security system, as shown in figure 2. The integration of the IT governance maturity model, COBIT 4.1, ISO 27001 and ITIL was achieved at a process level within the standards and frameworks, rather than at a control objective level. Key ITIL processes for change management and release management were mapped into the ISO 27001 process model and then presented within a conventional EPM program management structure for ongoing reporting and management. Every security concept, construct or device type that had a change dimension associated with it was identified within this model, using a concept similar to the 20 SANS Critical Controls.² Finally, all changes were traced back into the ITIL configuration management system (CMS or CMDB) to maintain traceability of the key configuration items related to security.
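The traceability described above, where security-relevant configuration items carry the controls they implement and every change to such an item must be traceable to an approved change record, is straightforward to check mechanically. The following is an added example, not code from the article or from Information Systems Group; the CMDB entries, change records (RFCs) and observed changes are constructed sample data, and the control references use ISO/IEC 27001:2005 Annex A-style numbering purely as an illustrative assumption.

```python
"""Control-to-CI traceability check (added illustration, constructed data).

Two questions a reviewer of the model in the article would ask:
  1. Does every control in the baseline map to at least one configuration item?
  2. Was every change observed on a security-relevant CI raised and approved
     through change management for *that* CI?
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConfigItem:
    ci_id: str
    name: str
    controls: frozenset  # control references this CI implements; empty = not security-relevant


@dataclass(frozen=True)
class ChangeRecord:      # a request for change (RFC) in the ITIL change process
    rfc_id: str
    ci_id: str
    status: str          # "approved", "rejected" or "open"


@dataclass(frozen=True)
class ObservedChange:    # a change actually seen on a CI, e.g. from a configuration audit
    ci_id: str
    rfc_id: Optional[str]   # RFC cited when the change was made; None if none recorded
    detail: str


# Constructed sample data. Control numbers are an illustrative assumption only.
CONTROL_BASELINE = {"A.10.1.2", "A.10.4.1", "A.10.6.1", "A.11.6.1"}

CMDB = [
    ConfigItem("CI-FW-01", "perimeter firewall", frozenset({"A.10.6.1"})),
    ConfigItem("CI-AD-01", "directory and access control service", frozenset({"A.11.6.1"})),
    ConfigItem("CI-CHG-01", "change management tool", frozenset({"A.10.1.2"})),
    ConfigItem("CI-WIKI-01", "team wiki", frozenset()),
]

RFCS = [
    ChangeRecord("RFC-100", "CI-FW-01", "approved"),
    ChangeRecord("RFC-101", "CI-AD-01", "open"),
    ChangeRecord("RFC-102", "CI-WIKI-01", "approved"),
]

OBSERVED = [
    ObservedChange("CI-FW-01", "RFC-100", "allow tcp/443 from partner range"),
    ObservedChange("CI-FW-01", None, "allow tcp/22 from any"),
    ObservedChange("CI-AD-01", "RFC-101", "added user to Domain Admins"),
    ObservedChange("CI-AD-01", "RFC-102", "password policy lowered to 6 chars"),
    ObservedChange("CI-WIKI-01", None, "theme updated"),
]


def unmapped_controls(baseline, cmdb):
    """Baseline controls that no CI implements: a gap in the control-to-CI mapping."""
    covered = set()
    for ci in cmdb:
        covered |= ci.controls
    return set(baseline) - covered


def untraced_changes(observed, rfcs, cmdb):
    """Changes on security-relevant CIs not traceable to an approved RFC for that CI.

    Returns a list of (ci_id, detail, reason). Changes to CIs that implement no
    control are ordinary changes and are not reported here.
    """
    ci_index = {ci.ci_id: ci for ci in cmdb}
    rfc_index = {r.rfc_id: r for r in rfcs}
    findings = []
    for chg in observed:
        ci = ci_index.get(chg.ci_id)
        if ci is None:
            findings.append((chg.ci_id, chg.detail, "CI not in CMDB"))
            continue
        if not ci.controls:
            continue
        rfc = rfc_index.get(chg.rfc_id) if chg.rfc_id else None
        if rfc is None:
            findings.append((chg.ci_id, chg.detail, "no change record"))
        elif rfc.ci_id != chg.ci_id:
            findings.append((chg.ci_id, chg.detail, f"{rfc.rfc_id} is for a different CI"))
        elif rfc.status != "approved":
            findings.append((chg.ci_id, chg.detail, f"{rfc.rfc_id} not approved ({rfc.status})"))
    return findings


if __name__ == "__main__":
    for ctrl in sorted(unmapped_controls(CONTROL_BASELINE, CMDB)):
        print(f"control {ctrl} has no configuration item implementing it")
    for ci_id, detail, reason in untraced_changes(OBSERVED, RFCS, CMDB):
        print(f"{ci_id}: '{detail}' -> {reason}")
```

The three reasons reported are the ones that matter for evidence collection: a change with no record at all, a change that borrows an RFC raised for some other item, and a change made while its RFC was still open. Each of them breaks the chain from control to configuration item to approved change that the ISMS relies on when it asks business unit managers for evidence.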

Figure 1. Information Security Model (diagram; source: Information Systems Group Pty Limited, reprinted with permission). The diagram shows business objectives and corporate goals and objectives as inputs to the COBIT IT governance maturity model. The results of the maturity assessment feed the ITIL, ALM and PMO processes and the ISO 27001 ISMS programme processes (risk assessment, risk register, ISMS calendar, P-D-C-A audits and a continuous improvement register), which are performed on business processes such as rostering, revenue and operations. These processes rely on information assets (applications, infrastructure, data centre, networks, terminals), which are protected by ITIL/ALM policies, standards and technology management procedures. The ISO 27001 control framework, control baseline, risk mitigation strategies and information security risk treatment plan define the controls; the controls are implemented through information security agreements, business controls and the COBIT controls embedment process based on RACI, supported by an information security controls implementation guide.

Figure 2. Information Security Program Architecture (diagram; source: Information Systems Group Pty Limited, reprinted with permission). The diagram shows the information security program governed by the ISMS through a code of conduct, an information security charter, a records management policy, the program framework and information security management statements. The ISMS directs the document management architecture and classification and the records management systems; defines the information security controls master plan, user training and awareness, and the procedures, work instructions and forms; and coordinates computer services, training and awareness, information security agreements, events, the technology calendar, procedures, changes and configuration management. Controls are devolved and operated through threat risk assessment, user-applied controls and computer-services-applied controls, and are verified through reports, corrective action requests and the audit schedule.

Because the system started and ended with COBIT, the consultancy effectively employed COBIT as a container or wrapper that allowed it to integrate and enforce various competing standards within the client enterprise. The consultancy found this to be a much more constructive approach than trying to reconcile the standards at a detailed control level. Information security at a business-unit level is centered around, and enforced by, information security agreements (similar to operating level agreements [OLAs] in ITIL) whose content is drawn from ISO 27001. The information security management system (ISMS) enforces the information security agreements with business unit managers, which in turn drives the application of detailed security controls and evidence collection. In this way, the detailed activities of information security are devolved to managers rather than managed centrally within a management system. This use of COBIT to coordinate various standards is optimized within COBIT 5; refer to the COBIT 5 principles within COBIT 5 for Information Security.³ This client's plan for the revision of the implemented frameworks is that the COBIT 5 framework will be used to introduce the new concepts for the management of information security set forth in COBIT 5 for Information Security.

One of the main advantages of this top-down approach to designing the IT governance initiatives is that it permits the organization to tackle the detailed controls embedment process in a measured way and to ensure that it is aligned to the risk appetite of the business. With the overall ISMS in place, controls and supporting education programs can be added at a rate that the business can absorb. Currently, one of the main challenges limiting the use and implementation of an ISMS is the inability to integrate multiple programs across the enterprise systems. With systems for ITIL service management becoming more widespread, the capability to automate the IT side of information security systems is now readily available to organizations. On the business controls side, project and program management (PPM) and governance, risk and control (GRC) software linked to enterprise workflow solutions provide a platform for managing the rollout of information security programs and the regular review and reporting of controls and evidence collection. A typical program component view looks like what is shown in figure 3. The security forum is the body that reviews reporting from the ISMS and directs the focus of the initiatives to manage all aspects of the organization's security posture and its response to information security threats.

Figure 3. Information Security Program Elements (diagram not reproduced; source: Information Systems Group Pty Limited, reprinted with permission).

For this client, the consultancy undertook a detailed design of the operational ISMS, and a specification was developed for implementation. The solution was built in a document management system, housing the detailed policies and a calendar establishing the program of reviews, training and reporting. This was an initial starting point for this client, given that its other ISO systems used this system as well. In the consultancy's experience, the ISMS can be built on top of detailed ITIL or application life cycle management (ALM) systems and integrated using a dashboard reporting tool similar to those available with enterprise tools such as SAP or Oracle enterprise resource planning (ERP) applications, PPM tools, or enterprise document management (EDM) tools. All of these tools usually incorporate enterprise workflow technologies that permit linkages into ITIL or ALM technologies and allow activities to be assigned and allocated to personnel within the enterprise.

Conclusion

The strength of the COBIT framework is its business focus and its pragmatic tools for aligning policy down to detailed controls embedment. By utilizing COBIT, the consultancy was able to answer the questions of how and why organizations should protect information within the enterprise, aligning the cost of controls to the perceived risk at a business process level rather than to technical controls.

Author's Note

This case study has been developed based on a real client situation in Australia. The name of the organization and some other identifying information have been removed. All material is either owned by Information Systems Group Pty Limited or used with permission.

John Frisken, CA, is an application development specialist with a distinguished career in both professional practice with Ernst & Young and, subsequently, as founder and owner of the Information Systems Group. Since establishing ISG in 1996, Frisken has overseen the development of ISG's services through the delivery of complex applications leveraging advanced messaging and secure platform technologies at NSW Health and Toyota Motor Corporation. He is currently the director, professional services, for ISGroup, an international systems integration and applications development company headquartered in Sydney, New South Wales, Australia.

Endnotes

1 IT Governance Institute, COBIT 4.1, USA, 2007
2 SANS, Critical Controls Version 5
3 ISACA, COBIT 5 for Information Security, USA, 2012