COBIT 5 for Information Security
Dr. Derek J. Oliver, Co-Chair, COBIT 5 Task Force
COBIT 5 Objectives
o ISACA Board of Directors: “tie together and reinforce all ISACA knowledge assets with COBIT.”
o Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance, including:
  Val IT
  Risk IT
  BMIS
  ITAF
  Board Briefing
  Taking Governance Forward
o Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.)
© 2010 ISACA. All rights reserved. 3
The COBIT Evolution (figure): each COBIT release and the scope it addressed
  COBIT 1 (1996): Audit
  COBIT 2 (1998): Control
  COBIT 3 (2000): Management
  COBIT 4.0/4.1 (2005/7): IT Governance
  COBIT 5 (2012): Governance of Enterprise IT
Related ISACA frameworks on the same timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)
COBIT 5 Today
o Released 12th April, 2011:
  Framework
  Enabling Processes
  Implementation/Transition Guide
o Under development:
  COBIT 5 for Information Security (Q3, 2011)
  COBIT 5: Enabling Information (Q3, 2012)
  COBIT 5 for Risk Management (Q1, 2013)
  COBIT 5 for Assurance (Q1, 2013)
COBIT 5 is . . .
o Based on 5 Principles and
o 7 Enablers
  To address the separate concepts of Governance and Management
  To meet the specific needs of the user
The COBIT 5 Principles
1. COBIT 5 will be used to address specific needs
2. COBIT 5 integrates governance of enterprise IT into enterprise governance
3. COBIT 5 integrates all existing frameworks, standards etc.
4. COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information
5. The COBIT 5 framework makes a clear distinction between governance and management
The COBIT 5 Principle 1
o Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
o The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.
o Security is considered a “Stakeholder Need”.
The COBIT 5 Principle 2
o COBIT 5 integrates governance of enterprise IT into enterprise governance by:
  Covering all functions and processes within the enterprise. COBIT 5 does not focus on only the ‘IT function’, but instead treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  Considering all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.
o Applying this principle to information security, COBIT 5 for Information Security covers all stakeholders, functions and processes within the enterprise that are relevant for information security.
The COBIT 5 Principle 3
o COBIT 5 integrates all other frameworks, standards etc. COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. As a single integrated framework, it:
  serves as a consistent and integrated source of guidance in a common language.
  aligns with other relevant standards and frameworks.
o COBIT 5 brings together knowledge previously dispersed over different ISACA frameworks and models (COBIT, BMIS, Risk IT, Val IT) with guidance from other major information security-related standards such as the ISO/IEC 27000 series, the ISF Standard of Good Practice for Information Security, and NIST SP 800-53A.
The COBIT 5 Principle 4
o COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and Information. Enablers are factors that, individually and collectively, influence whether something will work.
o For Information Security this will mean the governance and management of both technical and operational security and, related to that, information security governance.
o The COBIT 5 framework defines seven categories of enablers.
The COBIT 5 Principle 5
o The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
o Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
o Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
The COBIT 5 Enablers and Information Security
How the COBIT 5 enablers can be used to implement effective and efficient information security governance and management in the organisation
COBIT 5 Enablers
o Enablers are factors that, individually and collectively, influence whether something will work.
o Enablers are driven by the goals cascade, i.e., business and IT-related goals define what the different enablers should achieve.
o The COBIT 5 framework describes seven categories of enablers (“Enablers”).
Using the COBIT 5 Enablers
o The 7 enablers defined in COBIT 5 have a set of common dimensions which:
  Provide a simple and structured way to deal with enablers
  Allow management of their complex interactions
  Facilitate their successful outcome
The COBIT 5 Enablers . . .
1. Principles, policies and frameworks—Are the vehicle to translate the desired behaviour into practical guidance for day-to-day management
2. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
3. Organisational structures—Are the key decision-making entities in an organisation
4. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competences—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
Managing Performance
o Organisations should expect positive outcomes from the application and use of enablers.
o To manage performance of the enablers, the following questions must be monitored and answered—by metrics—on a regular (e.g. quarterly) basis:
  Are stakeholder needs addressed?
  Are enabler goals achieved?
  Is the enabler life cycle managed?
  Are good practices applied?
o The first two questions deal with the actual outcome of the enabler. The remaining two deal with the actual functioning of the enabler itself.
Enabling: Process
o The detailed COBIT 5 governance and management processes relevant to Information Security include:
  Process identification
    Process label—Consisting of the domain prefix (EDM, APO, BAI, DSS, MEA) and the process number
    Process name—A short description, indicating the main subject of the process
    Area—Governance or management
    Domain name
  Process description
    Overview of what the process does, i.e., the purpose of the process
    Overview at a very high level of how the process accomplishes the purpose
  Process purpose statement
  Process goals and metrics—For each process, a limited number of process goals are included, and for each process goal a limited number of example metrics is listed, reflecting the clear relationship between the goals and the metrics.
  Detailed description of the process practices
    Practice title and description
Which continues: the information security-specific processes will be detailed in COBIT 5 for Information Security . . . For example:
Enabling: Information (Q3 2012)
Currently under development, this will give a much greater insight into the nature of “Information”.
o Looks at Information:
  Quality: Intrinsic quality, which considers quality as an intrinsic property of information; Contextual quality, which recognizes that information quality may depend on a context of use (i.e., the task to be performed by the information user); and Representational and Accessibility quality, which consider the quality of information in relation to the information technologies that are used
  Value/Cost: Relates to information being economical and efficient.
  Lifecycle Phases: Plan; Obtain; Store; Share; Use; Maintain; Dispose
  Attributes: A framework which considers six different levels or layers to talk or reason about properties of information
  Stakeholders: Apart from identifying the stakeholders, their stakes need to be identified, i.e., why do they care about or are they interested in the information.
Enabling Information: Security
Security groups within the enterprise can benefit from the Attributes dimension of the publication. When charged with protection of information, they need to look at:
o Physical layer – how and where is information physically stored?
o Empirical layer – what are the access channels to the information?
o Semantic layer – what type of information is it? Is the information current or relating to the past or to the future?
o Pragmatic layer – what are the retention requirements? Is information historic or operational?
Using these attributes will allow the user to determine the level of protection and the protection mechanisms required.
Summary & Conclusions
o COBIT 5:
  encourages and assists in meeting Stakeholder Needs for Information Security
  has adopted the BMIS concepts of taking the Holistic view of an organisation
  focuses on the business use of Information in any form or medium
  separates information governance from management activity
  relates to all frameworks, standards etc., e.g. ITIL; ISO2700x; ISF etc.
o COBIT 5 for Information Security:
  will be a Practitioner Guide on using COBIT 5 for the specific discipline
  supplements the Enablers of COBIT 5 with security-specific business & IT Objectives
  adds security-specific governance and management activities
  includes security-specific metrics
  is currently under development with an expected release date of July, 2012
Dr. Derek J. Oliver
Ravenswood Consultants Ltd.
Ravenswood House
148-150, Essex Way
South Benfleet,
Essex, SS7 1LN
Tel: 01268 794556
Mob: 07768 363808
E-mail: [email protected]
And so Goodbye . . .