COBIT 5 for Information Security. Dr. Derek J. Oliver Co-Chair, COBIT 5 Task Force

Slide 1: COBIT 5 for Information Security. Dr. Derek J. Oliver, Co-Chair, COBIT 5 Task Force

Slide 2: First, a bit of background. Just to level the playing field.

Slide 3: COBIT 5 Objectives
- ISACA Board of Directors: tie together and reinforce all ISACA knowledge assets with COBIT.
- Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance, including Val IT, Risk IT, BMIS, ITAF, the Board Briefing and Taking Governance Forward.
- Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.).
© 2010 ISACA. All rights reserved.

Slide 4: Evolution
[Figure: The COBIT Evolution. A timeline in which each release widens the scope of the framework: Audit (COBIT 1), Control (COBIT 2), Management (COBIT 3), IT Governance (COBIT 4.0/4.1) and Governance of Enterprise IT (COBIT 5, 2012). Val IT 2.0 (2008), Risk IT (2009) and BMIS (2010) appear alongside as the ISACA frameworks brought together in COBIT 5.]

Slide 5: COBIT 5 Today
- Released 12th April, 2011: Framework; Enabling Processes; Implementation/Transition Guide.
- COBIT 5 under development: for Information Security (Q3, 2011); Enabling Information (Q3, 2012); for Risk Management (Q1, 2013); for Assurance (Q1, 2013).

Slide 6: COBIT 5 is...
- Based on 5 Principles and 7 Enablers
- To address the separate concepts of Governance and Management
- To meet the specific needs of the user

Slide 7: The COBIT 5 Principles
- The COBIT 5 framework makes a clear distinction between governance and management.
- COBIT 5 will be used to address specific needs.
- COBIT 5 integrates governance of enterprise IT into enterprise governance.
- COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information.
- COBIT 5 integrates all existing frameworks, standards etc.

Slide 8: COBIT 5 Principle 1
- Stakeholder needs have to be transformed into an enterprise's actionable strategy.
- The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.
- Security is considered a Stakeholder Need.
© 2012 ISACA. All rights reserved.

Slide 9: COBIT 5 Principle 2
- COBIT 5 integrates governance of enterprise IT into enterprise governance by:
  - Covering all functions and processes within the enterprise. COBIT 5 does not focus on only the IT function, but instead treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  - Considering all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that are relevant to governance and management of enterprise information and related IT.
- Applying this principle to information security, COBIT 5 for Information Security covers all stakeholders, functions and processes within the enterprise that are relevant for information security.

Slide 10: COBIT 5 Principle 3
- COBIT 5 integrates all other frameworks, standards etc. COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. As a single integrated framework, it:
  - serves as a consistent and integrated source of guidance in a common language;
  - aligns with other relevant standards and frameworks.
- COBIT 5 brings together knowledge previously dispersed over different ISACA frameworks and models (COBIT, BMIS, Risk IT, Val IT), with guidance from other major information security-related standards such as the ISO/IEC series, the ISF Standard of Good Practice for Information Security, and NIST SP 800-53A.

Slide 11: COBIT 5 Principle 4
- COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and Information. Enablers are factors that, individually and collectively, influence whether something will work.
- For Information Security this will mean the governance and management over both technical and operational security and, related to that, information security governance.
- The COBIT 5 framework defines seven categories of enablers.

Slide 12: COBIT 5 Principle 5
- The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Slide 13: The COBIT 5 Enablers and Information Security. How the COBIT 5 enablers can be used to implement effective and efficient information security governance and management in the organisation.

Slide 14: COBIT 5 Enablers
- Enablers are factors that, individually and collectively, influence whether something will work.
- Enablers are driven by the goals cascade, i.e. business and IT-related goals define what the different enablers should achieve.
- The COBIT 5 framework describes seven categories of enablers.

Slide 15: Using the COBIT 5 Enablers
- The 7 enablers defined in COBIT 5 have a set of common dimensions which:
  - provide a simple and structured way to deal with enablers;
  - allow management of their complex interactions;
  - facilitate their successful outcome.

Slide 16: The COBIT 5 Enablers
1. Principles, policies and frameworks: are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
2. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organisational structures: are the key decision-making entities in an organisation.
4. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities.
5. Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competences: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

Slide 17: Managing Performance
- Organisations should expect positive outcomes from the application and use of enablers.
- To manage performance of the enablers, the following questions must be monitored and answered by metrics on a regular (e.g. quarterly) basis:
  - Are stakeholder needs addressed?
  - Are enabler goals achieved?
  - Is the enabler life cycle managed?
  - Are good practices applied?
- The first two deal with the actual outcome of the enabler. The remaining two deal with the actual functioning of the enabler itself.

Slide 18: Enabling: Process
- The detailed COBIT 5 governance and management processes relevant to Information Security are described as follows:
  - Process identification:
    - Process label: consisting of the domain prefix (EDM, APO, BAI, DSS, MEA) and the process number.
    - Process name: a short description, indicating the main subject of the process.
    - Area: governance or management.
    - Domain name.
  - Process description: overview of what the process does and, at a very high level, how the process accomplishes its purpose.
  - Process purpose statement: the purpose of the process.
  - Process goals and metrics: for each process, a limited number of process goals are included, and for each process goal a limited number of example metrics is listed, reflecting the clear relationship between the goals and the metrics.
  - Detailed description of the process practices: practice title and description.

Slide 19: Enabling: Process

Slide 20: For example: APO13...

Slide 21: Which continues: The information security-specific processes will be detailed in COBIT 5 for Information Security... For example:

Slide 22: COBIT 5 for Information Security. NOTE: This is just an example of what it might look like....!

Slide 23: Which might continue...

Slide 24: Enabling: Information. Currently under development, this will give a much greater insight into the nature of Information.

Slide 25: Enabling Information (Q3 2012)
Looks at Information in terms of:
- Quality:
  - Intrinsic quality, which considers quality as an intrinsic property of information;
  - Contextual quality, which recognises that information quality may depend on a context of use (i.e., the task to be performed by the information user); and
  - Representational and Accessibility quality, which consider the quality of information in relation to the information technologies that are used.
- Value/Cost: relates to information being economical and efficient.
- Lifecycle Phases: Plan; Obtain; Store; Share; Use; Maintain; Dispose.
- Attributes: a framework which considers six different levels or layers to talk or reason about properties of information.
- Stakeholders: apart from identifying the stakeholders, their stakes need to be identified, i.e., why do they care or are they interested in the information.

Slide 26: Enabling Information: Security
Security groups within the enterprise can benefit from the Attributes dimension of the publication. When charged with protection of information, they need to look at:
- Physical layer: how and where is information physically stored?
- Empirical layer: what are the access channels to the information?
- Semantic layer: what type of information is it? Is the information current or relating to the past or to the future?
- Pragmatic layer: what are the retention requirements? Is information historic or operational?
Using these attributes will allow the user to determine the level of protection and the protection mechanisms required.

Slide 27: Summary & Conclusions
- COBIT 5:
  - encourages and assists in meeting Stakeholder Needs for Information Security;
  - has adopted the BMIS concepts of taking the holistic view of an organisation;
  - focuses on the business use of Information in any form or medium;
  - separates information governance from management activity;
  - relates to all frameworks, standards etc., e.g. ITIL, ISO2700x, ISF etc.

Slide 28: Summary & Conclusions
- COBIT 5 for Information Security:
  - will be a Practitioner Guide on using COBIT 5 for the specific discipline;
  - supplements the Enablers of COBIT 5 with security-specific business & IT Objectives;
  - adds security-specific governance and management activities;
  - includes security-specific metrics;
  - is currently under development with an expected release date of July, 2012.

Slide 29: And so Goodbye... Dr. Derek J. Oliver, Ravenswood Consultants Ltd., Ravenswood House, Essex Way, South Benfleet, Essex, SS7 1LN.