Post on 29-Nov-2014
Using CobiT to Enhance IT Security Governance
LHS
© John Mitchell
John Mitchell, PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL, England
Tel: +44 (0)1707 851454 Fax: +44 (0)1707 851455 Mobile: +44 (0)7774 145638
john@lhscontrol.com www.lhscontrol.com
IT Security Governance Road Map
Identify Needs
– Risk analysis
– Raise awareness
Envisage Solution
– Where are you now?
– Where do you want to be?
– Gap analysis
Plan Solution
– Identify measurement metrics
– Develop change programme
– Define projects
Implement Solution
– Generate Balanced Score Card
– Collect metrics
– Report
Where is Your IT Security?
Maturity scale: 0 Non-Existent – 1 Initial – 2 Repeatable – 3 Defined – 4 Managed – 5 Optimised
Maturity Models
A strategic management tool
Helps in self-assessment and in making decisions about where the IT function currently is and where it should be going
Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
Provides a pragmatic benchmark: “Where is my IT department placed and where do we want it to be?”
CMM Concepts
Initially proposed in 1991 by the Software Engineering Group at the Carnegie Mellon University, USA
Identified 6 maturity levels in the development of quality software
Extended by the Information Systems Audit & Control Association (ISACA) to include all aspects of IT
CMM Levels
0 Non-Existent
1 Initial/Ad Hoc
2 Repeatable but intuitive
3 Defined Process
4 Managed & measurable
5 Optimised
Security Maturity Models
IT Security Governance Encompasses
– Technology
– Processes
– People
IT Security Governance Requires
Planning & Organisation
Acquisition and Implementation
Delivery and Support
Monitoring and Enhancement
Control Objectives for IT (CobiT)
Open standard provided by the Information Systems Audit & Control Association (ISACA)
Used by over 43,000 control professionals throughout the world
Increasingly seen as an IT Governance tool
Where CobiT Fits In
Diagram: Corporate Governance at the top, with IT Governance, Finance Governance and Marketing Governance beneath it; under IT Governance sit CobiT and the related standards ISO 17799, BS 15000, CMM, ITIL, ISO 9126, ISO 15504, ISO 12207, ISO 9000 and TickIT
CobiT & IT Governance
IT GOVERNANCE PROGRAMME
Planning & Organisation
– Strategic Planning
– Information Architecture
– Technological Direction
– IT Organisation & Relationships
– Manage the IT Investment
– Communicate Aims & Direction
– Manage Human Resources
– Ensure Compliance
– Assess Risks
– Manage Projects
– Manage Quality
Acquisition & Implementation
– Identify Solutions
– Acquire & Maintain Application Software
– Acquire & Maintain Technology Architecture
– Develop & Maintain IT Procedures
– Install & Accredit Systems
– Manage Changes
Delivery & Support
– Define Service Levels
– Manage Third-Party Services
– Manage Performance and Capacity
– Ensure Continuous Service
– Ensure Systems Security
– Identify and Attribute Costs
– Educate and Train Users
– Assist & Advise IT Customers
– Manage the Configuration
– Manage Problems & Incidents
– Manage Data
– Manage Facilities
– Manage Operations
Monitoring
– Monitor the Processes
– Assess Internal Control Adequacy
– Obtain Independent Assurance
– Provide for Independent Audit
CobiT Structure
– Area Framework (i.e. IT Security)
– Control Objectives
– Audit Guidelines
– Key Goal Indicators
– Key Performance Indicators
– Critical Success Factors
– Maturity Models
Security Framework
Control Objectives
Control Objectives provide high level control statements linking the need for control to business requirements based on the CobiT Information Criteria
By addressing 34 high level control objectives, the business process owner can ensure that an adequate internal control system is in place for the IT environment
There are also over 300 detailed management & control objectives for 34 IT processes
These objectives have been derived from research across many sources of IT standards and best practice, including topics such as IT quality, security, service delivery and financial control
These objectives are intended to be a management tool, helping auditors, IT management and business management understand how to control IT activities to meet business requirements
Audit Guidelines
A management tool
Helps in self-assessment and in making choices for control implementation and capability improvements
Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
Provides a set of tools to assist management in responding to the question: “What is the right level of control for my IT such that it will support my business objectives?”
Measurement Components
Key Goal Indicators (KGIs)
– Where do you want to be?
Critical Success Factors (CSFs)
– Those things that MUST happen to reach the KGI
Key Performance Indicators (KPIs)
– Those measures that confirm you are meeting the CSFs, or which warn you when you are drifting off course
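To make the road map, the CMM levels and the KGI/CSF/KPI components concrete, the following is an added example, not code from the presentation or from LHS Business Control: it scores constructed CobiT processes on the 0-5 CMM scale, performs the gap analysis from the Envisage Solution stage, and flags KPIs that miss their CSF thresholds. All process scores, KPI names and thresholds below are hypothetical.

```python
"""Maturity gap analysis and KPI drift check for an IT security governance
programme, following the road map and CMM levels in the slides. Added example,
not from the original deck; every process score and KPI below is constructed."""

# CobiT maturity scale (0-5) as listed on the CMM Levels slide
CMM_LEVELS = {0: "Non-Existent", 1: "Initial/Ad Hoc", 2: "Repeatable but intuitive",
              3: "Defined Process", 4: "Managed & measurable", 5: "Optimised"}


def gap_analysis(assessment):
    """Envisage Solution stage: where are you now vs where do you want to be.
    assessment: {process: (current_level, target_level)}; returns
    (process, current, target, gap) tuples, largest gap first."""
    gaps = []
    for process, (current, target) in assessment.items():
        if not (0 <= current <= 5 and 0 <= target <= 5):
            raise ValueError(f"{process}: maturity levels must be 0-5")
        gaps.append((process, current, target, target - current))
    return sorted(gaps, key=lambda g: g[3], reverse=True)


def kpi_drift(kpis):
    """Implement Solution stage: flag KPIs that miss their CSF threshold,
    i.e. the measures that warn you the programme is drifting off course.
    kpis: {name: (measured, threshold, higher_is_better)}"""
    drifting = []
    for name, (measured, threshold, higher_is_better) in kpis.items():
        on_track = measured >= threshold if higher_is_better else measured <= threshold
        if not on_track:
            drifting.append(name)
    return drifting


# Constructed sample assessment (CobiT process names, hypothetical scores)
ASSESSMENT = {
    "Ensure systems security": (2, 4),
    "Assess Risks": (1, 4),
    "Manage problems & incidents": (3, 3),
}
# Constructed sample KPIs: (measured, CSF threshold, higher is better?)
KPIS = {
    "% critical patches applied within 30 days": (85.0, 95.0, True),
    "High-risk findings open more than 90 days": (4, 0, False),
    "% staff completing security awareness training": (97.0, 90.0, True),
}


def scorecard(assessment=ASSESSMENT, kpis=KPIS):
    """Balanced score card summary for the Report step of the road map."""
    gaps = [(p, f"{CMM_LEVELS[c]} -> {CMM_LEVELS[t]}", g)
            for p, c, t, g in gap_analysis(assessment)]
    return {"gaps": gaps, "drifting_kpis": kpi_drift(kpis)}
```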
Key Goal Indicators
Critical Success Factors
Key Performance Indicators
Control Practices
– The benefits listed under ‘why do it’ are tangible and motivate the implementation of controls
– The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
– Control practices listed are generally accepted as good business practice
– Control practices suggest sustainable solutions
– The control practices are effective in addressing the risk linked to not achieving the detailed control objective
– The control practices suggest efficient solutions
– The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
– The control practices are realistic
Useful Sites & Tools
Sites
– www.isaca.org
– www.isaca-london.org
– www.bcs-irma.org
– www.itgi.org
– www.bsi-global.com
Tools
– Control Objectives for IT (CobiT)
– IT Infrastructure Library (ITIL)
– International Standards (ISO 17799, ISO 9000, etc.)
Summary
IT security governance is about measurement & control of IT security within the corporate framework to ensure that IT supports and helps to extend the enterprise’s capabilities
Much of IT security governance involves risk management of:
– Confidentiality
– Integrity
– Availability
– Compliance
Knowing where you are is a prerequisite to knowing where you want to be:
– Capability maturity assessment
– ISO 17799 gap analysis
Questions?
John Mitchell, PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Hertfordshire EN6 1SL, England
Tel: +44 (0)1707 851454 Fax: +44 (0)1707 851455 Mobile: +44 (0)7774 145638
john@lhscontrol.com www.lhscontrol.com