CISSPills #3.02
Transcript of CISSPills #3.02
DOMAIN 3: Information Security Governance and Risk Management
#3.02
CISSPills Table of Contents
Security and Audit Frameworks and Methodologies
COSO
CobiT
Frameworks Relationship
ITIL
ISO/IEC 27000 Series
Security and Audit Frameworks and Methodologies
Many frameworks and methodologies have been developed to support the
security, auditing and risk assessment of implemented security controls.
They help during the design and testing of a Security Program (ISMS) (see
CISSPills #3.01).
Some of these frameworks, although not originally intended for Information
Security, have proved to be valuable tools for security professionals and
have consequently been adopted in that context.
COSO
The Committee of Sponsoring Organizations (COSO) of the Treadway
Commission developed this framework in 1985.
COSO is a corporate governance model that deals with non-IT topics, such
as board of director responsibilities, internal communications, etc. It focuses
on fraudulent financial reporting and provides companies, auditors, the SEC and
other regulators with recommendations to address financial reporting and
disclosure objectives.
The Sarbanes-Oxley Act (SOX) is a U.S. Federal Law that sets new or enhanced
standards for the accuracy of the financial information of a public
company, as well as the penalties for fraudulent financial activities.
SOX is based upon the COSO model, so companies have to follow this model
in order to be SOX-compliant.
CobiT
The Control Objectives for Information and related Technology (CobiT) is a
control-based framework developed by the Information Systems Audit and
Control Association (ISACA) and the IT Governance Institute (ITGI). CobiT is
derived from the COSO framework and deals with IT governance.
The main goal of the framework is to provide process owners with a toolset for
the governance and management of Enterprise IT, so that IT maps to
business needs.
IT governance allows an organization to:
Achieve strategic goals and experience business benefits through the
effective use of IT;
Achieve operational excellence through a reliable and efficient
application of the technology;
Maintain IT-related risk at an acceptable level;
Optimize the cost of IT services and technology;
Support compliance with relevant laws, regulations and policies.
CobiT (cont'd)
CobiT provides a toolset containing:
A set of generic processes to manage IT;
A set of tools related to the processes (controls, metrics, analytical tools and
maturity models).
It allows an organization to accomplish the following:
Linking IT goals with business requirements;
Arranging the IT function according to a generally accepted model of
processes;
Defining the control objectives;
Providing a maturity model to measure the achievements;
Defining measurable goals based upon Balanced Scorecard principles.
CobiT (cont'd)
CobiT is made up of the following components:
Framework: IT governance objectives and good practices arranged by IT
domains and processes, and linked to business requirements;
Processes: a set of generally accepted processes into which the IT function can
be split. CobiT defines 34 processes, each associated with one of the 4
domains into which CobiT breaks down IT: Plan and Organize, Acquire and
Implement, Deliver and Support, and Monitor and Evaluate;
Control objectives: a set of objectives, arranged by process, that the chosen
controls (e.g. account management) have to meet;
Management guidelines: resources that help assign responsibility, agree
on objectives, measure performance and illustrate the interrelationships with
other processes;
Maturity models: tools to assess maturity and capability per process and to
help address gaps.
Frameworks Relationship
SOX (Federal Law) <- COSO (Corporate Governance) <- CobiT (IT Governance)
COSO is used to comply with SOX; CobiT, which ITGI has mapped to COSO,
is used to comply with COSO.
ITIL
The Information Technology Infrastructure Library (ITIL) is the most widely used
framework for IT Service Management. It is based on
best practices and allows an organization to:
Identify
Plan
Deliver
Support
the IT services business relies on.
ITIL was developed because of the ever-increasing dependency between IT
and business.
ITIL (cont'd)
A service is something that provides "value" to customers (internal or
external). One example is the payroll service, which depends on an IT
infrastructure (storage, DBs, etc.). ITIL handles services in a holistic fashion, so
that the IT architecture is also taken into account. This approach takes every
aspect of a service into consideration and helps assure proper service levels.
Services must be aligned with the business and have to sustain its fundamental
processes. ITIL helps organizations use IT to ease business change,
transformation and growth.
ISO/IEC 27000 Series
The ISO/IEC 27000 series (formerly known as BS7799) is a set of standards that
outlines how to develop and maintain an ISMS. Its goal is to help organizations
centrally manage the security controls deployed throughout the
enterprise. Without an ISMS, controls are implemented individually and don't
follow a holistic approach.
The series is split into several standards, each addressing a specific
requirement (e.g. 27033-1 - network security, 27035 - incident management
handling, etc.).
ISO/IEC 27001:2005 is the standard organizations have to follow (and are
assessed against) if they want their ISMS to adhere to ISO 27001. Being
compliant means that the organization has put in place an effective ISMS able
to assure the security of information from several standpoints (physical,
logical, organizational, etc.) and the reduction and/or prevention of
threats.
ISO/IEC 27000 Series (cont'd)
This framework relies on PDCA (Plan-Do-Check-Act), a four-step iterative cycle
that allows continuous improvement of the process: the results of a step
feed the next one, with each cycle leading closer to the
goal.
Plan: aimed at establishing goals and plans;
Do: aimed at implementing the plans identified
in the previous step;
Check: aimed at measuring the results in order
to understand if objectives are met;
Act: aimed at determining where to apply changes in
order to achieve improvements.
That's all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills as
much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> gmail <dot> com
More resources:
Stay tuned for the next issues;
Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me at