COBIT 5 Introduction - Qualified Audit Partners

COBIT 5 for Information Security

Dr. Derek J. Oliver
Co-Chair, COBIT 5 Task Force

First, a bit of background

Just to level the playing field

COBIT 5 Objectives

o ISACA Board of Directors: “tie together and reinforce all ISACA knowledge assets with COBIT.”

o Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance, including:
  - Val IT
  - Risk IT
  - BMIS
  - ITAF
  - Board Briefing
  - Taking Governance Forward

o Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.)

© 2010 ISACA. All rights reserved. 3

The COBIT Evolution

  COBIT 1 (1996) - Audit
  COBIT 2 (1998) - Control
  COBIT 3 (2000) - Management
  COBIT 4.0/4.1 (2005/7) - IT Governance
  COBIT 5 (2012) - Governance of Enterprise IT

  Also shown on the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

COBIT 5 Today

o Released 12th April, 2011:
  - Framework
  - Enabling Processes
  - Implementation/Transition Guide

o COBIT 5 under development:
  - for Information Security (Q3, 2011)
  - Enabling Information (Q3, 2012)
  - for Risk Management (Q1, 2013)
  - for Assurance (Q1, 2013)

COBIT 5 is . . .

o Based on 5 Principles and
o 7 Enablers
  - To address the separate concepts of Governance and Management
  - To meet the specific needs of the user

The COBIT 5 Principles

1. COBIT 5 will be used to address specific needs
2. COBIT 5 integrates governance of enterprise IT into enterprise governance
3. COBIT 5 integrates all existing frameworks, standards etc.
4. COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information
5. The COBIT 5 framework makes a clear distinction between governance and management

The COBIT 5 Principle 1

o Stakeholder needs have to be transformed into an enterprise's actionable strategy.

o The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

o Security is considered a “Stakeholder Need”


The COBIT 5 Principle 2

o COBIT 5 integrates governance of enterprise IT into enterprise governance by:
  - Covering all functions and processes within the enterprise. COBIT 5 does not focus on only the ‘IT function’, but instead treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  - Considering all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that are relevant to governance and management of enterprise information and related IT.

o Applying this principle to information security, COBIT 5 for Information Security covers all stakeholders, functions and processes within the enterprise that are relevant for information security.

The COBIT 5 Principle 3

o COBIT 5 integrates all other frameworks, standards etc. COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used.

o As a single integrated framework, it:
  - serves as a consistent and integrated source of guidance in a common language.
  - aligns with other relevant standards and frameworks.

o COBIT 5 brings together knowledge previously dispersed over different ISACA frameworks and models (COBIT, BMIS, Risk IT, Val IT) with guidance from other major information security-related standards such as the ISO/IEC 27000 series, the ISF Standard of Good Practice for Information Security, and NIST SP800-53A.

COBIT 5 Principle 4

o COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and Information. Enablers are factors that, individually and collectively, influence whether something will work.

o For Information Security this will mean the governance and management over both technical and operational security and, related to that, information security governance.

o The COBIT 5 framework defines seven categories of enablers.

The COBIT 5 Principle 5

o The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.

o Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

o Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

The COBIT 5 Enablers and Information Security

How the COBIT 5 enablers can be used to implement effective and efficient information security governance and management in the organisation

COBIT 5 Enablers

o Enablers are factors that, individually and collectively, influence whether something will work.

o Enablers are driven by the goals cascade, i.e. business and IT-related goals define what the different enablers should achieve.

o The COBIT 5 framework describes seven categories of enablers (“Enablers”).

Using the COBIT 5 Enablers

o The 7 enablers defined in COBIT 5 have a set of common dimensions which:
  - Provide a simple and structured way to deal with enablers
  - Allow management of their complex interactions
  - Facilitate their successful outcome

The COBIT 5 Enablers . . .

1. Principles, policies and frameworks—Are the vehicle to translate the desired behaviour into practical guidance for day-to-day management
2. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
3. Organisational structures—Are the key decision-making entities in an organisation
4. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competences—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions


Managing Performance

o Organisations should expect positive outcomes from the application and use of enablers.

o To manage performance of the enablers, the following questions must be monitored and answered—by metrics—on a regular (e.g. quarterly) basis:
  - Are stakeholder needs addressed?
  - Are enabler goals achieved?
  - Is the enabler life cycle managed?
  - Are good practices applied?

o The first two questions deal with the actual outcome of the enabler. The remaining two deal with the actual functioning of the enabler itself.

Enabling: Process

o The detailed COBIT 5 governance and management processes relevant to Information Security include:
  - Process identification
    - Process label—Consisting of the domain prefix (EDM, APO, BAI, DSS, MEA) and the process number
    - Process name—A short description, indicating the main subject of the process
    - Area—Governance or management
    - Domain name
  - Process description
    - Overview of what the process does, i.e., the purpose of the process
    - Overview at a very high level of how the process accomplishes the purpose
  - Process purpose statement
  - Process goals and metrics—For each process, a limited number of process goals are included, and for each process goal a limited number of example metrics is listed, reflecting the clear relationship between the goals and the metrics.
  - Detailed description of the process practices
    - Practice title and description

Enabling: Process

For example: APO13 . . .

Which continues: The information security-specific processes will be detailed in COBIT 5 for Information Security . . . For example:

COBIT 5 for Information Security

NOTE: This is just an example of what it might look like . . . . !

Which might continue . . .

Enabling: Information

Enabling Information (Q3 2012)

Currently under development, this will give a much greater insight into the nature of “Information”.

o Looks at Information:
  - Quality: Intrinsic quality, which considers quality as an intrinsic property of information; Contextual quality, which recognizes that information quality may depend on a context of use (i.e., the task to be performed by the information user); and Representational and Accessibility quality, which consider the quality of information in relation to the information technologies that are used
  - Value/Cost: Relates to information being economical and efficient.
  - Lifecycle Phases: Plan; Obtain; Store; Share; Use; Maintain; Dispose
  - Attributes: A framework which considers six different levels or layers to talk or reason about properties of information
  - Stakeholders: Apart from identifying the stakeholders, their stakes need to be identified, i.e., why do they care or are they interested in the information.

Enabling Information: Security

Security groups within the enterprise can benefit from the Attributes dimension of the publication. When charged with protection of information, they need to look at:

o Physical layer – how and where is information physically stored?
o Empirical layer – what are the access channels to the information?
o Semantic layer – what type of information is it? Is the information current or relating to the past or to the future?
o Pragmatic layer – what are the retention requirements? Is information historic or operational?

Using these attributes will allow the user to determine the level of protection and the protection mechanisms required.

Summary & Conclusions

o COBIT 5:
  - encourages and assists in meeting Stakeholder Needs for Information Security
  - has adopted the BMIS concepts of taking the Holistic view of an organisation
  - focuses on the business use of Information in any form or medium
  - separates information governance from management activity
  - relates to all frameworks, standards etc., e.g. ITIL; ISO2700x; ISF etc.

Summary & Conclusions

o COBIT 5 for Information Security:
  - will be a Practitioner Guide on using COBIT 5 for the specific discipline
  - supplements the Enablers of COBIT 5 with security-specific business & IT Objectives
  - adds security-specific governance and management activities
  - includes security-specific metrics
  - is currently under development with an expected release date of July, 2012

Dr. Derek J. Oliver
Ravenswood Consultants Ltd.
Ravenswood House, 148-150 Essex Way, South Benfleet, Essex, SS7 1LN
Tel: 01268 794556
Mob: 07768 363808
E-mail: [email protected]

And so Goodbye . . .