COBIT Barry Caplin Chief Information Security Officer Minnesota Department of Human Services Christopher Buse Information Technology Audit Manager Minnesota Office of the Legislative Auditor

Agenda Need for an Information Security governance framework COBIT Framework overview Use of COBIT in the audit process Use of the COBIT Security Baseline at DHS

Need for an Information Security governance framework

COBIT Framework overview

Use of COBIT in the audit process

Use of the COBIT Security Baseline at DHS

About Us Barry Caplin CISO for DHS Member of ISACA, ISSA, InfraGard CISSP, CISA, CISM, ISSMP Christopher Buse IT Audit Manager for OLA Active in ISACA CPA, CIA, CISA, CISSP

Barry Caplin

CISO for DHS

Member of ISACA, ISSA, InfraGard

CISSP, CISA, CISM, ISSMP

Christopher Buse

IT Audit Manager for OLA

Active in ISACA

CPA, CIA, CISA, CISSP

Information Security Governance Why Adopt a Framework?

Information Security Governance “ a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations” – www.isaca.org Regulations – HIPAA, MGDPA, IRS, SSA, etc. Establish a program Based on Standards, Industry Best Practice

“ a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations” – www.isaca.org

Regulations – HIPAA, MGDPA, IRS, SSA, etc.

Establish a program

Based on Standards, Industry Best Practice

Information Security Governance With Information Security Governance: information security strategy supports business senior management supports information security defined roles and responsibilities reporting and communication

With Information Security Governance:

information security strategy supports business

senior management supports information security

defined roles and responsibilities

reporting and communication

Information Security Governance With Information Security Governance: regulatory issues and impact understood information security policies support business goals and objectives procedures and guidelines support information security policies Happiness is sure to follow!

With Information Security Governance:

regulatory issues and impact understood

information security policies support business goals and objectives

procedures and guidelines support information security policies

Happiness is sure to follow!

Information Security Governance Without Information Security Governance: unclear security strategy inconsistently supports business senior management can’t understand or support information security Ad hoc roles and responsibilities Lack of reporting and communication

Without Information Security Governance:

unclear security strategy inconsistently supports business

senior management can’t understand or support information security

Ad hoc roles and responsibilities

Lack of reporting and communication

Information Security Governance Without Information Security Governance: JIT: regulatory compliance efforts information security policies Out of sync with business Surprises Conflict

Without Information Security Governance:

JIT:

regulatory compliance efforts

information security policies

Out of sync with business

Surprises

Information Security Governance Who needs Security Governance? We do!

Industry Best Practice What do we need? Established and Proven methodology National or International acceptance Ability to Measure/Audit

What do we need?

Established and Proven methodology

National or International acceptance

Ability to Measure/Audit

The 10000 Foot View Information Security Governance Hierarchy Information Lifecycle Management Compliance Information Policy Information Risk Management Information Security Governance Framework

COBIT What’s it all About?

What is COBIT C ontrol Ob jectives For I nformation and Related T echnology Governance framework Collection of controls that should be done at various levels in an organization Outline of what must be done, not how Supporting toolset Management Auditors

C ontrol Ob jectives For I nformation and Related T echnology

Governance framework

Collection of controls that should be done at various levels in an organization

Outline of what must be done, not how

Supporting toolset

Management

Auditors

Strengths Outstanding support Incorporates work done by many others Business focused Publicly available

Outstanding support

Incorporates work done by many others

Business focused

Publicly available

Support Overseen by the IT Governance Institute Nonprofit and vendor neutral Heavily supported Well represented by industry, academia, & government COBIT R&D managed by a Steering Committee Core team and working groups worldwide Many expert reviewers User feedback Now in 4 th edition

Overseen by the IT Governance Institute

Nonprofit and vendor neutral

Heavily supported

Well represented by industry, academia, & government

COBIT R&D managed by a Steering Committee

Core team and working groups worldwide

Many expert reviewers

User feedback

Now in 4 th edition

Information Sources Over 40 recognized standards and best practices Sources underlying version 4.0 changes Committee of Sponsoring Organisations of the Treadway Commission Internal Control—Integrated Framework, 1994 Enterprise Risk Mangement—Integrated Framework, 2004 Office of Government Commerce, IT Infrastructure Library, 1999-2004 ISO/IEC 17799, Code of Practice for Information Security Management Software Engineering Institute SEI Capability Maturity Model, 1993 SEI Capability Maturity Model Integration, 2000 Project Management Institute, Project Management Body of Knowledge Information Security Forum, The Standard of Good Practice for Information Security, 2003

Over 40 recognized standards and best practices

Sources underlying version 4.0 changes

Committee of Sponsoring Organisations of the Treadway Commission

Internal Control—Integrated Framework, 1994

Enterprise Risk Mangement—Integrated Framework, 2004

Office of Government Commerce, IT Infrastructure Library, 1999-2004

ISO/IEC 17799, Code of Practice for Information Security Management

Software Engineering Institute

SEI Capability Maturity Model, 1993

SEI Capability Maturity Model Integration, 2000

Project Management Institute, Project Management Body of Knowledge

Information Security Forum, The Standard of Good Practice for Information Security, 2003

Business Focus IT resources must be Managed through standard processes To meet business requirements Metrics and maturity models to measure performance Responsibilities of business and IT process owners identified

IT resources must be

Managed through standard processes

To meet business requirements

Metrics and maturity models to measure performance

Responsibilities of business and IT process owners identified

COBIT Framework 34 processes, grouped into 4 domains Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate Handout: P07 Manage IT Human Resources

34 processes, grouped into 4 domains

Plan and Organize

Acquire and Implement

Deliver and Support

Monitor and Evaluate

Handout: P07 Manage IT Human Resources

Products Framework Control Objectives Control Practices Management Guidelines Assurance IT Assurance Guide Control Objectives for SOX Governance Implementation Guide Quickstart Security Baseline Board Briefing

Framework

Control Objectives

Control Practices

Management Guidelines

Assurance

IT Assurance Guide

Control Objectives for SOX

Governance

Implementation Guide

Quickstart

Security Baseline

Board Briefing

Cost

Still Interested Visit the COBIT Website http://www.isaca.org Watch our local ISACA chapter for training opportunities http://www.mnisaca.org

Visit the COBIT Website

http://www.isaca.org

Watch our local ISACA chapter for training opportunities

http://www.mnisaca.org

COBIT as an Audit Tool Use of the COBIT Framework in the Office of the Legislative Auditor

Planning COBIT Summary Table used to scope projects Audit Focus: Data integrity and confidentiality Question: What control processes have a primary or secondary impact

COBIT Summary Table used to scope projects

Audit Focus: Data integrity and confidentiality

Question: What control processes have a primary or secondary impact

Reporting Criteria used to help draft report comments Discussions about issue severity follow maturity model format

Criteria used to help draft report comments

Discussions about issue severity follow maturity model format

COBIT as a Management Tool Use of the COBIT Security Baseline at the Department of Human Services

MN DHS Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential Consumers include: seniors who need help paying for hospital and nursing home bills or who need home-delivered meals families with children in a financial crisis parents who need child support enforcement or child care money people with physical or developmental disabilities who need assistance to live as independently as possible

Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential

Consumers include:

seniors who need help paying for hospital and nursing home bills or who need home-delivered meals

families with children in a financial crisis

parents who need child support enforcement or child care money

people with physical or developmental disabilities who need assistance to live as independently as possible

MN DHS Direct service through DHHS – Deaf and Hard of Hearing Services SOS – State Operated Services includes RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options) State-run group homes New community-based treatment centers State-run nursing home – Ah-Gwah-Ching

Direct service through

DHHS – Deaf and Hard of Hearing Services

SOS – State Operated Services includes

RTC’s – Regional Treatment Centers, including St. Peter, Moose Lake

Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)

State-run group homes

New community-based treatment centers

State-run nursing home – Ah-Gwah-Ching

MN DHS Administrations (Divisions) CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility Chemical and Mental Health Services– including SOS Health Care Administration and Operations Continuing Care FMO – Finance and Management Operations – including Information Security, IT

Administrations (Divisions)

CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility

Chemical and Mental Health Services– including SOS

Health Care Administration and Operations

Continuing Care

FMO – Finance and Management Operations – including Information Security, IT

MN DHS Programs are state-administered, county-delivered Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services One of the largest state agencies 2500 CO, 5000 SOS distributed staff State and Federal funding

Programs are state-administered, county-delivered

Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services

One of the largest state agencies

2500 CO, 5000 SOS distributed staff

State and Federal funding

COBIT Use in State Chosen by CISO/Security Domain team for statewide security implementation Separate agency implementation Additional technical standards chosen: PCI, OWASP

Chosen by CISO/Security Domain team for statewide security implementation

Separate agency implementation

Additional technical standards chosen: PCI, OWASP

COBIT and Security COBIT Security Baseline Includes mapping to ISO17799 Guide for DHS implementation Identifies 39 “steps” (high-level projects) Multiple sub-projects

COBIT Security Baseline

Includes mapping to ISO17799

Guide for DHS implementation

Identifies 39 “steps” (high-level projects)

Multiple sub-projects

Maturity Model Measure the maturity of the team/unit/organization to the high level control objectives. Are the processes: 0 – non-existent 1 – Initial/Ad-Hoc 2 – Repeatable but Intuitive 3 – Defined Process 4 – Managed and Measurable 5 – Optimized

Measure the maturity of the team/unit/organization to the high level control objectives. Are the processes:

0 – non-existent

1 – Initial/Ad-Hoc

2 – Repeatable but Intuitive

3 – Defined Process

4 – Managed and Measurable

5 – Optimized

Initial Baseline Assess maturity of DHS Body of Policy and ISS projects and implementation using Maturity Model Self rating - ISS “ inner circle” units – central IT, MSD Business customers – HCO, CFS, SOS, etc.

Assess maturity of DHS Body of Policy and ISS projects and implementation using Maturity Model

Self rating - ISS

“ inner circle” units – central IT, MSD

Business customers – HCO, CFS, SOS, etc.

Implementation Steps Review initial maturity assessments Gap analysis Selection of initial metrics Prioritization of Phase 1 COBIT projects Documentation Implement Phase 1 projects Assess Iterate

Review initial maturity assessments

Gap analysis

Selection of initial metrics

Prioritization of Phase 1 COBIT projects

Documentation

Implement Phase 1 projects

Assess

Iterate

Security Baseline Projects Plan and Organize Step 1 - Define the Information Architecture Security requirements Projects: HIPAA Security Standard implementation ZOCA II

Plan and Organize

Step 1 - Define the Information Architecture

Security requirements

Projects:

HIPAA Security Standard implementation

ZOCA II

Security Baseline Projects Acquire and Implement Step 10 – Identify Automated Solutions Consider security risks of automated solutions Projects: Vendor Security Questionnaire Risk Assessment Vulnerability Assessment

Acquire and Implement

Step 10 – Identify Automated Solutions

Consider security risks of automated solutions

Projects:

Vendor Security Questionnaire

Risk Assessment

Vulnerability Assessment

Security Baseline Projects Monitor and Evaluate Step 38 – Monitor Performance of Security Controls Periodically: Assess Controls, Reassess Exceptions, Evaluate Effectiveness, Monitor Compliance Projects: Vulnerability Assessment IPW – Information Policy Workgroup SPCR – Security Policy Compliance Review

Monitor and Evaluate

Step 38 – Monitor Performance of Security Controls

Periodically: Assess Controls, Reassess Exceptions, Evaluate Effectiveness, Monitor Compliance

Projects:

Vulnerability Assessment

IPW – Information Policy Workgroup

SPCR – Security Policy Compliance Review

Information Lifecycle Management *From http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/gingras.ppt

Supporting Work Risk Analysis Business Impact Analysis (BIA) Business Continuity Plan (BCP/DRP) Test Plans Vulnerability Analysis Incident Response Plan

Risk Analysis

Business Impact Analysis (BIA)

Business Continuity Plan (BCP/DRP)

Test Plans

Vulnerability Analysis

Incident Response Plan

Discussion?