CISSPills #3.02
CISSPills are short presentations covering topics to study in order to prepare for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be another companion for self-paced students.

Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that make up the CISSP.


Domain 3: Information Security Governance and Risk Management
- Security and Audit Frameworks and Methodologies
- CobiT
- Frameworks Relationship
- ISO/IEC 27000 Series

Published in: Education, Technology
  • 1. DOMAIN 3: Information Security Governance and Risk Management # 3.02
  • 2. CISSPills: Table of Contents
    - Security and Audit Frameworks and Methodologies
    - COSO
    - CobiT
    - Frameworks Relationship
    - ITIL
    - ISO/IEC 27000 Series
  • 3. CISSPills: Security and Audit Frameworks and Methodologies
    A lot of frameworks and methodologies have been developed to support security, auditing and risk assessment of implemented security controls. These resources help during the design and testing of a Security Program (ISMS) (see CISSPills #3.01).
    Some of the frameworks, even if not initially intended for Information Security, have proved to be valuable tools for security professionals and consequently were adopted in that context.
  • 4. CISSPills: COSO
    The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed this framework in 1985.
    COSO is a corporate governance model which deals with non-IT topics, such as board of director responsibilities, internal communications, etc. It is focused on fraudulent financial reporting and provides companies, auditors, the SEC and other regulators with recommendations to address financial reporting and disclosure objectives.
    The Sarbanes-Oxley Act (SOX) is a U.S. Federal Law that sets new or enhanced standards for the accuracy of the financial information of a public company, as well as the penalties for fraudulent financial activities.
    SOX is based upon the COSO model, so companies have to follow this model in order to be SOX-compliant.
  • 5. CISSPills: CobiT
    The Control Objectives for Information and related Technology (CobiT) is a control-based framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). CobiT is derived from the COSO framework and deals with IT governance.
    The main goal of the framework is to provide process owners with a toolset for the governance and management of Enterprise IT, so that it maps to business needs.
    IT Governance allows an organization to:
    - Achieve strategic goals and experience business benefits through the effective use of IT;
    - Achieve operational excellence through a reliable and efficient application of the technology;
    - Maintain IT-related risk at an acceptable level;
    - Optimize the cost of IT services and technology;
    - Support compliance with relevant laws, regulations and policies.
  • 6. CISSPills: CobiT (cont’d)
    CobiT provides a toolset containing:
    - A set of generic processes to manage IT;
    - A set of tools related to the processes (controls, metrics, analytical tools and maturity models).
    It allows an organization to accomplish the following:
    - Linking IT goals with business requirements;
    - Arranging the IT function according to a generally accepted model of processes;
    - Defining the control objectives;
    - Providing a maturity model to measure the achievements;
    - Defining measurable goals based upon Balanced Scorecard principles.
  • 7. CISSPills: CobiT (cont’d)
    CobiT is made up of the following components:
    - Framework: IT governance objectives and good practices arranged by IT domains and processes, and linked to business requirements;
    - Processes: a set of generally accepted processes into which the IT function can be split. CobiT defines 34 processes, each of them associated with one of the 4 domains into which CobiT breaks down IT: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate;
    - Control objectives: a set of objectives, arranged by process, that the chosen controls (e.g. account management) have to meet;
    - Management guidelines: resources to help assign responsibility, agree on objectives, measure performance and illustrate interrelationships with other processes;
    - Maturity models: tools to assess maturity and capability per process and to help address gaps.
  • 8. CISSPills: Frameworks Relationship
    (Diagram with three boxes: SOX (Federal Law), COSO (Corporate Governance) and CobiT (IT Governance). The arrows are labelled "used to comply with" from COSO to SOX, "mapped by ITGI with COSO" from CobiT to COSO, and "used to comply with" from CobiT to SOX.)
  • 9. CISSPills: ITIL
    The Information Technology Infrastructure Library (ITIL) is the most used framework for IT Service Management. It’s based on best practices and allows an organization to:
    - Identify
    - Plan
    - Deliver
    - Support
    the IT services the business relies on.
    ITIL was developed because of the ever-increasing dependency between IT and business.
  • 10. CISSPills: ITIL (cont’d)
    A service is something that provides “value” to customers (internal or external). One example is the payroll service, which depends on an IT infrastructure (storage, DBs, etc.). ITIL handles services in a holistic fashion, so that the IT architecture is also taken into account. This approach considers every aspect of a service and helps assure proper service levels.
    Services must be aligned with the business and have to sustain its fundamental processes. ITIL helps organizations use IT to ease the changes, transformations and growth of the business.
  • 11. CISSPills: ISO/IEC 27000 Series
    The ISO/IEC 27000 series (formerly known as BS7799) is a set of standards that outlines how to develop and maintain an ISMS. Its goal is to help organizations centrally manage the security controls deployed throughout the enterprise. Without an ISMS, controls are implemented individually and don’t follow a holistic approach.
    The series is split into several standards, each of them addressing a specific requirement (e.g. 27033-1 - network security, 27035 - incident management handling, etc.).
    ISO/IEC 27001:2005 is the standard organizations have to follow (and are assessed against) if they want their ISMS to adhere to ISO 27001. Being compliant means that the organization has put in place an effective ISMS able to assure the security of the information from several standpoints (physical, logical, organizational, etc.) and the reduction and/or prevention of threats.
  • 12. CISSPills: ISO/IEC 27000 Series (cont’d)
    This framework relies on PDCA (Plan-Do-Check-Act), a four-step iterative cycle which allows continuous improvement of the process: the results of a step can be used to feed the next one, with each cycle leading closer to the goal.
    - Plan: aimed at establishing goals and plans;
    - Do: aimed at implementing the plans identified in the previous step;
    - Check: aimed at measuring the results in order to understand if objectives are met;
    - Act: aimed at determining where to apply changes in order to achieve improvements.
  • 13. CISSPills: That’s all Folks!
    We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them.
    For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> gmail <dot> com
    More resources:
    - Stay tuned on for the next issues;
    - Join ”CISSP Study Group Italia” if you are preparing for your exam.
    Brought to you by Pierluigi Falcone. More info about me at