Cobit 5 for Information Security

  1. COBIT 5 for Information Security: COBIT 5 Product Family (Source: COBIT 5 for Information Security, figure 1)
     • COBIT® 5
     • COBIT 5 Enabler Guides: COBIT® 5: Enabling Processes; COBIT® 5: Enabling Information; Other Enabler Guides
     • COBIT 5 Professional Guides: COBIT® 5 Implementation; COBIT® 5 for Information Security; COBIT® 5 for Assurance; COBIT® 5 for Risk; Other Professional Guides
     • COBIT 5 Online Collaborative Environment

     COBIT 5 Principles (Source: COBIT 5, figure 2)
     1. Meeting Stakeholder Needs
     2. Covering the Enterprise End-to-end
     3. Applying a Single Integrated Framework
     4. Enabling a Holistic Approach
     5. Separating Governance From Management

     ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA. Phone: +1.847.253.1545; Fax: +1.847.253.1443; Email: info@isaca.org; Web site: www.isaca.org
     ©2013 ISACA. All rights reserved.
  2. COBIT 5 Goals Cascade Overview (Source: COBIT 5, figure 4)
     • Stakeholder Drivers (Environment, Technology Evolution, …) influence Stakeholder Needs
     • Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
     • Stakeholder Needs cascade to Enterprise Goals
     • Enterprise Goals cascade to IT-related Goals
     • IT-related Goals cascade to Enabler Goals

     Selected Guidance From the COBIT 5 Family

     These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants.

     COBIT enables enterprises to maximize the value and minimize the risk related to information, which has become the currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical tools and models that can help any enterprise effectively address critical business issues related to the governance and management of information and technology. Additional information is available at www.isaca.org/cobit.
  3. Governance and Management in COBIT 5 (Source: COBIT 5, figure 8)
     • Governance Objective: Value Creation, comprising Benefits Realisation, Risk Optimisation and Resource Optimisation
     • Governance Enablers
     • Governance Scope
     • Roles, Activities and Relationships

     Key Roles, Activities and Relationships (Source: COBIT 5, figure 9)
     • Owners and Stakeholders delegate to the Governing Body; the Governing Body is accountable to Owners and Stakeholders
     • The Governing Body sets direction for Management; Management monitors and reports to the Governing Body
     • Management instructs and aligns Operations and Execution; Operations and Execution report to Management

     COBIT 5 Governance and Management Key Areas (Source: COBIT 5, figure 15)
     • Business Needs feed Governance
     • Governance: Evaluate, Direct, Monitor
     • Governance and Management exchange direction and Management Feedback
     • Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)
  4. Information Security Skills/Competencies (Source: COBIT 5 for Information Security, Figure 20)
     • Information security governance
     • Information security strategy formulation
     • Information risk management
     • Information security architecture development
     • Information security operations
     • Information assessment and testing and compliance

     Example Stakeholders for Information Security-related Information (Small/Medium Enterprise) (Source: COBIT 5 for Information Security, Figure 17)

     Information types: Policies; Information Security Dashboard; Information Risk Profile; Information Security Review Reports; Information Security Requirements; Information Security Plan; Information Security Budget; Information Security Strategy; Awareness Material; Information Security Service Catalogue

     Stakeholders
     • Internal: Enterprise: Chief executive officer (CEO); Chief financial officer (CFO); Chief information security officer (CISO); Information security steering committee (ISSC); Business process owner; Head of human resources (HR)
     • Internal: IT: Chief information officer (CIO)/IT manager; Information security manager (ISM)
     • External: Investors; Insurers; Business Partners; Vendors/Suppliers; Regulators; External Auditors

     Each cell of the figure indicates the nature of the relationship of the stakeholder to the information type: A—Approver; O—Originator; I—Informed of information type; U—User of information type. (The individual cell values of Figure 17 do not survive this transcript.)
  5. Advantages and Disadvantages of Potential Paths for Information Security Reporting (Source: COBIT 5 for Information Security, Figure 14)

     Chief executive officer (CEO)
       Advantages: Information risk is elevated to the highest level in the enterprise.
       Disadvantages: Information risk needs to be presented in a format that is understandable to the CEO. Given the multitude of responsibilities of the CEO, information risk might be monitored and managed at too high a level of abstraction or might not be fully understood in its relevant details.

     Chief information officer (CIO)
       Advantages: Information security issues and solutions can be aligned with all IT initiatives.
       Disadvantages: Information risk may not be addressed due to other IT initiatives and deadlines taking precedence over information security. There is a potential conflict of interest. The work performed by information security professionals may be IT-focussed and not information security-focussed. In other words, there may be an insufficient business focus.

     Chief financial officer (CFO)
       Advantages: Information security issues can be addressed from a financial business impact point of view.
       Disadvantages: Information risk may not be addressed due to financial initiatives and deadlines taking precedence over information security. There is a potential conflict of interest.

     Chief risk officer (CRO)
       Advantages: Information risk is elevated to a position that can also look at risk from strategic, financial, operational, reputational and compliance perspectives.
       Disadvantages: This role does not exist in most enterprises. It is most often found in financial service organisations. In enterprises in which a CRO is not present, organisational risk decisions may be decided by the CEO or board of directors.

     Chief technology officer (CTO)
       Advantages: Information security can be partnered and included in future technology road maps.
       Disadvantages: Information risk may not be addressed due to technology directions taking precedence over information security.

     Chief operating officer (COO)
       Advantages: Information security issues and solutions can be addressed from the standpoint of impact to the business’ operations.
       Disadvantages: Information risk may not be addressed due to operational initiatives and deadlines taking precedence over information security.

     Board of directors (indirect report)
       Advantages: Information risk is elevated to the highest level in the enterprise.
       Disadvantages: Information risk needs to be presented in a format that is understandable to board members, and hence may become too high-level to be relevant.

     Policy Framework (Source: COBIT 5 for Information Security, Figure 10)
     • Policy Framework Input: Information Security Principles; Mandatory Information Security Standards, Frameworks and Models; Generic Information Security Standards, Frameworks and Models; Information Security Requirements and Documentation
     • Information Security Policy
     • Specific Information Security Policies
     • Information Security Procedures
  6. COBIT 5 Process Reference Model (Source: COBIT 5, figure 16)

     Processes for Governance of Enterprise IT
     Evaluate, Direct and Monitor
     • EDM01 Ensure Governance Framework Setting and Maintenance
     • EDM02 Ensure Benefits Delivery
     • EDM03 Ensure Risk Optimisation
     • EDM04 Ensure Resource Optimisation
     • EDM05 Ensure Stakeholder Transparency

     Processes for Management of Enterprise IT
     Align, Plan and Organise
     • APO01 Manage the IT Management Framework
     • APO02 Manage Strategy
     • APO03 Manage Enterprise Architecture
     • APO04 Manage Innovation
     • APO05 Manage Portfolio
     • APO06 Manage Budget and Costs
     • APO07 Manage Human Resources
     • APO08 Manage Relationships
     • APO09 Manage Service Agreements
     • APO10 Manage Suppliers
     • APO11 Manage Quality
     • APO12 Manage Risk
     • APO13 Manage Security

     Build, Acquire and Implement
     • BAI01 Manage Programmes and Projects
     • BAI02 Manage Requirements Definition
     • BAI03 Manage Solutions Identification and Build
     • BAI04 Manage Availability and Capacity
     • BAI05 Manage Organisational Change Enablement
     • BAI06 Manage Changes
     • BAI07 Manage Change Acceptance and Transitioning
     • BAI08 Manage Knowledge
     • BAI09 Manage Assets
     • BAI10 Manage Configuration

     Deliver, Service and Support
     • DSS01 Manage Operations
     • DSS02 Manage Service Requests and Incidents
     • DSS03 Manage Problems
     • DSS04 Manage Continuity
     • DSS05 Manage Security Services
     • DSS06 Manage Business Process Controls

     Monitor, Evaluate and Assess
     • MEA01 Monitor, Evaluate and Assess Performance and Conformance
     • MEA02 Monitor, Evaluate and Assess the System of Internal Control
     • MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
  7. COBIT 5 Enterprise Enablers (Source: COBIT 5, figure 12)
     1. Principles, Policies and Frameworks
     2. Processes
     3. Organisational Structures
     4. Culture, Ethics and Behaviour
     5. Information (Resource)
     6. Services, Infrastructure and Applications (Resource)
     7. People, Skills and Competencies (Resource)

     COBIT 5 Enablers: Generic (Source: COBIT 5, figure 13)
     Enabler Dimensions
     • Stakeholders: Internal Stakeholders; External Stakeholders
     • Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
     • Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
     • Good Practices: Practices; Work Products (Inputs/Outputs)

     Enabler Performance Management
     • Are Stakeholder Needs Addressed? Are Enabler Goals Achieved? (Metrics for Achievement of Goals, Lag Indicators)
     • Is Life Cycle Managed? Are Good Practices Applied? (Metrics for Application of Practice, Lead Indicators)
  8. The Seven Phases of the Implementation Life Cycle (Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6)

     Rings: Programme management (outer ring); Change enablement (middle ring); Continual improvement life cycle (inner ring).

     1. What are the drivers? Initiate programme; Establish desire to change; Recognise need to act
     2. Where are we now? Define problems and opportunities; Form implementation team; Assess current state
     3. Where do we want to be? Define road map; Communicate outcome; Define target state
     4. What needs to be done? Plan programme; Identify role players; Build improvements
     5. How do we get there? Execute plan; Operate and use; Implement improvements
     6. Did we get there? Realise benefits; Embed new approaches; Operate and measure
     7. How do we keep the momentum going? Review effectiveness; Sustain; Monitor and evaluate

     Summary of the COBIT 5 Process Capability Model (Source: COBIT 5, figure 19)

     Generic Process Capability Attributes
     • Level 0: Incomplete Process
     • Level 1: Performed Process; Performance Attribute (PA) 1.1 Process Performance
     • Level 2: Managed Process; PA 2.1 Performance Management; PA 2.2 Work Product Management
     • Level 3: Established Process; PA 3.1 Process Definition; PA 3.2 Process Deployment
     • Level 4: Predictable Process; PA 4.1 Process Measurement; PA 4.2 Process Control
     • Level 5: Optimising Process; PA 5.1 Process Innovation; PA 5.2 Process Optimisation

     COBIT 5 Process Assessment Model—Performance Indicators: Process Outcomes; Base Practices (Management/Governance Practices); Work Products (Inputs/Outputs)
     COBIT 5 Process Assessment Model—Capability Indicators: Generic Practices; Generic Resources; Generic Work Products
