Use of the COBIT Security Baseline


Use of the COBIT Security Baseline as a framework for an information
security program at a large state agency. Presented at the 2005 MN Govt IT


1. COBIT
   Barry Caplin, Chief Information Security Officer, Minnesota Department of Human Services
   Christopher Buse, Information Technology Audit Manager, Minnesota Office of the Legislative Auditor

2. Agenda
   - Need for an Information Security governance framework
   - COBIT Framework overview
   - Use of COBIT in the audit process
   - Use of the COBIT Security Baseline at DHS

3. About Us
   - Barry Caplin
     - CISO for DHS
     - Member of ISACA, ISSA, InfraGard
     - CISSP, CISA, CISM, ISSMP
   - Christopher Buse
     - IT Audit Manager for OLA
     - Active in ISACA
     - CPA, CIA, CISA, CISSP

4. Information Security Governance: Why Adopt a Framework?

5. Information Security Governance
   - “a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations” –
   - Regulations – HIPAA, MGDPA, IRS, SSA, etc.
   - Establish a program
   - Based on standards and industry best practice

6. Information Security Governance
   - With Information Security Governance:
     - information security strategy supports the business
     - senior management supports information security
     - defined roles and responsibilities
     - reporting and communication

7. Information Security Governance
   - With Information Security Governance:
     - regulatory issues and their impact are understood
     - information security policies support business goals and objectives
     - procedures and guidelines support information security policies
     - Happiness is sure to follow!

8. Information Security Governance
   - Without Information Security Governance:
     - unclear security strategy inconsistently supports the business
     - senior management can’t understand or support information security
     - ad hoc roles and responsibilities
     - lack of reporting and communication

9. Information Security Governance
   - Without Information Security Governance:
     - JIT (just in time):
       - regulatory compliance efforts
       - information security policies
     - out of sync with the business
     - surprises
     - conflict

10. Information Security Governance: Who needs Security Governance? We do!

11. Industry Best Practice
    - What do we need?
    - Established and proven methodology
    - National or international acceptance
    - Ability to measure/audit

12. The 10,000 Foot View
    Diagram: Information Security Governance Hierarchy (Information Lifecycle Management, Compliance, Information Policy, Information Risk Management, Information Security Governance Framework)

13. COBIT: What’s it all About?

14. What is COBIT
    - Control Objectives for Information and Related Technology
    - Governance framework
      - Collection of controls that should be done at various levels in an organization
      - Outline of what must be done, not how
    - Supporting toolset
      - Management
      - Auditors

15. Strengths
    - Outstanding support
    - Incorporates work done by many others
    - Business focused
    - Publicly available

16. Support
    - Overseen by the IT Governance Institute
      - Nonprofit and vendor neutral
      - Heavily supported
      - Well represented by industry, academia, and government
    - COBIT R&D managed by a Steering Committee
      - Core team and working groups worldwide
      - Many expert reviewers
      - User feedback
    - Now in 4th edition

17. Information Sources
    - Over 40 recognized standards and best practices
    - Sources underlying version 4.0 changes
      - Committee of Sponsoring Organisations of the Treadway Commission
        - Internal Control—Integrated Framework, 1994
        - Enterprise Risk Management—Integrated Framework, 2004
      - Office of Government Commerce, IT Infrastructure Library, 1999-2004
      - ISO/IEC 17799, Code of Practice for Information Security Management
      - Software Engineering Institute
        - SEI Capability Maturity Model, 1993
        - SEI Capability Maturity Model Integration, 2000
      - Project Management Institute, Project Management Body of Knowledge
      - Information Security Forum, The Standard of Good Practice for Information Security, 2003

18. Business Focus
    - IT resources must be
      - managed through standard processes
      - to meet business requirements
    - Metrics and maturity models to measure performance
    - Responsibilities of business and IT process owners identified

19. COBIT Framework
    - 34 processes, grouped into 4 domains
      - Plan and Organize
      - Acquire and Implement
      - Deliver and Support
      - Monitor and Evaluate
    - Handout: PO7 Manage IT Human Resources

20. Products
    - Framework
      - Control Objectives
      - Control Practices
      - Management Guidelines
    - Assurance
      - IT Assurance Guide
      - Control Objectives for SOX
    - Governance
      - Implementation Guide
      - Quickstart
      - Security Baseline
      - Board Briefing

21. Cost

22. Still Interested?
    - Visit the COBIT website
    - Watch our local ISACA chapter for training opportunities

23. COBIT as an Audit Tool: Use of the COBIT Framework in the Office of the Legislative Auditor

24. Planning
    - COBIT Summary Table used to scope projects
      - Audit focus: data integrity and confidentiality
      - Question: which control processes have a primary or secondary impact?

25. Reporting
    - Criteria used to help draft report comments
    - Discussions about issue severity follow the maturity model format

26. COBIT as a Management Tool: Use of the COBIT Security Baseline at the Department of Human Services

27. MN DHS
    - Mission: helps people meet their basic needs so they can live in dignity and achieve their highest potential
    - Consumers include:
      - seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
      - families with children in a financial crisis
      - parents who need child support enforcement or child care money
      - people with physical or developmental disabilities who need assistance to live as independently as possible

28. MN DHS
    - Direct service through
      - DHHS – Deaf and Hard of Hearing Services
      - SOS – State Operated Services, which includes
        - RTCs – Regional Treatment Centers, including St. Peter, Moose Lake
        - Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
        - State-run group homes
        - New community-based treatment centers
        - State-run nursing home – Ah-Gwah-Ching

29. MN DHS
    - Administrations (Divisions)
      - CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
      - Chemical and Mental Health Services – including SOS
      - Health Care Administration and Operations
      - Continuing Care
      - FMO – Finance and Management Operations – including Information Security, IT

30. MN DHS
    - Programs are state-administered, county-delivered
      - Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
    - One of the largest state agencies
    - 2500 CO, 5000 SOS distributed staff
    - State and federal funding

31. COBIT Use in State
    - Chosen by the CISO/Security Domain team for statewide security implementation
    - Separate agency implementation
    - Additional technical standards chosen: PCI, OWASP

32. COBIT and Security
    - COBIT Security Baseline
    - Includes mapping to ISO 17799
    - Guide for DHS implementation
    - Identifies 39 “steps” (high-level projects)
    - Multiple sub-projects

33. Maturity Model
    - Measure the maturity of the team/unit/organization against the high-level control objectives. Are the processes:
      - 0 – Non-existent
      - 1 – Initial/Ad-Hoc
      - 2 – Repeatable but Intuitive
      - 3 – Defined Process
      - 4 – Managed and Measurable
      - 5 – Optimized

34. Initial Baseline
    - Assess maturity of the DHS Body of Policy and ISS projects and implementation using the Maturity Model
      - Self rating – ISS
      - “inner circle” units – central IT, MSD
      - Business customers – HCO, CFS, SOS, etc.

35. Implementation Steps
    - Review initial maturity assessments
    - Gap analysis
    - Selection of initial metrics
    - Prioritization of Phase 1 COBIT projects
    - Documentation
    - Implement Phase 1 projects
    - Assess
    - Iterate
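The first four implementation steps (review the maturity assessments from the three rating groups, gap analysis, prioritization) can be carried out mechanically once the ratings are collected. The script below is an added example, not part of the presentation or any DHS tooling: the ratings, the Phase 1 target level, and the rule that a step's consensus level is its weakest rating are all constructed assumptions.

```python
# Constructed gap analysis over COBIT Security Baseline steps (added example).
# Ratings use the 0-5 COBIT maturity model and come from the three rating
# groups named in the presentation: ISS self rating, "inner circle" IT units,
# and business customers. All numbers are placeholders, not DHS data.

MATURITY = {0: "Non-existent", 1: "Initial/Ad-Hoc", 2: "Repeatable but Intuitive",
            3: "Defined Process", 4: "Managed and Measurable", 5: "Optimized"}

# step -> {rating group -> maturity level}; constructed sample input
RATINGS = {
    "Step 1 - Define the Information Architecture": {"ISS": 3, "inner circle": 2, "business": 1},
    "Step 10 - Identify Automated Solutions": {"ISS": 2, "inner circle": 2, "business": 2},
    "Step 38 - Monitor Performance of Security Controls": {"ISS": 1, "inner circle": 1, "business": 0},
}
TARGET = 3  # assumed Phase 1 target: every step at "Defined Process"


def assess(ratings, target=TARGET):
    """Per step: consensus level, gap to target, and spread between rating groups."""
    result = {}
    for step, by_group in ratings.items():
        levels = by_group.values()
        level = min(levels)  # assumption: a process is only as mature as its weakest rating
        result[step] = {
            "level": level,
            "label": MATURITY[level],
            "gap": max(0, target - level),
            "disagreement": max(levels) - min(levels),  # large spread = raters need to talk
        }
    return result


def prioritize(assessment):
    """Phase 1 order: largest gap first, then widest disagreement, then name."""
    return sorted(assessment,
                  key=lambda s: (-assessment[s]["gap"], -assessment[s]["disagreement"], s))


if __name__ == "__main__":
    a = assess(RATINGS)
    for step in prioritize(a):
        r = a[step]
        print(f"{step}: level {r['level']} ({r['label']}), "
              f"gap {r['gap']}, disagreement {r['disagreement']}")
```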
36. Security Baseline Projects
    - Plan and Organize
    - Step 1 – Define the Information Architecture
      - Security requirements
      - Projects:
        - HIPAA Security Standard implementation
        - ZOCA II

37. Security Baseline Projects
    - Acquire and Implement
    - Step 10 – Identify Automated Solutions
      - Consider security risks of automated solutions
      - Projects:
        - Vendor Security Questionnaire
        - Risk Assessment
        - Vulnerability Assessment

38. Security Baseline Projects
    - Monitor and Evaluate
    - Step 38 – Monitor Performance of Security Controls
      - Periodically: assess controls, reassess exceptions, evaluate effectiveness, monitor compliance
      - Projects:
        - Vulnerability Assessment
        - IPW – Information Policy Workgroup
        - SPCR – Security Policy Compliance Review

39. Information Lifecycle Management *From

40. Supporting Work
    - Risk Analysis
    - Business Impact Analysis (BIA)
    - Business Continuity Plan (BCP/DRP)
    - Test Plans
    - Vulnerability Analysis
    - Incident Response Plan

41. Discussion?