CISSPills #3.02


CISSPills are short presentations covering topics to study in order to prepare for the CISSP exam. CISSPills is a digest of my notes and is not meant to replace a study book; it is only meant to be just another companion for self-paced students.

Every issue covers different topics of the CISSP CBK (Common Body of Knowledge), and the goal is to address all 10 domains which compose the CISSP.


Domain 3: Information Security Governance and Risk Management
- Security and Audit Frameworks and Methodologies
- CobiT
- Frameworks Relationship
- ISO/IEC 27000 Series


1. DOMAIN 3: Information Security Governance and Risk Management # 3.02

2. Table of Contents
- Security and Audit Frameworks and Methodologies
- COSO
- CobiT
- Frameworks Relationship
- ITIL
- ISO/IEC 27000 Series

3. Security and Audit Frameworks and Methodologies
Many frameworks and methodologies have been developed to support security, auditing and the risk assessment of implemented security controls. These resources help during the design and testing of a Security Program, i.e. an Information Security Management System (ISMS) (see CISSPills #3.01). Some of these frameworks, even if not initially intended for Information Security, have proved to be valuable tools for security professionals and were consequently adopted in that context.
4. COSO
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed in 1985 and published its Internal Control - Integrated Framework in 1992. COSO is a corporate governance model which deals with non-IT topics, such as board of director responsibilities, internal communications, etc. It is focused on fraudulent financial reporting and provides companies, auditors, the SEC and other regulators with recommendations to address financial reporting and disclosure objectives. The Sarbanes-Oxley Act (SOX) is a U.S. Federal Law that sets new or enhanced standards for the accuracy of the financial information of public companies, as well as the penalties for fraudulent financial activities. SOX compliance is commonly assessed against the COSO model, so companies adopt this model in order to be SOX-compliant.
5. CobiT
The Control Objectives for Information and related Technology (CobiT) is a control-based framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). CobiT is derived from the COSO framework and deals with IT governance. The main goal of the framework is to provide process owners with a toolset for the governance and management of Enterprise IT, so that IT maps to business needs. IT Governance allows an organization to:
- Achieve strategic goals and realize business benefits through the effective use of IT;
- Achieve operational excellence through a reliable and efficient application of the technology;
- Maintain IT-related risk at an acceptable level;
- Optimize the cost of IT services and technology;
- Support compliance with relevant laws, regulations and policies.

6. CobiT (cont'd)
CobiT provides a toolset containing:
- A set of generic processes to manage IT;
- A set of tools related to the processes (controls, metrics, analytical tools and maturity models).
It allows an organization to accomplish the following:
- Link IT goals with business requirements;
- Arrange the IT function according to a generally accepted model of processes;
- Define the control objectives;
- Provide a maturity model to measure achievements;
- Define measurable goals based upon Balanced Scorecard principles.

7. CobiT (cont'd)
CobiT (version 4.1) is made up of the following components:
- Framework: IT governance objectives and good practices arranged by IT domains and processes, and linked to business requirements;
- Processes: a set of generally accepted processes into which the IT function can be split. CobiT defines 34 processes, each associated with one of the 4 domains into which CobiT breaks down IT: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate;
- Control objectives: a set of objectives, arranged by process, that the chosen controls (e.g. account management) have to meet;
- Management guidelines: resources that help in assigning responsibility, agreeing on objectives, measuring performance and illustrating the interrelationships with other processes;
- Maturity models: tools to assess maturity and capability per process and to help address gaps.
8. Frameworks Relationship
(diagram on the slide, reproduced as text)
- SOX (Federal Law): the regulation to comply with;
- COSO (Corporate Governance): used to comply with SOX;
- CobiT (IT Governance): mapped by ITGI onto COSO, and used to comply with SOX for the IT controls.
9. ITIL
The Information Technology Infrastructure Library (ITIL) is the most widely used framework for IT Service Management. It is based on best practices and allows an organization to:
- Identify
- Plan
- Deliver
- Support
the IT services the business relies on. ITIL was developed because of the ever-increasing dependency between IT and the business.

10. ITIL (cont'd)
A service is something that provides "value" to the customers (internal or external). One example is the payroll service, which depends on an IT infrastructure (storage, DBs, etc.). ITIL handles services in a holistic fashion, so that the IT architecture is also taken into account. This kind of approach allows every aspect of a service to be considered and proper service levels to be assured. Services must be aligned with the business and have to sustain its fundamental processes. ITIL helps organizations use IT to ease the changes, transformations and growth of the business.
11. ISO/IEC 27000 Series
The ISO/IEC 27000 series (which grew out of the British standard BS 7799) is a set of standards that outlines how to develop and maintain an ISMS. Its goal is to help organizations centrally manage the security controls deployed throughout the enterprise. Without an ISMS, controls are implemented individually and do not follow a holistic approach. The series is split into several standards, each addressing a specific requirement (e.g. 27033-1 - network security overview, 27035 - information security incident management, etc.). ISO/IEC 27001 (the 2005 edition at the time of these notes; since revised in 2013 and 2022) is the standard organizations have to follow, and are assessed against, if they want their ISMS to be certified against ISO 27001. Being certified means that the organization has put in place an effective ISMS able to assure the security of its information from several standpoints (physical, logical, organizational, etc.) and the reduction and/or prevention of threats. Note that the code of practice listing the actual controls is ISO/IEC 27002; 27001 specifies the management system requirements.

12. ISO/IEC 27000 Series (cont'd)
This framework relies on PDCA (Plan-Do-Check-Act), a four-step iterative cycle which allows continuous improvement of the process: the results of one step feed the next one, with each cycle leading closer to the goal.
- Plan: aimed at establishing goals and plans;
- Do: aimed at implementing the plans identified in the previous step;
- Check: aimed at measuring the results in order to understand whether objectives are met;
- Act: aimed at determining where to apply changes in order to achieve improvements.
(ISO/IEC 27001:2005 explicitly prescribed PDCA; later editions require continual improvement without mandating a specific model, but PDCA remains the usual way to explain it.)
13. That's all Folks!
We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at: cisspills <at> outlook <dot> com
More resources:
- Stay tuned for the next issues;
- Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on Contact Details