COBIT Approach To Maintain Healthy
Cybersecurity Status Using NIST - CSF
By:
Aqel M. Aqel, CISA, MBA, CSSGB, SMP, CRISC, CGEIT
ISACA – Riyadh Chapter
28-Sep-2017
AMMAN’S SECOND CYBERSECURITY FORUM
Agenda
• Brief about ISACA & COBIT 5 (2012)
• A few messages to security leaders
• How COBIT lends itself to cybersecurity
• Questions & answers
Information Systems Audit and Control Association
(www.isaca.org)
• Established: 1969
• Engaged Professionals: More than 520,000
• Members: More than 130,000 in 188 countries
• Members and Certification-Holders: More than 159,000
• Chapters: More than 215 in various cities
• Student Groups: More than 80
Source: http://www.isaca.org/About-ISACA/Press-room/Documents/2017-ISACA-Fact-Sheet_pre_eng_0517.pdf
ISACA Professional Certifications
Source: http://www.isaca.org/About-ISACA/Press-room/Documents/2017-ISACA-Fact-Sheet_pre_eng_0517.pdf
Certification | Established | Certified
Certified Information Systems Auditor (CISA) | 1978 | 130,000
Certified Information Security Manager (CISM) | 2002 | 34,000
Certified in the Governance of Enterprise IT (CGEIT) | 2007 | 7,000
Certified in Risk and Information Systems Control (CRISC) | 2010 | 20,000
CSX Practitioner (CSXP), a performance-based certification | 2015 | -
A Few Messages for Security Leaders
IT & Business Convergence
• IT is more than a business enabler.
• IT derives value through innovation that has reshaped competitive advantage in many industries.
• Both business and IT have to accept this new, inevitable role and then work to achieve it.
Understand business needs and impacts
• Who knows how will always find a job; who knows why will be his manager.
• How do we justify investments in cybersecurity?
Strategic thinking is systems thinking
• Deal with the parts while thinking of the whole.
• Cybersecurity is not only about technology.
• Excellence in certain parts of cybersecurity is only a leading indicator; it can grow the illusion of being over-secured.
The Grandeur of Articulation
• Grandeur means "impressive".
• Everybody is fond of his own theory.
• "There is nothing so practical as a good theory." Kurt Lewin (1890-1947)
• "Simplicity is the ultimate sophistication." Attributed to Leonardo da Vinci (1452-1519)
Departmentalization of Things
• An organization is a complicated system of processes and people.
• Managers are tempted to institutionalize new, modern concepts by inserting new functions and units.
See https://www.linkedin.com/pulse/departmentalization-things-aqel-aqel
This is why we need IT Governance
Why we need IT governance
• What is governance?
• Why do we need it?
• A set of practices to sustain and control organizations, covering both:
  • Conformance
  • Performance
• What is IT governance?
Source: Aqel M. Aqel
Introduction – Vocabulary
• Governance comes from the ancient Greek kubernan, i.e. to steer a ship.
• Its Latin form: gubernare
• Dictionary meanings: control, rule, restrain, reign, audit, be attentive, check, collate, direct, examine, mind, moderate, oversee, pay attention, review, supervise, verify, watch out
Without Clear Destination (Goals) No Meaning For Governance
• The Arabic root ح-ك-م carries the same range of meanings: حَكَمَ / يَحْكُمُ (to judge, to rule)
• حُكْم (judgement, rule)
• حَاكِم (ruler, governor)
• تَحَكُّم (control)
• اِحْتَكَمَ (to submit a matter to a judge or arbiter)
• حُكُومَة (government)
Introduction to COBIT
• COBIT is a business framework for the governance and management of enterprise IT.
• COBIT aims to ensure "value creation" for the various groups of stakeholders, meaning that:
1. Their needs, wishes and concerns have been addressed and agreed upon.
2. Benefits are achieved while maintaining risk at acceptable levels.
3. Investments and resources are optimised and used responsibly.
Source: COBIT 5, 2012, ISACA
What is COBIT
• COBIT considers both performance and conformance in the governance of enterprise IT (GEIT).
• COBIT is about the rational use of controls.
• It breaks down the complexity of IT governance into a structured set of governance and management objectives, achieved through a set of enablers:
• 5 IT governance processes (the EDM domain)
• 32 IT management processes (the APO, BAI, DSS and MEA domains)
• Together holding 200+ management practices
• Measurable for process capability (what earlier COBIT versions called maturity) using ISO/IEC 15504, hence auditable.
COBIT originally stood for Control Objectives for Information and Related Technologies.
Source: COBIT 5 Framework, 2012, ISACA
Cybersecurity should realize business goals
The Balanced Scorecard: COBIT 5 enterprise goals
Financial
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
Internal
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
Learning and Growth
16. Skilled and motivated people
17. Product and business innovation culture
Similarly, COBIT articulates 17 IT-related goals
Financial
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
Customer
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
Internal
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
Learning and Growth
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation
Cascading Business Objectives to IT Objectives
Example
• The enterprise goals:
• (03) Managed business risk (safeguarding of assets)
• (04) Compliance with external laws and regulations
• (07) Business service continuity and availability
• (15) Compliance with internal policies
• are mapped to the IT-related goal:
• (10) Security of information, processing infrastructure and applications
• That IT-related goal is in turn mapped to a set of enabling processes (see next slide).
[Figure: enterprise goals cascading to IT-related goals]
IT-related goal (10) Security of information, processing infrastructure and applications is mapped to a set of enabling processes
Primary mapping:
• EDM03 Ensure Risk Optimisation
• APO12 Manage Risk
• APO13 Manage Security
• BAI06 Manage Changes
• DSS05 Manage Security Services (also primary for this goal in COBIT 5, Appendix C)
Secondary mapping:
• EDM01 Ensure Governance Framework Setting and Maintenance
• APO01 Manage the IT Management Framework
• APO03 Manage Enterprise Architecture
• APO07 Manage Human Resources
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• BAI02 Manage Requirements Definition
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS04 Manage Continuity
• DSS06 Manage Business Process Controls
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
• COBIT will never leave you in a void: it is as much theoretical as pragmatic in proposing the right actions to pursue.
• Each of these processes in turn consists of many management practices.
[Figure: IT-related goal (10) cascading to COBIT processes]
Each COBIT process is described following ISO/IEC 15504:
• Process description
• Purpose statement
• IT-related goals and metrics (KPIs)
• Process goals and metrics
• Proposed management practices, based on best practices
Management practices have defined inputs, outputs and activities.
Example: BAI10.01 Establish and Maintain a Configuration Model
ISO/IEC 15504 and the Process Assessment Model
Process structure:
• Name
• Description
• Purpose statement
• IT-related goals
• Process goals and metrics (KPIs)
• Key practices and their respective RACI matrix
  • Name and description
  • Inputs and outputs
  • Activities
• Capability levels
Source: ISO/IEC 15504:2012, ISACA 2017
The Power of the COBIT Implementation Methodology
• Specially designed to support organizational change
• Comprehensive: cybersecurity is integrated into the GRC initiative
• Integrated with project management and change management concepts and practices
• Risk oriented: has a phased, iterative implementation methodology
• Clear roles and responsibilities
• Value driven: continuous enhancement is at its core
• Facilitates continuous improvement
The COBIT family of products is available in Arabic:
• COBIT 5 Framework
• COBIT 5 Enabling Processes
• COBIT 5 Implementation
• COBIT 5 for Information Security
• COBIT 5 for Risk
Arabization is an essential step toward localization of IT governance practices.
How COBIT 5 Lends Itself to NIST CSF
COBIT principles and implementation methodology are highly compatible with the NIST Cybersecurity Framework (CSF).
Source: Implementing the NIST Cybersecurity Framework Using COBIT 5, ISACA, 2017
First: the compatibility between the two frameworks is good news for those who know COBIT or have already implemented it in their firms.
Second: COBIT process capability levels can be related to the four NIST CSF Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive). Note that NIST itself states that the Tiers are not maturity levels, so treat the correspondence as a guide rather than an equivalence.
Third: there is a mapping between CSF Functions, Categories and Subcategories and COBIT enabling processes.
Conclusion
• An enterprise's cybersecurity posture should fit into a larger, comprehensive structure for the governance and management of enterprise IT.
• Enterprise governance measures, as well as attitudes toward risk, must drive the enterprise cybersecurity program.
• Risk governance and management is about informed decision making.
• COBIT and the NIST CSF will organize the management of many other frameworks, methodologies, standards and emerging best practices.
Aqel M. Aqel
Mobile: +966-502-104-007
e-Mail: aqel.aqel@gmail.com


Editor's Notes
• #7 (Understand business needs and impacts): New thinking should lead cybersecurity and governance efforts.
• #13 (Introduction – Vocabulary) and #15 (What is COBIT): Both extremes, being too paranoid or falsely feeling too secure, are distracting. The best is to stay conscious and rationally lead our firms while considering the surrounding risks. Security does not benefit the enterprise for security's sake; it benefits the enterprise's financial security, reputation, legal state, etc.
• #16 (image slide): "Enterprises do not benefit simply just by being secure. That is expected. I hope we can emphasize that advanced cyber security capabilities will allow a company to embrace new business models and initiatives that were previously deemed to be of high risk. Hence, a board that empowers the CISO with adequate resources and support may, in fact, elevate the enterprise's competitive advantages."
• #32 (closing): Cybersecurity, therefore, requires several levels of effort involving: application of technology; management oversight; legal and regulatory awareness; employee training; adoption and implementation of policies and procedures governing the information technology environment.