
Secure Software Development – COBIT5 Perspective


This presentation elucidates Secure Software Development based on COBIT 5, an IT governance framework and supporting tool set which emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.



  1. Secure Software Development – COBIT 5 Perspective
     Kewyn Walter George, Management Consulting, 29th June 2013
  2. COBIT - A brief Introduction
     • COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risk.
     • COBIT enables clear policy development and good practice for IT control throughout organizations.
     • COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
     © [year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
  3. COBIT Framework Evolution
     [Figure: evolution of scope from Audit (COBIT1, 1996), Control (COBIT2, 1998), Management (COBIT3, 2000) and IT Governance (COBIT4.0/4.1, 2005/7) to Governance of Enterprise IT (COBIT 5, 2012), incorporating Val IT 2.0 (2008) and Risk IT (2009). Source: COBIT 5, a business framework from ISACA, www.isaca.org/cobit. © 2012 ISACA® All rights reserved.]
     From Audit (COBIT1) to Governance of Enterprise IT (COBIT5)
  4. COBIT 5: The latest version
     • COBIT 5 is a major strategic improvement providing the next generation of ISACA guidance on the governance and management of enterprise information technology (IT) assets.
     • Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT.
     • It focuses on the dual aspects of Governance as well as Management of Enterprise IT.
     Source: ISACA.org, Copyright ISACA
  5. COBIT 5: Principles & Enablers
     Based on 5 Principles and 7 Enablers.
     Source: ISACA.org, Copyright ISACA
  6. COBIT 5: Overall Architecture
     [Figures: COBIT 5 Family of Products; COBIT 5 Enterprise Enablers. Source: COBIT® 5, figures 11 and 12. © 2012 ISACA® All rights reserved.]
     Source: ISACA.org, Copyright ISACA
  7. COBIT 5: Importance on Life Cycle Management & Governance
     Source: ISACA.org, Copyright ISACA
  8. COBIT 5: Enabling Processes
     Source: ISACA.org, Copyright ISACA
  9. Importance of Secured Software Development
     • The use of internet and network systems has become all-pervasive, increasing the risk to data integrity during software development.
     • Secured software development reduces software maintenance cost and increases software reliability.
     • Secured software development eliminates a significant number of security flaws.
     • Security flaws that are detected only at later stages of software development may require a total overhaul of the entire software architecture.
  10. Secured Software Development: Common Pitfalls
     • Organizations focus on software application and information security only after development.
     • Organizations conduct security audits only after development and before deployment.
     • There is a lack of awareness of the information security norms to be followed during the Software Development Lifecycle.
     • Organizations spend more time reacting to security issues after software development than proactively eliminating issues before development is completed.
  11. How COBIT 5 addresses these pitfalls
     COBIT 5 emphasizes the following key areas to address the common issues related to information security and software development:
     • Awareness & Training
     • Assessment & Audit
     • Development & Quality Assurance
     • Compliance
     • Response Management
     • Metrics & Accountability
     • Operational Security
     The following sections detail how COBIT 5 builds Information Security and Software Development into its processes.
  12. COBIT 5 – Information Security & Secure Software Development
     • COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components.
     Source: ISACA.org, Copyright ISACA
  13. Business Model for Information Security (BMIS)
     • A holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection.
     • BMIS challenges conventional thinking and enables you to creatively re-evaluate your information security investment.
     • The Business Model for Information Security provides an in-depth explanation of a holistic business model that examines security issues from a systems perspective.
     Source: ISACA.org, Copyright ISACA
  14. COBIT 5 Integrates BMIS Components
     • Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and create stakeholder value:
       • Organization
       • Process
       • People
       • Human Factors
       • Technology
       • Culture
     Source: ISACA.org, Copyright ISACA
  15. COBIT 5 Integrates BMIS Components
     • The remaining BMIS components relate to the larger aspects of the COBIT 5 framework:
       • Governing: the dimensions of governance activities (evaluate, direct, monitor; ISO/IEC 38500) are addressed at the enterprise level in the COBIT 5 framework.
       • Architecture (including a process model): COBIT 5 includes the need to address enterprise architecture aspects to link organization and technology effectively.
       • Emergence: the holistic and integrated nature of the COBIT 5 enablers supports the enterprise in adapting to changes in both stakeholder needs and enabler capabilities as necessary.
     Source: ISACA.org, Copyright ISACA
  16. COBIT 5 Product Family – Includes Guides on Information Security
     Source: ISACA.org, Copyright ISACA
  17. COBIT 5 for Information Security
     • COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.
     Source: ISACA.org, Copyright ISACA
  18. Implementing Information Security using COBIT 5 Enablers
     • COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information. Enablers are factors that, individually and collectively, influence whether something will work; in this case, governance and management over enterprise IT and, related to that, information security governance.
     • Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
     Source: ISACA.org, Copyright ISACA
  19. Implementing Information Security using COBIT 5 Enablers
     The enablers contain detailed guidance on the information security norms to be followed in daily processes. The following figure shows an example for the enabler Culture, ethics & behaviour.
     Source: ISACA.org, Copyright ISACA
  20. COBIT 5 Processes: Tailored for Information Security & Software Development
     Source: ISACA.org, Copyright ISACA
  21. COBIT 5 Processes: Tailored for Information Security & Software Development (An example)
     • COBIT 5 addresses information security specifically:
       • The focus on the information security management system (ISMS) in the align, plan and organize (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.
       • This process highlights the need for enterprise management to plan and establish an appropriate ISMS to support the information security governance principles and security-impacted business objectives resulting from the evaluate, direct and monitor (EDM) governance domain.
     Source: ISACA.org, Copyright ISACA
  22. Secured Software Development: Benefits of Implementing COBIT 5
     • Through its IT-related processes, COBIT 5 emphasizes ‘Monitor, Evaluate and Assess’ at every stage of software development.
     • This significantly reduces the cost of security-related bug fixes after development.
     • Through enablers focused on culture, ethics and behaviour, COBIT 5 ensures that the principles related to information security are embedded in daily processes.
     • Application vulnerability to external information-related threats is reduced at every development step.
     Source: ISACA.org, Copyright ISACA
  23. Secured Software Development: Benefits of Implementing COBIT 5
     • Through process optimization and early detection of bugs and security flaws, COBIT 5 helps organizations reduce development time and achieve the fastest schedule for software development.
  24. Accredited COBIT 5 Foundation Course by KPMG
     Course Overview: COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO).
     Course trainer: The trainers are accredited by APMG, have in-depth experience in COBIT 5 consulting and have conducted more than 25 COBIT workshops.
     Duration: 2 Service days
     Course Fee: INR 22,900 (Trainer charges, Training Material, Exam and certification cost) + Service Tax (10% - 15% Discount for SPIN and ISACA Members)
     Course Contents:
     Enablers
     1. Principles, policies and frameworks
     2. Processes
     3. Organizational structures
     4. Culture, ethics and behavior
     5. Information
     6. Services, infrastructure and applications
     7. People, skills and competencies
     5 Principles
     Principle 1: Meeting Stakeholder Needs
     Principle 2: Covering the Enterprise End-to-End
     Principle 3: Applying a Single, Integrated Framework
     Principle 4: Enabling a Holistic Approach
     Principle 5: Separating Governance From Management
  25. Thank you
     Kewyn Walter George, KPMG Management Consulting
     Email: kewyn@kpmg.com
     Phone: 97890 11128
     © 2013 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).
