COBIT 5 for Information Security

Presented by
COBIT–The ISACA Framework
 COBIT is an IT governance framework and supporting
tool set that allows managers to bridge the gap between
control requirements, technical issues and business risk.
 COBIT enables clear policy development and good
practice for IT control throughout organisations.
 COBIT emphasises regulatory compliance, helps
organisations to increase the value attained from IT,
enables alignment and simplifies implementation of the
COBIT framework.
 For more information: www.isaca.org/cobit
2
COBIT 4.1–The ISACA Framework
 COBIT 4.1
 Issued in 2007
 An IT
governance and
management
framework
 Focus on
processes as the
key enabler
Source: COBIT® 4.1, figure 23. © 2007 IT Governance Institute® All rights reserved.
3
COBIT 5–The NEW Version
 COBIT 5 is a major strategic improvement providing the
next generation of ISACA guidance on the governance and
management of enterprise information technology (IT)
assets.
 Building on more than 15 years of practical application,
ISACA designed COBIT 5 to meet the needs of
stakeholders, and to align with current thinking on
enterprise governance and management techniques as they
relate to IT.
 For more information: www.isaca.org/cobit
4
COBIT 5 Product Family–The
Overarching Framework Product
Source: COBIT® 5, figure 1. © 2012 ISACA® All rights reserved.
5
COBIT 5: Value Creation
 Delivering enterprise stakeholder value requires good
governance and management of IT assets—including
information security arrangements.
 External legal, regulatory and contractual compliance
requirements (sometimes covering information security
requirements) related to enterprise use of information and
technology are increasing, threatening value if breached.
 COBIT 5 provides a comprehensive framework that assists
enterprises to achieve their goals and deliver value through
effective governance and management of enterprise IT –
providing a sound basis for information security
arrangements.
6
The COBIT 5 Framework
 Simply stated, COBIT 5 helps enterprises to create
optimal value from IT by maintaining a balance between
realising benefits and optimising risk levels and resource
use.
 COBIT 5 enables information and related technology to
be governed and managed in a holistic manner for the
whole enterprise, taking in the full end-to-end business
and functional areas of responsibility, considering the ITrelated interests of internal and external stakeholders.
 The COBIT 5 principles and enablers are generic and
useful for enterprises of all sizes, whether commercial,
not-for -profit or in the public sector.
7
COBIT 5 Principles and Enablers
COBIT 5 Enterprise Enablers
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
8
COBIT 5 Product Family–The Detailed
Process Guidance is Still There
Source: COBIT® 5: Enabling Processes, figure 1. © 2012 ISACA® All rights reserved.
9
COBIT 5 Enabling Processes
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
10
COBIT 5–Integrates Earlier ISACA Frameworks
COBIT 5 has clarified management level processes and
integrated COBIT 4.1, Val IT and Risk IT content into
one process reference model.
11
COBIT 5–Integrates BMIS Components Too
COBIT 5 has also taken the valuable holistic, interrelated
component model approach from the Business Model for
Information Security (BMIS) work and incorporated it
into the framework components.
Source: BMIS®, figure 2. © 2010 ISACA® All rights reserved.
12
BMIS Introduction
• Business Model for Information Security (BMIS)
• A holistic and business-oriented approach to managing
information security, and a common language for
information security and business management to talk
about information protection
• BMIS challenges conventional thinking and enables you
to creatively re-evaluate your information security
investment
• The Business Model for Information Security, provides an
in-depth explanation to a holistic business model which
examines security issues from a systems perspective.
• For more information: www.isaca.org/bmis
13
COBIT 5 Integrates BMIS Components
• Several of the BMIS components are now integrated
within COBIT 5 as interacting enablers that support the
enterprise in achieving its business goals and create
stakeholder value:
• Organisation
• Process
• People
• Human Factors
• Technology
• Culture
14
COBIT 5 Integrates BMIS Components (cont)
• The remaining BMIS components are actually related the
larger aspects of the COBIT 5 framework:
• Governing—The dimensions of governance activities
(evaluate, direct, monitor—ISO/IEC 38500) are
addressed at the enterprise level in the COBIT 5
framework
• Architecture (including a process model) —COBIT 5
includes the need to address enterprise architecture
aspects to link organisation and technology effectively
• Emergence—The holistic and integrated nature of the
COBIT 5 enablers supports enterprise in adapting to
changes in both stakeholder needs and enabler
capabilities as necessary
15
COBIT 5 Product Family—Includes
Implementation Guidance
Source: COBIT® 5 Implementation, figure 1. © 2012 ISACA® All rights reserved.
16
COBIT 5 Implementation
• The improvement of the governance of enterprise IT
(GEIT) is widely recognised by top management as an
essential part of enterprise governance.
• Information and the pervasiveness of information
technology are increasingly part of every aspect of
business and public life.
• The need to drive more value from IT investments and
manage an increasing array of IT-related risk, including
often cited security risk, has never been greater.
• Increasing regulation and legislation over business use
and security of information is also driving heightened
awareness of the importance of well-governed, managed
and secure IT use.
17
COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers. Indeed,
implementing good GEIT is almost impossible without
engaging an effective governance framework. Best practices
and standards are also available to underpin COBIT 5—
including many focused on information security.
• However, frameworks, best practices and standards are
useful only if they are adopted and adapted effectively.
There are challenges that need to be overcome and issues
that need to be addressed if GEIT is to be implemented
successfully.
• COBIT 5 Implementation provides guidance on how to
do this.
18
COBIT 5 Implementation (cont.)
• COBIT 5 Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural
change
• Implementing continual improvement that includes
change enablement and programme management
• Using COBIT 5 and its components
19
COBIT 5 Implementation (cont.)
Source: COBIT® 5 Implementation, figure 6. © 2012 ISACA® All rights reserved.
20
COBIT 5 Product Family—Includes
an Information Security Member
Source: COBIT® 5, adapted from figure 11. © 2012 ISACA® All rights reserved.
21
COBIT 5 and Information Security
COBIT 5 addresses information security specifically:
 The focus on information security management system
(ISMS) in the align, plan and organise (APO)
management domain, APO13 Manage security,
establishes the prominence of information security within
the COBIT 5 process framework.
 This process highlights the need for enterprise
management to plan and establish an appropriate ISMS to
support the information security governance principles
and security-impacted business objectives resulting from
the evaluate, direct and monitor (EDM) governance
domain.
22
COBIT 5 for Information Security (cont)
 COBIT 5 for Information Security will be an extended view
of COBIT 5 that explains each component of COBIT 5
from an information security perspective.
 Additional value for information security constituents will
be created through additional explanations, activities,
processes and recommendations.
 The COBIT 5 for Information Security deliverable will be a
view of information security governance and management
that will provide security professionals detailed guidance
for using COBIT 5 as they establish, implement and
maintain information security in the business policies,
processes and structures of an enterprise.
23
COBIT 5 for Information Security (cont)
What content will be included in the guide?
 Guidance on the enterprise business drivers and benefits
related to information security
 How the COBIT 5 principles can be viewed and applied
from an information security professionals’ perspective
 How the COBIT 5 enablers can be used by information
security professionals to support enterprise governance
and management of information security arrangements
 How COBIT 5 for Information Security guidance aligns
with other information security standards
24
COBIT 5 for Information Security (cont)
At what stage of development is COBIT 5 for Information
Security?
 Development has been underway for some time and a draft
delivered for subject matter expert (SME) review in
January 2012.
 The COBIT Security Task Force met in February 2012 to
review and incorporate SME feedback into the product.
 Expectation is that the COBIT 5 for Information Security
professional guide will be available in July 2012.
25
Thank you for listening!
If you have questions about ISACA publications
and ongoing research, please contact:
ISACA
Research Department
Phone: +1.847.660.5630
Fax: +1.847.253.1443
Email: research@isaca.org
26