
Code Galore Caselet:

Using COBIT 5 for Information Security


Disclaimer
ISACA has designed and created the Code Galore Caselet: Using COBIT 5 for
Information Security (the Work) primarily as an educational resource for educational
professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, security governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by
the particular systems or information technology environment.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

© 2013 ISACA. All rights reserved.


Reservation of Rights
© 2013 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorisation of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the materials
source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/information_security_caselets


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ



Acknowledgements
Researcher
Krag Brotby, CISM, CGEIT, Brotby & Associates, USA

Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE. CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich , Australia, Director

Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Academic Program Subcommittee


Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan



Student Book
This caselet was developed to support
the Information Security Student Book:
Using COBIT 5 for Information Security,
www.isaca.org/information_security_student_book .



Agenda
Company Profile: Code Galore

Background Information

The Problems

Your Role

Your Tasks

Figures

Notes

Questions



Company Profile: Code Galore

Profile
- Start-up company founded in 2005
- One office in Sunnyvale, California, USA
- 10 remote salespeople and a few with space at resellers' offices
- Approximately 100 total staff; about one-third work in engineering
Background Information

Topics: What we do; Financials; Org. Structure; Operational; Industry; Products; Sales
Background Information: What we do

Building comprehensive business function automation software that performs many functions (decision making in approaching new initiatives, goal setting and tracking, financial accounting, a payment system, and much more).

The software is largely the joint brainchild of the Chief Technology Officer (CTO) and a highly visionary Marketing Manager who left the company a year ago.
Background Information: Financials

Financed 100% by investors who are extremely anxious to make a profit. Investors have invested more than US $35 million since inception and have not received any returns.

The organization expected a small profit in the last two quarters. However, the weak economy led to the cancellation of several large orders. As a result, the organization was in the red each quarter by approximately US $250,000.
Code Galore is a privately held company with a budget of US $15 million per year. Sales last year totaled US $13.5 million (as mentioned earlier, the company came within US $250,000 of being profitable in each of the last two quarters).

The investors hold the preponderance of the company's stock; share options are given to employees in the form of stock options that can be purchased for US $1 per share if the company ever goes public.

Code Galore spends about five percent of its annual budget on marketing. Its marketing efforts focus on portraying other financial function automation applications as point solutions in contrast to Code Galore's product.
Background Information: Org. Structure

Figure 1: Code Galore Organisational Chart (reconstructed from the slide layout; the Sales Mgr. reporting line is inferred from the remaining column)

CEO
    CSO
        Security Administrator
    VP, Business
        Sales Mgr.
    VP, Finance
        Accounting Dir.
        Sr. Financial Analyst
    CTO
        Infrastructure Mgr.
        Sys. Dev. Mgr.
    VP, Human Resources
        HR Manager
The board of directors:
- Consists of seasoned professionals with many years of experience in the software industry
- Is scattered all over the world and seldom meets, except by teleconference
- Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months
Background Information: Operational

Engineers perform code installations. The time to get the product completely installed and customized to the customer's environment can exceed one month, with costs higher than US $60,000 to the customer.

Labour and purchase costs are too high for small and medium-sized businesses. So far, only large companies in the US and Canada have bought the product.

C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company and are unwilling to invest much more.
The CEO:
- Is the former chief financial officer (CFO) of Code Galore, who replaced the original CEO when the latter resigned to pursue another opportunity two years ago
- Has a good deal of business knowledge and a moderate amount of experience as a C-level officer, but no prior experience as a CEO
- As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best
Background Information: Industry

Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support.

The business function automation software arena has many products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies.
Background Information: Products

The product is comprehensive: at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore's product covers.

Additionally, the product integrates information and statistics throughout all functions; each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding.
Background Information: Sales

Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product.

The price is not just due to the cost of software development; it also is due to the configuration labour required to get the product running suitably for its customers.
The Problems: Overview

Acquisition
Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly programmers who work at the company's small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven's was an archaic public switched telephone network (PSTN) link.

Setting up a WAN
Two months ago, your company's IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore's internal network and vice versa.
You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven's code integrated into Code Galore's.
Information Security
More recently, you have discovered that the WAN connection requires no authentication (not even a password) and that the internal network is flat: once a connection is established from outside, it is possible to connect to every server within the network, including the server that holds Code Galore's source code and software library and the server that houses employee payroll, benefits and medical insurance information.
Access control lists (ACLs) do limit who can read these sensitive files, but a recent vulnerability scan showed that both servers have vulnerabilities that could allow an attacker to gain unauthorised remote privileged access, and file ACLs offer no protection against an attacker who already holds privileged access on the host.
You have told the IT director that these vulnerabilities need to be patched, but because of the concern that patching may cause the servers to crash or behave unreliably, and because Code Galore must soon become profitable or else, you have granted the IT director a delay of one month in patching the servers. For at least that month, then, both servers remain reachable without authentication from a network you do not control.
Bots
What now really worries you is that, earlier today, monitoring by one of the security engineers who does some work for you showed that several hosts in Skyhaven's network have bots installed, meaning they are already under the remote control of whoever operates the botnet, and those hosts sit on a network that now has unauthenticated access into yours.

Source Code
Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code (which is to be integrated into Code Galore's source code as soon as the Skyhaven programmers are through with the release on which they are currently working) is on just about every Skyhaven machine, workstation and server alike, very likely including the bot-infected ones.
Code Galore vs. Skyhaven: Employee Knowledge
Code Galore employees are, in general, above average in their knowledge and awareness of information security, due in large part to an effective security awareness programme that you set up two months after you started working at Code Galore and have managed ever since.
You offer monthly brown-bag lunch events in a large conference room, display posters reminding employees not to engage in actions such as opening attachments that they are not expecting, and send a short monthly newsletter informing employees of the direction in which the company is going in terms of security and how they can help.
Very few incidents due to bad user security practices occurred until Skyhaven Software was acquired. Skyhaven's employees appear to have almost no knowledge of information security.
You also have discovered that the Skyhaven employee who informally provides technical assistance does not make backups and has done little in the way of security configuration and patch management.
Your Role

- Hired two years ago as the only Chief Security Officer (CSO) this company has ever had.
- Report directly to the Chief Executive Officer (CEO).
- Attend the weekly senior management meeting in which goals are set, progress reports are given and issues to be resolved are discussed.
- The Information Security Department consists of just you; two members of the security engineering team from software are available eight hours each week.
- 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena.
- Four years of experience as a junior IT auditor.
- Undergraduate degree in managing information systems; have earned many continuing professional education credits in information security, management and audit areas.
- Five years ago, you earned your CISM certification.
Your Role and the Business Units

The focus here is not on a business unit, but rather on Code Galore as a
whole, particularly on security risk that could cripple the business.

Due primarily to cost-cutting measures the CEO has put in place, your
annual budget has been substantially less than you requested each year.

Frankly, you have been lucky that no serious incident has occurred so far.
You know that in many ways your company has been tempting fate.

You do the best you can with what you have, but levels of unmitigated risk
in some critical areas are fairly high.

Your Role and the CEO, Ernest Wingate
Mr. Wingate's focus on cost cutting is a major reason that you have not been able to obtain more resources for security risk mitigation measures.

He is calm and fairly personable, but only a fair communicator, which means you must devote extra effort to learning his expectations of your company's information security risk mitigation effort and to keeping him advised of risk vectors and of the major developments and successes of this effort.

Your Role and the IT Director, Carmela Duarte
Code Galores IT director is Carmela Duarte. She has put a system of change control into
effect for all IT activities involving hardware and software.

This system is almost perfect for Code Galore: it is neither draconian nor too lax, and
very few employees have any complaints against it.

You have an excellent working relationship with her, and although she is under
considerable pressure from her boss, the CTO, and the rest of C-level management to
take shortcuts, she usually tries to do what is right from a security control perspective.

She is working hard to integrate the Skyhaven Software network into Code Galore's, but
currently, there are few resources available to do a very thorough job. She would also
do more for the sake of security risk mitigation if she had the resources.

Carmela has worked with Code Galore since 2006, and she is very much liked and
respected by senior management and the employees who work for her.

Your Tasks

You believe that Code Galore's (but not Skyhaven Software's) security risk is well
within the risk appetite of the CEO and the board of directors.

You have a good security policy (including acceptable use provisions) and standards
in place, and you keep both of them up to date.

You have established a yearly risk management cycle that includes asset valuation,
threat and vulnerability assessment, risk analysis, controls evaluation and selection,
and controls effectiveness assessment, and you are just about ready to start a
controls evaluation when you suddenly realise that something more important
needs to be done right away (outlined in The Problems section).



Your Tasks: Qualitative Risk Analysis

Using the figure 4 template, you need to modify the qualitative risk analysis that you
performed six months ago to take into account the risk related to Skyhaven
Software. The major risk events identified during this risk analysis are shown in
figure 2.

You must not only head this effort, but for all practical purposes, you will be the only
person from Code Galore who works on this effort.



Your revision of the last risk analysis will not only bring Code Galore up to date
concerning its current risk landscape, but will also provide the basis for your
requesting additional resources to mitigate new, serious risk and previously
unmitigated or unsuitably mitigated risk.

You may find that some risk events are lower in severity than before, possibly to
the point that allocating further resources to mitigate them would not be
appropriate. This may help optimise your risk mitigation investments.

To the degree that you realistically and accurately identify new and changed risk,
you will modify the direction of your information security practice in a manner
that, ideally, lowers the level of exposure of business processes to major risk and
facilitates growth of the business.

Failure to realistically and accurately identify new and changed risk will result in
blindness to relevant risk that will lead to unacceptable levels of unmitigated risk.



You must revise the most recent risk analysis, not only by reassessing all the
currently identified major risk, but also by adding at least three risk events that
were not previously identified.

COBIT 5 provides guidance that might be helpful in determining the best approach to
reassessing and prioritising the major risk events, in EDM03, Ensure risk
optimisation.

You must also provide a clear and complete rationale for the risk events and their
likelihood and impacts (outlined in the Alternatives With Pros and Cons of Each
section).



Your Tasks: Pros and Cons
The rationale for each security-related risk that you select must include a discussion of the pros and cons associated with identifying and classifying each as a medium-low risk or higher.

For example, suppose that you decide that a prolonged IT outage is no longer a medium-low risk, but instead is now a low risk.

The pros (purely hypothetical in this case) may be that outage-related risk events are now much lower than before due to, for example, the implementation of a new backup and recovery system that feeds data into an alternative data center (not true in this caselet).

In that case, allocating additional resources to this risk would be a waste of time and money.


On the con side, lowering the severity of a prolonged IT outage risk may result in underestimation of this source of risk, which could result in failing to allocate resources and in a much higher amount of outage-related loss and disruption than Code Galore could take, given its somewhat precarious state.

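As an added example for both the qualitative risk analysis task and the pros-and-cons task above (this is not ISACA's code and not the caselet's figure 4 template, which is not reproduced on this page), the following Python shows the mechanics a CSO would apply when revising the register: scoring each event's likelihood and impact on an ordinal scale, prioritising the register, flagging which events need a documented pros-and-cons rationale, and checking that the revision reassesses every earlier event and adds at least three new ones. The five-level scale, the score bands, and every risk event listed are constructed assumptions drawn from the case narrative, not from figure 2.

```python
from dataclasses import dataclass

# Five-level ordinal scale for likelihood, impact and the resulting rating.
# Assumption: the caselet's figure 4 scale is not reproduced on this page.
LEVELS = ["low", "medium-low", "medium", "medium-high", "high"]
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}  # "low" -> 1 ... "high" -> 5


def rating_from_score(score: int) -> str:
    """Map a likelihood x impact product (1..25) back onto the five levels.
    The band edges are an assumption: medium x medium (9) stays medium, and
    only medium-high x high or above (20+) is rated high."""
    if score >= 20:
        return "high"
    if score >= 12:
        return "medium-high"
    if score >= 6:
        return "medium"
    if score >= 3:
        return "medium-low"
    return "low"


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS
    rationale: str   # the pros and cons of classifying it at this level

    def score(self) -> int:
        return RANK[self.likelihood] * RANK[self.impact]

    def rating(self) -> str:
        return rating_from_score(self.score())


def needs_pros_and_cons(event: RiskEvent) -> bool:
    """The tasks require a documented rationale at medium-low or higher."""
    return RANK[event.rating()] >= RANK["medium-low"]


def prioritise(register):
    """Highest score first; ties broken by name so the order is deterministic."""
    return sorted(register, key=lambda e: (-e.score(), e.name))


def compare(previous, revised) -> dict:
    """Classify every revised event against the earlier analysis."""
    old = {e.name: e for e in previous}
    changes = {"new": [], "raised": [], "lowered": [], "unchanged": [], "dropped": []}
    for e in revised:
        if e.name not in old:
            changes["new"].append(e.name)
        elif e.score() > old[e.name].score():
            changes["raised"].append(e.name)
        elif e.score() < old[e.name].score():
            changes["lowered"].append(e.name)
        else:
            changes["unchanged"].append(e.name)
    seen = {e.name for e in revised}
    changes["dropped"] = [n for n in old if n not in seen]
    return changes


def validate_revision(previous, revised, min_new: int = 3) -> list:
    """Return violations of the revision rules stated in the tasks: every
    earlier event reassessed (still present), at least min_new new events,
    and a rationale for each event rated medium-low or higher."""
    problems = []
    changes = compare(previous, revised)
    for name in changes["dropped"]:
        problems.append(f"not reassessed: {name}")
    if len(changes["new"]) < min_new:
        problems.append(f"only {len(changes['new'])} new risk event(s) (need {min_new})")
    for e in revised:
        if needs_pros_and_cons(e) and not e.rationale.strip():
            problems.append(f"no rationale: {e.name} ({e.rating()})")
    return problems


# Constructed register from six months ago (figure 2 is not on the page).
PREVIOUS = [
    RiskEvent("Prolonged IT outage", "medium-low", "medium-low", "earlier rationale"),
    RiskEvent("Theft of product source code", "medium-low", "high", "earlier rationale"),
    RiskEvent("Disclosure of employee payroll and medical data", "low", "high", "earlier rationale"),
]

# Constructed revision reflecting the Skyhaven situation described in the case.
REVISED = [
    RiskEvent("Prolonged IT outage", "low", "medium-low",
              "Hypothetical, as in the text: pro, a new backup site would justify spending "
              "nothing more; con, under-rating it leaves a fragile company exposed to losses"),
    RiskEvent("Theft of product source code", "medium-high", "high",
              "Skyhaven code sits on nearly every Skyhaven machine, some bot-infected, "
              "and the flat WAN link reaches the source-code server"),
    RiskEvent("Disclosure of employee payroll and medical data", "medium", "high",
              "HR server has remotely exploitable vulnerabilities, patching deferred a "
              "month, and is reachable over an unauthenticated link"),
    RiskEvent("Unauthenticated WAN link reaches every internal server", "high", "high",
              "No password on the link and no segmentation behind it"),
    RiskEvent("Bot-infected Skyhaven hosts pivot into Code Galore", "high", "high",
              "Bots already present; their operator can reach your network today"),
    RiskEvent("Loss of Skyhaven code: no backups, no patch management", "medium", "medium-high",
              "Single informal admin, no backups, unpatched hosts"),
]

if __name__ == "__main__":
    for e in prioritise(REVISED):
        print(f"{e.rating():12} {e.score():2}  {e.name}")
    print(compare(PREVIOUS, REVISED))
    print(validate_revision(PREVIOUS, REVISED) or "revision satisfies the task rules")
```

Run as a script it prints the prioritised register, the raised/lowered/new classification against the earlier analysis, and any rule violations; the band edges in rating_from_score are the place to encode whatever scale the real template uses.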


Exhibits
Figure 2: Major Risk

Figure 3: Network Diagram

Figure 4: Risk Analysis Template


Notes
Since Code Galore is in the business function automation software arena, it should
consider using business process automation (BPA), a strategy a business uses to automate
processes in order to contain costs. It consists of integrating applications, restructuring labour
resources and using software applications throughout the organization.

Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical
right now.

Yet, this company has opened itself up to significant levels of security risk because of
acquiring Skyhaven Software and the need for former Skyhaven programmers to access
resources within the corporate network.

Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and
assesses the magnitude of security risk from acquiring Skyhaven and opening the Code
Galore network to connections from the Skyhaven network and prescribes appropriate
controls, given Code Galore's cash crunch, not many resources (money and labour) are likely
to be available for these controls.



All the CSO may be able to do is document the risk and make prioritised recommendations
for controls, waiting for the right point in time when the companys financial situation gets
better.

If an information security steering committee exists, the CSO must keep this committee fully
apprised of changes in risk and solicit input concerning how to handle this difficult situation.

At the same time, the CSO should initiate an ongoing effort (if no such effort has been
initiated so far) to educate senior management and key stockholders concerning the
potential business impact of the new risk profile. (Note: The kind of situation described in
this caselet is not uncommon in real-world settings.)



Discussion Questions 1-5
1. What are the most important business issues and goals for Code Galore?
2. What are the factors affecting the problem related to this case?
3. What are the managerial, organisational, and technological issues and resources
related to this case?
4. What role do different decision makers play in the overall planning, implementing
and managing of the information technology/security applications?
5. What are some of the emerging IT security technologies that should be
considered in solving the problem related to the case?



Discussion Questions 6-10
6. In what major ways and areas can information security help the business in
reaching its goals?
7. Which element of the confidentiality, integrity and availability (CIA) triad is most critical to
Code Galore's business goals, and why?
8. Change leads to risk, and some significant changes have occurred. Which of these
changes lead to the greatest risk?
9. Imagine that three of the greatest risk events presented themselves in worst-case
scenarios. What would be some of these worst-case scenarios?
10. How can the CSO in this scenario most effectively communicate to senior management the
newly identified risk events and the previously identified ones that have grown because of
the changes?

