Management
Nasser El-Hout
Managing Director
Service Management Centre of Excellence (SMCE)
Cybersecurity Governance using COBIT5
Cyber Defence Summit
Riyadh, KSA
March 1 – 2, 2015
www.SMCE.org
Agenda
I. The Need for Governance
II. Introduction to COBIT
Section I
GRC Definitions
Types of Governance
Role of IT as a Strategic Partner
The role of ICT within an organization can differ significantly depending on the strategic direction of the business, the strategic direction of ICT, and the alignment between the two.
[Diagram: Proactive – IT in ENABLER role; Reactive (fire fighting) – IT in SUPPORT role]
Implementing Governance
A GRC Model Example
• From the OCEG Red Book GRC Capability Model version 2.1
ISACA and COBIT
Section II
INTRODUCTION TO COBIT5
Why Develop COBIT 5?
COBIT 5:
• ISACA Board of Directors directive
[Evolution diagram: Audit, Control, Management, IT Governance, Governance of Enterprise IT; incorporating Val IT 2.0 (2008), Risk IT (2009) and BMIS (2010)]
COBIT 5 Scope
Business Needs
• Simplified
• COBIT 5 directly addresses the needs of the viewer from different
perspectives
• Development continues with specific practitioner guides
• COBIT 5 is initially in 3 volumes:
1. The Framework – Free Download
2. Process Reference Guide – Free to Members
3. Implementation Guide – Free to Members
COBIT 5 Product Family
Principle 1:
Meeting Stakeholder Needs
• Enterprises have many stakeholders
• Governance is about
• Negotiating
• Deciding amongst different stakeholders’ value interests
• Considering all stakeholders when making benefit, resource and risk
assessment decisions
Principle 1:
Meeting Stakeholder Needs
• The COBIT 5 goals cascade allows the definition of priorities for
• Implementation
• Improvement
• Assurance of enterprise governance of IT
Principle 2:
Covering the Enterprise End–to–End
• COBIT 5:
• Integrates governance of enterprise IT into enterprise governance
• Covers all functions and processes within the enterprise
• Does not focus only on the ‘IT function’
Principle 2:
Covering the Enterprise End–to–End
Main elements of the governance approach:
• Governance Enablers comprising
• The organizational resources for governance
• The enterprise’s resources
• A lack of resources or enablers may affect the ability of the
enterprise to create value
• Governance Scope comprising
• The whole enterprise
• An entity, a tangible or intangible asset, etc.
Principle 3:
Applying a Single Integrated Framework
• COBIT 5:
• Aligns with the latest relevant standards and frameworks
• Is complete in enterprise coverage
• Provides a basis to integrate effectively other frameworks, standards
and practices used
• Integrates all knowledge previously dispersed over different ISACA
frameworks
• Provides a simple architecture for structuring guidance materials and
producing a consistent product set
Principle 3:
Applying a Single Integrated Framework
• The COBIT 5 product family is the connection:
• COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT
• COBIT 5: Enabling Processes
• COBIT 5 Implementation Guide
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
• COBIT 5 Enabling Information
• COBIT 5 Online
• A series of other products is planned for specific audiences or topics
• The perspective concept links the above to external sources for
standards
Principle 3:
Applying a Single Integrated Framework
Enablers provide
structure to the
COBIT 5
knowledge base
Principle 3:
Applying a Single Integrated Framework
[Diagram: Drivers – CONFORMANCE (Basel II, Sarbanes-Oxley Act, etc.) and PERFORMANCE (Business Goals, Balanced Scorecard); Enterprise Governance – COSO; IT Governance – COBIT]
Principle 4:
Enabling a Holistic Approach
COBIT 5 defines a set of enablers to support the implementation
of a comprehensive governance and management system for
enterprise IT.
Principle 5:
Separating Governance from Management
COBIT 5 Process Reference Model
© 2012 ISACA. All Rights Reserved.
The COBIT 5 Principles – Summary
Section IV
The Enabler Dimensions
Enabler 1 - Principles, Policies & Frameworks
Enabler 2 - Processes
Enabler 2 - Processes
COBIT 5: Enabling Processes
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
Enabler 2 – Processes: PRM Structure
Enabler 2 – Processes: Definitions
Enabler 3 - Organisational Structures
Enabler 4 - Culture, Ethics and Behaviour
Enabler 5 - Information
Enabler 5 - Information: Business Requirements
From COBIT 4.1
[COBIT 4.1 cube: Business Requirements (information criteria) – Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; IT Resources; IT Processes]
Enabler 6 - Services, Infrastructure and
Applications
The five architecture principles that govern the implementation and use of IT-related resources:
o Reuse – Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.
o Buy vs. build – Solutions should be purchased unless there is an approved rationale for developing them internally.
o Simplicity – The enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.
o Agility – The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.
o Openness – The enterprise architecture should leverage open industry standards.
Enabler 6 - Services, Infrastructure and
Applications
Relationship to other enablers:
o Information – A service capability that is leveraged through processes to deliver internal and external services.
o Cultural and behavioural aspects – Relevant when a service-oriented culture needs to be built.
o Process inputs and outputs – Most of the inputs and outputs (work products) of the process management practices and activities in the PRM include service capabilities.
Enabler 7 – People, Skills and Competencies
Section IV
Principle 3: Applying a Single Integrated
Framework
• To create a single integrated framework for governing (and
managing) cybersecurity, other governance provisions from
within the enterprise need to be taken on board:
• Cybersecurity, as defined in ISO 27032—Information technology—
Security techniques—Guidelines for cybersecurity
• Information security, e.g., ISO 27001 or National Institute of Standards
and Technology (NIST) SP 800-53
• SANS Critical Controls (Top 20)
• Enterprise governance of IT, as defined through COBIT 5 or other
frameworks
• Risk management frameworks and practices influencing cybersecurity
• Business continuity, service continuity and emergency/crisis handling
provisions at the governance level, e.g., ISO 22301, ISO 27031
• Organizational (corporate) governance provisions influencing
cybersecurity directly or indirectly
Cybersecurity Management
Enabler 1 – Principles, Policies & Frameworks
Enabler 2 - Processes
Enabler 3 - Organization Structures
Example: ISM Profile
Enabler 4 - Culture, Ethics, and Behaviour
Enabler 5 - Information
Enabler 6 - Services, Infrastructure and
Applications
• The Services, Infrastructure and Applications enabler identifies
service capabilities, attributes and goals for information security
management, as described in COBIT 5 for Information Security:
• Security architecture
• Security awareness
• Secure development
• Security assessments
• Adequately secured and configured systems
• User access and access rights in line with business requirements
• Adequate protection against malware, external attacks and intrusion
attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events
Enabler 7 - People, Skills and Competencies
Sample Training Structure Program
Thanks for joining us
QUESTIONS