
COBIT 5 For Cyber Security Governance and Management
Nasser El-Hout
Managing Director
Service Management Centre of Excellence (SMCE)
Cybersecurity Governance using COBIT5
Cyber Defence Summit
Riyadh, KSA
March 1 – 2, 2015

www.SMCE.org
Agenda
I. The Need for Governance
II. Introduction to COBIT
III. The COBIT5 Principles
IV. The COBIT5 Enablers
V. Applying COBIT5 to Cybersecurity Governance

Section I

THE NEED FOR GOVERNANCE

GRC

• Governance, risk management and compliance
• An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities
• These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.

GRC Definitions

• Governance—Exercise of authority; control; government; arrangement.
• Risk (management)—Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)
• Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission

Source: Webster’s Online Dictionary

Types of Governance

• Different types of governance exist:
  • Corporate governance
  • Project governance
  • Information technology governance
  • Environmental governance
  • Economic and financial governance
• Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.

Role of IT as a Strategic Partner
The role of ICT within organizations can differ significantly based on the strategic direction of the business, of ICT, and of their alignment.

Do organisations need IT Governance?

Technology is an integral component of every organizational strategy. It is the right use of ICT through Strategy and Plan that differentiates successful organizations.

[Figure: three roles of IT, from reactive to strategic – IT in SUPPORT role (Fire Fighting, Reactive); IT in ENABLER role (Service, Proactive); IT in DIFFERENTIATOR role (Value)]

Implementing Governance

• The integration of the implementation of the GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.
• Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).

A GRC Model Example

• From the OCEG Red Book GRC Capability Model version 2.1

[Figure: OCEG GRC Capability Model]

ISACA and COBIT

• ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.
• ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.

Section II

INTRODUCTION TO COBIT5

Why Develop COBIT 5?

COBIT 5:
• ISACA Board of Directors directive: “Tie together and reinforce all ISACA knowledge assets with COBIT.”
• Provide a renewed and authoritative governance and management framework for enterprise information and related technology
• Integrate all other major ISACA frameworks and guidance
• Align with other major frameworks and standards

© 2012 ISACA. All Rights Reserved.


The Evolution of COBIT 5

[Figure: COBIT release timeline – COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012). The scope of each release widens from Audit to Control, Management, IT Governance and finally Governance of Enterprise IT; Val IT 2.0 (2008), Risk IT (2009) and BMIS (2010) are integrated into COBIT 5.]

COBIT 5 Scope

• Not simply IT; not only for big business!
• COBIT 5 is about governing and managing information
  • Whatever medium is used
  • End to end throughout the enterprise
• Information is equally important to:
  • Global, multinational business
  • National and local government
  • Charities and not for profit enterprises
  • Small to medium enterprises and
  • Clubs and associations

Business Needs

• Enterprises are under constant pressure to:
  • Increase benefits realization through effective and innovative use of enterprise IT
  • Generate business value from new enterprise investments with a supporting IT investment
  • Achieve operational excellence through application of technology
  • Maintain IT related risk at an acceptable level
  • Contain cost of IT services and technology
  • Ensure business and IT collaboration, leading to business user satisfaction with IT engagement and services
  • Comply with ever increasing relevant laws, regulations and policies



COBIT 5 . . .

• Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent and provides an end-to-end view on all IT-related matters
• Creates a common language between IT and business for the enterprise governance and management of IT
• Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements



The COBIT 5 Format

• Simplified
  • COBIT 5 directly addresses the needs of the viewer from different perspectives
  • Development continues with specific practitioner guides
• COBIT 5 is initially in 3 volumes:
  1. The Framework – Free Download
  2. Process Reference Guide – Free to Members
  3. Implementation Guide – Free to Members
• COBIT 5 is based on:
  • 5 principles and
  • 7 enablers

COBIT 5 Product Family

[Figure: the COBIT 5 product family]

Section III

THE COBIT5 PRINCIPLES

COBIT 5 Principles

[Figure: the five COBIT 5 principles]

Principle 1:
Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders
• Value creation: realizing benefits at an optimal resource cost while optimizing risk.

Principle 1:
Meeting Stakeholder Needs
• Enterprises have many stakeholders
• Governance is about
  • Negotiating
  • Deciding amongst different stakeholders’ value interests
  • Considering all stakeholders when making benefit, resource and risk assessment decisions
• For each decision, ask:
  • For whom are the benefits?
  • Who bears the risk?
  • What resources are required?

Principle 1:
Meeting Stakeholder Needs
• Stakeholder needs have to be transformed into an enterprise’s actionable strategy
• The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals

Principle 1:
Meeting Stakeholder Needs
• The COBIT 5 goals cascade allows the definition of priorities for
  • Implementation
  • Improvement
  • Assurance of enterprise governance of IT
• In practice, the goals cascade:
  • Defines relevant and tangible goals and objectives at various levels of responsibility
  • Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
  • Clearly identifies and communicates how enablers are used to achieve enterprise goals

Principle 2:
Covering the Enterprise End–to–End

• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective
• COBIT 5:
  • Integrates governance of enterprise IT into enterprise governance
  • Covers all functions and processes within the enterprise
  • Does not focus only on the ‘IT function’

Principle 2:
Covering the Enterprise End–to–End
Main elements of the governance approach:
• Governance Enablers comprising
  • The organizational resources for governance
  • The enterprise’s resources
  • A lack of resources or enablers may affect the ability of the enterprise to create value
• Governance Scope comprising
  • The whole enterprise
  • An entity, a tangible or intangible asset, etc.

Principle 3:
Applying a Single Integrated Framework
• COBIT 5:
  • Aligns with the latest relevant standards and frameworks
  • Is complete in enterprise coverage
  • Provides a basis to integrate effectively other frameworks, standards and practices used
  • Integrates all knowledge previously dispersed over different ISACA frameworks
  • Provides a simple architecture for structuring guidance materials and producing a consistent product set

Principle 3:
Applying a Single Integrated Framework
• The COBIT 5 product family is the connection:
  • COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
  • COBIT 5: Enabling Processes
  • COBIT 5 Implementation Guide
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
  • COBIT 5 Enabling Information
  • COBIT 5 Online
• A series of other products is planned for specific audiences or topics
• The perspective concept links the above to external sources for standards

Principle 3:
Applying a Single Integrated Framework

Enablers provide structure to the COBIT 5 knowledge base

[Figure: the COBIT 5 knowledge base structured by enablers]

Principle 3:
Applying a Single Integrated Framework

[Figure: layered model linking business drivers, governance and best practice standards]
• Drivers – Conformance (Basel II, Sarbanes-Oxley Act, etc.) and Performance (Business Goals)
• Enterprise Governance – COSO, Balanced Scorecard
• IT Governance – COBIT
• Best Practice Standards – ISO 9001:2000, ISO 27002, ISO 20000
• Processes and Procedures – QA Procedures, Security Principles, ITIL

Principle 4:
Enabling a Holistic Approach
COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will work
• Driven by the goals cascade
• Described by the COBIT 5 framework in seven categories

Principle 4:
Enabling a Holistic Approach

[Figure: the seven COBIT 5 enablers]

Principle 5:
Separating Governance from Management

• The COBIT 5 framework makes a clear distinction between governance and management
• Governance and management
  • Encompass different types of activities
  • Require different organizational structures
  • Serve different purposes
• COBIT 5: Enabling Processes differentiates the activities associated with each

Principle 5:
Separating Governance from Management

[Figure: governance (Evaluate, Direct, Monitor) and management (Plan, Build, Run, Monitor) key areas]

COBIT 5 Process Reference Model

[Figure: the COBIT 5 process reference model]

The COBIT 5 Principles – Summary

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

Section IV

THE COBIT5 ENABLERS

Principle 4:
Enabling a Holistic Approach

[Figure: the seven COBIT 5 enablers]

The Enabler Dimensions

• COBIT 5 enabler dimensions:
  • All enablers have a set of common dimensions that:
    • Provide a common, simple and structured way to deal with enablers
    • Allow an entity to manage its complex interactions
    • Facilitate successful outcomes of the enablers

Enabler 1 - Principles, Policies & Frameworks

• The purpose of this enabler is to convey the governing body’s and management’s direction and instructions. They are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values as defined by the board and executive management.
• Differences between principles and policies –
  • Principles need to be limited in number
  • Put in simple language, expressing as clearly as possible the core values of the enterprise
  • Policies are more detailed guidance on how to put principles into practice

Enabler 1 - Principles, Policies & Frameworks

• The characteristics of good policies; they should:
  o Be effective – achieve their purpose
  o Be efficient – especially when implementing them
  o Be non-intrusive – make sense and be logical to those who have to comply with them
• Policies should have a mechanism (framework) in place where they can be effectively managed and users know where to go. Specifically they should be:
  o Comprehensive, covering all required areas
  o Open and flexible, allowing for easy adaptation and change
  o Current and up to date
• A policy life cycle must support the policy framework in order to achieve the defined goals.

Enabler 2 - Processes

• COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
  • The COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
  • The COBIT 5 process model is explained and its components defined.
  • The Enabler process guide which is referenced in this module contains the detailed process information for all 37 COBIT 5 processes shown in the process reference model.

Enabler 2 - Processes
COBIT 5: Enabling Processes
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
  • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

Enabler 2 – Processes: PRM Structure

• Each process is divided into:
  o Process Description
  o Process Purpose statement
  o IT-related Goals (from the Goals cascade; see example in the Appendix)
  o Each IT-related goal is associated with a set of generic related metrics
  o Process Goals (also from the Goals cascade mechanism; referred to as Enabler Goals)
  o Each Process Goal is associated with a set of generic metrics
  o Each Process contains a set of Management Practices
  o These are associated with a generic RACI chart (Responsible, Accountable, Consulted, Informed)
  o Each Management Practice contains a set of inputs and outputs (called work products in module PC)
  o Each Management Practice is associated with a set of activities

Enabler 2 – Processes: Definitions

A process is defined as ‘a collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g. products and services)’.

Process Practices are defined as the ‘guidance’ necessary to achieve process goals.

Process Activities are defined as the ‘guidance’ to achieve management practices for successful governance and management of enterprise IT.

Inputs and Outputs are the process work products/artefacts considered necessary to support operation of the process.

Enabler 3 - Organisational Structures
Figure 33 - COBIT 5 Roles and Organisational Structures

Role/Structure – Definition/Description
• Board – The group of the most senior executives and/or non-executive directors of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources
• CEO – The highest-ranking officer who is in charge of the total management of the enterprise
• CFO – The most senior official of the enterprise who is accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts
• Chief Operating Officer (COO) – The most senior official of the enterprise who is accountable for the operation of the enterprise
• CRO – The most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.
• CIO – The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives
• Chief Information Security Officer (CISO) – The most senior official of the enterprise who is accountable for the security of enterprise information in all its forms
• Business Executive – A senior management individual accountable for the operation of a specific business unit or subsidiary
• Business Process Owner – An individual accountable for the performance of a process in realising its objectives, driving process improvement and approving process changes
• Strategy Committee (IT Executive) – A group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major IT-related matters and decisions. The committee is accountable for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring that value is delivered and risk is managed. The committee is normally chaired by a board member, not by the CIO.
• Project and Programme Steering Committees – A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk
• Architecture Board – A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
• Enterprise Risk Committee – The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee.
• Head of HR – The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
• Compliance – The function in the enterprise responsible for guidance on legal, regulatory and contractual compliance
• Audit – The function in the enterprise responsible for provision of internal audits
• Head of Architecture – A senior individual accountable for the enterprise architecture process

Enabler 4 - Culture, Ethics and Behaviour

Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include:
o Communication throughout the enterprise of desired behaviours and corporate values. (This can be done via a code of ethics)
o Awareness of desired behaviour, strengthened by senior management example. This is one of the keys to a good governance environment: senior management and the executives ‘walk the talk’, so to speak. It is sometimes a difficult area and one that causes many enterprises to fail because it leads to poor governance. (Typically this will be part of training and awareness sessions based around a code of ethics)
o Incentives to encourage and deterrents to enforce desired behaviour. There is a clear link to HR payment and reward schemes.
o Rules and norms which provide more guidance and will typically be found in a Code of Ethics

Enabler 5 - Information

Importance of the Information Quality categories and dimensions:
o The concept of information criteria was introduced in COBIT 4.1; these were very important to be able to show how to meet business requirements.

Importance of Information Criteria
o COBIT 4.1 introduced us to the concept of 7 key information criteria to meet business requirements. This concept has been retained but translated differently.

Enabler 5 - Information: Business Requirements
From COBIT 4.1

► To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on broader quality, fiduciary, and security requirements, seven distinct information criteria are defined. These are:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

[Figure: the COBIT 4.1 cube – Business Requirements (the seven criteria above), IT Resources and IT Processes]

Enabler 6 - Services, Infrastructure and Applications
The five architecture principles that govern the implementation and use of IT-related resources:
o Reuse – Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.
o Buy vs. build – Solutions should be purchased unless there is an approved rationale for developing them internally.
o Simplicity – The enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.
o Agility – The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.
o Openness – The enterprise architecture should leverage open industry standards.

Enabler 6 - Services, Infrastructure and Applications
Relationship to other Enablers
o Information – is a service capability that is leveraged through processes to deliver internal and external services.
o Cultural and behavioural aspects – relevant when a service-oriented culture needs to be built
o Process inputs and outputs – Most of the inputs and outputs (work products) of the process management practices and activities in the PRM include service capabilities.

Consider other frameworks such as:
o ITIL 3
o TOGAF (www.opengroup.org/togaf), which provides an integrated information infrastructure reference model.

Enabler 7 – People, Skills and Competencies

Identify the good practices of People, Skills and Competencies, specifically:
o Described by different skill levels for different roles
o Defining skill requirements for each role
o Mapping skill categories to COBIT 5 process domains (APO, BAI etc.)
o These correspond to the IT-related activities undertaken, e.g. business analysis, information management etc.
o Using external sources for good practices
  • The Skills Framework for the Information Age (SFIA)

Section V

APPLYING COBIT5 TO CYBERSECURITY GOVERNANCE

COBIT5 Principles

• The COBIT 5 framework and its components—as applied to cybersecurity—cover governance, management and assurance.
• To ensure appropriate and comprehensive governance, the five basic principles within COBIT 5 should be used as a starting point.

Principle 3: Applying a Single Integrated Framework
• To create a single integrated framework for governing (and managing) cybersecurity, other governance provisions from within the enterprise need to be taken on board:
  • Cybersecurity, as defined in ISO 27032—Information technology—Security techniques—Guidelines for cybersecurity
  • Information security, e.g., ISO 27001 or National Institute of Standards and Technology (NIST) SP 800-53
  • SANS Critical Controls (Top 20)
  • Enterprise governance of IT, as defined through COBIT 5 or other frameworks
  • Risk management frameworks and practices influencing cybersecurity
  • Business continuity, service continuity and emergency/crisis handling provisions at the governance level, e.g., ISO 22301, ISO 27031
  • Organizational (corporate) governance provisions influencing cybersecurity directly or indirectly

Cybersecurity Management

• To efficiently manage all aspects of security, it is useful to structure it in line with COBIT.
• COBIT 5 defines a number of enablers, which are used to build holistic security management that addresses cybersecurity in the widest sense and is seamlessly connected to other GRC practices throughout the enterprise.

Enabler 1 – Principles, Policies & Frameworks

• In cybersecurity, principles, policies and frameworks form an important foundation for specifying measures and activities within the enterprise and in relationships with business partners, customers and other third parties.
• This enabler further sets out the documentation requirements for cybersecurity, including actual attacks and breaches.

Enabler 1 - Principles, Policies & Frameworks

• The purpose of a cybersecurity policy is to clearly and unambiguously express the goals and objectives as well as the boundaries for security management and security solutions.
• The policy also serves to define the role and scope of cybersecurity within general information security. It should further address the appropriate organizational alignment, and specific roles and responsibilities in conjunction with cybersecurity.

Enabler 2 - Processes

• In managing cybersecurity, both management and monitoring processes need to be in place to achieve and maintain an adequate level of security.

Enabler 3 - Organization Structures

Example: ISM Profile

Enabler 4 - Culture, Ethics, and Behaviour

• The Culture, Ethics and Behaviour enabler in COBIT 5 defines a set of model behaviors and cultural values that need to be applied to cybersecurity management.

Enabler 5 - Information

• The central asset to be protected from cybercrime and cyberwarfare is enterprise information itself, including PII and other privileged information assets. Most of these information assets will have an intrinsic value as well as a business value attributed to them:
  • Credit card data—Intrinsic value as privileged information (e.g., entrusted by the customer), business value for payments, generally high attractiveness for cybercrime
  • Personal login and password profiles—Intrinsic value as PII, business value through access to sensitive data, very high attractiveness for cybercrime and cyberwarfare

Enabler 6 - Services, Infrastructure and Applications
• The Services, Infrastructure and Applications enabler identifies service capabilities, attributes and goals for information security management, as described in COBIT 5 for Information Security:
  • Security architecture
  • Security awareness
  • Secure development
  • Security assessments
  • Adequately secured and configured systems
  • User access and access rights in line with business requirements
  • Adequate protection against malware, external attacks and intrusion attempts
  • Adequate incident response
  • Security testing
  • Monitoring and alert services for security-related events

Enabler 7 - People, Skills and Competencies

Sample Training Structure Program

Thanks for joining us

QUESTIONS