Secure Software Development – COBIT 5 Perspective Kewyn Walter George Management Consulting 29 th June 2013

Upload: spin-chennai

Post on 15-Aug-2015


Page 1: Secure Software  Development –  COBIT5  Perspective

Secure Software Development – COBIT 5 Perspective

Kewyn Walter George Management Consulting 29th June 2013

Page 2: Secure Software  Development –  COBIT5  Perspective

© [year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


COBIT - A brief Introduction

•COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risk.

•COBIT enables clear policy development and good practice for IT control throughout organizations.

•COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Page 3: Secure Software  Development –  COBIT5  Perspective


COBIT Framework Evolution

Evolution of scope, from Audit (COBIT 1) to Governance of Enterprise IT (COBIT 5):

• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4.0/4.1 (2005/7): IT Governance
• COBIT 5 (2012): Governance of Enterprise IT

Also incorporated along the way: Val IT 2.0 (2008) and Risk IT (2009).

A business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA® All rights reserved.

Page 4: Secure Software  Development –  COBIT5  Perspective


COBIT 5: The latest version

•COBIT 5 is a major strategic improvement providing the next generation of ISACA guidance on the governance and management of enterprise information technology (IT) assets.

•Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT.

•It focuses on the dual aspects of Governance and Management of Enterprise IT.

Source : ISACA.org Copyright@ISACA

Page 5: Secure Software  Development –  COBIT5  Perspective


COBIT 5 : Principles & Enablers

Based on 5 Principles and 7 Enablers

Source : ISACA.org Copyright@ISACA

Page 6: Secure Software  Development –  COBIT5  Perspective


COBIT 5: Overall Architecture

[Figures: COBIT 5 Family of Products; COBIT 5 Enterprise Enablers. Source: COBIT® 5, figures 11 and 12. © 2012 ISACA® All rights reserved.]

Source : ISACA.org Copyright@ISACA

Page 7: Secure Software  Development –  COBIT5  Perspective


COBIT 5: Importance on Life Cycle Management & Governance

Source : ISACA.org Copyright@ISACA

Page 8: Secure Software  Development –  COBIT5  Perspective


COBIT 5: Enabling Processes:

Source : ISACA.org Copyright@ISACA

Page 9: Secure Software  Development –  COBIT5  Perspective


Importance of Secure Software Development:

• With internet-connected and networked systems now pervasive, software is exposed to attack as soon as it is deployed, so the integrity of the data it handles depends on security being built in during development.

• Secure software development reduces software maintenance cost and increases software reliability.

• Secure software development prevents a significant number of security flaws from reaching production.

• Security flaws that are only detected at later stages of software development may require a total overhaul of the software architecture, which is far costlier than fixing them at design time.

Page 10: Secure Software  Development –  COBIT5  Perspective


Secure Software Development: Common Pitfalls:

•Organizations focus on application and information security only after development is complete.

•Organizations conduct security audits only after development and before deployment.

•There is a lack of awareness of the information security norms to be followed during the Software Development Lifecycle.

•Organizations spend more time reacting to security issues after software development than proactively eliminating them before development is completed.

Page 11: Secure Software  Development –  COBIT5  Perspective


How COBIT 5 addresses these pitfalls:

COBIT 5 emphasizes the following key areas to address the common issues related to information security and software development:

• Awareness & Training
• Assessment & Audit
• Development & Quality Assurance
• Compliance
• Response Management
• Metrics & Accountability
• Operational Security

The following sections detail how COBIT 5 includes Information Security and Software Development in its processes.

Page 12: Secure Software  Development –  COBIT5  Perspective


COBIT 5 –Information Security & Secure Software Development:

•COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components.

Source : ISACA.org Copyright@ISACA

Page 13: Secure Software  Development –  COBIT5  Perspective


Business Model for Information Security (BMIS)

• A holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection

• BMIS challenges conventional thinking and enables you to creatively re-evaluate your information security investment

• The Business Model for Information Security provides an in-depth explanation of a holistic business model that examines security issues from a systems perspective.

Source : ISACA.org Copyright@ISACA

Page 14: Secure Software  Development –  COBIT5  Perspective


COBIT 5 Integrates BMIS Components

• Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and creating stakeholder value:

• Organization
• Process
• People
• Human Factors
• Technology
• Culture

Source : ISACA.org Copyright@ISACA

Page 15: Secure Software  Development –  COBIT5  Perspective


COBIT 5 Integrates BMIS Components

• The remaining BMIS components relate to the larger aspects of the COBIT 5 framework:

• Governing—The dimensions of governance activities (evaluate, direct, monitor—ISO/IEC 38500) are addressed at the enterprise level in the COBIT 5 framework

• Architecture (including a process model)—COBIT 5 includes the need to address enterprise architecture aspects to link organization and technology effectively

• Emergence—The holistic and integrated nature of the COBIT 5 enablers supports the enterprise in adapting to changes in both stakeholder needs and enabler capabilities as necessary

Source : ISACA.org Copyright@ISACA

Page 16: Secure Software  Development –  COBIT5  Perspective


COBIT 5 Product Family—Includes Guides on Information Security

Source : ISACA.org Copyright@ISACA

Page 17: Secure Software  Development –  COBIT5  Perspective


COBIT 5 for Information Security:

•COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.

Source : ISACA.org Copyright@ISACA

Page 18: Secure Software  Development –  COBIT5  Perspective


Implementing Information Security using COBIT 5 Enablers

•COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information. Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT and, related to that, information security governance.

•Enablers are driven by the goals cascade, i.e., higher level IT-related goals define what the different enablers should achieve.

Source : ISACA.org Copyright@ISACA

Page 19: Secure Software  Development –  COBIT5  Perspective


Implementing Information Security using COBIT 5 Enablers

The Enablers contain detailed guidance on Information Security norms to be followed in daily processes. The following shows the example with the enabler – Culture, ethics & behaviour

Source : ISACA.org Copyright@ISACA

Page 20: Secure Software  Development –  COBIT5  Perspective


COBIT 5 Processes: Tailored for Information Security & Software Development:

Source : ISACA.org Copyright@ISACA

Page 21: Secure Software  Development –  COBIT5  Perspective


COBIT 5 Processes: Tailored for Information Security & Software Development: (An example)

•COBIT 5 addresses information security specifically:

•The focus on information security management system (ISMS) in the align, plan and organize (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.

•This process highlights the need for enterprise management to plan and establish an appropriate ISMS to support the information security governance principles and security-impacted business objectives resulting from the evaluate, direct and monitor (EDM) governance domain.

Source : ISACA.org Copyright@ISACA

Page 22: Secure Software  Development –  COBIT5  Perspective


Secure Software Development: Benefits of Implementing COBIT 5

• Through its IT-related processes (the Monitor, Evaluate and Assess domain in particular), COBIT 5 calls for monitoring, evaluation and assessment at every stage of software development.

• Finding and fixing security flaws during development rather than after it significantly reduces the cost of post-release security bug fixes.

• Through the enabler focused on culture, ethics and behaviour, COBIT 5 embeds information security principles into daily processes.

• Exposure of the application to external threats is reduced at every development step, rather than only at a final pre-deployment audit.

Source : ISACA.org Copyright@ISACA
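The cost and containment claims on this slide are easiest to act on when they are measured. The following is an added Python example, not from the deck and not ISACA or KPMG material, that computes per-phase escape rates and an assumed relative rework cost from a constructed list of security findings, each tagged with the phase in which the flaw was introduced and the phase in which it was found. The phase names, the rework weights and the sample findings are all assumptions chosen for the example.

```python
"""Phase-containment metrics for security findings across an SDLC.

Added illustration (not from the KPMG/ISACA deck). Each finding records the
phase in which the flaw was introduced and the phase in which it was detected;
from that we derive how often flaws escape the phase that created them and an
assumed relative rework cost. Phase names and weights are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Ordered SDLC phases (assumed; adapt to the organisation's own lifecycle).
PHASES = ["requirements", "design", "implementation",
          "testing", "deployment", "operations"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Assumed relative cost of fixing a flaw, keyed by the number of phases it
# escaped before being found (0 = found where introduced). Illustrative only.
REWORK_WEIGHT = {0: 1, 1: 2, 2: 5, 3: 10, 4: 20, 5: 30}


@dataclass(frozen=True)
class Finding:
    ident: str
    category: str
    introduced_in: str
    found_in: str

    def __post_init__(self):
        # Reject unknown phases and findings "found" before they existed.
        for phase in (self.introduced_in, self.found_in):
            if phase not in PHASE_INDEX:
                raise ValueError(f"{self.ident}: unknown phase {phase!r}")
        if PHASE_INDEX[self.found_in] < PHASE_INDEX[self.introduced_in]:
            raise ValueError(f"{self.ident}: found before it was introduced")

    @property
    def phases_escaped(self) -> int:
        return PHASE_INDEX[self.found_in] - PHASE_INDEX[self.introduced_in]


def escape_rate_by_phase(findings):
    """Per phase: fraction of flaws introduced there that were NOT caught in
    that same phase. Phases that introduced no findings map to None."""
    introduced = Counter(f.introduced_in for f in findings)
    escaped = Counter(f.introduced_in for f in findings if f.phases_escaped > 0)
    return {p: (escaped[p] / introduced[p] if introduced[p] else None)
            for p in PHASES}


def late_findings(findings, gate="testing"):
    """Findings first seen at or after `gate`: the 'audit only before
    deployment' pitfall shows up here as everything that earlier phases missed."""
    return [f for f in findings if PHASE_INDEX[f.found_in] >= PHASE_INDEX[gate]]


def relative_rework_cost(findings):
    """Sum of assumed rework weights; one unit per finding is the floor
    reached only when every flaw is fixed in the phase that introduced it."""
    return sum(REWORK_WEIGHT[f.phases_escaped] for f in findings)


# Constructed sample data for the example (not real findings).
SAMPLE = [
    Finding("F1", "missing authorization check", "design", "design"),
    Finding("F2", "SQL injection", "implementation", "implementation"),
    Finding("F3", "weak password policy", "requirements", "testing"),
    Finding("F4", "hard-coded credential", "implementation", "deployment"),
    Finding("F5", "cross-site scripting", "implementation", "testing"),
    Finding("F6", "insecure default configuration", "design", "operations"),
]

if __name__ == "__main__":
    for phase, rate in escape_rate_by_phase(SAMPLE).items():
        print(f"{phase:15s} escape rate: {rate}")
    print("found at or after testing:", [f.ident for f in late_findings(SAMPLE)])
    print("relative rework cost:", relative_rework_cost(SAMPLE),
          "(floor:", len(SAMPLE), ")")
```

On the sample, two of the three implementation flaws and the only requirements flaw escape their phase, four of six findings are first seen at or after testing, and the assumed rework cost is 39 against a floor of 6. Tracking these two numbers per release is one concrete way to give the "Metrics & Accountability" area on the earlier slide something to report.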

Page 23: Secure Software  Development –  COBIT5  Perspective


Secure Software Development: Benefits of Implementing COBIT 5

• Through process optimization and early detection of bugs and security flaws, COBIT 5 helps organizations reduce rework and shorten the software development schedule.

Page 24: Secure Software  Development –  COBIT5  Perspective


Accredited COBIT 5 Foundation Course by KPMG

Course Overview: COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA's Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO).

Course trainer: The trainers are accredited by APMG, have in-depth experience in COBIT 5 consulting and have conducted more than 25 COBIT workshops.

Duration: 2 days

Course Fee: INR 22,900 (trainer charges, training material, exam and certification cost) + Service Tax (10% - 15% discount for SPIN and ISACA members)

Course Contents:

Enablers
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

5 Principles
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

Page 25: Secure Software  Development –  COBIT5  Perspective

© 2013 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).

Thank you

Kewyn Walter George KPMG Management Consulting Email: [email protected] Phone: 97890 11128