Using CobiT to Enhance IT Security Governance
© John Mitchell
John Mitchell, PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL
Tel: +44 (0)1707 851454  Fax: +44 (0)1707 851455  Mobile: +44 (0)7774 145638
[email protected]  www.lhscontrol.com
IT Security Governance Road Map
Identify Needs
– Risk analysis
– Raise awareness
Envisage Solution
– Where are you now?
– Where do you want to be?
– Gap analysis
Plan Solution
– Identify measurement metrics
– Develop change programme
– Define projects
Implement Solution
– Generate Balanced Score Card
– Collect metrics
– Report
Where is Your IT Security?
Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Maturity Models
– A strategic management tool
– Helps in self-assessment and for making decisions about where the IT function currently is and where it should be going
– Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
– Provides a pragmatic benchmark: “Where is my IT department placed and where do we want it to be?”
CMM Concepts
Initially proposed in 1991 by the Software Engineering Group at Carnegie Mellon University, USA
Identified 6 maturity levels in the development of quality software
Extended by the Information Systems Audit & Control Association (ISACA) to include all aspects of IT
CMM Levels
0 Non-Existent
1 Initial/Ad Hoc
2 Repeatable but intuitive
3 Defined Process
4 Managed & measurable
5 Optimised
Security Maturity Models
IT Security Governance Encompasses
– Technology
– Processes
– People
IT Security Governance Requires
Planning & Organisation
Acquisition and Implementation
Delivery and Support
Monitoring and Enhancement
Control Objectives for IT (CobiT)
Open standard provided by the Information Systems Audit & Control Association (ISACA)
Used by over 43,000 control professionals throughout the world
Increasingly seen as an IT Governance tool
Where CobiT Fits In
Diagram: Corporate Governance, comprising IT Governance, Finance Governance and Marketing Governance. Within IT Governance, CobiT sits alongside ISO 17799, BS 15000, CMM, ITIL, ISO 9126, ISO 15504, ISO 12207, ISO 9000 and TickIT.
CobiT & IT Governance
IT Governance Programme
Planning & Organisation:
– Strategic Planning
– Information Architecture
– Technological Direction
– IT Organisation & Relationships
– Manage the IT Investment
– Communicate Aims & Direction
– Manage human resources
– Ensure Compliance
– Assess Risks
– Manage Projects
– Manage Quality
Acquisition & Implementation:
– Identify Solutions
– Acquire & Maintain Application Software
– Acquire & Maintain Technology Architecture
– Develop & Maintain IT Procedures
– Install & Accredit systems
– Manage Changes
Delivery & Support:
– Define Service Levels
– Manage third-party services
– Manage performance and capacity
– Ensure continuous service
– Ensure systems security
– Identify and attribute costs
– Educate and train users
– Assist & advise IT customers
– Manage the configuration
– Manage problems & incidents
– Manage data
– Manage facilities
– Manage operations
Monitoring:
– Monitor the processes
– Assess internal control adequacy
– Obtain independent assurance
– Provide for independent audit
CobiT Structure
– Area Framework (i.e. IT Security)
– Control Objectives
– Audit Guidelines
– Key Goal Indicators
– Key Performance Indicators
– Critical Success Factors
– Maturity Models
Security Framework
Control Objectives
Control Objectives provide high level control statements linking the need for control to business requirements based on the CobiT Information Criteria
By addressing 34 high level control objectives, the business process owner can ensure that an adequate internal control system is in place for the IT environment
There are also over 300 detailed management & control objectives for 34 IT processes
These objectives have been derived from research across many sources of IT standards and best practice, including topics such as IT quality, security, service delivery and financial control
These objectives are intended to be a management tool, helping auditors, IT management and business management understand how to control IT activities to meet business requirements
Audit Guidelines
– A management tool
– Helps in self-assessment and for making choices for control implementation and capability improvements
– Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
– Provides a set of tools to assist management in responding to the question: “What is the right level of control for my IT such that it will support my business objectives?”
Measurement Components
Key Goal Indicators (KGIs)
– Where do you want to be?
Critical Success Factors (CSFs)
– Those things that MUST happen to reach the KGI
Key Performance Indicators (KPIs)
– Those measures that confirm you are meeting the CSFs, or which warn you when you are drifting off course
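A small worked version of the road map's "where are you now / where do you want to be" gap analysis on the 0–5 CMM scale, together with the KGI/CSF/KPI drift check described above, as an added example that is not from the slides. The CobiT domain and process names are the slides' own; the Assessment and KPI classes, the thresholds and the sample maturity levels are constructed assumptions.

```python
# Added example, not from the slides: maturity gap analysis on the 0-5 CMM
# scale plus a KPI drift check; processes, levels and figures are constructed.
from dataclasses import dataclass
LEVELS = {0: "Non-Existent", 1: "Initial/Ad Hoc", 2: "Repeatable but intuitive",
          3: "Defined Process", 4: "Managed & measurable", 5: "Optimised"}
@dataclass
class Assessment:
    domain: str    # CobiT domain, e.g. "Delivery and Support"
    process: str   # CobiT process, e.g. "Ensure systems security"
    current: int   # where are you now?
    target: int    # where do you want to be?

    def __post_init__(self):
        for name in ("current", "target"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{name} must be a CMM level 0-5")

    @property
    def gap(self) -> int:
        return self.target - self.current

@dataclass
class KPI:
    name: str
    csf: str               # the critical success factor this KPI confirms
    value: float
    threshold: float
    higher_is_better: bool = True

    def drifting(self) -> bool:  # True when the measure says the CSF is not met
        return self.value < self.threshold if self.higher_is_better else self.value > self.threshold

def gap_analysis(assessments):
    """Processes still short of target, largest gap first (stable for ties)."""
    return sorted((a for a in assessments if a.gap > 0), key=lambda a: -a.gap)

def domain_gaps(assessments):
    """Average gap per CobiT domain, the roll-up a Balanced Score Card would show."""
    totals = {}
    for a in assessments:
        n, s = totals.get(a.domain, (0, 0))
        totals[a.domain] = (n + 1, s + a.gap)
    return {d: round(s / n, 2) for d, (n, s) in totals.items()}

def kpi_warnings(kpis):
    """Warnings for KPIs drifting off course, naming the CSF each confirms."""
    return [f"{k.name}: {k.value} vs {k.threshold} ({k.csf})" for k in kpis if k.drifting()]

SAMPLE = [Assessment("Delivery and Support", "Ensure systems security", 2, 4),  # constructed
          Assessment("Planning & Organisation", "Assess Risks", 1, 4),
          Assessment("Monitoring and Enhancement", "Monitor the processes", 3, 3)]
```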
Key Goal Indicators
Critical Success Factors
Key Performance Indicators
Control Practices
– The benefits listed under ‘why do it’ are tangible and motivate to implement controls
– The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
– Control practices listed are generally accepted as good business practice
– Control practices suggest sustainable solutions
– The control practices are effective in addressing the risk linked to not achieving the detailed control objective
– The control practices suggest efficient solutions
– The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
– The control practices are realistic
Useful Sites & Tools
Sites– www.isaca.org– www.isaca-london.org– www.bcs-irma.org– www.itgi.org– www.bsi-global.com
Tools– Control Objectives for IT (CobiT)– IT Infrastructure Library (ITIL)– International Standards (ISO 17799, ISO 9000, etc.)
Summary
– IT security governance is about measurement & control of IT security within the corporate framework to ensure that IT supports and helps to extend the enterprise’s capabilities
– Much of IT security governance involves risk management of:
  – Confidentiality
  – Integrity
  – Availability
  – Compliance
– Knowing where you are is a prerequisite to knowing where you want to be:
  – Capability maturity assessment
  – ISO 17799 gap analysis
Questions?
John Mitchell, PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Hertfordshire EN6 1SL, England
Tel: +44 (0)1707 851454  Fax: +44 (0)1707 851455  Mobile: +44 (0)7774 145638