Cobit and Iso 27001
Uploaded by Antonio Clima

A lecture of lectures about CoBIT and ISO 27000

Dr. Hale
University of Nebraska at Omaha
Information Security and Policy – Lecture 6

Today’s topics:
• Last time recap: FISMA related docs
• ISO 27000 Series
  – slides from 2013 Jones and Bartlett Learning, LLC
  – slides from 2007 Luděk Novák, CISA, CISSP
• ISO Assessment tool
• CoBIT: Control Objectives for Information and related Technology
  – slides from 2007 IT Governance Institute
  – slides from 2013 Jones and Bartlett Learning, LLC

ISO 27000 related slides

Policy Frameworks
ISO/IEC 27000

• The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) develop and publish international standards.
• It is common to see these standards abbreviated to ISO/IEC.
• ISO/IEC 27001 and 27002 are the most interesting of the family.

Overview of Documents

• ISO 27000: Overview and Vocabulary
• ISO 27001: ISMS Requirements
• ISO 27002: Code of Practice
• ISO 27003: ISMS Implementation Guidance
• ISO 27004: ISM Measurement
• ISO 27005: InfoSec Risk Management
• ISO 27006: Requirements for Bodies Providing Audit and Certification of ISMS
• ISO 27007 – 27008: Guidelines for Auditing InfoSec Controls
• ISO 27014: Governance of InfoSec
• ISO 27015: ISM Guidelines for Financial Services

Next few slides from 2007 Luděk Novák, CISA, CISSP, modified by MLH 2015

ISO/IEC 27000 family review

[Figure: map of the ISO/IEC 27000 family, predecessor documents in parentheses]
• ISMS Overview and vocabulary: ISO/IEC 27000:2008 (ISO/IEC 13335-1)
• ISMS Certification scheme: ISO/IEC 27006:2007 (EA 7/03)
• ISMS Requirements: ISO/IEC 27001:2005 (BS 7799-2:2002), with Annex A
• Risk management: ISO/IEC 27005:2007 (BS 7799-3:2006, ISO/IEC TR 13335-3:1998)
• ISMS Measurement: ISO/IEC 27004:2008
• ISMS Implementation guidelines: ISO/IEC 27003:2008
• ISMS Code of practice: ISO/IEC 27002:2005 (ISO/IEC 17799)
• ISMS Auditor guidelines: ISO/IEC 27007
• Specific standards and guidelines

ISO/IEC 27001:2013 principles
• Definition of requirements on an Information Security Management System (ISMS)
• Information security management process based on the PDCA model
  – Plan – Do – Check – Act
• Ensures the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties
• All defined requirements are mandatory and it is not possible to exclude any of them
  – But it is not necessary to implement all security controls !!!

[Figure: PDCA cycle (Plan – Do – Check – Act) taking the requirements of customers and suppliers as input and producing their satisfaction as output]

ISMS Measurement as a feedback

[Figure: ISMS measurement as a feedback loop. Elements: business needs; security management; security effectiveness; decision criteria; risk management; indicators; define measurement priorities; security measures; measurement methods; information flows]
Source: draft of ISO/IEC 27004

Examples of ISMS metrics
• Percentage (%) of system users/security personnel that have received basic awareness training
• Average frequency of audit records review and analyses for inappropriate activity
• Percentage of systems using automated mechanisms to conduct analysis and reporting of inappropriate activities
• Percentage (%) of systems that are compliant with the baseline configuration
• Percentage (%) of systems successfully addressed in the testing of the contingency plan
• Percentage of accounts not associated with specific users
• Percentage (%) of system components that undergo maintenance on schedule
• Cost of information security incidents of unauthorized access to information systems, due to physical security failures
• Percentage (%) of employees who signed acknowledgement that they have read and understood rules of behavior, before being authorized access to the information system
Source: NIST SP 800-80 Guide for Developing Performance Metrics for Information Security (draft)
http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf
CMM® Security
ISO/IEC 21827 – Systems Security Engineering – Capability Maturity Model (SSE-CMM®)
• Capability model for security
• Advantage: more levels to compare security enforcement
[GOTO ISO 27001 control documents]

Some slides from 2013 Jones and Bartlett, modified by MLH 2015-2017

ISO/IEC 27002 (2015)

ISO/IEC 27002 has 19 sections of best practices; of those, 12 main areas compose the framework.

• ISO/IEC 27002 outlines 12 main areas that compose the framework:
• Risk assessment and treatment
  • Describes how to perform periodic risk assessments.
• Security policy
  • Describes how management should define an information security policy.
  • Organizations usually maintain detailed security policies in a library. Information security standards, procedures, and guidelines support the library.
• Organization of information security
  • Describes how to design and implement an information security governance structure.
  • Covers the need for an internal group that manages the program.
• Asset management
  • Describes inventory and classification of information assets. The organization should understand what information assets it holds, and manage its security.
• Human resources security
  • Describes security aspects for employees joining, moving, and leaving an organization. The organization should manage systems access rights.
• Physical and environmental security
  • Describes the protection of computer facilities. Valuable IT equipment should be physically protected against malicious or accidental damage or loss.
• Communications and operations management
  • Describes management of technical security controls in systems and networks.
• Access control
  • Describes restriction of access rights to networks, systems, applications, functions, and data.
  • Addresses controlled logical access to IT systems, networks, and data to prevent unauthorized access.
• Information systems acquisition, development, and maintenance
  • Describes building security into applications in the Systems Development Life Cycle (SDLC).
• Information security incident management
  • Describes anticipating and responding appropriately to information security breaches.
  • Information security events, incidents, and weaknesses should be promptly reported and properly managed.
• Business continuity management
  • Describes protecting, maintaining, and recovering business-critical processes and systems.
  • Covers contingency planning from analysis and documentation to regular testing of the plans.
• Compliance
  • Legal requirements
  • Security policies and standards, and technical compliance
  • Audit considerations
Next: CoBIT is at the highest level of “standards”

(Next slides from 2007 IT Governance Institute, modified by MLH 2015)

The Need for IT Governance

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly

[Figure: ITGI IT governance focus areas (www.itgi.org): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

©2007 IT Governance Institute. All rights reserved. 25


IT Governance, as Defined by ITGI

IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives

[Figure: ITGI IT governance focus areas (www.itgi.org): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

Survey results:
• 2005: 64% doing something about it, 36% not doing something about it
• 2003: 58% doing something about it, 42% not doing something about it
Source: Surveys by PwC for the IT Governance Institute, Sep-Oct 2003 and Sep-Oct 2005


Enterprise Governance Drives IT Governance

Enterprise governance is about:
¤ Conformance
  • Adhering to legislation, internal policies, audit requirements, etc.
¤ Performance
  • Improving profitability, efficiency, effectiveness, growth, etc.

[Figure: balance between Performance and Conformance]

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.


IT Governance Focus Areas

Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.

Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.


IT Governance Stakeholders

Board and executive: Set direction for IT, monitor results and insist on corrective measures.
Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed.
IT management: Delivers and improves IT services as required by the business.
IT audit: Provides independent assurance to demonstrate that IT delivers what is needed.
Risk and compliance: Measures compliance with policies and focuses on alerts to new risks.


COBIT Provides a Framework for IT Governance

COBIT helps bridge the gaps between business risks, control needs and technical
issues. It provides good practices across a domain and process framework and presents
activities in a manageable and logical structure.

COBIT:
¤ Starts from business requirements
¤ Is process-oriented, organising IT activities into a generally
accepted process model
¤ Identifies the major IT resources to be leveraged
¤ Defines the management control objectives to be considered
¤ Incorporates major international standards
¤ Has become the de facto standard for overall control of IT

IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.


COBIT and Other IT Management Frameworks

Organisations will consider and use a variety of IT models, standards and best
practices. These must be understood in order to consider how they can be used
together, with COBIT acting as the consolidator (‘umbrella’).

[Figure: scope of coverage of the frameworks, from WHAT to HOW: COSO, COBIT, ISO 9000, ISO 17799/27000, ITIL]


Where Does COBIT Fit?

[Figure: where COBIT fits]
• Drivers: Conformance (Basel II, Sarbanes-Oxley Act, etc.); Performance (business goals)
• Enterprise governance: COSO; Balanced Scorecard
• IT governance: COBIT
• Best practice standards: ISO 9001:2000; ISO 17799 / 27000; ISO 20000
• Processes and procedures: QA procedures; Security principles; ITIL


COBIT Framework

► The COBIT framework was created with the main characteristics:
  § Business-focused
  § Process-oriented
  § Controls-based
  § Measurement-driven
► The acronym COBIT stands for Control Objectives for Information and related Technology.

[Figure: COBIT framework characteristics]
COBIT: An IT Control Framework

[Figure: evolution of COBIT: Audit, Control, Management, Governance; COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005)]

For latest updates on COBIT, log on to www.isaca.org/cobit.


COBIT: Value and Limitations

COBIT:
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Is freely downloadable LIES!!!
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves
► Is maintained by a reputable not-for-profit organisation
► Maps 100 percent to COSO
► Maps strongly to all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure

Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio



COBIT Components

An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

[Figure: COBIT components: Business Strategy, IT Resources, IT Processes, Information Criteria]


COBIT: Advantages

Some of the advantages of adopting COBIT are:
► COBIT is aligned with other standards and good practices and should be used together with them.
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.
► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► COBIT provides tools to help manage IT activities.


COBIT and IT Governance

► COBIT focuses on improving IT governance in organisations.
► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework.

[Figure: the five requirements for a control framework: provides sharper business focus; defines a common language; ensures process orientation; helps meet regulatory requirements; has general acceptability amongst organisations]


COBIT and IT Governance (Cont.)

Business Focus
► COBIT achieves sharper business focus by aligning IT with business objectives.
► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.


COBIT and IT Governance (Cont.)

Process Orientation
► When organisations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.


COBIT and IT Governance (Cont.)

General Acceptability
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► The framework continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.


COBIT and IT Governance (Cont.)

Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.
► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.

Security Baseline comes in here


COBIT and IT Governance (Cont.)

Common Language
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project.
► Common language helps build confidence and trust.


COBIT: Premise

► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

[Figure: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives]

► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.


COBIT: Principle

The principle of the COBIT framework is to link management’s IT expectations with management’s
IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT
risks.

[Figure: COBIT components: Business Strategy, IT Resources, IT Processes, Information Criteria]


COBIT Framework

As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that
need to be managed by IT processes
[Figure: Business Requirement → IT Process → Information, with the control approach]
• Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
• IT Resources: Applications, Information, Infrastructure, People
• IT Processes: Domains, Processes, Activities


COBIT Cube

The COBIT framework describes how IT processes deliver the information that the business needs to
achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the
COBIT cube.

[Figure: the COBIT cube: Business Requirements for Information Criteria; IT Resources; IT Processes]


COBIT Cube: IT Processes

► COBIT describes the IT life cycle with the help of four domains:
§ Plan and Organise
§ Acquire and Implement
§ Deliver and Support
§ Monitor and Evaluate
► Processes are series of activities with natural control breaks. There are 34 processes across the
four domains. These processes specify what the business needs to achieve its objectives. The
delivery of information is controlled through 34 IT processes.
► Activities are actions that are required to achieve measurable results. Moreover, activities have
life cycles and include many discrete tasks.

[Figure: the COBIT cube with the IT Processes dimension broken down into Domains, Processes and Activities]


COBIT Cube: IT Domains

Plan and Organise (PO)


► Objectives:
§ Formulating strategy and tactics
§ Identifying how IT can best contribute to achieving business objectives
§ Planning, communicating and managing the realisation of the strategic vision
§ Implementing organisational and technological infrastructure
► Scope:
§ Are IT and the business strategically aligned?
§ Is the enterprise achieving optimum use of its resources?
§ Does everyone in the organisation understand the IT objectives?
§ Are IT risks understood and being managed?
§ Is the quality of IT systems appropriate for business needs?



COBIT Cube: IT Domains (Cont.)

Let’s look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

[Figure: the four IT process domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]


COBIT Cube: IT Domains (Cont.)

Acquire and Implement (AI)


► Objectives:
§ Identifying, developing or acquiring, implementing, and integrating IT solutions
§ Changes in and maintenance of existing systems
► Scope:
§ Are new projects likely to deliver solutions that meet business needs?
§ Are new projects likely to be delivered on time and within budget?
§ Will the new systems work properly when implemented?
§ Will changes be made without upsetting current business operations?

[Figure: New Projects and the Organisation]


COBIT Cube: IT Domains (Cont.)

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.


COBIT Cube: IT Domains (Cont.)

Deliver and Support (DS)


► Objectives:
§ The actual delivery of required services, including service delivery
§ The management of security, continuity, data and operational facilities
§ Service support for users
► Scope:
§ Are IT services being delivered in line with business priorities?
§ Are IT costs optimised?
§ Is the workforce able to use IT systems productively and safely?
§ Are adequate confidentiality, integrity and availability in place?

[Figure: IT Services and Business Priorities]


COBIT Cube: IT Domains (Cont.)

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.


COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate (ME)


► Objectives:
§ Performance management
§ Monitoring of internal control
§ Regulatory compliance
§ Governance
► Scope:
§ Is IT’s performance measured to detect problems before it is too late?
§ Does management ensure that internal controls are effective and efficient?
§ Can IT performance be linked to business goals?
§ Are risk, control, compliance and performance measured and reported?

[Figure: IT Performance]


COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.


COBIT Cube: Information Criteria

► To satisfy business objectives, information needs to conform to specific control criteria, which
COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
§ Quality
§ Fiduciary (trust)
§ Security

[Figure: the COBIT cube with the Information Criteria dimension grouped into Quality Requirements, Fiduciary Requirements and Security Requirements]


COBIT Cube: Information Criteria (Cont.)

Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.

[Figure: the COBIT cube with the Information Criteria dimension grouped into Quality Requirements, Fiduciary Requirements and Security Requirements]


COBIT Cube: IT Resources

► IT processes manage IT resources to generate, deliver and store the information that the
organisation needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
§ Applications are automated user systems and manual procedures that process information.
§ Information is data that are input, processed and output by information systems, in
whatever form used by the business.
§ Infrastructure includes the technology and facilities, such as hardware, operating systems
and networking, that enable the processing of applications.
§ People are the personnel required to plan, organise, acquire, implement, deliver, support,
monitor and evaluate information systems and services. They may be internal, outsourced
or contracted, as required.

[Figure: the COBIT cube with the IT Resources dimension: Applications, Information, Infrastructure, People]


COBIT Framework

[Figure: COBIT framework overview. Business objectives and governance objectives drive Information (criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), delivered through IT Resources (Applications, Information, Infrastructure, People) managed by the four domains: Plan and Organise (PO1–PO10), Acquire and Implement (AI1–AI7), Deliver and Support (DS1–DS13) and Monitor and Evaluate (ME1–ME4), with the processes as listed on the preceding slides]


COBIT Cube

IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.

Interrelationship of the COBIT Components


Reading: Brotby 12

Questions?

Matt Hale, PhD
University of Nebraska at Omaha
Interdisciplinary Informatics
[email protected]
Twitter: @mlhale_

Some material © 2013 Jones and Bartlett Learning, LLC
All else © 2014-2016 Matthew L. Hale