COBIT5 and InfoSec

March 19, 2018 | Author: Roney Cruz | Category: Cobit, Information Security, Governance, Business Model, Business

Presented by

COBIT – The ISACA Framework
• COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risk.
• COBIT enables clear policy development and good practice for IT control throughout organisations.
• COBIT emphasises regulatory compliance, helps organisations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
• For more information: www.isaca.org/cobit
© 2007 IT Governance Institute® All rights reserved.

COBIT 4.1 – The ISACA Framework
• Issued in 2007
• An IT governance and management framework
• Focus on processes as the key enabler
Source: COBIT® 4.1, figure 23. © 2007 IT Governance Institute® All rights reserved.

COBIT 5 – The NEW Version
• COBIT 5 is a major strategic improvement providing the next generation of ISACA guidance on the governance and management of enterprise information technology (IT) assets.
• Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT.
• For more information: www.isaca.org/cobit

COBIT 5 Product Family – The Overarching Framework Product
Source: COBIT® 5, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5: Value Creation
• Delivering enterprise stakeholder value requires good governance and management of IT assets, including information security arrangements.
• External legal, regulatory and contractual compliance requirements (sometimes covering information security requirements) related to enterprise use of information and technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT, providing a sound basis for information security arrangements.

The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles and Enablers
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

COBIT 5 Enterprise Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

COBIT 5 Product Family – The Detailed Process Guidance is Still There
Source: COBIT® 5: Enabling Processes, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5 Enabling Processes
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

COBIT 5 – Integrates Earlier ISACA Frameworks
• COBIT 5 has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.

COBIT 5 – Integrates BMIS Components Too
• COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components.
Source: BMIS®, figure 2. © 2010 ISACA® All rights reserved.

BMIS Introduction
• Business Model for Information Security (BMIS)
• A holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection
• BMIS challenges conventional thinking and enables you to creatively re-evaluate your information security investment
• The Business Model for Information Security provides an in-depth explanation of a holistic business model which examines security issues from a systems perspective.
• For more information: www.isaca.org/bmis

COBIT 5 Integrates BMIS Components
• Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and create stakeholder value:
• Organisation
• Process
• People
• Human Factors
• Technology
• Culture

COBIT 5 Integrates BMIS Components (cont)
• The remaining BMIS components are related to the larger aspects of the COBIT 5 framework:
• Governing – The dimensions of governance activities (evaluate, direct, monitor – ISO/IEC 38500) are addressed at the enterprise level in the COBIT 5 framework
• Architecture (including a process model) – COBIT 5 includes the need to address enterprise architecture aspects to link organisation and technology effectively
• Emergence – The holistic and integrated nature of the COBIT 5 enablers supports the enterprise in adapting to changes in both stakeholder needs and enabler capabilities as necessary

COBIT 5 Product Family – Includes Implementation Guidance
Source: COBIT® 5 Implementation, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5 Implementation
• The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk, including often cited security risk, has never been greater.
• Increasing regulation and legislation over business use and security of information is also driving heightened awareness of the importance of well-governed, managed and secure IT use.

COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5, including many focused on information security.
• However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
• COBIT 5 Implementation provides guidance on how to do this.

COBIT 5 Implementation (cont.)
• COBIT 5 Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components

COBIT 5 Implementation (cont.)
Source: COBIT® 5 Implementation, figure 6. © 2012 ISACA® All rights reserved.

COBIT 5 Product Family – Includes an Information Security Member
Source: COBIT® 5, adapted from figure 11. © 2012 ISACA® All rights reserved.

COBIT 5 and Information Security
COBIT 5 addresses information security specifically:
• The focus on the information security management system (ISMS) in the align, plan and organise (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.
• This process highlights the need for enterprise management to plan and establish an appropriate ISMS to support the information security governance principles and security-impacted business objectives resulting from the evaluate, direct and monitor (EDM) governance domain.
• Additional value for information security constituents will be created through additional explanations, activities, processes and recommendations.

COBIT 5 for Information Security (cont)
• COBIT 5 for Information Security will be an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective.
• The COBIT 5 for Information Security deliverable will be a view of information security governance and management that will provide security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.

COBIT 5 for Information Security (cont)
What content will be included in the guide?
• Guidance on the enterprise business drivers and benefits related to information security
• How the COBIT 5 principles can be viewed and applied from an information security professional's perspective
• How the COBIT 5 enablers can be used by information security professionals to support enterprise governance and management of information security arrangements
• How COBIT 5 for Information Security guidance aligns with other information security standards

COBIT 5 for Information Security (cont)
At what stage of development is COBIT 5 for Information Security?
• Development has been underway for some time and a draft was delivered for subject matter expert (SME) review in January 2012.
• The COBIT Security Task Force met in February 2012 to review and incorporate SME feedback into the product.
• The expectation is that the COBIT 5 for Information Security professional guide will be available in July 2012.

Thank you for listening!
If you have questions about ISACA publications and ongoing research, please contact:
ISACA Research Department
Phone: +1.847.660.5630
Fax: +1.847.253.1443
Email: [email protected]