COBIT’s presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.
With COBIT 5,
Principle 2: Covering the enterprise end-to-end
Information security is often applied as a series of point solutions, as described in more detail in Principle 3. However, general application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This isn’t just a horizontal integration. Rather, all levels of management must include InfoSec in every strategic and operational planning activity of the business.
For example, a department vice president might implement a new business process without consulting audit or security. If the organization has a solid
Principle 3: Applying a single integrated framework
Application of security controls is often a point-and-shoot activity. Many organizations tend to fix specific issues without stepping back and applying policies and controls that impact multiple vulnerabilities in network or system
One method of ensuring optimum use of controls is creation and management of a controls matrix, as shown in Figure A. (A working matrix Excel template is available for download at http://mcaf.ee/3zk7c.) A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice:
- Both IT and business teams use processes to get work done with consistent outcomes. Security teams must include how work is done when designing a security framework and program.
- An organizational structure (a management hierarchy) is designed to monitor and reach strategic and operational objectives. Leaders (decision makers) from each level are typically stakeholders in business processes and expected outcomes.
- An organization is a living entity, with its own culture, ethics, and behavior as exhibited by its employees. Changing the way employees see their working world is not easy and must be considered when trying to secure the workplace.
- Information is what we attempt to protect… and it is usually everywhere. In most cases, information is critical for business operations and must be available when and where needed. Further, access to the data should not come with unacceptable response times caused by poorly designed security controls.
- IT delivers information via services, infrastructure, and applications.
- All security control implementations require attention to people, skills, and competencies, both in and out of IT. For example, is it more appropriate to enforce a policy with technical controls, or are employees able to meet expected risk outcomes through administrative controls alone?
- Principles, policies, and frameworks provide the means to integrate all enablers into an overall solution resulting in secure operational success. The enablers help achieve the outcomes expected when developing principles, policies, and frameworks.
Principle 5: Separating governance from management
This principle establishes a line between setting objectives and measuring outcomes. According to COBIT 5 for Information Security:
“Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives” (p. 23).
While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.
- COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes. It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
- Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
- Point-and-shoot approaches to managing security will not achieve the best overall results. A holistic approach—one that defines a complete framework used to integrate new controls or vulnerability remediation—is necessary for both security and financial efficiency and efficacy.