The Sarbanes-Oxley Act of 2002 (SOX) strengthened COBIT's presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ISO 27002 and ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.
With COBIT 5, ISACA introduced a framework for information security. It includes all aspects of ensuring reasonable and appropriate security for information resources. Its foundation is a set of principles upon which an organization should build and test security policies, standards, guidelines, processes, and controls:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
Principle 1: Meeting stakeholder needs
A group of stakeholders includes any individual or group affected by the current state or future state of a process, system, policy, etc. Stakeholder analysis is the process of identifying stakeholders so that their input can ensure outcomes match requirements. This is an important step in both project planning and risk management. Failure to involve all stakeholders, including InfoSec and audit teams, usually results in less-than-optimum outcomes at best. Worst-case outcomes include failed projects or material audit deficiencies.
Successful stakeholder analysis results in maximizing benefits, minimizing risk to or beyond expected outcomes, and optimizing resources. Further, ensuring integration of business and information assurance requirements into the development or acquisition of a solution is always preferable to trying to "hang" something onto a finished—but incomplete—system, network, or a physical controls framework.
Principle 2: Covering the enterprise end-to-end
Information security is often applied as a series of point solutions, as defined in more detail in Principle 3. However, general application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This isn't just a horizontal integration. Rather, all levels of management must include InfoSec in every business strategic and operational planning activity.
For example, a department vice president might implement a new business process without consulting audit or security. If the organization has a solid security program, the VP is aware of and supports it, and C-level executives are clear in their requirement that each business process must conform to the program, then the new process will likely meet expected security outcomes, even without security and audit reviews. However, engaging InfoSec and audit teams to review major process changes is always a good idea, regardless of how "safe" or "insignificant" the change appears.
Principle 3: Applying a single integrated framework
Application of security controls is often a point-and-shoot activity. Many organizations tend to fix specific issues without stepping back and applying policies and controls that impact multiple vulnerabilities in network or system attack surfaces. Designing a complete framework includes all aspects of information storage, flow, and processing, providing a foundation for more efficient control implementation.
One method of ensuring optimum use of controls is creation and management of a controls matrix, as shown in Figure A. (A working matrix Excel template is available for download at http://mcaf.ee/3zk7c.) A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice:
- SANS Top Twenty Critical Security Controls
- COBIT 5 for Information Security
- ISO 27002
A framework supports a holistic approach to securing an organization.
Principle 4: Enabling a holistic approach
As support for developing an integrated framework, it's important to see information security as a set of related components, not as a set of silos. Each component is driven by enablers and other factors affecting organization risk. COBIT 5 for Information Security provides a list of enablers and describes how they interrelate, as shown in Figure B. Enablers help organizations integrate operations and security into the outcomes of all principles defined here. As always, this is done in a way that meets stakeholder requirements.
- Both IT and business teams use processes to get work done with consistent outcomes. Security teams must include how work is done when designing a security framework and program.
- An organizational structure (a management hierarchy) is designed to monitor and reach strategic and operational objectives. Leaders (decision makers) from each level are typically stakeholders in business processes and expected outcomes.
- An organization is a living entity, with its own culture, ethics, and behavior as exhibited by its employees. Changing the way employees see their working world is not easy and must be considered when trying to secure the workplace.
- Information is what we attempt to protect… and it is usually everywhere. In most cases, information is critical for business operations and must be available when and where needed. Further, access to the data should not come with unacceptable response times caused by poorly designed security controls.
- IT delivers information via services, infrastructure, and applications.
- All security control implementations require attention to people, skills, and competencies, both in and out of IT. For example, is it more appropriate to enforce a policy with technical controls, or are the employees able to meet expected risk outcomes through administrative controls?
- Principles, policies, and frameworks provide the means to integrate all enablers into an overall solution resulting in secure operational success. The enablers help achieve the outcomes expected when developing principles, policies, and frameworks.
Principle 5: Separating governance from management
This principle establishes a line between setting objectives and measuring outcomes. According to COBIT 5 for Information Security:
"Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
"Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives" (p. 23).
While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.
- COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes. It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
- Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
- Point-and-shoot approaches to managing security will not achieve the best overall results. A holistic approach—one that defines a complete framework used to integrate new controls or vulnerability remediation—is necessary for both security and financial efficiency and efficacy.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.