COBIT 5 for information security: The underlying principles

COBIT 5, a governance model for enterprise IT, introduces a framework that is better focused on information security.

The Sarbanes-Oxley Act of 2002 (SOX) strengthened COBIT’s presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ISO 27002 and ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.

With COBIT 5, ISACA introduced a framework for information security. It includes all aspects of ensuring reasonable and appropriate security for information resources. Its foundation is a set of principles upon which an organization should build and test security policies, standards, guidelines, processes, and controls:

  1. Meeting stakeholder needs
  2. Covering the enterprise end-to-end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management

Principle 1: Meeting stakeholder needs

A group of stakeholders includes any individual or group affected by the current state or future state of a process, system, policy, etc. Stakeholder analysis is the process of identifying stakeholders so that their input can ensure outcomes match requirements. This is an important step in both project planning and risk management. Failure to involve all stakeholders, including InfoSec and audit teams, usually results in less than optimum outcomes at best. Worst case outcomes include failed projects or material audit deficiencies.

Successful stakeholder analysis results in maximizing benefits, minimizing risk to or beyond expected outcomes, and optimizing resources. Further, ensuring integration of business and information assurance requirements into the development or acquisition of a solution is always preferable to trying to “hang” something onto a finished—but incomplete—system, network, or a physical controls framework.

Principle 2: Covering the enterprise end-to-end

Information security is often applied as a series of point solutions, as described in more detail in Principle 3. However, general application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This isn’t just a horizontal integration. Rather, all levels of management must include InfoSec in every business strategic and operational planning activity.

For example, a department vice president might implement a new business process without consulting audit or security. If the organization has a solid security program, the VP is aware of and supports it, and C-level executives are clear in their requirement that each business process must conform to the program, then the new process will likely meet expected security outcomes, even without security and audit reviews. However, engaging InfoSec and audit teams to review major process changes is always a good idea, regardless of how “safe” or “insignificant” the change appears.

Principle 3: Applying a single integrated framework

Application of security controls is often a point-and-shoot activity. Many organizations tend to fix specific issues without stepping back and applying policies and controls that impact multiple vulnerabilities in network or system attack surfaces. Designing a complete framework includes all aspects of information storage, flow, and processing, providing a foundation for more efficient control implementation.

Figure A: Controls Matrix

One method of ensuring optimum use of controls is creation and management of a controls matrix, as shown in Figure A. (A working matrix Excel template is available for download at http://mcaf.ee/3zk7c.) A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice:

  • SANS Top Twenty Critical Security Controls
  • COBIT 5 for Information Security
  • ISO 27002

A framework supports a holistic approach to securing an organization.

Principle 4: Enabling a holistic approach

As support for developing an integrated framework, it’s important to see information security as a set of related components, not as a set of silos. Each component is driven by enablers and other factors affecting organization risk. COBIT 5 for Information Security provides a list of enablers and describes how they interrelate, as shown in Figure B. Enablers help organizations integrate operations and security into the outcomes of all principles defined here. As always, this is done in a way that meets stakeholder requirements.

Figure B: Enabler Integration

  • Both IT and business teams use processes to get work done with consistent outcomes. Security teams must account for how work is actually done when designing a security framework and program.
  • An organizational structure (a management hierarchy) is designed to monitor and reach strategic and operational objectives. Leaders (decision makers) from each level are typically stakeholders in business processes and expected outcomes.
  • An organization is a living entity, with its own culture, ethics, and behavior as exhibited by its employees. Changing the way employees see their working world is not easy and must be considered when trying to secure the workplace.
  • Information is what we attempt to protect… and it is usually everywhere. In most cases, information is critical for business operations and must be available when and where needed. Further, access to the data should not come with unacceptable response times caused by poorly designed security controls.
  • IT delivers information via services, infrastructure, and applications.
  • All security control implementations require attention to people, skills, and competencies, both in and out of IT. For example, is it more appropriate to enforce a policy with technical controls, or are employees able to meet expected risk outcomes through administrative means?
  • Principles, policies, and frameworks provide the means to integrate all enablers into an overall solution resulting in secure operational success. The enablers help achieve the outcomes expected when developing principles, policies, and frameworks.

Principle 5: Separating governance from management

This principle establishes a line between setting objectives and measuring outcomes. According to COBIT 5 for Information Security:

“Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives” (p. 23).

While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.

Takeaways

  1. COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes. It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
  2. Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
  3. Point-and-shoot approaches to managing security will not achieve the best overall results. A holistic approach—one that defines a complete framework used to integrate new controls or vulnerability remediation—is necessary for both security and financial efficiency and efficacy.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

2 comments
r0dsc0tt

This article is ISACA kool-aid. The truth is ISACA has dumbed-down COBIT in successive revisions 4 & 5 so that non-IT experienced people can claim they use what for a brief shining moment was the most usable IT framework available (version 3.2). Making sure all the stakeholders are cuddly with security means nothing if there isn't a robust framework actually controlling the IT environment. COBIT 5 no longer assists in assuring that outcome. The feds' cybersecurity project will not have stakeholder handholding as a serious control.

Tom Olzak

@r0dsc0tt

Stakeholder hand holding, as you call it, is not a dumbing down of security. Rather, it ensures security mitigates risk while ensuring operational efficiency. This was my job for several years at a large healthcare organization, and there is no way to do this without involving business stakeholders. Security is much more than implementation of network and server controls. Finally, failure to at least consider COBIT when implementing a framework--even if your primary framework is something like ISO 27002--is not a good idea if you fall under either SOX or the GLBA.

As for the NIST framework project (I assume that is what you're talking about), it fails miserably in the area of implementation and measuring success in terms of risk. It needs a lot of work before it can provide value to security teams focused on business success.

It's important to remember that we as security professionals are enablers; we enable the business to remain competitive while providing reasonable and appropriate safeguards. Reasonableness is something we define TOGETHER with the stakeholders.