Using CobiT to Enhance IT Security Governance
LHS © John Mitchell
John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, Grangewood, Potters Bar, Herts EN6 1SL, England
Tel: +44 (0)  Fax: +44 (0)  Mobile: +44 (0)
www.lhscontrol.com
IT Security Governance Road Map
- Identify Needs
  - Risk analysis
  - Raise awareness
- Envisage Solution
  - Where are you now?
  - Where do you want to be?
  - Gap analysis
- Plan Solution
  - Identify measurement metrics
  - Develop change programme
  - Define projects
- Implement Solution
  - Generate Balanced Score Card
  - Collect metrics
  - Report
Where is Your IT Security?
Maturity scale (diagram): Non-Existent, Initial, Repeatable, Defined, Managed, Optimised
Maturity Models
- A strategic management tool
- Helps in self-assessment and in making decisions about where the IT function currently is and where it should be going
- Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
- Provides a pragmatic benchmark: "Where is my IT department placed and where do we want it to be?"
CMM Concepts
- Initially proposed in 1991 by the Software Engineering Group at Carnegie Mellon University, USA
- Identified 6 maturity levels in the development of quality software
- Extended by the Information Systems Audit & Control Association (ISACA) to include all aspects of IT
CMM Levels
0 Non-Existent
1 Initial/Ad Hoc
2 Repeatable but intuitive
3 Defined Process
4 Managed & measurable
5 Optimised
Security Maturity Models
IT Security Governance Encompasses
- Technology
- Processes
- People
IT Security Governance Requires
- Planning & Organisation
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Enhancement
Control Objectives for IT (CobiT)
- Open standard provided by the Information Systems Audit & Control Association (ISACA)
- Used by over 43,000 control professionals throughout the world
- Increasingly seen as an IT Governance tool
Where CobiT Fits In
Diagram: Corporate Governance, with IT Governance, Finance Governance and Marketing Governance beneath it; under IT Governance, CobiT sits alongside ISO 17799, BS 15000, CMM, ITIL, ISO 9126, ISO 15504, ISO 9000 and TickIT.
CobiT & IT Governance
IT Governance Programme, by CobiT domain:
- Planning & Organisation
  - Strategic Planning
  - Information Architecture
  - Technological Direction
  - IT Organisation & Relationships
  - Manage the IT Investment
  - Communicate Aims & Direction
  - Manage human resources
  - Ensure Compliance
  - Assess Risks
  - Manage Projects
  - Manage Quality
- Acquisition & Implementation
  - Identify Solutions
  - Acquire & Maintain Application Software
  - Acquire & Maintain Technology Architecture
  - Develop & Maintain IT Procedures
  - Install & Accredit systems
  - Manage Changes
- Delivery & Support
  - Define Service Levels
  - Manage third-party services
  - Manage performance and capacity
  - Ensure continuous service
  - Ensure systems security
  - Identify and attribute costs
  - Educate and train users
  - Assist & advise IT customers
  - Manage the configuration
  - Manage problems & incidents
  - Manage data
  - Manage facilities
  - Manage operations
- Monitoring
  - Monitor the processes
  - Assess internal control adequacy
  - Obtain independent assurance
  - Provide for independent audit
CobiT Structure
- Area Framework (i.e. IT Security)
- Control Objectives
- Audit Guidelines
- Key Goal Indicators
- Key Performance Indicators
- Critical Success Factors
- Maturity Models
Security Framework
Control Objectives
- Control Objectives provide high-level control statements linking the need for control to business requirements, based on the CobiT Information Criteria
- By addressing 34 high-level control objectives, the business process owner can ensure that an adequate internal control system is in place for the IT environment
- There are also over 300 detailed management & control objectives for the 34 IT processes
- These objectives have been derived from research across many sources of IT standards and best practice, including topics such as IT quality, security, service delivery and financial control
- These objectives are intended to be a management tool, helping auditors, IT management and business management understand how to control IT activities to meet business requirements
Control Objectives
Audit Guidelines
- A management tool
- Helps in self-assessment and in making choices for control implementation and capability improvements
- Developed with the help of world-wide experts in the field of IT governance, IT management, performance management, and information security and control
- Provides a set of tools to assist management in responding to the question: "What is the right level of control for my IT such that it will support my business objectives?"
Audit Guidelines
Measurement Components
- Key Goal Indicators (KGIs)
  - Where do you want to be?
- Critical Success Factors (CSFs)
  - Those things that MUST happen to reach the KGI
- Key Performance Indicators (KPIs)
  - Those measures that confirm you are meeting the CSFs, or which warn you when you are drifting off course
Key Goal Indicators
Critical Success Factors
Key Performance Indicators
Control Practices
- The benefits listed under 'why do it' are tangible and motivate implementation of the controls
- Complete: the set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
- Good business practice: the control practices listed are generally accepted as good business practice
- Sustainable: the control practices suggest sustainable solutions
- Effective: the control practices are effective in addressing the risk linked to not achieving the detailed control objective
- Efficient: the control practices suggest efficient solutions
- Concise: the wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
- Realistic: the control practices are realistic
Control Practices
Useful Sites & Tools
- Sites
- Tools
  - Control Objectives for IT (CobiT)
  - IT Infrastructure Library (ITIL)
  - International Standards (ISO 17799, ISO 9000, etc.)
Summary
- IT security governance is about measurement & control of IT security within the corporate framework, to ensure that IT supports and helps to extend the enterprise's capabilities
- Much of IT security governance involves risk management of:
  - Confidentiality
  - Integrity
  - Availability
  - Compliance
- Knowing where you are is a prerequisite to knowing where you want to be:
  - Capability maturity assessment
  - ISO gap analysis
Questions?
John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, CIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Hertfordshire EN6 1SL, England
Tel: +44 (0)  Fax: +44 (0)  Mobile: +44 (0)