Presentation transcript:

COBIT5@MAVIM
Speed up your GDPR program. Develop your IT Management System. Accelerate your Information Security System ... WITHOUT expensive consultancy fees!
Greet Volders, Managing Consultant, Voquals N.V.

Deliverables included in this service offering
Complete content of COBIT5: available in the database and presentable on your website.
GDPR-compliant processes and documents: necessary procedures, useful information, practical examples and templates.
Greet Volders _ Voquals N.V. MAVIM / COBIT5

Deliverables included in this service offering
Based on COBIT for Security, mapped to: ISO27001:2013, ISF (Information Security Forum) and NIST (National Institute of Standards and Technology).
Additional integrated content:
- RACI
- Level 1 Process Capability Assessment
- IT-related goals and metrics
- Specific templates for some processes
- Cross-reference to ITIL

Website - homepage
On the home page you get access to the 4 most important parts of COBIT5:
- The processes, with flow and descriptions
- KPIs based on the IT-related goals and KPIs defined by Voquals
- Level 1 Process Capability Assessment execution and results
- RACI based on the standard RACI provided in COBIT5

Website - Processes
In this solution you do not only manage your IT-related processes, but ALL company processes, in an integrated, coherent way. All organisational structures are linked with the processes. Reporting is done in a consistent way.
Do you want to learn more about ...
- COBIT5, Processes and reporting
- Voquals 4 GDPR
- Voquals 4 Info Security
- The END

Website - GDPR
Part of the management processes is GDPR.

Website - GDPR
GDPR contains all required processes and useful information, such as definitions, templates and examples.

Website - GDPR example process
Example: Manage Data Processor Agreement, with a detailed description of the 2 sub-processes.

Website - GDPR example process
With a detailed description of the 2 sub-parts, including links to Data Processor information and an example Data Processors' Agreement.

Website - GDPR
After the GDPR, do you want to learn more about ...
- COBIT5, Processes and reporting
- Voquals 4 GDPR
- Voquals 4 Info Security
- The END

Website - Security & Compliance
1 of the pre-defined views is related to Information Security & Compliance.

Website - Security & Compliance
Available description of the Manage Security process. The same exists for all the other processes on the schema.

How to protect from Logical Attacks
We explain some examples to mitigate the threat of Logical Attacks: Security Process Goals and related metrics, resulting in Security Specific Actions.

How to protect from Logical Attacks
Security Specific Process Goals
- Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
- Information security architecture is understood as part of the overall enterprise architecture, is aligned with it and evolves with changes to the enterprise architecture.
- Information security architecture framework and methodology are used to enable reuse of information security components across the enterprise.
Related Metrics
- Number of exceptions to information security architecture standards
- Number of deviations between information security architecture and enterprise architecture
- Date of last review and/or update to information security controls applied to enterprise architecture
- Percent of projects that use the information security architecture framework and methodology
- Number of people trained in the information security framework and methodology
Security Specific Activities
- Ensure inclusion of information security artefacts, policies and standards in the architecture repository.
- Ensure that information security is integrated across all architectural domains (e.g., business, information, data, applications, technology).

How to protect from Logical Attacks
Security Specific Process Goals
1. An information security policy framework is defined and maintained.
2. A comprehensive information security strategy is in place and is aligned with the overall enterprise and IT strategy.
3. Cost-effective, appropriate, realistic, achievable, enterprise-focussed and balanced.
4. Aligned with long-term enterprise strategic goals and objectives.
Related Metrics
1. Number of updates of the information security policy; management approval of the information security policy
2. Number of updates of the information security policy; management approval of the information security policy
3. Percent and number of initiatives for which a value metric (e.g., ROI) has been calculated; enterprise stakeholder satisfaction survey feedback on the effectiveness of the information security strategy
4. Percent of projects in the enterprise and IT project portfolios that involve information security; percent of IT initiatives/projects that have information security
Security Specific Activities
- Ensure that information security requirements are included in the definition of target IT capabilities.
- Define the target state for information security.
- Define and agree on the impact of information security requirements on enterprise architecture, acknowledging the relevant stakeholders.

How to protect from Logical Attacks
Security Specific Process Goals
3. All users are uniquely identifiable and have access rights in accordance with their business roles.
4. Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
Related Metrics
3. Average time between change and update of accounts; number of accounts (vs. number of authorised users/staff)
4. Percent of periodic tests of environmental security devices; average rating for physical security assessments; number of physical security-related incidents
Security Specific Activities
3. Authenticate all access to information assets based on their security classification, co-ordinating with business units that manage authentication within applications used in business processes to ensure that authentication controls have been properly administered.
4. Administer all changes to access rights (creation, modifications and deletions) to take effect at the appropriate time, based only on approved and documented transactions authorised by designated management individuals.

How to protect from Logical Attacks
Security Specific Process Goals
1. The information security governance system is embedded in the enterprise.
2. Assurance is obtained over the information security governance system.
Related Metrics
1. Number of enterprise and IT processes with which information security is integrated; percent of processes and practices with clear traceability to principles; number of information security breaches related to non-compliance with ethical and professional behaviour guidelines
2. Frequency of independent reviews of governance of information security; frequency of governance of information security reporting to the executive committee and board; number of external/internal audits and reviews; number of non-compliance issues
Security Specific Activities
- Evaluate the extent to which information security meets the business and compliance/regulatory needs.
- Articulate principles that will guide the design of information security enablers and promote a security-positive environment.
- Understand the enterprise's decision-making culture and determine the optimal decision-making model for information security.

How to protect from Logical Attacks
Security Specific Process Goals
1. A system is in place that considers and effectively addresses enterprise information security requirements.
2. A security plan has been established, accepted and communicated throughout the enterprise.
3. Information security solutions are implemented and operated consistently throughout the enterprise.
Related Metrics
1. Number of key security roles clearly defined; number of security-related incidents
2. Level of stakeholder satisfaction with the security plan throughout the enterprise; number of security solutions deviating from the plan; number of security solutions deviating from the enterprise architecture
3. Number of services with confirmed alignment to the security plan; number of solutions developed with confirmed alignment to the security plan
Security Specific Activities
- Define the scope and boundaries of the ISMS.
- Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organisation, its location, assets and technology.
- Conduct internal ISMS audits at planned intervals.
- Maintain, as part of the enterprise architecture, an inventory of solution components that are in place to manage security-related risk.

Website - Security & Compliance
After Information Security & Compliance, do you want to learn more about ...
- COBIT5, Processes and reporting
- Voquals 4 GDPR
- Voquals 4 Info Security
- The END

Website - ICT Processes
IT processes are part of the Supportive Processes. In this part you find 4 possible views on the complete set of 37 COBIT5 processes. If you click on ICT, you receive the COBIT5 Process Reference Model.

Website - COBIT Processes
All 37 COBIT5 processes are present in this overview. Via this schema you can consult all the processes presented, by clicking on the process box or on the "+".

Website - COBIT Processes, example
After clicking on the process (or on the "+"), you receive the detailed flow, with, at the right, the introduction to this process. For each of the detailed boxes there is a description, which can be seen by clicking on each box. These are the steps for "Manage Security Services", process DSS05 in COBIT5.

Website - COBIT Processes, example
By clicking on 1 box, you receive the detailed content of that process. See the example for the last practice of "Managing Security Services", Periodic Reporting.

Website - COBIT Processes
By clicking on the tree-structure, you find the processes grouped into:
- Primary
- Management
- Supportive processes
In the MAVIM db you find the same structure.

Website - COBIT Processes
Under Supportive Processes you find all IT-related views on the processes:
- ICT, which contains the complete COBIT5 process set
- IT Service Management (ITIL oriented)
- IT Project Management
- Security & Compliance
In the MAVIM db you find the same structure.

Website - COBIT Processes
The ICT processes are divided into:
- Governance of IT (EDM processes)
- Management of IT (APO-, BAI-, DSS-processes)
- Monitor, Evaluate and Assess (MEA processes)
In the MAVIM db you find the same structure.

Website - IT Service Processes
Another view on your IT processes can easily be created. This schema shows the example for IT Service Management; the next schema focuses on IT Development. All the processes mentioned on this schema refer to the already created COBIT5 processes. In this way it's easy to create your own process structure. Some examples are given below.

Website - IT Project Delivery
This schema shows the example for IT Development. All the processes mentioned on this schema refer to the already created COBIT5 processes. In this way it's easy to create your own process structure.

Website - KPIs
Other management tools available are:
- Level 1 Process Capability Assessment
- KPIs (Key Performance Indicators)
- RACI (Responsibility matrix)

Website - Level 1
Level 1 Process Capability Assessment is based on the COBIT5 Process Assessment Model (PAM), which enables assessments by enterprises to support process improvement. Level 1 is the assessment against the practices and work products, which are specific for each process.

Website - KPIs
The Key Performance Indicators are based on the IT-related goals, the Goals & Metrics per process, and the specific experience of Voquals.

Website - RACI
Identifies who is Responsible or Accountable for the practice/activities, and who is Consulted and Informed about the practice/activities.

Website - Processes
After the generic information on the COBIT5 solution, do you want to learn more about ...
- COBIT5, Processes and reporting
- Voquals 4 GDPR
- Voquals 4 Info Security
- The END

More Information - Coordinates
Voquals N.V., Greet Volders
Genebroek 34, 2450 Meerhout, Belgium
Phone +32 14 22 54 04
Mobile +32 475 63 45 06
E-mail Gvolders@voquals.be
Website www.voquals.be
MAVIM: see the videos for more information on MAVIM and their other solutions:
- Business Process & Quality Management (and demonstration)
- Governance, Risk & Compliance (and demonstration)
- Application Implementation Management (and demonstration)
- IT Portfolio Management (and demonstration)
- Strategic Portfolio Management (and demonstration)
- Enterprise Architecture (and demonstration)