Cobit for Iso27000

Published by: hmendezg4680 on Sep 09, 2010
Copyright: Attribution Non-commercial
COBIT for ISO27001 Users: Concepts, Myths and Misconceptions

Anton J Aylward, CISSP, CISA

System Integrity, Toronto, Ontario
The Fourth Annual Canadian ISO17799/ISO17001 Conference
30 Nov 2006
info@si.on.ca

COBIT is not ISO27000

What they have in common
- Based on experience
- Continuous refinement
- Committee to make 'general'

How they differ
- Audit is not implementation
- There's more to IT than ISMS
- There's more to audit than IT!

COBIT is more than an ISMS

Quick side-by-side
- Goals
- Paradigm
- Maturity levels
- InfoSec paradigm
- Organization model
- Inputs
- Outputs
- Certifiable

COBIT is different from an ISMS

Goals

CobIT: Many. Strategic alignment, resource management and optimization, governance, performance measurement "dashboard", compliance, budgeting, reporting, identification of processes, value delivery ... Oh, and risk management, at many levels.

ISO27001: IT "absolute" security?

"Security" can easily end up as managing by FUD, especially when dealing with absolutes (yes/no). Granularity makes for better management.

Paradigm

CobIT: IT process based
ISO27001: Focus on security controls

- "Process based" is aligned with ISO9000 and ITIL
- Controls and processes can be audited by testing
- Controls don't have a defined output. Processes do.
- Processes can be controlled and measured in terms of their I/O
- A (malfunctioning) control produces no output to tell what is wrong with it

Maturity Levels

CobIT: Five
ISO27001: None (or just one)

- "Process based" is aligned with ISO9000 and ITIL
- ISO27001 is a selective "Do everything or Do Nothing". This has economic implications as well as management implications.
- Granularity and maturity levels can show progress, justify further investment, ROI.
- The audit process supplies this management focus. Does ISO27001 need maturity levels if the audit supplies it?

Infosec Paradigm

CobIT:
- Corporate values
- Attacks (not just infosec), accidents, errors & omissions
- CIA + effectiveness + efficiency + compliance + reliability/robustness

ISO27001:
- ISMS
- Attacks
- CIA

Organisational Model

CobIT: All stakeholders: board, executive, management, development, operations, support, procurement, audit, security (including GGGD). All RACI entities (Responsible, Accountable, Consulted, Informed). Granularity and specific responsibilities and inputs.

ISO27001: Management / non-management

Inputs

CobIT: Most CobIT processes have inputs from other processes.
ISO27001: No

Outputs

CobIT: CobIT metrics (KPIs etc.) are based on defined outputs that are measurable, which makes managing the relevant processes possible.
ISO27001: No

Certifiable?

CobIT: No
ISO27001: Yes

ISO-17799 - "Code of Practice"
ISO-27001 - Standard
CobIT - Methodology

CobIT Documentation (three slides; slide content not extracted)

What is an Audit?

Uh Oh! Audit Time! Everyone be on their best behaviour.

Types of Audit
- Financial
- Compliance: against 'self defined' requirements, against outside requirements; by internal audit, by external auditors
- Risk: Scope? Types of risk: business, technological

Financial?

Remember: These are all different!
- Financial risk
- Security risk
- Business risk
- InfoSec risk

Value of COBIT

On the face of it, only TWO of the 34 top-level COBIT control objectives map to security:
- PO9 - Assess and manage IT risks
- DS5 - Ensure systems security

In reality:
a) these take input from and supply output to many other processes
b) there are many of the 318 second-level control objectives that supply input to the security processes

Value of COBIT, continued

See also "Aligning COBIT, ITIL and ISO 17799 for Business Benefit":
http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=22490

Process Oriented
- Business processes
- Driven in terms of business outcomes
- Four domains
- Like the Deming/Shewhart cycle: Plan & Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate

Business Processes (slide content not extracted)

Driven in terms of Business Outcomes (slide content not extracted)

Deming Cycle - at all levels (slide content not extracted)

Four Domains (slide content not extracted)

Plan & Organize

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure should be put in place.

Plan & Organize (continued)

This typically addresses the following management questions:
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?

Acquire and Implement

To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives.

Acquire and Implement (continued)

This domain typically addresses the following management questions:
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?

Deliver and Support

This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and the operational facilities.

Deliver and Support (continued)

It typically addresses the following management questions:
- Are IT services being delivered in line with business priorities?
- Are IT costs optimised?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place?

Monitor and Evaluate

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and providing governance.

Monitor and Evaluate (continued)

It typically addresses the following management questions:
- Is IT's performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are risk, control, compliance and performance measured and reported?

Control Based
- Ownership & responsibility
- Data
- Processes, including inputs
- Business controls vs IT controls
- Consistent
- Consistent results
- Efficient and effective

Measurement Driven
- Maturity model: consistent benchmarking, measure improvement, identify areas of concern, dimensions of maturity
- Performance goals: capabilities, not absolutes
- Key goal indicators
- Key performance indicators
- Activity goals
- Key indicators

Dimensions of Maturity (slide content not extracted)

Misconceptions About the Role of Audit
- Only Two?
- PO9: PO9 inputs, PO9 outputs, PO9 RACI
- DS5: DS5 inputs, DS5 outputs, DS5 RACI, DS5 relationship between goals and metrics
- Pez will go into details about ITIL

Only Two?

Only Two? That doesn't seem right.

PO9 (PO9 Inputs, PO9 Outputs, PO9 RACI)

PO9 Inputs (slide content not extracted)

PO9 Outputs (slide content not extracted)

PO9 RACI (slide content not extracted)

DS5 (DS5 Inputs, DS5 Outputs, DS5 RACI, DS5 Relationship Between Goals and Metrics)

DS5 Inputs (slide content not extracted)

DS5 Outputs (slide content not extracted)

DS5 RACI (slide content not extracted)

DS5 Relationship between Goals and Metrics (slide content not extracted)

More Information on COBIT
- ISACA, Information Systems Audit and Control Association: http://www.isaca.org/cobit/ (COBIT-Online)
- ITGI, IT Governance Institute: http://www.itgi.org/ (case studies, best practices, ... more)

Pez will go into details about ITIL

Contact Information

"Security is not something that comes in a self-contained box. It requires a conscientious and continuous commitment that permeates every aspect of your enterprise and strategies. It is about understanding risks and managing them"

Anton J Aylward, CISSP CISA
aja@si.on.ca
P: (416) 497-0201
C: (416) 509 9649
Blog: InfoSecBlog.antonaylward.com
http://www.si.on.ca
