You are on page 1of 29

Leveraging COBIT to Implement Information Security

By John Frisken, CA
COBIT Focus | 4 May 2015
In delivering IT security consulting services to large enterprises in Australia, particularly in
the health care, utility and large government sectors, Information Systems Group has
used the International Organization for Standardization (ISO) standards extensively, for
example ISO 27001 for security and ISO 20000 for IT service management. In advising
clients on the best way to apply the standards, the question that has consistently arisen
is, How far does the application of these standards need to be taken?

The ISO standards are good in that they apply a consistent and internationally agreed-upon definition;
however, the Information Systems Group wanted a way to be able to describe to its clients how far they
should take the application of the detailed controls within these standards. The ISO standards tend to be
binary in their application; enterprises either comply, or do not comply, with the detailed control-level
statements. The ISO standards are also not good at linking the application of these controls back to a
business-focused framework that can answer Why? at a level that a business executive can understand
and support.

The consultancy undertook an engagement to evaluate the quality of its clients implementation of ISO
27001. In this case, IT represented approximately 100 staff members out of a work force of 2,500, so IT
initially adopted a pragmatic approach to the application of the standards, which left quite a few gaps
when benchmarked against a rigorous technical application of the ISO 27001 standard.

The COBIT governance framework would be used with the


associated process assessment techniques to create a
maturity model as that measuring stick.

Following the review, the consultancy was asked how it would address these gaps and why doing so
would deliver benefits to the enterprise. ISO 27001 pertains to the domain of security, and while it is
important, it is only one of many modern businesses areas that need to be addressed. The client had
identified that it also wanted to address the Information Technology Infrastructure Library (ITIL), and it
had an existing access control initiative that had good sponsorship. Last, the clients internal audit division
used COBIT and was a significant sponsor for the implementation of ISO 27001. Accordingly, there was a
desire to understand how all of these competing initiatives could work together practically.

To address this challenge, the consultancy determined that an important step would be to obtain an
assessment of the current state of IT governance using a nontechnical, business-focused measuring stick
that was independent of the various competing control frameworks that it had been asked to integrate.
After some discussion within the consulting business, it was agreed that the COBIT governance
framework would be used with the associated process assessment techniques to create a maturity model
as that measuring stick. This initiative began in 2009 and extended through to 2011, with implementation
extending beyond 2011 through to the end of 2012. Thus, the framework development was based on
COBIT 4.1, as COBIT 5 was released in April 2012. Since this case example, COBIT 5 has been
released and offers an optimized approach to coordinate various standards.

In the case at hand, a series of executive briefings that set out the implementation program was
developed and, through a sequence of discussions, formulated an approach that the client felt would
deliver benefits for its business. A project manager from the business was engaged to work with the
consultants team of four to scope out, in detail, the tasks and deliverables to be developed.

The decision was made to start with information security initially to understand the various implementation
models that were commonly in use. Many of these models were quite detailed and addressed security
with respect to the requirements of technology, usually leading to very expensive programs of work for
implementing security that were technology-focused, rather than business-focused.

There had been the use of other models, including limiting the scope to individual-sensitive business units
or considering the scope in terms of the business processes of the enterprise.

Upon sharing these models with the client, it was discovered that the enterprises appetite for security
aligned with the process-centric view. However, the consultancy needed a way to push down security into
business units and address device-level security. At this point, the consultancy looked to ITIL for some
guidance and began to think of security as a process within ITIL.

The consultancy developed the IT governance model shown in figure 1 to describe the theoretical
underpinnings of the approach. The model starts with the COBIT 4.1 Maturity Attributed Table1 and
finishes with COBIT 4.1 using the RACI (Responsible, Accountable, Consulted and Informed) controls
embedment process. In between these two COBIT techniques, the consultancy implemented the control
framework for ISO 27001 and relevant parts of ITIL to deliver an operational information security system
as shown in figure 2.

Figure 1Information Security Model


View Large Graphic

Figure 2Information Security Program Architecture


View Large Graphic

The integration of the IT governance maturity model, COBIT 4.1, ISO 27001 and ITIL was achieved at a
process level within the standards and frameworks rather than at a control objective level. Key ITIL
processes for change management and release management were mapped into the ISO 27001 process
model and then presented within a conventional EPM program management structure for ongoing
reporting and management. Every security concept, construct or device type that had a change
dimension associated with it was identified within this model using a concept similar to the 20 SANS
Critical Security Controls2 process. Finally, all changes were traced back into the ITIL change
management system (CMS or CMDB) to manage traceability of key configuration items related to
security.

Because the system started and ended with COBIT, the consultancy effectively employed COBIT as a
container or wrapper to allow it to integrate and enforce various competing standards within the
enterprise/client. The consultancy found this to be a much more constructive approach than trying to
reconcile standards at a detailed control level. Information security at a business-unit level is centered
around and enforced by using information security agreements (similar to operating level agreements
[OLAs] in ITIL), but using content from ISO 27001. The information security management system (ISMS)
enforces the information security agreements with business unit managers, which in turn drives the
application of detailed security controls and evidence collection. In this way, the detailed activities of
information security are devolved to managers, rather than managed centrally within a management
system.
This use of COBIT to coordinate various standards is optimized within COBIT 5. Refer to the COBIT 5
Principles within COBIT 5 for Information Security3. This clients plan in the revision of the implemented
frameworks is that the COBIT 5 framework will be used to introduce new concepts for management of
information security as set forth in COBIT 5 for Information Security.

One of the main advantages of this top-down approach to designing the IT governance initiatives is that it
permits the organization to tackle the detailed controls embedment process in a measured way and
ensure that it is aligned to the risk appetite of the business. With the overall ISMS in place, controls and
supporting education programs can be added at a rate that the business can absorb.

Currently, one of the main challenges limiting the use and implementation of an ISMS is the inability to
integrate multiple programs across the enterprise systems. With systems for ITIL service management
becoming more widespread, the capability to automate the IT side of information security systems is now
readily available to organizations.

On the business controls side, project and program management (PPM) and governance, risk and control
(GRC) software linked to enterprise workflow solutions provide a platform for managing the rollout of
information security programs and the regular review and reporting of controls and evidence collection. A
typical program component view looks like whats shown in figure 3. The security forum is the body that
reviews reporting from the ISMS and directs the focus of the initiatives to manage all aspects of the
organizations security posture and response to information security threats.

Figure 3Information Security Program Elements

For this client, the consultancy undertook a detailed design of the operational ISMS and a specification was
developed for implementation. The solution was built in a document management system, housing the detailed
policies and a calendar for establishing the program of reviews, training and reporting.

This was an initial starting point for this client given that other ISO systems used this system as well. In
the consultancys experience, the ISMS can be built on top of detailed ITIL or application life cycle
management (ALM) systems and integrated using a dashboard reporting tool similar to those available
with enterprise tools, such as SAP or Oracle enterprise resource planning (ERP) applications, PPM tools,
or enterprise document management (EDM) tools. All these tools usually incorporate enterprise workflow
technologies that permit linkages into ITIL or ALM technologies and permit activities to be assigned and
allocated to personnel within the enterprise.

Conclusion
The strength of the COBIT framework is its business-focused framework and pragmatic tools for the
alignment of policy down to detailed controls embedment. By utilising COBIT, the company was able to
provide answers to the questions of how and why organizations should protect information within the
enterprise, aligning the cost of controls to the perceived risk at a business process level rather than based
on technical controls.

Authors Note
This case study has been developed based on a real client situation in Australia. The name of the
organization and some other identifying information have been removed. All material is either owned by
Information Systems Group Pty Limited or used with permission.

John Frisken, CA
Is an application development specialist with a distinguished career in both professional practice with
Ernst & Young and, subsequently, as founder and owner of the Information Systems Group. Since
establishing ISG in 1996, Frisken has overseen the development of ISGs services through delivery of
complex applications leveraging advanced messaging and secure platform technologies in NSW Health
and Toyota Motor Corporation. He is currently the director, professional services for ISGroup, an
international systems integration and applications development company headquartered in Sydney, New
South Wales, Australia.

Endnotes
1 IT Governance Institute, COBIT 4.1, USA, 2007
2 SANS, Critical Security Controls Version 5
3 ISACA, COBIT 5 for Information Security, USA, 2012

http://www.isaca.org/COBIT/focus/Pages/leveraging-cobit-to-implement-information-security.aspx
Leveraging COBIT to Implement Information
Security (Part 2)
By John Frisken, CISA, CA
COBIT Focus | 27 July 2015
This article is a continuation of the article published 4 May 2015 called Leveraging
COBIT to Implement Information Security (Part1).

Studies by many organisations have highlighted that companies that are remaining
secure are focusing on implementing security controls as an integral part of their IT
service management (ITSM) systems, not as stand-alone management systems.
Companies that practice configuration management and maintain careful inventories of their hardware
and software are staying secure. Those that do not have significantly higher risk, as borne out by security
incident studies.

Many of the items managed within infrastructure management are significant for information security for 2
main reasons:

Loss of configuration information related to any piece of infrastructure represents a significant threat to the
ongoing availability of information stored on or managed by that device.
Incorrect configuration of devices such as routers, firewalls and servers represents critical threats that can
expose the enterprise to significant loss or corruption of data.

The implementation of an information security management system (ISMS) is designed to assist in the
automation and management of the large number of activities that need to be co-ordinated, recorded and
followed up to maintain security. When organisations do not have an ISMS, they either spend a large
amount of effort to manually track issues or they fail to maintain control over risk. In addition, it is a
requirement to maintain evidence in relation to the operation of these controls for audit and external
compliance purposes.

The previous article provided an overview of how COBIT provides the framework for enabling the various
standards and processes required to maintain these systems to be implemented and operated. This
follow-up article discusses implementing security within the context of operating ITSM and infrastructure
management systems.

COBIT 5 provides a recognised umbrella framework which helps to organise and structure how other
frameworks and concepts such as the IT Infrastructure Library (ITIL), ISO/IEC 27001 and SANS Critical
Security Controls can be orchestrated. The 2 main concepts in COBIT that are leveraged within this
model are:

IT Governance Maturity Model to prioritise measures for implementation of controls


Control embedment techniques based around the responsible, accountable, consulted and informed (RACI)
matrix
Process orchestration as implemented by leading vendors such as SAP and Serena refers to the idea of
facilitating the connection of different processes across the organisation so they can operate without
manual handoffs, which introduce opportunities for errors, oversights and/or gaps in the audit trail.

Process orchestration, therefore, provides benefits related to efficiency as well as higher levels of
protection owing to the automation of monitoring activities, escalation and alert processes on which
secure systems rely to provide continuous protection.

The design of an ISMS is defined by ISO 27001, particularly the governance concepts defined in the
initial section of the standard. It is an objective-driven approach linked to optional control statements that
organisations can adapt using a risk assessment basis to achieve those objectives.

The SANS Critical Security Controls provide an alternative view of priorities based around security
processes, focussing on the prevention of high-risk reported vulnerabilities. These are summarised
in figure 2, which shows a cross-reference of the SANS controls to ITSM processes (figure 1) such as
Configuration/Change Management using techniques such as workflow automation, notification and
escalation to effectively identify and manage security events. This depiction makes clear the criticality of
managing control over the configuration of all aspects of the infrastructure, software, processes and
personnel to achieve effective security.
Figure 1Configuration Management Process

Source: John Frisken. Reprinted with permission.

Figure 2SANS Critical Controls for Information Security


SANS Critical Control Configuration Automation Notification Escalation
Management
1 Inventory of Authorized and
Unauthorized Devices

2 Inventory of Authorized and


Unauthorized Software

3 Secure Configurations for


Hardware and Software on
Laptops, Workstations, and
Servers

4 Secure Configurations for


Network Devices such as
Firewalls, Routers, and Switches

5 Boundary Defense

6 Maintenance, Monitoring, and


Analysis of Audit Logs

7 Application Software Security

8 Controlled Use of
Administrative Privileges

9 Controlled Access Based on


Need to Know

10 Continuous Vulnerability
Assessment and Remediation

11 Account Monitoring and


Control

12 Malware Defenses

13 Limitation and Control of


Network Ports, Protocols, and
Services

14 Wireless Device Control

15 Data Loss Prevention

16 Secure Network Engineering

17 Penetration Tests and Red


Team Exercises

18 Incident Response Capability

19 Data Recovery Capability

20 Security Skills Assessment and


Appropriate Training to Fill
Gaps
Source: John Frisken. Reprinted with permission.

An additional complication is that within modern ITSM systems, capturing configuration data in a single
physical configuration management database is often impossible for a range of technical and political
reasons. For this reason, a federated configuration management database (CMDB) has evolved to meet
this need.

Achieving a unified workflow design in such an environment requires a clear understanding of how a
federated configuration management system (CMS or CMDB) would be implemented and how workflow
would operate within it to manage it. Where the underlying information is physically stored in several
databases, various application programming interfaces (API) or XML Web Services are required to
automate the update of this information in the various organisational repositories.

Figure 3 shows the concept of a modern configuration management system architected as a virtual or
extended CMDB.
Figure 3Federated Configuration Management System (Also Known as Virtual CMDB)

Source: John Frisken. Reprinted with permission


Figure 4 shows the outline of the ITIL Configuration Management Model and how it allows for a process-
based integration of ITIL and ISO 27001 information security processes.

Figure 4ITIL Configuration Management Model

View Large Graphic


Source: John Frisken. Reprinted with permission.

Given the centrality of configuration and change management to effective information security
management, operational involvement from the information security function in the following activities
should be considered a minimum:

Update of CMDB configuration items based on approved change management documentation. This would
include secure-build identifiers for server and workstation images, specifications of configuration items (CIs)
for managed network appliances such as firewalls and routers, and software release versions for
applications on each server.
Processing of requests for new or changed application privileges within the organisations applications.
Access privileges may relate to either the application functionality or the underlying database.
Update of privileged access to operating systems, including Citrix, Windows and Unix.
Notification of high-risk monitoring alerts to permit timely intervention to avert possible attacks or failures.
Notification of changes to secure configurations that have not been authorised. This is achieved by
automated examination of all images to an approved image and raising alerts for inconsistencies.
Notifications where unapproved hardware is attached to the network (approved hardware means recorded
within the CMDB)
Notifications where unapproved software is added to a server
Notifications where changes are made to configurations of network devices
Scheduling of regular calendar reviews, meetings or other actions to be initiated as a result of critical
incidents or identified risk

Finally, the design of the ISMS which would integrate and control these types of activities is shown
in figure 5. This integrates and co-ordinates all aspects of the security functions integration with ITSM in
order to operationalise a system that would be capable of implementing and managing a security system
implementing the control processes as envisaged by the SANS Critical Security Controls.

Figure 5ISMS ArchitectureOperations View

View Large Graphic


Source: John Frisken. Reprinted with permission.

Conclusion
The strength of the COBIT framework is its business-focused framework and pragmatic tools for the
alignment of policy down to detailed controls embedment. By utilising COBIT, any company is able to
integrate a range of standards and concepts to achieve a much more refined approach to security than
would be possible if considering any single standard on its own. In the opinion of this author, this will
become the core strength and most compelling reason for the use of the COBIT framework in the future.

Authors Note
This case study has been developed based on a real client situation in Australia. The name of the
organisation and some other identifying information have been removed. All material is either owned by
Information Systems Group Pty Limited or used with permission.
John Frisken, CISA, CA
Is an application development specialist with a distinguished career in professional practice with Ernst &
Young and, subsequently, as founder and owner of the Information Systems Group, an international
systems integration and applications development company headquartered in Sydney, New South Wales,
Australia. Since establishing ISG in 1996, Frisken has overseen the development of ISGs services
through delivery of complex applications leveraging advanced messaging and secure platform
technologies in NSW Health and Toyota Motor Corporation. He currently serves as ISGs director of
professional services.
Leveraging COBIT to Implement Information
Security (Part 3)
By John Frisken, CISA, CA
COBIT Focus | 31 August 2015
This article is a continuation of the article originally published 4 May 2015 called
Leveraging COBIT to Implement Information Security. Part 1 covered how COBIT 5 can
be used to establish the overall framework for the collaboration of technical standards
such as the IT Infrastructure Library (ITIL), ISO/IEC 27001 and SANS Critical Security
Controls. Part 2 focussed on using COBIT to implement information security process
controls within an ITIL system to provide protection envisaged by SANS Critical Security
Controls. Part 3 looks at how to implement an information security management system (ISMS)
governance framework and enable tools to manage the security program.

The implementation of an ISMS is designed to assist in the management of the large number of activities
that need to be coordinated, recorded and followed up to maintain security. In the context discussed here,
it is envisaged that controls within the system are selected by management on a risk-assessed basis to
address the perceived threats to the security of the organisations core business processes. Once
selected, the ISMS is the basis for collecting evidence for operation and reviewing the efficacy of the
implementation on an ongoing basis as part of the security forum. The forum is created by senior
management, typically the chief executive officer (CEO), as a collaborative round table where managers
from IT security, IT, human resources (HR) and major business functions can come together to make
decisions on the basis of regular reporting from the system.

Figure 1 provides a snapshot of what a typical ISMS may look like for a specific control objective; in this
example, the objective is access control. This example uses ISO 27001 as the control objectives
framework; however, conceptually, any other control framework, including COBIT, could be used as long
as it is suitable, a judgement that management, IT security and internal audit need to make. In the ISMS
presented in this example the COBIT Responsible, Accountable, Consulted, Informed (RACI) Matrix is
used (refer to section E in figure 1) as a technique for designing and embedding controls around the
business process (refer to section B in figure 1). This fact means that it would be quite normal to borrow
many features from COBIT when considering the design and implementation of the security controls
within the information security master plan, the key document coordinating the policies, controls, work
instructions and forms (refer to sections C and D in figure 1) for addressing information security.

Figure 1Information Security Management System Overview


View Large Graphic
Source: John Frisken. Reprinted with permission.

Another key aspect of this ISMS is the internal workflow of accountability and review (refer to section A
in figure 1) that occurs as part of the operation of the ISMS. This is based on the Plan-Do-Check-Act
(PDCA) model and refers to documenting who needs to be involved in the operation of the selected
controls. This is important, because controls do not operate in isolation within organisationssomeone
needs to ensure they are working and be accountable if they do not work, ensuring that the gap is
addressed. In this example, the organisation has selected information security agreements (similar to
service level agreements [SLAs] as used in ITIL) to summarise the responsibilities of each key manager
within the organisation to ensure that they are fully informed about how they are required to participate to
maintain security within the organisation. These individuals will have a representative on the forum, and
therefore, they will have a voice about how well this process is working.

Having outlined how the ISMS is designed to work, the questions arise as to how this is practically
implemented as part of the organisations management systems, how people are trained and motivated to
operate the controls, and where the evidence for the operation of the controls is kept. These are a few of
the questions that senior managers have asked over the years with regard to operating an ISMS.

The author was advising an organisation that operated critical national infrastructure. In this organisation,
the managers were aware of the need for information security (it was self-evident given its prominent role
in society), but there was concern about the costs and efficiency of operating a major system to address
such a singular focus. It was this challenge that resulted in the author working with senior management to
find an alternative to maintaining massive spreadsheets for documenting who was doing what and where
the evidence was maintained. Through this process, the concept of the information security agreement
was developed, which became the main accountability document for evidencing the discharge of
managements information security responsibilities.

What was created was a set of activities that each manager was required to take responsibility for and
focus on implementing. Managers could maintain the evidence for the operation of the controls in
whatever way they believed was appropriate. This evidence provides the information security officer (as
well as the internal and external auditors) a point of reference for inspecting those controls as part of the
ongoing audits and reviews that the ISMS activities set out in the calendar. Issues discovered were then
recorded within the ISMS for follow-up and action and included in the formal forum reporting. Auditors
typically would review the forum reports and registers of the ISMS and focus their activities on key risk
and adverse findings that came to light during the operation of the ISMS. The objective of this exercise is
to optimise the operation of the system through the involvement of each of these functions in a structured
and managed way using the system.

The design of the information security organisation is shown in figure 2. This graphic shows the various
organisational personnel involved in carrying out information security and shows representative activities
and functions for each.
Figure 2Information Security Program (ISP) Overview

Source: John Frisken. Reprinted with permission.

The green boxes represent more general security activities that are undertaken by end users or their
representatives, depicted by the green stick persons.
The blue activities are those that require a more technical understanding of information security concepts
or technology generally. They are undertaken by information security or IT specialist personnel seconded
from IT or contracted to specialists.

The yellow activities are those undertaken by risk management or control specialists with an
understanding of the IT security vulnerabilities and control techniques. These activities are usually
undertaken by a dedicated information security officer or personnel seconded or contracted to him/her,
especially for the more specialised activities.

The red boxes are the checking or compliance activities that are involved in ensuring that the various
controls and processes have been appropriately implemented and are working effectively.

Having outlined how the security program operates (supported by the ISMS), decisions need to be made
about how these activities and systems are to be implemented. There are no right answers; however,
some answers are often found in how the organisation addresses other processes such as quality, safety,
occupational health and safety, incident management, or the US Sarbanes-Oxley Act of 2002 and other
legislated requirements that are often well supported with systems to manage policies, work instructions,
and the collection of evidence around deviations, noncompliance and corrective action.

Many aspects of the operation of the information security controls and processes can be automated using
specialised tools (refer to Part 2 of this series of articles). This releases personnel from activities
associated with doing controls and allows them to focus on higher-value activities associated with
review/enforcement, consultation/advice and training.

The inclusion of project managers and architects as key roles within information security is because
security begins at project conception and must be built into the designit is not an afterthought.

Methods such as the Comprehensive, Lightweight Application Security Process (CLASP) by the Open
Web Application Security Project (OWASP), Sherwood Applied Business Security Architecture (SABSA),
or COBIT 5 for Information Security by ISACA are all powerful open source frameworks that describe how
to build security in as part of application life cycle management (ALM) to provide reliable and secure
applications that continuously conform to the outcomes required by users and stakeholders throughout
their life. Figure 4 sets out a high-level overview of CLASP design security in design principles that guide
organisations in how to build in security, step 2 of the security planning process described in figure 3.

Figure 3Information Security Involvement in the Systems Development Planning Process


Source: John Frisken. Reprinted with permission

Figure 4Developing Information Security Requirements


Source: John Frisken. Adapted from CLASP version 2.0., OWASP, March 2006. Reprinted with permission.

The final point to make is that given the importance of information security during the design and
construction phases, considering information security as a cross-domain function operating as a core
program management office (PMO) advisory team is a powerful way to ensure that information security is
well understood and the security team is kept informed of corporate plans and strategies.

Conclusion
COBIT facilitates the development of the governance framework within which the information security
function makes assessments around risk and priorities for information security, permitting multiple
technical standards to operate within the organisation. In the design of the controls and their embeding
within the organisation, COBITs RACI techniques allow for controls to be designed taking into account
requirements from multiple standards and implemented within a cohesive framework for ongoing review
and enforcement.

Authors Note
This case study has been developed based on a real client situation in Australia. The name of the
organisation and some other identifying information have been removed. All material is either owned by
Information Systems Group Pty Limited or used with permission.

John Frisken, CISA, CA


Is an application development specialist with a distinguished career in professional practice with Ernst &
Young and, subsequently, as founder and owner of the Information Systems Group, an international
systems integration and applications development company headquartered in Sydney, New South Wales,
Australia. Since establishing ISG in 1996, Frisken has overseen the development of ISGs services
through delivery of complex applications leveraging advanced messaging and secure platform
technologies in NSW Health and Toyota Motor Corporation. He currently serves as ISGs director of
professional services.
Leveraging COBIT to Implement Information
Security (Part 4)
By John Frisken, CISA, CA
COBIT Focus | 5 October
This article is the final article of a 4-part Leveraging COBIT to Implement Information
Security series. Part 1 covered how COBIT 5 can be used to establish the overall
framework for the collaboration of technical standards such as the IT Infrastructure
Library (ITIL), ISO/IEC 27001and SANS Critical Security Controls (SANS Top 20). Part
2 focused on using COBIT to implement information security process controls within an
ITIL system to provide protection envisaged by SANS Top 20. Part 3 outlined how to
implement the Information Security Management System (ISMS) governance framework and enabling
tools to manage the security programme. This article shows how the requirements for certification of the
ISMS framework can be satisfied by using the approaches outlined in this 4-part series.

An ISMS can be implemented according to the methods and techniques set out in ISO 27001 simply to
obtain the best practice benefits established within the standard. Certification of the ISMS is an optional
step designed to allow an organisation to demonstrate to third parties that its ISMS does, in fact, meet
these best practices for management of information security.

The story outlined in this series of articles started when the IT operations director of a major Australian
utility company contacted the author to discuss how the requirements of ISO 27001, which were a
requirement for the organisation, could be met efficiently without imposing high costs on the organisation,
particularly with regard to evidence collection and storage. The system that was designed went even
further than this and simplified the entire process of certification, making the certification process
straightforward for both the organisations management and the certifiers.

The story outlined in this series of articles started when


the IT operations director of a major Australian utility
company contacted the author to discuss how the
requirements of ISO 27001could be met efficiently
without imposing high costs on the organisation

Figure 1 provides a snapshot of what typical ISO 27001 implementation processes may look like for a
specific business process. The certification scope of this organisation had been determined as the core
business processes on which the business relied to operate and deliver services to its customers. Within
each of these business processes there were, in turn, controls over how information was handled
(including both storage and communication). For each business application within the scope of
certification, a risk assessment was conducted that established the key risk and controls relevant for that
application. On the basis of this risk assessment, management was required to implement and maintain
ongoing evidence for the operation of these controls within the application.

Figure 1ISO 27001 Controls Implementation Process Overview (Expanded View)

Source: John Frisken. Reprinted with permission.

The certifiers would go through and sample that, in fact, the controls were in place and effective. Within
the certification obtained for this organisation, the certification obtained was for the operation of the
management system itself rather than the individual controls. Therefore, the evidence required was that
the governance controls (including the ISMS) was operating rather than each of the 133 individual
controls. The rationale for this approach was that if these governance controls are working, then this will
provide the required assurance that the operational controls being managed by the ISMS will be put in
place, managed and monitored accordingly.

In order to anchor the process and establish a basis for referencing control implementation and operation
within the ISMS, each manager agreed to and signed an Information Security Agreement (ISA) which
contained the relevant controls identified within the ISO 27001 Statement of Applicability (SOA)
applicable within their business process. The ISA overview and its role within the operation of the ISMS
are depicted in figure 2. In this example, internal audit verifies the operation of the ISAs, although this
could be outsourced to a third-party organisation if the internal audit section did not feel it had the
required competencies to assess the controls.

Figure 2Operation of the Information Security Agreement Process Within an Organisation


Source: John Frisken. Reprinted with permission.

In this example, ISO 27002 is used as the control objectives framework; however, conceptually, any other
control framework, including COBIT, could be used as long as it was suitable, a judgement that
management, IT security and internal audit need to make. Refer to Part 3 for a more in-depth discussion
of the ISMS.

During the initial certification meetings, the auditors are likely to focus on the initial risk assessments
performed by the organisation and how these have been used to implement treatments for any
deficiencies identified during the risk assessment. Following a process similar to that outlined in figure 1,
the results should be stored in a manner that can be readily maintained over time, preferably in a simple
database application. However, a spreadsheet will suffice during the initial data collection.

The Information Security Controls Master Plan provides the details required for the SOA in the
certification process, and in the certification example set out here, the Information Security Controls
Master Plan was simply adapted to present the view required by the certifiers.

The Information Security Controls Master Plan is the basis on which the organisation carries out its duty
of care to protect information from unauthorised or accidental modification, loss, release, or impact upon
the safety and wellbeing of individuals. The plan outlines the Information Security Programme and how
management implements controls in order to ensure:

The effectiveness and efficiency of services and business operations that rely on information
The protection of the organisations commercial interests and information assets that manage this
information

Specifically, information plays a vital role in supporting business processes and customer services, in
contributing to operational and strategic business decisions, and in conforming to legal and statutory
requirements. Accordingly, information must be protected to a level commensurate with its value to the
organisation as well as any legal requirement.

The Information Security Controls Master Plan describes the broad framework within which all enterprise
controls over information are implemented via the ISMS. The starting point for this is the alignment of
current practices against existing policies, within a Threat Risk Assessment Matrix (TRAM).

A high-level view of the ISMS is shown in figure 3. This graphic was discussed in more depth in Part 2 of
this series. It is shown here since it is important in understanding the various components of the ISMS
required to support a certified ISMS. The key area of focus is on the ISMS registers and the ISMS
reporting engines, particularly as they link into the wider information flows within the overall organisation.
These are briefly discussed here:

Information security responsibility statementsStatements embodied within the ISA detailing the
roles within the organisation responsible for managing each of the business, IT and information security
controls identified as required by the organisations risk assessment

Information security policies and guidelinesThe formalised policies and work instructions developed
describing how each of the required controls are required to be implemented and maintained. These are
derived from the 15 Information Security Operational Management Statements addressing each of the
required ISO 27001 control domains identified within the standard.

Deviation registerA record of all approvals granted for exceptions from organisational information
security policies

Corrective action requestsA record of all identified security control deficiencies identified during the
ISMS security review or security incident investigations together with recommended corrective actions

Security training registerA listing of all personnel who have undertaken security-related training
courses applicable for their roles and positions in the organisation. This register may be used as the basis
for follow-up and review of the efficacy of training conducted.

Information security work requestsA register of all requests to perform reviews or undertake work in
relation to management of information security within the organisation. These are listed on the information
security calendar of individuals who are involved in the conduct of the work or review of reports.

Security incident and event registerA register of all incidents brought to the attention of information
security, details of how the incidents were responded to and recommendations for improvements
following post-event briefings.

Risk and issues registerRegisters for risk and issues noted during reviews or brought to the attention
of the information security officer. Issues may start as risk and become issues for treatment, or issues
raised could become risk.

Forum reportsEach month a report is published and distributed for tabling at the Information Security
Forum related to reviews performed, reports issued, risk and issues raised, or security incidents during
the past month. These are discussed as a basis for agreeing and confirming the scope of the information
security functions operation.

Figure 3Information Security Management System Operations View (Expanded View)


Source: John Frisken. Reprinted with permission.

The work flow technologies, calendar management function, and knowledge base for information security
are depicted at the bottom, right-hand corner of figure 4. These can take many forms, but workflow
automation is an essential concept in the implementation of mature IT service management and ISMS
solutions, as is the concept of management of a programme of work. Accordingly, workflow-enabled
program and project management systems are seen as the ideal platform for managing the program and
automating monthly compliance and key performance indicator (KPI) reporting.

Figure 4Information Security Systems Domain (Expanded View)


Source: John Frisken. Reprinted with permission.

The following activities are envisaged as being supported by the workflow:

Update of the configuration management database (CMDB) configuration items based on approved change
management documentation. This would include secure-build identifiers for server and workstation images,
specifications of configuration items (CIs) for managed network appliances such as firewalls and routers,
and software release versions for applications on each server.
Processing of requests for new or changed application privileges within the corporate enterprise resource
planning (ERP) and other applications. Access privileges may relate to either the application functionality or
the underlying database access.
Update of privileged access to operating systems and utilities
Notification of high-risk monitoring alerts to permit timely intervention to avert possible attacks or failures
Notification of changes to secure configurations that have not been authorised. This is achieved by
automated examination of all images to an approved image and raising alerts for inconsistencies.
Notifications where unapproved hardware is attached to the network (approved hardware means recorded
within the CMDB)
Notifications where unapproved software is added to the server
Notifications where changes are made to configurations of network devices
Scheduling of regular calendar reviews, meetings or other actions to be initiated and follow-up reminders if
action is not completed within specified time frames for each type of action.

Certification by a provider will focus on ensuring that the ISMS is operating and the resulting management
capability it provides is starting to be evidenced in the form of better security outcomes for the
organisation. Adopting a model like that presented in this series of articles not only makes this process
practical, but also provides a rich source of evidence and metadata around security matters that the
auditors can use as a basis for issuing their certificate.

In many organisations where multiple certifications are in place, the organisation ought to consider the
benefits of integrated certifications using common processes and technologies to manage these. This
makes it simpler for individuals who are required to operate more than one certification domain, e.g.,
quality (ISO 9000), IT service management (ITSM) (ISO 20000), information security (ISO 27001), and
risk management (ISO 31000).

In an environment such as health care or banking, all and possibly more standards will be in place. A
consistent approach and set of technologies will provide significant cost reductions for the organisation
and simplify the process for training of personnel and certification, especially where personnel are
involved with operating more than one management system.

Conclusion
COBIT facilitates the development of the governance framework within which the information security
function makes assessments around risk and priorities for information security, permitting multiple
technical standards to operate within the organisation. In the design of the controls and their embedment
within the organisation, COBITs Responsible, Accountable, Consulted, Informed (RACI) techniques allow
for controls to be designed taking into account requirements from multiple standards and implemented
within a cohesive framework for ongoing review and enforcement.

This has been a high-level summary of the issues involved in the use of COBIT for implementing
information security within an organisation. Review of the entire series (4 articles) is recommended to
gain a thorough and holistic view of the concepts.

Authors Note
This case study has been developed based on a real client situation in Australia. The names of the
organisations and some other identifying information have been removed. All material is either owned by
Information Systems Group Pty Limited or used with permission.

John Frisken, CISA, CA


Is an information security and application development specialist with a distinguished career in
professional practice with Ernst & Young and, subsequently, as founder and owner of the Information
Systems Group, an international security consulting, systems integration and secure development
company headquartered in Sydney, New South Wales, Australia. Since establishing ISG in 1996, Frisken
has overseen the delivery of ISGs services including ISMS implementation projects for many large public
sector, judicial and utility organisations in Australia, and development of complex applications leveraging
advanced messaging and secure platform technologies. He is a member of ISACA, the Institute of
Chartered Accountants in Australia, and the Australian Information Security Association. Frisken led the
adaption of the COBIT framework into the IFAC Delivery and Support Standards which are aimed at
explaining the application of the framework within a business context. He currently serves as ISGs
director of professional services.