Implementing the NIST Cybersecurity Framework Using COBIT 5: A Step-by-Step Guide for Your Enterprise
Abstract
In a time of growing threats and evolving circumstances, adopting and maintaining a robust cyber security profile in your enterprise is vital. Valuable information and assets must be protected, but the mission goes beyond that. An enterprise's cyber stance should fit into a larger, comprehensive structure for the governance and management of enterprise IT. In such a structure, with proper governance, risk and control (GRC) programs and supported by a thorough audit and assurance function, decisions are made and actions are taken to maximize value to the enterprise, accounting for the needs of all stakeholders and balancing risk and reward. Given this importance to enterprise strategy and results, cyber security as part of an entire GRC structure is no longer just a tech issue. It is the foundation upon which enterprise innovation and transformation take place.

To help organizations address cyber concerns, the National Institute of Standards and Technology (NIST) has developed a set of voluntary best practices. Still, every enterprise is different, creating unique challenges for implementation, especially as part of a comprehensive GRC program. In such a situation, the COBIT 5 governance framework has proved extremely valuable. This white paper outlines the steps for bringing your NIST cyber program under a COBIT 5 structure, thereby preparing your enterprise for value creation and laying the foundation for future innovation and business transformation.
Introduction
The governance and management of enterprise IT has taken on a new meaning with the rapid growth of cyber security and the multitude of best practices in the market. Given the complexity, it is no wonder that some enterprises continue to struggle with their efforts or take incomplete actions. Although there are some great approaches for a cyber security program, a critical success factor is ensuring that some key principles exist: meeting stakeholder needs, using a holistic approach, covering the complete enterprise and leveraging a single integrated framework. All of these principles lead toward the enterprise goal of providing value, proving that cyber security is not only an IT issue.

The approach taken by most enterprises is not enough. To be effective, security measures must be fully integrated into the enterprise architecture and GRC programs.

Cyber security attacks are growing more intense and harmful, and based on the increasing number of incidents over the last few years, they are likely to continue. These scenarios, coupled with an increasing threat to a nation's critical infrastructure, put cyber security protection very high on any enterprise priority list.
1 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology. February 12, 2014
FIGURE 2
Functions of the NIST CSF Framework Core

IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  Categories: Asset Management; Business Environment; Risk Assessment
PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  Categories: Access Control; Awareness and Training; Information Protection Processes and Procedures; Protective Technology
DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  Categories: Anomalies and Events; Security Continuous Monitoring
RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  Categories: Response Planning; Communications; Mitigation
RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  Categories: Recovery Planning; Improvements

SOURCE: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology. February 12, 2014
practice to use to achieve the associated outcome. These include specific COBIT 5, CIS Critical Security Controls, ISO/IEC 27001, NIST SP 800-53 and ISA 62443 references.

Adopting NIST
Regardless of the type of framework, adoption can typically be accomplished in one of two ways:
1. Adopting the framework gradually by starting small to create quick wins and building on initial successes to iterate deployments regularly
2. Using a big bang approach across the entire enterprise

Although the big bang approach can be a viable solution, depending on the situation, it is generally best to adopt option 1, the gradual approach. The NIST implementation approach is a nice fit with the COBIT 5 framework, because COBIT 5:
• Employs a principles-based structure
• Provides a holistic approach
• Has a phased, iterative implementation methodology
• Is used as an informative reference in the NIST CSF

Therefore, it is no surprise that COBIT 5 is a natural fit for adopting not only solid GRC practices, but also cyber security practices that are based on the NIST CSF. Figure 3 shows the alignment between the NIST CSF and the COBIT 5 implementation steps and principles.

Using a deployment methodology that is proven in the industry is paramount. Because the NIST CSF and COBIT 5 align nicely, it is a logical approach. Following are the steps of a typical enterprise implementation.
FIGURE 3
NIST CSF and COBIT 5 Implementation Alignment

NIST CSF step | COBIT 5 implementation phase | COBIT 5 principle
1. Prioritize and scope | 1. What are the drivers? | 1. Meeting stakeholder needs
NIST CSF STEP 1: Prioritize and scope
The purpose of this step is to obtain an understanding of the current approach to governance and cyber security in the enterprise and to identify key stakeholders, organizational mission, roles and responsibilities. This aligns with the COBIT 5 implementation phase What are the drivers? and the principle Meeting stakeholder needs.

Step 1 is also the right moment to conduct a Goals Cascade exercise (another feature of COBIT 5), which is a helpful and effective tool. The Goals Cascade is a series of mappings that allow an enterprise to link stakeholder needs with enterprise goals, IT-related goals and enabler goals. Figure 4 is a high-level description of the Goals Cascade.

NIST CSF STEPS 2 AND 3: Orient and Create a current profile
Now that the Goals Cascade is complete, the purpose of these two steps is to gain an understanding of the enterprise systems and assets that enable the mission described in Step 1, and to identify threats to, and vulnerabilities of, those systems and assets. These steps align with the COBIT 5 implementation Step 2, Where are we now?, and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

This is where the framework implementation tiers enter the equation. These are levels of implementation that can assist in the assessment and planning of cyber security activities. Tiers describe attributes to consider when completing the current profile and creating a target profile later on, and describe the implementation progression. These tiers also align well with the COBIT 5 process capability levels. Figure 5 shows the four tiers.

This step conducts a current-state assessment using the ISO/IEC 15504 approach to process capability. The COBIT 5 assessment methodology is used to complete the current profile, iterating through each subcategory and recording its current status on the ISO/IEC 15504 scale, from not achieved through partially and largely achieved to fully achieved. Therefore, a current profile can also be referred to as the current state. This is the key output of Step 3. The NIST CSF provides a template for this, as illustrated in figure 6.
FIGURE 4
COBIT 5 Goals Cascade

Stakeholder Drivers -> Stakeholder Needs -> Enterprise Goals -> IT-Related Goals -> Enabler Goals

SOURCE: COBIT 5, A Business Framework for the Governance and Management of Enterprise IT, ISACA
FIGURE 5
NIST CSF Implementation Tiers

Tier 4: Adaptive
  COBIT 5 process capability level: Level 4 (Predictable), Level 5 (Optimizing)
  Integrated risk management program: Organizational risk approach with situational awareness integrated into culture
  External participation: Active sharing with partners to proactively learn and benefit the community
Note: the NIST CSF implementation guidance uses a seven-step process that is iterative and flexible.

SOURCE: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology. February 12, 2014
FIGURE 6
NIST CSF Current Profile Template

Function | Category | Subcategory | COBIT 5 informative references
Identify (ID) | Asset Management (ID.AM) | ID.AM-1: Physical devices and systems within the organization are inventoried | BAI09.01, BAI09.02
Identify (ID) | Asset Management (ID.AM) | ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | APO01.02, DSS06.03
Identify (ID) | Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | ID.BE-1: The organization's role in the supply chain is identified and communicated | APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
Identify (ID) | Business Environment (ID.BE) | ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated | APO02.06, APO03.01
Identify (ID) | Business Environment (ID.BE) | ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | APO02.01, APO02.06, APO03.01
Identify (ID) | Business Environment (ID.BE) | ID.BE-4: Dependencies and critical functions for delivery of critical services are established |
Identify (ID) | Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-1: Organizational information security policy is established | APO01.03, EDM01.01, EDM01.02
Identify (ID) | Governance (ID.GV) | ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | APO13.12
Identify (ID) | Governance (ID.GV) | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | MEA03.01, MEA03.04
Identify (ID) | Governance (ID.GV) | ID.GV-4: Governance and risk management processes address cybersecurity risks | DSS04.02
In this sample template, each subcategory is linked to specific COBIT 5 practices. These subcategories can also be linked to the other industry references. Information about these specific COBIT 5 practices can be found in the COBIT 5: Enabling Processes guide.

NIST CSF STEPS 4 AND 5: Conduct a risk assessment and Create a target profile
The purpose of these two steps is to identify the overarching threats to, and vulnerabilities of, those systems and assets identified earlier, and to determine the likelihood and impact of a cyber security event. Completion of these steps results in a catalog of potential security risk and business impact assessment, a target capability level and a target profile. These two steps align with the COBIT 5 implementation step Where do we want to be? and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

NIST CSF STEP 6: Determine, analyze and prioritize gaps
In this step, the enterprise seeks to understand and document the actions required to close the gaps between the current and target state environments. This step is aligned with the COBIT 5 implementation step What needs to be done? and the COBIT 5 principles Covering the enterprise end to end and Applying a single integrated framework.

The enterprise records the differences between the current and desired states and uses COBIT 5: Enabling Processes to determine the practices and activities that need to be improved to close the gaps. In addition to the gaps, one must understand the resources and capabilities that are required to accomplish these efforts. This action plan of activities includes milestones, responsibilities and desired outcomes according to the set priorities. An action plan should include the following:
• Identification
• Description of how the achievement rating was determined
• Actions required to achieve the target state goals
• Resources required
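The gap analysis of Steps 3, 5 and 6 carried out in code, as an added example that is not part of the ISACA paper or of any NIST or ISACA tooling. It rates each subcategory of the Figure 6 template on the ISO/IEC 15504 scale (N, P, L, F) for both the current and the target profile, keeps only subcategories with an open gap, orders them by priority and gap width, and produces the four action-plan elements listed above. The ratings, the per-subcategory priority field (assumed to come from the Step 1 scoping) and the helper names gap, prioritize_gaps, practices_to_improve and action_plan are all assumptions of this example; the subcategory identifiers and COBIT 5 references are those of Figure 6.

```python
"""Step 6 gap analysis over a NIST CSF profile rated on the ISO/IEC 15504 scale.

Added example (not ISACA or NIST code). The subcategories and their COBIT 5
informative references come from the Figure 6 template; the ratings and the
priority field are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# ISO/IEC 15504 achievement ratings used by the COBIT 5 assessment methodology:
# N = not achieved, P = partially achieved, L = largely achieved, F = fully achieved.
RATING = {"N": 0, "P": 1, "L": 2, "F": 3}


@dataclass(frozen=True)
class Subcategory:
    id: str            # NIST CSF subcategory identifier, e.g. "ID.AM-1"
    outcome: str       # outcome statement (abridged from the template)
    practices: tuple   # COBIT 5 practices listed as informative references
    current: str       # rating recorded in the current profile (Step 3)
    target: str        # rating set in the target profile (Step 5)
    priority: int      # 1 = highest; assumed to come from the Step 1 scoping


def gap(sub: Subcategory) -> int:
    """Rating levels still to climb from current to target (0 when already met)."""
    for rating in (sub.current, sub.target):
        if rating not in RATING:
            raise ValueError(f"{sub.id}: unknown rating {rating!r}, expected one of N/P/L/F")
    return max(RATING[sub.target] - RATING[sub.current], 0)


def prioritize_gaps(profile):
    """Keep only subcategories with an open gap; highest priority first, then the
    widest gap, then the identifier so the order is stable."""
    return sorted((s for s in profile if gap(s) > 0),
                  key=lambda s: (s.priority, -gap(s), s.id))


def practices_to_improve(profile):
    """Invert the subcategory -> COBIT 5 practice mapping for the open gaps, so the
    work can be organised around the practices in COBIT 5: Enabling Processes.
    A practice shared by several open subcategories closes more than one gap."""
    by_practice = defaultdict(list)
    for sub in prioritize_gaps(profile):
        for practice in sub.practices:
            by_practice[practice].append(sub.id)
    return dict(sorted(by_practice.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def action_plan(profile):
    """One entry per open gap with the four elements the paper asks for:
    identification, how the rating was determined, actions and resources."""
    return [
        {
            "identification": f"{sub.id}: {sub.outcome}",
            "rating_basis": f"ISO/IEC 15504 rating {sub.current} now, {sub.target} targeted",
            "actions": [f"improve {p} until {sub.id} is rated {sub.target}" for p in sub.practices],
            "resources": {"practices": list(sub.practices), "priority": sub.priority},
        }
        for sub in prioritize_gaps(profile)
    ]


# Constructed sample profile built on the Figure 6 rows (ratings are made up).
SAMPLE_PROFILE = (
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried",
                ("BAI09.01", "BAI09.02"), "P", "F", 1),
    Subcategory("ID.AM-6", "Cybersecurity roles and responsibilities are established",
                ("APO01.02", "DSS06.03"), "L", "L", 2),
    Subcategory("ID.BE-1", "Role in the supply chain is identified and communicated",
                ("APO08.04", "APO08.05", "APO10.03", "APO10.04", "APO10.05"), "N", "L", 2),
    Subcategory("ID.BE-2", "Place in critical infrastructure and sector is identified",
                ("APO02.06", "APO03.01"), "L", "F", 3),
    Subcategory("ID.BE-3", "Priorities for mission, objectives and activities are set",
                ("APO02.01", "APO02.06", "APO03.01"), "P", "F", 1),
    Subcategory("ID.GV-1", "Organizational information security policy is established",
                ("APO01.03", "EDM01.01", "EDM01.02"), "F", "F", 1),
    Subcategory("ID.GV-3", "Legal and regulatory requirements are understood and managed",
                ("MEA03.01", "MEA03.04"), "L", "F", 2),
)

if __name__ == "__main__":
    for entry in action_plan(SAMPLE_PROFILE):
        print(entry["identification"], "|", entry["rating_basis"])
    for practice, subs in practices_to_improve(SAMPLE_PROFILE).items():
        print(f"{practice}: closes {', '.join(subs)}")
```

Two design points matter in practice. A subcategory rated above its target is reported as having no gap rather than a negative one, so over-achievement never displaces real gaps in the ordering; and the inverted practice view is what you take to COBIT 5: Enabling Processes, because a practice such as APO02.06 that appears under several open subcategories is the cheapest place to start.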
NIST CSF STEP 7: Implement action plan
The enterprise should consider the challenges, root causes and success factors from the COBIT 5 Implementation Guide, which include:
• Test the approach by making small improvements initially to provide some quick wins
• Involve all stakeholders
• Improve processes before attempting to apply automation
• Set clear, measurable goals and produce scorecards showing how performance is being measured
• Communicate in business impact terms

Using sound program and project management principles in this step is key. If this step is successful, the outcomes include operating procedures for implemented action items, performance reports and metrics.

NIST CSF STEP 8: CSF action plan review
The enterprise reviews the application of the improved governance and management practices, and confirms that the action plan delivered the expected benefits. This step is aligned with the COBIT 5 implementation step Did we get there? The enterprise assesses the activities from the implementation step to ensure that the improvements achieve the anticipated goals and risk management objectives. The enterprise documents the lessons learned and identifies any specific ongoing monitoring needs.

NIST CSF STEP 9: CSF lifecycle management
The purpose of this step is to provide ongoing review and assessment of the overall success of the initiative, identify further governance or management requirements, and support continual improvement. This step is aligned with the COBIT 5 implementation step How do we keep the momentum going?

Auditing and assurance
Having this single, integrated framework for the governance and management of enterprise IT and cyber security efforts clearly creates value for the enterprise; however, providing assurance for these efforts is just as critical. From a cyber security perspective, an audit provides management with an evaluation of the effectiveness of cyber security-related policies, the implementation of controls, and the achievement of process purposes. These can identify internal and external deficiencies that could potentially impact the enterprise's ability to meet its goals. Considering the three lines of defense model in figure 7, simply adopting the COBIT 5 and NIST frameworks can be linked to the first two lines of defense. Therefore, the third line of defense, the audit department, can provide an objective view of whether the frameworks' practices and activities are reliable, accurate and secure.
FIGURE 7
Three Lines of Defense Model Based on COBIT 5 for Risk
First line of defense: Operations
There are numerous programs available today that provide solid assurance models. Considering the topic of this paper, it makes sense to adopt an auditing program that focuses on the COBIT 5 and NIST frameworks. ISACA's IS Audit/Assurance Program for Cyber Security: Based on the NIST Cybersecurity Framework Audit Program provides control objectives, controls and testing steps based on the NIST CSF functions, categories, subcategories and informative references. Adopting the three lines of defense model, incorporated with solid processes and practices, truly provides a holistic approach that meets stakeholder needs. It is also an important part of the GRC foundation necessary for successfully undertaking enterprise innovation and transformation.
ISACA
ISACA (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000 engaged professionals in 188 countries. ISACA is the creator of the COBIT framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

Disclaimer
ISACA has designed and created Integrating COBIT 5 and the NIST Cybersecurity Frameworks (the Work) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
2017 ISACA. All rights reserved.

3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org
Provide feedback: www.isaca.org/NIST-COBIT5
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
ACKNOWLEDGMENTS
ISACA would like to recognize:
Robert Clyde
CISM, Clyde Consulting LLC, USA, Director
Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM,
CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA,
GCIH, GSNA, GCFA, Merck, Singapore, Director
Andre Pitkowski
CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA,
APIT Consultoria de Informatica Ltd., Brazil, Director
Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP, WhiteOps,
USA, Director
Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP,
BRM Holdich, Australia, Director
Tichaona Zororo
CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT |
Enterprise Governance (Pty) Ltd.,
South Africa, Director
Zubin Chagpar
CISA, CISM, PMP, Amazon Web Services,
UK, Director
Jeff Spivey
CRISC, CPP, Security Risk Management Inc.,
USA, Director
Robert E. Stroud
CGEIT, CRISC, Forrester Research,
USA, Past Chair
Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA,
Queensland Government, Australia, Past Chair
Greg Grocholski
CISA, SABIC, Saudi Arabia, Past Chair
Matt Loeb
CGEIT, FASAE, CAE, ISACA, USA, Director