WHY COBIT?
✓ IT is now critical to every business activity
✓ Success in business is mostly driven by planned and perfected business
processes.
✓ The same level of care is usually not given to IT in an organisation
• Poor IT-business relations
• Poor project delivery
Enablers – factors that individually and collectively influence whether something will work or not
PRINCIPLE 5 : SEPARATING GOVERNANCE FROM MANAGEMENT
✓ COBIT 5 makes a clear distinction between governance and
management.
✓ Due to the different sets of activities carried out
✓ Requires different org. structure
• Poor IT-business relations
objectives. ENABLER
1. Principles, policies and Frameworks
Organizational structures are key decision-making entities in an enterprise
• Data not compartmentalized
• Applications need standardization
• Lack of internal controls in applications
• Network not reliable at all locations
Critical Success Factors – most important tasks required
Measured by
Phase 2: Identify Infrastructure Vulnerabilities – During this phase, the analysis team conducts a
high-level review of its infrastructure and technology-related practices to refine the threat
profiles.
OCTAVE-S Processes
I. Process S3: Examine the Computing Infrastructure in Relation to Critical Assets – The
analysis team analyzes the access paths in the systems that support the critical assets
and determines how well their technology-related processes are protecting those assets.
Phase 3: Develop Security Strategy and Plans – During this phase, the risks to critical assets are
evaluated and an organizational protection strategy and risk mitigation plans are defined.
I. Process S4: Identify and Analyze Risks – The analysis team evaluates all active risks for
impact and, optionally, probability.
II. Process S5: Develop Protection Strategy and Mitigation Plans – The team develops an
organization-wide protection strategy and risk mitigation plans based on security
practices.
Selecting a method to implement
The OCTAVE Method is designed for an analysis team that has some
understanding of IT and security issues, employing an open, brainstorming
approach for gathering and analyzing information.
OCTAVE-S, on the other hand, is much more structured, with security concepts
embedded in its worksheets, allowing for their use by less experienced
practitioners.