Professional Documents
Culture Documents
P
rotecting enterprises from malicious code to understand which processes and controls can
and software requires that governance help address conflicts between various IT entities
and cybersecurity practitioners take a and business departments, and service delivery
comprehensive approach. Many people problems related to IT outsourcing.
believe that governance, risk and compliance (GRC) is
a path to cybersecurity. Others believe that GRC is a The COBIT goals cascade (figure 1) and design
part of cybersecurity. However, based on 56 years of factors are helpful in assessing an enterprise’s
scientific research in audit, expertise theory, schema current and future state with respect to reducing
theory, judgment and decision-making (JDM), and
human capital theory, it is clear that governance
professionals should leverage design factors such as
enterprise strategy, enterprise goals, risk profile and
current IT issues (pain points) to determine which
cybersecurity practices and controls are necessary
rather than aligning governance to cybersecurity
practices that might not be warranted. In other
words, without inherent risk, there is no need for
cybersecurity practices, frameworks or tools.
Strategies for Addressing Malicious BLAKE CURTIS | SC.D, CISA, CRISC, CISM, CGEIT, CDPSE, COBIT 2019
Code From the Strategic Level FOUNDATION, DESIGN AND IMPLEMENTATION, CISSP, NIST CSF
Risk must be communicated from the board level
Is a cybersecurity governance advisor with more than 13 years of
in business terms that stress the importance of
experience in engineering, networking, virtualization and IT service
implementing and maintaining detective, preventive
management. He creates global information assurance programs for the
and corrective controls via security baselines
government, commercial, international and healthcare sectors. Currently,
(benchmarks), patch management, endpoint
he assesses various aspects and latitudes of risk and audits information
detection/response and virus control. To accomplish
systems to assure compliance with applicable state, federal and regulatory
these aims, GRC professionals need to understand
requirements. In addition, he leverages a comprehensive amalgamation
the enterprise’s strategy (business plan) and vision
of cybersecurity, governance and control frameworks to develop tailored
and identify which enterprise archetype the business
assurance programs for enterprises. Curtis is also a research scientist who
has chosen to adopt. Conducting a risk assessment
specializes in quantitative correlational research, measuring cybersecurity
at the strategic level to evaluate which portfolio
expertise, task performance and technical competency for IT; governance,
items are at the greatest risk helps the assessor
risk and compliance; and cybersecurity professionals. He also mentors
understand which governance and management
students and advises on strategies to help them earn their master’s degree
objectives are ideal for reducing risk to acceptable
in cybersecurity or pass difficult IT certification exams. He can be reached
levels. Identifying the organization’s current IT
at www.linkedin.com/in/reginaldblakecurtis/.
issues (pain points) enables GRC professionals
1. Understand
2. Determine
the initial 3. Refine the 4. Conclude the
Leveraging Strategies and Goals
the enterprise scope of the
context and
scope of the
governance governance
governance
system design.
to Meet Governance and
strategy. system.
system. Management Objectives
Enterprise goals can be identified using a
• 1.1 Understand enterprise • 2.1 Consider enterprise • 3.1 Consider the threat • 4.1 Resolve inherent priority questionnaire or survey. For this example, consider
strategy. strategy. landscape. conflicts.
• 1.2 Understand enterprise • 2.2 Consider enterprise • 3.2 Consider compliance • 4.2 Conclude the a mature yet risk-averse organization that not only
goals. goals and apply the requirements. governance system
• 1.3 Understand the risk COBIT goals cascade. • 3.3 Consider the role of IT. design. is focused on growth and acquisition, but also
profile. • 2.3 Consider the risk profile • 3.4 Consider the sourcing
• 1.4 Understand current of the enterprise. model. wants to minimize business risk. In this case, the
I&T-related issues. • 2.4 Consider current • 3.5 Consider IT
I&T-related issues. implementation methods. COBIT framework recommends governance and
• 3.6 Consider the IT adoption
strategy. management objectives, as shown in figure 3, and
• 3.7 Consider enterprise size.
indicates how to rank them by importance.
Source: ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018, https://www.isaca.org/
resources/cobit. Reprinted with permission.
2 ISACA JOURNAL VOLUME 3 | 2022 © 2022 ISACA. All rights reserved. www.isaca.org
The goals cascade process can be used to map only frameworks that stresses the importance of its
enterprise goals (EG) to their corresponding IT components (enablers) to implement and maintain
alignment goals (AG). The AGs are then used to processes (controls). As shown in figure 5, processes
identify their related governance and management are the practices and activities (also known as security
objectives and processes (controls). Mapping controls in other frameworks) that organizations
AG01, AG02, AG05, AG07 and AG11 generates leverage to meet specific objectives by implementing
approximately 35 unique governance and safeguards and countermeasures. The organizational
management objectives, including Deliver, Service structures represent the responsible, accountable,
and Support (DSS). For this example, it is helpful to consulted and informed (RACI) parties for a given
focus on only one—in this case, DSS05 Managed objective and its components.
Security Services—to understand how to map it
to MITRE (figure 4). However, it is important to Organizations must consider the following questions:
note that the alignment goals shown in the second
• Who is responsible for the implementation of the
column of figure 4 will map to many governance
process or control?
and management objectives.
• Who is accountable for the overall maturity of the
process or control?
Mapping DSS05 Processes to
• Who has expertise in the relevant domain, and who
Industry Control Frameworks
should be consulted for additional perspective?
Governance and management objectives comprise
• Which individuals are directly or indirectly impacted
more than processes (controls). COBIT is one of the
by the process or control?
FIGURE 3
Goals Cascade: Enterprise Goals to IT Alignment Goals
Enterprise
Design Factor Goal Description BSC Dimension IT Alignment Goal Description IT BSC Dimension
AG01 I&T compliance and support Financial
for business compliance with
external laws and regulations
AG02 Managed I&T-related risk Financial
EG02 Managed business risk Financial AG07 Security of information, Internal
processing infrastructure and
applications, and privacy
AG11 I&T compliance with internal Internal
DF2: Enterprise Goals policies
AG02 Managed I&T-related risk Financial
Source: ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018, https://www.isaca.org/resources/cobit. Reprinted with permission.
FIGURE 4
DSS05 Managed Security Services Example
IT Alignment Description BSC Governance/Manag
Design Factor Goal Description Priority
ement Objective
AG02 Managed I&T-related risk
DF2: Enterprise Goals AG07 Security of information, processing DSS05 Managed security services Primary
infrastructure and applications and
privacy
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018, https://www.isaca.org/resources/cobit.
Reprinted with permission.
© 2022 ISACA. All rights reserved. www.isaca.org VOLUME 3 | 2022 ISACA JOURNAL 3
FIGURE 5
DSS05 Component Processes
COBIT Components of a
Governance System (Controls) of Managed Security
Services
The goals of DSS05 Managed Security Services
Processes are to “maintain the level of information security
risk acceptable to the enterprise in accordance
Services,
Infrastructure Organizational with the security policy” and to “establish and
and Structures maintain information security roles and access
Applications
privileges.” 3 These objectives are achieved through
its component processes:
Governance
People, Skills System Principles, • DSS05.01 Protect against malicious software.
and Policies,
Competencies Procedures • DSS05.02 Manage network and connectivity security.
• DSS05.03 Manage endpoint security.
• DSS05.04 Manage user identity and logical access.
Culture, Ethics
and Information • DSS05.05 Manage physical access to IT assets.
Behavior
• DSS05.06 Manage sensitive documents and
output devices.
Source: ISACA, COBIT® 2019 Framework: Introduction and Methodology,
USA, 2018, https://www.isaca.org/resources/cobit. Reprinted with permission.
• DSS05.07 Monitor the infrastructure for security-
related events.
4 ISACA JOURNAL VOLUME 3 | 2022 © 2022 ISACA. All rights reserved. www.isaca.org
communities can utilize this framework to optimize
their existing audit and assurance programs.
GRC professionals can help enterprises
In this example, only one of the seven processes— create bridges between the IT audit, GRC and
DSS05.01 Protect against malicious software—is
mapped to MITRE so that the risk can be articulated cybersecurity communities.
from the attacker’s perspective. DSS05.01 focuses
on identifying malicious code and ensuring that
the organization monitors its assets for security
• M1034 Limit Hardware Installation:
events and verifies that the appropriate safeguards
‒ Examples of associated techniques—T1200
and countermeasures are in place. Figure 6 shows
Hardware Additions, T1091 Replication Through
examples of MITRE mitigations for addressing
Removable Media
malicious code.4
FIGURE 6
MITRE Mitigations Example
Mitigation ID Mitigation Name Mitigation Description
M1048 Application Isolation and Sandboxing Restrict execution of code to a virtual environment on
or in transit to an endpoint system.
M1049 Antivirus/Antimalware Use signatures or heuristics to detect malicious
software.
M1051 Update Software Perform regular software updates to mitigate
exploitation risk.
M1034 Limit Hardware Installation Block users or groups from installing or using
unapproved hardware on systems, including USB
devices.
© 2022 ISACA. All rights reserved. www.isaca.org VOLUME 3 | 2022 ISACA JOURNAL 5
Endnotes 6 International Organization for Standardization
(ISO)/International Electrotechnical Commission
1 ISACA®, COBIT® 2019 Framework: Governance and
(IEC), ISO/IEC 27001 Information Security
Management Objectives, USA, 2018,
Management, Switzerland, www.iso.org/
www.isaca.org/resources/cobit
isoiec-27001-information-security.html
2 MITRE ATT&CK, https://attack.mitre.org/
7 International Organization for Standardization
3 Op cit ISACA (ISO)/International Electrotechnical Commission
4 Center for Internet Security (CIS), CIS Controls (IEC), ISO/IEC 27002:2013 Information
Mapping to MITRE ATT&CK Enterprise Mitigations, Technology—Security Techniques—Code of Practice
2020, https://workbench.cisecurity.org/ for Information Security Controls, Switzerland,
5 MITRE Engenuity Center for Threat Informed October 2013, www.iso.org/standard/54533.html
Defense, National Institute of Standards and 8 Pylant, A.; “18 Is the New 20: CIS Critical Security
Technology (NIST) Special Publication (SP) 800- Controls v8 Is Here!” Center for Internet Security
53 Controls to ATT&CK Mappings, USA, 2022, (CIS), www.cisecurity.org/insights/blog/
https://ctid.mitre-engenuity.org/our-work/ 18-is-the-new-20-cis-controls-v8-is-here
nist-800-53-control-mappings/
6 ISACA JOURNAL VOLUME 3 | 2022 © 2022 ISACA. All rights reserved. www.isaca.org