Come join the discussion! Abbas K will respond to questions in the discussion area of the COBIT 5—
Use It Effectively topic beginning 24 January 2014.
Difficulty obtaining buy-in from senior management is a common complaint among information security professionals. However, at one
Middle East bank in Kuwait, the information security manager did not have that problem when implementing COBIT to define
the enterprise’s information security principles because senior management at the bank was already well aware of the
industry-accepted framework. As a result, his assessment report was quickly completed, quickly accepted and greatly
appreciated.
The organization uses many standards and frameworks, including ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and the IT Infrastructure Library (ITIL), and wanted to align its department processes and principles with a common framework that is highly flexible and adaptable, and has controls and processes in common with other industry frameworks. The organization found this in COBIT®, which in its latest edition—COBIT® 5—offers detailed mapping with other frameworks including International Organization for Standardization (ISO) standards, The Open Group Architecture Framework (TOGAF) and the Project Management Body of Knowledge (PMBOK).
No other framework provides such detailed mapping with various, industry-accepted standards. The bank has used COBIT 5 and COBIT® 5 for Information Security for a number of projects:
- The COBIT 5 Tool Kit was used to identify the statement of applicability (SOA) for each domain, along with the corresponding 37 processes and 210 practice statements.
- The COBIT 5 principles have been mapped to the information security department’s current processes with the objective of identifying any potential gaps. (See the Supporting Evidence column in figure 1 for the results of the mapping.)
- All gaps identified in the assessment were addressed based on the recommended guidelines for each of the practice statements.
These principles (figure 1) are generic and applicable to all enterprises and can be used as a basis for developing information
security principles unique to the enterprise.
Figure 1 (columns: Principle, Objective, Description, Status, Supporting Evidence)

Principle: Focus on the business.
Objective: Ensure that information security is integrated into essential business activities.
Description: Individuals within the information security community should forge relationships with business leaders and show how information security can complement key business and risk management processes. They should adopt an advisory approach to information security by supporting business objectives through resource allocation, programs and projects. High-level, enterprise-focused advice should be provided to protect information and help manage information risk both now and in the future.
Status: Implemented
Supporting Evidence: Information security strategy

Principle: Deliver quality and value to stakeholders.
Objective: Ensure that information security delivers value and meets business requirements.
Description: Internal and external stakeholders should be engaged through regular communication so that their changing requirements for information security can continue to be met. Promoting the value of information security (both financial and nonfinancial) helps to gain support for decision making, which can, in turn, help the success of the vision for information security.
Status: Implemented
Supporting Evidence: Information security strategy

Principle: Comply with relevant legal and regulatory requirements.
Objective: Ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
Description: Compliance obligations should be identified, translated into requirements specific to information security and communicated to all relevant individuals. The penalties associated with noncompliance should be clearly understood. Controls should be monitored, analyzed and brought up to date to meet new or updated legal or regulatory requirements.
Status: Implemented
Supporting Evidence: PCI compliance status, ISO 27001 compliance status

Principle: Provide timely and accurate information on information security performance.
Objective: Support business requirements and manage information risk.
Description: Requirements for providing information on information security performance should be clearly defined, supported by the most relevant and accurate information security metrics (such as compliance, incidents, control status and costs), and aligned to business objectives. Information should be captured in a periodic, consistent and rigorous manner so that the information remains accurate and results can be presented to meet the objectives of relevant stakeholders.
Status: Implemented
Supporting Evidence: Information security monthly management report

Principle: Act in a professional and ethical manner.
Objective: Ensure that information security-related activities are performed in a reliable, responsible and effective manner.
Description: Information security relies heavily on the ability of professionals within the industry to perform their roles responsibly and with a clear understanding of how their integrity has a direct impact on the information they are charged with protecting. Information security professionals need to be committed to a high standard of quality in their work while demonstrating consistent and ethical behavior and respect for business needs, other individuals and confidential (often personal) information.
Status: Implemented
Supporting Evidence: Background checks

Principle: Foster a positive information security culture.
Objective: Provide a positive information security influence on the behavior of end users, reduce the likelihood of information security incidents occurring, and limit their potential business impact.
Description: Emphasis should be placed on making information security a key part of business as usual, raising information security awareness among users, and ensuring that they have the skills required to protect critical or classified information and systems. Individuals should be made aware of the risk to information in their care and empowered to take the necessary steps to protect it.
Status: Implemented
Supporting Evidence: Information security governance committee (ISGC) meetings
Conclusion
The bank plans to continue using this assessment framework on an annual basis and as other projects warrant it. The latest version of COBIT is easy to understand and implement, particularly the tool kit, which provides all the information needed to use COBIT within the organization.