
Volume 1, January 2014

Come join the discussion! Abbas K will respond to questions in the discussion area of the COBIT 5—
Use It Effectively topic beginning 24 January 2014.

Middle East Bank Improves Information Security


By Abbas K, CISA, CISM, CGEIT, COBIT 5 (Foundation), CEH, C|CISO, PRINCE2
As a result of its initiative to improve information security with the help of COBIT, a Middle East bank realized several benefits,
including:
• Improved integration of information security within the organization
• Informed risk decisions and risk awareness
• Improved prevention, detection and recovery
• Reduced (impact of) information security incidents
• Enhanced support for innovation and competitiveness
• Improved management of costs related to the information security function
• Better understanding of information security

Difficulty obtaining buy-in from senior management is a common complaint among information security professionals. However, at
one bank in Kuwait, the information security manager did not have that problem when implementing COBIT to define the
enterprise’s information security principles, because senior management at the bank was already well aware of the
industry-accepted framework. As a result, his assessment report was quickly completed, quickly accepted and greatly
appreciated.

The organization uses many standards and frameworks, including ISO 27001, the Payment Card Industry Data Security
Standard (PCI DSS) and the IT Infrastructure Library (ITIL), and wanted to align its department processes and principles with
a common framework that is highly flexible and adaptable, and has controls and processes in common with other industry
frameworks. The organization found this in COBIT®, which in its latest edition—COBIT® 5—offers detailed mapping with other
frameworks including International Organization for Standardization (ISO) standards, The Open Group Architecture
Framework (TOGAF) and the Project Management Body of Knowledge (PMBOK).

No other framework provides such detailed mapping with various industry-accepted standards. The bank has used COBIT 5
and COBIT® 5 for Information Security for a number of projects:
• The COBIT 5 Tool Kit was used to identify the statement of applicability (SOA) for each domain, along with the
corresponding 37 processes and 210 practice statements.
• The COBIT 5 principles were mapped to the information security department’s current processes with the objective of
identifying any potential gaps. (See the Supporting Evidence entries in figure 1 for results of the mapping.)
• All gaps identified in the assessment were addressed based on the recommended guidelines for each of the practice
statements.

Information Security Principles


As outlined in COBIT 5 for Information Security, information security principles communicate the rules of the enterprise in
support of the governance objectives and enterprise values, as defined by the board and executive management. These
principles need to be:
• Limited in number
• Expressed in simple language and state, as clearly as possible, the core values of the enterprise

These principles (figure 1) are generic and applicable to all enterprises and can be used as a basis for developing information
security principles unique to the enterprise.

Figure 1—Bank’s Information Security Principles Based on COBIT 5

Each entry lists the principle, its objective, a description, the implementation status at the bank, and the supporting evidence.

1. Support the business.

Principle: Focus on the business.
Objective: Ensure that information security is integrated into essential business activities.
Description: Individuals within the information security community should forge relationships with business leaders and show how information security can complement key business and risk management processes. They should adopt an advisory approach to information security by supporting business objectives through resource allocation, programs and projects. High-level, enterprise-focused advice should be provided to protect information and help manage information risk both now and in the future.
Status: Implemented
Supporting evidence: Information security strategy

Principle: Deliver quality and value to stakeholders.
Objective: Ensure that information security delivers value and meets business requirements.
Description: Internal and external stakeholders should be engaged through regular communication so that their changing requirements for information security can continue to be met. Promoting the value of information security (both financial and nonfinancial) helps to gain support for decision making, which can, in turn, help the success of the vision for information security.
Status: Implemented
Supporting evidence: Information security strategy

Principle: Comply with relevant legal and regulatory requirements.
Objective: Ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
Description: Compliance obligations should be identified, translated into requirements specific to information security and communicated to all relevant individuals. The penalties associated with noncompliance should be clearly understood. Controls should be monitored, analyzed and brought up to date to meet new or updated legal or regulatory requirements.
Status: Implemented
Supporting evidence: PCI compliance status, ISO 27001 compliance status

Principle: Provide timely and accurate information on information security performance.
Objective: Support business requirements and manage information risk.
Description: Requirements for providing information on information security performance should be clearly defined, supported by the most relevant and accurate information security metrics (such as compliance, incidents, control status and costs), and aligned to business objectives. Information should be captured in a periodic, consistent and rigorous manner so that the information remains accurate and results can be presented to meet the objectives of relevant stakeholders.
Status: Implemented
Supporting evidence: Information security monthly management report

Principle: Evaluate current and future information threats.
Objective: Analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
Description: Major trends and specific information security threats should be categorized in a comprehensive, standard framework covering a wide range of topics such as political, legal, economic, sociocultural and technical issues. Individuals should share and build on their knowledge of upcoming threats to proactively address their causes, rather than just the symptoms.
Status: Implemented
Supporting evidence: Periodic security testing and review

Principle: Promote continuous improvement in information security.
Objective: Reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.
Description: Constantly changing organizational business models—coupled with evolving threats—require information security techniques to be adapted and their level of effectiveness improved on an ongoing basis. Knowledge of the latest information security techniques should be maintained by learning from incidents and liaising with independent research organizations.
Status: Implemented
Supporting evidence: Key performance indicators; monthly and annual management reports

2. Defend the business.

Principle: Adopt a risk-based approach.
Objective: Ensure that risk is treated in a consistent and effective manner.
Description: Options for addressing information risk should be reviewed so that informed, documented decisions are made about the treatment of risk. Risk treatment involves choosing one or more options, which typically include:
• Accepting risk (by a member of management signing off that he/she has accepted the risk and no further action is required)
• Avoiding risk (e.g., by deciding not to pursue a particular initiative)
• Transferring risk (e.g., by outsourcing or taking out insurance)
• Mitigating risk (typically by applying appropriate information security measures, e.g., access controls, network monitoring and incident management)
Status: Implemented
Supporting evidence: Information security management system (ISMS) and PCI compliance risk assessment

Principle: Protect classified information.
Objective: Prevent disclosure of classified (e.g., confidential or sensitive) information to unauthorized individuals.
Description: Information should be identified and then classified according to its level of confidentiality (e.g., secret, restricted, internal, public). Classified information should be protected accordingly throughout all stages of the information life cycle—from creation to destruction—using appropriate controls such as encryption and access restrictions.
Status: Implemented
Supporting evidence: Information security policy and standards

Principle: Concentrate on critical business applications.
Objective: Prioritize scarce information security resources by protecting the business applications on which an information security incident would have the greatest business impact.
Description: Understanding the business impact of a loss of integrity or availability of important information handled by business applications (processed, stored or transmitted) will help to establish the level of criticality. Information security resource requirements can then be determined and priority placed on protecting the applications that are most critical to the success of the organization.
Status: Implemented
Supporting evidence: Information security policy and standards

Principle: Develop systems securely.
Objective: Build quality, cost-effective systems on which business people can rely (e.g., that are consistently robust, accurate and reliable).
Description: Information security should be integral to the scope, design, build and testing phases of the system development life cycle (SDLC). Good information security practices (e.g., rigorous testing for information security weaknesses; peer review; and ability to cope with error, exception and emergency conditions) should play a key role at all stages of the development process.
Status: Implemented
Supporting evidence: Information security standards

3. Promote responsible information security behavior.

Principle: Act in a professional and ethical manner.
Objective: Ensure that information security-related activities are performed in a reliable, responsible and effective manner.
Description: Information security relies heavily on the ability of professionals within the industry to perform their roles responsibly and with a clear understanding of how their integrity has a direct impact on the information they are charged with protecting. Information security professionals need to be committed to a high standard of quality in their work while demonstrating consistent and ethical behavior and respect for business needs, other individuals and confidential (often personal) information.
Status: Implemented
Supporting evidence: Background checks

Principle: Foster a positive information security culture.
Objective: Provide a positive information security influence on the behavior of end users, reduce the likelihood of information security incidents occurring, and limit their potential business impact.
Description: Emphasis should be placed on making information security a key part of business as usual, raising information security awareness among users, and ensuring that they have the skills required to protect critical or classified information and systems. Individuals should be made aware of the risk to information in their care and empowered to take the necessary steps to protect it.
Status: Implemented
Supporting evidence: Information security governance committee (ISGC) meetings

Benefits of COBIT 5 Implementation


The bank achieved its goals in a short time—just three months—improving a number of processes, including:
• Ensure governance framework setting and maintenance
• Ensure benefits delivery
• Ensure risk optimization
• Ensure resource optimization
• Ensure stakeholder transparency
• Manage the IT management framework
• Manage strategy
• Manage enterprise architecture
• Manage innovation
• Manage requirements definition
• Manage assets
• Manage continuity

Conclusion
The bank plans to continue using this assessment framework on an annual basis and as other projects warrant it. The latest
version of COBIT is easy to understand and implement, particularly the tool kit, which provides all the required information
needed to use COBIT within the organization.

Abbas K, CISA, CISM, CGEIT, COBIT 5 (Foundation), CEH, C|CISO, PRINCE2, has more than 14 years of experience with
cross-functional sectors of information security and information risk. He is the manager of information security at a leading
regional bank in the Middle East. Previously, he worked with Ernst & Young and KPMG. He is well versed in IT standards and
frameworks, such as COBIT, ISO 27001, PCI DSS, TOGAF and ITIL.

©2014 ISACA. All rights reserved.
