cobit5 and infosec

Uploaded by roney-cruz on 18-Jul-2016

DESCRIPTION

On information security based on COBIT 5: governance, processes, management, process maturity and IT controls.

TRANSCRIPT

COBIT – The ISACA Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risk.

COBIT enables clear policy development and good practice for IT control throughout organisations.

COBIT emphasises regulatory compliance, helps organisations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

For more information: www.isaca.org/cobit

COBIT 4.1 – The ISACA Framework

COBIT 4.1, issued in 2007, is an IT governance and management framework.

Focus on processes as the key enabler.

Source: COBIT® 4.1, figure 23. © 2007 IT Governance Institute® All rights reserved.

COBIT 5 – The NEW Version

COBIT 5 is a major strategic improvement providing the next generation of ISACA guidance on the governance and management of enterprise information technology (IT) assets.

Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT.

For more information: www.isaca.org/cobit

COBIT 5 Product Family – The Overarching Framework Product

Source:  COBIT® 5, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5: Value Creation

Delivering enterprise stakeholder value requires good governance and management of IT assets—including information security arrangements.

External legal, regulatory and contractual compliance requirements (sometimes covering information security requirements) related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT – providing a sound basis for information security arrangements.

The COBIT 5 Framework

Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles and Enablers

COBIT 5 Enterprise Enablers

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

COBIT 5 Product Family – The Detailed Process Guidance is Still There

Source: COBIT® 5: Enabling Processes, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5 Enabling Processes

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

COBIT 5 – Integrates Earlier ISACA Frameworks

COBIT 5 has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.

COBIT 5 – Integrates BMIS Components Too

COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components.

Source: BMIS®, figure 2. © 2010 ISACA® All rights reserved.

BMIS Introduction

• Business Model for Information Security (BMIS)

• A holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection

• BMIS challenges conventional thinking and enables you to creatively re-evaluate your information security investment

• The Business Model for Information Security provides an in-depth explanation of a holistic business model that examines security issues from a systems perspective.

• For more information: www.isaca.org/bmis

COBIT 5 Integrates BMIS Components

• Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and creating stakeholder value:

• Organisation

• Process

• People

• Human Factors

• Technology

• Culture

COBIT 5 Integrates BMIS Components (cont.)

• The remaining BMIS components are related to the larger aspects of the COBIT 5 framework:

• Governing—The dimensions of governance activities (evaluate, direct, monitor—ISO/IEC 38500) are addressed at the enterprise level in the COBIT 5 framework

• Architecture (including a process model)—COBIT 5 includes the need to address enterprise architecture aspects to link organisation and technology effectively

• Emergence—The holistic and integrated nature of the COBIT 5 enablers supports the enterprise in adapting to changes in both stakeholder needs and enabler capabilities as necessary

COBIT 5 Product Family—Includes Implementation Guidance

Source: COBIT® 5 Implementation, figure 1. © 2012 ISACA® All rights reserved.

COBIT 5 Implementation

• The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.

• Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.

• The need to drive more value from IT investments and manage an increasing array of IT-related risk, including often cited security risk, has never been greater.

• Increasing regulation and legislation over business use and security of information is also driving heightened awareness of the importance of well-governed, managed and secure IT use.

COBIT 5 Implementation (cont.)

• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5—including many focused on information security.

• However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.

• COBIT 5 Implementation provides guidance on how to do this.

COBIT 5 Implementation (cont.)

• COBIT 5 Implementation covers the following subjects:

• Positioning GEIT within an enterprise

• Taking the first steps towards improving GEIT

• Implementation challenges and success factors

• Enabling GEIT-related organisational and behavioural change

• Implementing continual improvement that includes change enablement and programme management

• Using COBIT 5 and its components

COBIT 5 Implementation (cont.)

Source: COBIT® 5 Implementation, figure 6. © 2012 ISACA® All rights reserved.

COBIT 5 Product Family—Includes an Information Security Member

Source: COBIT® 5, adapted from figure 11. © 2012 ISACA® All rights reserved.

COBIT 5 and Information Security

COBIT 5 addresses information security specifically: the focus on an information security management system (ISMS) in the align, plan and organise (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.

This process highlights the need for enterprise management to plan and establish an appropriate ISMS to support the information security governance principles and security-impacted business objectives resulting from the evaluate, direct and monitor (EDM) governance domain.


COBIT 5 for Information Security will be an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective.

Additional value for information security constituents will be created through additional explanations, activities, processes and recommendations.

The COBIT 5 for Information Security deliverable will be a view of information security governance and management that will provide security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.

COBIT 5 for Information Security (cont.)

What content will be included in the guide?

Guidance on the enterprise business drivers and benefits related to information security

How the COBIT 5 principles can be viewed and applied from an information security professional's perspective

How the COBIT 5 enablers can be used by information security professionals to support enterprise governance and management of information security arrangements

How COBIT 5 for Information Security guidance aligns with other information security standards

COBIT 5 for Information Security (cont.)

At what stage of development is COBIT 5 for Information Security?

Development has been underway for some time and a draft was delivered for subject matter expert (SME) review in January 2012.

The COBIT Security Task Force met in February 2012 to review and incorporate SME feedback into the product.

The expectation is that the COBIT 5 for Information Security professional guide will be available in July 2012.

COBIT 5 for Information Security (cont.)

Thank you for listening!

If you have questions about ISACA publications and ongoing research, please contact:

ISACA Research Department

Phone: +1.847.660.5630

Fax: +1.847.253.1443

Email: [email protected]
