From the course: Cybersecurity Foundations

Managing security with COBIT

- [Instructor] One of the more important IT frameworks for the enterprise is COBIT, the Control Objectives for IT. COBIT is published by the Information Systems Audit and Control Association, ISACA, and its purpose is to ensure that enterprises have in place an effective and auditable set of governance and management processes for IT, which deliver value for its stakeholders. COBIT is designed around a set of processes. These are grouped into the four areas of plan, build, deliver, and monitor. We can see at the top left the Plan group, known in full as Align, Plan and Organize, with its 14 APO processes. Below that is the Build, Acquire, and Implement group. It has 11 processes. At the bottom of the diagram are the six processes in the Deliver, Service and Support group. And to the right is the Monitor, Evaluate and Assess group with its four processes.

The COBIT framework is used by the financial sector for carrying out IT general controls external audits. Consequently, having a COBIT-aligned security framework is the first step in putting in place an IT environment which will meet regulatory obligations. From a cybersecurity perspective, there are two key processes for security: APO13, Managed Security, in the Plan group, and DSS05, Managed Security Services, in the Deliver group. Of course, there are many other processes in which security plays a part. For example, security incident management is an important activity, but this falls within the overall IT process of DSS02, Managed Service Requests and Incidents.

Let's take a look into APO13, Managed Security, which defines the requirement for security management. The process description is: define, operate and monitor a system for information security management. And it has five goals: support IT and business compliance; support the management of IT and enterprise risk; contribute to the transparency of IT costs and benefits; ensure the security of information, infrastructure, and applications; and provide reliable information for decision making. APO13 consists of three control objectives. APO13.01, establish and maintain an Enterprise Information Security Management System. APO13.02, define and manage a security plan which establishes a set of objectives to progress towards the desired security posture. And APO13.03, monitor and review the ISMS. The Enterprise Information Security Management System, or ISMS, defines the approach taken to ensuring information security is effective. And this is often aligned to the set of requirements outlined in the international standard ISO 27001, information security management systems requirements. While APO13.01 is a single control objective, to satisfy it involves putting in place a number of lower-level controls from the ISO 27000 series of standards.