Assessment ISO 15504 COBIT 5 for Information Security

COBIT 5 - Home | AIEA · COBIT 5 • Control Objectives eliminated -> Purpose, Outcomes and Base Practices • Sequences of WP in / BP / WP out • Constitutes a PRM of


Assessment ISO 15504

COBIT 5 for Information Security

Measuring security

• I am «compliant», but am I also «secure»?

• How do the controls interact with one another?

• The idea is that Lagging Indicators without Leading Indicators tell you nothing about how the outcomes will be achieved, nor can you have any early warnings about being on track to achieve your strategic goals.

• . . . . “investing in organisational capability” leads to “efficient and effective processes”, which deliver the products and services that “satisfy customers” and ultimately lead to “profit”

• Security by Compliance (675 / 96) or Compliance by Security (2012 / O11)?

A scalable assessment tool would be useful

• Which controls are most important, which should we start from, and which should we invest in most?

• Progressive implementation

• Graduated rating scale

• Assessment classes:

– Self

– Informal

– Formal

– ….

…. but will the controls work?

The problem has been tackled in «mature» industry, (or) where you only get to make a mistake once!

The answer:

• Not «Controls» or «Control Objectives» but: a Model of Control Processes with their connections

• The «Capability» of the Process is measured

So, if the Processes have IT Security as their objective:

IT Security Capability Determination

Is there an ISO Assessment standard of this kind?

Capability determination: an examination, according to formal rules, of processes with respect to their ability to achieve a given objective.

ISO/IEC 15504 (SPICE)

ISO/IEC 15504

• SPICE Project 1993

• 2003: release of ISO/IEC 15504

Two basic concepts:

1. How to define a Process so that its Capability can be measured

2. How to perform the measurement

ISO/IEC 15504 Process Assessment Model (PAM)

The Process Reference Model:

• Process Reference Model: a model comprising definitions of processes in a life cycle described in terms of process purpose and outcomes, together with an architecture describing the relationships between the processes (15504-1)

• ISO/IEC 15504-2 requires that processes included in a Process Reference Model satisfy the following:

– "The fundamental elements of a Process Reference Model are the set of descriptions of the processes within the scope of the model. These process descriptions shall meet the following requirements:

a) A process shall be described in terms of its Purpose and Outcomes.

b) In any description the set of process outcomes shall be necessary and sufficient to achieve the purpose of the process.

c) Process descriptions shall be such that no aspects of the measurement framework as described in clause 5 of this International Standard beyond level 1 are contained or implied."

….Process outcome:

an observable result of a process (15504-1); expected positive results of the process performance (15504-5); an outcome statement describes one of the following:

– production of an artifact;

– a significant change of state;

– meeting of specified constraints, e.g. requirements, goals etc. (15504-2)

A measurable Process (COSO)

ISO/IEC 15504-2

• ISO/IEC 15504-2:2003 defines the requirements for performing process assessment as a basis for use in process improvement and capability determination.

• Process assessment is based on a two dimensional model containing a process dimension and a capability dimension.

• The process dimension is provided by an external process reference model, which defines a set of processes characterized by statements of process purpose and process outcomes.

• The capability dimension consists of a measurement framework comprising six process capability levels and their associated process attributes.

• The assessment output consists of a set of process attribute ratings for each process assessed, termed the process profile, and may also include the capability level achieved by that process.

ISO/IEC 15504-2

• ISO/IEC 15504-2:2003 identifies the measurement framework for process capability and the requirements for:

– performing an assessment;
– process reference models;
– process assessment models;
– verifying conformity of process assessment.

• The requirements for process assessment defined in ISO/IEC 15504-2:2003 form a structure which:

– facilitates self-assessment;
– provides a basis for use in process improvement and capability determination;
– takes into account the context in which the assessed process is implemented;
– produces a process rating;
– addresses the ability of the process to achieve its purpose;
– is applicable across all application domains and sizes of organization; and
– may provide an objective benchmark between organizations.

• The minimum set of requirements defined in ISO/IEC 15504-2:2003 ensures that assessment results are objective, impartial, consistent, repeatable and representative of the assessed processes. Results of conformant process assessments may be compared when the scopes of the assessments are considered to be similar.

Validation of the Standard

• The following were analysed / evaluated:

– Reliability
  – If I repeat the assessment, how likely am I to obtain the same result?

– Predictive validity
  – …. but does it work?
  – comparison between Lead and Lag indicators!

– Assessment effort
  – The cost of performing SPICE assessments ranges from 33 to 824 person-hours (median of 110)

Example of use


Lead indicator !

PAM: PRM & MF


ISACA’s COBIT Assessment Programme

What is the new COBIT assessment process?

• The COBIT process programme is described in COBIT® Process Assessment Model (PAM): Using COBIT® 5.

• PAM brings together two proven ‘heavyweights’ in the IT arena, ISO and ISACA.

• ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment, which supports, among others, both the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and ITIL Version 3 assessments using the ISO approach.

• The COBIT PAM uses the existing COBIT 5 content: an ISO 15504 compliant process assessment model.

Assessment Overview

[Figure: assessment overview; labels: Process Assessment Model, Assessment Process]

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

COBIT 5

• Control Objectives eliminated -> Purpose, Outcomes and Base Practices

• Sequences of WP in / BP / WP out

• Constitutes an ISO 15504-compatible PRM for Governance and Management


Left brain information processing = analytic/logical thinking = sequential processing

Generally, people with a left-brain dominance are sequential thinkers, analytics who like facts, details and logic. They tend to like their work areas neat and organised. They have perfect filing systems, always deal with one project at a time and are deadline-driven. Keeping lists of tasks to do is their favourite hobby, and if they complete something that’s not on their list, they are likely to add it just for the satisfaction of crossing it out. Analytics are the ones who know the price of eggs in the local dairy, hang up the toilet paper so that the straight part touches the wall, roll up the toothpaste tube and replace the cap. An analytic cook follows a recipe step by step, and if she runs out of an ingredient, she drives to the shops to replace it.

Right brain information processing = holistic/global thinking = simultaneous processing

Right-brained people, in contrast, are holistic multi-processors. They aren't interested in the nitty-gritty of issues. Instead, they need to know the overall picture, the reasons behind a project rather than its deadline. Piles of paper gather dust on their desks and office floor, yet they are able to find any document at a moment's notice. Holistics tend to use their intuition or feelings rather than rationalise about a problem. A holistic cook never ever keeps a shopping list, doesn't stick to recipes and is happy to substitute milo for cocoa powder in her chocolate cake.

PRM = COBIT 5 Framework

[Figure labels: BSC; Processes; Governance; Management: Plan and Organise, Build, Deliver, Monitor]

DSS05 Manage Security Services

Description: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

Purpose: Minimise the business impact of operational information security vulnerabilities and incidents.

Outcomes

1. Networks and communications security meet business needs.

2. Information processed on, stored on and transmitted by endpoint devices is protected.

3. All users are uniquely identifiable and have access rights in accordance with their business role.

4. Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.

5. Electronic information is properly secured when stored, transmitted or destroyed.

Base Practices

1 - Protect against malware. Activity + RACI

2 - Manage network and connectivity security. Activity + RACI

3 - Manage endpoint security. Activity + RACI

4 - Manage user identity and logical access. Activity + RACI

5 - Manage physical access to IT assets. Activity + RACI

6 - Manage sensitive documents and output devices. Activity + RACI

7 - Monitor the infrastructure for security-related events. Activity + RACI

WP In (from other Processes)

• SLAs, OLAs
• Data classification guidelines
• Information architecture model
• Results of physical inventory checks
• Records of transactions
• IT-related roles and responsibilities
• …

WP Out (to other Processes)

• Malicious software prevention policy
• Evaluations of potential threats
• Connectivity security policy
• Results of penetration tests
• Security policies for endpoint devices
• Approved user access rights
• User accounts and privileges
• Approved access requests
• Access logs
• Security incident characteristics
• Security event logs
• Security incident tickets
• Inventory of sensitive documents and devices
• Access privileges

Process Attribute Rating Scale

N Not achieved—0 to 15% achievement
There is little or no evidence of achievement of the defined attribute in the assessed process.

P Partially achieved—> 15% to 50% achievement
There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.

L Largely achieved—> 50% to 85% achievement
There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.

F Fully achieved—> 85% to 100% achievement
There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
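
As an added example (not part of the original slides or of ISACA's PAM), the Python code below applies the rating scale above to a process profile and derives the capability level. It goes beyond the slide by using the ISO/IEC 15504-2 rule that a level is achieved when its attributes are rated L or F and all lower-level attributes are rated F; the DSS05 percentages are constructed sample values and the function names are hypothetical.

```python
# Added example: N/P/L/F rating and capability level for one process.
# Attribute IDs follow the ISO/IEC 15504-2 measurement framework
# (PA 1.1 at level 1, two attributes at each of levels 2 to 5).
LEVEL_ATTRIBUTES = {
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}
ALL_ATTRIBUTES = [pa for pas in LEVEL_ATTRIBUTES.values() for pa in pas]


def rate_attribute(percent):
    """Map percentage achievement to N/P/L/F using the slide's boundaries."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be within 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def process_profile(achievement):
    """Return {attribute: rating}; attributes with no evidence are rated N."""
    unknown = sorted(set(achievement) - set(ALL_ATTRIBUTES))
    if unknown:
        raise ValueError(f"unknown process attributes: {unknown}")
    return {pa: rate_attribute(achievement.get(pa, 0)) for pa in ALL_ATTRIBUTES}


def capability_level(profile):
    """Highest level whose attributes are L or F with all lower levels at F."""
    achieved = 0
    for level, attributes in sorted(LEVEL_ATTRIBUTES.items()):
        ratings = [profile[pa] for pa in attributes]
        if any(r not in ("L", "F") for r in ratings):
            break
        achieved = level
        if any(r != "F" for r in ratings):
            break  # the next level needs this one fully achieved
    return achieved


def gaps_to(profile, target):
    """Attributes whose current rating blocks capability level `target`."""
    gaps = {}
    for level in range(1, target + 1):
        accepted = ("L", "F") if level == target else ("F",)
        for pa in LEVEL_ATTRIBUTES[level]:
            if profile[pa] not in accepted:
                gaps[pa] = profile[pa]
    return gaps


# Constructed assessment data for DSS05 (percent achievement per attribute).
DSS05_SAMPLE = {"PA1.1": 92, "PA2.1": 70, "PA2.2": 88, "PA3.1": 40}

if __name__ == "__main__":
    profile = process_profile(DSS05_SAMPLE)
    print("profile:", profile)
    print("capability level:", capability_level(profile))
    print("blocking level 3:", gaps_to(profile, 3))
```

The `gaps_to` result lists the attributes to work on first when a target level has been agreed with the assessment sponsor.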

DSS05 Manage Security Services

Description: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.

Purpose: Minimise the business impact of operational information security vulnerabilities and incidents.

General Practices

2.1 Performance Management

GP 2.1.1 Identify the objectives

GP 2.1.2 Plan and monitor the performances

GP 2.1.3 Adjust the performance

GP 2.1.4 Define responsibilities

GP 2.1.5 Identify and make available resources

GP 2.1.6 Manage involved parties interfaces

2.2 Work Product Management

GP 2.2.1 Define product requirements …

GP 2.2.2 Define documentation requirements

GP 2.2.3 ….

3.1 Process definition

3.2 Process Deployment

GWP

Levels 2-5: Progressive implementation

• It should be noted that WPs for some processes provide higher capability requirements for other processes. This will result in a progressive implementation of processes.

• The initial focus on any process assessment would be the core (sometimes called primary) processes, which are primarily part of the BAI and DSS domains.

• Processes in the APO and MEA domains will be required to support improvement in the capability of these core processes past level 1.

[Figure labels: CAPABILITY PROCESSES; PERFORMANCE PROCESSES]

COBIT 5 Progressive implementation

And COBIT 5 for Information Security?

• The PAM scheme is generally valid

• It is enough to adapt the COBIT 5 PRM to specialise it for InfoSec

– Same structure of Processes and connections between BPs

– Specialise the Outcomes and WPs for Security (Strategy -> Security Strategy, etc.)

– Structure the WPs according to the other enablers

• COBIT 5 is therefore adaptable (with caution) to specific needs!

The Lens Concept

The Eye of the Beholder: what are you looking for?

[Figure labels: COBIT 5 For ?; Links to other Standards, Frameworks, Guidelines etc, e.g. ISO, ITIL, National Standards; COBIT 5 Framework; COBIT 5 Enabling . . . . (e.g. Process); Practitioner Guides; Implementation Guide]

COBIT 5 for Information Security

Enablers

• Principles and Policies
• Roles and Org. Structures
• Data and Information
• Appl. and Services
• Ethics and Behaviours
• Skills and competencies

Specialised PRM

Concrete Objects

Characteristics, structure and life cycle

Process Capability Determination

Enabler Capability Determination (when the relevant Guides are released)


Assessment classes

• Class 1

– High level of reliability - suitable for benchmarking with other organisations
– Derivation of reliable conclusions about strengths/weaknesses
– Usable for: process improvement, external benchmarking and capability determination

• Class 2

– Suitable for internal benchmarking between different Organisational Units or product lines
– Reliable conclusions about improvement opportunities and process risks
– Useful for an initial assessment within an improvement programme

• Class 3

– General results that can indicate critical improvement opportunities and key process-related risks
– Suitable for monitoring assessments in an improvement programme, or for identifying the key elements for subsequent higher-class assessments

• Self Assessment


Assessment Process Activities

1. Initiation

2. Planning the assessment

3. Briefing

4. Data collection

5. Data validation

6. Process attributes rating

7. Reporting the results

Assessor Certification

• COBIT process assessment roles:

– Lead assessor—a ‘competent’ assessor responsible for overseeing the assessment activities
– Assessor—an individual, developing assessor competencies, who performs the assessment activities

• Assessor competencies:

– Knowledge, skills and experience:
  – With the process reference model; process assessment model, methods and tools; and rating processes
  – With the processes/domains being assessed
– Personal attributes that contribute to effective performance

COBIT-based enterprise certificate

• The Assessor Guide has been enhanced to provide additional guidance on the available assessments using this approach and the value they deliver to the enterprise, as well as to enable those applying the approach to better understand and communicate effectively the limitations and potential expectation gap risk of the approach to the assessment sponsor.

• In addition, ISACA is working to develop and deliver related training that will lead to a certification in performing COBIT 5-based assessments using this approach. Since the approach stresses the need for competent assessors, such a certification will support assessment sponsors in identifying competent assessors. More news will be available regarding this new opportunity soon.

• Finally, having established a market capability for COBIT-based process capability assessments, in 2013, ISACA will examine market needs and opportunities to establish a COBIT-based enterprise certificate similar to other enterprise certifications (e.g., the CMMI SCAMPI, AICPA HITRUST assessment, ISO standards compliance reports). Further details will be announced once plans have been confirmed.

AIEA MI courses

• COBIT 5 Base

– Milan, 16 and 17 April 2013

– Rome, 7 and 8 May 2013

• COBIT 5 Foundation (Course + Certification)

– Dates to be defined


QUESTIONS & COMMENTS

© 2013 ISACA. All rights reserved
