Fundamentals….

Information Security Governance:
COBIT or ISO 17799/ BS 7799
Presented by: Abhinav Goyal, Charu Sharma, Shivangi Gupta, Sonali Gupta, Anju Bhadoria, Khyati Shah, Shreeya Dhingra, Vishal Jain
Fundamentals….
• IT Governance and its importance
• International Standards
• Control Objectives for Information and Related Technology (COBIT)
History of COBIT
• ISACF Control Objectives in 1992
• 1st edition in 1996
• 2nd edition in 1998
• 3rd edition in 2000
• 4th edition in 2005
COBIT is developed by ISACA and the IT Governance Institute (ITGI) to implement IT governance in organizations.

COBIT Focuses on What – Not How!
Proactive, Not Reactive!
Adaptable to Organizations
Common Sense – maximize benefits of IT while providing IT
governance and control.
1. Executive Summary - “There is a method…”
2. Framework - “The method is…”
3. Control Objectives - “The minimum controls are…”
4. Audit Guidelines - “Here’s how you audit…”
5. Management Guidelines - “Here’s how you measure your
performance…”
6. Implementation Guide - “Here’s how you implement…”
• 4 Domains
– Plan & Organize (PO)
– Acquire & Implement (AI)
– Deliver & Support (DS)
– Monitor & Evaluate (ME)
• 34 High-Level Control Objectives (one per IT process)
• 215 Detailed Control Objectives (COBIT 4.0 count; the 3rd edition had 318)
Information Criteria (business requirements):
Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT Resources:
Data, Applications, Technology, Facilities, People

Business Processes are supported by the IT processes of the four domains:

Plan & Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality

Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations

Monitor & Evaluate
ME1 Monitor the Process
ME2 Assess Internal Control Adequacy
ME3 Obtain Independent Assurance
ME4 Provide for Independent Audit
• Management
– Describes what needs to be taken into account when making IT-related decisions and investments; helps balance risk and control investment.
• IT Providers
– Provides clear expectations on minimum controls in IT environments
• IT Users
– Assurance over security and controls (internal and external providers)
• Auditors
– List of control objectives and minimum controls
– Substantiation of opinion
• Self-assessment tool for all groups
ISO 17799 / BS 7799
SECURITY PARAMETERS / STRUCTURE
• RISK ASSESSMENT AND TREATMENT
• SECURITY POLICY
• ORGANISATION OF INFORMATION SECURITY
• ASSET MANAGEMENT
• HUMAN RESOURCES SECURITY
• PHYSICAL AND ENVIRONMENTAL SECURITY
• COMMUNICATIONS AND OPERATIONS MANAGEMENT
• ACCESS CONTROL
• INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
• INFORMATION SECURITY INCIDENT MANAGEMENT
• BUSINESS CONTINUITY MANAGEMENT
• COMPLIANCE
ISO 17799 Overview
ISO 17799 modules
ISO 17799 Controls
DIMENSION: COBIT vs ISO 17799

Function
  COBIT: Mapping IT processes; information security framework implementation; information system audit
  ISO 17799: Compliance to a security standard

Area
  COBIT: 4 domains
  ISO 17799: 10 domains (ISO 17799:2000; the 2005 revision has 11 control clauses)

Structure
  COBIT: 318 detailed controls / 34 high-level control objectives (3rd edition; COBIT 4.0 has 215 detailed control objectives)
  ISO 17799: 127 controls / 36 control objectives (ISO 17799:2000; the 2005 revision has 133 controls / 39 control objectives)

Focus
  COBIT: Information technology controls
  ISO 17799: Information security

Consultant
  COBIT: Accounting firm, IT consulting firm
  ISO 17799: IT consulting firm, security firm, network consultant

Issuer
  COBIT: ISACA
  ISO 17799: ISO

Available certification
  COBIT: None
  ISO 17799: BS 7799-2 (the ISMS specification, later adopted as ISO/IEC 27001)

Goals
  COBIT: IT control objectives for day-to-day use
  ISO 17799: Guidance for implementing information security

Suitability
  COBIT: SOX or Basel II
  ISO 17799: Organizations with a focus on information security

Taxonomy
  COBIT: Collection of publications, classified as best practice for IT control and IT governance
  ISO 17799: International standard

Target audiences
  COBIT: Management, users and auditors
  ISO 17799: People responsible for information security
What do we want to achieve with IT?
How can we achieve these IT goals?
Where are the methods strong?
How can we achieve these IT goals: continuous IT improvement