
Agenda COBIT 5 Product Family Information Security COBIT 5 content Chapter 2. Enabler: Principles, Policies and Frameworks. Chapter 3. Enabler: Processes


Page 1: Agenda COBIT 5 Product Family Information Security COBIT 5 content Chapter 2. Enabler: Principles, Policies and Frameworks. Chapter 3. Enabler: Processes
Page 2

Agenda

COBIT 5 Product Family
Information Security
COBIT 5 content

Chapter 2. Enabler: Principles, Policies and Frameworks
Chapter 3. Enabler: Processes
Chapter 4. Enabler: Organisational Structures
Chapter 5. Enabler: Culture, Ethics and Behaviour
Chapter 6. Enabler: Information
Chapter 7. Enabler: Services, Infrastructure and Applications
Chapter 8. Enabler: People, Skills and Competencies

Appendices
Appendix A. Detailed Guidance: Principles, Policies and Frameworks Enabler
Appendix B. Detailed Guidance: Processes Enabler
Appendix C. Detailed Guidance: Organisational Structures Enabler
Appendix D. Detailed Guidance: Culture, Ethics and Behaviour Enabler
Appendix E. Detailed Guidance: Information Enabler
Appendix F. Detailed Guidance: Services, Infrastructure and Applications Enabler
Appendix G. Detailed Guidance: People, Skills and Competencies Enabler
Appendix H. Detailed Mappings

Page 3

Product Family

Page 4

COBIT 5 Principles

Page 5

Information Security

ISACA defines information security as something that: "Ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability)."

Confidentiality means preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information.
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability means ensuring timely and reliable access to and use of information.

Page 6

Capability

Page 7

COBIT 5 Enablers

Page 8

Enabler: Principles, Policies and Framework

2.1 Principles, Policies and Framework Model
2.2 Information Security Principles
2.3 Information Security Policies
2.4 Adapting Policies to the Enterprise's Environment
2.5 Policy Life Cycle

Page 9

Enabler: Principles, Policies and Framework

Page 10

Appendix A

Page 11

Appendix A

Information security policy
Access control policy
Personnel information security policy
Physical and environmental information security policy
Incident management policy
Business continuity and disaster recovery policy
Asset management policy
Rules of behaviour (acceptable use)
Information systems acquisition, software development and maintenance policy
Vendor management policy
Communications and operation management policy
Compliance policy
Risk management policy

Page 12

Enabler: Process

3.1 The Process Model
3.2 Governance and Management Processes
3.3 Information Security Governance and Management Processes
3.4 Linking Processes to Other Enablers

Page 13

Appendix B Process

Page 14

Appendix B Process

Page 15

Appendix B Process

Page 16

Appendix B Process

Page 17

Appendix B Process

Page 18

Enabler: Organisational Structures

4.1 Organisational Structures Model
4.2 Information Security Roles and Structures
4.3 Accountability Over Information Security

Page 19

Appendix C

Page 20

Appendix C

Page 21

Enabler: Culture, Ethics and Behaviour

5.1 Culture Model
5.2 Culture Life Cycle
5.3 Leadership and Champions
5.4 Desirable Behaviour

Page 22

Appendix D

Page 23

Enabler: Information

6.1 Information Model
6.2 Information Types
6.3 Information Stakeholders
6.4 Information Life Cycle

Page 24

Appendix E

Page 25

Enabler: Services, Infrastructure and Applications

7.1 Services, Infrastructure and Applications Model
7.2 Information Security Services, Infrastructure and Applications

Page 26

Appendix F

Provide a security architecture.
Provide security awareness.
Provide secure development (development in line with security standards).
Provide security assessments.
Provide adequately secured and configured systems, in line with security requirements and security architecture.
Provide user access and access rights in line with business requirements.
Provide adequate protection against malware, external attacks and intrusion attempts.
Provide adequate incident response.
Provide security testing.
Provide monitoring and alert services for security-related events.

Page 27

Appendix F

Page 28

Appendix F

Page 29

Enabler: People, Skills and Competencies

8.1 People, Skills and Competencies Model
8.2 Information Security-related Skills and Competencies

Page 30

Appendix G

Page 31

Appendix H

The ISO/IEC 27000 series provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It maps to:
• Security- and risk-related processes in the EDM, APO and DSS domains
• Various security-related activities within processes in other domains
• Monitoring and evaluating activities from the MEA domain

The ISF 2011 Standard of Good Practice for Information Security is based on the ISF Information Security Model's four main categories: information security governance, information security requirements, control framework, and information security monitoring and improvement.

Guide for Assessing the Information Security Controls in Federal Information Systems and Organisations, NIST. The purpose of this guide is to provide direction with regard to information security controls for executive agencies of the US government.

Page 32