Minimize impact of security vulnerabilities and incidents with COBIT 5 processes

With the new release of the COBIT standard IT organizations have a roadmap to achieve greater financial transparency, customer satisfaction, operational excellence, and future orientation. But what about security? With HP’s recent announcements about security, I thought I’d spend some time talking about how COBIT 5 processes will help you better manage risk and minimize business impact. As you can see in the below image, security does play a big role in the COBIT Scorecard.

 

 Cobit 5.png

 

But what are COBIT 5’s prescriptions for security? COBIT 5 says the targets for managing security are to protect enterprise information and to maintain the level of information security risk acceptable to the enterprise in accordance with security policy. This includes establishing and maintaining security roles and access privileges and performing security monitoring. In terms of purposes, security management is simply about minimizing the business impact of operational informational security vulnerabilities and incidents.

 

Process goals for security

To improve security, COBIT 5 suggests IT organizations measure themselves against 8 explicit goals. Let’s explore them along with their specific metrics: 

 

1.                  A system is in place that considers and effectively addresses enterprise information security requirements. This goal is about establishing a security management system. Two metrics are recommended to measure success: the number of key security roles clearly defined and the number of security-related incidents. The first is a checklist item but essential. The latter asks how effective you are really at security. If you are managing security well, security incidents should represent a small percent of incidents.

2.                  A security plan has been established, accepted, and communicated throughout the enterprise. This may seem basic to you but it is really needs to be there.  Because a security breach can be an emergency, the roles and responsibilities for key players need to be understood. Three metrics are recommended here: level of stakeholder satisfaction with the security plan throughout the enterprise, the number of security solutions deviating from the plan, and the number of security solutions deviating from the enterprise architecture. Failure of the business to understand the security plan should be a red flag. If this is the case, the next step for security is exemplified by the slogan “designed in.” If security is designed in, solutions deviating from plan should be minimal. Enterprise architecture deviation is important as well. Not only is conformance with enterprise architecture important to business agility, but it is important to security. If you are up-to-date on the latest patches and greater system security “know-how,” you provide greater agility to respond to security emergencies.

3.                  Information security solutions are implemented and operated consistently throughout the enterprise. Three metrics are recommended to measure success: the number of services with confirmed alignment to the security plan, the number of security incidents caused by non-adherence to the security plan, and the number of solutions developed with confirmed alignment to the security plan. These are really important security metrics. Clearly, we need services and solutions to conform to the security plan and we want adherence to the security plan because there are real business consequences.

4.                  Networks and communication security meet business needs. Networks and communications need to be protected based on business needs and consequences. Two metrics are recommended to measure this goal: the number of vulnerabilities discovered and the number of firewall breaches. Clearly, if these numbers are high we have issues of people, process, and technology to solve.

5.                  Information processed on, stored on and transmitted by endpoint devices is protected. Three metrics net out performance for this goal area: percent of individuals receiving awareness training relating to use of endpoint devices, number of incidents involving endpoint devices, and number of unauthorized devices detected on the network or in the end-user environment. Endpoint devices include desktop PCs, laptops, servers, printers, PDAs, digital imaging devices, smart phones, and network. This shows the importance not only of end-user training on security but also the need to have an asset management or CMDB system to track connected devices on the network.

6.                  All users are uniquely identifiable and have access rights in accordance with their business role. Two metrics exist for this goal area: average time between change and update accounts and number of accounts (vs. numbers of authorized users/staff). You need to manage access control so new and existing users can perform their jobs, but also users leaving have their access cut. The second metric really goes after this.

7.                  Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processes, stored, or transmitted. Three metrics exist for this goal area: the percent of periodic tests of environmental security devices, the average rating for physical security assessment, and the number of physical security-related incidents. You clearly need to protect the environment. This means you need to prove that it is safe by testing, assessing, and protecting physical security.

8.                  Electronic information is properly secured when stored, transmitted, or destroyed. Only one metric exists for this goal area: Number of incidents relating to unauthorized access to information. As you know this means someone hacked in—this should not happen. This number should be as small as possible.

 

Where to start?

Once again, my suggestion is you start where the most immediate value can be driven. But if it were up to me, I would start with process goals number one and two. You need process to improve. And then I would look at the incident counts relating to security and try to proactively control my IT environment. For those of you that are security experts, where would you start?

 

Related links:

HP Introduces Intelligent Security Solutions to Drive Innovation, Reduce RiskBlog post: 3 ways IT leaders can strengthen compliance and control

Blog post: Making COBIT 5 part of your IT strategy

Blog post: COBIT 5 guides IT leaders to better manage future orientation in their organizations

Blog post: 7 goals in COBIT 5 that will improve your operational excellence

Blog post: COBIT 5’s scorecard measures IT’s relationship with its customers

Blog post: COBIT 5 scorecard measures the quality of IT’s financial performance

COBIT 5

Solution page:  IT Performance Management

Twitter: @MylesSuer

Labels: security
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product ...
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.