
Agenda

Agenda. COBIT 5 Product Family. Information Security. COBIT 5 content. Chapter 2. Enabler: Principles, Policies and Frameworks. Chapter 3. Enabler: Processes. Chapter 4. Enabler: Organisational Structures. Chapter 5. Enabler: Culture, Ethics and Behaviour.


Presentation Transcript


  1. Agenda
  • COBIT 5 Product Family
  • Information Security
  • COBIT 5 content
  • Chapter 2. Enabler: Principles, Policies and Frameworks
  • Chapter 3. Enabler: Processes
  • Chapter 4. Enabler: Organisational Structures
  • Chapter 5. Enabler: Culture, Ethics and Behaviour
  • Chapter 6. Enabler: Information
  • Chapter 7. Enabler: Services, Infrastructure and Applications
  • Chapter 8. Enabler: People, Skills and Competencies
  • Appendices
  • Appendix A. Detailed Guidance: Principles, Policies and Frameworks Enabler
  • Appendix B. Detailed Guidance: Processes Enabler
  • Appendix C. Detailed Guidance: Organisational Structures Enabler
  • Appendix D. Detailed Guidance: Culture, Ethics and Behaviour Enabler
  • Appendix E. Detailed Guidance: Information Enabler
  • Appendix F. Detailed Guidance: Services, Infrastructure and Applications Enabler
  • Appendix G. Detailed Guidance: People, Skills and Competencies Enabler
  • Appendix H. Detailed Mappings

  2. Product Family

  3. COBIT 5 Principles

  4. Information Security
  ISACA defines information security as something that:
  • Ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).
  • Confidentiality means preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information.
  • Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  • Availability means ensuring timely and reliable access to and use of information.

  5. Capability

  6. COBIT 5 Enablers

  7. Enabler: Principles, Policies and Framework
  2.1 Principles, Policies and Framework Model
  2.2 Information Security Principles
  2.3 Information Security Policies
  2.4 Adapting Policies to the Enterprise’s Environment
  2.5 Policy Life Cycle

  8. Enabler: Principles, Policies and Framework

  9. Appendix A

  10. Appendix A
  • Information security policy
  • Access control policy
  • Personnel information security policy
  • Physical and environmental information security policy
  • Incident management policy
  • Business continuity and disaster recovery policy
  • Asset management policy
  • Rules of behaviour (acceptable use)
  • Information systems acquisition, software development and maintenance policy
  • Vendor management policy
  • Communications and operation management policy
  • Compliance policy
  • Risk management policy

  11. Enabler: Process
  3.1 The Process Model
  3.2 Governance and Management Processes
  3.3 Information Security Governance and Management Processes
  3.4 Linking Processes to Other Enablers

  12. Appendix B Process

  13. Appendix B Process

  14. Appendix B Process

  15. Appendix B Process

  16. Appendix B Process

  17. Enabler: Organisational Structures
  4.1 Organisational Structures Model
  4.2 Information Security Roles and Structures
  4.3 Accountability Over Information Security

  18. Appendix C

  19. Appendix C

  20. Enabler: Culture, Ethics and Behaviour
  5.1 Culture Model
  5.2 Culture Life Cycle
  5.3 Leadership and Champions
  5.4 Desirable Behaviour

  21. Appendix D

  22. Enabler: Information
  6.1 Information Model
  6.2 Information Types
  6.3 Information Stakeholders
  6.4 Information Life Cycle

  23. Appendix E

  24. Enabler: Services, Infrastructure and Applications
  7.1 Services, Infrastructure and Applications Model
  7.2 Information Security Services, Infrastructure and Applications

  25. Appendix F
  • Provide a security architecture.
  • Provide security awareness.
  • Provide secure development (development in line with security standards).
  • Provide security assessments.
  • Provide adequately secured and configured systems, in line with security requirements and security architecture.
  • Provide user access and access rights in line with business requirements.
  • Provide adequate protection against malware, external attacks and intrusion attempts.
  • Provide adequate incident response.
  • Provide security testing.
  • Provide monitoring and alert services for security-related events.

  26. Appendix F

  27. Appendix F

  28. Enabler: People, Skills and Competencies
  8.1 People, Skills and Competencies Model
  8.2 Information Security-related Skills and Competencies

  29. Appendix G

  30. Appendix H
  • The ISO/IEC 27000 series provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It maps to:
    • Security- and risk-related processes in the EDM, APO and DSS domains
    • Various security-related activities within processes in other domains
    • Monitoring and evaluating activities from the MEA domain
  • The ISF 2011 Standard of Good Practice for Information Security is based on the ISF Information Security Model's four main categories: information security governance, information security requirements, control framework, and information security monitoring and improvement.
  • Guide for Assessing the Information Security Controls in Federal Information Systems and Organisations (NIST): the purpose of this guide is to provide direction with regard to information security controls for executive agencies of the US government.
