1 / 20

C OBI T vs. ISO 17799 (27002)

C OBI T vs. ISO 17799 (27002) . Erica Elliott Stephanie Park. Questions For IT Managers. How far should we go and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors?

osborn
Télécharger la présentation

C OBI T vs. ISO 17799 (27002)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COBIT vs. ISO 17799 (27002) Erica Elliott Stephanie Park

  2. Questions For IT Managers • How far should we go and is the cost justified by the benefit? • What are the indicators of good performance? • What are the critical success factors? • What are the risks of not achieving our objectives? • What do others do? • How do we measure and compare?

  3. The History of ISO 17799 • The standard was published in 2000 in its first edition, which was updated in June 2005. It can be classified as current best practice in the subject area of information security management systems. • It provides information to responsible parties for implementing information security within an organization. • It can be seen as a basis for developing security standards and management practices within an organization to improve reliability on information security in inter-organizational relationships.

  4. What is ISO 17799? • As mentioned, the standard simply offers guidelines; it does not contain in-depth information on how information security should be implemented and maintained. • Suggests that nothing be implemented until after an in-depth risk assessment of the current controls. • It is important to understand that the controls mentioned in the standard are not organized or prioritized according to any specific criteria. Each control should be given equal importance and should consider the systems’ and projects’ requirement specification and design stage. Failure to do this will result in less cost-effective measures or even failure in achieving adequate security. • ISO 17799 warns that no set of controls will achieve complete security. It encourages additional intervention from management to monitor, evaluate and improve the effectiveness of security controls to support the business objectives of the organization.

  5. Under ISO • Measurements based on legal requirements include: • Protection and nondisclosure of personal data • Protection of internal information • Protection of intellectual property rights • Best practices mentioned are: • Information security policy • Assignment of responsibility for information security • Problem escalation • Business continuity management

  6. Implementation under ISO • When implementing a system for information security management several critical success factors are to be considered: • The security policy, its objectives and activities reflect the business objectives. • The implementation considers cultural aspects of the organization. • Open support from and engagement of senior management are required. • Thorough knowledge of security requirements, risk assessment and risk management is required. • Effective marketing of security targets all personnel, including members of management. • The security policy and security measures are communicated to contracted third parties. • Users are trained in an adequate manner. • A comprehensive and balanced system for performance measurement is available, which supports continuous improvement by giving feedback.

  7. Structure of ISO 17799 • The standard contains 11 security control ‘clauses,’ collectively containing a total of 39 main security categories. • First, each main security category has a ‘control objective.’ This states what the control is to achieve. Second, each has one or more controls that can be applied to achieve the control’s objective. a. Security Policy (1) b. Organizing Information Security (2) c. Asset Management (2) d. Human Resources Security (3) e. Physical and Environment Security (2) f. Communications and Operations Management (10) g. Access Control (7) h. Information Systems Acquisition, Development and Maintenance (6) i. Information Security Incident Management (2) j . Business Continuity Management (1) k. Compliance (3)

  8. COBIT • The main theme: Business orientation. • It is designed to be employed not only by users and auditors, but also, as a comprehensive guidance for management and business process owners. • The overall objective – to understand the issues and strategic importance of IT so the enterprise can sustain its operations and implement the strategies required to extend its activities into the future.

  9. Governance under COBIT • IT governance aims to ensure that expectations for IT are met and IT risks are mitigated. • It is the responsibility of the board of directors and executive management. • It consists of the leadership and organizational structures and processes that ensure that the organizations IT sustains and extends the organizations strategies and objectives. • At the heart of the governance responsibilities of setting strategy, managing risks, delivering value and measuring performance are the stakeholder values.

  10. Governance under COBIT (Cont) • The purpose of IT governance is to direct IT endeavors, to ensure that IT meets the following objectives: • Alignment of IT with the enterprise and realization of the promised benefits • Use of IT to enable the enterprise and realization of the promised benefit • IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage.

  11. COBIT Framework • The framework starts from a simple and pragmatic premise: To provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. • The grouped processes are: • Plan and Organize • Acquire and Implement • Deliver and Support • Monitor

  12. COBIT Guidelines • Action-oriented and generic. • Provide management direction for getting the enterprise’s information and related processes under control, monitoring achievement of organizational goals, monitoring performance within each IT process, and benchmarking organizational achievement.

  13. Maturity Models in COBIT • Management can map where the organization is today, where it stands in relation to the best in class in its industry and to international standards, and where the organization wants to be. • Critical success factors (CSFs) define the most important management-oriented implementation guidelines to achieve control over and within its IT processes.

  14. Similarities • As COBIT is an internationally recognized standard for control of governance of IT and ISO 17799 is equally recognized and established in the field of information security management, these two standards do not compete against each other, in fact they are mutually complementary. COBIT by its nature is broader and ISO/IEC 17799 tends to be deeper in the area of security.

  15. http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=26409http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=26409

  16. Differences • ISO 17799 provides security controls. It does not provide implementation guidance and does not specifically address how these processes fit into the overall IT management processes. • COBIT is focused on controls and metrics. It also lacks a security component but provides a more global view of IT processes at the IT organization management principles than ITIL.

  17. Main goal of ISO 17799 • ISO 17799 aims to improve the practices and organizations around information security. It defines a global approach to security management that touches the responsibilities and organizations responsible for security as well as the policies, critical asset classification, and risk management. It is best used when security certification and overall definition of all security processes — logical and physical — is needed and basic rules for security defined.

  18. Main Goal of COBIT • COBIT compiles an up-to-date international set of generally accepted control objectives for day-to-day use by business managers and IT managers. It addresses IT governance and the key performance indicators associated with process improvement. COBIT has clearly been influenced by problems raised by the insurance industry. Mergers and acquisitions, unification of processes, outsourcing and audits are main chapters of the COBIT framework.

  19. Managerial Recommendations As previously stated COBIT and ISO 17799 do not compete against each other, in fact they are mutually complementary Therefore, we recommend that management use COBIT and ISO 17799 together to provide a more global view of IT processes while increasing security controls

  20. References • http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=26409 • http://rickyboeykens.spaces.live.com/blog/cns!7EE40084F422EFB2!142.entry • http://17799-news.the-hamster.com/issue10-news11.htm • http://www.17799.com/papers/iso17799scope.pdf • http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/AligningCOBIT,ITIL.pdf

More Related