COBIT as a foundation for Information Security Management

Information security is now highly dependent on business decision-making and user activities that involve the entire enterprise population. Most organisations have a large number of inter-enterprise connections and a wide range of internally integrated technology and operations across multiple processing environments. The ITGN uses COBIT 5 as the foundation on which to establish and build a capability in information security management.

The integrated nature of the COBIT 5 process model enables accountability and responsibility to be identified and assigned. Selection, testing and deployment of appropriate mechanisms to supply security functions is complex. Few organisations have established the processes necessary for effective information security and therefore COBIT 5 provides an excellent reference and foundation on which to establish information security enterprise in an effective, lean and sustainable manner.

THE CHALLENGE
A well-structured approach is required for building information security around confidentiality (stressing the "need to know" as the guiding principle for implementing a security program), managing integrity (by focusing on the "control of privilege to create, modify, store, copy or delete information or information resources) and ensuring the availability of information (based on the "business' need" and regulatory obligations to have systems, resources and data available). 

HOW DOES COBIT HELP
Through the use of an integrated process based approach and directed from the governance layer, with a management system to coordinate improvements:

  • Identify the IT activities necessary for effective information security using the 37 COBIT 5 processes as a guide
  • Build capability in information security processes and related activities
  • Focus on delivering the outcomes that business expects from information security (and avoid unnecessary concepts of 'best practice').


LESSONS LEARNED

  • There are a large number of IT processes that will have an impact on the effectiveness of information security
  • The outcome expected from information security should be based on what the business actually needs (e.g. security in a hostile environment, regulatory compliance, etc.).