
Governance at the heart of digital transformation – How COBIT 5 can respond to this new context – Illustrations


"How can Governance be placed at the heart of digital transformation?" (2/2)

Les jeudis de l'AFAI (AFAI Thursday sessions)

Patrick Stachtchenko, 2 April 2015

1 Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015

Patrick Stachtchenko – Contact details

• Mobile: +33 6 86 68 35 76
• Email: [email protected]

How can COBIT 5 respond to this new context? Illustration

COBIT 5: Overview – COBIT 5 Framework

• A Business Framework for the Governance and Management of Enterprise IT (94 p)
• COBIT 5 Principles: Where Did They Come From? (12 p)
– COBIT 5 Enabler Guides
  • Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …
– COBIT 5 Professional Guides
  • Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), Cloud Governance: Questions Boards of Directors Need to Ask (9 p), …
– Practices and Guidance using COBIT 5
  • Configuration Management (88 p), Vendor Management (178 p), …
  • COBIT Assessment Program: Model (144 p), Self Assessment (24 p), User Guide
– White Papers / Vision Series / Studies / Surveys
  • Social Media: Business Benefits and Security, Governance and Assurance Perspectives (10 p)
  • Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives (10 p)
  • Big Data: Impacts and Benefits (14 p), Top Business/Technology Issues Survey Results (34 p), …
– Professional Standards and Guidance
  • ITAF, A Professional Practices Framework for IS Audit/Assurance, 3rd Edition (148 p)
– Audit/Assurance Programs
  • EDM/APO/DSS/BAI (25 p / process), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), …
– Knowledge Center (over 100 topics; for each topic: discussions, documents and publications, events, journal articles, external links, wikis, blog posts), eLibrary (> 500 publications), Academia, …
  • Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400, …
– COBIT Focus (4 x year): COBIT case studies, articles, updates, …
– COBIT 5 Online: multiphase project. Capabilities for accessing, understanding and applying COBIT 5

COBIT 5: Specific view (Information Security)

– COBIT 5 Professional Guides
  • Information Security (220 p)
– Practices and Guidance using COBIT 5
  • Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p), …
– White Papers / Vision Series / Studies / Surveys
  • Cybersecurity: What the Board of Directors Needs to Ask (20 p)
  • Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18 p)
  • Business Continuity Management: Emerging Trends (15 p)
  • Web Application Security: Business and Risk Considerations (16 p)
  • Security Considerations for Cloud Computing (80 p)
  • Advanced Persistent Threat (APT) Awareness Study Results (20 p), …
– Audit/Assurance Programs
  • VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …
– Knowledge Center, eLibrary, …
  • Security Tools, Physical Security, Network Security, …
– COBIT 5 Online
  • Security-specific view

COBIT 5: Global study on governance (ISACA 2014)

• White papers – issues that have just begun to, or will soon, impact enterprise operations
• Research projects
• Knowledge Center – over 100 topics
  – Discussions, documents and publications, events and online learning, journal articles, user-contributed external links, wikis, blog posts
• Academia – model curricula
  – Teaching material (for Academia advocates)
• eLibrary – all ISACA publications
  – 525 external books
• Career Center

COBIT 5: Recent publications

ISACA in brief: Knowledge 2015

• DevOps Overview (16 p)
• Internet of Things: Risk and Value Considerations (13 p)
• IS Auditing Tools and Techniques: IS Audit Reporting (46 p)
• Getting Started With Governance (8 p)
• Overview of Digital Forensics (14 p)
• DevOps Series
• Industrial Control Systems (ICS) – 2nd Q
• Internal Controls – 1st Q
• Operational Risk Management/Basel Using COBIT 5 (?)
• PCI DSS (Payment Card Industry Data Security Standard) – 1st Q
• Security, Audit and Control Features SAP ERP, 4th Edition – 1st Q
• + Work of committees and task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)

All of this knowledge is developed in line with the principles of COBIT 5.

ISACA in brief: Knowledge 2014

• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)
• A Global Look at IT Audit Best Practices (45 p)
• IT Control Objectives for Sarbanes-Oxley Using COBIT 5, 3rd Edition (142 p)
• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)
• Risk Scenarios Using COBIT 5 for Risk (294 p)
• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)
• European Cybersecurity Implementation Series
  – Overview (26 pages)
  – Assurance (24 pages)
  – Resilience (25 pages)
  – Risk Guidance (24 pages)
  – Audit/Assurance Program (47 pages)

ISACA in brief: Knowledge 2014 (continued)

• Cybersecurity: What the Board of Directors Needs to Ask (20 p)
• Implementing the NIST Cybersecurity Framework (108 p)
• COBIT 5 Principles: Where Did They Come From? (12 p)
• Advanced Persistent Threat Awareness Study Results (20 p)
• ITAF, 3rd Edition (148 p)
• Controls and Assurance in the Cloud: Using COBIT 5 (266 p)
• Relating the COSO Internal Control – Integrated Framework and COBIT (22 p)
• Vendor Management Using COBIT 5 (178 p)
• Evaluate, Direct and Monitor Programs 1-5 (25 p / process)
• Generating Value from Big Data Analytics (12 p)

ISACA in brief: Knowledge 2013

• Security as a Service (18 p)
• COBIT 5: Enabling Information (90 p)
• Advanced Persistent Threats: How to Manage the Risk to Your Business (132 p)
• COBIT 5 for Risk (244 p)
• Configuration Management Using COBIT 5 (88 p)
• Privacy and Big Data (12 p)
• Transforming Cybersecurity (190 p)
• COBIT 5 for Assurance (318 p)

ISACA in brief: Knowledge 2013 (continued)

• Responding to Targeted Cyberattacks (88 p)
• Cloud Governance: Questions Boards of Directors Need to Ask (9 p)
• Big Data: Impacts and Benefits (14 p)
• Software Assurance Audit/Assurance Program (35 p)
• Identity Management Audit/Assurance Program (40 p)
• COBIT Assessment Programme Using COBIT 5 (144 p)
• Outsourced IT Environments Audit/Assurance Program (39 p)
• Personally Identifiable Information Audit/Assurance Program (34 p)

COBIT 5: Content illustrations

Content: COBIT 5 Enabling Information

COBIT 5 Deliverables: Enabling Information (90 pages)

• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope
• COBIT 5 Principles applied to Information
  – COBIT 5 Principles
  – Goals Cascade for the Enterprise (Function Goals)
  – Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations Items for 8 Functional areas: Human Resources (22 items), Procurement (20 items), …)
  – Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)
• The COBIT 5 Information Model
  – COBIT 5 Information Model Overview
  – Information Stakeholders: Examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes)
  – Information Goals: Examples for each of the 15 information quality criteria
  – Lifecycle: Examples for Supplier Information, Retention Requirements, IT Change Management Data
  – Good Practices: Examples for the 11 information attributes
  – Additional Examples of COBIT 5 Information Model Use
    • 5 sample use cases: Building IS Specifications, Definition of Information Protection Requirements, etc.
    • Comprehensive Information Item Description: Illustration for Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers)
• Addressing Information Governance and Management Issues Using COBIT
  – Information Governance and Management Issues Reviewed in this Chapter (9 issues)
  – For each Issue: Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue
• Appendix A: Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)
• Appendix B: Example Information Items Supporting Functional Area Goals (8 areas, 179 items)
• Appendix C: Example Information Items Supporting IT-related Goals (1 area, 69 items)

Information: Example of assessment criteria

Intrinsic quality: data values conform to the actual values
• Accuracy: correct and reliable
• Objectivity: unbiased and impartial
• Believability: regarded as true and credible
• Reputation: highly regarded in terms of source and content

Contextual and representational quality: applies to the task of the information user, and is presented in a clear and intelligible manner
• Relevancy: applicable and helpful for the task at hand
• Completeness: not missing, and of sufficient depth for the task at hand
• Currency: sufficiently up to date for the task at hand
• Appropriate amount of information: appropriate for the task at hand
• Concise representation: compactly represented
• Consistent representation: presented in the same format
• Interpretability: in appropriate languages, symbols and units, with clear definitions
• Understandability: easily comprehended
• Ease of manipulation: easy to manipulate and apply to different tasks

Accessibility/security quality: can be accessed and is available
• Availability/timeliness: available when required, easily and quickly retrievable
• Restricted access: access restricted to authorised persons and actions

• Several scopes are possible for information security, which raises the question of overlap.
• Security most often covers, at a minimum, every issue related to "invalid access".
• The integrity/availability/confidentiality and identification/authentication/non-repudiation/authorisation aspects must therefore also be covered at a minimum.

Information: Levels/attributes

• Using these levels makes it possible to determine the protection levels and the protection mechanisms to implement at each level:
  • Where is the information kept?
  • How can it be accessed?
  • How will it be structured and encoded?
  • What kind of information is it? What is the level of the information?
  • What are the retention periods? What other information is required for this information to be useful and usable?

• Physical level: information carrier (medium: paper, electrical signals, sound waves)
• Empirical level: access channel (user interfaces)
• Syntactic level: code/language/format
• Semantic level: meaning of the information
  • Information type: financial/non-financial, internal/external, forecast values/observed values
  • Information currency: information about the past, the present, the future
  • Level of aggregation: sales per year, quarter, month, …
• Pragmatic level: use of the information
  • Retention period: how long the information must be kept before it is destroyed
  • Information status: operational or historical information
  • Novelty: new knowledge or confirmation of existing knowledge (information/confirmation)
  • Contingency: information that must precede this information for it to be considered as information
• Social level: context (contracts, law, culture)

Complete description of an Information item – Risk Profile

A description of all of its dimensions. This can be useful for dealing with questions such as:

• Risk managers
  – What does a risk profile look like?
  – What are the quality criteria for a risk profile, and how can they be met?
  – Who are the main stakeholders?
  – What are their interests?
  – What are the good practices?
  – Which enablers are involved, etc.?
• Auditors
  – How can I review the quality of a risk profile?
  – Which criteria should be analysed?
• Stakeholders
  – What are my responsibilities in the lifecycle of the risk profile?

The professional and business context is described in COBIT 5 for Risk, COBIT 5 for Security and COBIT 5 for Assurance.

Information: Example "Risk Profile"

Information: Example "Risk Profile" – Lifecycle and Stakeholders

Copyright ISACA

Information: Example "Risk Profile" – Goals

Information: Example "Risk Profile" – Good Practices

Information: Example "Risk Profile" – Links to other enablers

Information: Example "Risk Profile" – Risk Scenario Sheet

• 20 risk scenario types
• > 100 detailed risk scenario sheets

Risk Scenario Sheet

Risk Scenario Sheet: "Logical Attacks" (three slides; figures not reproduced)

Information: Examples of concerns to address

Content: Securing Mobile Devices

COBIT 5 Deliverables: Securing Mobile Devices (138 pages)

• Introduction: What is a mobile device? Mobile Device Use – Past, Present, Future
• Mobile Device Impact on Business and Society: Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts
• Threats, Vulnerabilities and Associated Risks: Physical, Organizational, Technical
• Security Governance: Business Case, Standardized Enterprise Solutions, BYOD, Combined Scenario, Private Use of Mobile Devices, Defining the Business Case
• Security Management for Mobile Devices: Categories and Classification, Existing Security Controls, 7 Enablers
• Hardening Mobile Devices: Device and SIM Card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality
• Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices
• Guiding Principles for Mobile Device Security: 8 principles
• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security
• Appendix B. Hardening Mobile Devices
• Appendix C. Sample Audit Steps in Forensics and Investigation

Illustration for mobile security

• Stakes: expected benefits, …
• Types of mobile devices and connections
• Classification by asset category
• Security levels by asset category
• Risk types by risk category
• Nature of risks by target, by information type, by risk factor
• Examples of vulnerabilities/threats/risks
• Example risk response options for each enabler
• IS security principles, associated objectives, mobile security principles
• IS security policies, topics covered, mobile security policies
• Mobile security standards, centralised aspects, clauses covered
• Operating procedures
• Mobile security processes and their link to IS processes
• Attributes of the security organisation, IS security officer, mobile security officer
• Expected behaviour in IS security, expected behaviour in mobile security
• Skills of the mobile security officer, skills of users
• Training: perspective, key topics, content
• Skills of the IS security officer
• Service capabilities, architecture and applications: service types by domain

Example: Mobile Security – Stakes

• "Internet of things"
  – 10 billion devices connected to the internet
  – 20–50 billion networked devices
  – 1.7 billion mobile devices connected to the internet
• Impacts
  – Notion of the office (anywhere, fewer premises)
  – Working hours (anytime)
  – Enterprise perimeter (open system, cloud, partners, rental car, …)
  – Private and professional lives (emails, contacts, calendar, etc.)
  – Efficiency at work / productivity / flexibility
  – Responsibilities
  – Support functions (7/7, 24/24), processes, training, …
  – New risks

Example: Mobile Security – Types of mobile devices and connections

• Traditional cell phone
• Smartphones and pocket PCs
• Auxiliary units: USB keys, wireless speakers or headsets, GPS, …
• Non-telephone wireless devices: tablets, …
• Automobile: connected electronic devices such as a GPS navigation aid, diagnostics, automatic locking/unlocking, …
• "Smart" clothing
• Toys and "robots" (drones, cameras, vacuum cleaners, lawn mowers, …)
• Implants (insulin pumps, …), …

• Connections to: public cloud, other mobile devices, private cloud, enterprise
• GSM, GPRS/EDGE, 3.5G, 4G/LTE, Bluetooth, WLAN/802.x, NFC, …

Example: Mobile Security – Classification by asset category

Category 1
  Devices: data storage (limited), basic telephony and messaging services, proprietary OS (limited), no data processing capability
  Examples: traditional cell phones

Category 2
  Devices: data storage (including external) and data processing capabilities, standardized OS (configurable), extended services
  Examples: smartphones; early pocket PC devices

Category 3
  Devices: data storage, processing and transmission capabilities via alternative channels, broadband Internet connectivity, standardized OS (configurable), PC-like capabilities
  Examples: advanced smartphones; tablet PCs

Example: Mobile Security – Risk levels by asset category

Risk level per category, given as Category 1 / Category 2 / Category 3 / Category 4

Physical
  Theft: Low / Medium / High / High
  Loss: Medium / Medium / Medium / Medium
  Damage/destruction: High / High / High / High

Organizational
  Agglomeration/heavy users: Low / Low / High / High
  Complexity/diversity: Low / Medium / High / High

Technical
  Activity monitoring, data retrieval: Low / High / High / High
  Unauthorized network connectivity: Low / Medium / High / High
  Web view/impersonation: Low / Medium / High / High
  Sensitive data leakage: Low / High / High / High
  Unsafe sensitive data storage: Medium / High / Medium / Medium
  Unsafe sensitive data transmission: Low / High / Medium / High
  Drive-by vulnerabilities: Low / High / High / High
  Usability: Low / Low / High / High

Example: Mobile Security – Risk types by asset category

Physical risks
• Inability to work for an extended period
• Access to information (emails, contacts, appointments, usage history, deleted items, codes, …); data are often unencrypted
• Identity theft

There are, however, ways to limit these risks
• Location and tracking capability
• Remote lock capability
• SIM card blocking capability

Example: Mobile Security – Risk types by asset category

Organizational risks
• Replication of privileged access rights
• Sensitive nature of the data held for executives
• Complexity of use (richness of features, …): errors, data roaming, …
• Short lifecycle (management, training, …)

Example: Mobile Security – Technical risks: "Activity monitoring, data retrieval"

Target / Risk

Messaging
  – Generic attacks on short message service (SMS) text, multimedia messaging service (MMS)-enriched transmission of text and contents
  – Retrieval of online and offline email contents
  – Insertion of service commands by SMS cell broadcast texts
  – Arbitrary code execution via SMS/MMS
  – Redirect or phishing attacks by Hypertext Markup Language (HTML)-enabled SMS text or email

Audio
  – Covert call initiation, call recording
  – Open microphone recording

Pictures/video
  – Retrieval of still pictures and videos, for example, by piggybacking the usual "share" functionality in most mobile apps
  – Covert picture or video taking and sharing, including traceless wiping of such material

Geolocation
  – Monitoring and retrieval of GPS positioning data, including date and time stamps

Static data
  – Contact list, calendar, tasks, notes retrieval

History
  – Monitoring and retrieval of all history files in the device or on SIM card (calls, SMS, browsing, input, stored passwords, etc.)

Storage
  – Generic attacks on device storage (hard disk or solid-state disk [SSD]) and data replicated there

Example: Mobile Security – Technical risks: "Sensitive Data Leakage Risk"

Information type / Risk

Identity
  – International Mobile Equipment Identity (IMEI), manufacturer device ID, customized user information
  – Hardware/firmware and software release statistics, also disclosing known weaknesses or potential zero-day exploits

Credentials
  – User names and passwords, keystrokes
  – Authorization tokens, certificates (Secure Multipurpose Internet Mail Extensions [S/MIME], Pretty Good Privacy [PGP], etc.)

Location
  – GPS coordinates, movement tracking, location/behavioral inference

Files
  – All files stored at OS/file system level

Example: Mobile Security – Technical risks: "Usability Risk"

Risk factor / Risk

• Frequent change of hardware as part of the mobile contract
  In upgrading to "state-of-the-art" devices, users are compelled to familiarize themselves with new and complex features. This creates a significant risk of human error and resulting security issues.

• Users' limited familiarity with their devices
  The number of features and apps may appear overwhelming to the average user. This creates a high risk of inadvertent actions, errors and security breaches.

• Limitations to configurability, opaque OSs
  As OSs become less transparent, configuration and device management is restricted. This reduces the amount of organizational control over mobile OSs.

• Mandatory services prescribed by the OS or contract
  Consumer-based services run in the background, creating potential security issues. Security management may not be able to control these activities where the contractor sees them as essential.

• Proliferation of pay-as-you-go and subscription services
  Users are facing more and more opt-in challenges for activation or extension of applications. This creates contractual and security-related risk.

• Mandatory cloud sign-in as prerequisite to accessing certain services
  Mobile devices may become dysfunctional or restricted if the mandated services are not activated. This creates additional security risk when users naturally opt in to these services.

Example: Mobile Security – Examples of vulnerabilities

Each entry gives the Vulnerability, the Threat and the resulting Risk.

• Vulnerability: Information travels across wireless networks that are often less secure than wired networks.
  Threat: Malicious outsiders can do harm to the enterprise.
  Risk: Information interception resulting in a breach of sensitive data, damage to enterprise reputation, compromised adherence to regulation, legal action

• Vulnerability: Mobility provides the users with the opportunity to leave enterprise boundaries, thereby eliminating many security controls.
  Threat: Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network.
  Risk: Malware propagation, which can result in data leakage, data corruption and unavailability of necessary data; physical theft

• Vulnerability: Bluetooth technology makes it very convenient for many users to have hands-free conversations; however, it is often left on and is then discoverable.
  Threat: Hackers can discover the device and then launch an attack.
  Risk: Device corruption, lost data, call interception, possible exposure of sensitive information

• Vulnerability: Unencrypted information is stored on the device.
  Threat: In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable.
  Risk: Exposure of sensitive data, resulting in damage to the enterprise, customers or employees

• Vulnerability: Lost data may affect employee productivity.
  Threat: Mobile devices may be lost or stolen due to their portability. Data on these devices are not always backed up.
  Risk: Workers dependent on mobile devices unable to work in the event of broken, lost or stolen devices, and data that are not backed up

• Vulnerability: The device has no authentication requirements applied.
  Threat: If the device is lost or stolen, outsiders can access the device and all its data.
  Risk: Data exposure, resulting in damage to the enterprise and liability and regulation issues

• Vulnerability: The enterprise is not managing the device.
  Threat: If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices. While these devices may not connect to the virtual private network (VPN), they may interact with emails or store sensitive documents.
  Risk: Data leakage, malware propagation, unknown data loss in the event of device loss or theft

• Vulnerability: The device allows installation of unverified/unsigned third-party applications.
  Threat: Applications may carry malware that propagates Trojan horses or viruses. The applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network.
  Risk: Malware propagation, data leakage, intrusion to the enterprise network

Example: Security (Mobile Security)

Principles, Policies, Frameworks, …

• Information security principles
  • Support the business (6 sub-principles)
  • Protect the business (4 sub-principles)
  • Promote responsible information security behaviour (2 sub-principles)
• Policies
  • General information security policy
  • Information security policies driven by the information security function
    • Access control
    • Personal information protection
    • Physical and environmental security
    • Incident response
  • Information security policies driven by other functions
    • Business continuity and disaster recovery
    • Asset management
    • Expected behaviour
    • Solution acquisition, development and maintenance
    • Vendor management
    • Operations
    • Compliance
    • Risk management

Principles, Policies and Frameworks: Principles

Principle / Objective / Mobile security

• Focus on the business
  Objective: Ensure that information security is integrated into essential business processes
  Mobile security: Analyze business processes with mobile device dependencies, and prioritize accordingly

• Deliver quality and value to stakeholders
  Objective: Ensure that information security delivers value and meets business requirements
  Mobile security: Perform stakeholder analysis (internal and external) and derive requirements for mobile devices

• Comply with relevant legal and regulatory requirements
  Objective: Ensure that statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided
  Mobile security: Identify laws, regulations and governance rules for mobile device use, and define requirements

• Provide timely and accurate information on information security performance
  Objective: Support business requirements and manage information risk
  Mobile security: Establish mobile device key performance indicators (KPIs) and regular reporting

• Evaluate current and future information threats
  Objective: Analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken
  Mobile security: Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches

• Promote continuous improvement in information security
  Objective: Reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security
  Mobile security: Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching

• Adopt a risk-based approach
  Objective: Ensure that risk is treated in a consistent and effective manner
  Mobile security: Maintain mobile device categorization and keep the risk heat map up to date

Principles, Policies and Frameworks: Principles (continued)

Principle / Objective / Mobile security

• Protect classified information
  Objective: Prevent disclosure of classified (e.g., confidential or sensitive) information to unauthorized individuals
  Mobile security: Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate identity and access management (IAM).

• Concentrate on critical business applications
  Objective: Prioritize scarce information security resources by protecting the business applications on which an information security incident would have the greatest business impact
  Mobile security: Regularly perform a business impact analysis (BIA) on mobile devices as assets, related processes and resulting categories of impact (financial, nonfinancial)

• Develop systems securely
  Objective: Build quality, cost-effective systems on which business people can rely (e.g., that are consistently robust, accurate and reliable)
  Mobile security: Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios

• Act in a professional and ethical manner
  Objective: Ensure that information security-related activities are performed in a reliable, responsible and effective manner
  Mobile security: Apply governance to mobile device policies, standards and key operating procedures

• Foster an information-security-positive culture
  Objective: Provide a positive information security influence on the behavior of end users, reduce the likelihood of information security incidents occurring and limit their potential business impact
  Mobile security: Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection.

Principles, Policies and Frameworks: Policies

Mobile device use guidance | Theme | Information security policies concerned

Analyze business processes with mobile device dependencies, and prioritize accordingly | Mobile device strategy | Information security policy; Business continuity and disaster recovery policy
Perform stakeholder analysis (internal and external) and derive requirements for mobile devices | Mobile device strategy | Information security policy
Identify laws, regulations and governance rules for mobile device use, and define requirements | Governance compliance | Information security policy; Compliance policy
Establish mobile device KPIs and regular reporting | Governance compliance | Information security policy; Compliance policy
Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches | Risk | Risk management policy
Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Maintain mobile device categorization and keep the risk heat map up to date | Risk | Risk management policy
Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate IAM | ISMS asset management | Information security policy; Asset management policy
Regularly perform a BIA on mobile devices as assets, related processes and resulting categories of impact (financial, non-financial) | Mobile device strategy | Information security policy; Business continuity and disaster recovery policy
Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Apply governance (see chapter 3) to mobile device policies, standards and key operating procedures | Governance | Information security policy
Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection | Security culture | Rules of behavior policy

Mobile Devices: Principles, Policies and Frameworks: Standards

Clause | Centralized (enterprise-managed) aspects | BYOD aspects

Acquisition | Process for acquisition by the enterprise, link to procurement or purchasing processes | Provide users with subsidized/preferential arrangements, OR specify approved devices
Onboarding | - | Process for onboarding any device presented by the user, including opt-in clauses
Provisioning | Process for provisioning hardware, OS, standardized apps, optional apps | -
Configuration | Process for developing, testing, deploying and updating configuration, link to general configuration management | Process for partial configuration of the device with the organizational standard (user must have opted in and signed)
Systems and data management | Process for security-related systems and data management, linked to general systems management | Process for partial systems and data management activities (user must have opted in and signed)
Organizational risk | Preapplied security controls for organizational risk (user agglomeration, diversity and complexity) | Preapplied security controls, e.g., security axioms, for any device
Physical risk | Preapplied security controls for loss, theft, damage | Preapplied security controls for loss, theft, damage, etc.
Technical risk | Preapplied security controls for all categories of technical risk | Preapplied security controls for the standardized part of the device; mandatory guidance for user self-protection (minimum requirements)
Exception/incident management | Process for logging, treating and resolving exceptions and incidents, link to business continuity/disaster recovery | Process for identifying incidents, containment, resolution and ex post impact; isolating, quarantining and removing the device
Life span | Process for aging devices in line with life span/innovation, including risk of obsolete devices | Process for aging devices in line with life span/innovation and cost of supporting obsolete devices vs. risk of operating obsolete devices
Decommissioning | Process for decommissioning end-of-business-life devices and secure disposal | -
Removal | - | Process for initiating removal, secure organizational data disposal and app removal; offboarding the device (not the user) and replacement

Principles, Policies and Frameworks: Operating Procedures

• Mobile device audit
• Change management
• Patch management
• Malware protection
• Encryption, VPN, encapsulation
• Damage, loss, theft
• …

Organizational Structures

• Composition: structures are made up of members who are, or represent, internal and external stakeholders. They have a specific role depending on the structure's context
• Scope: boundaries of the organizational structure's decision rights
• Level of authority: decisions the structure is authorized to take
• Operating principles: practical arrangements for how the structure operates (meeting frequency, documentation, rules, …)
• Delegation powers: the structure may delegate its decision rights (or a subset of them) to other structures that report to it
• Escalation procedures: the escalation path describes the actions required when problems arise in reaching decisions

Security example (mobile security)

Organizational Structures

• Chief Information Security Officer (CISO)
• Information Security Steering Committee
• Information Security Manager
• Risk Steering Committee
• Information security lead within the business functions

Security example (mobile security)

Organizational Structures

Aspect | Characteristics (Information Security Manager) | Characteristics (Mobile Security Specialist)

Mandate | Overall responsibility for the management of information security efforts | Operational responsibility for securing mobile devices
Reporting | Reports to the CISO (or, in some enterprises, to the business unit leads) | Reports to the information security manager
Scope | Application information security, infrastructure information security, access management, threat management, risk management, awareness program, metrics, vendor assessments | Mobile device security management and monitoring
Level of authority, decision rights | Overall decision-making authority over information security domain practices | Recommends and implements concepts, controls and processes for mobile device security management and monitoring
Delegation rights | Should not delegate decisions related to information security domain practice | No delegation
Escalation | Issues escalated to the CISO | Issues escalated to the information security manager
Accountability/responsibility | Accountability; responsibility in small and medium-sized enterprises, delegation to experts in larger enterprises | Responsibility

Points of contact: Legal, General Services (facilities), Risk Management, Procurement, Development, IT, Audit, Users

Security example (mobile security)

Skills

• Position (job description, career path, …)
• Education (degrees, …)
• Qualifications (certifications, …)
• Experience
• Knowledge, know-how and interpersonal skills (savoir, savoir-faire, savoir-être)
• Availability / retention (access to external resources)
• Training
• Evaluation

Security example (mobile security)

Skills

• Information security governance
• Information security strategy formulation
• Information risk management
• Information security architecture
• Information security operations
• Information assessment, testing and compliance

People and Skills: Skills

Skill | Manager/Mobile Security Specialist | User

Governance | Extensive skills and experience | Awareness
Strategy formulation | Ability to set mobile device security strategy | Awareness
Risk management | Recognition of mobile device risk and treatment options | Recognition of mobile device risk, avoidance or mitigation behavior
Architecture development | Extensive skills and experience in mobile architectures | Reasonable understanding of mobile architecture and inherent risk
Operations | Extensive skills and experience in operating mobile device architectures, including the back end | Experience with operating mobile devices commensurate with device complexity
Assessment, testing, compliance | Ability to perform/support assessments, extensive testing skills, awareness and in-depth understanding of compliance requirements | Awareness of compliance requirements, basic understanding of assessments, ability to participate in testing

People and Skills: Training

Perspective | Key topics | Content

Basics | Mobile device features | Basics and background for use, OS, popular apps, typical risks, security points to note
Basics for senior management | Mobile device features | Basics (in a very short time), how to set an example for all employees, governance and how to communicate it, making security a top priority, eye-opening demonstrations of how easy it is to attack the device, etc.
Business | Business-related services and apps | Onboarding, access and identity management, apps and services offered by the organization, security ground rules, policy and standards, etc.
Outside the enterprise | Travel-related security | Connectivity, foreign networks, what to do when traveling (and what not to do), typical security risk, local warnings, etc.
Private | Private use and security | Popular services and apps, associated risk and security issues, attacks and defense, golden rules of private use (governance), etc.
Advanced | Using advanced features and related security | Knowing the device, advanced apps and features, self-protection and what to do in security situations, organizational testing and participation, how to become a key user, etc.
Management | Mobile device security manager skills | Basic/intermediate/advanced series of training courses for information security managers or specialists
Management refresher | Mobile device security manager skills | Regular update on trends, emerging technologies and risk, new security management techniques, etc.

People and Skills: CISO Skills

Domain | Generic skills | Mobile-related skills

Governance
Ability to:
Define metrics that apply to information security governance | Define a full set of mobile device security metrics and measurements
Create a performance measurement model | Define mobile device performance indicators for measurement
Develop a business case justifying investments in information security | Develop a business case for mobile devices, including standardized solutions vs. partial or full BYOD
Knowledge of:
Legal and regulatory requirements | Specific legal and regulatory requirements for mobile device use, including telecommunications and IT
Roles and responsibilities required for information security | Mobile device security roles and responsibilities, including end-user responsibilities as defined for the enterprise
Methods to implement information security governance policies | Implementing information security governance for mobile device possession and use
Fundamental concepts of governance | Fundamental concepts of governance
Internationally recognized standards, frameworks and best practices | Internationally recognized standards for mobile devices, mobile OSs, telephony, data transmission, etc.
Technical skills:
Good understanding of information security practices that apply to the specific business | Understanding of business dependencies on mobile devices and resulting security requirements

People and Skills: Skills

Domain | Generic skills | Mobile-related skills

Strategy
Ability to:
Understand the enterprise culture and values | Understand the enterprise culture and values
Define an information security strategy that is aligned with enterprise strategy | Define a mobile device security strategy in line with the information security strategy
Develop information security policies and devise metrics | Develop a mobile device use policy and a mobile device security standard
Knowledge of:
Information security trends, services and disciplines | Mobile device trends, innovative apps, market developments, emerging risk, new paradigms in mobile work, etc.
Technical skills:
Broad understanding of various information security disciplines | Broad understanding of various information security disciplines

Risk management
Knowledge of:
Information asset classification model | Mobile device inventory and asset classification, including hardware, apps, data and information assets
Risk assessment and analysis | Mobile device risk assessment
Business processes and essential functions | Business processes and functions depending on mobile devices and services
Industry standards | Industry standards
Risk-related laws and regulations | -
Risk frameworks and models | -
Technical skills:
Risk associated with information security practices and activities | Risk associated with mobile device use and mobile security
Risk analyses and mitigating controls | Risk analyses and mitigating controls

People and Skills: Skills

Domain | Generic skills | Mobile-related skills

Architecture development
Knowledge of:
Interaction of technologies with business and information security policies | Interaction of mobile devices (technology, services, apps, etc.) with business and general information security
Information security architectures | Mobile architectures
Application design review and threat modeling | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
Methods to design information security practices | Methods to design mobile security practices (organization and end user)
Managing information security programs, policies, procedures and standards | -
Emerging technologies and development methodologies | Emerging mobile technologies and app development tools
Technical skills:
Deep and broad knowledge of IT and emerging trends | Deep and broad knowledge of anything that moves (i.e., anything that could be seen as a mobile device in the broadest sense)
Technical design capabilities | Technical design capabilities
Strong subject matter expertise in computer operations | Reasonable expertise in computer operations, strong expertise in linking mobile devices to back-end/data center operations

People and Skills: Skills

Domain | Generic skills | Mobile-related skills

Operations
Knowledge of:
Log monitoring, log aggregation, log analysis | Log monitoring, log aggregation, log analysis
Technical skills:
In-depth knowledge of OSs, authentication, firewalls, routers, web services, etc. | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)

Assessment, testing, compliance
Knowledge of:
IS audit standards, guidelines and best practices | IS audit standards, guidelines and best practices relevant to mobile devices
Audit planning and project management | -
Local laws and regulations | -
Technical skills:
Audit-related tools, gap analysis, analytics, etc. | Audit and investigation tools for mobile devices

Security example (mobile security)

Ethics, Culture and Behavior

Applies to organizations as well as to individuals

The set of ways of thinking and acting, and of explicit or implicit rules and attitudes, that characterize an entity

• Values
• Behavior
• Risk-taking
• Non-compliance
• Outcomes (positive, negative, …): learning, blaming, …
• Incentives
• Deterrents

Security example (mobile security)

Ethics, Culture and Behavior

Expected behaviors

• 8 expected behaviors
• Leadership: communication, leading by example, rules
• Incentives
• Awareness

Culture, Ethics and Behavior

Reference behavior | Regarding mobile device use

Information security is practiced in daily operations. | Security management and monitoring processes are applied to mobile devices to the agreed extent (standardized/BYOD/combined). End users understand and apply security measures completely and in a timely manner.
People respect the importance of information security principles and policies. | Users are aware of, and ideally actively involved in, defining mobile device security principles and policies. These are updated frequently to reflect day-to-day reality as experienced by the users.
People are provided with sufficient and detailed information security guidance and are encouraged to participate in and challenge the current information security situation. | Mobile device security is a fluid process with regular challenges by users. Security guidance for mobile devices is simple, to the point and relates to typical day-to-day security risk. The security situation is frequently and jointly assessed by users and security managers.
Everyone is accountable for the protection of information within the enterprise. | Security managers and users share accountability for mobile device security. This includes business use and private use (in BYOD scenarios). Users have a clear understanding of their accountability and act responsibly when using mobile devices.
Stakeholders are aware of how to identify and respond to threats to the enterprise. | All mobile device users are stakeholders, regardless of their hierarchical position within the enterprise. There is full awareness of the risk, threats and vulnerabilities associated with mobile device use. Response to threats and incidents is well understood, exercised frequently and auditable.
Management proactively supports and anticipates new information security innovations and communicates this to the enterprise. The enterprise is receptive to accounting for and dealing with new information security challenges. | Security management and end users cooperatively identify, test and adopt innovation in mobile device technology and use. Management and end users foster innovation by identifying and presenting new business cases for technology, mobile services and other types of added value. The enterprise aims at staying ahead of the curve in mobile device use.
Business management engages in continuous cross-functional collaboration to allow for efficient and effective information security programs. | Mobile device use (and technology) programs are in place and form part of the IT innovation strategy. Security innovations are actively adopted and incorporated as key projects. Business functions cooperate with information security to maximize the return on information security for mobile services and devices.
Executive management recognizes the business value of information security. | Executive managers act as end users and recognize the value they derive from their use of mobile devices and associated services. They participate in training and awareness activities.

Security example (mobile security)

Services: Applications, Infrastructure, …

• Service capabilities
• Supporting technology
• Expected benefits
• Goals and performance indicators
• Architecture
• Reuse
• Acquisition / development
• Simplicity
• Agility
• Openness

Services: Infrastructure, Applications, …: Information Security Illustrations

• Security architecture
• Security awareness
• Secure development
• Security assessment
• Systems adequately configured and secured, in line with security requirements and with the security architecture
• User access and access rights in line with business needs
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events

Security example (mobile security)

Services: Infrastructure and Applications, …

• Security architecture
• Security awareness
• Secure development
• Security assessments
• Adequately secured and configured systems
• User access and access rights in line with business requirements
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events

• Device Management
• Device Structure
• Device OSs
• Applications
• Connectivity

Services: Infrastructure and Applications, …

Device Management

• Overarching device management system
• Identity and access management (IAM)
• Malware protection (including attacks and intrusions)
• Security testing and monitoring
• Incident response

Services: Infrastructure and Applications, …

Device Structure

• Enhanced SIM card functionality
• Hardware add-ons for security purposes
• Use of built-in processors for specific security tasks
• Firmware modifications (own security builds)

Services: Infrastructure and Applications, …

Device OSs

• Kernel modifications (usually done through firmware updates)
• OS "tweaking" tools, registry and configuration editors
• Modifications to factory reset
• Modifications to the first responder interface
• Device/SIM interaction changes
• Remote control interfaces (usually provided by the vendor)
• Secure coding tools and resources

Services: Infrastructure and Applications, …

Applications

• Antivirus
• Application patching
• Control risk assessments
• Penetration testing

Services: Infrastructure and Applications, …

Connectivity

• Secure coding resources and tools specifically for protecting existing connections
• Technical tools such as fuzzers, sniffers, protocol analyzers
• Remote configuration and control solutions
• Cloud access management

Services: Infrastructure, Applications, …

Security example (mobile security)

Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity

Architecture/plan services | Configuration management database (CMDB), asset management systems | - | Reporting agents, policy management solutions, vulnerability scanners | - | Cloud access management
Awareness | Training courses, news feeds | Knowledge bases, vendor and industry advisories | Knowledge bases, vendor and industry advisories, computer emergency response team (CERT) advisories | Training tools, collaboration tools | Email, social media, news feeds
Development | - | Compilers, linkers, secure coding resources | Secure coding resources, code scanners, static and binary analysis tools | Secure coding resources | Secure coding resources
Assessments | Threat and vulnerability risk assessment (TVRA) | Log analyzers, flash readers | Log analyzers, other tools | Reporting tools | Fuzzers, sniffers, protocol analyzers, network analyzers, honeypots
Secured and configured systems | - | Firmware, vendor tools | Kernel and related, security model, first responder interface, system and patch management, OS tools | CMDB tools and agents | Remote configuration and control solutions

Services: Infrastructure, Applications, …

Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity

Access rights | - | Biometrics, dongles, smart cards (SIM), embedded device IDs, embedded processors, location services | Public key infrastructure (PKI) and encryption, configuration management tools, software distribution tools, provisioning | Encryption and related apps, provisioning and IAM tools | Cloud access management
Malware and attack protection | Central anti-malware solutions | Vendor advisories, other advisories, device management | CMDB, patch management, knowledge bases, software distribution, firewalls, IDS | PKI, antivirus, anti-malware, packet analyzers, IDS agents, honeypots, tarpits, browser protection, sandboxing | Remote configuration and control solutions, virtualization and cloud apps
Incident response | TVRA, business continuity management (BCM) and IT service continuity management (ITSCM), vendor advisories, industry advisories | Vendor advisories, industry advisories | Memory inspection tools, network analyzers, log analyzers, reverse engineering, malware analysis, security information and event management (SIEM) | App and data inspection tools, backup and restore, vendor recovery tool sets, vendor forensics tools | Cloud recovery tools
Monitoring and alerting | Central log management, alerting systems, management dashboards, network operations centers | Vendor tools | System logs, monitoring agents, reporting agents | Monitoring tools | Traffic monitoring, network analyzers, cloud logging

IT example (security) (mobile security)

IT Processes

• 129 IT process goals
• 207 IT practices
• 1108 IT activities
• 266 IT performance indicators
• 26 IT roles plus business roles involved in IT

Business and IT

• 17 business goals
• 17 IT-related goals
• 59 IT performance indicators

Security Processes

• 79 security process goals
• 188 security practices
• 378 security activities
• 154 security performance indicators

Security example (mobile security): for the IT process "Manage Operations"

IT example (security) (mobile security): for the IT process "Manage Operations"

Security example (mobile security): security processes that supplement the IT processes, for the IT process "Manage Operations"

Processes

IT process | Mobile device security management process

EDM01 Ensure governance framework setting and maintenance | Reflect governance in the mobile device use policy, maintain the policy in line with the general process
EDM02 Ensure benefits delivery | Mobile device value optimization process
EDM03 Ensure risk optimisation | Mobile device security risk management process
APO03 Manage enterprise architecture | Subsidiary process for mobile devices that substantiates security solutions as part of the overall architecture
APO04 Manage innovation | Subsidiary mobile device (security) innovation process
APO05 Manage portfolio | Subsidiary process for mobile devices to identify and obtain funds for security management
APO06 Manage budget and costs | Subsidiary mobile device security budgeting process
APO09 Manage service agreements | Subsidiary process for mobile device service level agreements (SLAs) and operating level agreements (OLAs)
BAI06 Manage changes | Subsidiary processes for mobile device change management and emergency changes
DSS04 Manage continuity | Subsidiary process for mobile device service continuity management; autonomous process (subsidiary to business continuity/disaster recovery) for mobile device business recovery
DSS03 Manage problems | Subsidiary processes for mobile device security problems and known errors
MEA03 Monitor, evaluate and assess compliance with external requirements | Subsidiary process for identifying and interpreting external compliance requirements for mobile devices

Security example (mobile security)

Information

• Goals and performance indicators
• Life cycle
• Good practices
• Responsibilities
• Constraints
• Content

Security example (mobile security)

Information

• Strategy
• Budget
• Plan
• Policies
• Requirements
• Awareness
• Review reports
• Dashboard

Information

Type d’information

• Replicated emails, contacts, calendars and notes

• Music, movies and other content that users have acquired

• Mobile banking and micropayments

• Airline ticketing and electronic boarding card (similar for railways)

• Vendor app stores and related transactions

• Social networking and cloud services

• Geolocation data

• Device coupling with other devices (vehicles, buildings, public networks, etc.) and semi-permanent "partnership" data

• Voice, video and data connection information (semi-permanent)

• Original data created by the mobile device (pictures, videos, waypoints, etc.)

• Chat and file transfer information, for example, notes taken from popular Internet telephony software

• Information stored by telecommunications providers as mandated by law, for example, connection date and time stamps

Example: Mobile Security


COBIT 5 Online


COBIT 5 Online is a multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version is to provide easy access to online versions of COBIT 5 publications. While retaining all of the stylistic conventions of print editions, the online editions greatly simplify the process of navigating, searching and exporting the principles, practices, analytical tools and models that make COBIT 5 an essential resource for the governance and management of enterprise IT. The new online service will include features such as :

• Access to publications in the COBIT 5 product family

• Access to other, non-COBIT, ISACA content and current, relevant GEIT material

• Ability to customize COBIT to fit the needs of your enterprise with access for multiple users

• Access to tools : Goals planner, RACI Planner, Self Assessment, …


COBIT 5 Appendix : Other Publications


COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT (94 pages)

• Executive Summary

• Overview of COBIT 5

• Principle 1 : Meeting Stakeholders Needs

• Principle 2 : Covering the Enterprise from End-to-end

• Principle 3 : Applying a Single Integrated Framework

• Principle 4 : Enabling a Holistic Approach

• Principle 5 : Separating Governance from Management

• Implementation Guidance

• The COBIT 5 Process Capability Model

• Appendices


COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT

• Appendix A : References

• Appendix B : Detailed Mapping 17 Enterprise Goals – 17 IT-related Goals

• Appendix C : Detailed Mapping 17 IT-related Goals – 32 IT-related Processes

• Appendix D : 22 Stakeholder Needs and 17 Enterprise Goals

• Appendix E : Mapping of COBIT 5 with most relevant related standards and frameworks (ISO/IEC 38500, ITIL V3 2011 - ISO/IEC 20000, ISO/IEC 27000 Series, ISO/IEC 3100 Series, TOGAF, CMMI, PRINCE2)

• Appendix F : Comparison between COBIT 5 Information Reference Model and the COBIT 4.1 information criteria

• Appendix G : Detailed description of COBIT 5 Enablers

• Appendix H : Glossary

• Appendix G : Detailed description of COBIT 5 Enablers
  – Introduction
  – COBIT 5 Enabler : Principles, Policies and Frameworks
  – COBIT 5 Enabler : Processes
  – COBIT 5 Enabler : Organisational Structures
  – COBIT 5 Enabler : Culture, Ethics and Behaviour
  – COBIT 5 Enabler : Information
  – COBIT 5 Enabler : Services, Infrastructures and Applications
  – COBIT 5 Enabler : People, Skills and Competencies


COBIT 5 Deliverables : Enabling Processes (230 pages)

• Introduction

• The Goals Cascade and Metrics for Enterprise Goals and IT-related Goals
  – COBIT 5 Goals Cascade : Stakeholders Drivers, Stakeholders Needs, Enterprise Goals, IT Goals, Enabler Goals
  – Using the COBIT 5 Goals Cascade
  – Metrics : Enterprise, IT

• The COBIT 5 Process Model
  – Enabler Performance Management

• The COBIT 5 Process Reference Model
  – Governance and Management Processes (5 governance processes and 32 management processes)
  – Reference Model

• COBIT 5 Process Reference Guide Contents
  – Generic Guidance for Processes :
    • EDM : Evaluate, Direct and Monitor
    • APO : Align, Plan and Organize
    • BAI : Build, Acquire and Implement
    • DSS : Deliver, Service and Support
    • MEA : Monitor, Evaluate and Assess

• Appendix A : Mapping between COBIT 5 and legacy ISACA Frameworks (COBIT 4.1, Val IT 2.0, Risk IT Management Practices)

• Appendix B : Detailed Mapping 17 Enterprise Goals and 17 IT-related Goals

• Appendix C : Detailed Mapping 17 IT-related Goals and 37 IT-related Processes

• 129 IT Process Goals

• 266 IT Process Goal Metrics

• 207 IT Practices

• 26 business and IT roles in IT Practices

• 1108 IT Activities

17 Enterprise Goals, 17 IT-related Goals, 59 IT-related Goals metrics


COBIT 5 Deliverables : Enabling Processes

• Process identification : Label, Name, Area, Domain

• Process description

• Process purpose statement

• IT goals and metrics supported

• 17 IT Goals, 59 IT-related Goals Metrics

• Process goals and metrics
  – Governance : 15 IT Process Goals and 37 IT Process Goal metrics
  – Management : 114 IT Process Goals and 229 IT Process Goal metrics

• RACI chart
  – 26 Business and IT Roles concerned with the 207 IT Practices

• Detailed description of the process practices
  – Description, inputs and outputs with origin/destination, activities
  – Governance : 12 IT Governance Practices and 79 IT Governance Activities
  – Management : 195 IT Management Practices and 1029 IT Management Activities

• Related guidance


COBIT 5 Deliverables : Information Security (220 pages)

• Executive Summary: Introduction, Drivers, Benefits, Target Audience, Conventions

• Information Security
  – Information Security Defined
  – COBIT 5 Principles

• Using COBIT 5 Enablers for Implementing Information Security in Practice
  – Introduction
  – Enabler : Principles, Policies and Frameworks
  – Enabler : Processes
  – Enabler : Organizational Structures
  – Enabler : Culture, Ethics and Behaviour
  – Enabler : Information
  – Enabler : Services, Infrastructure and Applications
  – Enabler : People, Skills and Competencies

• Adapting COBIT 5 for Information Security to the Enterprise Environment
  – Introduction
  – Implementing Information Security Initiatives
  – Using COBIT 5 to connect to other frameworks, models, good practices and standards

• Appendix A to G : Detailed Guidance for each of the 7 categories of enablers

• Appendix H : Detailed Mappings

• Acronyms, Glossary

COBIT 5 Deliverables : Information Security

• Appendix A Detailed Guidance : Principles, Policies and Frameworks
  – 3 high level security principles with 12 elements : Objective and description
  – 13 types of policies : scope, validity, goals (5 driven by security function, 8 driven by other functions)

• Appendix B Detailed Guidance Processes (see next page)

• Appendix C Detailed Guidance : Organizational Structures
  – 5 types of security-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs

• Appendix D Detailed Guidance : Culture, Ethics and Behaviour
  – 8 types of security-related expected behaviours

• Appendix E Detailed Guidance : Information
  – 34 types of security-related information stakeholders
  – 10 types of security-related information : goals, life cycle, good practice

• Appendix F Detailed Guidance : Services, Infrastructure and Applications
  – 10 types of security services : 27 security-related service capabilities (supporting technology, benefit, quality goal, metric)

• Appendix G Detailed Guidance : People, Skills and Competencies
  – 7 types of security set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioural skills, related role structure

• Appendix H Detailed Mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)

COBIT 5 Deliverables : Information Security Processes Enabler

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Security-specific Process Goals and Metrics

  – Governance : 8 Security Process Goals and 17 Security Process Goals related Metrics
  – Management : 71 Security Process Goals and 137 Security Process Goals related Metrics

• Security-specific Process Practices, Inputs/Outputs and Activities

  – Description of governance/management practice, security-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, security-specific activities in addition to COBIT 5 activities
  – Governance : 12 Security Governance Practices and 31 Security Governance Activities
  – Management : 176 Security Management Practices and 347 Security Management Activities

• Related Guidance


COBIT 5 Deliverables : Risk (244 pages)

• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience, Overview and Guidance on use of Publication, Prerequisite Knowledge

• Risk and Risk Management
  – The Governance Objective : Value Creation
  – Risk : Risk Categories, Risk Duality, Interrelationship between Inherent, Current and Residual Risk
  – Scope of Publication (Two Perspectives on Risk : Risk Function and Risk Management Perspectives)
  – Applying the COBIT 5 Principles to Managing Risks

• The Risk Function Perspective
  – Introduction to Enablers
  – The 7 Enablers

• The Risk Management Perspective and using COBIT 5 Enablers
  – Core Risk Processes
  – Risk Scenarios
  – Generic Risk Scenarios
  – Risk Aggregation
  – Risk Response

• How this Publication Aligns with Other Standards
  – ISO 31000, ISO/IEC 27005:2011, COSO ERM

• Appendix A : Glossary

• Appendix B : Detailed Risk Governance and Management Enablers

• Appendix C : Core Risk Management Processes

• Appendix D : Using COBIT 5 Enablers to Mitigate IT Risk Scenarios (20 scenarios)

• Appendix E : Comparison of Risk IT with COBIT 5

• Appendix F : Comprehensive Risk Scenario Template

COBIT 5 Deliverables : Risk

• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
  – 7 high level risk principles : Principle and Explanation
  – 18 types of risk policies : Scope, Validity, Management Commitment and Accountability, Risk Governance, Risk Management Framework

• Appendix B. Detailed Guidance Processes (see next page)
  – 12 key risk function supporting processes
  – 2 key risk management supporting processes

• Appendix C. Detailed Guidance : Organizational Structures
  – 5 key risk-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
  – 17 other relevant structures for Risk : Description, Role in risk process

• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
  – 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior

• Appendix E. Detailed Guidance : Information
  – 13 types of risk related information items : stakeholders, stakes, goals, life cycle, good practices, links to other enablers

• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
  – 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)
  – 3 types of risk infrastructure (description), 5 types of risk applications (description)

• Appendix G. Detailed Guidance : People, Skills and Competencies
  – 11 types of risk set of skills and competencies (description) and 2 risk roles (description, experience, education, qualifications, knowledge, technical skills, behavioral skills, related role structure)


COBIT 5 Deliverables : Risk

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Risk-specific Process Goals and Metrics
  – Risk Function
    • Governance : 5 Risk Process Goals and 12 Risk Process Goals related Metrics
    • Management : 14 Risk Process Goals and 24 Risk Process Goals related Metrics

• Risk-specific Process Practices, Inputs/Outputs and Activities

  – Description of governance/management practice, risk-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, risk-specific activities in addition to COBIT 5 activities
  – Risk Function
    • Governance : 9 Risk Governance Practices and 28 Risk Governance Activities
    • Management : 50 Risk Management Practices and 80 Risk Management Activities
  – Risk Management
    • Governance : 2 Risk Governance Practices and 12 Risk Governance Activities (69 actions)
    • Management : 6 Risk Management Practices and 26 Risk Management Activities (103 actions)


COBIT 5 Deliverables : Assurance (318 pages)

• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target Audience, Document Overview and Guidance on its use, Prerequisite Knowledge

• Assurance
  – Assurance defined : 3 party relationship, subject matter, suitable criteria, execution, conclusion
  – Scope of Publication : Two Perspectives, Assurance Function and Assurance
  – Principles of providing Assurance (Engagement types)

• Assurance Function Perspective : Using COBIT 5 Enablers for Governing and Managing an Assurance Function
  – Introduction to Enablers
  – The 7 Enablers

• Assessment Perspective : Providing Assurance Over a Subject Matter
  – Core Assurance Processes
  – Introduction and Overview of the Assessment Approach
  – Determine the scope of the Assurance Initiative (Phase A)
    • 3 aspects to be taken into account (stakeholders, goals, 7 enablers), 14 steps, an example
  – Understand the Enablers, Set Suitable Assessment Criteria and Perform the Assessment (Phase B)
    • Achievement of goals (2 steps), 7 enablers (37 steps)
  – Generic Approach for Communicating on an Assurance Initiative (Phase C)
    • 2 aspects (document and communicate) and 5 steps

• How this publication relates to other Standards
  – ITAF, 2nd Edition, International Professional Practices Framework (IPPF) for Internal Auditing Standards 2013, Statement on Standards for Attestation Engagements N° 16 (SSAE 16)

• Appendix A : Glossary

• Appendix B : Detailed Enablers For Assurance Governance and Management

• Appendix C : Core Assurance Processes

• Appendix D : Example Audit / Assurance Programmes (3 examples : Change Management, Risk Management, BYOD)


COBIT 5 Deliverables : Assurance

• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
  – 4 areas : Covered by ITAF, 2nd Edition (18 sections of ITAF)

• Appendix B. Detailed Guidance Processes (see next page)
  – 11 key processes supporting assurance provisioning
  – 3 key core assurance processes

• Appendix C. Detailed Guidance : Organizational Structures
  – 4 key assurance-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
  – 12 other relevant structures for Assurance : Description, Stake in Assurance provisioning

• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
  – 5 types of enterprise wide behavior, 8 types of assurance professional behavior, 10 types of management behavior : Behavior, Key Objective/Suitable criteria/outcome, Communication/Enforcement actions, Incentives and rewards actions, Raising awareness actions

• Appendix E. Detailed Guidance : Information
  – 18 types of information items supporting assurance : stakeholders, stakes, goals, life cycle, good practices, links to other enablers
  – 5 types of additional information items input : description

• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
  – 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
  – 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)

• Appendix G. Detailed Guidance : People, Skills and Competencies
  – 16 types of assurance set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioral skills

COBIT 5 Deliverables : Assurance

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Assurance-specific Process Goals and Metrics
  – Processes Supporting Assurance Provisioning
    • Governance : 8 Assurance Process Goals and 11 Assurance Process Goals related Metrics
    • Management : 11 Assurance Process Goals and 19 Assurance Process Goals related Metrics
  – Core Assurance Processes
    • Management : 11 Assurance Process Goals and 17 Assurance Process Goals related Metrics

• Assurance-specific Process Practices, Inputs/Outputs and Activities

  – Description of governance/management practice, assurance-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, assurance-specific activities in addition to COBIT 5 activities
  – Processes Supporting Assurance Provisioning
    • Governance : 9 Assurance Governance Practices and 28 Assurance Governance Activities
    • Management : 50 Assurance Management Practices and 80 Assurance Management Activities
  – Core Assurance Processes
    • Management : 17 Core Assurance Practices and 88 Core Assurance Activities (124 actions)


COBIT 5 Deliverables : Implementation (78 pages)

• Introduction

• Positioning GEIT

• Taking the first steps towards GEIT

• Identifying implementation challenges and success factors

• Enabling change

• Implementation life cycle tasks, roles and responsibilities

• Using the COBIT 5 components

• Appendix A : Mapping Pain Points to COBIT 5 Processes

• Appendix B : Example Decision Matrix

• Appendix C : Mapping Example Risk Scenarios to COBIT 5 Processes

• Appendix D : Example Business Case

• Appendix E : COBIT 4.1 Maturity Attribute Table
