"How to place governance at the heart of digital transformation?" (2/2)
AFAI Thursdays (Les jeudis de l'AFAI)
Patrick Stachtchenko, 2 April 2015
Patrick Stachtchenko, Jeudis de l'AFAI, 2 April 2015
Patrick Stachtchenko: contact details
• Mobile : +33 6 86 68 35 76
• Email : [email protected]
How can COBIT 5 respond to this new context? An illustration
COBIT 5: overview – COBIT 5 Framework
• A Business Framework for the Governance and Management of Enterprise IT (94 p)
• COBIT 5 Principles: Where did they come from? (12 p)
– COBIT 5 Enabler Guides
  • Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …
– COBIT 5 Professional Guides
  • Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), Cloud Governance: Questions Boards of Directors Need to Ask? (9 p), …
– Practices and Guidance using COBIT 5
  • Configuration Management (88 p), Vendor Management (178 p), …
  • COBIT Assessment Program: Model (144 p), Self Assessment (24 p), User Guide
– White Papers / Vision Series / Studies / Surveys
  • Social Media: Business Benefits and Security, Governance and Assurance Perspectives (10 p)
  • Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives (10 p)
  • Big Data Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), …
– Professional Standards and Guidance
  • ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p)
– Audit/Assurance Programs
  • EDM/APO/DSS/BAI (25 p / process), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), …
– Knowledge Center (over 100 topics; for each topic: discussions, documents and publications, events, journal articles, external links, wikis, blog posts), Elibrary (> 500 publications), Academia, …
  • Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400, …
– COBIT Focus (4 x year): COBIT case studies, articles, updates, …
– COBIT 5 Online: multiphase project; capabilities for accessing, understanding and applying COBIT 5
COBIT 5: specific view (Information Security)
– COBIT 5 Professional Guides
  • Information Security (220 p)
– Practices and Guidance using COBIT 5
  • Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p), …
– White Papers / Vision Series / Studies / Surveys
  • Cybersecurity: What the Board of Directors Needs to Ask? (20 p)
  • Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18 p)
  • Business Continuity Management, Emerging Trends (15 p)
  • Web Application Security, Business and Risk Considerations (16 p)
  • Security Considerations for Cloud Computing (80 p)
  • Advanced Persistent Threat (APT) Awareness Study Results (20 p), …
– Audit / Assurance programs
  • VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …
– Knowledge Center, Elibrary, …
  • Security Tools, Physical Security, Network Security, …
– COBIT 5 Online
  • Security-specific view
COBIT 5: Global Governance Study (ISACA 2014)
• White papers – issues that have just begun to, or will soon, impact enterprise operations
• Research projects
• Knowledge Center – over 100 topics
  – Discussions, documents and publications, events and online learning, journal articles, user-contributed external links, wikis, blog posts
• Academia – model curricula
  – Teaching material (for Academia advocates)
• Elibrary – all ISACA publications
  – 525 external books
• Career Center
ISACA in brief: Knowledge 2015
• DevOps Overview (16 p)
• Internet of Things: Risk and Value Considerations (13 p)
• IS Auditing Tools and Techniques: IS Audit Reporting (46 p)
• Getting Started With Governance (8 p)
• Overview of Digital Forensics (14 p)
• DevOps Series
• Industrial Control Systems (ICS) (2nd Q)
• Internal Controls (1st Q)
• Operational Risk Management/Basel Using COBIT 5 (?)
• PCI DSS (Payment Card Industry Data Security Standard) (1st Q)
• Security, Audit and Control Features SAP ERP, 4th Edition (1st Q)
• Plus the work of committees and task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)
All of this knowledge is developed in accordance with the COBIT 5 principles.
ISACA in brief: Knowledge 2014
• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)
• A Global Look at IT Audit Best Practices (45 p)
• IT Control Objectives for Sarbanes-Oxley using COBIT 5, 3rd Edition (142 p)
• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)
• Risk Scenarios Using COBIT 5 for Risk (294 p)
• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)
• European Cybersecurity Implementation Series
  – Overview (26 pages)
  – Assurance (24 pages)
  – Resilience (25 pages)
  – Risk Guidance (24 pages)
  – Audit/Assurance Program (47 pages)
ISACA in brief: Knowledge 2014
• Cybersecurity: What the Board of Directors Needs to Ask? (20 p)
• Implementing the NIST Cybersecurity Framework (108 p)
• COBIT 5 Principles: Where did they come from? (12 p)
• Advanced Persistent Threat Awareness Study Results (20 p)
• ITAF 3rd Edition (148 p)
• Controls and Assurance in the Cloud: Using COBIT 5 (266 p)
• Relating the COSO Internal Control Integrated Framework and COBIT (22 p)
• Vendor Management Using COBIT 5 (178 p)
• Evaluate, Direct and Monitor Programs 1-5 (25 p / process)
• Generating Value from Big Data Analytics (12 p)
ISACA in brief: Knowledge 2013
• Security as a Service (18 p)
• COBIT 5 : Enabling Information (90 p)
• Advanced Persistent Threats : How to manage the Risk to Your Business? (132 p)
• COBIT 5 for Risk (244 p)
• Configuration Management Using COBIT 5 (88 p)
• Privacy and Big Data (12 p)
• Transforming Cybersecurity (190 p)
• COBIT 5 for Assurance (318 p)
ISACA in brief: Knowledge 2013
• Responding to Targeted Cyberattacks (88 p)
• Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)
• Big Data : Impacts and Benefits (14 p)
• Software Assurance Audit/Assurance Program (35 p)
• Identity Management Audit/Assurance Program (40 p)
• COBIT Assessment Programme Using COBIT 5 (144 p)
• Outsourced IT Environments Audit/Assurance Program (39 p)
• Personally Identifiable Information Audit/Assurance Program (34 p)
COBIT 5 Deliverables: Enabling Information (90 pages)
• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope
• COBIT 5 Principles applied to Information
  – COBIT 5 Principles
  – Goals Cascade for the Enterprise (Function Goals)
    • Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations Items for 8 Functional areas: Human Resources (22 items), Procurement (20 items), …)
    • Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)
• The COBIT 5 Information Model
  – COBIT 5 Information Model Overview
    • Information Stakeholders: Examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes)
    • Information Goals: Examples for each of the 15 information quality criteria
    • Lifecycle: Examples for Supplier Information, Retention Requirements, IT Change Management Data
    • Good Practices: Examples for the 11 information attributes
  – Additional Examples of COBIT 5 Information Model Use
    • 5 sample use cases: Building IS Specifications, Definition of Information Protection Requirements, etc.
    • Comprehensive Information Item Description: Illustration for Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers)
• Addressing Information Governance and Management Issues Using COBIT
  – Information Governance and Management Issues Reviewed in this Chapter (9 issues)
  – For each Issue: Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue
• Appendix A: Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)
• Appendix B: Example Information Items Supporting Functional Area Goals (8 areas, 179 items)
• Appendix C: Example Information Items Supporting IT-related Goals (1 area, 69 items)
Information: example appraisal criteria
Intrinsic quality: data values conform to the real values
• Accuracy: correct and reliable
• Objectivity: unbiased and impartial
• Believability: regarded as true and credible
• Reputation: highly regarded in terms of source and content
Contextual and representational quality: applies to the task of the information user and is presented in a clear and intelligible way
• Relevance: applicable and helpful for the task at hand
• Completeness: not missing and of sufficient depth for the task at hand
• Currency: sufficiently up to date for the task at hand
• Appropriate amount of information: appropriate for the task at hand
• Concise representation: represented compactly
• Consistent representation: presented in the same format
• Interpretability: in appropriate languages, symbols and units, with clear definitions
• Understandability: easily comprehended
• Ease of manipulation: easy to manipulate and apply to different tasks
Access/security quality: can be accessed and is available
• Availability/timeliness: available when required, easily and quickly retrievable
• Restricted access: access restricted to authorized persons and actions
• Several perimeters are possible for information security, which raises overlap issues.
• Security most often covers, at a minimum, every issue related to "invalid access".
• Therefore integrity/availability/confidentiality and identification/authentication/non-repudiation/authorization must be covered at a minimum.
Information: levels/attributes
• Using these levels makes it possible to determine the protection levels, and the protection mechanisms to implement, at each level:
  • Where is the information kept?
  • How can it be accessed?
  • How will it be structured and encoded?
  • What kind of information is it? What is its information level?
  • What are the retention periods? What other information is required for this information to be useful and usable?
• Physical level: information carrier (medium: paper, electrical signals, sound waves)
• Empirical level: access channel (user interfaces)
• Syntactic level: code/language/format
• Semantic level: meaning of the information
  • Type of information: financial/non-financial, internal/external, forecast values/observed values
  • Currency of the information: information about the past, the present, the future
  • Level of aggregation: sales per year, quarter, month, …
• Pragmatic level: use of the information
  • Retention period: how long the information must be kept before being destroyed
  • Information status: the information is operational or historical
  • Novelty: new knowledge or confirmation of existing knowledge (information/confirmation)
  • Contingency: information that must precede this information for it to be considered information
• Social level: context (contracts, law, culture)
Complete description of an information item – Risk Profile
A description of all of its dimensions. This can be useful for addressing questions such as:
• Risk managers
  – What does a risk profile look like?
  – What are the quality criteria for a risk profile and how can they be met?
  – Who are the main stakeholders?
  – What are their stakes?
  – What are the good practices?
  – Which enablers are involved, etc.?
• Auditors
  – How can I review the quality of a risk profile?
  – Which criteria should be analyzed?
• Stakeholders
  – What are my responsibilities in the life cycle of the risk profile?
The professional and business context is described in COBIT 5 for Risk, COBIT 5 for Security and COBIT 5 for Assurance.
Information: example "Risk Profile"
Information: example "Risk Profile", life cycle and stakeholders
Copyright ISACA
Information: example "Risk Profile", goals
Information: example "Risk Profile", good practices
Information: example "Risk Profile", links to the other enablers
Information: example "Risk Profile", risk scenario sheet
• 20 types of risk scenario
• >100 detailed risk scenario sheets
Risk scenario sheet
ECP: information systems security
Risk scenario sheet: "Logical Attacks"
Information: examples of concerns to address
COBIT 5 Deliverables: Securing Mobile Devices (138 pages)
• Introduction: What is a mobile device? Mobile Device Use – Past, Present, Future
• Mobile Device Impact on Business and Society: Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts
• Threats, Vulnerabilities and Associated Risks: Physical, Organizational, Technical
• Security Governance: Business Case, Standardized Enterprise Solutions, BYOD, Combined Scenario, Private Use of Mobile Devices, Defining the Business Case
• Security Management for Mobile Devices: Categories and Classification, Existing Security Controls, 7 Enablers
• Hardening Mobile Devices: Device and SIM card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality
• Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices
• Guiding Principles for Mobile Device Security: 8 principles
• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security
• Appendix B. Hardening Mobile Devices
• Appendix C. Sample Audit Steps in Forensics and Investigation
Illustration for mobile security
• Stakes: expected benefits, …
• Types of mobile devices and connections
• Classification by asset category
• Security levels by asset category
• Types of risk by risk category
• Nature of risks by target, by information type, by risk factor
• Examples of vulnerabilities/threats/risks
• Example risk response options for each enabler
• IS security principles, associated objectives, mobile security principles
• IS security policies, themes covered, mobile security policies
• Mobile security standards, centralized aspects, clauses covered
• Operating procedures
• Mobile security processes and their link to IS processes
• Attributes of the security organization, IS security officer, mobile security officer
• Expected IS security behaviour, expected mobile security behaviour
• Skills of the mobile security officer, skills of users
• Training: perspective, key themes, content
• Skills of the IS security officer
• Service, architecture and application capabilities: types of services by domain
Stakes
• "Internet of things"
  – 10 billion devices connected to the internet
  – 20 to 50 billion networked devices
  – 1.7 billion mobile devices connected to the internet
• Impacts
  – Notion of the office (anywhere, fewer premises)
  – Working hours (anytime)
  – Enterprise perimeter (open system, cloud, partners, rental car, …)
  – Private and professional lives (emails, contacts, calendar, etc.)
  – Efficiency at work / productivity / flexibility
  – Responsibilities
  – Support functions (7/7, 24/24), processes, training, …
  – New risks
Mobile security example
Types of mobile devices and connections
• Traditional cell phone
• Smartphones and pocket PCs
• Auxiliary units: USB keys, wireless speakers or headphones, GPS, …
• Non-telephone wireless devices: tablets, …
• Automobile: connected electronic devices such as a GPS navigation aid, diagnostics, automatic locking/unlocking, …
• "Smart" clothing
• Toys and "robots" (drones, cameras, vacuum cleaners, lawn mowers, …)
• Implants (insulin pumps, …), …
• Connection endpoints: Public Cloud, other mobile devices, Private Cloud, Enterprise
• Connection types: GSM, GPRS/Edge, 3.5G, 4G/LTE, Bluetooth, WLAN/802.x, NFC, …
Classification by asset category
Category 1
  Devices: data storage (limited), basic telephony and messaging services, proprietary OS (limited), no data processing capability
  Examples: traditional cell phones
Category 2
  Devices: data storage (including external) and data processing capabilities, standardized OS (configurable), extended services
  Examples: smartphones, early pocket PC devices
Category 3
  Devices: data storage, processing and transmission capabilities via alternative channels, broadband Internet connectivity, standardized OS (configurable), PC-like capabilities
  Examples: advanced smartphones, tablet PCs
Risk levels by asset category
Category / Risk                      Category 1  Category 2  Category 3  Category 4
Physical
  Theft                              Low         Medium      High        High
  Loss                               Medium      Medium      Medium      Medium
  Damage/destruction                 High        High        High        High
Organizational
  Agglomeration/heavy users          Low         Low         High        High
  Complexity/diversity               Low         Medium      High        High
Technical
  Activity monitoring, data retrieval Low        High        High        High
  Unauthorized network connectivity  Low         Medium      High        High
  Web view/impersonation             Low         Medium      High        High
  Sensitive data leakage             Low         High        High        High
  Unsafe sensitive data storage      Medium      High        Medium      Medium
  Unsafe sensitive data transmission Low         High        Medium      High
  Drive-by vulnerabilities           Low         High        High        High
  Usability                          Low         Low         High        High
Types of risk by asset category
Physical risks
• Inability to work for a long period
• Access to information (emails, contacts, appointments, usage history, deleted items, codes, …); the data are often unencrypted
• Identity theft
But there are ways to limit these risks:
• Device location and tracking
• Remote lock capabilities
• SIM card blocking capabilities
Types of risk by asset category
Organizational risks
• Replication of privileged access rights
• Sensitive nature of the data kept for executives
• Complexity of use (richness of features, …): errors, data roaming, …
• Short life cycle (management, training, …)
Technical risks: "Activity monitoring, data retrieval"
Target: Messaging
  • Generic attacks on short message service (SMS) text, multimedia messaging service (MMS)-enriched transmission of text and contents
  • Retrieval of online and offline email contents
  • Insertion of service commands by SMS cell broadcast texts
  • Arbitrary code execution via SMS/MMS
  • Redirect or phishing attacks by Hypertext Markup Language (HTML)-enabled SMS text or email
Target: Audio
  • Covert call initiation, call recording
  • Open microphone recording
Target: Pictures/video
  • Retrieval of still pictures and videos, for example, by piggybacking the usual "share" functionality in most mobile apps
  • Covert picture or video taking and sharing, including traceless wiping of such material
Target: Geolocation
  • Monitoring and retrieval of GPS positioning data, including date and time stamps
Target: Static data
  • Contact list, calendar, tasks, notes retrieval
Target: History
  • Monitoring and retrieval of all history files in the device or on the SIM card (calls, SMS, browsing, input, stored passwords, etc.)
Target: Storage
  • Generic attacks on device storage (hard disk or solid-state disk [SSD]) and data replicated there
Technical risks: "Sensitive Data Leakage Risk"
Information type: Identity
  • International Mobile Equipment Identity (IMEI), manufacturer device ID, customized user information
  • Hardware/firmware and software release statistics, also disclosing known weaknesses or potential zero-day exploits
Information type: Credentials
  • User names and passwords, keystrokes
  • Authorization tokens, certificates (Secure Multipurpose Internet Mail Extensions [S/MIME], Pretty Good Privacy [PGP], etc.)
Information type: Location
  • GPS coordinates, movement tracking, location/behavioral inference
Information type: Files
  • All files stored at OS/file system level
Technical risks: "Usability Risk"
Risk factor: Frequent change of hardware as part of the mobile contract
  Risk: In upgrading to "state-of-the-art" devices, users are compelled to familiarize themselves with new and complex features. This creates a significant risk of human error and resulting security issues.
Risk factor: Users' limited familiarity with their devices
  Risk: The number of features and apps may appear overwhelming to the average user. This creates a high risk of inadvertent actions, errors and security breaches.
Risk factor: Limitations to configurability, opaque OSs
  Risk: As OSs become less transparent, configuration and device management are restricted. This reduces the amount of organizational control over mobile OSs.
Risk factor: Mandatory services prescribed by the OS or contract
  Risk: Consumer-based services run in the background, creating potential security issues. Security management may not be able to control these activities where the contractor sees them as essential.
Risk factor: Proliferation of pay-as-you-go and subscription services
  Risk: Users are facing more and more opt-in challenges for activation or extension of applications. This creates contractual and security-related risk.
Risk factor: Mandatory cloud sign-in as prerequisite to accessing certain services
  Risk: Mobile devices may become dysfunctional or restricted if the mandated services are not activated. This creates additional security risk when users naturally opt in to these services.
Examples of vulnerabilities
Vulnerability: Information travels across wireless networks that are often less secure than wired networks.
  Threat: Malicious outsiders can do harm to the enterprise.
  Risk: Information interception resulting in a breach of sensitive data, damage to enterprise reputation, compromised adherence to regulation, legal action
Vulnerability: Mobility provides the users with the opportunity to leave enterprise boundaries, thereby eliminating many security controls.
  Threat: Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network.
  Risk: Malware propagation, which can result in data leakage, data corruption and unavailability of necessary data; physical theft
Vulnerability: Bluetooth technology makes it very convenient for many users to have hands-free conversations; however, it is often left on and is then discoverable.
  Threat: Hackers can discover the device and then launch an attack.
  Risk: Device corruption, lost data, call interception, possible exposure of sensitive information
Vulnerability: Unencrypted information is stored on the device.
  Threat: In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable.
  Risk: Exposure of sensitive data, resulting in damage to the enterprise, customers or employees
Vulnerability: Lost data may affect employee productivity.
  Threat: Mobile devices may be lost or stolen due to their portability. Data on these devices are not always backed up.
  Risk: Workers dependent on mobile devices unable to work in the event of broken, lost or stolen devices, and data that are not backed up
Vulnerability: The device has no authentication requirements applied.
  Threat: If the device is lost or stolen, outsiders can access the device and all its data.
  Risk: Data exposure, resulting in damage to the enterprise and liability and regulation issues
Vulnerability: The enterprise is not managing the device.
  Threat: If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices. While these devices may not connect to the virtual private network (VPN), they may interact with emails or store sensitive documents.
  Risk: Data leakage, malware propagation, unknown data loss in the event of device loss or theft
Vulnerability: The device allows installation of unverified/unsigned third-party applications.
  Threat: Applications may carry malware that propagates Trojan horses or viruses. The applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network.
  Risk: Malware propagation, data leakage, intrusion to the enterprise network
Security example (mobile security)
Principles, policies, frameworks, …
• Information security principles
  • Support the business (6 sub-principles)
  • Protect the business (4 sub-principles)
  • Promote responsible information security behaviour (2 sub-principles)
• Policies
  • General information security policy
  • Information security policies driven by the information security function
    • Access controls
    • Personal information protection
    • Physical and environmental security
    • Incident response
  • Information security policies driven by the other functions
    • Business continuity and disaster recovery
    • Asset management
    • Expected behaviour
    • Solution acquisition, development and maintenance
    • Vendor management
    • Operations
    • Compliance
    • Risk management
Principles, policies and frameworks: principles
Principle: Focus on the business
  Objective: Ensure that information security is integrated into essential business processes
  Mobile security: Analyze business processes with mobile device dependencies, and prioritize accordingly
Principle: Deliver quality and value to stakeholders
  Objective: Ensure that information security delivers value and meets business requirements
  Mobile security: Perform stakeholder analysis (internal and external) and derive requirements for mobile devices
Principle: Comply with relevant legal and regulatory requirements
  Objective: Ensure that statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided
  Mobile security: Identify laws, regulations and governance rules for mobile device use, and define requirements
Principle: Provide timely and accurate information on information security performance
  Objective: Support business requirements and manage information risk
  Mobile security: Establish mobile device key performance indicators (KPIs) and regular reporting
Principle: Evaluate current and future information threats
  Objective: Analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken
  Mobile security: Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches
Principle: Promote continuous improvement in information security
  Objective: Reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security
  Mobile security: Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching
Principle: Adopt a risk-based approach
  Objective: Ensure that risk is treated in a consistent and effective manner
  Mobile security: Maintain mobile device categorization and keep the risk heat map up to date
Principles, policies and frameworks: principles
Principle: Protect classified information
  Objective: Prevent disclosure of classified (e.g., confidential or sensitive) information to unauthorized individuals
  Mobile security: Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate identity and access management (IAM).
Principle: Concentrate on critical business applications
  Objective: Prioritize scarce information security resources by protecting the business applications on which an information security incident would have the greatest business impact
  Mobile security: Regularly perform a business impact analysis (BIA) on mobile devices as assets, related processes and resulting categories of impact (financial, nonfinancial)
Principle: Develop systems securely
  Objective: Build quality, cost-effective systems on which business people can rely (e.g., that are consistently robust, accurate and reliable)
  Mobile security: Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios
Principle: Act in a professional and ethical manner
  Objective: Ensure that information security-related activities are performed in a reliable, responsible and effective manner
  Mobile security: Apply governance to mobile device policies, standards and key operating procedures
Principle: Foster an information-security-positive culture
  Objective: Provide a positive information security influence on the behavior of end users, reduce the likelihood of information security incidents occurring and limit their potential business impact
  Mobile security: Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection.
Principles, policies and frameworks: policies
Mobile device policy: Analyze business processes with mobile device dependencies, and prioritize accordingly
  Theme: Mobile device strategy
  Information security policies: Information security policy; Business continuity and disaster recovery policy
Mobile device policy: Perform stakeholder analysis (internal and external) and derive requirements for mobile devices
  Theme: Mobile device strategy
  Information security policies: Information security policy
Mobile device policy: Identify laws, regulations and governance rules for mobile device use, and define requirements
  Theme: Governance compliance
  Information security policies: Information security policy; Compliance policy
Mobile device policy: Establish mobile device KPIs and regular reporting
  Theme: Governance compliance
  Information security policies: Information security policy; Compliance policy
Mobile device policy: Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches
  Theme: Risk
  Information security policies: Risk management policy
Mobile device policy: Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching
  Theme: Mobile device life cycle
  Information security policies: Information systems acquisition, software development and maintenance policy
Mobile device policy: Maintain mobile device categorization and keep the risk heat map up to date
  Theme: Risk
  Information security policies: Risk management policy
Mobile device policy: Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate IAM
  Theme: ISMS asset management
  Information security policies: Information security policy; Asset management policy
Mobile device policy: Regularly perform a BIA on mobile devices as assets, related processes and resulting categories of impact (financial, nonfinancial)
  Theme: Mobile device strategy
  Information security policies: Information security policy; Business continuity and disaster recovery policy
Mobile device policy: Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios
  Theme: Mobile device life cycle
  Information security policies: Information systems acquisition, software development and maintenance policy
Mobile device policy: Apply governance (see chapter 3) to mobile device policies, standards and key operating procedures
  Theme: Governance
  Information security policies: Information security policy
Mobile device policy: Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection
  Theme: Security culture
  Information security policies: Rules of behavior policy
Mobile devices: Principles, Policies and Frameworks: Standards
Columns: Clause | Centralized aspects | BYOD aspects
Acquisition
  Centralized: Process for acquisition by the enterprise, link to procurement or purchasing processes
  BYOD: Provide users with subsidized/preferential arrangements OR specify approved devices
Onboarding
  BYOD: Process for onboarding any device presented by user, including opt-in clauses
Provisioning
  Centralized: Process for provisioning hardware, OS, standardized apps, optional apps
Configuration
  Centralized: Process for developing, testing, deploying and updating configuration, link to general config mgmt
  BYOD: Process for partial configuration of device with organizational standard (user must have opted in and signed)
Systems and data management
  Centralized: Process for security-related systems and data management, linked to general systems mgmt.
  BYOD: Process for partial systems and data management activities (user must have opted in and signed)
Organizational risk
  Centralized: Preapplied security controls for organizational risk (user agglomeration, diversity and complexity)
  BYOD: Preapplied security controls, e.g., security axioms, for any device
Physical risk
  Centralized: Preapplied security controls for loss, theft, damage
  BYOD: Preapplied security controls for loss, theft, damage, etc.
Technical risk
  Centralized: Preapplied security controls for all categories of technical risk
  BYOD: Preapplied security controls for the standardized part of the device; mandatory guidance for user self-protection (minimum requirements)
Exception/incident management
  Centralized: Process for logging, treating and resolving exceptions and incidents, link to business continuity/disaster recovery
  BYOD: Process for identifying incidents, containment, resolution and ex post impact; isolating, quarantine and removal
Life span
  Centralized: Process for aging devices in line with life span/innovation, including risk of obsolete devices
  BYOD: Process for aging devices in line with life span/innovation and cost of supporting obsolete devices vs. risk of operating obsolete devices
Decommissioning
  Centralized: Process for decommissioning end-of-business-life devices; secure disposal
Removal
  BYOD: Process for initiating removal, secure organizational data disposal, apps removal; offboarding device (not user) and replacement
Example: Mobile Security
Principles, Policies and Frameworks: Operating procedures
• Mobile device audit
• Change management
• Patch management
• Malware protection
• Encryption, VPN, encapsulation
• Damage, loss, theft
• …
Example: Mobile Security
Organizational structures
• Composition: Structures are made up of members who are, or represent, internal and external stakeholders. They have a specific role that depends on the structure's context
• Scope: Boundaries of the organizational structure's decision rights
• Level of authority: Decisions the structure is authorized to take
• Operating principles: Practical arrangements for how the structure operates (meeting frequency, documentation, rules, …)
• Delegation powers: The structure may delegate its decision rights (or a subset of them) to other structures that report to it
• Escalation procedures: The escalation path describes the actions required when problems arise in taking decisions
Example: Security (Mobile Security)
Organizational structures
• Information Security (or IS) Director
• Information Security (or IS) Steering Committee
• Information Security (or IS) Manager
• Risk Steering Committee
• Person responsible for information security within the business functions
Example: Security (Mobile Security)
Organizational structures
Columns: Aspect | Characteristics (Information Security Manager) | Characteristics (Mobile Security Specialist)
Mandate
  Manager: Overall responsibility for the management of information security efforts
  Specialist: Operational responsibility for securing mobile devices
Reporting
  Manager: Reports to the CISO (or, in some enterprises, to the business unit leads)
  Specialist: Reports to the information security manager
Scope
  Manager: Application information security, infrastructure information security, access management, threat management, risk management, awareness program, metrics, vendor assessments
  Specialist: Mobile device security management and monitoring
Level of authority, decision rights
  Manager: Overall decision-making authority over information security domain practices
  Specialist: Recommends and implements concepts, controls and processes for mobile device security management and monitoring
Delegation rights
  Manager: Should not delegate decisions related to information security domain practice
  Specialist: No delegation
Escalation
  Manager: Issues escalated to the CISO
  Specialist: Issues escalated to the information security manager
Accountability / responsibility
  Manager: Accountability; responsibility in small and medium-sized enterprises, delegation to experts in larger enterprises
  Specialist: Responsibility
Points of contact: Legal, General Services, Risk Management, Procurement, Development, Information Technology, Audit, Users
Example: Mobile Security
Example: Security (Mobile Security)
Skills
• Position (job description, career development, …)
• Education (degrees, …)
• Qualifications (certifications, …)
• Experience
• Knowledge, know-how, interpersonal skills
• Availability / retention (access to external resources)
• Training
• Evaluation
Example: Security (Mobile Security)
Skills
• Information security governance
• Information security strategy development
• Information risk management
• Information security architecture
• Information security operations
• Information assessment, testing and compliance
People and Skills: Skills
Columns: Skill | Mobile Security Manager/Specialist | User
Governance
  Manager/Specialist: Extensive skills and experience
  User: Awareness
Strategy formulation
  Manager/Specialist: Ability to set mobile device security strategy
  User: Awareness
Risk management
  Manager/Specialist: Recognition of mobile device risk and treatment options
  User: Recognition of mobile device risk, avoidance or mitigation behavior
Architecture development
  Manager/Specialist: Extensive skills and experience in mobile architectures
  User: Reasonable understanding of mobile architecture and inherent risk
Operations
  Manager/Specialist: Extensive skills and experience in operating mobile device architectures, including back end
  User: Experience with operating mobile devices commensurate with device complexity
Assessment, testing, compliance
  Manager/Specialist: Ability to perform/support assessments, extensive testing skills, awareness and in-depth understanding of compliance requirements
  User: Awareness of compliance requirements, basic understanding of assessments, ability to participate in testing
Example: Mobile Security
People and Skills: Training
Columns: Perspective | Key themes | Content
Basics
  Key themes: Mobile device features
  Content: Basics and background for use, OS, popular apps, typical risks, security points to note
Basics for senior management
  Key themes: Mobile device features
  Content: Basics (in a very short time), how to set an example for all employees, governance and how to communicate it, making security a top priority, eye-opening demonstrations of how easy it is to attack the device, etc.
Business
  Key themes: Business-related services and apps
  Content: Onboarding, access and identity management, apps and services offered by the organization, security ground rules, policy and standards, etc.
Outside the enterprise
  Key themes: Travel-related security
  Content: Connectivity, foreign networks, what to do when traveling (and what not to do), typical security risk, local warnings, etc.
Private
  Key themes: Private use and security
  Content: Popular services and apps, associated risk and security issues, attacks and defense, golden rules of private use (governance), etc.
Advanced
  Key themes: Using advanced features and related security
  Content: Knowing the device, advanced apps and features, self preservation and what to do in security, organizational testing and participation, how to become a key user, etc.
Management
  Key themes: Mobile device security manager skills
  Content: Basic/intermediate/advanced series of training courses for information security managers or specialists
Management refresher
  Key themes: Mobile device security manager skills
  Content: Regular update on trends, emerging technologies and risk, new security management techniques, etc.
Example: Mobile Security
People and Skills: CISO skills
Columns: Domain | Generic skills | Mobile-related skills
Governance
  Ability to:
    Define metrics that apply to information security governance | Define a full set of mobile device security metrics and measurements
    Create a performance measurement model | Define mobile device performance indicators for measurement
    Develop a business case justifying investments in information security | Develop a business case for mobile devices, including standardized solutions vs. partial or full BYOD
  Knowledge of:
    Legal and regulatory requirements | Specific legal and regulatory requirements for mobile device use, including telecommunications and IT
    Roles and responsibilities required for information security | Mobile device security roles and responsibilities, including end-user responsibilities as defined for the enterprise
    Methods to implement information security governance policies | Implementing information security governance for mobile device possession and use
    Fundamental concepts of governance | Fundamental concepts of governance
    Internationally recognized standards, frameworks and best practices | Internationally recognized standards for mobile devices, mobile OSs, telephony, data transmission, etc.
  Technical skills:
    Good understanding of information security practices that apply to the specific business | Understanding of business dependencies on mobile devices and resulting security requirements
Example: Mobile Security
People and Skills: Skills
Columns: Domain | Generic skills | Mobile-related skills
Strategy
  Ability to:
    Understand the enterprise culture and values | Understand the enterprise culture and values
    Define an information security strategy that is aligned with enterprise strategy | Define a mobile device security strategy in line with the information security strategy
    Develop information security policies and devise metrics | Develop a mobile device use policy and mobile device security standard
  Knowledge of:
    Information security trends, services and disciplines | Mobile device trends, innovative apps, market developments, emerging risk, new paradigms in mobile work, etc.
  Technical skills:
    Broad understanding of various information security disciplines | Broad understanding of various information security disciplines
Risk management
  Knowledge of:
    Information asset classification model | Mobile device inventory and asset classification, including hardware, apps, data and information assets
    Risk assessment and analysis | Mobile device risk assessment
    Business processes and essential functions | Business processes and functions depending on mobile devices and services
    Industry standards | Industry standards
    Risk-related laws and regulations
    Risk frameworks and models
  Technical skills:
    Risk associated with information security practices and activities | Risk associated with mobile device use and mobile security
    Risk analyses and mitigating controls | Risk analyses and mitigating controls
Example: Mobile Security
People and Skills: Skills
Columns: Domain | Generic skills | Mobile-related skills
Architecture development
  Knowledge of:
    Interaction of technologies with business and information security policies | Interaction of mobile devices (technology, services, apps, etc.) with business and general information security
    Information security architectures | Mobile architectures
    Application design review and threat modeling | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
    Methods to design information security practices | Methods to design mobile security practices (organization and end user)
    Managing information security programs, policies, procedures and standards
    Emerging technologies and development methodologies | Emerging mobile technologies and app development tools
  Technical skills:
    Deep and broad knowledge of IT and emerging trends | Deep and broad knowledge of anything that moves (i.e., anything that could be seen as a mobile device in the broadest sense)
    Technical design capabilities | Technical design capabilities
    Strong subject matter expertise in computer operations | Reasonable expertise in computer operations, strong expertise in linking mobile devices to back-end/data center operations
Example: Mobile Security
People and Skills: Skills
Columns: Domain | Generic skills | Mobile-related skills
Operations
  Knowledge of:
    Log monitoring, log aggregation, log analysis | Log monitoring, log aggregation, log analysis
  Technical skills:
    In-depth knowledge of OSs, authentication, firewalls, routers, web services, etc. | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
Assessment, testing, compliance
  Knowledge of:
    IS audit standards, guidelines and best practices | IS audit standards, guidelines and best practices relevant to mobile devices
    Audit planning and project management
    Local laws and regulations
  Technical skills:
    Audit-related tools, gap analysis, analytics, etc. | Audit and investigation tools for mobile devices
Example: Mobile Security
Example: Security (Mobile Security)
Ethics, Culture, Behaviour
For organizations as well as for individuals
The set of ways of thinking and acting, and of explicit or implicit rules and attitudes, that characterize an entity
• Values
• Behaviour
• Risk taking
• Non-compliance
• Outcomes (positive, negative, …): learning, blaming, …
• Incentives
• Deterrents
Example: Security (Mobile Security)
Ethics, Culture, Behaviour
Expected behaviours
• 8 expected behaviours
Leadership
• Communication, leading by example, rules
• Incentives
• Awareness
Culture, Ethics, Behaviour
Columns: Reference behaviour | With regard to mobile device use
Reference: Information security is practiced in daily operations.
  Mobile device use: Security management and monitoring processes are applied to mobile devices to the agreed extent (standardized/BYOD/combined). End users understand and apply security measures completely and in a timely manner.
Reference: People respect the importance of information security principles and policies.
  Mobile device use: Users are aware of, and ideally actively involved in, defining mobile device security principles and policies. These are updated frequently to reflect day-to-day reality as experienced by the users.
Reference: People are provided with sufficient and detailed information security guidance and are encouraged to participate in and challenge the current information security situation.
  Mobile device use: Mobile device security is a fluid process with regular challenges by users. Security guidance for mobile devices is simple, to the point and relates to typical day-to-day security risk. The security situation is frequently and jointly assessed by users and security managers.
Reference: Everyone is accountable for the protection of information within the enterprise.
  Mobile device use: Security managers and users share accountability for mobile device security. This includes business use and private use (in BYOD scenarios). Users have a clear understanding about their accountability and act responsibly when using mobile devices.
Reference: Stakeholders are aware of how to identify and respond to threats to the enterprise.
  Mobile device use: All mobile device users are stakeholders, regardless of their hierarchical position within the enterprise. There is full awareness of the risk, threats and vulnerabilities associated with mobile device use. Response to threats and incidents is well understood, exercised frequently and auditable.
Reference: Management proactively supports and anticipates new information security innovations and communicates this to the enterprise. The enterprise is receptive to accounting for and dealing with new information security challenges.
  Mobile device use: Security management and end users cooperatively identify, test and adopt innovation in mobile device technology and use. Management and end users foster innovation by identifying and presenting new business cases for technology, mobile services and other types of added value. The enterprise aims at staying in front of the curve in mobile device use.
Reference: Business management engages in continuous cross-functional collaboration to allow for efficient and effective information security programs.
  Mobile device use: Mobile device use (and technology) programs are in place and form part of the IT innovation strategy. Security innovations are actively adopted and incorporated as key projects. Business functions cooperate with information security to maximize the return on information security for mobile services and devices.
Reference: Executive management recognizes the business value of information security.
  Mobile device use: Executive managers act as end users and recognize the value they derive from their use of mobile devices and associated services. They participate in training and awareness activities.
Example: Mobile Security
Example: Security (Mobile Security)
Services: Applications, Infrastructure, …
• Service capability
• Supporting technology
• Expected benefits
• Objectives and performance indicators
• Architecture
• Reuse
• Acquisition / Development
• Simplicity
• Agility
• Openness
Services: Infrastructure, Applications, …: Information security illustrations
• Security architecture
• Security awareness
• Secure development
• Security assessment
• Systems configured and secured adequately, in line with the security requirements and with the security architecture
• User access and access rights in line with business needs
• Adequate protection against malicious software, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alerting services for security-related events
Example: Security (Mobile Security)
Services : Infrastructure and Applications, ….
• Security architecture
• Security awareness
• Secure development
• Security assessments
• Adequately secured and configured systems
• User access and access rights in line with business requirements
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events
• Device Management
• Device Structure
• Device OSs
• Applications
• Connectivity
Example: Mobile Security
Services : Infrastructure and Applications, ….
Device Management
• Overarching device management system
• Identity and access management (IAM)
• Malware protection (including attacks and intrusions)
• Security testing and monitoring
• Incident response
Example: Mobile Security
Services : Infrastructure and Applications, ….
Device Structure
• Enhanced SIM card functionality
• Hardware add-ons for security purposes
• Use of inbuilt processors for specific security tasks
• Firmware modifications (own security builds)
Example: Security (Mobile Security)
Services : Infrastructure and Applications, ….
Device OSs
• Kernel modifications (usually done through firmware updates)
• OS “tweaking” tools, registry and configuration editors
• Modifications to factory reset
• Modifications to the first responder interface
• Device/SIM interaction changes
• Remote control interfaces (usually provided by the vendor)
• Secure coding tools and resources
Example: Mobile Security
Services : Infrastructure and Applications, ….
Applications
• Antivirus
• Application patching
• Control risk assessments
• Penetration testing
Example: Mobile Security
Services : Infrastructure and Applications, ….
Connectivity
• Secure coding resources and tools specifically for protecting existing connections
• Technical tools such as fuzzers, sniffers, protocol analyzers
• Remote configuration and control solutions
• Cloud access management
Example: Mobile Security
Services: Infrastructure, Applications, …
Example: Security (Mobile Security)
Columns: Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity
Architecture/plan services: Configuration management database (CMDB), asset management systems | Reporting agents, policy management solutions, vulnerability scanners | Cloud access management
Awareness: Training courses, news feeds | Knowledge bases, vendor and industry advisories | Knowledge bases, vendor and industry advisories, computer emergency response team (CERT) advisories | Training tools, collaboration tools | Email, social media, news feeds
Development: Compilers, linkers, secure coding resources | Secure coding resources, code scanners, static and binary analysis tools | Secure coding resources | Secure coding resources
Assessments: Threat and vulnerability risk assessment (TVRA) | Log analyzers, flash readers | Log analyzers, other tools | Reporting tools | Fuzzers, sniffers, protocol analyzers, network analyzers, honeypots
Secured and configured systems: Firmware, vendor tools | Kernel and related, security model, first responder interface, system and patch management, OS tools | CMDB tools and agents | Remote configuration and control solutions
Services: Infrastructure, Applications, …
Example: Mobile Security
Columns: Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity
Access rights: Biometrics, dongles, smart cards (SIM), embedded device IDs, embedded processors, location services | Public key infrastructure (PKI) and encryption, configuration management tools, software distribution tools, provisioning | Encryption and related apps, provisioning and IAM tools | Cloud access management
Malware and attack protection: Central anti-malware solutions | Vendor advisories, other advisories, device management | CMDB, patch management, knowledge bases, software distribution, firewalls, IDS | PKI, antivirus, anti-malware, packet analyzers, IDS agents, honeypots, tarpits, browser protection, sandboxing | Remote configuration and control solutions, virtualization and cloud apps
Incident response: TVRA, business continuity management (BCM) and IT service continuity management (ITSCM), vendor advisories, industry advisories | Vendor advisories, industry advisories | Memory inspection tools, network analyzers, log analyzers, reverse engineering, malware analysis, security information and event management (SIEM) | App and data inspection tools, backup and restore, vendor recovery tool sets, vendor forensics tools | Cloud recovery tools
Monitoring and alerting: Central log management, alerting systems, management dashboards, network operations centers | Vendor tools | System logs, monitoring agents, reporting agents | Monitoring tools | Traffic monitoring, network analyzers, cloud logging
Example: IT (Security) (Mobile Security)
IT processes
• 129 IT process goals
• 207 IT practices
• 1108 IT activities
• 266 IT performance indicators
• 26 IT roles + business roles in IT
Business and IT
• 17 business goals
• 17 IT goals
• 59 IT performance indicators
Security processes
• 79 security process goals
• 188 security practices
• 378 security activities
• 154 security performance indicators
Example: Security (Mobile Security): for the IT process Manage Operations
Example: IT (Security) (Mobile Security): for the IT process Manage Operations
Example: Security (Mobile Security): security processes that come in addition to the IT processes, for the IT process Manage Operations
Processes
Columns: IT Process | Mobile Device Security Management Process
EDM01 Ensure governance framework setting and maintenance | Reflect governance in mobile device use policy, maintain policy in line with general process
EDM02 Ensure benefits delivery | Mobile device value optimization process
EDM03 Ensure risk optimisation | Mobile device security risk management process
APO03 Manage enterprise architecture | Subsidiary process for mobile devices that substantiates security solutions as part of overall architecture
APO04 Manage innovation | Subsidiary mobile device (security) innovation process
APO05 Manage portfolio | Subsidiary process for mobile devices to identify and obtain funds for security management
APO06 Manage budget and costs | Subsidiary mobile device security budgeting process
APO09 Manage service agreements | Subsidiary process for mobile device service level agreements (SLAs) and operating level agreements (OLAs)
BAI06 Manage changes | Subsidiary processes for mobile device change management and emergency changes
DSS04 Manage continuity | Subsidiary process for mobile device service continuity management; autonomous process (subsidiary to business continuity/disaster recovery) for mobile device business recovery
DSS03 Manage problems | Subsidiary processes for mobile device security problems and known errors
MEA03 Monitor, evaluate and assess compliance with external requirements | Subsidiary process for identifying and interpreting external compliance requirements for mobile devices
Example: Mobile Security
Example: Security (Mobile Security)
Information
• Objectives and performance indicators
• Life cycle
• Good practices
• Responsibilities
• Constraints
• Content
Example: Security (Mobile Security)
Information
• Strategy
• Budget
• Plan
• Policies
• Requirements
• Awareness
• Review reports
• Dashboard
Information
Type of information
• Replicated emails, contacts, calendars and notes
• Music, movies and other content that users have acquired
• Mobile banking and micropayments
• Airline ticketing and electronic boarding card (similar for railways)
• Vendor app stores and related transactions
• Social networking and cloud services
• Geolocation data
• Device coupling with other devices (vehicles, buildings, public networks, etc.) and semi permanent "partnership" data
• Voice, video and data connection information (semi permanent)
• Original data created by the mobile device (pictures, videos, waypoints, etc.)
• Chat and file transfer information, for example, notes taken from popular Internet telephony software
• Information stored by telecommunications providers as mandated by law, for example, connection date and time stamps
Example: Mobile Security
COBIT 5 Online
COBIT 5 Online is a multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version is to provide easy access to online versions of COBIT 5 publications. While retaining all of the stylistic conventions of print editions, the online editions greatly simplify the process of navigating, searching and exporting the principles, practices, analytical tools and models that make COBIT 5 an essential resource for the governance and management of enterprise IT. The new online service will include features such as:
• Access to publications in the COBIT 5 product family
• Access to other, non-COBIT, ISACA content and current, relevant GEIT material
• Ability to customize COBIT to fit the needs of your enterprise with access for multiple users
• Access to tools: Goals Planner, RACI Planner, Self Assessment, …
COBIT 5 Online
COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT (94 pages)
• Executive Summary
• Overview of COBIT 5
• Principle 1 : Meeting Stakeholders Needs
• Principle 2 : Covering the Enterprise from End-to-end
• Principle 3 : Applying a Single Integrated Framework
• Principle 4 : Enabling a Holistic Approach
• Principle 5 : Separating Governance from Management
• Implementation Guidance
• The COBIT 5 Process Capability Model
• Appendices
COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT
• Appendix A : References
• Appendix B : Detailed Mapping 17 Enterprise Goals – 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT-related Goals – 32 IT-related Processes
• Appendix D : 22 Stakeholder Needs and 17 Enterprise Goals
• Appendix E : Mapping of COBIT 5 with most relevant related standards and frameworks (ISO/IEC 38500, ITIL V3 2011 - ISO/IEC 20000, ISO/IEC 27000 Series, ISO/IEC 3100 Series, TOGAF, CMMI, PRINCE2)
• Appendix F : Comparison between COBIT 5 Information Reference Model and the COBIT 4.1 information criteria
• Appendix G : Detailed description of COBIT 5 Enablers
• Appendix H : Glossary
• Appendix G : Detailed description of COBIT 5 Enablers
  – Introduction
  – COBIT 5 Enabler : Principles, Policies and Frameworks
  – COBIT 5 Enabler : Processes
  – COBIT 5 Enabler : Organisational Structures
  – COBIT 5 Enabler : Culture, Ethics and Behaviour
  – COBIT 5 Enabler : Information
  – COBIT 5 Enabler : Services, Infrastructures and Applications
  – COBIT 5 Enabler : People, Skills and Competencies
COBIT 5 Deliverables : Enabling Processes (230 pages)
• Introduction
• The Goals Cascade and Metrics for Enterprise Goals and IT-related Goals
  – COBIT 5 Goals Cascade : Stakeholders Drivers, Stakeholders Needs, Enterprise Goals, IT Goals, Enabler Goals
  – Using the COBIT 5 Goals Cascade
  – Metrics : Enterprise, IT
• The COBIT 5 Process Model
  – Enabler Performance Management
• The COBIT 5 Process Reference Model
  – Governance and Management Processes (5 governance processes and 32 management processes)
  – Reference Model
• COBIT 5 Process Reference Guide Contents
  – Generic Guidance for Processes :
    • EDM : Evaluate, Direct and Monitor
    • APO : Align, Plan and Organize
    • BAI : Build, Acquire and Implement
    • DSS : Deliver, Service and Support
    • MEA : Monitor, Evaluate and Assess
• Appendix A : Mapping between COBIT 5 and legacy ISACA Frameworks (COBIT 4.1, Val IT 2.0, Risk IT Management Practices)
• Appendix B : Detailed Mapping 17 Enterprise Goals and 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT-related Goals and 37 IT-related Processes
• 129 IT Process Goals
• 266 IT Process Goal Metrics
• 207 IT Practices
• 26 business and IT roles in IT Practices
• 1108 IT Activities
17 Enterprise Goals, 17 IT-related Goals, 59 IT-related Goals metrics
COBIT 5 Deliverables : Enabling Processes
• Process identification : Label, Name, Area, Domain
• Process description
• Process purpose statement
• IT goals and metrics supported
• 17 IT Goals, 59 IT-related Goals Metrics
• Process goals and metrics
  – Governance : 15 IT Process Goals and 37 IT Process Goal metrics
  – Management : 114 IT Process Goals and 229 IT Process Goal metrics
• RACI chart
  – 26 Business and IT Roles concerned with the 207 IT Practices
• Detailed description of the process practices
  – Description, inputs and outputs with origin/destination, activities
  – Governance : 12 IT Governance Practices and 79 IT Governance Activities
  – Management : 195 IT Management Practices and 1029 IT Management Activities
• Related guidance
COBIT 5 Deliverables : Information Security (220 pages)
• Executive Summary: Introduction, Drivers, Benefits, Target Audience, Conventions
• Information Security
  – Information Security Defined
  – COBIT 5 Principles
• Using COBIT 5 Enablers for Implementing Information Security in Practice
  – Introduction
  – Enabler : Principles, Policies and Frameworks
  – Enabler : Processes
  – Enabler : Organizational Structures
  – Enabler : Culture, Ethics and Behaviour
  – Enabler : Information
  – Enabler : Services, Infrastructure and Applications
  – Enabler : People, Skills and Competencies
• Adapting COBIT 5 for Information Security to the Enterprise Environment
  – Introduction
  – Implementing Information Security Initiatives
  – Using COBIT 5 to connect to other frameworks, models, good practices and standards
• Appendix A to G : Detailed Guidance for each of the 7 categories of enablers
• Appendix H : Detailed Mappings
• Acronyms, Glossary
COBIT 5 Deliverables : Information Security
• Appendix A Detailed Guidance : Principles, Policies and Frameworks
  – 3 high level security principles with 12 elements : Objective and description
  – 13 types of policies : scope, validity, goals (5 driven by security function, 8 driven by other functions)
• Appendix B Detailed Guidance Processes (see next page)
• Appendix C Detailed Guidance : Organizational Structures
  – 5 types of security-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• Appendix D Detailed Guidance : Culture, Ethics and Behaviour
  – 8 types of security-related expected behaviours
• Appendix E Detailed Guidance : Information
  – 34 types of security-related information stakeholders
  – 10 types of security related information : goals, life cycle, good practice
• Appendix F Detailed Guidance : Services, Infrastructure and Applications
  – 10 types of security services : 27 security-related service capabilities (supporting technology, benefit, quality goal, metric)
• Appendix G Detailed Guidance : People, Skills and Competencies
  – 7 types of security set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioural skills, related role structure
• Appendix H Detailed Mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)
COBIT 5 Deliverables : Information Security Processes Enabler
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Security-specific Process Goals and Metrics
  – Governance : 8 Security Process Goals and 17 Security Process Goals related Metrics
  – Management : 71 Security Process Goals and 137 Security Process Goals related Metrics
• Security-specific Process Practices, Inputs/Outputs and Activities
  – Description of governance/management practice, security-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, security-specific activities in addition to COBIT 5 activities
  – Governance : 12 Security Governance Practices and 31 Security Governance Activities
  – Management : 176 Security Management Practices and 347 Security Management Activities
• Related Guidance
COBIT 5 Deliverables : Risk (244 pages)
• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience, Overview and Guidance on use of Publication, Prerequisite Knowledge
• Risk and Risk Management
  – The Governance Objective : Value Creation
  – Risk : Risk Categories, Risk Duality, Interrelationship between Inherent, Current and Residual Risk
  – Scope of Publication (Two Perspectives on Risk : Risk Function and Risk Management Perspectives)
  – Applying the COBIT 5 Principles to Managing Risks
• The Risk Function Perspective
  – Introduction to Enablers
  – The 7 Enablers
• The Risk Management Perspective and using COBIT 5 Enablers
  – Core Risk Processes
  – Risk Scenarios
  – Generic Risk Scenarios
  – Risk Aggregation
  – Risk Response
• How this Publication Aligns with Other Standards
  – ISO 31000, ISO/IEC 27005:2011, COSO ERM
• Appendix A : Glossary
• Appendix B : Detailed Risk Governance and Management Enablers
• Appendix C : Core Risk Management Processes
• Appendix D : Using COBIT 5 Enablers to Mitigate IT Risk Scenarios (20 scenarios)
• Appendix E : Comparison of Risk IT with COBIT 5
• Appendix F : Comprehensive Risk Scenario Template
COBIT 5 Deliverables : Risk
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
  – 7 high level risk principles : Principle and Explanation
  – 18 types of risk policies : Scope, Validity, Management Commitment and Accountability, Risk Governance, Risk Management Framework
• Appendix B. Detailed Guidance Processes (see next page)
  – 12 key risk function supporting processes
  – 2 key risk management supporting processes
• Appendix C. Detailed Guidance : Organizational Structures
  – 5 key risk-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
  – 17 other relevant structures for Risk : Description, Role in risk process
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
  – 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior
• Appendix E. Detailed Guidance : Information
  – 13 types of risk related information items : stakeholders, stakes, goals, life cycle, good practices, links to other enablers
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
  – 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)
  – 3 types of risk infrastructure (description), 5 types of risk applications (description)
• Appendix G. Detailed Guidance : People, Skills and Competencies
  – 11 types of risk set of skills and competencies (description) and 2 risk roles (description, experience, education, qualifications, knowledge, technical skills, behavioral skills, related role structure)
COBIT 5 Deliverables : Risk
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Risk-specific Process Goals and Metrics
  – Risk Function
    • Governance : 5 Risk Process Goals and 12 Risk Process Goals related Metrics
    • Management : 14 Risk Process Goals and 24 Risk Process Goals related Metrics
• Risk-specific Process Practices, Inputs/Outputs and Activities
  – Description of governance/management practice, risk-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, risk-specific activities in addition to COBIT 5 activities
  – Risk Function
    • Governance : 9 Risk Governance Practices and 28 Risk Governance Activities
    • Management : 50 Risk Management Practices and 80 Risk Management Activities
  – Risk Management
    • Governance : 2 Risk Governance Practices and 12 Risk Governance Activities (69 actions)
    • Management : 6 Risk Management Practices and 26 Risk Management Activities (103 actions)
COBIT 5 Deliverables : Assurance (318 pages)
• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target Audience, Document Overview and Guidance on its use, Prerequisite Knowledge
• Assurance
  – Assurance defined : 3 party relationship, subject matter, suitable criteria, execution, conclusion
  – Scope of Publication : Two Perspectives, Assurance Function and Assurance
  – Principles of providing Assurance (Engagement types)
• Assurance Function Perspective : Using COBIT 5 Enablers for Governing and Managing an Assurance Function
  – Introduction to Enablers
  – The 7 Enablers
• Assessment Perspective : Providing Assurance Over a Subject Matter
  – Core Assurance Processes
  – Introduction and Overview of the Assessment Approach
  – Determine the scope of the Assurance Initiative (Phase A)
    • 3 aspects to be taken into account (stakeholders, goals, 7 enablers), 14 steps, an example
  – Understand the Enablers, Set Suitable Assessment Criteria and Perform the Assessment (Phase B)
    • Achievement of goals (2 steps), 7 enablers (37 steps)
  – Generic Approach for Communicating on an Assurance Initiative (Phase C)
    • 2 aspects (document and communicate) and 5 steps
• How this publication relates to other Standards
  – ITAF, 2nd Edition, International Professional Practices Framework (IPPF) for Internal Auditing Standards 2013, Statement on Standards for Attestation Engagements N° 16 (SSAE 16)
• Appendix A : Glossary
• Appendix B : Detailed Enablers For Assurance Governance and Management
• Appendix C : Core Assurance Processes
• Appendix D : Example Audit / Assurance Programmes (3 examples : Change Management, Risk Management, BYOD)
COBIT 5 Deliverables : Assurance
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
  – 4 areas : Covered by ITAF, 2nd Edition (18 sections of ITAF)
• Appendix B. Detailed Guidance Processes (see next page)
  – 11 key processes supporting assurance provisioning
  – 3 key core assurance processes
• Appendix C. Detailed Guidance : Organizational Structures
  – 4 key assurance-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
  – 12 other relevant structures for Assurance : Description, Stake in Assurance provisioning
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
  – 5 types of enterprise wide behavior, 8 types of assurance professional behavior, 10 types of management behavior : Behavior, Key Objective/Suitable criteria/outcome, Communication/Enforcement actions, Incentives and rewards actions, Raising awareness actions
• Appendix E. Detailed Guidance : Information
  – 18 types of information items supporting assurance : stakeholders, stakes, goals, life cycle, good practices, links to other enablers
  – 5 types of additional information items input : description
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
  – 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
  – 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)
• Appendix G. Detailed Guidance : People, Skills and Competencies
  – 16 types of assurance set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioral skills
COBIT 5 Deliverables : Assurance
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Assurance-specific Process Goals and Metrics
  – Processes Supporting Assurance Provisioning
    • Governance : 8 Assurance Process Goals and 11 Assurance Process Goals related Metrics
    • Management : 11 Assurance Process Goals and 19 Assurance Process Goals related Metrics
  – Core Assurance Processes
    • Management : 11 Assurance Process Goals and 17 Assurance Process Goals related Metrics
• Assurance-specific Process Practices, Inputs/Outputs and Activities
  – Description of governance/management practice, assurance-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, assurance-specific activities in addition to COBIT 5 activities
  – Processes Supporting Assurance Provisioning
    • Governance : 9 Assurance Governance Practices and 28 Assurance Governance Activities
    • Management : 50 Assurance Management Practices and 80 Assurance Management Activities
  – Core Assurance Processes
    • Management : 17 Core Assurance Practices and 88 Core Assurance Activities (124 actions)
COBIT 5 Deliverables : Implementation (78 pages)
• Introduction
• Positioning GEIT
• Taking the first steps towards GEIT
• Identifying implementation challenges and success factors
• Enabling change
• Implementation life cycle tasks, roles and responsibilities
• Using the COBIT 5 components
• Appendix A : Mapping Pain Points to COBIT 5 Processes
• Appendix B : Example Decision Matrix
• Appendix C : Mapping Example Risk Scenarios to COBIT 5 Processes
• Appendix D : Example Business Case
• Appendix E : COBIT 4.1 Maturity Attribute Table