@ISACA Volume 24  29 November 2017

Implementing COBIT 5—Suggestions to Overcome the Initial Challenge


Sunil Bakshi

COBIT 5 is an end-to-end framework for implementing governance of enterprise IT (GEIT) within any organization that depends on IT. The COBIT 5 framework and related COBIT publications help organizations implement COBIT to enable benefit realization, risk optimization and resource optimization for their enterprises. These publications include COBIT 5 for Risk, Primer for Implementing GEIT, COBIT 5 for Security, COBIT 5 for Assurance and more. COBIT 5 publications provide adequate guidance on processes organizations can follow to implement COBIT 5, and these publications include self-assessment toolkits. A Guide for Implementing COBIT 5 provides comprehensive guidance for initiating and executing the process for implementing COBIT 5 within an organization.

However, the implementer often faces challenges, particularly when it comes to implementing processes. Most organizations have defined business processes and IT operational processes. Mapping these processes to the COBIT 5 process reference model (PRM) becomes difficult because organizations have multiple verticals, and each vertical has different processes to deliver its products and services. The COBIT 5 PRM also identifies generic processes for governance and management, management/governance practices for each process, and activities for these practices, documented in COBIT 5: Enabling Processes. Organizations that have multiple business verticals must repeat most processes from the PRM in each vertical and, therefore, mapping becomes challenging.

The main reason organizations look to implement the COBIT 5 PRM is that COBIT 5: Enabling Processes provides detailed management practices and activities for each process along with indicative measurement metrics that are handy and useful, but also require adjustment to an organization’s requirements. This becomes obvious for organizations that have various business functions supported by common and independent IT solutions. For example, commercial banks have implemented multiple solutions for retail banking, treasury operations and alternate service delivery channels, e.g., Internet banking, mobile banking and automated teller machines (ATMs).

Although some organizations find their own way to implement COBIT 5, some tips to overcome COBIT 5 implementation challenges are offered here:

  • Instead of starting with COBIT 5 PRM and other COBIT 5 artifacts, start with organization processes.
  • Identify the goals, practices, work products (input and output), activities and enablers for these processes.
  • Map them with various processes from the COBIT 5 PRM. COBIT 5: Enabling Processes provides the best reference for this mapping. Repeat this mapping for each business function.
  • This mapping helps identify gaps in activities and management practices and processes of the organization when compared with the COBIT 5 PRM.
  • Identify measurement metrics for each business unit’s processes for each business function where the PRM processes are mapped.
  • Define measurement metrics as per organization goals and objectives to reflect benefit realization.
  • One can use this method for implementation in other areas, e.g., risk management, information security and vendor management.

Of course, this is not the only way to implement COBIT 5; however, it may help clarify the process, since the organization's established processes are more familiar to the professionals in charge of implementation.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Learn to Design Better Security With Attack Path Mapping in This Webinar



If you could predict how hackers would break into your organization and extract data, you could use this information to design security controls to prevent a data breach. Using a technique called attack path mapping, you can now understand the probability of the hacker kill chain and quantify the risk. This allows organizations not only to reduce risk, but design better controls.

ISACA and CA Technologies are partnering to present the “Design Better Security, How to Use ‘Attack Path Mapping’ to Prescribe Your Security Controls” webinar, in which attendees will learn how to use these techniques not only to help organizations put controls in the right place, but also to think like attackers to reduce risk. Instead of building a security strategy based on fear and sensationalism, organizations can apply a methodology that instills confidence across the organization. MWR InfoSecurity has applied this approach at Scotia Gas Network (SGN), the first fully cloud-based utility company in the United Kingdom, with great success and created an example for the UK National Center for Cyber Security (NCSC) to follow. This webinar takes place on 5 December at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Naresh Persaud, senior director of security at CA Technologies, and Edward Parsons, associate director at MWR InfoSecurity, will lead the webinar. They will use their combined dynamic security industry experience to illustrate how to use attack path mapping to reduce hacker risk to your enterprise.

To learn more about this webinar or to register for it, visit the Design Better Security, How to Use “Attack Path Mapping” to Prescribe Your Security Controls page of the ISACA website.


Webinar: Protect Your Data With Threat Intelligence



Threat intelligence plays a critical role in data protection and malware mitigation. Learning to gain deep visibility into your network and creating regular centralized reports can help you analyze your network and plan to prevent future data leaks.

ISACA and Infoblox are partnering to present the “Threat Intelligence Is Vital to Data Protection and Malware Mitigation” webinar, which will cover disruption of the cyber kill chain, prevention of malware proliferation, prevention of domain name system (DNS)-based detection, and prevention of known and 0-day data exfiltration. This webinar takes place on 12 December at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Sam Kumarsamy, who is currently working in security product marketing at Infoblox, will lead the webinar. He will use his experience with disruptive products, services and solutions to help guide your understanding of threat intelligence applied to your organization.

To learn more about this webinar or to register for it, visit the Threat Intelligence Is Vital to Data Protection and Malware Mitigation page of the ISACA website.


Explore Security Resilience Topics in ISACA Virtual Conference


Wednesday, 13 December, marks ISACA’s free, full-day virtual conference focused on providing you with the opportunity to explore security resilience topics from the comfort of your own home. According to the 2017 Verizon Data Breach Investigation Report (DBIR), more than 50% of data breaches analyzed involved malware, and ransomware was the 5th most common malware variety recorded, up from the 22nd most common in the 2014 DBIR. As security professionals move from a shields-up approach to a multidimensional posture, some common challenges emerge.

Today’s security and IT professionals will gain insight into the paradigm shift that is already underway in this virtual event. Learn from security experts Nicholas Merker, partner and cochair at Ice Miller’s Data Security and Privacy Practice, Dave Shackleford, owner and principal consultant at Voodoo Security, Jeffrey Ritter, founder at Ritter Academy, and Kevin Beaver, founder and principal information security consultant at Principle Logic LLC, as they dive into the following topics in their respective sessions:

  • GDPR: The Data Security Processes to Remain Compliant
  • Five Opportunities for Security Improvements in a Cloud Microservices Architecture
  • Ransomware: What It Tells Us About Future Cybercrime
  • Tapping Into Incident Management Data to Prevent Future Risk

Earn up to 5 free continuing professional education (CPE) hours by attending this ISACA and Tech Target event from 7:15AM – 4PM CST (UTC -6 hours). To learn more, visit the Virtual Conference: Security Resilience: Incident Management Beyond Ransomware, Zero-Days and Even GDPR page of the ISACA website.


Nominate an Outstanding Colleague for an ISACA Award



Have you read a thought-provoking article or seen a motivating speaker at an ISACA event? Have you been inspired by the passion and leadership of an ISACA volunteer? Does your chapter have dedicated leaders launching innovative new programs? ISACA needs your help to recognize these outstanding contributions across our professional community.

Nominations for the ISACA Global Achievement Awards and ISACA Chapter Awards are due by 31 January.

ISACA recognizes outstanding contributions that advance the professional community and exemplify ISACA’s purpose, values and leadership. By acknowledging the individuals and achievements that have a positive impact on a global society, ISACA seeks to inspire future generations of business and technology professionals.

Global Achievement Awards are the highest awards presented by ISACA for exemplary and longstanding contributions to the organization and the business technology community. Chapter Awards recognize outstanding contributions by chapters and individual chapter members in fulfilling the needs of ISACA and its professional community. ISACA is launching 2 new chapter awards: the Outstanding Chapter Leader Award and the Innovative Chapter Program Award.

It is with gratitude to the ISACA Awards Working Group that the awards program is being relaunched with numerous enhancements, including a more defined nomination and peer evaluation process, new Chapter Awards, and better recognition of award recipients. The 2018 award nomination process concludes on 31 January 2018.

The 2018 Global Achievement Awards and certification top scores for the Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified in Governance of Enterprise IT (CGEIT) exams will be presented at EuroCACS, and Certified Information Systems Auditor (CISA) and CSX Practitioner exam top scores will be recognized at CSX Europe. The Chapter Awards banquet will be held at the 2018 Global Leadership Summit.

The 2019 nomination cycle will open in mid-2018 and marks the beginning of a regular annual nomination cycle.

ISACA membership is not required to receive an ISACA award, though membership is required to submit a nomination. ISACA seeks to recognize the most outstanding achievements across the industry from speakers, authors, leaders and chapters. Nominate someone who inspires you! Visit the ISACA Awards page to access nomination forms, eligibility guidelines and read more about the different awards.


White Paper: Discover How to Define Your DevOps Processes


Development Operations (DevOps) is not the enemy of robust and mature software development; it is the path toward more efficient processes. Implementing DevOps processes, culture and technology can make application development more flexible and deployment more stable and continuous. As a result of integrating deployment operations into software development itself, an organization can create applications more efficiently and rapidly adjust to user requirements for smoother and more resilient performance overall.

The white paper DevOps: Process Maturity by Example demonstrates DevOps value to enterprises utilizing mature development, addresses the culture and mindset required for successful DevOps implementation, reviews the application of the Capability Maturity Model Integration (CMMI) model or COBIT 5 within a DevOps environment, and examines the challenges that coincide with that application. Several case studies illustrating how DevOps provides value to enterprises with mature development organizations are also included at the end of this paper.

You can access the complimentary ISACA white paper on the DevOps: Process Maturity by Example page of the ISACA website. If you would like to learn more about DevOps, ISACA offers 2 publications that introduce the methodology and explore its implications. The DevOps Overview outlines what DevOps is, while DevOps Practitioner Considerations covers practitioner considerations in enterprise DevOps adoption.


Show Your Expertise With a CISM Certification

Steve Challans, CISA, CRISC, CISM, ISO 27001 LA, PCIP, Chief Security Officer at Prophecy International, Shares His Experience as a CISM

In the mid-2000s when Steve Challans was contracted as a security manager for a large organization, he already had his Certified Information Systems Auditor (CISA) certification. He had been practicing information security as a consultant for 6 years and had worked around information security since the late 1980s, so he decided to take his knowledge and credentials one step further by taking the Certified Information Security Manager (CISM) exam. He feels that adding this certification helps him speak with authority to customers and management about information security.

As a past president for the ISACA Adelaide (South Australia, Australia) Chapter, member of the ISACA CISM exam item development working group and past member of the ISACA conference program development subcommittee, Challans has had an opportunity to meet many like-minded and aspiring CISMs. He loves mentoring others on how to be security conscious, helping developers implement better security and helping others pass the CISM exam. He has enjoyed working with the CISM certification team to prepare exam questions that allow those who seek the knowledge to learn more. Challans says he would like “to see millions more people in the world understand security like [he does] and aspire to get certified; it would help to make the world a safer place.” He believes that pursuing the CISM exam drives professionals to get the experience needed for the certification and helps add credibility to their knowledge base.

Challans believes security applies to more than just information. He applies security principles to everything he does, whether at home or at the office. He helps friends with IT and security issues and spreads general security awareness with those around him. In his professional life, he works with development teams to ensure secure coding practices and principles while also assuring that customers are aware of security best practice concepts.

Even though Challans struggles to find time to do his job and get adequate sleep, he loves what he does. Challans says, “There is never a dull moment. There is a variety of things to do and improve. It is a constant process of learning and improving in everything I do.” He feels that being a CISM allows him to be involved in more security-based projects and that it is an extension of his overall goal to always learn more and be a better security professional. He still tries to make time to study and help others, and he attributes all of this to helping him build a successful career.

When Challans is not studying, working or sleeping, he loves to delve into science fiction and space movies and play video games to unwind. Even in his spare time he likes to read about current security news around the world. He also enjoys spending time with his family and traveling with them.

Overall, Challans is thankful that the CISM exam has broadened the information security world for him. He has gotten involved in an ISACA chapter board, served on international committees and traveled the world. He has met amazing people and made long-lasting friendships by working with his local chapter and the CISM certification working group and attending the ISACA Global Leadership Conference. He says he loves to see people from different cultures come together at the ISACA Global Leadership Conference to work toward certifications that broaden their skill sets.

To learn more about ISACA certifications, visit the Certification page of the ISACA website.