@ISACA Volume 14: 3 July 2012 

@ISACA Relevant, Timely News

Obtain Your Copy of COBIT 5 for Information Security Now

COBIT 5® for Information Security, a newly released COBIT 5 professional guide, examines COBIT 5 from a security point of view, placing an information security lens over the concepts, enablers and principles of the recently updated framework. It is intended for all stakeholders in the enterprise, because information security is everyone’s responsibility. Using it can produce enterprise benefits such as better-informed risk decisions and improved cost management for the information security function.

Appendix B, Detailed Guidance: Processes Enabler, is presented in the same format as the tables in COBIT 5: Enabling Processes and provides security-specific process goals and metrics, inputs/outputs, and activities.

COBIT 5 for Information Security aims to be an umbrella framework that connects to other information security frameworks, good practices and standards. It describes the pervasiveness of information security throughout the enterprise and provides an overarching framework of enablers. The relevant information security frameworks, good practices and standards still need to be adapted to the specific requirements of the enterprise’s environment. Each enterprise can then decide, based on its specific needs, its legacy situation, the availability of a given framework and other relevant factors, which framework or combination of frameworks is best to use. The mapping of COBIT 5 for Information Security to related standards, provided in appendix H of the publication, can help you find a suitable combination of frameworks for your enterprise.

COBIT 5 for Information Security is available in the ISACA Bookstore.


Tips for Accomplishing Incident Classification

The basic requirement for incident response (IR) is identifying the type of incident that has occurred or is occurring. The six incident categories are listed here, numbered as levels (the numbers are category labels, not a severity ranking). The list originated with the US Computer Emergency Readiness Team (US-CERT) and the US National Institute of Standards and Technology (NIST) for use with US government systems, but has been modified here to cover both public and private enterprises. For each type of incident the list also notes the generally accepted reporting requirement:

  • Level 1:  Unauthorized access—In this category, an individual gains logical or physical access without permission to a department/agency/corporate network, system, application, data or other resource (e.g., physical documents). This category includes any breach of personally identifiable information (PII) or privacy data. This type of incident should be reported to the responsible corporate or organizational office as soon as the incident is identified.
  • Level 2:  Denial of service (DoS)—This category concerns an attack that successfully prevents or impairs the normal, authorized functionality of networks, systems or applications by exhausting resources. It includes both being the victim of a DoS attack and participating in one. A DoS attack is focused on keeping users from reaching the computing resources they need to accomplish their tasks. Most current routers have DoS mitigation built into their operating systems, so this type of incident is usually either aimed at older equipment or a large-scale attack from many sources at once (a distributed DoS).
  • Level 3:  Malicious code—This category covers the successful installation of malicious software (e.g., virus, worm, Trojan horse or other code-based malicious entity) that infects an operating system or application. Today, this category accounts for the largest number of reported incidents, and most antivirus and anti-malware vendors report large increases in the number and spread of malware across the Internet. Departments/companies/agencies are not required to report malicious code that has been successfully quarantined by antivirus software.
  • Level 4:  Improper use—In this category, a person violates the acceptable-use or computer-use policy of any network or system. This is the typical classification for an insider threat or an incident involving a disgruntled employee within an enterprise. Incidents of this type can cause large losses, although they are usually isolated to one network or location, and they may require substantial incident-handling activity.
  • Level 5:  Scans/probes/attempted access—This category includes any activity that seeks to identify or access a corporate or departmental computer, its open ports, protocols or services, or a combination of these, for later exploitation. The activity does not itself result in a compromise or DoS. It can be caused by vulnerability scanning tools, network mapping tools and penetration testing tools, and it can arise from expected or unexpected scans, tests, automated equipment evaluations and outside reconnaissance of networks and machines. Before reporting, confirm whether the scan was an authorized test.
  • Level 6:  Investigation—This category covers unconfirmed incidents: potentially malicious or anomalous activity that the enterprise deems to warrant further review. Once an incident is determined to require additional investigation, this category remains in effect for the duration of the investigation. It is the category for all types of investigations—criminal, civil, administrative and forensic.

Leighton Johnson, CISA, CISM, CRISC, CAP, CISSP, CSSLP, CTO-ISFMT, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.
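
The following triage helper, an added example that is not part of the article or the author's material, turns the six categories above into a classification routine and runs it over a handful of constructed events. The `Event` field names, the precedence order in `classify()` (an open investigation keeps Level 6 for its whole duration; a confirmed outcome such as access, DoS or malware outranks policy violations or probing that produced no compromise) and the default of reporting everything except quarantined malware and incidents already under investigation are this example's own assumptions; the categories and the two reporting rules stated in the article (report unauthorized access as soon as identified, no report for quarantined malware) are the article's.

```python
# Incident-category triage. Added example, not from the article: the Event
# schema, the precedence order in classify() and the sample events are this
# example's own assumptions; the six categories are the article's.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """Facts an analyst has established for one observed event (assumed schema)."""
    source: str                        # host, sensor or ticket the event came from
    access_gained: bool = False        # logical or physical access obtained without permission
    pii_exposed: bool = False          # PII or privacy data breached
    service_impaired: bool = False     # normal function prevented by resource exhaustion
    malware_detected: bool = False     # virus/worm/Trojan observed on a system
    malware_quarantined: bool = False  # ...and the antivirus product contained it
    policy_violation: bool = False     # acceptable-use or computer-use policy broken
    scan_activity: bool = False        # port/protocol/service probing, no compromise
    under_investigation: bool = False  # enterprise has opened a formal investigation


@dataclass
class Classification:
    level: int
    name: str
    report_required: bool
    note: str = ""


def classify(ev: Event) -> Optional[Classification]:
    """Return the incident category for ev, or None if nothing qualifies.

    Precedence is an assumption of this example: Level 6 persists while an
    investigation is open; otherwise a confirmed outcome (access, DoS, malware)
    outranks policy or probing activity that produced no compromise.
    """
    if ev.under_investigation:
        return Classification(6, "Investigation", False,
                              "stays at Level 6 until the investigation closes")
    if ev.access_gained or ev.pii_exposed:
        return Classification(1, "Unauthorized access", True,
                              "report to the responsible office as soon as identified")
    if ev.service_impaired:
        return Classification(2, "Denial of service", True)
    if ev.malware_detected:
        if ev.malware_quarantined:
            return Classification(3, "Malicious code", False,
                                  "quarantined by antivirus: no report required")
        return Classification(3, "Malicious code", True, "successful installation")
    if ev.policy_violation:
        return Classification(4, "Improper use", True, "possible insider threat")
    if ev.scan_activity:
        return Classification(5, "Scans/probes/attempted access", True,
                              "no compromise; confirm whether the scan was expected")
    return None


def triage(events: List[Event]) -> dict:
    """Count events per level and queue the ones that must be reported."""
    counts = {lvl: 0 for lvl in range(1, 7)}
    report_queue = []
    unclassified = []
    for ev in events:
        c = classify(ev)
        if c is None:
            unclassified.append(ev.source)
            continue
        counts[c.level] += 1
        if c.report_required:
            report_queue.append((ev.source, c.level, c.name))
    return {"counts": counts, "report": report_queue, "unclassified": unclassified}


# Constructed sample events for illustration; these are not real incidents.
SAMPLE_EVENTS = [
    Event("web-01", access_gained=True, pii_exposed=True),
    Event("edge-rtr", service_impaired=True),
    Event("ws-117", malware_detected=True, malware_quarantined=True),
    Event("ws-204", malware_detected=True),
    Event("hr-share", policy_violation=True),
    Event("dmz-sensor", scan_activity=True),
    Event("fin-db", access_gained=True, under_investigation=True),
    Event("ws-301"),  # benign: nothing to classify
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        c = classify(ev)
        label = f"{c.level} {c.name}" if c else "- no incident"
        flag = "REPORT" if c and c.report_required else ""
        print(f"{ev.source:10} -> {label} {flag}")
    print(triage(SAMPLE_EVENTS))
```

Note that `fin-db` shows the investigation rule in action: access was gained, which alone would be Level 1, but because a formal investigation is open the event stays at Level 6 until it closes, exactly as the category description requires.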


Keep IT Running Securely in the Face of Mobility and BYOD
Attend ISACA’s Complimentary Virtual Conference: Mobile Security Imperatives 2012: Keep IT Running in the Face of Mobility, Bring Your Own Device and Mobile Applications

Looking to secure your enterprise in the face of mobility and Bring Your Own Device (BYOD)? Participate in ISACA’s upcoming Virtual Conference:  Mobile Security Imperatives 2012. Scheduled for 19 July 2012 from 6:45AM to 3:30PM CDT (UTC/GMT -5 hours), this virtual conference will provide a great opportunity for you to:

  • Engage in educational sessions on today’s mobile security hot topics
  • Network with colleagues from around the globe
  • Take part in technology spotlight sessions by leading security service providers and thought leaders
  • Attend education sessions from home or work at no charge

The virtual conference will include multiple education sessions, among them:
  • The Legal Issues of Bring Your Own Device Under EU Privacy and Data Protection Law, presented by Johan Vandendriessche, independent technology and privacy lawyer
  • BYOD: Preparing Your Organization for the Connectivity Wave, presented by John Harris, chief architect and global vice president of IT strategy, GlaxoSmithKline, and founder of the Corporate IT Forum
  • Diverse Mobile Platforms, Complicated Security, presented by Lisa Phifer, president of Core Competence Inc.
  • Safeguarding Mobile Applications, presented by Lisa Phifer, president of Core Competence Inc.

Register now for Mobile Security Imperatives 2012 on the ISACA web site.


Tips for Effective Documentation

To help IT professionals turn unstructured information into usable material during the documentation process, ISACA Journal volume 4 author Adrienne Bellehumeur, CISA, CA, PMP, offers a three-step documentation process:

  1. The organization must adopt a strategic process for documentation. This demands that management, project managers, technical writers and technical staff all understand and engage in the process. The step requires prioritization based on risk and opportunity, since not every process, department and team requires the same level of attention.
  2. The organization needs to have the right people. The resources required for effective documentation are not necessarily the same for every assignment, and the appropriate professionals may come from a variety of backgrounds including technical writing, project communications, business analysis, quality assurance and audit. The organization needs team members who not only have the competence for documentation, but who also understand and appreciate its value.
  3. The organization needs to build a culture of accountability and best practices around effective documentation. This culture must stem from senior management and trickle down throughout IT operations. A culture of accountability requires regular audits of operational and project documentation and a system for rewarding staff who maintain strong documentation practices.

Read Adrienne Bellehumeur’s full article, “Everybody Loves Documentation,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.


Read More Articles in Our Archives