ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Continuing the conversation: COBIT 5 and data-breach prevention

Continuing the conversation:  COBIT 5 and data-breach prevention

| Posted at 4:49 PM by ISACA News | Category: COBIT-Governance of Enterprise IT | Permalink | Email this Post | Comments (1)

Mathew Nicho, Ph.D., director of the Master of Science program at the College of Information Technology at the University of Dubai, and Hussein Fakhry, Ph.D., dean of that college, recently contributed an intriguing piece to the ISACA Journal, titled “Using COBIT 5 for Data Breach Prevention.” We reconnected with them to further explore the topic in the Q&A below.

ISACA:  How effective is COBIT 5 for data-breach prevention? Why?
Hussein: Generally speaking, the COBIT5 framework covers the big-picture boundary and issues. However, considering specific industry, we need to respect and integrate its standards within the COBIT framework. For example, consider the case of the PCI industry and its standards and best practices.
Mathew: COBIT can be used as an umbrella framework and the processes need to be matched with the NIST or ISO 27000 series for greater granularity. This is confirmed from a banking or government perspective.

ISACA:  Are unique approaches needed to protect data that is at rest, in motion and in use?
Hussein:  The question spans different situations/categories for data protection. Each category has its unique features and corresponding vulnerabilities. Therefore, the short answer is yes. There is a need to use multiple approaches to cover all these situations.
Mathew: Yes, they need to be classified and encrypted—COBIT has controls for this. Plus there are commercial solutions.

ISACA: You wrote, “The key guiding principle for any control implementation is to decide on the appropriate level of security since organizations are not in a position to ensure maximum security.” What is that?
Hussein:  No security system is perfect. Also, we have to always balance security, accepted risk and cost of doing business. So, within the general assessments of risks, probabilities and impacts, organizations have to consciously decide on the acceptable levels of security to implement and acceptable risks to mitigate.
Mathew: The security probability can be enhanced through appropriate controls.

ISACA: Why is information security not often addressed in a holistic and comprehensive way? Why should it be?
Hussein: Information security is often less appreciated due to lack of proper awareness at the executives/board-member level. It is traditionally seen as pure technology issue/solution to be handled by the company IT guru using some software fix. Nonetheless, it is often underestimated in the enterprise risk management assessments and reports. This is further compounded by the shortage of holistic models to derive this change. A holistic and comprehensive approach is needed, as a security plan’s success depends very much on top management commitment, staff training and company cultural change, as well as adopting the proper governance model and security systems.
Mathew: As of now there is no holistic model for this. But in interviewing a dozen organizations since 2010, we found that their profile and requirements are different. Hence, a generic model incorporating all elements of IT governance, compliance and security is not feasible, but still possible. In this respect we are on the fourth year of this research and found one successful implementation of a holistic homegrown model with 10 frameworks/models/standards in a synergic integration. This holistic model—an IT GRC model focusing on a bank—will be published in due course.

ISACA: Why is the generic/malleable nature of COBIT5 beneficial?
Hussein: It allows customization and integration of specific standards and processes to further suit the specific needs of a particular industry.
Mathew: Users can customize it to suit or map to any detailed framework.

Continue the conversation in the COBIT 5—Use if Effectively topic within ISACA’s Knowledge Center.


Comments and questions on addressing nontechnical controls with more IT controls?

An interesting article with very stimulating observations. However, I found difficult to understand whether and how the use of the proposed IT management practices would address the main issues raised in the article.

While the fundamental finding reported in the article “revealed that 70 per cent of the breaches occurred due to missing or overlooked nontechnical IT controls”, the analysis kept its focus on the “role of IT controls” and the derived “IS control frameworks/standards” as mapped with COBIT.

My initial reaction to this approach: Why keep trying to address the overlooked nontechnical IT controls with “more” IT controls? What not looking beyond IT controls all together?
Having implemented and audited COBIT, VAL-IT, and ISO2700X, I greatly benefited from the structured approach and comprehensive scope of these standards. The many mapping exercises between these standards have also helped to build bridges between the nontechnical and technical IT controls. However, the gaps persisted and - as the demonstrated in the referenced cases– in some instances are getting wider.

Allow me to pose some provocative questions for the sake of continuing this interesting conversation:

(i) What is a “nontechnical IT control”? Isn't this a self-contradicting statement considering that the “T” in IT stands for “technology”?

(ii) Should any answer to the first question confirm that nontechnical controls would include “non-IT” people and processes?

(iii) Then, why not trying to advance and build on models focused on systems analysis, people, and processes (i.e., the ISACA Business Model for Information Security)?     

It could be argued that framework and code of practices - such as COBIT and ISO27002 - are generic, process based, and nontechnical in nature.  In practice, however, how many nontechnical/non-IT managers would be familiar with them and their application?
Dino C. Dell'Accio at 11/13/2013 5:36 PM
You must be logged in and a member to post a comment to this blog.