Mathew Nicho, Ph.D., director of the Master of Science program at the College of Information Technology at the University of Dubai, and Hussein Fakhry, Ph.D., dean of that college, recently contributed an intriguing piece to the ISACA Journal, titled “Using COBIT 5 for Data Breach Prevention.” We reconnected with them to further explore the topic in the Q&A below.
ISACA: How effective is COBIT 5 for data-breach prevention? Why?
Hussein: Generally speaking, the COBIT 5 framework covers the big-picture boundary and issues. However, considering a specific industry, we need to respect and integrate its standards within the COBIT framework. For example, consider the case of the PCI industry and its standards and best practices.
Mathew: COBIT can be used as an umbrella framework and the processes need to be matched with the NIST or ISO 27000 series for greater granularity. This is confirmed from a banking or government perspective.
ISACA: Are unique approaches needed to protect data that is at rest, in motion and in use?
Hussein: The question spans different situations/categories for data protection. Each category has its unique features and corresponding vulnerabilities. Therefore, the short answer is yes. There is a need to use multiple approaches to cover all these situations.
Mathew: Yes, they need to be classified and encrypted—COBIT has controls for this. Plus there are commercial solutions.
ISACA: You wrote, “The key guiding principle for any control implementation is to decide on the appropriate level of security since organizations are not in a position to ensure maximum security.” What is that?
Hussein: No security system is perfect. Also, we have to always balance security, accepted risk and cost of doing business. So, within the general assessments of risks, probabilities and impacts, organizations have to consciously decide on the acceptable levels of security to implement and acceptable risks to mitigate.
Mathew: The security probability can be enhanced through appropriate controls.
ISACA: Why is information security not often addressed in a holistic and comprehensive way? Why should it be?
Hussein: Information security is often less appreciated due to a lack of proper awareness at the executive/board-member level. It is traditionally seen as a pure technology issue/solution to be handled by the company IT guru using some software fix. Nonetheless, it is often underestimated in enterprise risk management assessments and reports. This is further compounded by the shortage of holistic models to drive this change. A holistic and comprehensive approach is needed, as a security plan’s success depends very much on top management commitment, staff training and company cultural change, as well as adopting the proper governance model and security systems.
Mathew: As of now there is no holistic model for this. But in interviewing a dozen organizations since 2010, we found that their profiles and requirements are different. Hence, a generic model incorporating all elements of IT governance, compliance and security is not feasible, but still possible. In this respect we are in the fourth year of this research and found one successful implementation of a holistic homegrown model with 10 frameworks/models/standards in a synergic integration. This holistic model, an IT GRC model focusing on a bank, will be published in due course.
ISACA: Why is the generic/malleable nature of COBIT 5 beneficial?
Hussein: It allows customization and integration of specific standards and processes to further suit the specific needs of a particular industry.
Mathew: Users can customize it to suit or map to any detailed framework.