ISACA Now Blog


Auditing Cyber Controls using COBIT 5

David Berkelmans, CISA
Executive Director IT Audit at Synergy Group
 
Posted at 3:08 PM by ISACA News | Category: Audit-Assurance

The Australian Signals Directorate (ASD) has developed a list of 35 mitigation strategies (http://asd.gov.au/infosec/mitigationstrategies) for mitigating targeted cyber intrusions, ranked in order of overall effectiveness. Analysis undertaken by ASD indicates that at least 85 percent of the cyber attacks it responded to could have been prevented if the top four strategies on this list had been implemented. This top four is often referred to as the “ASD Top 4”, and its implementation is mandatory for certain Australian Government entities. The ASD Top 4 are:

  1. Use application whitelisting to help prevent malicious software and unapproved programs from running
  2. Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
  3. Patch operating system vulnerabilities
  4. Restrict administrative privileges to operating systems and applications based on user duties.

To support this, the Australian Government Information Systems Manual (ISM) (http://www.asd.gov.au/infosec/ism) includes 23 mandatory controls that relate to the ASD Top 4.

Because of this mandatory requirement, in recent years I have been involved in a number of audits that included an assessment of compliance with the ASD Top 4. Initially we took a strict compliance approach, making a yes/no assessment against each of the 23 controls for the systems in scope.

Our initial assessments in these areas indicated that non-compliance could generally be attributed to broader governance issues. For instance, a point-in-time review may find that security patches are, or are not, up to date on a given day; however, the ongoing processes that ensure security patches are installed in a timely manner require supporting governance structures. We decided that our approach required adjustment and that we should focus on cybersecurity governance.

We subsequently started using COBIT 5 assurance guidance to undertake these audits. Our first step is to assess the COBIT 5 enablers and understand how these enablers apply to the ASD Top 4 requirements.

We mapped the enablers to each of the ASD Top 4. For each enabler, we assess what is in place to ensure ASD Top 4 compliance. ISACA’s Transforming Cybersecurity Using COBIT 5 provides excellent guidance on how to apply these enablers to cybersecurity controls.

In relation to the actual implementation of the ASD Top 4, the second COBIT 5 enabler, “processes”, is the key area of focus for any ASD Top 4 review. Figure 32 in Transforming Cybersecurity Using COBIT 5 provides a mapping between the COBIT 5 processes and cybersecurity processes. The following COBIT 5 processes can be specifically applied to the ASD Top 4.

Table: COBIT 5 process mapped against each ASD Top 4 strategy (Application White Listing, Patch Applications, Patch Operating Systems, Restricting Administrator). The processes in the table are:

  APO03 Manage enterprise architecture.
  APO07 Manage human resources.
  APO12 Manage risk.
  APO13 Manage security.
  BAI02 Manage requirements definition.
  BAI03 Manage solutions identification and build.
  BAI05 Manage organisational change enablement.
  BAI06 Manage changes.
  DSS01 Manage operations.
  DSS02 Manage service requests and incidents.

For each of the COBIT 5 processes listed above, audit/assurance programs are available from ISACA. We have been able to adapt these audit programs to make them more specific to the ASD Top 4. The end result is that we can provide entities not only with an assessment of compliance but also with guidance on how to sustain compliance in the future by having a robust governance framework in place.
