In a testament to COBIT's universal acceptance, the Supreme Audit Office of Poland (NIK) recently used the COBIT 4.1 framework to assess the level of security of the major IT systems used by Poland’s government agencies.
The process began in 2014 when the NIK reviewed the involvement and performance of Poland’s government agencies in ensuring IT security. The results of the review, published last year, showed that Poland, at the state level, was not prepared to deal with the serious threats coming from cyberspace.
To address this major cybersecurity shortcoming, the NIK decided to verify the security of the information processed in the information systems the state relies upon to operate. The audit, using COBIT 4.1, covered 6 systems managed by different ministries and government agencies.
To achieve an objective and comparable assessment of the level of security management of the selected systems, the NIK decided to use process DS5 Ensure Systems Security as the source of the control objectives and the process maturity model for the audit. The COBIT framework is recommended to supreme audit institutions in the "INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public Sector" and the "WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions" developed by the INTOSAI Development Initiative (IDI).
The audit found that only one government agency’s systems security was at level 3, meaning it had a defined DS5 process (see diagram below). Three agencies were at level 2, meaning the process was repeatable. Two were at level 1, meaning the process was initial or ad hoc.
The results of the audit were recently published in Polish on the NIK's website. They were also presented by Krzysztof Kwiatkowski, president of the Supreme Audit Office of Poland, during CyberGOV, an important conference on cybersecurity for the public sector in Poland.
In its report, the NIK also included conclusions on its findings and recommendations for the audited organizations as well as specific recommendations for the Ministry of Digitization, which is responsible for coordinating cybersecurity in Poland. The significance of the findings has been widely commented on and analyzed by stakeholders responsible for implementing the NIK’s recommendations.
Since the report was completed, there has been a rise in interest in the COBIT framework and the ISACA Cybersecurity Nexus (CSX) program in Poland. Poland’s two ISACA chapters have been busy answering questions and providing guidance on how to implement governance and security processes that can enable Poland to deal with cybersecurity threats.
ISACA has since released COBIT 5 in Polish. The following processes are recommended when preparing an audit of information security:
APO13 Manage Security
DSS05 Manage Security Services
MEA02 Monitor, Evaluate and Assess the System of Internal Control
COBIT publications in Polish include COBIT 5 Framework, COBIT 5 for Risk, COBIT 5 for Information Security, COBIT Process Assessment Model (PAM): Using COBIT 5, and COBIT Self-assessment Guide: Using COBIT 5. In addition to English, COBIT materials are also available in the following languages:
COBIT recently celebrated its 20th anniversary.