
Leveraging COBIT to Implement Information
Security (Part 2)

By John Frisken, CISA, CA

COBIT Focus | 27 July 2015

This article is a continuation of the article published 4 May 2015 called “Leveraging COBIT to Implement Information Security (Part 1).”


Studies by many organisations have highlighted that companies that are remaining secure are focusing on implementing security controls as an integral part of their IT service management (ITSM) systems, not as stand-alone management systems. Companies that practice configuration management and maintain careful inventories of their hardware and software are staying secure. Those that do not have significantly higher risk, as borne out by security incident studies.


Many of the items managed within infrastructure management are significant for information security for 2 main reasons:

  • Loss of configuration information related to any piece of infrastructure represents a significant threat to the ongoing availability of information stored on or managed by that device.
  • Incorrect configuration of devices such as routers, firewalls and servers represents critical threats that can expose the enterprise to significant loss or corruption of data.

The implementation of an information security management system (ISMS) is designed to assist in the automation and management of the large number of activities that need to be co-ordinated, recorded and followed up to maintain security. When organisations do not have an ISMS, they either spend a large amount of effort to manually track issues or they fail to maintain control over risk. In addition, it is a requirement to maintain evidence in relation to the operation of these controls for audit and external compliance purposes.


The previous article provided an overview of how COBIT provides the framework for enabling the various standards and processes required to maintain these systems to be implemented and operated. This follow-up article discusses implementing security within the context of operating ITSM and infrastructure management systems.


COBIT 5 provides a recognised umbrella framework which helps to organise and structure how other frameworks and concepts such as the IT Infrastructure Library (ITIL), ISO/IEC 27001 and SANS Critical Security Controls can be orchestrated. The 2 main concepts in COBIT that are leveraged within this model are:

  • IT Governance Maturity Model to prioritise measures for implementation of controls
  • Control embedment techniques based around the responsible, accountable, consulted and informed (RACI) matrix

Process orchestration as implemented by leading vendors such as SAP and Serena refers to the idea of facilitating the connection of different processes across the organisation so they can operate without manual handoffs, which introduce opportunities for errors, oversights and/or gaps in the audit trail.


Process orchestration, therefore, provides benefits related to efficiency as well as higher levels of protection owing to the automation of monitoring activities, escalation and alert processes on which secure systems rely to provide continuous protection.


The design of an ISMS is defined by ISO 27001, particularly the governance concepts defined in the initial section of the standard. It is an objective-driven approach linked to optional control statements that organisations can adapt using a risk assessment basis to achieve those objectives.


The SANS Critical Security Controls provide an alternative view of priorities based around security processes, focussing on the prevention of high-risk reported vulnerabilities. These are summarised in figure 2, which shows a cross-reference of the SANS controls to ITSM processes (figure 1) such as Configuration/Change Management using techniques such as workflow automation, notification and escalation to effectively identify and manage security events. This depiction makes clear the criticality of managing control over the configuration of all aspects of the infrastructure, software, processes and personnel to achieve effective security.

Figure 1—Configuration Management Process

Source: John Frisken. Reprinted with permission.


Figure 2—SANS Critical Controls for Information Security

Columns: SANS Critical Control; Configuration Management; Automation; Notification; Escalation
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5 Boundary Defense
6 Maintenance, Monitoring, and Analysis of Audit Logs
7 Application Software Security
8 Controlled Use of Administrative Privileges
9 Controlled Access Based on Need to Know
10 Continuous Vulnerability Assessment and Remediation
11 Account Monitoring and Control
12 Malware Defenses
13 Limitation and Control of Network Ports, Protocols, and Services
14 Wireless Device Control
15 Data Loss Prevention
16 Secure Network Engineering
17 Penetration Tests and Red Team Exercises
18 Incident Response Capability
19 Data Recovery Capability
20 Security Skills Assessment and Appropriate Training to Fill Gaps

Source: John Frisken. Reprinted with permission.


An additional complication is that within modern ITSM systems, capturing configuration data in a single physical configuration management database is often impossible for a range of technical and political reasons. For this reason, a federated configuration management database (CMDB) has evolved to meet this need.


Achieving a unified workflow design in such an environment requires a clear understanding of how a federated configuration management system (CMS or CMDB) would be implemented and how workflow would operate within it to manage the configuration data. Where the underlying information is physically stored in several databases, various application programming interfaces (APIs) or XML Web Services are required to automate the update of this information in the various organisational repositories.


Figure 3 shows the concept of a modern configuration management system architected as a virtual or extended CMDB.

Figure 3—Federated Configuration Management System (Also Known as Virtual CMDB)

Source: John Frisken. Reprinted with permission.


Figure 4 shows the outline of the ITIL Configuration Management Model and how it allows for a process-based integration of ITIL and ISO 27001 information security processes.


Figure 4—ITIL Configuration Management Model

Source: John Frisken. Reprinted with permission.


Given the centrality of configuration and change management to effective information security management, operational involvement from the information security function in the following activities should be considered a minimum:

  • Update of CMDB configuration items based on approved change management documentation. This would include secure-build identifiers for server and workstation images, specifications of configuration items (CIs) for managed network appliances such as firewalls and routers, and software release versions for applications on each server.
  • Processing of requests for new or changed application privileges within the organisation’s applications. Access privileges may relate to either the application functionality or the underlying database.
  • Update of privileged access to operating systems, including Citrix, Windows and Unix.
  • Notification of high-risk monitoring alerts to permit timely intervention to avert possible attacks or failures.
  • Notification of changes to secure configurations that have not been authorised. This is achieved by automated comparison of all images against an approved image and raising alerts for inconsistencies.
  • Notifications where unapproved hardware is attached to the network (approved hardware means hardware recorded within the CMDB).
  • Notifications where unapproved software is added to a server.
  • Notifications where changes are made to configurations of network devices.
  • Scheduling of regular calendar reviews, meetings or other actions to be initiated as a result of critical incidents or identified risk.
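The following is an added illustration, not code from the article or from ISG, of how the federated CMDB lookup described above and the notifications listed for unapproved hardware, unapproved software, image drift and network device configuration changes can be reconciled in one automated check. The repositories, CI identifiers, image names and configuration hashes are all constructed sample values; the mapping of each finding to a SANS control number and to a notify/escalate action is an assumption for the example.

```python
"""Reconcile a discovery scan against a federated (virtual) CMDB and raise alerts.

Constructed example: two physical repositories together form the virtual CMDB.
SERVER_REPO holds server CIs with their approved build image and software;
NETWORK_REPO holds network appliances with the hash of their approved config.
"""

SERVER_REPO = {
    "srv-01": {"image": "win2012-std-v7", "software": {"iis": "8.5", "sqlserver": "2014"}},
    "srv-02": {"image": "rhel6-base-v3", "software": {"httpd": "2.2.15"}},
}
NETWORK_REPO = {
    "fw-edge-1": {"config_hash": "abc123"},   # constructed hash value
    "rtr-core-1": {"config_hash": "def456"},  # constructed hash value
}


def federated_lookup(ci_id):
    """Resolve a configuration item across the federated repositories."""
    for repo in (SERVER_REPO, NETWORK_REPO):
        if ci_id in repo:
            return repo[ci_id]
    return None  # not recorded anywhere in the CMDB -> unapproved


def reconcile(discovered):
    """Compare discovered state with approved CIs.

    Returns a list of (sans_control, ci_id, message, action) tuples, where
    action is "notify" or "escalate" (assumed mapping for this example).
    """
    alerts = []
    for ci_id, observed in discovered.items():
        approved = federated_lookup(ci_id)
        if approved is None:  # CSC 1: device not in the CMDB is unapproved hardware
            alerts.append((1, ci_id, "unapproved device on network", "escalate"))
            continue
        if "config_hash" in approved and observed.get("config_hash") != approved["config_hash"]:
            alerts.append((4, ci_id, "network device configuration changed", "escalate"))
        if "image" in approved and observed.get("image") != approved["image"]:
            alerts.append((3, ci_id, "image deviates from approved build", "notify"))
        # CSC 2: any package present on the host but absent from the approved record
        extra = set(observed.get("software", {})) - set(approved.get("software", {}))
        for pkg in sorted(extra):
            alerts.append((2, ci_id, f"unapproved software: {pkg}", "notify"))
    return alerts


# Constructed discovery result: one drifted image, one extra package, one changed
# firewall/router config hash and one device that the CMDB has never seen.
DISCOVERED = {
    "srv-01": {"image": "win2012-std-v7", "software": {"iis": "8.5", "sqlserver": "2014", "teamviewer": "10"}},
    "srv-02": {"image": "rhel6-base-v2", "software": {"httpd": "2.2.15"}},
    "fw-edge-1": {"config_hash": "abc123"},
    "rtr-core-1": {"config_hash": "zzz999"},
    "unknown-laptop": {"image": "?"},
}
```

Running `reconcile(DISCOVERED)` yields four alerts, two of which are marked for escalation, which is the point at which the ISMS workflow would open a ticket and notify the security function.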

Finally, the design of the ISMS that would integrate and control these types of activities is shown in figure 5. It integrates and co-ordinates all aspects of the security function’s integration with ITSM in order to operationalise a system capable of implementing and managing the control processes envisaged by the SANS Critical Security Controls.


Figure 5—ISMS Architecture—Operations View

Source: John Frisken. Reprinted with permission.


Conclusion

The strength of the COBIT framework is its business focus and its pragmatic tools for aligning policy down to detailed controls embedment. By utilising COBIT, any company is able to integrate a range of standards and concepts to achieve a much more refined approach to security than would be possible if considering any single standard on its own. In the opinion of this author, this will become the core strength and most compelling reason for the use of the COBIT framework in the future.


Author’s Note

This case study has been developed based on a real client situation in Australia. The name of the organisation and some other identifying information have been removed. All material is either owned by Information Systems Group Pty Limited or used with permission.


John Frisken, CISA, CA

Is an application development specialist with a distinguished career in professional practice with Ernst & Young and, subsequently, as founder and owner of the Information Systems Group, an international systems integration and applications development company headquartered in Sydney, New South Wales, Australia. Since establishing ISG in 1996, Frisken has overseen the development of ISG’s services through delivery of complex applications leveraging advanced messaging and secure platform technologies in NSW Health and Toyota Motor Corporation. He currently serves as ISG’s director of professional services.
