• Bookmark

The Victorian Protective Data Security Framework and COBIT 5

By Syed Salman, CISA

COBIT Focus | 9 July 2018

Syed Salman The amount of data being produced, processed, communicated and stored is larger than ever before.1 Most people are well aware that information about them is typically held by a variety of organizations ranging from governments to private organizations. The information can be personal in nature, which individuals would not want to have disclosed to others without their express consent. Unfortunately, private and personal data of individuals have been compromised on many occasions.2 Furthermore, recent revelations regarding major social media service providers has made many of their users concerned about how their personal data are being used.3

With the growing amount of data and cyberthreats, a number of regulations around the world directed toward information security and privacy of personal data have come up. Some examples include the Cyber Security Framework issued by the Saudi Arabian Monetary Authority, the General Data Protection Regulation (GDPR) approved and adopted by the EU Parliament, and the Victorian Protective Data Security Framework (VPDSF) issued by the Office of the Victorian Information Commissioner (OVIC) in the state of Victoria, Australia.

This article shows how COBIT 5 can be utilized to help organizations comply with Victorian Protective Data Security Standards (VPDSS) at their organizations. Figure 1 shows how COBIT 5 process enablers relate to each specific VPDSS standard.


Figure 1—COBIT 5 Enabling Processes Mapping to VPDSS

VPDSS Standard Title

Standard Description

Relevant COBIT 5 Process

Relevant Process Goal/Management Practice

1-Security Management Framework An organization must establish, implement and maintain a security management framework proportionate to its size, resources and risk posture. APO13 Manage Security Process Goal 1—A system is in place that considers and effectively addresses enterprise information security requirements.
2-Security Risk Management An organization must utilize a risk management framework to manage security risk. APO12 Manage Risk Process Goal 1—IT-related risk is identified, analyzed, managed and reported.
Process Goal 2—A current and complete risk profile exists.
3-Security Policies and Procedures An organization must establish, implement and maintain security policies and procedures proportionate to the organization's size, resources and risk posture. APO01 Manage the IT Management Framework

Process Goal 1—An effective set of policies is defined and maintained.

4-Information Access An organization must establish, implement and maintain an access management regime for access to public sector data. DSS06 Manage Business Process Controls Process Goal 2—The inventory of roles, responsibilities and access rights is aligned with authorized business needs.
5-Security Obligations An organization must define, document, communicate and regularly review the security obligations of all persons with access to public sector data. MEA03 Monitor, Evaluate and Assess Compliance With External Requirements Process Goal 1—All external compliance requirements are identified.
Process Goal 2—External compliance requirements are adequately addressed.
6-Security Training and Awareness An organization must ensure all persons with access to public sector data undergo security training and awareness. APO07 Manage Human Resources Management Practice APO07.03: Maintain the skills and competencies of personnel.
7-Security Incident Management An organization must establish, implement and maintain a security incident management regime proportionate to the organization's size, resources and risk posture. DSS02 Manage Service Requests and Incidents Process Goal 3—Service requests are dealt with according to agreed on service levels and to the satisfaction of users.
8-Business Continuity Management An organization must establish, implement and maintain a business continuity management program that addresses the security of public sector data. DSS04 Manage Continuity Process Goal 4—An up-to-date continuity plan reflects current business requirements.
9-Contracted Service Providers An organization must ensure that contracted service providers with access to public sector data do not act or engage in a practice that contravenes the VPDSS. APO10 Manage Suppliers Process Goal 2—Supplier risk is assessed and properly addressed.
10-Government Services An organization that receives a government service from another organization must ensure that the service complies with the VPDSS in respect to public sector data that are collected, held, used, managed, disclosed or transferred. APO10 Manage Suppliers Process Goal 2—Supplier risk is assessed and properly addressed.
11-Security Plans An organization must establish, implement and maintain a protective data security plan to manage its security risk. APO13 Manage Security Process Goal 2—A security plan has been established, accepted and communicated throughout the enterprise.
12-Compliance An organization must perform an annual assessment of its implementation of the VPDSS and report its level of compliance to the Office of the Victorian Information Commissioner. MEA03 Monitor, Evaluate and Assess Compliance With External Requirements Process Goal 2—External compliance requirements are adequately addressed.
13-Information Value An organization must conduct an information assessment considering the potential compromise to the confidentiality, integrity and availability of public sector data. DSS04 Manage Continuity Management Practice DSS04.02: Maintain a continuity strategy.

Activity 2—Conduct a business impact analysis to evaluate the impact over time of a disruption to critical business functions and the effect that a disruption would have on them.

14-Information Management An organization must establish, implement and maintain information security controls in its information management framework. APO13 Manage Security Process Goal 1—A system is in place that considers and effectively addresses enterprise information security requirements.
15-Information Sharing An organization must ensure that security controls are applied when sharing public sector data. APO13 Manage Security Process Goal 1—A system is in place that considers and effectively addresses enterprise information security requirements.
16-Personnel Life Cycle An organization must establish, implement and maintain personnel security controls in its personnel management regime. APO07 Manage Human Resources Management Practice APO07.03: Maintain the skills and competencies of personnel.

Activity 5—Develop and deliver training programs based on organizational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.

17-Information Communications Technology (ICT) Life Cycle An organization must establish, implement and maintain ICT security controls in its ICT management regime. DSS05 Manage Security Services Process Goal 1—Networks and communications security meet business needs.
Process Goal 2—Information processed on, stored on and transmitted by endpoint devices is protected.
Process Goal 3—All users are uniquely identifiable and have access rights in accordance with their business role.
Process Goal 5—Electronic information is properly secured when stored, transmitted or destroyed.
18-Physical Life Cycle An organization must establish, implement and maintain physical security controls in its physical management regime. DSS05 Manage Security Services Process Goal 4—Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processed, stored or transmitted.


With the mapping from figure 1 at hand, professionals have access to further valuable information provided in the publication COBIT 5: Enabling Processes. Such information has not been provided in the VPDSS publications. For each COBIT 5 enabling process, the additional information (figure 2) is provided, which can prove to be very helpful in implementing/improving processes to achieve compliance with the VPDSS.


Figure 2—Additional Information for Each Process

Additional Information Provided for Each Process in the COBIT 5: Enabling Processes Publication

Description

Key performance indicators (KPIs)

This is a list of suggested KPIs that can be used to measure process performance, the results of which can be used to continuously improve the process.

Metrics are defined to measure the extent to which goals are achieved. Metrics can be defined as “a quantifiable entity that allows the measurement of the achievement of a process goal. Metrics should be SMART—specific, measurable, actionable, relevant and timely.”4

Stakeholders responsibility charts

COBIT 5 processes have internal and external stakeholders with their own roles; stakeholders and their responsibility levels are documented in charts that show who is responsible, accountable, consulted or informed (RACI). External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include board, management, staff and volunteers.

Inputs/outputs

The COBIT 5 inputs and outputs are the process work products/artifacts considered necessary to support operation of the process. They enable key decisions, provide a record and audit trail of process activities, and enable follow-up in the event of an incident. They are defined at the key governance/management practice level, may include some work products used only within the process and are often essential inputs to other processes.


Government entities in Victoria, Australia, will be making efforts to comply with VPDSS and are required to submit a high-level protective data security plan (PDSP) by 31 August 2018. Professionals working in government entities can benefit by using the world-class COBIT 5 framework to make their journey easier and to implement processes that are practical and bring sustainable benefits to the organization.


Syed Salman, CISA

Is part of the Advisory team at EY Australia. He has extensive experience in IT audit and IT advisory roles in Australia, the Middle East and south Asia. He has been involved in helping a number of government entities in Victoria, Australia, to perform VPDSS gap assessment exercises and in preparing PDSPs. He has also been involved in assessing IT governance and IT risk management practices at large organizations and has passed the COBIT 5 foundation and assessor exams.


Endnotes

1 EMC Digital Universe, The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, USA, April 2014
2 Dingwall, D.; F. O’Mallon; T. McIlroy; “Data Breach Sees Records of 50,000 Australian Workers Exposed,” The Sydney Morning Herald, 2 November 2017
3 Timberg, C.; T. Romm; E. Dwoskin; “Facebook: ‘Malicious Actors’ Used Its Tools to Discover Identities and Collect Data on a Massive Global Scale,” The Washington Post, 4 April 2018
4 ISACA, COBIT 5: Enabling Processes, USA, 2012, p. 19