ISACA Journal Author Blog


Aligning Information Security With the 21st Century Way of Doing Business

Published: 1/30/2014 8:55 AM | Category: COBIT-Governance of Enterprise IT
Giuseppe Arcidiacono, CISA, CISM, CGEIT
COBIT 5 for Information Security represents a revolution in the field of information security because it gives IT managers and security specialists the opportunity to align their perspectives and daily work with the new global way of doing business.
While the 20th century’s economy was founded on material and tangible assets, the focal point and the currency of the 21st century enterprise is information. For this reason, the real challenge is how to govern and manage this new virtual gold.
COBIT 5 for Information Security provides an end-to-end business view of governance of enterprise IT (GEIT), reflecting the central role of information and technology in creating value for enterprises.

This new standard was created largely to:

  • Describe information security in an enterprise context, covering all the aspects that lead to effective governance and management of information security.
  • Maintain information risk at an acceptable level (while containing the overall cost) and protect information against unauthorized disclosure, modification or intrusion.

COBIT 5 for Information Security is based on five principles, each tailored to the enterprise's actual context:

  • Principle 1 (meeting stakeholders' needs): Modern organizations are called on to integrate security into every aspect of management and operations. Integration begins with identifying all business processes and their related stakeholders, including auditors and information security managers.
  • Principle 2 (covering the enterprise end-to-end):  The general application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This is not just horizontal integration. All levels of management must include information security in every business, strategic and operational planning activity.
  • Principle 3 (applying a single integrated framework):  Aligning with other relevant standards and frameworks at a high level ensures effective governance by avoiding overlaps and additional complexities and costs.
  • Principle 4 (enabling a holistic approach):  Years of experience (and failures) in information security have demonstrated that point-and-shoot approaches to managing security do not achieve the best overall results for the enterprise. A holistic approach is necessary to obtain enterprisewide efficiency and efficacy.
  • Principle 5 (separating governance from management): Governance and management are distinct functions performed by different teams, but they are closely related and must support each other. Governance defines the expected outcomes; management implements the technology and processes needed to meet them. Governance then determines whether the outcomes have been met and provides feedback that helps management make the necessary adjustments.
Read Giuseppe Arcidiacono's recent Journal article:
"Challenges and Benefits of Migrating to COBIT 5 in the Strongly Regulated Environment of EU Agricultural Paying Agencies," ISACA Journal, volume 1, 2014.
