Mathew Nicho, Ph.D., CEH, SAP-SA, RWSP, and Hussein Fakhry, Ph.D.
With security and privacy of information systems (IS) ranking among the top 10 issues for IS executives since 2003, organizations have invested heavily in the technical aspects of IS security and, to some extent, in compliance mechanisms, with mixed success, as the growing number of attacks on organizational IS shows.
Data breaches (from external and internal sources), intrusions into organizational networks, and the theft and destruction of sensitive information through network hacking have placed a heavy burden on organizations in terms of investment in IS security defenses and compliance. Although organizations have numerous industry-standard choices for implementing technical IS security, the choice of an IS security governance and compliance framework remains subjective.
Statistics published over the past few years by the Identity Theft Resource Centre (ITRC), Privacy Rights Clearing House and the CSI Computer Crime Survey (all US-based) show that major vulnerabilities in organizational systems stem from inadequate compliance with the nontechnical aspects of IS security.
Furthermore, in our research we examined the top 10 breaches of 2012 as reported by ITRC and found that 70 percent of them occurred because nontechnical controls were missing or overlooked, while only 30 percent were attributable to failures of technical controls.
To provide a practical perspective, in our recent Journal article we analyzed each of these 10 high-profile data breach cases to identify the underlying vulnerabilities and mapped them to the corresponding COBIT 5 management practices.
After analyzing the IS governance and security frameworks available to organizations for mitigating breaches, we found that the security-related management practices of COBIT 5 provide adequate and effective controls against the identified vulnerabilities.