Mathew Nicho, Ph.D., CEH, SAP-SA, RWSP, and Hussein Fakhry, Ph.D.
High-profile information security breaches have become a steady feature, increasing the pressure on firms to harden their networks and adopt a more aggressive security posture. However, it is often not clear which security initiatives offer a firm the greatest improvement.1 Security and privacy have remained among the top 10 key issues for IT executives since 2003.2 Information security has thus become a critical issue for information systems (IS) executives3 and crucial to the continued well-being of modern organizations,4 which must protect their information assets against cybercrime, denial-of-service attacks, web hackers, data breaches, identity and credit card theft, fraud and other internal threats.5 A firm's information-related assets are now among its most valuable assets.6 The ever-increasing mobility of the workforce, and the convenience of working with company information inside and outside the organization through portable and online media, have amplified every such threat to a critical level. Information is a fundamental asset within any organization, so its protection through the process of information security is of high importance.7

Existing technical IS security frameworks and IS controls have been effective at preventing attacks from external entities into the organizational network, but the mobility of staff and of IT assets across the extended network poses a serious risk to organizational data. This is substantiated by the fact that six out of 10 employees between the ages of 18 and 35 use a personal device at work and that the average corporate worker sends and receives 112 emails per day.8
A careful review of the trends and statistics in data breaches over the last three years (2010 to 2012), as reported in the CSI computer crime surveys and Identity Theft Resource Center (ITRC) studies, points out that hackers circumvent organizational network defenses by targeting data and media that are at rest, in use and in motion inside and across the extended network. Moreover, errors, mistakes and accidents by the employees who handle data have worsened the situation, so that conventional technical and sociotechnical controls are no longer adequate on their own. It is therefore imperative for organizations to categorize and protect data in each of these three states: at rest, in motion and in use.
COBIT 5 enablers and management practices can be used to prevent malicious activities and data breaches within organizations and their extended networks. A detailed analysis of 10 high-profile data breaches and intrusions in 2012, sourced from the ITRC database, identified the vulnerabilities and missing controls that led to each breach. The analysis revealed that 70 percent of the breaches occurred because nontechnical IT controls were missing or overlooked; only the remaining 30 percent could have been prevented by technical mechanisms alone.
For the identified vulnerabilities, corresponding IT management practices of COBIT 5 have been selected and mapped to demonstrate not only how the identified breaches could have been prevented using COBIT management practices, but also how to effectively monitor these practices using three COBIT monitoring management processes. This article recommends a security framework based on a set of essential COBIT 5 management practices and industry-specific relevant frameworks that are required to adequately protect organizations from external and internal intrusions.
The top 10 data breaches in 2012, according to the ITRC database, were analyzed to determine the nature of the attacks and evaluate the role of technical and nontechnical IT mechanisms in these breaches.9 These data are presented in figure 1 with the identifying methodology and the nature of attacks for each case.
While it is impossible to totally secure information systems, systems risk can be substantially reduced through effective management practices.10 Computer security technologies have had a difficult time keeping pace with advances in computing, and the growing emphasis on user friendliness has, to some extent, worked against the deployment of some control mechanisms; this often leads to compromises in security design and causes problems for systems controllers and auditors.11
In 70 percent of the aforementioned cases, the attack succeeded because effective controls were lacking rather than because the technical security layers were weak.
It has been stated that information security is primarily a people problem: technology is designed and managed by people, which leaves opportunities for human error.12 Clearly defined IT access control policies are therefore required to direct best-practice approaches within an organization's IT security program.13 The cases thus show that, while hardening the technical layers is important for preventing data breaches, the human element of information security is equally important, and many examples exist where human activity can be linked to security issues.14
The shift by attackers from technical to nontechnical methods has led organizations to aim for an optimal mix of technical and nontechnical aspects of IS, together with best practices for comprehensive, generic IS governance controls. For information security measures to be effective, security should not be built only as a staircase of combined measures; the measures should be mutually dependent on each other.15
Appropriate controls are also necessary to protect organizations from lawsuits for negligence and to comply with computer misuse and data protection legislation.16 Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.17 In this respect, the COBIT 5 framework helps enterprises implement sound governance enablers; processes are one of the seven enabler categories for governance and management of enterprise IT (GEIT).18 Implementations of IS control frameworks are currently on the rise worldwide because of the compliance requirements of various regulations and standards.19
The key guiding principle for any control implementation is to decide on the appropriate level of security, since no organization is in a position to ensure maximum security. The amount spent should be in proportion to the criticality of the system, the cost of the control and the probability that the event occurs.20 Organizations frequently view information security as compliance with laws and regulations, which is not surprising, as liability is a chief concern of executives.21 However, this is a narrow, short-sighted view of information security, because laws and regulations are geared toward protecting the organization's external stakeholders, such as customers and investors.22
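The proportionality principle above (spend in proportion to system criticality, control cost and event probability) can be made concrete with the annualized loss expectancy (ALE) method commonly used in quantitative risk analysis. The following Python block is an added example and is not code or data from the article: the asset value, exposure factor, incident rate, control names, control costs and budget are all constructed assumptions chosen to illustrate the calculation.

```python
"""Risk-proportionate control selection (added example, not from the article).

Implements the widely used Annualized Loss Expectancy (ALE) calculation that
the proportionality principle states informally:

    SLE = asset value x exposure factor      (loss per incident)
    ALE = SLE x ARO                          (expected loss per year)

A control is worth buying when the ALE it removes exceeds its annual cost.
Every asset value, rate and cost below is a constructed illustration, and the
control names are hypothetical; none are drawn from the article's cases.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # impact if fully lost, in currency units
    exposure_factor: float  # fraction of value lost per incident (0..1)
    aro: float              # incidents expected per year with no controls

    @property
    def sle(self) -> float:
        return self.value * self.exposure_factor


@dataclass(frozen=True)
class Control:
    name: str
    kind: str               # "technical" or "nontechnical", the article's distinction
    annual_cost: float
    aro_reduction: float    # fraction of the current ARO the control removes (0..1)


@dataclass
class Selection:
    chosen: list
    remaining_budget: float
    residual_ale: float


def marginal_net_benefit(sle: float, current_aro: float, control: Control) -> float:
    """ALE avoided this year by adding `control` on top of what is already in
    place, minus its annual cost. Uses the *current* ARO, not the baseline, so
    two controls that address the same risk are not double counted."""
    avoided = sle * current_aro * control.aro_reduction
    return avoided - control.annual_cost


def select_controls(asset: Asset, controls: list, budget: float) -> Selection:
    """Greedy, proportionate selection: repeatedly add the affordable control
    with the largest positive marginal net benefit, and stop when no remaining
    control pays for itself. Controls whose cost exceeds the loss they avoid are
    never selected, however effective they are; that is the opposite of a
    'maximum security' stance."""
    aro = asset.aro
    remaining = budget
    pool = list(controls)
    chosen = []
    while pool:
        affordable = [c for c in pool if c.annual_cost <= remaining]
        if not affordable:
            break
        best = max(affordable, key=lambda c: marginal_net_benefit(asset.sle, aro, c))
        if marginal_net_benefit(asset.sle, aro, best) <= 0:
            break
        chosen.append(best.name)
        remaining -= best.annual_cost
        aro *= (1.0 - best.aro_reduction)
        pool.remove(best)
    return Selection(chosen, remaining, asset.sle * aro)


# Constructed scenario (hypothetical figures): a laptop fleet holding customer
# records, i.e. the data-in-use / data-in-motion case the article highlights.
LAPTOP_FLEET = Asset("laptop fleet with customer records", value=1_000_000,
                     exposure_factor=0.5, aro=0.2)   # SLE 500,000; baseline ALE 100,000

CANDIDATE_CONTROLS = [
    Control("full-disk encryption on portable devices", "technical", 20_000, 0.8),
    Control("acceptable-use policy and awareness training", "nontechnical", 10_000, 0.6),
    Control("network data-loss-prevention appliance", "technical", 150_000, 0.9),
    Control("portable-asset inventory and tracking", "nontechnical", 5_000, 0.2),
]


def run_example() -> Selection:
    """Select controls for the constructed scenario under a 40,000 annual budget."""
    return select_controls(LAPTOP_FLEET, CANDIDATE_CONTROLS, budget=40_000)


if __name__ == "__main__":
    result = run_example()
    print("selected:", result.chosen)
    print(f"budget left: {result.remaining_budget:,.0f}  residual ALE: {result.residual_ale:,.0f}")
```

With these constructed figures the selection picks encryption first (largest marginal benefit), then awareness training, and then stops: once the first two controls have cut the expected loss to about 8,000 per year, the inventory control's 5,000 annual cost exceeds the 1,600 it would still avoid, and the DLP appliance never fits the budget. The point to take from the example is the use of the marginal benefit against the current residual risk rather than the baseline, which is what keeps spending proportionate as controls accumulate.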
In a survey of security professionals, the Enterprise Strategy Group (ESG) found that 72 percent of North American organizations with 1,000 or more employees have implemented one or more formal IT best-practice control and process models.23 The study also found that the most widely used commercial IT control frameworks are ITIL, ISO 27002 and COBIT, and that together they foster optimal security investment. ISO/IEC 27002, COBIT, ISO 20000 and ITIL are also the most applicable and widely used frameworks for managing and maintaining IT services: IT control implementers use ITIL to define strategies, plans and processes; COBIT for metrics, benchmarks and audits; and ISO/IEC 27002 to address security issues and mitigate risk.24
Information security is often not addressed in a holistic and comprehensive way, and unless all of its dimensions are taken into account there is a real risk that a truly secure environment will not be achieved. In response, 12 dimensions of IS security have been proposed, covering the governance, audit, legal, technical, human and measurement areas that need to work together to create a secure environment.25 Mapping these 12 dimensions onto the IT control frameworks, as detailed in figure 2, reveals the comprehensive nature of technical and nontechnical IT controls.
Figure 2 illustrates that COBIT encompasses most of the dimensions of IS security, taking into account both the technical and the nontechnical aspects. Next, the relevant COBIT processes (also referred to as IT controls) are analyzed to see how applying them could have prevented breaches like the 10 described previously.
COBIT 5 consolidates and integrates these previously released ISACA frameworks: COBIT 4.1, Val IT 2.0, Risk IT and the Business Model for Information Security (BMIS). It aligns with other frameworks and standards such as ITIL, International Organization for Standardization (ISO) standards, Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).
Many of the detailed COBIT 5 processes map directly to information security. All of the data breach cases presented earlier are mapped to COBIT 5, and figure 3 shows how each of the mapped COBIT 5 management practices, if implemented, could have prevented the corresponding breach. The mapped management practices fall within the Align, Plan and Organise (APO) and Deliver, Service and Support (DSS) domains; six further practices (APO01.02, APO01.06, APO03.02, APO09.03, BAI09.01 and DSS06.06) provide inputs to their activities.
COBIT 5 management practices are generic and can be mapped to multiple vulnerabilities. Across the 10 cases, seven management practices and six inputs were found to be essential to prevent the identified breaches. The management practices are APO13.01 and DSS05.01 through DSS05.06, with APO01.02, APO01.06, APO03.02, APO09.03, BAI09.01 and DSS06.06 providing the inputs. The processes of the Monitor, Evaluate and Assess (MEA) domain, MEA01, MEA02 and MEA03, provide the monitoring mechanisms for the selected management practices, and implementing DSS05.07 alongside them ensures that security incidents, logs and tickets are monitored.
One advantage of COBIT 5 is its generic nature, which allows considerable freedom in customizing the enabling processes and their corresponding practices and activities. This helps not only to achieve specific objectives and produce the outputs that support the overall IT-related goals, but also to suit a dynamic IS security threat environment. The highly dynamic nature of IS security threats calls for continuous improvement of the COBIT enablers to counter current and emerging threats, and COBIT 5 Implementation provides guidance on implementing a continuous improvement process and maintaining its momentum. The mixed technical and nontechnical nature of the threats shows that it is neither possible nor good practice to separate business activities from IT-related activities.
Figure 4 illustrates an implementation framework that provides guidance on developing an implementation strategy for data breach prevention. Frameworks, best practices and standards are useful only if they are adopted and adapted to the organization's situation. Viewed holistically, implementing IS security controls means selecting, customizing and mapping the relevant IT controls and standards on a continual basis, depending on the IS security environment, the industry and the mandatory regulations. Security assessment is an ongoing, iterative process of reviewing current functions against specific standards,26 and the framework follows Deming's Plan-Do-Check-Act (PDCA) cycle, which is also used in ISO 27001.
In the Plan stage, the organization decides on the relevant frameworks and standards, either from a holistic IS security perspective or by focusing on COBIT 5 alone. In the Do stage, it selects and implements the COBIT 5 management practices related to IS security (namely APO13.01 and DSS05.01 to DSS05.07), optionally mapping the relevant security processes and controls for data breach prevention onto COBIT 5. The Check stage uses the processes of the COBIT 5 MEA domain to close the feedback loop: the refinements and adjustments generated from MEA01 to MEA03 are the mechanism for monitoring and ensuring compliance. In this stage the organization can also select and map industry-specific or essential controls from relevant standards and frameworks. The Act stage is especially relevant to information security because of the highly dynamic nature of vulnerabilities and data breach methods: the COBIT processes and relevant IT controls are continuously reviewed and customized before the cycle returns to the Plan stage.
Despite advances in IS security technologies and the availability of relevant frameworks, standards and IT control mechanisms, statistical trends in data breaches reveal an increasing threat to organizations. Taking a sample of the top 10 high-profile cases, this article identifies the vulnerable areas and the remedial actions to counter them, finding that the majority of the data breaches occurred because nontechnical IT controls were missing or overlooked, and highlighting the emphasis that managers should place on nontechnical controls in IS security. From a practitioner's perspective, the mapping of COBIT 5 processes and management practices to the identified vulnerabilities provides a road map for implementing data breach prevention and monitoring.
1 Johnson, E.; E. Goetz; "Embedding Information Security Risk Management Into the Extended Enterprise," IEEE Security and Privacy, vol. 5, 2007, p. 16-24
2 Luftman, J.; T. Ben-Zvi; "Key Issues for IT Executives 2011: Cautious Optimism in Uncertain Economic Times," MIS Quarterly Executive, vol. 10, 2011, p. 203-212
3 Culnan, M. J.; E. R. Foxman; A. W. Ray; "Why IT Executives Should Help Employees Secure Their Home Computers," MIS Quarterly Executive, vol. 7, 2008, p. 49-56
4 Kruger, H. A.; W. D. Kearney; "Consensus Ranking—An ICT Security Awareness Case Study," Computers & Security, vol. 27, 2008, p. 254-259
5 Smith, S.; D. Winchester; D. Bunker; "Circuits of Power: A Study of Mandated Compliance to an Information Systems Security De Jure Standard in a Government Organization," MIS Quarterly, vol. 34, 2010, p. 463-486
6 Gordon, L. A.; M. P. Loeb; T. Sohail; "Market Value of Voluntary Disclosures Concerning Information Security," MIS Quarterly, vol. 34, 2010, p. 567-594
7 Thomson, K. L.; R. von Solms; "Information Security Obedience: A Definition," Computers & Security, vol. 24, 2005
8 ISACA, COBIT 5 for Information Security, 2012, www.isaca.org/cobit
9 While the findings in this study provide an understanding of data breaches from both technical and nontechnical perspectives, a number of caveats need to be noted. First, a small sample of 10 cases in one country does not represent the population and, hence, this study needs to be extended with a larger sample from different countries in order to generalize the findings. Second, the cases are all taken from secondary sources, which may not always reveal the true cause or the events leading to the breach. Finally, while COBIT 5 is taken as the framework to demonstrate the mitigation of the identified vulnerabilities, further research can identify and map relevant IT controls/processes from related industry frameworks/standards and result in a common set of IT controls/processes for a set of commonly identified vulnerabilities.
10 Adams, D. A.; S. Y. Chang; "An Investigation of Keypad Interface Security," Information & Management, vol. 24, 1993, p. 53-59
11 Schultz, E.; "The Human Factor in Security," Computers & Security, vol. 24, 2005, p. 425-426
12 Hagen, J. M.; E. Albrechtsen; J. Hovden; "Implementation and Effectiveness of Organizational Information Security Measures," Information Management & Computer Security, vol. 16, 2008, p. 377-397
13 Ward, P.; C. L. Smith; "The Development of Access Control Policies for Information Technology Systems," Computers & Security, vol. 21, 2002, p. 356-371
14 Op cit, Kruger and Kearney
15 Dhillon, G.; S. Moores; "Computer Crimes: Theorizing About the Enemy Within," Computers & Security, vol. 20, 2001, p. 715-723
16 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework, 22 May 2012, http://coso.org/documents/Internal%20Control-Integrated%20Framework.pdf
17 ISACA, COBIT 5: Enabling Processes, 2012, www.isaca.org/cobit
18 Dutta, A.; K. McCrohan; "Management's Role in Information Security in a Cyber Economy," California Management Review, vol. 45, 2002, p. 67-87
19 Op cit, Smith, Winchester and Bunker
20 Op cit, COSO
21 Turner, M. J.; J. Oltsik; J. McKnight; "ISO, ITIL, & COBIT Together Foster Optimal Security Investment," 2009, www.thecomplianceauthority.com/iso-itil-a-cobit.php
22 Nicho, M.; "An Information Governance Model for Information Security Management," in Mellado, D.; L. E. Sánchez; E. Fernández-Medina; M. Piattini, Eds.; IT Security Governance Innovations: Theory and Research, IGI Global, 2012
23 Sahibudin, S.; M. Sharifi; M. Ayat; "Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations," Second Asia International Conference on Modeling & Simulation, Malaysia, 2008
24 Solms, B. von; "Information Security—A Multidimensional Discipline," Computers & Security, vol. 20, 2001, p. 504-508
25 Op cit, Nicho
26 Yadav, S. B.; "A Six-view Perspective Framework for System Security: Issues, Risks, and Requirements," International Journal of Information Security and Privacy, vol. 4, 2010, p. 61-92
Mathew Nicho, Ph.D., CEH, SAP-SA, RWSP, is the director of the Master of Science program at the College of Information Technology at the University of Dubai (Dubai, UAE). He trains students/professionals on ethical hacking and preventive measures; teaches IT governance, audit and control; and has published papers in several international journals and conference proceedings.
Hussein Fakhry, Ph.D., is the dean of the College of Information Technology at the University of Dubai (Dubai, UAE). His research on information systems using system dynamics, information systems security, e-commerce and e-business, decision support systems, applications of artificial intelligence, and assessment of academic programs has appeared in numerous international journals and conferences.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.