"How do we place Governance at the heart of the digital transformation?" (2/2)
Les jeudis de l'AFAI
Patrick Stachtchenko, 2 April 2015

Patrick Stachtchenko: contact details
• Mobile: +33 6 86 68 35 76
• Email: pstachtchenko@orange.fr

How can COBIT 5 respond to this new context? An illustration
COBIT 5: Overview
– COBIT 5 Framework
• A Business Framework for the Governance and Management of Enterprise IT (94 p)
• COBIT 5 Principles: Where did they come from? (12 p)
– COBIT 5 Enabler Guides
• Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …
– COBIT 5 Professional Guides
• Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), Cloud Governance: Questions Boards of Directors Need to Ask? (9 p), …
– Practices and Guidance using COBIT 5
• Configuration Management (88 p), Vendor Management (178 p), …
• COBIT Assessment Program: Model (144 p), Self Assessment (24 p), User Guide
– White Papers / Vision Series / Studies / Surveys
• Social Media: Business Benefits and Security, Governance and Assurance Perspectives (10 p)
• Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives (10 p)
• Big Data: Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), …
– Professional Standards and Guidance
• ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p)
– Audit/Assurance Programs
• EDM/APO/DSS/BAI (25 p / process), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), …
– Knowledge Center (over 100 topics; for each topic: discussions, documents and publications, events, journal articles, external links, wikis, blog posts), eLibrary (> 500 publications), Academia, …
• Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400, …
– COBIT Focus (4 issues per year): COBIT case studies, articles, updates, …
– COBIT 5 Online: multi-phase project; capabilities for accessing, understanding and applying COBIT 5

COBIT 5: Specific view (Information Security)
– COBIT 5 Professional Guides
• Information Security (220 p)
– Practices and Guidance using COBIT 5
• Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p), …
– White Papers / Vision Series / Studies / Surveys
• Cybersecurity: What the Board of Directors Needs to Ask? (20 p)
• Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18 p)
• Business Continuity Management: Emerging Trends (15 p)
• Web Application Security: Business and Risk Considerations (16 p)
• Security Considerations for Cloud Computing (80 p)
• Advanced Persistent Threat (APT) Awareness Study Results (20 p), …
– Audit / Assurance Programs
• VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …
– Knowledge Center, eLibrary, …
• Security Tools, Physical Security, Network Security, …
– COBIT 5 Online
• Security-specific view

COBIT 5: Global Governance Study (ISACA 2014)
• White papers
– Issues that have just begun to, or will soon, impact enterprise operations
• Research projects
• Knowledge Center
– Over 100 topics
– Discussions, documents and publications, events and online learning, journal articles, user-contributed external links, wikis, blog posts
• Academia
– Model curricula
– Teaching material (for Academia advocates)
• eLibrary
– All ISACA publications
– 525 external books
• Career Center

COBIT 5: Recent publications
ISACA in brief: Knowledge 2015
• DevOps Overview (16 p)
• Internet of Things: Risk and Value Considerations (13 p)
• IS Auditing Tools and Techniques: IS Audit Reporting (46 p)
• Getting Started With Governance (8 p)
• Overview of Digital Forensics (14 p)
• DevOps Series
• Industrial Control Systems (ICS) (Q2)
• Internal Controls (Q1)
• Operational Risk Management/Basel Using COBIT 5 (?)
• PCI DSS (Payment Card Industry Data Security Standard) (Q1)
• Security, Audit and Control Features SAP ERP, 4th Edition (Q1)
• Plus the work of committees and task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)
All of this knowledge is developed in line with the COBIT 5 principles.

ISACA in brief: Knowledge 2014
• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)
• A Global Look at IT Audit Best Practices (45 p)
• IT Control Objectives for Sarbanes-Oxley Using COBIT 5, 3rd Edition (142 p)
• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)
• Risk Scenarios Using COBIT 5 for Risk (294 p)
• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)
• European Cybersecurity Implementation Series
– Overview (26 p)
– Assurance (24 p)
– Resilience (25 p)
– Risk Guidance (24 p)
– Audit/Assurance Program (47 p)

ISACA in brief: Knowledge 2014 (continued)
• Cybersecurity: What the Board of Directors Needs to Ask? (20 p)
• Implementing the NIST Cybersecurity Framework (108 p)
• COBIT 5 Principles: Where did they come from? (12 p)
• Advanced Persistent Threat Awareness Study Results (20 p)
• ITAF, 3rd Edition (148 p)
• Controls and Assurance in the Cloud: Using COBIT 5 (266 p)
• Relating the COSO Internal Control Integrated Framework and COBIT (22 p)
• Vendor Management Using COBIT 5 (178 p)
• Evaluate, Direct and Monitor Audit/Assurance Programs 1-5 (25 p / process)
• Generating Value from Big Data Analytics (12 p)

ISACA in brief: Knowledge 2013
• Security as a Service (18 p)
• COBIT 5: Enabling Information (90 p)
• Advanced Persistent Threats: How to Manage the Risk to Your Business? (132 p)
• COBIT 5 for Risk (244 p)
• Configuration Management Using COBIT 5 (88 p)
• Privacy and Big Data (12 p)
• Transforming Cybersecurity (190 p)
• COBIT 5 for Assurance (318 p)

ISACA in brief: Knowledge 2013 (continued)
• Responding to Targeted Cyberattacks (88 p)
• Cloud Governance: Questions Boards of Directors Need to Ask? (9 p)
• Big Data: Impacts and Benefits (14 p)
• Software Assurance Audit/Assurance Program (35 p)
• Identity Management Audit/Assurance Program (40 p)
• COBIT Assessment Programme Using COBIT 5 (144 p)
• Outsourced IT Environments Audit/Assurance Program (39 p)
• Personally Identifiable Information Audit/Assurance Program (34 p)
COBIT 5: Contents. Illustrations

Contents: COBIT 5 Enabling Information

COBIT 5 Deliverables: Enabling Information (90 pages)
• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope
• COBIT 5 Principles applied to Information
– COBIT 5 Principles
• Goals Cascade for the Enterprise (Function Goals)
• Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations items for 8 functional areas: Human Resources (22 items), Procurement (20 items), …)
• Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)
• The COBIT 5 Information Model
– COBIT 5 Information Model Overview
• Information Stakeholders: examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes)
• Information Goals: examples for each of the 15 information quality criteria
• Lifecycle: examples for Supplier Information, Retention Requirements, IT Change Management Data
• Good Practices: examples for the 11 information attributes
– Additional Examples of COBIT 5 Information Model Use
• 5 sample use cases: Building IS Specifications, Definition of Information Protection Requirements, etc.
• Comprehensive Information Item Description: illustration for the Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers)
• Addressing Information Governance and Management Issues Using COBIT
– Information Governance and Management Issues reviewed in this chapter (9 issues)
• For each issue: Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue
• Appendix A: Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)
• Appendix B: Example Information Items Supporting Functional Area Goals (8 areas, 179 items)
• Appendix C: Example Information Items Supporting IT-related Goals (1 area, 69 items)

Information: example assessment criteria
Intrinsic quality: the data values conform to the actual values
• Accuracy: correct and reliable
• Objectivity: unbiased and impartial
• Believability: regarded as true and credible
• Reputation: highly regarded in terms of source and content
Contextual and representational quality: the information fits the user's task and is presented in a clear, intelligible way
• Relevancy: applicable and helpful for the task at hand
• Completeness: not missing, and of sufficient depth for the task at hand
• Currency: sufficiently up to date for the task at hand
• Appropriate amount of information: the volume is appropriate for the task at hand
• Concise representation: compactly represented
• Consistent representation: presented in the same format
• Interpretability: in appropriate languages, symbols and units, with clear definitions
• Understandability: easily comprehended
• Ease of manipulation: easy to manipulate and apply to different tasks
Access/security quality: the information can be reached and is available
• Availability/timeliness: available when required, easily and quickly retrievable
• Restricted access: access limited to authorized persons and authorized actions
Notes:
• Several scopes are possible for information security, and they overlap.
• Security most often covers, at a minimum, everything related to "invalid access".
• Therefore integrity, availability and confidentiality, as well as identification, authentication, non-repudiation and authorization, must be covered at a minimum.

Information: levels and attributes
• Using these levels makes it possible to determine the protection levels and the protection mechanisms to implement at each level:
• Where is the information kept?
• How can it be accessed?
• How will it be structured and encoded?
• What kind of information is it? What is the information level?
• What are the retention periods? What other information is required for this information to be useful and usable?
• Physical level: information carrier (medium: paper, electrical signals, sound waves)
• Empiric level: access channel (user interfaces)
• Syntactic level: code/language/format
• Semantic level: meaning of the information
• Information type: financial/non-financial, internal/external, forecast values/observed values
• Information currency: information about the past, the present, the future
• Aggregation level: sales per year, quarter, month, …
• Pragmatic level: use of the information
• Retention period: how long the information must be kept before it is destroyed
• Information status: operational or historical information
• Novelty: new knowledge or confirmation of existing knowledge (information/confirmation)
• Contingency: information that must precede this information for it to count as information
• Social level: context (contracts, law, culture)

Comprehensive description of an information item: Risk Profile
A description of all its dimensions. This can be useful for dealing with questions such as:
• Risk managers
– What does a risk profile look like?
– What are the quality criteria of a risk profile, and how can they be met?
– Who are the main stakeholders?
– What are their interests?
– What are the good practices?
– Which enablers are involved, etc.?
• Auditors
– How can I review the quality of a risk profile?
– Which criteria should be analysed?
• Stakeholders
– What are my responsibilities in the lifecycle of the risk profile?
The professional and business context is described in COBIT 5 for Risk, COBIT 5 for Information Security and COBIT 5 for Assurance.
Information: "Risk Profile" example (figures, copyright ISACA)
• Lifecycle and stakeholders
• Goals
• Good practices
• Link to other enablers
• Risk scenario sheet: 20 risk scenario types; more than 100 detailed risk scenario sheets

Risk scenario sheet (figure, copyright ISACA)

Risk scenario sheet: "Logical Attacks" (three figure slides)

Information: examples of concerns to address (figure, copyright ISACA)
Contents: Securing Mobile Devices

COBIT 5 Deliverables: Securing Mobile Devices (138 pages)
• Introduction: What is a mobile device? Mobile Device Use: Past, Present, Future
• Mobile Device Impact on Business and Society: Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts
• Threats, Vulnerabilities and Associated Risks: Physical, Organizational, Technical
• Security Governance: Business Case, Standardized Enterprise Solutions, BYOD, Combined Scenario, Private Use of Mobile Devices, Defining the Business Case
• Security Management for Mobile Devices: Categories and Classification, Existing Security Controls, 7 Enablers
• Hardening Mobile Devices: Device and SIM Card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality
• Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices
• Guiding Principles for Mobile Device Security: 8 principles
• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security
• Appendix B. Hardening Mobile Devices
• Appendix C. Sample Audit Steps in Forensics and Investigation

Illustration for mobile device security
• Stakes: expected benefits, …
• Types of mobile devices and connections
• Classification by asset category
• Security levels by asset category
• Risk types by risk category
• Nature of the risks by target, by information type, by risk factor
• Examples of vulnerabilities/threats/risks
• Example risk response options for each enabler
• IS security principles, associated objectives, mobile security principles
• IS security policies, topics covered, mobile security policies
• Mobile security standards, centralized aspects, clauses covered
• Operational procedures
• Mobile security processes and their connection to the IS processes
• Attributes of the security organization, IS security officer, mobile security officer
• Expected behaviour in IS security, expected behaviour in mobile security
• Competencies of the mobile security officer, competencies of users
• Training: perspective, key topics, content
• Competencies of the IS security officer
• Service capabilities, architecture and applications: service types by domain

Mobile security example: Stakes
• "Internet of Things"
– 10 billion devices connected to the Internet
– 20 to 50 billion networked devices
– 1.7 billion mobile devices connected to the Internet
• Impacts
– The notion of the office (anywhere; fewer premises)
– Working hours (anytime)
– The enterprise perimeter (open system, cloud, partners, rental car, …)
– Private and professional lives (emails, contacts, calendar, etc.)
– Efficiency at work / productivity / flexibility
– Responsibilities
– Support functions (7 days a week, 24 hours a day), processes, training, …
– New risks

Mobile security example: Types of mobile devices and connections
• Traditional cell phones
• Smartphones and pocket PCs
• Auxiliary units: USB keys, wireless speakers or headsets, GPS, …
• Non-telephone wireless devices: tablets, …
• Automobiles: connected electronic devices such as GPS navigation aids, diagnostics, automatic locking/unlocking, …
• "Smart" clothing
• Toys and "robots" (drones, cameras, vacuum cleaners, lawn mowers, …)
• Implants (insulin pumps, …), …
Connection endpoints and technologies (diagram):
• Public cloud
• Other mobile devices
• Private cloud
• Enterprise
• GSM, GPRS/EDGE, 3.5G, 4G/LTE, Bluetooth, WLAN/802.x, NFC, …
Mobile security example: Classification by asset category
Category | Devices | Examples
1 | Data storage (limited), basic telephony and messaging services, proprietary OS (limited), no data processing capability | Traditional cell phones
2 | Data storage (including external) and data processing capabilities, standardized OS (configurable), extended services | Smartphones; early pocket PC devices
3 | Data storage, processing and transmission capabilities via alternative channels, broadband Internet connectivity, standardized OS (configurable), PC-like capabilities | Advanced smartphones; tablet PCs
(Copyright ISACA)

Mobile security example: Risk levels by asset category
Category/Risk | Category 1 | Category 2 | Category 3 | Category 4
Physical
Theft | Low | Medium | High | High
Loss | Medium | Medium | Medium | Medium
Damage/destruction | High | High | High | High
Organizational
Agglomeration/heavy users | Low | Low | High | High
Complexity/diversity | Low | Medium | High | High
Technical
Activity monitoring, data retrieval | Low | High | High | High
Unauthorized network connectivity | Low | Medium | High | High
Web view/impersonation | Low | Medium | High | High
Sensitive data leakage | Low | High | High | High
Unsafe sensitive data storage | Medium | High | Medium | Medium
Unsafe sensitive data transmission | Low | High | Medium | High
Drive-by vulnerabilities | Low | High | High | High
Usability | Low | Low | High | High
(Copyright ISACA)

Mobile security example: Risk types by asset category
Physical risks
• Inability to work for an extended period
• Access to information (emails, contacts, appointments, usage history, deleted items, codes, …); the data is often unencrypted
• Identity theft
There are, however, ways to limit these risks:
• Location and tracking capabilities
• Remote lock capabilities
• SIM card blocking capabilities

Mobile security example: Risk types by asset category
Organizational risks
• Replication of privileged access rights
• Sensitive nature of the data held for executives
• Complexity of use (richness of features, …): errors, data roaming, …
• Short lifecycle (management, training, …)

Mobile security example: Technical risks, "Activity monitoring, data retrieval"
Target | Risk
Messaging | Generic attacks on short message service (SMS) text and multimedia messaging service (MMS)-enriched transmission of text and contents; retrieval of online and offline email contents; insertion of service commands by SMS cell broadcast texts; arbitrary code execution via SMS/MMS; redirect or phishing attacks by Hypertext Markup Language (HTML)-enabled SMS text or email
Audio | Covert call initiation, call recording; open microphone recording
Pictures/video | Retrieval of still pictures and videos, for example by piggybacking the usual "share" functionality in most mobile apps; covert picture or video taking and sharing, including traceless wiping of such material
Geolocation | Monitoring and retrieval of GPS positioning data, including date and time stamps
Static data | Contact list, calendar, tasks, notes retrieval
History | Monitoring and retrieval of all history files in the device or on the SIM card (calls, SMS, browsing, input, stored passwords, etc.)
Storage | Generic attacks on device storage (hard disk or solid-state disk [SSD]) and the data replicated there
(Copyright ISACA)
Technical risks: "Sensitive Data Leakage Risk"
Information type | Risk
Identity | International Mobile Equipment Iden...

Technical risks: "Usability Risk"
Risk factor | Risk
Frequent change of hardware as part of the mobile contract...

Examples of vulnerabilities
Vulnerability | Threats | Risk
Information travels across wireless networks that are often less s...
Mobile security example: Principles, Policies, Frameworks, …
• Information security principles
• ...

Principles, Policies and Frameworks: Principles
Principle | Objective | Mobile security
Focus on the business | Ensure that...
Protect classified information | Pr...

Principles, Policies and Frameworks: Policies
Policy on the use of mobile devices. Topic | Policies: Se...

Mobile devices: Principles, Policies and Frameworks: Standards
Clause | Centralized aspects | BYOD aspects
Acquisition | Process fo...

Principles, Policies and Frameworks: Operational procedures
• Mobile device audit
• Change management
• Management...
Organizational structures
• Composition
• The structures are made up of members who are, or who represent, stake...

Organizational structures
• Information Security Officer (or IS Officer)
• Information Security Steering Committee...

Organizational structures
Aspect | Characteristics (Information Security Manager) | Characteristics (Specialist, Se...)
Mobile security example: Competencies
• Position (job description, career path, …)
• Education (degrees, …)
• Q...

Mobile security example: Competencies
• Information security governance
• Development of the stra...

People and Competencies: Competencies
Competency | Mobile security manager/specialist | User
Governance | Extensi...

People and Competencies: Training
Perspective | Key topics | Content
Basics | Mobile device features | Basics and background f...

People and Competencies: Competencies of the CISO (four slides, one table)
Domain | Generic competencies | Mobile-related competencies
Governance | ...
Strategy | Ability to...
Architecture | develo...
Operations | Knowledg...
Mobile security example: Ethics, Culture, Behaviour
For organizations as well as for indi...

Mobile security example: Ethics, Culture, Behaviour
Expected behaviours
• 8 expected behaviours
L...

Culture, Ethics, Behaviour
Reference behaviour | Regarding the use of mobile devices
Information security...
Mobile security example: Services: Applications, Infrastructure, …
• Service capabilities
• Technology e...

Services: Infrastructure, Applications, …: Information security illustrations
• Security architecture
• Awareness...

Services: Infrastructure and Applications, …
• Security architecture
• Security awareness
• Secure development
• Securit...

Services: Infrastructure and Applications, …
Device Management
• Overarching device management system
• Identity and acc...

Services: Infrastructure and Applications, …
Device Structure
• Enhanced SIM card functionality
• Hardware add-ons for s...

Services: Infrastructure and Applications, …
Device OSs
• Kernel modifications (usually done through firmware updates)
• ...

Services: Infrastructure and Applications, …
Applications
• Antivirus
• Application patching
• Control risk assessments
• ...

Services: Infrastructure and Applications, …
Connectivity
• Secure coding resources and tools specifically for protectin...
Mobile security example: Services: Infrastructure, Applications, … (two table slides)
Service | Device Management | Device Structure | Devic...

Mobile security example: IT (security) processes
• 129 IT process objectives
• 207 IT practices
• 1108 ac...
Mobile security example: For the IT process Manage Operations (three slides)

Mobile security example: Security processes that are added to the IT processes (two slides)
For the IT process, M...

Processes
IT Process | Mobile Device Security Management Process
EDM01 Ensure governance framework setting and maintenance | R...
Mobile security example: Information
• Objectives and performance indicators
• Lifecycle
• Good p...

Mobile security example: Information
• Strategy
• Budget
• Plan
• Policies
• Requirements
• Awareness...

Information: Information types
• Replicated emails, contacts, calendars and notes
• Music, movies and other content that u...

COBIT 5 Online
COBIT 5 Online is a multi-phase initiative by ISACA t...
Annex
COBIT 5: Other publications
COBIT 5 Deliverables : A Business Framework for the
Governance and Management of Enterprise IT (94 pages)
• Executive Summ...
COBIT 5 Deliverables : A Business Framework for the
Governance and Management of Enterprise IT
• Appendix A : References
•...
COBIT 5 Deliverables : Enabling Processes (230 pages)
• Introduction
• The Goals Cascade and Metrics for Enterprise Goals ...
COBIT 5 Deliverables : Enabling Processes
• Process identification : Label, Name, Area, Domain
• Process description
• Pro...
COBIT 5 Deliverables : Information Security (220 pages)
• Executive Summary: Introduction, Drivers, Benefits, Target Audie...
COBIT 5 Deliverables : Information Security
• Appendix A Detailed Guidance : Principles, Policies and Frameworks
• 3 high ...
COBIT 5 Deliverables : Information Security
Processes Enabler
• Process Identification : Label, Name, Area, Domain
• Proce...
COBIT 5 Deliverables : Risk (244 pages)
• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience...
COBIT 5 Deliverables : Risk
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 7 high level risk prin...
COBIT 5 Deliverables : Risk
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose S...
COBIT 5 Deliverables : Assurance (318 pages)
• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target A...
COBIT 5 Deliverables : Assurance
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 4 areas : Covered...
COBIT 5 Deliverables : Assurance
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purp...
COBIT 5 Deliverables : Implementation (78 pages)
• Introduction
• Positioning GEIT
• Taking the first steps towards GEIT
•...
  1. 1. « Comment placer la Gouvernance au cœur de la transformation numérique ?» (2/2) Les jeudis de l’AFAI Patrick Stachtchenko 2 Avril 2015 1Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  2. 2. Patrick Stachtchenko Coordonnées • Mobile : +33 6 86 68 35 76 • Email : pstachtchenko@orange.fr 2Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  3. 3. Comment COBIT 5 peut répondre à ce nouveau contexte : Illustration? 3Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  4. 4. COBIT 5 : Vue d’ensemble– COBIT 5 Framework • A Business Framework for the Governance and Management of Enterprise IT (94 p) • COBIT 5 Principles : Where did they come from? (12 p) – COBIT 5 Enabler Guides • Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), … – COBIT 5 Professional Guides • Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)… – Practices and Guidance using COBIT 5 • Configuration Management (88 p), Vendor Management (178 p), ... • COBIT Assessment Program : Model (144 p), Self Assessment (24 p), User Guide – White Papers / Vision Series / Studies / Surveys • Social Media, Business Benefits and Security, Governance and Assurance Perspectives (10 p) • Cloud Computing, Business Benefits with Security, Governance and Assurance Perspectives (10 p) • Big Data Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), … – Professionals Standards and Guidance • ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p) – Audit/Assurance Programs • EDM/APO/DSS/BAI (25p /Process), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), … – Knowledge Center (Over 100 topics : for each topic discussions, documents and publications, events, journal articles, external links, wikis, blog posts), Elibrary (> 500 Publications), Academia, .. • Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400,… – COBIT Focus (4 x year) : COBIT Case studies, Articles, Updates, … – COBIT 5 Online : Multiphase project. Capabilities for accessing, understanding and applying COBIT 54 Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  5. 5. COBIT 5 : Vue spécifique (Information Security) – COBIT 5 Professional Guides • Information Security (220 p) – Practices and Guidance using COBIT 5 • Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p),… – White Papers / Vision Series / Studies / Surveys • Cybersecurity : What the Board of Directors Needs to Ask? (20 p) • Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18p) • Business Continuity Management, Emerging Trends (15 p) • Web Application Security, Business and Risk Considerations (16 p) • Security Considerations for Cloud Computing (80 p) • Advanced Persistent Threat (APT) Awareness Study Results (20 p), … – Audit / Assurance programs • VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), … – Knowledge Center, Elibrary, … • Security Tools, Physical Security, Network Security, … – COBIT 5 Online • Security Specific View 5 Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  6. 6. COBIT 5 : Etude Globale sur la Gouvernance (ISACA 2014) • White papers – Issues that have just begun to, or will soon impact enterprise operations • Research projects • Knowledge Center – Over 100 topics – Discussions, Documents and Publications, Events and Online Learning, Journal Articles, User Contributed External Links, Wikis, Blog Posts • Academia – Model Curricula – Teaching Material (for Academia advocates) • Elibrary – All ISACA publications – 525 external books • Career Center Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 6
  7. 7. COBIT 5 : Les publications récentes Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 7
  8. 8. ISACA en résumé : Knowledge 2015 • DevOps Overview 16 p • Internet of Things : Risk and Value Consideratrions 13 p • IS Auditing Tools and Techniques : IS Audit Reporting 46 p • Getting Started With Governance 8 p • Overview of Digital Forensics 14 p • DevOps Series • Industrial Control Systems (ICS) 2nd Q • Internal Controls 1st Q • Operational Risk Management/Basel Using COBIT 5 ? • PCI DSS (Payment Card Industry Data Security Standard) 1st Q • Security, Audit and Control Features SAP ERP, 4th Edition 1st Q • + Travaux des comités et task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc…) Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 8 Ensemble du knowledge développé en respectant les principes de COBIT 5
  9. 9. ISACA en résumé : Knowledge 2014 • Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process) • A Global Look at IT Audit Best Practices (45 p) • IT Control Objectives for Sarbanes Oxley using COBIT 5, 3rd Edition (142 p) • Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process) • Risk Scenarios Using COBIT 5 for Risk (294 p) • Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process) • European Cybersecurity Implementation Series – Overview (26 pages) – Assurance (24 pages) – Resilience (25 pages) – Risk Guidance (24 pages) – Audit/Assurance Program (47 pages) Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 9
  10. 10. ISACA en résumé : Knowledge 2014 • Cybersecurity : What the Board of Directors Needs to Ask? (20 p) • Implementating the NIST Cybersecurity Framework (108 p) • COBIT 5 Principles : Where did they come from? (12 p) • Advance Persistent Threat Awareness Study Results (20 p) • ITAF 3rd Edition (148 p) • Controls and Assurance in the Cloud : Using COBIT 5 (266 p) • Relating the COSO Internal Control Integrated Framework and COBIT (22 p) • Vendor Management Using COBIT 5 (178 p) • Evaluate, Direct and Monitor Programs 1-5 (25 p / process) • Genrating Value from Big Data Analytics (12 p) Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 10
  11. 11. ISACA en résumé : Knowledge 2013 • Security as a Service (18 p) • COBIT 5 : Enabling Information (90 p) • Advanced Persistent Threats : How to manage the Risk to Your Business? (132 p) • COBIT 5 for Risk (244 p) • Configuration Management Using COBIT 5 (88 p) • Privacy and Big Data (12 p) • Transforming Cybersecurity (190 p) • COBIT 5 for Assurance (318 p) Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 11
  12. 12. ISACA en résumé : Knowledge 2013 • Responding to Targeted Cyberattacks (88 p) • Cloud Governance : Questions Boards of Directors Need to Ask? (9 p) • Big Data : Impacts and Benefits (14 p) • Software Assurance Audit/Assurance Program (35 p) • Identity Management Audit/Assurance Program (40 p) • COBIT Assessment Programme Using COBIT 5 (144 p) • Outsourced IT Environments Audit/Assurance Program (39 p) • Personally Identifiable Information Audit/Assurance Program (34 p) Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 12
  13. 13. COBIT 5 : Contenu Illustrations Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 13
  14. 14. Contenu : COBIT 5 Enabling Information Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 14
  15. 15. COBIT 5 Deliverables : Enabling Information (90 pages) • Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope • COBIT 5 Principles applied to Information – COBIT 5 Principles • Goals Cascade for the Enterprise (Function Goals) • Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations Items for 8 Functional areas : Human Resources (22 items), Procurement (20 items), …) • Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items) • The COBIT 5 Information Model – COBIT 5 Information Model Overview • Information Stakeholders : Examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes) • Information Goals : Examples for each of the 15 information quality criteria • Lifecycle : Examples for Supplier Information, Retention Requirements, IT Change Management Data • Good Practices : Examples for the 11 information attributes – Additional Examples of COBIT 5 Information Model Use • 5 sample use cases : Building IS Specifications, Definition of Information Protection Requirements, etc.. • Comprehensive Information Item Description : Illustration for Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers) • Addressing Information Governance and Management Issues Using COBIT – Information Governance and Management Issues Reviewed in this Chapter (9 issues) • For each Issue : Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue • Appendix A : Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001) • Appendix B : Example Information Items Supporting Functional Area Goals (8 areas, 179 items) • Appendix C : Example Information Items Supporting IT-related Goals (1 area, 69 items) 15 Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  16. 16. Information Exemple de critères d’appréciation Qualité intrinsèque : valeurs des données en conformité ave les valeurs réelles • Exactitude : correcte et fiable • Objectivité : non biaisée et impartial • Crédibilité : considérée comme vraie et crédible • Réputation : bien considérée en termes de source et de contenu Qualité contextuelle et représentationnelle : s’applique à la tache de l’utilisateur de l’information et est présenté de manière claire et intélligible • Pertinence : applicable et utile pour la tâche à effectuer • Exhaustivité : pas absente et à un niveau suffisant pour la tâche à effectuer • Actualité : suffisamment à jour pour la tâche à effectuer • Quantité d’information appropriée : appropriée pour la tâche à effectuer • Représentation concise : représentée de manière compacte • Représentation consistante : présentée dans le même format • Interprétabilité :dans des langages, symboles et unités appropriés, et définitions claires • Compréhensibilité : facilement compréhensible • Facilité de manipulation : facile à manipuler et appliquer aux différentes tâches Qualité d’accès/Sécurité : que l’on peut accéder et disponible • Disponibilité/Opportun : disponible lorsque cela est requis, facilement et rapidement récupérable • Restriction d’accès: accès restreint aux personnes et actions autorisées 16 • Multiples périmètres possibles pour la sécurité des informations. Problématique de recouvrement. • La sécurité traite le plus souvent au minimum toutes les problématiques liées aux « accès non valides » • Aussi, les aspects intégrité/disponibilité/confidentialité, identification/authentification/non répudiation/habilitation sont à couvrir au minimum Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  17. 17. Information Les niveaux/attributs • L’utilisation de ces niveaux permet de déterminer les niveaux de protection et les mécanismes de protection à mettre en œuvre à chaque niveau: • Où est conservée l’information? • Comment peut-on y avoir accès? • Comment sera-t-elle structurée et codifiée? • Quelle sorte d’information? Quel est le niveau d’information? • Quels sont les délais de rétention? Quelles autres informations sont requises pour que cette information soit utile et utilisable? • Niveau physique : Support de l’information (média : papier, signaux électriques, ondes sonores) • Niveau empirique: Canal d’accès (interfaces utilisateurs) • Niveau syntactique: Code/langage/format • Niveau sémantique: Sens de l’information • Type d’information : financier/non financier, interne/externe, valeurs prévisionnelles/valeurs observées • Actualité de l’information : information sur la passé, le présent, le futur • Niveau d’aggrégation : ventes par année, trimestre, mois, … • Niveau pragmatique : Utilisation de l’information • Période de rétention : pendant combien de temps faut-il conservée l’information avant de la détruire • Statut de l’information : information est opérationnelle ou historique • Nouveauté: nouvelle connaissance ou confirmation de la connaissance existente (information/confirmation) • Contingence: information requise pour précéder l’information pour qu’elle soit considérée comme de l’information • Niveau social : Contexte (contrats, loi, culture) 17Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  18. 18. Description complète d’un élément d’Information - Profil de Risque Description de toutes ses dimensions. Cela peut être utile pour traiter des questions telles que : • « Risk Managers » – A quoi ressemble une profil de risque? – Quels sont les critères de qualité d’un profil de risque et comment peuvent-ils être atteints? – Qui sont les principales parties prenantes? – Quels sont leurs intérêts? – Quelles sont les bonnes pratiques? – Quels sont les leviers concernés, etc… ? • Auditeurs – Comment puis-je revoir la qualité d’un profil de risque? – Quels sont les critères à analyser? • Parties Prenantes – Quelles sont mes responsabilités dans le cycle de vie du profil de risque? Le contexte professionnel et business est décrit dans COBIT 5 for Risk, COBIT 5 for Security et COBIT 5 for Assurance 18 Information : Exemple « Profil de Risque » Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  19. 19. 19 Information : Exemple « Risk Profile » Cycle de vie et Parties Prenantes Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA
  20. 20. 20 Information : Exemple « Risk Profile » Objectifs Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA
  21. 21. 21 Information : Exemple « Risk Profile » Bonnes Pratiques Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA
  22. 22. 22 Information : Exemple « Risk Profile » Connexion aux autres leviers Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA
  23. 23. 23 Information : Exemple « Risk Profile » Fiche de Scénario de risque Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA • 20 Types de Scénario de risque • >100 Fiches de Scénario de risque détaillées
  24. 24. Fiche de Scénario de Risque ECP : La sécurité des système d'information 24 Copyright ISACA Patrick Stachtchenko
  25. 25. Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 25 Fiche de Scénario de Risque : “Logical Attacks”
  26. 26. Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 26 Fiche de Scénario de Risque : “Logical Attacks”
  27. 27. Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 27 Fiche de Scénario de Risque : “Logical Attacks”
  28. 28. 28 Information : Exemples de préoccupations à traiter Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 Copyright ISACA
  29. 29. Contenu : Securing Mobile Devices Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015 29
  30. 30. COBIT 5 Deliverables : Securing Mobile Devices (138 pages) • Introduction : What is a mobile device? Mobile Device Use – Past Present Future • Mobile Device Impact on Business and Society : Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts • Threats, Vulnerabilities and Associated Risks : Physical, Organizational, Technical • Security Governance : Business Case, Standardized Enterprise Solutions, BYOD, Combines Scenario, Private Use of Mobile Devices, Defining the Business Case • Security Management for Mobile Devices : Categories and Classification, Existing Security Controls, 7 Enablers • Hardening Mobile Devices : Device and SIM card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality • Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices • Guiding Principles for Mobile Device Security : 8 principles • Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security • Appendix B. Hardening Mobile Devices • Appendix C. Sample Audit Steps in Forensics and Investigation 30Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  31. 31. Illustration pour la sécurité des mobiles 31 • Enjeux : bénéfices attendus,… • Type de mobiles et de connexions • Classement par catégorie d’actifs • Niveaux de sécurité par catégorie d’actifs • Type de Risques par catégorie de risques • Nature de Risques par cible, par type d’information, par facteur de risque • Exemples de vulnérabilités/menaces/risques • Exemple d’options de réponses aux risques pour chaque levier • Principes de sécurité des SI, Objectifs associés, Principes de sécurité des mobiles • Directives de sécurité des SI, Thèmes couverts, Directives de sécurité des mobiles • Standards de sécurité des mobiles, Aspects centralisés, Clauses couvertes • Procédures opérationnelles • Processus de sécurité des mobiles et connexion aux processus SI • Attributs de l’Organisation de sécurité, Responsable Sécurité des SI, Responsable Sécurité des Mobiles • Comportement attendu en sécurité des SI, Comportement attendu en sécurité des mobiles • Compétences du responsable sécurité des mobiles, Compétences des utilisateurs • Formation : perspective, thèmes clés, contenu • Compétences responsable sécurité des SI • Capacités de Services, architecture et applications : types de services par domaine Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  32. 32. Enjeux • “Internet of things” – 10 Milliards d’appareils connectés à internet – 20 – 50 Milliards d’appareils en réseau – 1,7 Milliards de mobiles connectés à internet • Impacts – Notion de bureau (anywhere, moins de locaux) – Horaire de travail (anytime) – Périmètre de l’entreprise (système ouvert, cloud, partenaires, voiture de location, …) – Vies privée et professionnelle (emails, contacts, agenda, etc…) – Efficacité au travail / productivité / flexibilité – Responsabilités – Fonction supports (7/7, 24/24), process, formation,… – Nouveaux Risques 32 Exemple Sécurité des Mobiles Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  33. 33. Exemple Sécurité des Mobiles Types de mobiles et de connections • Téléphone cellulaire traditionnel • Smartphones et PC de poche • Unités auxiliaires : clés usb, haut-parleurs ou écouteurs sans fil, GPS,… • Appareils non téléphoniques sans fil : tablettes,… • Automobile : appareils électroniques connectés tels qu’une aide de navigation GPS, diagnostic, fermeture/ouverture automatique,… • Vêtements « intelligents » • Jouets et “robots” (drones, caméras, aspirateurs, tondeuses, …) • Implants (pompes à insuline,…),… • Public Cloud • Autres mobiles • Private Cloud • Entreprise • GSM, GPRS/Edge, 3.5 G, 4G/LTE, Bluetooth, WLAN/802.x, NFC,… 33Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
  34. 34. Exemple Sécurité des Mobiles Classement par catégorie d’actif Categorie Appareils Exemples 1 Data storage (limited), basic telephony and messaging services, proprietary OS (limited), no data processing capability Traditional cell phones 2 Data storage (including external) and data processing capabilities, standardized OS (configurable), extended services • Smartphones • Early pocket PC devices 3 Data storage, processing and transmission capabilities via alternative channels, broadband Internet connectivity, standardized OS (configurable), PC-like capabilities • Advanced smartphones • Tablet PCs 34 Copyright ISACA Patrick Stachtchenko Jeudis de l'AFAI 2 Avril 2015
35. Example: Mobile Security
Risk levels by asset category (Copyright ISACA)
Risk | Category 1 | Category 2 | Category 3 | Category 4
Physical
Theft | Low | Medium | High | High
Loss | Medium | Medium | Medium | Medium
Damage/destruction | High | High | High | High
Organizational
Agglomeration/heavy users | Low | Low | High | High
Complexity/diversity | Low | Medium | High | High
Technical
Activity monitoring, data retrieval | Low | High | High | High
Unauthorized network connectivity | Low | Medium | High | High
Web view/impersonation | Low | Medium | High | High
Sensitive data leakage | Low | High | High | High
Unsafe sensitive data storage | Medium | High | Medium | Medium
Unsafe sensitive data transmission | Low | High | Medium | High
Drive-by vulnerabilities | Low | High | High | High
Usability | Low | Low | High | High
(Category 4 is not described on the preceding classification slide, which defines categories 1 to 3 only.)
36. Example: Mobile Security
Types of risk by asset category: physical risks
• Inability to work for a long period
• Access to information (emails, contacts, appointments, usage history, deleted items, codes, …); the data are often unencrypted
• Identity theft
There are, however, ways to limit these risks:
• Device location and tracking
• Remote lock capability
• SIM card blocking capability
37. Example: Mobile Security
Types of risk by asset category: organizational risks
• Replication of privileged access rights onto the device
• Sensitive nature of the data held for executives
• Complexity of use (richness of features, …): errors, data roaming, …
• Short life cycle (management, training, …)
38. Example: Mobile Security
Technical risks: "Activity monitoring, data retrieval" (Copyright ISACA)
Target | Risk
Messaging | Generic attacks on SMS text and MMS-enriched transmission of text and content; retrieval of online and offline email content; insertion of service commands via SMS cell-broadcast texts; arbitrary code execution via SMS/MMS; redirect or phishing attacks via HTML-enabled SMS text or email
Audio | Covert call initiation, call recording; open-microphone recording
Pictures/video | Retrieval of still pictures and videos, for example by piggybacking the usual "share" functionality in most mobile apps; covert picture or video taking and sharing, including traceless wiping of such material
Geolocation | Monitoring and retrieval of GPS positioning data, including date and time stamps
Static data | Retrieval of contact list, calendar, tasks, notes
History | Monitoring and retrieval of all history files on the device or SIM card (calls, SMS, browsing, input, stored passwords, etc.)
Storage | Generic attacks on device storage (hard disk or solid-state disk, SSD) and the data replicated there
39. Example: Mobile Security
Technical risks: "Sensitive data leakage risk" (Copyright ISACA)
Type of information | Risk
Identity | International Mobile Equipment Identity (IMEI), manufacturer device ID, customized user information; hardware/firmware and software release statistics, which also disclose known weaknesses or potential zero-day exploits
Credentials | User names and passwords, keystrokes; authorization tokens, certificates (Secure Multipurpose Internet Mail Extensions [S/MIME], Pretty Good Privacy [PGP], etc.)
Location | GPS coordinates, movement tracking, location/behavioural inference
Files | All files stored at OS/file-system level
40. Example: Mobile Security
Technical risks: "Usability risk" (Copyright ISACA)
Risk factor | Risk
Frequent change of hardware as part of the mobile contract | In upgrading to "state-of-the-art" devices, users are compelled to familiarize themselves with new and complex features. This creates a significant risk of human error and resulting security issues.
Users' limited familiarity with their devices | The number of features and apps may appear overwhelming to the average user. This creates a high risk of inadvertent actions, errors and security breaches.
Limitations to configurability, opaque OSs | As OSs become less transparent, configuration and device management are restricted. This reduces the amount of organizational control over mobile OSs.
Mandatory services prescribed by the OS or contract | Consumer-based services run in the background, creating potential security issues. Security management may not be able to control these activities where the contractor sees them as essential.
Proliferation of pay-as-you-go and subscription services | Users face more and more opt-in challenges for the activation or extension of applications. This creates contractual and security-related risk.
Mandatory cloud sign-in as a prerequisite to accessing certain services | Mobile devices may become dysfunctional or restricted if the mandated services are not activated. This creates additional security risk when users naturally opt in to these services.
41. Example: Mobile Security
Examples of vulnerabilities (Copyright ISACA)
Vulnerability | Threat | Risk
Information travels across wireless networks that are often less secure than wired networks. | Malicious outsiders can harm the enterprise. | Information interception resulting in a breach of sensitive data, damage to enterprise reputation, compromised adherence to regulation, legal action
Mobility lets users leave the enterprise boundaries, thereby eliminating many security controls. | Mobile devices cross boundaries and network perimeters carrying malware, and can bring this malware into the enterprise network. | Malware propagation, which can result in data leakage, data corruption and unavailability of necessary data; physical theft
Bluetooth makes hands-free conversations convenient; however, it is often left on and is then discoverable. | Attackers can discover the device and then launch an attack. | Device corruption, lost data, call interception, possible exposure of sensitive information
Unencrypted information is stored on the device. | If a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable. | Exposure of sensitive data, resulting in damage to the enterprise, customers or employees
Lost data may affect employee productivity. | Mobile devices may be lost or stolen because of their portability. Data on these devices are not always backed up. | Workers dependent on mobile devices are unable to work if devices are broken, lost or stolen, and data that are not backed up are lost
The device has no authentication requirements applied. | If the device is lost or stolen, outsiders can access the device and all its data. | Data exposure, resulting in damage to the enterprise and liability and regulatory issues
The enterprise is not managing the device. | If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices. While these devices may not connect to the virtual private network (VPN), they may interact with email or store sensitive documents. | Data leakage, malware propagation, unknown data loss in the event of device loss or theft
The device allows installation of unverified/unsigned third-party applications. | Applications may carry malware that propagates Trojan horses or viruses. The applications may also turn the device into a gateway for malicious outsiders to enter the enterprise network. | Malware propagation, data leakage, intrusion into the enterprise network
42. Example: Security (Mobile Security)
Principles, policies, frameworks, …
• Information security principles
– Support the business (6 sub-principles)
– Protect the business (4 sub-principles)
– Promote responsible information security behaviour (2 sub-principles)
• Policies
– General information security policy
– Information security policies driven by the information security function
    • Access control
    • Personal information protection
    • Physical and environmental security
    • Incident response
– Information security policies driven by other functions
    • Business continuity and disaster recovery
    • Asset management
    • Rules of behaviour
    • Solution acquisition, development and maintenance
    • Vendor management
    • Operations
    • Compliance
    • Risk management
43. Example: Mobile Security
Principles, policies and frameworks: principles (Copyright ISACA)
Principle | Objective | Mobile security
Focus on the business | Ensure that information security is integrated into essential business processes | Analyze business processes with mobile device dependencies, and prioritize accordingly
Deliver quality and value to stakeholders | Ensure that information security delivers value and meets business requirements | Perform stakeholder analysis (internal and external) and derive requirements for mobile devices
Comply with relevant legal and regulatory requirements | Ensure that statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided | Identify laws, regulations and governance rules for mobile device use, and define requirements
Provide timely and accurate information on information security performance | Support business requirements and manage information risk | Establish mobile device key performance indicators (KPIs) and regular reporting
Evaluate current and future information threats | Analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken | Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches
Promote continuous improvement in information security | Reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security | Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching
Adopt a risk-based approach | Ensure that risk is treated in a consistent and effective manner | Maintain mobile device categorization and keep the risk heat map up to date

44. Example: Mobile Security
Principles, policies and frameworks: principles (continued) (Copyright ISACA)
Principle | Objective | Mobile security
Protect classified information | Prevent disclosure of classified (e.g., confidential or sensitive) information to unauthorized individuals | Establish data classification for information resident on, or flowing through, mobile devices, including cloud services and storage. Align mobile device identity and access management with corporate identity and access management (IAM).
Concentrate on critical business applications | Prioritize scarce information security resources by protecting the business applications on which an information security incident would have the greatest business impact | Regularly perform a business impact analysis (BIA) on mobile devices as assets, related processes and resulting categories of impact (financial, non-financial)
Develop systems securely | Build quality, cost-effective systems on which business people can rely (e.g., that are consistently robust, accurate and reliable) | Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios
Act in a professional and ethical manner | Ensure that information security-related activities are performed in a reliable, responsible and effective manner | Apply governance to mobile device policies, standards and key operating procedures
Foster an information-security-positive culture | Provide a positive information security influence on the behaviour of end users, reduce the likelihood of information security incidents occurring and limit their potential business impact | Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection.
45. Example: Mobile Security
Principles, policies and frameworks: policies (Copyright ISACA)
Mobile device use policy item | Theme | Related information security policies
Analyze business processes with mobile device dependencies, and prioritize accordingly | Mobile device strategy | Information security policy; business continuity and disaster recovery policy
Perform stakeholder analysis (internal and external) and derive requirements for mobile devices | Mobile device strategy | Information security policy
Identify laws, regulations and governance rules for mobile device use, and define requirements | Governance compliance | Information security policy; compliance policy
Establish mobile device KPIs and regular reporting | Governance compliance | Information security policy; compliance policy
Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches | Risk | Risk management policy
Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Maintain mobile device categorization and keep the risk heat map up to date | Risk | Risk management policy
Establish data classification for information resident on, or flowing through, mobile devices, including cloud services and storage; align mobile device identity and access management with corporate IAM | ISMS asset management | Information security policy; asset management policy
Regularly perform a BIA on mobile devices as assets, related processes and resulting categories of impact (financial, non-financial) | Mobile device strategy | Information security policy; business continuity and disaster recovery policy
Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Apply governance (see chapter 3 of the ISACA guide) to mobile device policies, standards and key operating procedures | Governance | Information security policy
Educate end users about mobile device security, particularly in BYOD scenarios; provide useful tools and aids to enable user self-protection | Security culture | Rules of behaviour policy
46. Example: Mobile Security
Principles, policies and frameworks: standards (Copyright ISACA)
Clause | Centralized aspects | BYOD aspects
Acquisition | Process for acquisition by the enterprise, linked to procurement or purchasing processes | Provide users with subsidized/preferential arrangements, or specify approved devices
Onboarding | – | Process for onboarding any device presented by a user, including opt-in clauses
Provisioning | Process for provisioning hardware, OS, standardized apps, optional apps | –
Configuration | Process for developing, testing, deploying and updating configuration, linked to general configuration management | Process for partial configuration of the device with the organizational standard (the user must have opted in and signed)
Systems and data management | Process for security-related systems and data management, linked to general systems management | Process for partial systems and data management activities (the user must have opted in and signed)
Organizational risk | Pre-applied security controls for organizational risk (user agglomeration, diversity and complexity) | Pre-applied security controls, e.g., security axioms, for any device
Physical risk | Pre-applied security controls for loss, theft, damage | Pre-applied security controls for loss, theft, damage, etc.
Technical risk | Pre-applied security controls for all categories of technical risk | Pre-applied security controls for the standardized part of the device; mandatory guidance for user self-protection (minimum requirements)
Exception/incident management | Process for logging, treating and resolving exceptions and incidents, linked to business continuity/disaster recovery | Process for identifying incidents, containment, resolution and ex post impact; process for isolating, quarantining and removing devices
Life span | Process for aging devices in line with life span/innovation, including the risk of obsolete devices | Process for aging devices in line with life span/innovation, weighing the cost of supporting obsolete devices against the risk of operating them
Decommissioning | Process for decommissioning end-of-business-life devices and for secure disposal | –
Removal | – | Process for initiating removal, secure disposal of organizational data and removal of apps; offboarding the device (not the user) and replacement
(A dash marks a cell left empty on the slide.)
47. Example: Mobile Security
Principles, policies and frameworks: operating procedures
• Mobile device audit
• Change management
• Patch management
• Malware protection
• Encryption, VPN, containerization
• Damage, loss, theft
• …
48. Example: Security (Mobile Security)
Organizational structures
• Composition: structures are made up of members who are, or represent, internal and external stakeholders; each has a specific role depending on the structure's context
• Scope: the boundaries of the structure's decision rights
• Level of authority: the decisions the structure is authorized to take
• Operating principles: the practical arrangements for how the structure works (meeting frequency, documentation, rules, …)
• Delegation powers: the structure may delegate its decision rights (or a subset of them) to other structures that report to it
• Escalation procedures: the escalation path describes the actions required when problems arise in making decisions
49. Example: Security (Mobile Security)
Organizational structures
• Information security (or IS) director
• Information security (or IS) steering committee
• Information security (or IS) manager
• Risk steering committee
• Information security lead within the business functions
50. Example: Mobile Security
Organizational structures (Copyright ISACA)
Aspect | Characteristics (information security manager) | Characteristics (mobile security specialist)
Mandate | Overall responsibility for the management of information security efforts | Operational responsibility for securing mobile devices
Reporting | Reports to the CISO (or, in some enterprises, to the business unit leads) | Reports to the information security manager
Scope | Application information security, infrastructure information security, access management, threat management, risk management, awareness program, metrics, vendor assessments | Mobile device security management and monitoring
Level of authority, decision rights | Overall decision-making authority over information security domain practices | Recommends and implements concepts, controls and processes for mobile device security management and monitoring
Delegation rights | Should not delegate decisions related to information security domain practice | No delegation
Escalation | Issues escalated to the CISO | Issues escalated to the information security manager
Responsibility | Accountability; responsibility in small and medium-sized enterprises, delegation to experts in larger enterprises | Responsibility
Points of contact: Legal, General Services, Risk Management, Purchasing, Development, Information Technology, Audit, Users
51. Example: Security (Mobile Security)
Competencies
• Position (job description, career path, …)
• Education (degrees, …)
• Qualifications (certifications, …)
• Experience
• Knowledge, know-how, interpersonal skills
• Availability / retention (access to external resources)
• Training
• Evaluation
52. Example: Security (Mobile Security)
Competencies
• Information security governance
• Information security strategy formulation
• Information risk management
• Information security architecture
• Information security operations
• Information assessment, testing and compliance
53. Example: Mobile Security
People and competencies: skills (Copyright ISACA)
Skill | Mobile security manager/specialist | User
Governance | Extensive skills and experience | Awareness
Strategy formulation | Ability to set mobile device security strategy | Awareness
Risk management | Recognition of mobile device risk and treatment options | Recognition of mobile device risk, avoidance or mitigation behaviour
Architecture development | Extensive skills and experience in mobile architectures | Reasonable understanding of mobile architecture and inherent risk
Operations | Extensive skills and experience in operating mobile device architectures, including the back end | Experience with operating mobile devices commensurate with device complexity
Assessment, testing, compliance | Ability to perform/support assessments, extensive testing skills, awareness and in-depth understanding of compliance requirements | Awareness of compliance requirements, basic understanding of assessments, ability to participate in testing
54. Example: Mobile Security
People and competencies: training (Copyright ISACA)
Perspective | Key themes | Content
Basics | Mobile device features | Basics and background for use, OS, popular apps, typical risks, security points to note
Basics for senior management | Mobile device features | Basics (in a very short time), how to set an example for all employees, governance and how to communicate it, making security a top priority, eye-opening demonstrations of how easy it is to attack the device, etc.
Business | Business-related services and apps | Onboarding, access and identity management, apps and services offered by the organization, security ground rules, policy and standards, etc.
Outside the enterprise | Travel-related security | Connectivity, foreign networks, what to do when traveling (and what not to do), typical security risk, local warnings, etc.
Private | Private use and security | Popular services and apps, associated risk and security issues, attacks and defence, golden rules of private use (governance), etc.
Advanced | Using advanced features and related security | Knowing the device, advanced apps and features, self-preservation and what to do about security, organizational testing and participation, how to become a key user, etc.
Management | Mobile device security manager skills | Basic/intermediate/advanced series of training courses for information security managers or specialists
Management refresher | Mobile device security manager skills | Regular updates on trends, emerging technologies and risk, new security management techniques, etc.
55. Example: Mobile Security
People and competencies: CISO skills (Copyright ISACA)
Domain | Generic skills | Mobile-related skills
Governance – ability to:
Define metrics that apply to information security governance | Define a full set of mobile device security metrics and measurements
Create a performance measurement model | Define mobile device performance indicators for measurement
Develop a business case justifying investments in information security | Develop a business case for mobile devices, including standardized solutions vs. partial or full BYOD
Governance – knowledge of:
Legal and regulatory requirements | Specific legal and regulatory requirements for mobile device use, including telecommunications and IT
Roles and responsibilities required for information security | Mobile device security roles and responsibilities, including end-user responsibilities as defined for the enterprise
Methods to implement information security governance policies | Implementing information security governance for mobile device possession and use
Fundamental concepts of governance | Fundamental concepts of governance
Internationally recognized standards, frameworks and best practices | Internationally recognized standards for mobile devices, mobile OSs, telephony, data transmission, etc.
Governance – technical skills:
Good understanding of the information security practices that apply to the specific business | Understanding of business dependencies on mobile devices and the resulting security requirements
56. Example: Mobile Security
People and competencies: skills (Copyright ISACA)
Domain | Generic skills | Mobile-related skills
Strategy – ability to:
Understand the enterprise culture and values | Understand the enterprise culture and values
Define an information security strategy that is aligned with enterprise strategy | Define a mobile device security strategy in line with the information security strategy
Develop information security policies and devise metrics | Develop a mobile device use policy and a mobile device security standard
Strategy – knowledge of:
Information security trends, services and disciplines | Mobile device trends, innovative apps, market developments, emerging risk, new paradigms in mobile work, etc.
Strategy – technical skills:
Broad understanding of the various information security disciplines | Broad understanding of the various information security disciplines
Risk management – knowledge of:
Information asset classification model | Mobile device inventory and asset classification, including hardware, apps, data and information assets
Risk assessment and analysis | Mobile device risk assessment
Business processes and essential functions | Business processes and functions that depend on mobile devices and services
Industry standards | Industry standards
Risk-related laws and regulations | –
Risk frameworks and models | –
Risk management – technical skills:
Risk associated with information security practices and activities | Risk associated with mobile device use and mobile security
Risk analyses and mitigating controls | Risk analyses and mitigating controls
(A dash marks a cell left empty on the slide.)
57. Example: Mobile Security
People and competencies: skills (Copyright ISACA)
Domain | Generic skills | Mobile-related skills
Architecture development – knowledge of:
Interaction of technologies with business and information security policies | Interaction of mobile devices (technology, services, apps, etc.) with the business and with general information security
Information security architectures | Mobile architectures
Application design review and threat modeling | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
Methods to design information security practices | Methods to design mobile security practices (organization and end user)
Managing information security programs, policies, procedures and standards | –
Emerging technologies and development methodologies | Emerging mobile technologies and app development tools
Architecture development – technical skills:
Deep and broad knowledge of IT and emerging trends | Deep and broad knowledge of anything that moves (i.e., anything that could be seen as a mobile device in the broadest sense)
Technical design capabilities | Technical design capabilities
Strong subject matter expertise in computer operations | Reasonable expertise in computer operations, strong expertise in linking mobile devices to back-end/data center operations
(A dash marks a cell left empty on the slide.)
58. Example: Mobile Security
People and competencies: skills (Copyright ISACA)
Domain | Generic skills | Mobile-related skills
Operations – knowledge of:
Log monitoring, log aggregation, log analysis | Log monitoring, log aggregation, log analysis
Operations – technical skills:
In-depth knowledge of OSs, authentication, firewalls, routers, web services, etc. | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
Assessment, testing, compliance – knowledge of:
IS audit standards, guidelines and best practices | IS audit standards, guidelines and best practices relevant to mobile devices
Audit planning and project management | –
Local laws and regulations | –
Assessment, testing, compliance – technical skills:
Audit-related tools, gap analysis, analytics, etc. | Audit and investigation tools for mobile devices
(A dash marks a cell left empty on the slide.)
59. Example: Security (Mobile Security)
Ethics, culture, behaviour
Applies to organizations as well as individuals: the set of ways of thinking and acting, and of explicit or implicit rules and attitudes, that characterize an entity
• Values
• Behaviour
• Risk taking
• Non-compliance
• Outcomes (positive, negative, …): learning, blaming, …
• Incentives
• Deterrents
60. Example: Security (Mobile Security)
Ethics, culture, behaviour
Expected behaviours
• 8 expected behaviours
Leadership
• Communication, leading by example, rules
• Incentives
• Awareness
61. Example: Mobile Security
Culture, ethics, behaviour (Copyright ISACA)
Reference behaviour | Applied to mobile device use
Information security is practiced in daily operations. | Security management and monitoring processes are applied to mobile devices to the agreed extent (standardized/BYOD/combined). End users understand and apply security measures completely and in a timely manner.
People respect the importance of information security principles and policies. | Users are aware of, and ideally actively involved in, defining mobile device security principles and policies. These are updated frequently to reflect day-to-day reality as experienced by the users.
People are provided with sufficient and detailed information security guidance and are encouraged to participate in and challenge the current information security situation. | Mobile device security is a fluid process with regular challenges by users. Security guidance for mobile devices is simple, to the point and relates to typical day-to-day security risk. The security situation is frequently and jointly assessed by users and security managers.
Everyone is accountable for the protection of information within the enterprise. | Security managers and users share accountability for mobile device security. This includes business use and private use (in BYOD scenarios). Users have a clear understanding of their accountability and act responsibly when using mobile devices.
Stakeholders are aware of how to identify and respond to threats to the enterprise. | All mobile device users are stakeholders, regardless of their hierarchical position within the enterprise. There is full awareness of the risk, threats and vulnerabilities associated with mobile device use. Response to threats and incidents is well understood, exercised frequently and auditable.
Management proactively supports and anticipates new information security innovations and communicates this to the enterprise. The enterprise is receptive to accounting for and dealing with new information security challenges. | Security management and end users cooperatively identify, test and adopt innovation in mobile device technology and use. Management and end users foster innovation by identifying and presenting new business cases for technology, mobile services and other types of added value. The enterprise aims to stay ahead of the curve in mobile device use.
Business management engages in continuous cross-functional collaboration to allow for efficient and effective information security programs. | Mobile device use (and technology) programs are in place and form part of the IT innovation strategy. Security innovations are actively adopted and incorporated as key projects. Business functions cooperate with information security to maximize the return on information security for mobile services and devices.
Executive management recognizes the business value of information security. | Executive managers act as end users and recognize the value they derive from their use of mobile devices and associated services. They participate in training and awareness activities.
62. Security example (mobile device security): Services: applications, infrastructure, ...
• Service capabilities
• Supporting technology
• Expected benefits
• Performance goals and metrics
• Architecture
• Reuse
• Acquisition / development
• Simplicity
• Agility
• Openness
63. Services: infrastructure, applications, ...: information security illustrations (security example, mobile devices)
• Security architecture
• Security awareness
• Secure development
• Security assessment
• Systems adequately configured and secured, in line with the security requirements and the security architecture
• User access and access rights in line with business needs
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events
64. Services: infrastructure and applications, ... (security example, mobile devices)
• Security architecture
• Security awareness
• Secure development
• Security assessments
• Adequately secured and configured systems
• User access and access rights in line with business requirements
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events
Mobile-specific service areas (detailed on the following slides):
• Device management
• Device structure
• Device OSs
• Applications
• Connectivity
65. Services: infrastructure and applications, ...: Device management (security example, mobile devices)
• Overarching device management system
• Identity and access management (IAM)
• Malware protection (including attacks and intrusions)
• Security testing and monitoring
• Incident response
66. Services: infrastructure and applications, ...: Device structure (security example, mobile devices)
• Enhanced SIM card functionality
• Hardware add-ons for security purposes
• Use of inbuilt processors for specific security tasks
• Firmware modifications (own security builds)
67. Services: infrastructure and applications, ...: Device OSs (security example, mobile devices)
• Kernel modifications (usually done through firmware updates)
• OS "tweaking" tools, registry and configuration editors
• Modifications to factory reset
• Modifications to the first responder interface
• Device/SIM interaction changes
• Remote control interfaces (usually provided by the vendor)
• Secure coding tools and resources
68. Services: infrastructure and applications, ...: Applications (security example, mobile devices)
• Antivirus
• Application patching
• Control risk assessments
• Penetration testing
69. Services: infrastructure and applications, ...: Connectivity (security example, mobile devices)
• Secure coding resources and tools specifically for protecting existing connections
• Technical tools such as fuzzers, sniffers, protocol analyzers
• Remote configuration and control solutions
• Cloud access management
70. Services: infrastructure, applications, ... (security example, mobile devices; Copyright ISACA)
Service capabilities by mobile device area. Columns: Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity. Entries are kept in slide order; where a row shows fewer than five entries, the blank cells of the original table are not recoverable.
• Architecture / plan services: configuration management database (CMDB), asset management systems | reporting agents, policy management solutions, vulnerability scanners | cloud access management
• Awareness: training courses, news feeds | knowledge bases, vendor and industry advisories | knowledge bases, vendor and industry advisories, computer emergency response team (CERT) advisories | training tools, collaboration tools | email, social media, news feeds
• Development: compilers, linkers, secure coding resources | secure coding resources, code scanners, static and binary analysis tools | secure coding resources | secure coding resources
• Assessments: threat and vulnerability risk assessment (TVRA) | log analyzers, flash readers | log analyzers, other tools | reporting tools | fuzzers, sniffers, protocol analyzers, network analyzers, honeypots
• Secured and configured systems: firmware, vendor tools | kernel and related, security model, first responder interface, system and patch management, OS tools | CMDB tools and agents | remote configuration and control solutions
71. Services: infrastructure, applications, ... (continued; security example, mobile devices; Copyright ISACA)
Columns as on the previous slide: Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity.
• Access rights: biometrics, dongles, smart cards (SIM) | embedded device IDs, embedded processors, location services | public key infrastructure (PKI) and encryption, configuration management tools, software distribution tools, provisioning | encryption and related apps, provisioning and IAM tools | cloud access management
• Malware and attack protection: central anti-malware solutions | vendor advisories, other advisories, device management | CMDB, patch management, knowledge bases, software distribution, firewalls, IDS | PKI, antivirus, anti-malware, packet analyzers, IDS agents, honeypots, tarpits, browser protection, sandboxing | remote configuration and control solutions, virtualization and cloud apps
• Incident response: TVRA, business continuity management (BCM) and IT service continuity management (ITSCM), vendor advisories, industry advisories | vendor advisories, industry advisories | memory inspection tools, network analyzers, log analyzers, reverse engineering, malware analysis, security information and event management (SIEM) | app and data inspection tools, backup and restore, vendor recovery tool sets, vendor forensics tools | cloud recovery tools
• Monitoring and alerting: central log management, alerting systems, management dashboards, network operations centers | vendor tools | system logs, monitoring agents, reporting agents | monitoring tools | traffic monitoring, network analyzers, cloud logging
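The service tables above name the "device management", "malware and attack protection" and "monitoring and alerting" capabilities, but not how an inventory feed from the device management system is turned into findings that those capabilities act on. The following Python example is added here and is not code from the slides or from the ISACA publications; the inventory records, field names, version thresholds and blocked-app names are constructed, and real MDM exports (Intune, Jamf, etc.) use other schemas. It applies a stricter profile to standardized (corporate-owned) devices and a narrower one to BYOD devices, which is the "agreed extent (standardized/BYOD/combined)" of the behaviour table on slide 61, and it treats a jailbroken or rooted device as an incident-response trigger rather than a plain compliance gap.

```python
"""Compliance findings over a mobile device inventory export.

Added example, not ISACA or slide-deck code. The schema, thresholds and
app names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Reference date for the constructed sample; a real run would use date.today().
TODAY = date(2025, 5, 5)

# Minimum accepted OS versions per platform (hypothetical values).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"ios": (17, 0), "android": (14,)}

# Apps blocked on standardized devices (hypothetical names).
BLOCKED_APPS = {"unapproved-cloud-sync", "third-party-keyboard"}


@dataclass(frozen=True)
class Policy:
    """The 'agreed extent' of control for one ownership model."""
    name: str
    max_checkin_age_days: int   # how long a device may stay silent before it is flagged
    check_app_inventory: bool   # False for BYOD: private app use is out of scope


POLICIES = {
    "standardized": Policy("standardized", max_checkin_age_days=7, check_app_inventory=True),
    "byod": Policy("byod", max_checkin_age_days=30, check_app_inventory=False),
}

# Constructed MDM inventory export (hypothetical schema).
SAMPLE_INVENTORY = [
    {"id": "D-001", "ownership": "standardized", "os": "ios", "os_version": "17.4",
     "encrypted": True, "passcode": True, "jailbroken": False,
     "mdm_checkin": "2025-05-01", "apps": ["mail", "vpn"]},
    {"id": "D-002", "ownership": "byod", "os": "android", "os_version": "13.0",
     "encrypted": True, "passcode": True, "jailbroken": True,
     "mdm_checkin": "2025-04-20", "apps": ["unapproved-cloud-sync"]},
    {"id": "D-003", "ownership": "standardized", "os": "android", "os_version": "14.0",
     "encrypted": False, "passcode": True, "jailbroken": False,
     "mdm_checkin": "2025-04-15", "apps": ["unapproved-cloud-sync", "mail"]},
]

Finding = Tuple[str, str]  # (severity, message)


def parse_version(text: str) -> Tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1); a non-numeric component counts as 0 instead of raising."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_at_least(version: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare after zero-padding, so that '17' is not treated as lower than '17.0'."""
    n = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) >= pad(minimum)


def evaluate_device(rec: dict, today: date = TODAY) -> List[Finding]:
    """Return findings for one record, ordered from device integrity to app inventory."""
    policy = POLICIES[rec["ownership"]]
    findings: List[Finding] = []
    # Device structure / OS: a jailbroken or rooted device defeats every other control,
    # so this is the incident-response trigger, not just a compliance gap.
    if rec["jailbroken"]:
        findings.append(("critical", "jailbroken/rooted: isolate and wipe managed data"))
    if not rec["encrypted"]:
        findings.append(("high", "storage not encrypted"))
    if not rec["passcode"]:
        findings.append(("high", "no screen lock / passcode"))
    minimum = MIN_OS_VERSION.get(rec["os"])
    if minimum is None:
        findings.append(("high", f"unsupported platform {rec['os']!r}"))
    elif not version_at_least(parse_version(rec["os_version"]), minimum):
        wanted = ".".join(str(x) for x in minimum)
        findings.append(("medium", f"OS {rec['os_version']} below minimum {wanted}"))
    # Device management: a device that stopped reporting can neither be monitored nor wiped.
    age = (today - date.fromisoformat(rec["mdm_checkin"])).days
    if age > policy.max_checkin_age_days:
        findings.append(("medium",
                         f"no MDM check-in for {age} days (limit {policy.max_checkin_age_days})"))
    # Device applications: only inspected where the ownership model allows it.
    if policy.check_app_inventory:
        for app in sorted(set(rec["apps"]) & BLOCKED_APPS):
            findings.append(("medium", f"blocked app installed: {app}"))
    return findings


def evaluate_inventory(records: List[dict], today: date = TODAY) -> Dict[str, List[Finding]]:
    """Monitoring and alerting input: device id -> findings (empty list means compliant)."""
    return {r["id"]: evaluate_device(r, today) for r in records}


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a device's findings to one alert level for a dashboard or ticket."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    return max((sev for sev, _ in findings), key=rank.__getitem__, default="none")


if __name__ == "__main__":
    for dev_id, found in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(dev_id, worst_severity(found), found)
```

On the constructed sample, D-001 is compliant, the BYOD device D-002 is escalated to "critical" for the jailbreak and gets an OS finding but no app finding (private use is out of scope), and D-003 is flagged for missing encryption, a stale check-in and a blocked app. The ordering of checks matters in practice: a rooted device's own reports about encryption or installed apps cannot be trusted, so the integrity finding is the one that should drive the response.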
72. IT (security) example (mobile device security)
IT processes
• 129 IT process goals
• 207 IT practices
• 1108 IT activities
• 266 IT performance metrics
• 26 IT and business roles in IT
Business and IT
• 17 enterprise goals
• 17 IT-related goals
• 59 IT-related goal metrics
Security processes
• 79 security process goals
• 188 security practices
• 378 security activities
• 154 security performance metrics
73-75. Security example (mobile device security), for the IT process Manage Operations (DSS01): figures, Copyright ISACA.
76-77. Security example (mobile device security), for the IT process Manage Operations (DSS01): security processes that are added to the IT processes (figures, Copyright ISACA).
78. IT processes and the corresponding mobile device security management process (security example, mobile devices; Copyright ISACA)
• EDM01 Ensure governance framework setting and maintenance: reflect governance in the mobile device use policy; maintain the policy in line with the general process
• EDM02 Ensure benefits delivery: mobile device value optimization process
• EDM03 Ensure risk optimisation: mobile device security risk management process
• APO03 Manage enterprise architecture: subsidiary process for mobile devices that substantiates security solutions as part of the overall architecture
• APO04 Manage innovation: subsidiary mobile device (security) innovation process
• APO05 Manage portfolio: subsidiary process for mobile devices to identify and obtain funds for security management
• APO06 Manage budget and costs: subsidiary mobile device security budgeting process
• APO09 Manage service agreements: subsidiary process for mobile device service level agreements (SLAs) and operating level agreements (OLAs)
• BAI06 Manage changes: subsidiary processes for mobile device change management and emergency changes
• DSS04 Manage continuity: subsidiary process for mobile device service continuity management; autonomous process (subsidiary to business continuity/disaster recovery) for mobile device business recovery
• DSS03 Manage problems: subsidiary processes for mobile device security problems and known errors
• MEA03 Monitor, evaluate and assess compliance with external requirements: subsidiary process for identifying and interpreting external compliance requirements for mobile devices
79. Security example (mobile device security): Information
• Goals and performance metrics
• Life cycle
• Good practices
• Responsibilities
• Constraints
• Content
80. Security example (mobile device security): Information
• Strategy
• Budget
• Plan
• Directives
• Requirements
• Awareness
• Review reports
• Dashboard
81. Information: types of information on mobile devices (security example, mobile devices)
• Replicated emails, contacts, calendars and notes
• Music, movies and other content that users have acquired
• Mobile banking and micropayments
• Airline ticketing and electronic boarding cards (similar for railways)
• Vendor app stores and related transactions
• Social networking and cloud services
• Geolocation data
• Device coupling with other devices (vehicles, buildings, public networks, etc.) and semi-permanent "partnership" data
• Voice, video and data connection information (semi-permanent)
• Original data created by the mobile device (pictures, videos, waypoints, etc.)
• Chat and file transfer information, for example notes taken from popular Internet telephony software
• Information stored by telecommunications providers as mandated by law, for example connection date and time stamps
82. COBIT 5 Online
COBIT 5 Online is a multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version is to provide easy access to online versions of the COBIT 5 publications. While retaining all of the stylistic conventions of the print editions, the online editions greatly simplify navigating, searching and exporting the principles, practices, analytical tools and models that make COBIT 5 an essential resource for the governance and management of enterprise IT. The online service includes features such as:
• Access to publications in the COBIT 5 product family
• Access to other, non-COBIT ISACA content and current, relevant GEIT material
• Ability to customize COBIT to fit the needs of your enterprise, with access for multiple users
• Access to tools: goals planner, RACI planner, self-assessment, ...
83. Annex: COBIT 5, other publications
84. COBIT 5 Deliverables: A Business Framework for the Governance and Management of Enterprise IT (94 pages)
• Executive summary
• Overview of COBIT 5
• Principle 1: Meeting stakeholder needs
• Principle 2: Covering the enterprise end-to-end
• Principle 3: Applying a single integrated framework
• Principle 4: Enabling a holistic approach
• Principle 5: Separating governance from management
• Implementation guidance
• The COBIT 5 process capability model
• Appendices
85. COBIT 5 Deliverables: A Business Framework for the Governance and Management of Enterprise IT (continued)
• Appendix A: References
• Appendix B: Detailed mapping of the 17 enterprise goals to the 17 IT-related goals
• Appendix C: Detailed mapping of the 17 IT-related goals to the 37 IT-related processes
• Appendix D: 22 stakeholder needs and 17 enterprise goals
• Appendix E: Mapping of COBIT 5 with the most relevant related standards and frameworks (ISO/IEC 38500, ITIL V3 2011, ISO/IEC 20000, ISO/IEC 27000 series, ISO 31000 series, TOGAF, CMMI, PRINCE2)
• Appendix F: Comparison between the COBIT 5 information reference model and the COBIT 4.1 information criteria
• Appendix G: Detailed description of the COBIT 5 enablers
• Appendix H: Glossary
Appendix G, detailed description of the COBIT 5 enablers, covers:
• Introduction
• COBIT 5 enabler: Principles, Policies and Frameworks
• COBIT 5 enabler: Processes
• COBIT 5 enabler: Organisational Structures
• COBIT 5 enabler: Culture, Ethics and Behaviour
• COBIT 5 enabler: Information
• COBIT 5 enabler: Services, Infrastructure and Applications
• COBIT 5 enabler: People, Skills and Competencies
86. COBIT 5 Deliverables: Enabling Processes (230 pages)
• Introduction
• The goals cascade and metrics for enterprise goals and IT-related goals
  – COBIT 5 goals cascade: stakeholder drivers, stakeholder needs, enterprise goals, IT goals, enabler goals
  – Using the COBIT 5 goals cascade
  – Metrics: enterprise, IT
• The COBIT 5 process model
  – Enabler performance management
• The COBIT 5 process reference model
  – Governance and management processes (5 governance processes and 32 management processes)
  – Reference model
• COBIT 5 process reference guide contents
  – Generic guidance for processes:
  • EDM: Evaluate, Direct and Monitor
  • APO: Align, Plan and Organise
  • BAI: Build, Acquire and Implement
  • DSS: Deliver, Service and Support
  • MEA: Monitor, Evaluate and Assess
• Appendix A: Mapping between COBIT 5 and legacy ISACA frameworks (COBIT 4.1, Val IT 2.0, Risk IT management practices)
• Appendix B: Detailed mapping of the 17 enterprise goals to the 17 IT-related goals
• Appendix C: Detailed mapping of the 17 IT-related goals to the 37 IT-related processes
In figures: 17 enterprise goals, 17 IT-related goals, 59 IT-related goal metrics
• 129 IT process goals
• 266 IT process goal metrics
• 207 IT practices
• 26 business and IT roles in IT practices
• 1108 IT activities
87. COBIT 5 Deliverables: Enabling Processes (content per process)
• Process identification: label, name, area, domain
• Process description
• Process purpose statement
• IT goals and metrics supported
  • 17 IT goals, 59 IT-related goal metrics
• Process goals and metrics
  • Governance: 15 IT process goals and 37 IT process goal metrics
  • Management: 114 IT process goals and 229 IT process goal metrics
• RACI chart
  • 26 business and IT roles concerned with the 207 IT practices
• Detailed description of the process practices
  • Description, inputs and outputs with origin/destination, activities
  • Governance: 12 IT governance practices and 79 IT governance activities
  • Management: 195 IT management practices and 1029 IT management activities
• Related guidance
88. COBIT 5 Deliverables: Information Security (220 pages)
• Executive summary: introduction, drivers, benefits, target audience, conventions
• Information security
  • Information security defined
  • COBIT 5 principles
• Using COBIT 5 enablers for implementing information security in practice
  • Introduction
  • Enabler: Principles, Policies and Frameworks
  • Enabler: Processes
  • Enabler: Organizational Structures
  • Enabler: Culture, Ethics and Behaviour
  • Enabler: Information
  • Enabler: Services, Infrastructure and Applications
  • Enabler: People, Skills and Competencies
• Adapting COBIT 5 for Information Security to the enterprise environment
  • Introduction
  • Implementing information security initiatives
  • Using COBIT 5 to connect to other frameworks, models, good practices and standards
• Appendices A to G: detailed guidance for each of the 7 categories of enablers
• Appendix H: Detailed mappings
• Acronyms, glossary
89. COBIT 5 Deliverables: Information Security (appendices)
• Appendix A, detailed guidance: Principles, Policies and Frameworks
  • 3 high-level security principles with 12 elements: objective and description
  • 13 types of policies: scope, validity, goals (5 driven by the security function, 8 driven by other functions)
• Appendix B, detailed guidance: Processes (see next slide)
• Appendix C, detailed guidance: Organizational Structures
  • 5 types of security-related organizational structures: composition, mandate, operating principles, span of control, authority level, delegation rights, escalation path, RACI chart, inputs/outputs
• Appendix D, detailed guidance: Culture, Ethics and Behaviour
  • 8 types of security-related expected behaviours
• Appendix E, detailed guidance: Information
  • 34 types of security-related information stakeholders
  • 10 types of security-related information: goals, life cycle, good practice
• Appendix F, detailed guidance: Services, Infrastructure and Applications
  • 10 types of security services: 27 security-related service capabilities (supporting technology, benefit, quality goal, metric)
• Appendix G, detailed guidance: People, Skills and Competencies
  • 7 types of security skill and competency sets: description, experience, education, qualifications, knowledge, technical skills, behavioural skills, related role structure
• Appendix H, detailed mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)
90. COBIT 5 Deliverables: Information Security, Processes enabler
• Process identification: label, name, area, domain
• Process description
• Process purpose statement
• Security-specific process goals and metrics
  • Governance: 8 security process goals and 17 related metrics
  • Management: 71 security process goals and 137 related metrics
• Security-specific process practices, inputs/outputs and activities
  • Description of the governance/management practice; security-specific inputs and outputs (in addition to the COBIT 5 inputs and outputs) with origin/destination; security-specific activities in addition to the COBIT 5 activities
  • Governance: 12 security governance practices and 31 security governance activities
  • Management: 176 security management practices and 347 security management activities
• Related guidance
91. COBIT 5 Deliverables: Risk (244 pages)
• Executive summary: introduction, terminology, drivers, benefits, target audience, overview and guidance on the use of the publication, prerequisite knowledge
• Risk and risk management
  • The governance objective: value creation
  • Risk: risk categories, risk duality, interrelationship between inherent, current and residual risk
  • Scope of the publication (two perspectives on risk: risk function and risk management perspectives)
• Applying the COBIT 5 principles to managing risk
• The risk function perspective
  • Introduction to enablers
  • The 7 enablers
• The risk management perspective and using COBIT 5 enablers
  • Core risk processes
  • Risk scenarios
  • Generic risk scenarios
  • Risk aggregation
  • Risk response
• How this publication aligns with other standards
  • ISO 31000, ISO/IEC 27005:2011, COSO ERM
• Appendix A: Glossary
• Appendix B: Detailed risk governance and management enablers
• Appendix C: Core risk management processes
• Appendix D: Using COBIT 5 enablers to mitigate IT risk scenarios (20 scenarios)
• Appendix E: Comparison of Risk IT with COBIT 5
• Appendix F: Comprehensive risk scenario template
92. COBIT 5 Deliverables: Risk (appendices)
• Appendix A, detailed guidance: Principles, Policies and Frameworks
  • 7 high-level risk principles: principle and explanation
  • 18 types of risk policies: scope, validity, management commitment and accountability, risk governance, risk management framework
• Appendix B, detailed guidance: Processes (see next slide)
  • 12 key risk function supporting processes
  • 2 key risk management supporting processes
• Appendix C, detailed guidance: Organizational Structures
  • 5 key risk-related organizational structures: composition, mandate, operating principles, span of control, authority level, delegation rights, escalation path, RACI chart, inputs/outputs
  • 17 other structures relevant to risk: description, role in the risk process
• Appendix D, detailed guidance: Culture, Ethics and Behavior
  • 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior
• Appendix E, detailed guidance: Information
  • 13 types of risk-related information items: stakeholders, stakes, goals, life cycle, good practices, links to other enablers
• Appendix F, detailed guidance: Services, Infrastructure and Applications
  • 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)
  • 3 types of risk infrastructure (description), 5 types of risk applications (description)
• Appendix G, detailed guidance: People, Skills and Competencies
  • 11 types of risk skill and competency sets (description) and 2 risk roles (description, experience, education, qualifications, knowledge, technical skills, behavioral skills, related role structure)
93. COBIT 5 Deliverables: Risk, Processes enabler
• Process identification: label, name, area, domain
• Process description
• Process purpose statement
• Risk-specific process goals and metrics
  • Risk function
    • Governance: 5 risk process goals and 12 related metrics
    • Management: 14 risk process goals and 24 related metrics
• Risk-specific process practices, inputs/outputs and activities
  • Description of the governance/management practice; risk-specific inputs and outputs (in addition to the COBIT 5 inputs and outputs) with origin/destination; risk-specific activities in addition to the COBIT 5 activities
  • Risk function
    • Governance: 9 risk governance practices and 28 risk governance activities
    • Management: 50 risk management practices and 80 risk management activities
  • Risk management
    • Governance: 2 risk governance practices and 12 risk governance activities (69 actions)
    • Management: 6 risk management practices and 26 risk management activities (103 actions)
94. COBIT 5 Deliverables: Assurance (318 pages)
• Executive summary: introduction and objectives, drivers, benefits, target audience, document overview and guidance on its use, prerequisite knowledge
• Assurance
  • Assurance defined: three-party relationship, subject matter, suitable criteria, execution, conclusion
  • Scope of the publication: two perspectives, assurance function and assurance
  • Principles of providing assurance (engagement types)
• Assurance function perspective: using COBIT 5 enablers for governing and managing an assurance function
  • Introduction to enablers
  • The 7 enablers
• Assessment perspective: providing assurance over a subject matter
  • Core assurance processes
  • Introduction and overview of the assessment approach
  • Determine the scope of the assurance initiative (phase A): 3 aspects to take into account (stakeholders, goals, 7 enablers), 14 steps, an example
  • Understand the enablers, set suitable assessment criteria and perform the assessment (phase B): achievement of goals (2 steps), 7 enablers (37 steps)
  • Generic approach for communicating on an assurance initiative (phase C): 2 aspects (document and communicate) and 5 steps
• How this publication relates to other standards
  • ITAF, 2nd edition; International Professional Practices Framework (IPPF) for Internal Auditing Standards 2013; Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
• Appendix A: Glossary
• Appendix B: Detailed enablers for assurance governance and management
• Appendix C: Core assurance processes
• Appendix D: Example audit/assurance programmes (3 examples: change management, risk management, BYOD)
95. COBIT 5 Deliverables: Assurance (appendices)
• Appendix A, detailed guidance: Principles, Policies and Frameworks
  • 4 areas, covered by ITAF, 2nd edition (18 sections of ITAF)
• Appendix B, detailed guidance: Processes (see next slide)
  • 11 key processes supporting assurance provisioning
  • 3 key core assurance processes
• Appendix C, detailed guidance: Organizational Structures
  • 4 key assurance-related organizational structures: composition, mandate, operating principles, span of control, authority level, delegation rights, escalation path, RACI chart, inputs/outputs
  • 12 other structures relevant to assurance: description, stake in assurance provisioning
• Appendix D, detailed guidance: Culture, Ethics and Behavior
  • 5 types of enterprise-wide behavior, 8 types of assurance professional behavior, 10 types of management behavior: behavior, key objective/suitable criteria/outcome, communication/enforcement actions, incentives and rewards actions, awareness-raising actions
• Appendix E, detailed guidance: Information
  • 18 types of information items supporting assurance: stakeholders, stakes, goals, life cycle, good practices, links to other enablers
  • 5 types of additional information items as input: description
• Appendix F, detailed guidance: Services, Infrastructure and Applications
  • 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
  • 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)
• Appendix G, detailed guidance: People, Skills and Competencies
  • 16 types of assurance skill and competency sets: description, experience, education, qualifications, knowledge, technical skills, behavioral skills
96. COBIT 5 Deliverables: Assurance, Processes enabler
• Process identification: label, name, area, domain
• Process description
• Process purpose statement
• Assurance-specific process goals and metrics
  • Processes supporting assurance provisioning
    • Governance: 8 assurance process goals and 11 related metrics
    • Management: 11 assurance process goals and 19 related metrics
  • Core assurance processes
    • Management: 11 assurance process goals and 17 related metrics
• Assurance-specific process practices, inputs/outputs and activities
  • Description of the governance/management practice; assurance-specific inputs and outputs (in addition to the COBIT 5 inputs and outputs) with origin/destination; assurance-specific activities in addition to the COBIT 5 activities
  • Processes supporting assurance provisioning
    • Governance: 9 assurance governance practices and 28 assurance governance activities
    • Management: 50 assurance management practices and 80 assurance management activities
  • Core assurance processes
    • Management: 17 core assurance practices and 88 core assurance activities (124 actions)
97. COBIT 5 Deliverables: Implementation (78 pages)
• Introduction
• Positioning GEIT
• Taking the first steps towards GEIT
• Identifying implementation challenges and success factors
• Enabling change
• Implementation life cycle tasks, roles and responsibilities
• Using the COBIT 5 components
• Appendix A: Mapping pain points to COBIT 5 processes
• Appendix B: Example decision matrix
• Appendix C: Mapping example risk scenarios to COBIT 5 processes
• Appendix D: Example business case
• Appendix E: COBIT 4.1 maturity attribute table
