The document discusses cybersecurity risk management and the Framework for Improving Critical Infrastructure Cybersecurity. It explains that cybersecurity means managing risk by balancing business needs against asset protection, that an organization must determine its critical assets and prioritize their protection using a layered security approach, and that the Framework provides functions and categories for managing cybersecurity risk and aligning those efforts with business strategy through the application of technology, policies, training, and oversight.
Book discussion: Securing an IT Organization through Governance, Risk Management, and Audit
4. Part I: Cybersecurity Risk Management and the Framework for Improving Critical Infrastructure Cybersecurity
Anisa Fatakh Sabila
5. • Cyber security is about managing risk. Risk governance and management are about informed decision making. Therefore, the cyber security equation has two components: business enablement and asset protection.
6. • First, cyber security efforts must be aligned to fit the enterprise GRC framework by delivering on business strategy. Cyber risk is a critical business risk and thus an important element of that framework.
• Second, information is a key enterprise asset and must be protected based on its criticality, integrity and availability needs. Cyber security must be considered within the larger scope of enterprise GRC, because the ability to move information in today's economy is vital to success.
7. • Determine which assets the enterprise needs to protect and place a priority on them.
• Cybersecurity should follow a layered approach, with additional protections for the most important assets, such as corporate and customer data. Remember that reputational harm from a breach can do more damage than the breach itself.
8. • "Cybersecurity Risk Management" means technologies, practices, and policies that address threats or vulnerabilities in networks, computers, programs and data, flowing from or enabled by connection to digital infrastructure, information systems, or industrial control systems, including but not limited to information security, supply chain assurance, information assurance, and hardware and software assurance.
9. Cyber security, therefore, requires several levels of effort involving:
• Application of technology
• Management oversight
• Legal and regulatory awareness
• Employee training
• Adoption and implementation of policies and procedures governing the information technology environment
10. • Recognizing that cyber security is no longer only an IT issue, leadership should ensure that the enterprise develops a cyber security/risk framework.
11. • To manage cybersecurity risks, a clear understanding of the organization's business drivers and of the security considerations specific to its use of technology is required. Because each organization's risks, priorities, and systems are unique, the tools and methods used to achieve the outcomes described by the Framework will vary.
19. NIST CSF STEPS 4 AND 5: Conduct a risk assessment and create a target profile
Where do we want to be?
COBIT 5 references for these steps:
• COBIT 5 for Risk
• COBIT 5 Process Assessment Model (PAM)
• COBIT 5 Assessor's Guide
• COBIT 5 process APO12, Manage Risk
20. The target profile is similar to the current profile template and should include the following information:
• Applicable function
• Applicable category
• Applicable subcategory
• COBIT 5 reference to identify practices required to meet the goals of the subcategory
• Achievement rating (e.g., not achieved, partially achieved, largely achieved, fully achieved) based on existing procedures
• Practices, policies and procedures identified in the risk assessment
• Description of how the achievement rating was determined
• Actions required to achieve the target state goals
• Resources required
21. NIST CSF STEP 6: Determine, analyze and prioritize gaps
What needs to be done?
COBIT 5 reference: COBIT 5: Enabling Processes
22. An action plan should include the following:
• Identification
• Priority
• Assumptions and constraints
• Rationale
• Specific actions
• Resources
• Schedule/milestones
• Status
• Prerequisites/dependencies
• Action assignee
• Stakeholder roles
23. NIST CSF STEP 7: Implement action plan
How do we get there?
COBIT 5 reference: COBIT 5 Implementation Guide
24. COBIT 5 Implementation Guide:
• Test the approach by making small improvements initially and provide some quick wins
• Involve all stakeholders
• Improve processes before attempting to apply automation
• Set clear, measurable goals and produce scorecards showing how performance is being measured
• Communicate in business impact terms
25. NIST CSF STEP 8: CSF action plan review
Did we get there?
The enterprise assesses the activities from the implementation step to ensure that improvements achieve the anticipated goals and risk management objectives. The enterprise documents the lessons learned and identifies any specific ongoing monitoring needs.
26. NIST CSF STEP 9: CSF lifecycle management
• Initiate
• Identify further governance or management requirements
• Support continual improvement
29. 10 Tips for Adopting NIST Using COBIT 5
• Know the stakeholders
• Understand why
• Leverage industry available frameworks
• Get top management involved
• Instill accountability
34. Decomposition of Framework
Framework Principles: Creation
• Business requirements: quality, cost, delivery
• Information security requirements: confidentiality, integrity, availability
• Effectiveness and efficiency of operations
• Reliability of information
• Compliance with laws and regulations
40. Acquisition and Implementation
• Business system document (finalized draft)
• Design specification document (finalized draft)
• Interface control document (1st draft, living document)
• System deployment document (1st draft, living document)
• Transition management document (1st draft, living document)
• User training documentation (1st draft, living document)
• Computer operator's handbook (1st draft, living document)
41. Delivery and Support
• Business system document
• Design specification document
• Interface control document (finalized draft)
• System deployment document (finalized draft)
• Transition management document
• User training documentation (finalized draft)
• Computer operator's handbook (finalized draft)
43. Monitoring
Preventive maintenance and performance optimization are IT disciplines that are usually mastered by system administrators and database administrators as opposed to developers.
44. Decomposition of COBIT 5 Principles
Purpose of COBIT Control Objectives and Principles
Principle 1: Installing the Integrated IT Architectural Framework
Stakeholder needs are fed through COBIT's seven enablers: (1) processes, (2) principles and policies, (3) organizational structures, (4) skills and competencies, (5) culture and behavior, (6) service capabilities, and (7) information.
45. Principle 2: What Do Stakeholders Value?
Centralized stakeholder needs:
• The catalog of stakeholders' needs should serve as a single point of reference
• One must also take into consideration the culture in many organizations
• This also applies to the various levels of the centralized stakeholders
Outer (governance objectives):
• Benefits realization
• Risk balancing
• Cost optimization
46. Principle 3: The Business Context Focus
• Financial
• Customer related
• Internal (enterprise)
47. Principle 4: Measuring Performance
The measurement of projects throughout their life cycles should be evident in most organizations, and processes for it should also be in place. To this end, there is an important distinction between governance and management: governance in an organization is the pathway.
49. Risk Management
Risk management and security assurance depend on the ability to apply specific, repeatable management practices. Risk management should be proactive for the most part. However, when we consider disaster recovery, an IT discipline that focuses on simulating various events and on the preparedness of the enterprise to handle those risks, it can be argued that risk management is also reactive.
50. Status of IT Systems
An application that ran on the data center infrastructure showed indicator readings on a Graphical User Interface (GUI) reflecting the status of systems. If a system or application was down, it showed a red status on the GUI. The dashboard consisted of several indicator bubbles, each of which represented a system, server, or application.
52. COBIT Management Dashboard
Performance Measurement
1. Performance measurement: What are the indicators of good performance?
2. IT control profiling
a. What is important?
b. What are the critical success factors for control?
3. Awareness: What are the risks of not achieving our objectives?
4. Benchmarking: What do others do? How do we measure and compare?
54. Awareness
COBIT 5 sets out to increase awareness from the governance level of the enterprise, which is composed of several levels of technical stakeholders, and throughout the enterprise.
55. Benchmarking
This is the research component of implementing the framework. It requires the organization to have an in-depth understanding of what is going on in the industry and of how other agencies or companies are accomplishing the same initiatives using the COBIT 5 Framework.
56. What COBIT Sets Out to Accomplish
Adaptability to Existing Frameworks
• ISO/IEC 38500:2008, Corporate Governance of Information Technology
• ITIL 2011
• PRINCE2 2009
• PMBOK
57. Constituency of Governance for Finance
Roles: CIO, CEO, CFO
COBIT 5 distributes the responsibility for the governance of finance to these roles through the Board.
58. Constituency of Governance for IT
The constituency in IT consists of the CIO and the top-management team from the enterprise.
59. Internal Audits
Purpose of Internal Audits
Conceptualization of COBIT 1 through COBIT 5, the framework's maturity
60. Roles That Potentially Use COBIT
• IT auditor
• Business process auditor
• IT inspection team
• Internal system administrator groups
• Managers of system administrators
• Cybersecurity analysts
61. Approaches to Using COBIT in an Internal Audit
Internal auditors following COBIT to conduct their auditing generally approach audits when: formulating control baselines and standards, building or coordinating performance metrics for risk assessments, authoring and maintaining the audit plan, driving the audit, and mitigating risk or relaying advisements and recommendations to the IT manager and IT personnel.
62. Types of Audits That Can Be Facilitated Using COBIT
Some include analyses of requirements baselines and standards processes for IT, application and software development implementations, predevelopment planning, certification reviews, milestone entries and exits, lessons learned, post-implementation reviews, programmer's peer reviews, enterprise operation reviews, or data center reviews.
63. Advantages of Using COBIT in Internal Audits
Conceptualization of COBIT 5, roles, activities, and relationships in an enterprise