COBIT vs. ISO 17799 (27002)

1
COBIT vs. ISO 17799 (27002)

• Erica Elliott
• Stephanie Park

2
Questions For IT Managers

• How far should we go and is the cost justified by
  the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our
  objectives?
• What do others do?
• How do we measure and compare?

3
The History of ISO 17799

• The standard was published in 2000 in its first
  edition, which was updated in June 2005. It can
  be classified as current best practice in the
  subject area of information security management
  systems.
• It provides information to responsible parties
  for implementing information security within an
  organization.
• It can be seen as a basis for developing security
  standards and management practices within an
  organization to improve reliability on
  information security in inter-organizational
  relationships.

4
What is ISO 17799?

• As mentioned, the standard simply offers
  guidelines it does not contain in-depth
  information on how information security should be
  implemented and maintained.
• Suggests that nothing be implemented until after
  an in-depth risk assessment of the current
  controls.
• It is important to understand that the controls
  mentioned in the standard are not organized or
  prioritized according to any specific criteria.
  Each control should be given equal importance and
  should consider the systems and projects
  requirement specification and design stage.
  Failure to do this will result in less
  cost-effective measures or even failure in
  achieving adequate security.
• ISO 17799 warns that no set of controls will
  achieve complete security. It encourages
  additional intervention from management to
  monitor, evaluate and improve the effectiveness
  of security controls to support the business
  objectives of the organization.

5
Under ISO

• Measurements based on legal requirements include
• Protection and nondisclosure of personal data
• Protection of internal information
• Protection of intellectual property rights
• Best practices mentioned are
• Information security policy
• Assignment of responsibility for information
  security
• Problem escalation
• Business continuity management

6
Implementation under ISO

• When implementing a system for information
  security management several critical success
  factors are to be considered
• The security policy, its objectives and
  activities reflect the business objectives.
• The implementation considers cultural aspects of
  the organization.
• Open support from and engagement of senior
  management are required.
• Thorough knowledge of security requirements, risk
  assessment and risk management is required.
• Effective marketing of security targets all
  personnel, including members of management.
• The security policy and security measures are
  communicated to contracted third parties.
• Users are trained in an adequate manner.
• A comprehensive and balanced system for
  performance measurement is available, which
  supports continuous improvement by giving
  feedback.

7
Structure of ISO 17799

• The standard contains 11 security control
  clauses, collectively containing a total of 39
  main security categories.
• First, each main security category has a control
  objective. This states what the control is to
  achieve. Second, each has one or more controls
  that can be applied to achieve the controls
  objective.
• a. Security Policy (1)
• b. Organizing Information Security (2)
• c. Asset Management (2)
• d. Human Resources Security (3)
• e. Physical and Environment Security (2)
• f. Communications and Operations Management (10)
• g. Access Control (7)
• h. Information Systems Acquisition, Development
  and Maintenance (6)
• i. Information Security Incident Management (2)
• j . Business Continuity Management (1)
• k. Compliance (3)

8
COBIT

• The main theme Business orientation.
• It is designed to be employed not only by users
  and auditors, but also, as a comprehensive
  guidance for management and business process
  owners.
• The overall objective to understand the issues
  and strategic importance of IT so the enterprise
  can sustain its operations and implement the
  strategies required to extend its activities into
  the future.

9
Governance under COBIT

• IT governance aims to ensure that expectations
  for IT are met and IT risks are mitigated.
• It is the responsibility of the board of
  directors and executive management.
• It consists of the leadership and organizational
  structures and processes that ensure that the
  organizations IT sustains and extends the
  organizations strategies and objectives.
• At the heart of the governance responsibilities
  of setting strategy, managing risks, delivering
  value and measuring performance are the
  stakeholder values.

10
Governance under COBIT (Cont)

• The purpose of IT governance is to direct IT
  endeavors, to ensure that IT meets the following
  objectives
• Alignment of IT with the enterprise and
  realization of the promised benefits
• Use of IT to enable the enterprise and
  realization of the promised benefit
• IT governance enables the enterprise to take full
  advantage of its information, thereby maximizing
  benefits, capitalizing on opportunities and
  gaining competitive advantage.

11
COBIT Framework

• The framework starts from a simple and pragmatic
  premise To provide the information that the
  organization needs to achieve its objectives, IT
  resources need to be managed by a set of
  naturally grouped processes.
• The grouped processes are
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor

12
COBIT Guidelines

• Action-oriented and generic.
• Provide management direction for getting the
  enterprises information and related processes
  under control, monitoring achievement of
  organizational goals, monitoring performance
  within each IT process, and benchmarking
  organizational achievement.

13
Maturity Models in COBIT

• Management can map where the organization is
  today, where it stands in relation to the best in
  class in its industry and to international
  standards, and where the organization wants to
  be.
• Critical success factors (CSFs) define the most
  important management-oriented implementation
  guidelines to achieve control over and within its
  IT processes.

14
Similarities

• As COBIT is an internationally recognized
  standard for control of governance of IT and ISO
  17799 is equally recognized and established in
  the field of information security management,
  these two standards do not compete against each
  other, in fact they are mutually complementary.
  COBIT by its nature is broader and ISO/IEC 17799
  tends to be deeper in the area of security.

15
(No Transcript)
16
Differences

• ISO 17799 provides security controls. It does not
  provide implementation guidance and does not
  specifically address how these processes fit into
  the overall IT management processes.
• COBIT is focused on controls and metrics. It also
  lacks a security component but provides a more
  global view of IT processes at the IT
  organization management principles than ITIL.

17
Main goal of ISO 17799

• ISO 17799 aims to improve the practices and
  organizations around information security. It
  defines a global approach to security management
  that touches the responsibilities and
  organizations responsible for security as well as
  the policies, critical asset classification, and
  risk management. It is best used when security
  certification and overall definition of all
  security processes logical and physical is
  needed and basic rules for security defined.

18
Main Goal of COBIT

• COBIT compiles an up-to-date international set of
  generally accepted control objectives for
  day-to-day use by business managers and IT
  managers. It addresses IT governance and the key
  performance indicators associated with process
  improvement. COBIT has clearly been influenced by
  problems raised by the insurance industry.
  Mergers and acquisitions, unification of
  processes, outsourcing and audits are main
  chapters of the COBIT framework.

19
Managerial Recommendations

• As previously stated COBIT and ISO 17799 do not
  compete against each other, in fact they are
  mutually complementary
• Therefore, we recommend that management use COBIT
  and ISO 17799 together to provide a more global
  view of IT processes while increasing security
  controls

20
References

• http//www.isaca.org/Template.cfm?SectionHomeTem
  plate/ContentManagement/ContentDisplay.cfmConten
  tID26409
• http//rickyboeykens.spaces.live.com/blog/cns!7EE4
  0084F422EFB2!142.entry
• http//17799-news.the-hamster.com/issue10-news11.h
  tm
• http//www.17799.com/papers/iso17799scope.pdf
• http//www.isaca.org/Content/ContentGroups/Researc
  h1/Deliverables/AligningCOBIT,ITIL.pdf