Chapter 9
Treating Cyber Risks Using Process Capabilities

Todd Fitzgerald, CISO and ISACA, USA

Tom stared at the center of the diagram he had penciled (see Figure 1.1). His chief risk officer, Nathan, looked across to their chief of information security, Maria, and invited her to explain the word process at the center. Maria obliged, “Process is located at the center of our business model for information security. We understand that cyber risk is an enterprise-wide risk requiring organization-wide solutions. I’ll define these processes for you to clarify how they collectively add clear value to our organization. Interrelationships between process and the people, technology, and other enterprise functions determine the effectiveness and efficiency of our cyber risk management system.”

Cybersecurity Processes Are the Glue That Binds

Maintaining effective cybersecurity processes is too critical to an organization to leave to chance, yet many organizations continue to rely on undocumented processes, tribal knowledge, and paying security professionals to manage routine operational security controls. Cybersecurity processes form the critical piece between those performing the security function and the technology.

Undocumented Processes Result in Tribal Knowledge Dependency

Processes are developed within an organization to include the practices and activities that meet its objectives by producing defined outputs. Some organizations operate with processes that are either ill defined or undocumented, so the activities performed, and the quality of the outputs, vary with the individual performing the process. For example, if employee A scans for vulnerabilities monthly using tool A and patches only the highly critical findings within 7 days, while employee B uses tool B and fixes every finding within 60 days, the two produce very different results for the same estate. It becomes difficult to articulate the organization's risk posture when several approaches are in use, because the posture depends on who happened to do the work. Documenting the process would also expose that tools A and B are both in use and raise the question, "Why are we paying for two tools, two sets of training, and two integrations to perform the same function?" The divergent results produced by multiple processes create divergent outcomes and increase risk.

Undocumented cybersecurity processes create an efficiency and effectiveness problem: (1) it is assumed that everyone is doing the same thing each time, (2) the processes cannot be improved uniformly, (3) time is wasted communicating processes verbally, (4) junior team members cannot learn from the "best practices" that senior staff carry in their heads, and (5) the wheel is reinvented again and again. The absence of documented cybersecurity processes and of charts depicting who is responsible, accountable, consulted, and informed (RACI charts) leads to processes being missed, to assumptions that processes are being executed when they are not, and to uncertainty about who owns a process and is accountable when it fails.

Having well-defined processes is important for any business process, so why the particular attention on processes with respect to cybersecurity? The answer is simple: even the slightest failure in one of these processes can compromise the confidentiality, integrity, or availability of the systems that support the mission. In the above example (of not having a consistent vulnerability and patch management process), the result could be critical security vulnerabilities remaining on the system that are exploited by external attackers or insiders, or simply through carelessness. Executive leadership may assume that the processes are in place and executed consistently, only to find out that the process was never implemented, the tool was removed, or the individual performing the task was pulled onto another project and no one was informed that the process had stopped. Unnecessary duplication of software tools and training costs also results.
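As an added example (not part of the original chapter), the script below encodes the documented patch SLA as data and evaluates constructed scan findings against it, then applies the two undocumented variants from the vulnerability example (employee A: critical findings only, within 7 days; employee B: everything within 60 days) to the same findings. The finding identifiers, hosts, dates, and SLA figures are assumptions constructed for illustration. The point is that the same findings yield three different risk postures depending on which process was followed, and that only a written SLA makes "overdue" an objective fact rather than an opinion of whoever ran the scan.

```python
"""Added example: a documented remediation SLA evaluated as code.

Constructed data: the findings, dates, and SLA figures below are
illustrative assumptions, not real scan output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The documented process: remediation deadline in days, by severity (assumed figures).
SLA_DOCUMENTED: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Two undocumented variants from the chapter's example (assumed figures).
SLA_EMPLOYEE_A: Dict[str, int] = {"critical": 7}                   # only critical findings handled
SLA_EMPLOYEE_B: Dict[str, int] = {s: 60 for s in SLA_DOCUMENTED}   # everything within 60 days


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means still open


def evaluate(findings: List[Finding], sla: Dict[str, int], today: date) -> dict:
    """Classify each finding against an SLA table.

    overdue    : (id, days past deadline) for findings fixed late or still open past deadline
    within_sla : ids fixed on time, or still open but inside the window
    uncovered  : ids whose severity the SLA says nothing about (no commitment at all)
    """
    report = {"overdue": [], "within_sla": [], "uncovered": []}
    for f in findings:
        days = sla.get(f.severity)
        if days is None:
            report["uncovered"].append(f.id)
            continue
        deadline = f.found + timedelta(days=days)
        closed = f.fixed or today  # an open finding is measured up to today
        if closed > deadline:
            report["overdue"].append((f.id, (closed - deadline).days))
        else:
            report["within_sla"].append(f.id)
    return report


# Constructed sample findings (assumed identifiers and hosts, not real vulnerabilities).
TODAY = date(2016, 6, 30)
FINDINGS = [
    Finding("F-001", "web01", "critical", date(2016, 6, 1)),
    Finding("F-002", "web01", "high", date(2016, 5, 1)),
    Finding("F-003", "db01", "critical", date(2016, 6, 20), fixed=date(2016, 6, 25)),
    Finding("F-004", "db01", "medium", date(2016, 3, 1)),
    Finding("F-005", "app01", "low", date(2016, 1, 1)),
]


def compare_processes(findings: List[Finding] = FINDINGS, today: date = TODAY) -> Dict[str, dict]:
    """Run the same findings through the three process variants."""
    return {
        "documented": evaluate(findings, SLA_DOCUMENTED, today),
        "employee_a": evaluate(findings, SLA_EMPLOYEE_A, today),
        "employee_b": evaluate(findings, SLA_EMPLOYEE_B, today),
    }


if __name__ == "__main__":
    for name, report in compare_processes().items():
        print(f"{name:>10}: overdue={report['overdue']} uncovered={report['uncovered']}")
```

Employee A's process reports a single overdue finding and silently ignores three, employee B's reports two, and the documented SLA reports four. None of the three is "wrong" on its own terms, which is exactly why an undocumented process cannot support a statement about risk posture.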

No Intrinsic Motivation to Document

Information technology professionals generally dislike documenting processes because it takes time away from exploring new technology, building new applications and databases, or resolving a system or end-user issue. Without clear direction and governance that make process development an organizational priority in support of effective and efficient execution of the mission, these processes are unlikely to be created, and it should not be assumed that they exist. Standards and frameworks such as ISO 9000 and the International Standard on Assurance Engagements (ISAE) 3402 require documented processes. For security specifically, ISO/IEC 27001 processes and their artifacts are reviewed by the certification body (registrar) during the certification audit to confirm conformance.

Move Routine Actions to Operations

Information security personnel are more expensive than staff in the computer operations areas that have been optimized for efficiency. They should therefore be used to design the most appropriate processes, with the aim of moving each process into production operations as soon as possible, where it is executed by less expensive resources. In the preceding vulnerability management example, most of the scanning and reporting could be operated by an internal or external security operations center (SOC) or a managed security services provider (MSSP), which runs the process and remediates vulnerabilities according to the risk acceptance level and priorities set by the cybersecurity team that designed the process.

This frees up the cybersecurity professional to focus on other high-value efforts versus spending time managing the “routine” operational work. The cybersecurity team could be focused on the exception reports or those cybersecurity items that need further analysis and other potential technology tools to mitigate effectively.

Leveraging ISACA COBIT 5 Processes

COBIT 5 processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of cybersecurity objectives aligned to enterprise objectives. The processes shown as an appendix to this chapter in Table 9.1, "Cybersecurity Risk and Process Capabilities," are adapted from two professional guides designed to assist in understanding and implementing the COBIT 5 Framework, specifically the ISACA COBIT 5 Implementation (COBIT 5, 2012) and COBIT 5 for Information Security (COBIT, 2012) Professional Guides. The table presents common business scenarios alongside their corresponding risks and the process capabilities that address them.

Table 9.1 Cybersecurity Risk and Process Capabilities

Risk Sources and COBIT 5 Process Capabilities. Each row pairs a risk source (if the scenario is relevant and inherently likely, given these threats) with the COBIT 5 process capabilities to consider for improvement. Note: in the process capabilities column, the text next to each process number is an example from that process to consider; these are not the process names.

Benefit/Value Enablement Risk

IT program selection
Risk sources: Incorrect programs selected for implementation and misaligned with corporate strategy and priorities; duplication among different initiatives; new and important program creates long-term incompatibility with the enterprise architecture.
COBIT 5 process capabilities: Alignment of cybersecurity with IT and business frameworks (APO02); cybersecurity is integrated with architecture (APO03); innovation promoted in cybersecurity (APO04); establish cybersecurity target investments (APO05); cybersecurity requirements in feasibility study (BAI01).

New technologies
Risk sources: Failure to adopt and exploit new technologies (i.e., functionality, optimization) in a timely manner; new and important technology trends not identified; inability to use technology to realize desired outcomes (e.g., failure to make required business model or organizational changes).
COBIT 5 process capabilities: Measure effectiveness, efficiency, and capacity of cybersecurity resources against business need (EDM04); define target state for cybersecurity (APO02); IT and cybersecurity architecture aligned with current technology trends (APO03); scan external environment and identify emerging cybersecurity trends (APO04); create feasible new technology solutions while minimizing risk (BAI02); integrate cybersecurity in new technology design (BAI03).

Technology selection
Risk sources: Incorrect technologies (i.e., cost, performance, features, compatibility) selected for implementation.
COBIT 5 process capabilities: Develop clear information security criteria (APO02); cybersecurity architecture is aligned and evolves with changes (APO03); cybersecurity specifications in line with design (BAI03); security impacts of technology selection (APO13).

IT investment decision making
Risk sources: Business managers or representatives not involved in important IT investment decision making regarding new applications, prioritization, or new technology opportunities.
COBIT 5 process capabilities: Value management direction and/or oversight for cybersecurity (EDM02); business and cybersecurity involvement in IT strategic planning (APO02); cybersecurity investment fit with target enterprise architecture (APO03); cybersecurity investments allocated by risk appetite (APO05); develop cybersecurity budget (APO06); business understanding of how cybersecurity enables/affects it (APO08); program management stage-gating (BAI01).

Accountability over IT
Risk sources: Business not assuming accountability over those IT areas it should, such as functional requirements, development priorities, and assessing opportunities through new technologies.
COBIT 5 process capabilities: Executive management accountability for cybersecurity-related decisions (EDM01-05); business, IT-related, and cybersecurity roles and responsibilities (APO01); clear and approved service agreements including cybersecurity (APO09); supplier relationship and requirements based on risk profile (APO10); visible leadership through executive commitment to cybersecurity (BAI05).

IT project termination
Risk sources: Projects that are failing due to cost, delays, scope creep, or changed business priorities not terminated in a timely manner.
COBIT 5 process capabilities: Cybersecurity roles, reporting, and monitoring established (EDM05); value governance monitoring (EDM02); resource governance monitoring (EDM04); program/project management stage-gating (BAI01); effective portfolio management decision making (APO05); investment monitoring (APO06); cybersecurity monitoring process and procedure (MEA01).

IT project economics
Risk sources: Isolated IT project budget overrun; consistent and important IT project budget overruns; absence of view on portfolio and project economics.
COBIT 5 process capabilities: GEIT policies, organization structures, and roles (EDM01); value governance monitoring (EDM02); resource governance monitoring (EDM04); cybersecurity investment monitoring (APO06); independent project assessment to ensure cybersecurity requirements included (BAI01).

Program/Project Delivery Risk

Architectural agility and flexibility
Risk sources: Complex and inflexible IT architecture obstructing further evolution and expansion.
COBIT 5 process capabilities: Define information security expectations (APO01); governance over resource optimization (EDM04); responsive cybersecurity planning (APO02); maintenance of enterprise architecture aligned with cybersecurity (APO03); cybersecurity innovation is promoted (APO04); portfolio management decision making (APO05); agile development life cycle methods include cybersecurity (BAI02, BAI03); maintaining security in an agile and flexible environment (APO13).

Integration of IT within business processes
Risk sources: Extensive dependency and use of end-user computing and ad hoc solutions for important information needs; separate and nonintegrated IT solutions to support business processes.
COBIT 5 process capabilities: GEIT policies, organization structures, and roles (EDM01); business and IT-related roles and responsibilities (APO01); define cybersecurity strategy and align with IT and business strategies (APO02); align cybersecurity and enterprise architecture (APO03); stakeholders recognize cybersecurity as enabler (APO08); definition and understanding of business requirements and cybersecurity aspects (BAI02); define cybersecurity specifications with high-level design (BAI03); managing organizational changes with regard to cybersecurity (BAI05).

Software implementation
Risk sources: Operational glitches when new software is made operational; users not prepared to use and exploit new application software.
COBIT 5 process capabilities: Monitor security quality metrics (APO11); project management (BAI01); requirements definitions (BAI02); solution development (BAI03); managing organizational changes with regard to software implementation (BAI05); cybersecurity requirements incorporated into infrastructure, process, and application changes (BAI06); ensure cybersecurity acceptance in test plan (BAI07); cybersecurity knowledge support through awareness training (BAI08).

Project delivery
Risk sources: Occasional late IT project delivery by internal development department; routinely important delays in IT project delivery; excessive delays in outsourced IT development project.
COBIT 5 process capabilities: GEIT policies, organization structures, and roles (EDM01); value governance monitoring (EDM02); investment monitoring (APO06); program/project management planning and monitoring (BAI01).

Project quality
Risk sources: Insufficient quality of project deliverables due to software, documentation, or compliance with functional requirements.
COBIT 5 process capabilities: Architecture standards and reuse of cybersecurity components (APO03); consistent and effective quality management activities (APO11); program/project quality management planning and monitoring (BAI01).

Service Delivery/IT Operations Risk

State of infrastructure technology
Risk sources: Obsolete IT technology cannot satisfy new business requirements such as networking, security, and storage.
COBIT 5 process capabilities: Resource management direction and/or oversight (EDM04); identify potential cybersecurity gaps (APO02); align cybersecurity and enterprise architecture (APO03); identifying important cybersecurity trends (APO04); maintaining security infrastructure (BAI03); planning for and addressing capacity and performance issues (BAI04); identify cybersecurity requirements for assets (BAI09).

Ageing of application software
Risk sources: Application software that is old, poorly documented, expensive to maintain, difficult to extend, or not integrated in current architecture.
COBIT 5 process capabilities: Resource management direction and/or oversight (EDM04); define target state for cybersecurity (APO02); maintaining enterprise architecture (APO03); identifying new and important cybersecurity trends (APO04); maintaining applications with cybersecurity (BAI03); identify cybersecurity requirements for assets (BAI09); business process controls (DSS06).

Regulatory compliance
Risk sources: Noncompliance with regulations of accounting or manufacturing.
COBIT 5 process capabilities: GEIT compliance policies and roles (EDM01); policies and guidance on regulatory compliance (APO01); planning for regulatory requirements (APO02); identifying and defining regulatory requirements (BAI02); monitoring compliance requirements and current status (MEA03).

Selection/performance of third-party suppliers
Risk sources: Inadequate support and services delivered by vendors, not in line with SLAs; inadequate performance of outsourcer in large-scale, long-term outsourcing arrangement.
COBIT 5 process capabilities: Effective supplier selection, management, and relationships based on cybersecurity risk (APO10); ensure cybersecurity is part of procurement planning (BAI03).

Infrastructure theft
Risk sources: Theft of laptop with sensitive data; theft of a substantial number of development servers.
COBIT 5 process capabilities: Policies and guidance on protection of assets (APO01); references and background checks on new hires and contractors (APO07); protection of critical assets during maintenance activities (BAI03); physical security measures (DSS05).

Destruction of infrastructure
Risk sources: Destruction of data center due to sabotage or other causes; accidental destruction of individual laptops.
COBIT 5 process capabilities: Environmental protection and facilities management (DSS01); physical security measures (DSS05).

IT staff
Risk sources: Departure or extended unavailability of key IT staff; key development team leaving the enterprise; inability to recruit IT staff.
COBIT 5 process capabilities: Use certification to develop cybersecurity skill set and enable retention (APO07); managing tacit knowledge (BAI08).

IT expertise and skills
Risk sources: Lack or mismatch of IT-related skills within IT due to new technologies or other causes; lack of business understanding by IT staff.
COBIT 5 process capabilities: Definition and development of business and cybersecurity staff competency requirements (APO07); cybersecurity knowledge support through awareness training (BAI08).

Software integrity
Risk sources: Intentional modification of software leading to wrong data or fraudulent actions; unintentional modification of software leading to unexpected results; unintentional configuration and change management errors.
COBIT 5 process capabilities: Definition of cybersecurity control requirements (BAI02); cybersecurity requirements incorporated into infrastructure, process, and application changes (BAI06); ensure cybersecurity is part of acceptance testing (BAI07); establish cybersecurity configuration baselines (BAI10); access controls (DSS05); business process controls (DSS06).

Infrastructure (hardware)
Risk sources: Misconfiguration of hardware components; damage of critical servers in the computer room due to accident or other causes; intentional tampering with hardware such as security devices.
COBIT 5 process capabilities: Protection of critical assets during maintenance activities (BAI03); physical security measures (DSS05); establish cybersecurity configuration baselines (BAI10).

Software performance
Risk sources: Regular software malfunctioning of critical application software; intermittent performance problems with important system software.
COBIT 5 process capabilities: Software development quality assurance (BAI03); planning for and addressing capacity and performance issues (BAI04); root cause analysis and problem resolution (DSS03).

System capacity
Risk sources: Inability of systems to handle transaction volumes when user volumes increase; inability of systems to handle system load when new applications or initiatives are deployed.
COBIT 5 process capabilities: Architecture principles for scalability and agility (APO03); maintaining infrastructure (BAI03); planning for and addressing capacity and performance issues (BAI04).

Ageing of infrastructural software
Risk sources: Use of unsupported versions of operating system software; use of old database system.
COBIT 5 process capabilities: Resource management direction and/or oversight (EDM04); recognizing and strategically addressing current IT capability issues (APO02); maintaining enterprise architecture (APO03); identifying new and important technology trends (APO04); maintaining infrastructure (BAI03); problems relating to business process controls (DSS03).

Malware
Risk sources: Intrusion of malware on critical operational servers; regular infection of laptops with malware.
COBIT 5 process capabilities: Policies and guidance on use of software (APO01); malicious software detection (DSS05).

Logical attacks
Risk sources: Virus attack; unauthorized users trying to break into systems; denial-of-service attack; web site defacing; industrial espionage.
COBIT 5 process capabilities: Policies and guidance on protection and use of IT assets (APO01); security requirements in solutions (BAI03); access controls and security monitoring (DSS05).

Information media
Risk sources: Loss/disclosure of portable media (e.g., CD, universal serial bus [USB] drives, portable disks) containing sensitive data; loss of backup media; accidental disclosure of sensitive information due to failure to follow information handling guidelines.
COBIT 5 process capabilities: Policies and guidance on protection and use of IT assets (APO01); protection of mobile and/or removable storage and media devices (DSS05, DSS06).

Utilities performance
Risk sources: Intermittent utilities (e.g., telecom, electricity) failure; regular, extended utilities failures.
COBIT 5 process capabilities: Relationships/management of key utility suppliers (APO08); environmental protection and facilities management (DSS01).

Industrial action
Risk sources: Inaccessible facilities and building due to labor union strike; unavailable key staff due to industrial action.
COBIT 5 process capabilities: Staff relationships and key individuals (APO07); managing staff knowledge (BAI08).

Data(base) integrity
Risk sources: Intentional modification of data (e.g., accounting, security-related data, sales figures); database (e.g., client or transactions database) corruption.
COBIT 5 process capabilities: Information architecture and data classification (APO03); development standards (BAI03); change management (BAI06); managing data storage (DSS01); access controls (DSS05).

Logical trespassing
Risk sources: Users circumventing logical access rights; users obtaining access to unauthorized information; users stealing sensitive data.
COBIT 5 process capabilities: Policies and guidance on protection and use of IT assets (APO01); access controls and security monitoring (DSS05); contract staff policies (APO07).

Operational IT errors
Risk sources: Operator errors during backup, upgrades of systems, or maintenance of systems; incorrect information input.
COBIT 5 process capabilities: Staff training (APO07); operations procedures (DSS01); business process controls (DSS06).

Contractual compliance
Risk sources: Noncompliance with software license agreements (e.g., use and/or distribution of unlicensed software); contractual obligations as service provider with customers/clients not met.
COBIT 5 process capabilities: Monitoring service agreements (APO09); supplier agreements and relationship monitoring (APO10); software license management (DSS02); contractual compliance requirements and current status monitoring (MEA03).

Environmental
Risk sources: Use of equipment that is not environmentally friendly (e.g., high level of power consumption, packaging).
COBIT 5 process capabilities: Incorporation of environmentally friendly principles in enterprise architecture (APO03); selection of solutions and procurement policies (BAI03); environmental and facilities management (DSS01).

Acts of nature
Risk sources: Earthquake; tsunami; major storm/hurricane; major wildfire.
COBIT 5 process capabilities: Environmental and facilities management (DSS01); physical security (DSS05); manage continuity (DSS04).

Adapted with the kind permission of ISACA 2016.

The risks related to information technology implementations are listed as "risk sources" in the matrix, and a sampling of the COBIT 5 processes that could be used to mitigate each risk is shown as COBIT 5 process capabilities. The COBIT 5 Framework contains processes for the enablement of information technology, much of which applies to cybersecurity practice. The COBIT 5 for Information Security Professional Guide extends the definition of these processes by adding practices and activities specific to cybersecurity.

Components of the Cybersecurity Processes

Each of the cybersecurity processes has a life cycle by which the process is defined, created, monitored, updated, and subsequently retired. New technologies are introduced that may negate the need for a process or significantly alter the process. For example, a cybersecurity policy in the past may have required that sensitive files be placed on a network server and not on the laptop or desktop. A change to the process, by moving to a cloud storage provider with contractual backups or implementing laptops with encryption and backup software, may remove the need to store information on a central network server to ensure the contents are appropriately backed up on a regular schedule.

The cybersecurity process components would include the process description; identification of stakeholders (internal and external), goals, life cycle, and good practices (i.e., process practices, activities, work product inputs and outputs); as well as including metrics for achieving and monitoring the goals and ensuring the stakeholder needs are met.

Cybersecurity Practices and Activities

Enabling processes are built up through increasing levels of detail: from practices, to activities, to detailed activities. Practices are statements of action that deliver benefits at an appropriate level of risk and with an appropriate use of resources to meet the business objectives.

An example of a security-specific practice to support the Manage Security Services process would be Manage Endpoint Security. This practice would ensure that endpoints (laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored, or transmitted. Inputs to the process could include the information security architecture, service-level agreements, physical inventory audits, or reports of violations of security of these devices. These practices are somewhat generic and may be adapted for the needs of each enterprise. The organization also decides, through the governing bodies, which practices would apply, the frequency of the practice execution, how the practice is applied (manual or through automated means), and the acceptance of the risk if the practice is not implemented.

Cybersecurity-specific activities provide guidance to achieve the practices. Activities are, in short, the primary actions taken to operate the process. Each of the practices will have a set of either COBIT 5 activities or cybersecurity-specific activities to achieve the operation of the practice. Continuing the Manage Endpoint Security practice example, some of the cybersecurity activities may be to configure the endpoints in a secure manner, categorize the types of endpoints and the control needs, identify potential entry point targets of the endpoints, analyze the target attractiveness for each endpoint, implement network monitoring on devices, dispose of endpoints securely, and examine the history of attacks and compare against the current endpoint population.
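As an added example that is not part of the chapter or of COBIT 5 itself, the Python below implements one way to check the Manage Endpoint Security requirement stated above: that every endpoint carries controls at least equal to those required for the classification of the information it processes, stores, or transmits, with additional controls driven by the endpoint type (the "categorize the types of endpoints and the control needs" activity). The classification levels, control names, endpoint kinds, and the inventory are assumptions constructed for illustration; a real implementation would read the inventory from the asset register (the BAI09 input) and the required control sets from the approved security architecture, and would be run on the schedule the governing body sets for the practice.

```python
"""Added example: checking endpoints against classification-driven control requirements.

All classification levels, control names, endpoint kinds, and the inventory
below are constructed assumptions for illustration, not an organization's data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordered from least to most sensitive; requirements accumulate upward.
CLASSIFICATION_ORDER = ["public", "internal", "confidential", "restricted"]

# Controls introduced at each classification level (assumed names).
CONTROLS_BY_CLASS: Dict[str, FrozenSet[str]] = {
    "public": frozenset(),
    "internal": frozenset({"edr", "patching_enrolled"}),
    "confidential": frozenset({"mfa", "disk_encryption"}),
    "restricted": frozenset({"usb_storage_blocked", "log_forwarding"}),
}

# Controls tied to the kind of endpoint rather than the data it holds (assumed).
CONTROLS_BY_KIND: Dict[str, FrozenSet[str]] = {
    "laptop": frozenset({"disk_encryption"}),
    "desktop": frozenset(),
    "server": frozenset({"log_forwarding"}),
    "mobile": frozenset({"mdm_enrolled"}),
}


@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str
    data_class: str            # highest classification processed, stored, or transmitted
    controls: FrozenSet[str]   # controls verified present on the device


def required_controls(kind: str, data_class: str) -> FrozenSet[str]:
    """Union of controls for the kind and for every classification level up to data_class.

    Unknown kinds or classifications raise rather than silently requiring nothing,
    so an inventory error cannot make a device look compliant.
    """
    if data_class not in CLASSIFICATION_ORDER:
        raise ValueError(f"unknown classification: {data_class}")
    if kind not in CONTROLS_BY_KIND:
        raise ValueError(f"unknown endpoint kind: {kind}")
    level = CLASSIFICATION_ORDER.index(data_class)
    required = set(CONTROLS_BY_KIND[kind])
    for cls in CLASSIFICATION_ORDER[: level + 1]:
        required |= CONTROLS_BY_CLASS[cls]
    return frozenset(required)


def control_gaps(ep: Endpoint) -> FrozenSet[str]:
    """Required controls the endpoint lacks; empty means it meets or exceeds the bar."""
    return required_controls(ep.kind, ep.data_class) - ep.controls


def assess(inventory: List[Endpoint]) -> Dict[str, List[str]]:
    """Map each non-compliant endpoint name to its sorted list of missing controls."""
    result: Dict[str, List[str]] = {}
    for ep in inventory:
        gaps = control_gaps(ep)
        if gaps:
            result[ep.name] = sorted(gaps)
    return result


# Constructed inventory (assumed names and states).
INVENTORY = [
    Endpoint("lt-042", "laptop", "confidential",
             frozenset({"edr", "patching_enrolled", "mfa", "disk_encryption"})),
    Endpoint("lt-077", "laptop", "restricted",
             frozenset({"edr", "patching_enrolled", "disk_encryption"})),
    Endpoint("srv-db-01", "server", "restricted",
             frozenset({"edr", "patching_enrolled", "mfa", "disk_encryption", "log_forwarding"})),
    Endpoint("kiosk-3", "desktop", "public", frozenset({"edr"})),
]


if __name__ == "__main__":
    for name, missing in assess(INVENTORY).items():
        print(f"{name}: missing {', '.join(missing)}")
```

The output of a run is the exception report the chapter refers to: the endpoints that fall below the bar and exactly which controls are missing, which is the input a cybersecurity analyst needs, while the routine execution can sit with operations.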

These activities would be based on generally accepted and good practices. These provide a sufficient level of detail to achieve the cybersecurity-specific practice, would support definition of clear organizational responsibilities (i.e., RACI charts, governance structures), and support the development of more detailed procedures. Some processes may need to be more detailed than others depending on the criticality of the activity and the experience level of the group performing the task.

Different Types of Cybersecurity Processes Work Together

The processes need the input from other enablers to be effective. For example, processes need information as input and also provide information as output to other processes and enablers. The five domains of processes are (1) evaluate, direct, and monitor (EDM); (2) align, plan, and organize (APO); (3) build, acquire, and implement (BAI); (4) deliver, service, and support (DSS); and (5) monitor, evaluate, and assess (MEA).

Evaluate, Direct, and Monitor (EDM) Domain

The EDM domain of processes provides governance for cybersecurity and focuses on ensuring that appropriate direction is given and that monitoring mechanisms are in place. Processes for governance framework setting and maintenance, benefits delivery, risk optimization, resource optimization, and stakeholder transparency are specified. For example, from Table 9.1, the risk "Obsolete IT technology cannot satisfy new business requirements such as networking, security, and storage" would be addressed through the process capability EDM04, Resource Management Direction and/or Oversight. A judgment is made as to whether the current cybersecurity resources (people, process, or technology) are sufficient to satisfy the needs of the business. A laptop may have had sufficient processing power, memory, and storage in the past when encryption was not required; now that encryption is loaded on the device along with other security controls, the device may no longer be adequate.

Align, Plan, and Organize (APO) Domain

The APO domain of processes contains cybersecurity management processes that are helpful to embed cybersecurity within the IT management framework. They also align the cybersecurity strategy, define the architectural components necessary to support the enterprise architecture, manage the cybersecurity portfolio, set a budget and provision expenses for breaches, manage the training process for cybersecurity professionals, obtain vendor service-level agreements for outsourced services, identify risk and treatment plans, manage cybersecurity innovation with new technologies, and other management practices. Essentially, the APO cybersecurity process capabilities ensure that cybersecurity is appropriately inserted into the processes to support the development of existing and new technology to meet the business objectives.

Build, Acquire, and Implement (BAI) Domain

The BAI domain defines process capabilities to assist in the execution of the cybersecurity program. Such capabilities include processes for defining cybersecurity requirements, selecting cybersecurity solutions, embedding cybersecurity in change management processes, managing normal and emergency changes, managing the collective knowledge of cybersecurity practices across the organization, and managing requirements risk. Project management practices are crucial to ensuring that the solutions selected meet the business requirements in a timely and budget-sensitive manner.

Deliver, Service, and Support (DSS) Domain

The DSS domain defines those process capabilities that provide operational support and "keep the cybersecurity lights on." These apply to outsourced services as well as internally run services. Cybersecurity operations management is developed with input from the security architecture, the information security policies, and facilities information. Process capabilities exist for identifying, classifying, escalating, and managing security incidents; managing the ticketing system for cybersecurity items; managing problems through root cause analysis to reduce the likelihood of recurrence; managing crises; and ensuring that an appropriate business continuity plan and disaster recovery arrangements for IT-related equipment and data are in place. Incident response and recovery operations should be integrated with the overall business continuity management program. A key control today for recovering from ransomware attacks is restoring data files from the backups taken under the documented disaster recovery process. Because ransomware operators routinely encrypt or delete any backups reachable from the compromised environment, the copies relied on must be kept offline or otherwise isolated, and the restore procedure must be exercised regularly rather than assumed to work. If these controls are not in place and integrated with business continuity, data may be unrecoverable, and if effective processes are not defined, the processing delay may be unacceptable.

Monitor, Evaluate, and Assess (MEA) Domain

The management process capabilities in the MEA domain provide cybersecurity monitoring and self-assessment and ensure that the reporting required for compliance with the various laws and regulations is performed properly. Periodic reviews of cybersecurity through a formal approach are defined. Corrective cybersecurity actions are tracked and performance is reported. These processes ensure that the appropriate internal control mechanisms for cybersecurity are developed and operating effectively.

COBIT 5 Domains Support Complete Cybersecurity Life Cycle

Each of the COBIT 5 domains contributes to the maturing of the cybersecurity program processes by contributing either governance or management practices and related activities to address the planning, building, or ongoing operation of the cybersecurity environment. The processes are the enablers to provide the who, what, when, and where actions that need to be taken. Holistically, this reduces the risk that actions necessary to protect the confidentiality, integrity, and availability of the information critical to the business are missed.

Why Use a COBIT 5 Process Enabler Approach?

There are other approaches available for specifying cybersecurity control environments, such as NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. The purpose of Special Publication 800-53 is to provide guidelines for selecting and specifying security controls for information systems supporting executive agencies of the federal government. The NIST model, in contrast to the COBIT 5 model, is very prescriptive in nature and may be overwhelming to many organizations. Its control definitions are very detailed and may be best used to complement, and help develop, the organization-specific detailed activities that perform the COBIT 5 practices, which in turn, as indicated in the previous section, support the overarching cybersecurity process.

The Center for Internet Security (CIS) and the Centre for the Protection of National Infrastructure (CPNI) promote the Top 20 Critical Controls to provide a prioritized set of cybersecurity practices to reduce the risk of cyber attack. These are technical controls, such as ensuring that accurate inventories of authorized and unauthorized devices are available, secure configurations are created, vulnerabilities are assessed and remediated, and administrative privileges are controlled, ordered by the importance of each control. The idea is that by closing these cybersecurity gaps the bar is raised for the external hacker to gain access. The controls are important, but this approach differs from the COBIT 5 approach: there is less focus on developing processes that support the business objectives, and the primary focus is on the technical controls that need to be implemented. These controls, as with the NIST 800-53 controls, are useful in building the detailed activities that support the processes and practices needed; however, the COBIT 5 process enablers are necessary to ensure the right cybersecurity activities are performed efficiently and effectively. These constructs are not readily apparent when using solely the Top 20 Critical Controls.

The ISO/IEC 27001 security techniques for Information Security Management Systems (ISMS) and the Information Security Forum Standard of Good Practice for Information Security can be used to supplement the processes of the five domains of the COBIT 5 for Information Security framework. The relevant guidance in these standards, along with the NIST 800-53 controls, has been mapped to the COBIT 5 Framework in the COBIT 5 for Information Security Appendices. Using the COBIT 5 framework and the associated processes provides the overarching governance and management assurance that adequate cybersecurity coverage exists from the governance and planning of cybersecurity activities through to the ongoing operation and measurement of the program.

So What Does CEO Tom Get Out of the Process Enablers?

Using the COBIT 5 process enablers provides a very holistic set of cybersecurity processes to manage the cyber risk management system. Once Tom has implemented these processes, it will be clear who in the organization is accountable and responsible for each of the governance and management practices supporting cybersecurity treatment processes, and who else needs to be involved, by being informed or consulted, when a process is changed or implemented. Tom will have a clear definition of the cybersecurity governance and management practices necessary to achieve each of the cybersecurity processes that make up the cybersecurity program. Tom will also have assurance that the detailed activities are defined and based on good practices, leveraging the technical definitions provided by other standards that are built on good practices at that level. He will also have the comfort that processes are in place to mitigate the risks inherent in implementing technology.

Moreover, Tom will have assurance that resources spent on executing processes will add value to the organization by creating cybersecurity-specific outputs used as inputs to follow-on processes, which, taken together, holistically support the business objectives of Tom’s organization. Continual review of the processes aids in making clear decisions on the cybersecurity priorities: which processes need additional investment, and which can be discontinued or moved to a lower cost of support. Tom will have an integrated program covering multiple processes to support the organization, people, and technology, with metrics to measure the effectiveness and efficiency of the cybersecurity program.

Conclusion

The following cyber risk management statement represents the organizational capabilities that the CEO and board expect to be demonstrated in terms of treating cyber risk using process capabilities.

About ISACA

As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Incorporated in 1969, ISACA today serves 140,000 professionals in 180 countries. ISACA provides practical guidance, benchmarks, and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit, and assurance professionals worldwide. The COBIT framework and the CISA, CISM, CGEIT, and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

About Todd Fitzgerald

Todd is the global director of information security for Grant Thornton International, Ltd., providing strategic information security leadership for Grant Thornton member firms, supporting 42,000 employees in 140 countries. Todd is an ISACA member, prior Information Security Risk Management conference chair, thought leader, and frequent international speaker. Leading large company information security programs for 19 years, Todd is the 2016 Chicago CISO of the Year awarded by ISACA, ISSA, AITP, Infragard, and SIM. Todd is also a 2013 Top 50 Information Security Executive, 2013–2016 Ponemon Institute Distinguished Fellow, and top-rated RSA conference speaker. He is the author of three books (Information Security Governance Simplified: From the Boardroom to the Keyboard; CISO Leadership: Essential Principles for Success [ISC2 Press]; and 2014 Certified Chief Information Security Officer (C-CISO) Body of Knowledge) and a contributor to a dozen others.
