Case study: COBIT as a foundation for Information Security Management
ABSTRACT
Information security is now a business-driven function involving the entire enterprise population. Most organisations have a large number of inter-enterprise connections and a wide range of technology and operational choices available for exercising (or not) security activities in each processing environment.
- Security and control are highly dependent on user and application activities, as well as resource protection.
- Selection, testing and deployment of appropriate mechanisms to supply security functions is complex.
- Few organisations have established the processes necessary for effective information security.
THE CHALLENGE
Building information protection programs around:
- confidentiality, stressing "need to know" as the guiding principle for implementing a security program.
- integrity, focusing on the "control of privilege to create, modify, store, copy or delete information or information resources."
- availability, based on the "business' need" to have systems, resources and data available.
HOW WE HELP
Through the use of a process-based approach:
- Establish an information security Oversight Authority
- Define the IT activities necessary for effective information security
- Start with a process owner and clear process goals for information security management
- Identify each CobiT process that has an impact on, or is affected by, information security
- Assign responsibilities to define and develop existing security processes
- Develop process and process artefacts
- Build capability in information security and related activities
- Establish process governance over information security management
- Focus on delivering the outcome that business expects from information security
- Establish performance measures for information security
- Monitor process performance.
LESSONS LEARNED
- There are a large number of IT processes that will have an impact on the effectiveness of information security.
- The outcome expected from information security should be first obtained from the business.
Last Updated (Tuesday, 24 April 2007)