3. Models & Framework
A model is a high-level construct representing processes, variables and
relationships. It is abstract and conceptual, and by itself gives no
specific guidance on practices or procedures for implementation.
A framework is a support structure within which another software
project can be organized or developed.
While a model is abstract and conceptual, a framework is linked to
demonstrable work. Frameworks set assumptions and practices that are
designed to directly shape implementations; models provide general
guidance for achieving goals without getting into the details of
practices and procedures.
4. Standards
A standard is a published document that contains a technical specification
or other precise criterion designed to be used consistently as a rule,
guideline or definition.
Standards help to make life simpler and to increase the reliability and
effectiveness of many of the goods and services that we use.
They summarize accepted good practice and are created by bringing
together the experience and expertise of all interested parties: the
producers, sellers, buyers, users and regulators of a particular material,
product, process or service.
An important point to note is that standards are designed for voluntary use
and do not by themselves impose any regulation.
However, laws, regulations and contracts may refer to particular standards
and make compliance with them compulsory.
5. Methodology
• A methodology is a codified set of recommended practices,
sometimes accompanied by training materials, formal educational
programs, worksheets and diagramming tools.
• It is ‘a body of practices, procedures and rules used by those who
work in a discipline or engage in an inquiry.’
6. A methodology is a way to systematically solve a problem. It combines two
things: the methods you have chosen to get to a desired outcome and the logic
behind those methods. A framework, on the other hand, is a structured approach to
problem solving. Frameworks provide the structural components you need to
implement a model; a framework is a skeletal structure around which something can
be built.
A framework is a collection of reusable components that offer a consultant
shortcuts to avoid developing a structure from scratch, each time they start an
engagement. Some frameworks take a more rigid approach to consulting, while
others are more lenient throughout the engagement lifecycle. Such frameworks
provide enough room for creativity, allowing consultants to cherry pick
components according to their clients’ needs or style of work. Methodology, on the
other hand, has its limitations in terms of creativity because it is based on a set of
pre-defined rules.
16. Topics to be covered
• ISO 27001 (Framework/Standard)
• COBIT (Framework/Standard)
• SSE-CMM: System Security Engineering Capability Maturity model
(Framework)
• Methodologies for IS security
• IAM: INFOSEC Assessment Methodology (not to be confused with
identity and access management, which shares the acronym)
• IEM: INFOSEC Evaluation Methodology
• SIPES: Security incident policy enforcement system
17. ISO 27001
• It is an information security management (ISM) standard.
• Its purpose is to help organizations establish and maintain an
ISMS (information security management system).
• It is the set of requirements that must be met if you want your ISMS
to be formally certified.
• ISO 27001 certification (issued by an accredited certification body
after audit, not by ISO itself) shows that the business has defined and
implemented an effective security management process.
18. ISO 27001
ISO/IEC 27001 is a specification for an information security management
system (ISMS). It superseded the British standard BS 7799-2; its
companion code of practice, formerly ISO/IEC 17799:2005, was renumbered
ISO/IEC 27002.
An ISMS is a framework of policies and procedures that includes all
legal, physical and technical controls involved in an organization's
information risk management processes.
According to its documentation, ISO 27001 was developed to
"provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an information
security management system."
19. • ISO 27001 uses a top-down, risk-based approach
and is technology-neutral. The specification defines
a six-part planning process:
• Define a security policy.
• Define the scope of the ISMS.
• Conduct a risk assessment.
• Manage identified risks.
• Select control objectives and controls to be
implemented.
• Prepare a statement of applicability.
26. The specification includes details for documentation, management
responsibility, internal audits, continual improvement, and corrective
and preventive action. The standard requires cooperation among all
sections of an organization.
The 27001 standard does not mandate a fixed set of technical controls;
instead it lists control objectives and controls in its Annex A that
must be considered and either applied or justified as excluded in the
statement of applicability. The accompanying code of practice, ISO/IEC
27002 (originally 27002:2005), describes those controls in detail and
gives generally accepted good-practice implementation guidance.
Note that the 2005 editions cited here have been revised; the 2013
editions followed, and the current editions are ISO/IEC 27001:2022 and
ISO/IEC 27002:2022, which restructured the Annex A control set.
27. ISO 27001 is designed to help organizations establish and maintain
effective information security controls through continual
improvement.
First published in October 2005 by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission
(IEC), ISO/IEC 27001 reflects the principles of the Organisation for
Economic Co-operation and Development (OECD) guidelines on the security
of information systems and networks.
The standard creates a road map for the secure design,
implementation, management and maintenance of IT processes in
the organization.
28. Corporate Governance
Corporate governance refers to the way a corporation is governed.
Corporate governance refers to the set of systems, principles and
processes by which a company is governed and deals with
determining ways to take effective strategic decisions.
They provide the guidelines as to how a company can be directed or
controlled such that it can fulfil its goals and objectives in a manner
that adds to the value of the company and is also beneficial for all
stakeholders in the long term.
Stakeholders, in this case, would include everyone from the board of
directors, management and shareholders to customers, employees and
society.
29. IT Governance
• IT Governance is a subset discipline of Corporate Governance.
• IT Governance is a part of the overall Corporate Governance
strategy of an organization. In simple words, IT Governance is
putting structure around how an organization aligns its IT
strategy with its business strategy.
• An IT governance framework answers some key questions, such
as how the IT department is functioning overall, what key metrics
management needs and what return IT is giving back to the
business from the investment it’s making.
30. IT Governance (continued)
• The primary goals of IT Governance are to assure that the investments in IT
generate business value, and to mitigate the risks that are associated with
IT. This can be done by implementing an organizational structure with well-
defined roles for the responsibility of information, business processes,
applications and infrastructure.
• Organizations and businesses need a structure or framework to ensure that
the IT function is able to sustain the organization’s strategies and objectives.
• The framework and level we need depends on the size, industry or
applicable laws or regulations.
• In general, the larger and more regulated the organization, the more detailed
the IT governance structure should be.
32. IT Governance Framework
An IT governance framework includes three elements:
• Governance principles – the principles by which all IT
initiatives will be governed
• Governance structure – the roles and responsibilities of
the major stakeholders in the IT governance decision-
making process, including committees and organizational
elements at the branch level
• Governance process – the various stages required to
review, assess and approve or reject new IT initiatives
Implementing good IT governance requires a framework.
33. COBIT
• Control Objectives for Information and Related Technologies (COBIT),
first published in 1996 by the Information Systems Audit and Control
Association (ISACA), is probably the most widely used IT governance
framework.
• Basically, it is a set of guidelines and a supporting tool set for IT
governance that is accepted worldwide.
• It is used by auditors and companies as a way to implement controls
around technology and meet specific business objectives.
• ISACA positions COBIT 2019, the current version, as the business
framework for the governance and management of enterprise IT.
34. • Each version is evolutionary: COBIT 5 incorporated the thinking of
its time on enterprise governance and management techniques, and provides
globally accepted principles, practices, analytical tools and models to
help increase the trust in, and value from, information systems.
• COBIT 5 builds and expands on COBIT 4.1 by integrating other major
frameworks, standards and resources, including ISACA’s Val IT and
Risk IT, Information Technology Infrastructure Library (ITIL) and
related standards from the International Organization for
Standardization (ISO).
35. What is ISACA?
• ISACA stands for Information Systems Audit and Control Association. It
develops controls and guidance for information governance, security, control,
and audit professionals.
• This international association focuses on IT governance, providing
benchmarks and governance tools for organizations that employ information
systems. ISACA is behind the creation, sponsorship, and driving of the COBIT
framework
36. COBIT
COBIT is a framework for developing, implementing,
monitoring and improving information technology (IT)
governance and management practices.
The COBIT framework is published by the IT Governance
Institute and the Information Systems Audit and Control
Association (ISACA).
The goal of the framework is to provide a common language
for business executives to communicate with each other about
goals, objectives and results.
The original version, published in 1996, focused largely on
auditing. COBIT 5, published in 2012, shifted the emphasis to the
value that information governance can provide to a business's
success; COBIT 2019, released in late 2018, is the current version.
The framework also provides a good deal of advice about enterprise
risk management.
37. COBIT
The name COBIT originally stood for "Control Objectives for Information
and Related Technology," but the spelled-out version of the name was
dropped in favor of the acronym in the fifth iteration of the framework.
COBIT 5 is based on five key principles for governance and management of
enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
COBIT 2019 is the newer version; it builds on these by defining six
principles for a governance system (including that the system be dynamic
and tailored to enterprise needs) and keeps the separation of governance
from management.
(Holistic: characterized by the belief that the parts of something are
intimately interconnected and explicable only by reference to the whole.)
38. • Today, COBIT is used globally by IT and business process
managers as a model for delivering value to the organization and for
managing the risks associated with IT processes. The COBIT control
model is intended to support the integrity of information systems;
like any framework, it does not guarantee it, since the outcome depends
on how the controls are implemented and verified.
• It was designed to be a supportive tool for managers—
and allows bridging the crucial gap between technical
issues, business risks, and control requirements.
39. • COBIT is a widely recognized guideline that can be applied to any
organization in any industry. Overall, COBIT aims to improve the quality,
control and reliability of information systems in an organization, which
is among the most important concerns of every modern business.
40. Goals of the COBIT Framework
There are four primary goals of the COBIT framework:
1. To help organizations achieve their objectives for the governance and
management of enterprise IT.
2. To provide a comprehensive set of best practices for enterprise IT governance
and management.
3. To promote alignment between enterprise IT and the business goals of the
organization.
4. To provide a common language for enterprise IT governance and
management.