Security models, Frameworks,
Standards and Methodologies
Chapter Outline
• Models
• Frameworks
• Standards
• Methodologies
Models & Framework
• A model is a high-level construct representing processes, variables and
relationships. Thus, a model is an abstract, conceptual construct that
provides no specific guidance on, or practices for, implementation.
• A framework is defined as a support structure in which another
software project can be organized or developed.
• While a model is abstract and conceptual, a framework is linked to
demonstrable work. Furthermore, frameworks set assumptions and
practices that are designed to directly impact implementations. In
contrast, models provide general guidance for achieving the goals,
but without getting into the details of practice and procedures.
Standards
• A standard is a published document that contains a technical specification
or other precise criterion designed to be used consistently as a rule,
guideline or definition.
• Standards help to make life simpler and to increase the reliability and
effectiveness of many goods and services that we use.
• They are a summary of best practices and are created by bringing
together the experience and expertise of all interested parties: the
producers, sellers, buyers, users and regulators of a particular material,
product, process or service.
• An important point to note is that standards are designed for voluntary use
and do not impose any regulations.
• However, laws and regulations may refer to certain standards and make
compliance with them compulsory.
Methodology
• A methodology is a codified set of recommended practices,
sometimes accompanied by training materials, formal educational
programs, worksheets and diagramming tools.
• It is ‘a body of practices, procedures and rules used by those who
work in a discipline or engage in an inquiry.’
A methodology is a way to systematically solve a problem. It combines
two things: the methods you have chosen to reach a desired outcome and
the logic behind those methods. A framework, on the other hand, is a structured
approach to problem solving. Frameworks provide the structural components you
need to implement a model; a framework is a skeletal structure around which
something can be built.
A framework is a collection of reusable components that offers a consultant
shortcuts, avoiding the need to develop a structure from scratch each time they start an
engagement. Some frameworks take a more rigid approach to consulting, while
others are more lenient throughout the engagement lifecycle. Such frameworks
provide enough room for creativity, allowing consultants to cherry-pick
components according to their clients' needs or style of work. A methodology, on the
other hand, has its limitations in terms of creativity because it is based on a set of
pre-defined rules.
Topics to be covered
• ISO 27001 (Framework/Standard)
• COBIT (Framework/Standard)
• SSE-CMM: System Security Engineering Capability Maturity model
(Framework)
• Methodologies for IS security
• IAM: InfoSec assessment methodology
• IEM: InfoSec evaluation methodology
• SIPES: Security incident policy enforcement system
ISO 27001
• It is an information security management standard.
• Its purpose is to help organizations establish and maintain an
ISMS.
• It is the set of requirements that must be met if you want your ISMS
to be formally certified.
• ISO 27001 certification shows that the business has defined and
implemented effective security processes.
ISO 27001
• ISO 27001 (formerly known as ISO/IEC 17799:2005) is a specification
for an information security management system (ISMS).
• An ISMS is a framework of policies and procedures that includes all
legal, physical and technical controls involved in an organization's
information risk management processes.
• According to its documentation, ISO 27001 was developed to
"provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an information
security management system."
• ISO 27001 uses a top-down, risk-based approach and is technology-neutral.
The specification defines a six-part planning process:
• Define a security policy.
• Define the scope of the ISMS.
• Conduct a risk assessment.
• Manage identified risks.
• Select control objectives and controls to be
implemented.
• Prepare a statement of applicability.
PDCA Approach
1. PLAN: Establish content
• Define ISMS scope
• Define policy
• Identify risks
• Assess risks
• Select control objectives
2. DO: Implement and operate
• Implement risk treatment plan
• Deploy controls
3. CHECK: Monitor and review
• Monitor processes
• Regular reviews
• Internal audits
4. ACT: Maintain and improve
• Implement improvements
• Corrective actions
• Preventive actions
• Communicate with stakeholders
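The six-part planning process and the PLAN phase of the PDCA cycle above are easier to reason about when the artefacts they produce are made concrete. The following is an added example, not code from the deck or from ISO: it walks a constructed risk register through scoping, risk assessment (likelihood × impact), risk treatment against an acceptance level, control selection, and finally a Statement of Applicability that records a justification for every control, including the ones left out. The asset names, threats, scores, control identifiers and the acceptance threshold are all constructed placeholders; the control IDs are not Annex A references.

```python
"""Risk-based ISMS planning, modelled in code (added example, not from the deck).

Steps mirrored: define scope -> assess risks -> treat risks -> select
controls -> prepare Statement of Applicability (SoA). Everything below is a
constructed illustration; control IDs are placeholders, not ISO Annex A text.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: a 5x5 likelihood x impact scale. Risks scoring at or above this
# level must be treated; lower risks may be accepted with a recorded reason.
RISK_ACCEPTANCE_LEVEL = 10

# Constructed control catalogue (placeholder IDs and names).
CONTROL_CATALOGUE = {
    "CTRL-ACCESS": "Access control policy and least-privilege accounts",
    "CTRL-BACKUP": "Backup and restore testing",
    "CTRL-PATCH":  "Vulnerability and patch management",
    "CTRL-CRYPTO": "Cryptographic protection of data at rest",
    "CTRL-PHYS":   "Physical entry controls",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1..5
    impact: int              # 1..5
    controls: list[str]      # candidate controls that would reduce this risk

    def score(self) -> int:
        return self.likelihood * self.impact


def risks_in_scope(register: list[Risk], scope: set[str]) -> list[Risk]:
    """Step 'define scope': only risks against in-scope assets are planned for."""
    return [r for r in register if r.asset in scope]


def assess(risks: list[Risk]) -> list[Risk]:
    """Step 'assess risks': rank by score, highest first (stable sort)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treat(ranked: list[Risk]) -> list[tuple[Risk, str]]:
    """Step 'manage identified risks': mitigate above the acceptance level, else accept."""
    return [(r, "mitigate" if r.score() >= RISK_ACCEPTANCE_LEVEL else "accept")
            for r in ranked]


def select_controls(treatment: list[tuple[Risk, str]]) -> dict[str, list[str]]:
    """Step 'select controls': map each chosen control to the risks it treats."""
    chosen: dict[str, list[str]] = {}
    for risk, decision in treatment:
        if decision == "mitigate":
            for cid in risk.controls:
                chosen.setdefault(cid, []).append(f"{risk.asset}/{risk.threat}")
    return chosen


def statement_of_applicability(chosen: dict[str, list[str]]) -> list[dict]:
    """Step 'prepare SoA': every catalogue control gets an applicability decision
    and a justification, so exclusions are documented rather than silent."""
    soa = []
    for cid, name in CONTROL_CATALOGUE.items():
        if cid in chosen:
            soa.append({"control": cid, "name": name, "applicable": True,
                        "justification": "treats risk(s): " + ", ".join(chosen[cid])})
        else:
            soa.append({"control": cid, "name": name, "applicable": False,
                        "justification": "no in-scope risk above the acceptance "
                                         "level requires this control"})
    return soa


def plan_isms(scope: set[str], register: list[Risk]):
    """Run the planning steps end to end; returns (treatment, chosen controls, SoA)."""
    treatment = treat(assess(risks_in_scope(register, scope)))
    chosen = select_controls(treatment)
    return treatment, chosen, statement_of_applicability(chosen)


# Constructed sample data: the HR laptop is deliberately left out of scope so the
# SoA shows how scoping decisions, not just risk scores, shape control selection.
SCOPE = {"customer-db", "web-portal"}
RISK_REGISTER = [
    Risk("customer-db", "unpatched DB exploited", 4, 5, ["CTRL-PATCH", "CTRL-ACCESS"]),
    Risk("customer-db", "backup media lost",      2, 4, ["CTRL-CRYPTO", "CTRL-BACKUP"]),
    Risk("web-portal",  "credential stuffing",    4, 3, ["CTRL-ACCESS"]),
    Risk("hr-laptop",   "device stolen",          3, 4, ["CTRL-CRYPTO", "CTRL-PHYS"]),
]

if __name__ == "__main__":
    treatment, chosen, soa = plan_isms(SCOPE, RISK_REGISTER)
    for risk, decision in treatment:
        print(f"{risk.score():>2}  {decision:8}  {risk.asset}: {risk.threat}")
    for entry in soa:
        flag = "YES" if entry["applicable"] else "NO "
        print(f"{flag}  {entry['control']:12}  {entry['justification']}")
```

Two things worth noticing in the output: the stolen-laptop risk scores above the acceptance level but never reaches the treatment plan because its asset is out of scope, and the SoA therefore marks encryption at rest as not applicable. An auditor reading that SoA will ask about the scope boundary, which is exactly why the deck lists "define the scope of the ISMS" before the risk assessment.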
Implementation context of PDCA cycle in ISO
27001
• The specification includes details for documentation, management
responsibility, internal audits, continual improvement, and corrective
and preventive action. The standard requires cooperation among all
sections of an organization.
• The 27001 standard does not mandate specific information security
controls, but it provides a checklist of controls that should be
considered in the accompanying code of practice, ISO/IEC
27002:2005. This second standard describes a comprehensive set of
information security control objectives and a set of generally
accepted good-practice security controls.
• ISO 27001 is designed to help organizations establish and maintain
effective information security controls through continual
improvement.
• Developed in October 2005 by the International Organization for
Standardization (ISO), ISO 27001 implements the principles of the Organization for Economic
Cooperation and Development (OECD) on governing the security of
information and networks.
• The standard creates a road map for the secure design,
implementation, management and maintenance of IT processes in
the organization.
Corporate Governance
Corporate governance refers to the way a corporation is governed.
Corporate governance refers to the set of systems, principles and
processes by which a company is governed and deals with
determining ways to take effective strategic decisions.
They provide the guidelines as to how a company can be directed or
controlled such that it can fulfil its goals and objectives in a manner
that adds to the value of the company and is also beneficial for all
stakeholders in the long term.
Stakeholders, in this case, would include everyone ranging from the
board of directors, management and shareholders to customers,
employees and society.
IT Governance
• IT Governance is a subset discipline of Corporate Governance.
• IT Governance is actually a part of the overall Corporate
Governance Strategy of an organization. In simple words, IT
Governance is putting structure around how organizations align
IT strategy with business strategy.
• An IT governance framework answers some key questions, such
as how the IT department is functioning overall, what key metrics
management needs and what return IT is giving back to the
business from the investment it’s making.
IT Governance (continued)
• The primary goals of IT Governance are to assure that the investments in IT
generate business value, and to mitigate the risks that are associated with
IT. This can be done by implementing an organizational structure with well-
defined roles for the responsibility of information, business processes,
applications and infrastructure.
• Organizations and businesses need a structure or framework to ensure that
the IT function is able to sustain the organization’s strategies and objectives.
• The framework and level we need depends on the size, industry or
applicable laws or regulations.
• In general, the larger and more regulated the organization, the more detailed
the IT governance structure should be.
IT Governance Framework
An IT governance framework includes three elements:
• Governance principles – the principles by which all IT
initiatives will be governed
• Governance structure – the roles and responsibilities of
the major stakeholders in the IT governance decision-
making process, including committees and organizational
elements at the branch level
• Governance process – the various stages required to
review, assess and approve or reject new IT initiatives
Implementing good IT governance requires a framework.
COBIT
• The Control Objectives for Information and Related Technologies
(COBIT) framework, developed in 1996 by the Information Systems Audit and
Control Association (ISACA), is probably the most popular.
• Basically, it’s a set of guidelines and supporting tool set for IT governance that
is accepted worldwide.
• It’s used by auditors and companies as a way to integrate technology to
implement controls and meet specific business objectives.
• COBIT 2019 is the only business framework for the governance and
management of enterprise IT.
• This evolutionary version incorporates the latest thinking in enterprise
governance and management techniques, and provides globally
accepted principles, practices, analytical tools and models to help
increase the trust in, and value from, information systems.
• COBIT 5 builds and expands on COBIT 4.1 by integrating other major
frameworks, standards and resources, including ISACA’s Val IT and
Risk IT, Information Technology Infrastructure Library (ITIL) and
related standards from the International Organization for
Standardization (ISO).
What is ISACA?
• ISACA stands for Information Systems Audit and Control Association. It
develops controls and guidance for information governance, security, control,
and audit professionals.
• This international association focuses on IT governance, providing
benchmarks and governance tools for organizations that employ information
systems. ISACA is behind the creation, sponsorship, and driving of the COBIT
framework
COBIT
• COBIT is a framework for developing, implementing,
monitoring and improving information technology (IT)
governance and management practices.
• The COBIT framework is published by the IT Governance
Institute and the Information Systems Audit and Control
Association (ISACA).
• The goal of the framework is to provide a common language
for business executives to communicate with each other about
goals, objectives and results.
• The original version, published in 1996, focused largely on
auditing. The latest version, published in 2013, emphasizes the
value that information governance can provide to a business'
success.
• It also provides quite a bit of advice about enterprise risk
management.
COBIT
• The name COBIT originally stood for "Control Objectives for Information
and Related Technology," but the spelled-out version of the name was
dropped in favor of the acronym in the fifth iteration of the framework.
• COBIT 5 is based on five key principles for governance and management of
enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
COBIT 2019 (new version)
(Holistic: characterized by the belief that the parts of something are intimately interconnected and
explicable only by reference to the whole.)
• Today, COBIT is used globally by IT business process
managers to equip them with a model to deliver value to
the organization and to practise better risk management
for the IT processes they run. The COBIT
control model is intended to guarantee the integrity of the
information system.
• It was designed to be a supportive tool for managers—
and allows bridging the crucial gap between technical
issues, business risks, and control requirements.
• COBIT is a widely recognized guideline that can be applied to any
organization in any industry. Overall, COBIT aims to ensure the quality, control and
reliability of information systems in an organization, which is also the most
important aspect of every modern business.
Goals of the COBIT Framework
There are four primary goals of the COBIT framework:
1. To help organizations achieve their objectives for the governance and
management of enterprise IT.
2. To provide a comprehensive set of best practices for enterprise IT governance
and management.
3. To promote alignment between enterprise IT and the business goals of the
organization.
4. To provide a common language for enterprise IT governance and
management.
ISO27001_COBIT_Students.pptx

  • 2. Chapter Outline • Models • Frameworks • Standards • Methodologies
  • 3. Models & Framework  Model is a high level construct representing processes, variables and relationships. Thus, model is an abstract, conceptual construct without providing specific guidance on or practices for implementation.  A framework is defined as a support structure in which another software project can be organized or developed.  While a model is abstract and conceptual, a framework is linked to demonstrable work. Furthermore, frameworks set assumptions and practices that are designed to directly impact implementations. In contrast, models provide the general guidance for achieving the goals, but without getting into the details of practice and procedures.
  • 4. Standards  A standard is a published document that contains a technical specification or other precise criterion designed to be used consistently as a rule, guideline or definition.  Standards help to make life simpler and to increase the reliability and effectiveness of many goods and services that we use.  They are the summary of best practices and are created by bringing together the experiences and expertise of all interested parties- the producers, sellers, buyers, users and regulators of a particular material, product, process or service.  An important point to note is that standards are designed for voluntary use and do not impose any regulations.  However, laws and regulations may refer to certain standards, and make compliance with them compulsory.
  • 5. Methodology • A methodology is a codified set of recommended practices, sometimes accompanied by training materials, formal educational programs, worksheets and diagramming tools. • It is ‘a body of practices, procedures and rules used by those who work in a discipline or engage in an inquiry.’
  • 6. A methodology is a way to systematically solve a problem. It is a combination of two things together – the methods you’ve chosen to get to a desired outcome and the logic behind those methods. On the other hand, a framework is a structured approach to problem solving. Frameworks provide the structural components you need to implement a model. It is a skeletal structure around which something can be built. A framework is a collection of reusable components that offer a consultant shortcuts to avoid developing a structure from scratch, each time they start an engagement. Some frameworks take a more rigid approach to consulting, while others are more lenient throughout the engagement lifecycle. Such frameworks provide enough room for creativity, allowing consultants to cherry pick components according to their clients’ needs or style of work. Methodology, on the other hand, has its limitations in terms of creativity because it is based on a set of pre-defined rules.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. Topics to be covered • ISO 27001 (Framework/Standard) • COBIT (Framework/Standard) • SSE-CMM: System Security Engineering Capability Maturity model (Framework) • Methodologies for IS security • IAM: InfoSec assessment methodology • IEM: InfoSec evaluation methodology • SIPES: Security incident policy enforcement system
  • 17. ISO 27001 • It is an ISM standard. • Its purpose is to help organizations to establish and maintain the ISMS. • It is the set of requirements that must be met if you want your ISMS to be formally certified. • Being ISO 27001 approved is a certification which shows that the business has defined and implemented effective security process.
  • 18. ISO 27001  ISO 27001 (formally known as ISO/IEC 17799:2005) is a specification for an information security management system (ISMS).  An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.  According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
  • 19. • ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process: • Define a security policy. • Define the scope of the ISMS. • Conduct a risk assessment. • Manage identified risks. • Select control objectives and controls to be implemented. • Prepare a statement of applicability.
  • 21. 1. PLAN-Establish content  Define ISMS scope  Define policy  Identify risks  Assess risks  Select control objectives
  • 22. 2. DO-Implement and operate • Implement risk treatment plan • Deploy controls
  • 23. 3. CHECK- Monitor and review • Monitor processes • Regular reviews • Internal audits
  • 24. 4. ACT-Maintain and improve • Implement improvements • Corrective actions • Preventive actions • Communicate with stakeholders
  • 25. Implementation context of PDCA cycle in ISO 27001
26.
 The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.
 The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
27.
 ISO 27001 is designed to help organizations establish and maintain effective information security controls through continual improvement.
 Developed in October 2005 by the International Organization for Standardization, ISO 27001 implements the principles of the Organisation for Economic Co-operation and Development (OECD) on governing the security of information and networks.
 The standard creates a road map for the secure design, implementation, management and maintenance of IT processes in the organization.
28. Corporate Governance
Corporate governance refers to the way a corporation is governed: the set of systems, principles and processes by which a company is governed, and the means of determining how to take effective strategic decisions. These provide the guidelines for how a company can be directed or controlled such that it can fulfil its goals and objectives in a manner that adds to the value of the company and is also beneficial for all stakeholders in the long term. Stakeholders, in this case, include everyone from the board of directors, management and shareholders to customers, employees and society.
29. IT Governance
• IT governance is a subset discipline of corporate governance.
• IT governance is actually a part of the overall corporate governance strategy of an organization. In simple words, IT governance is putting structure around how organizations align IT strategy with business strategy.
• An IT governance framework answers some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it is making.
30. IT Governance (continued)
• The primary goals of IT governance are to assure that investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.
• Organizations and businesses need a structure or framework to ensure that the IT function is able to sustain the organization's strategies and objectives.
• The framework and level of detail needed depends on the size, industry, and applicable laws or regulations.
• In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.
32. IT Governance Framework
An IT governance framework includes three elements:
• Governance principles: the principles by which all IT initiatives will be governed
• Governance structure: the roles and responsibilities of the major stakeholders in the IT governance decision-making process, including committees and organizational elements at the branch level
• Governance process: the various stages required to review, assess and approve or reject new IT initiatives
Implementing good IT governance requires a framework.
33. COBIT
• The framework Control Objectives for Information and related Technologies (COBIT), developed in 1996 by the Information Systems Audit and Control Association (ISACA), is probably the most popular.
• Basically, it is a set of guidelines and a supporting tool set for IT governance that is accepted worldwide.
• It is used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives.
• COBIT 2019 is the only business framework for the governance and management of enterprise IT.
34.
• This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.
• COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA's Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL) and related standards from the International Organization for Standardization (ISO).
35. What is ISACA?
• ISACA stands for Information Systems Audit and Control Association. It develops controls and guidance for information governance, security, control, and audit professionals.
• This international association focuses on IT governance, providing benchmarks and governance tools for organizations that employ information systems. ISACA is behind the creation, sponsorship, and driving of the COBIT framework.
36. COBIT
 COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.
 The COBIT framework is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).
 The goal of the framework is to provide a common language for business executives to communicate with each other about goals, objectives and results.
 The original version, published in 1996, focused largely on auditing. The latest version, published in 2013, emphasizes the value that information governance can provide to a business's success.
 It also provides quite a bit of advice about enterprise risk management.
37. COBIT
 The name COBIT originally stood for "Control Objectives for Information and Related Technology," but the spelled-out version of the name was dropped in favor of the acronym in the fifth iteration of the framework.
 COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
COBIT 2019 is the new version.
(Holistic: characterized by the belief that the parts of something are intimately interconnected and explicable only by reference to the whole.)
38.
• Today, COBIT is used globally by IT business process managers to equip them with a model to deliver value to the organization and to practise better risk management for the IT processes. The COBIT control model guarantees the integrity of the information system.
• It was designed to be a supportive tool for managers, and allows bridging the crucial gap between technical issues, business risks, and control requirements.
39.
• COBIT is a thoroughly recognized guideline that can be applied to any organization in any industry. Overall, COBIT ensures quality, control, and reliability of information systems in an organization, which is also the most important aspect of every modern business.
40. Goals of the COBIT Framework
There are four primary goals of the COBIT framework:
1. To help organizations achieve their objectives for the governance and management of enterprise IT.
2. To provide a comprehensive set of best practices for enterprise IT governance and management.
3. To promote alignment between enterprise IT and the business goals of the organization.
4. To provide a common language for enterprise IT governance and management.