• Home

  • Documents

  • Integration of COBIT, Balanced Scorecard & SSE-CMM … of COBIT, Balanced Scorecard &...
1
Integration of COBIT, Balanced Scorecard & SSE-CMM as a strategic Information Security Management (ISM) framework James E. Goldman, Suchit Ahuja Computer & Information Technology, Purdue University B k d/I P dS l ti Background / Issues Multiple frameworks for Information Security Management (ISM) ISO 27001 Information Security Management System ISO 27002 Information Security Controls COBIT Controls for processes Multiple frameworks for Strategic Alignment of Business & IT Balanced Scorecard Project Portfolio Management M lti l f kf Mti &M t Approach Integration is achieved by bridging the gaps or mitigating the weaknesses , that one framework inherently contains, using the methodology prescribed by the second Proposed Solution Integration of COBIT, Balanced Scorecard & SSE-CMM for strategic ISM ALIGN Business + IT + ISM Strategies ESTABLISH clear TRACEABILITY + GOVERNANCE USE of STANDARDIZED METRICS for Performance Management Multiple frameworks for Metrics & Measurement SEI CMM SSE CMM COBIT process area 4.0 - “Measure & Evaluate (ME)” Problem Each framework addresses only a specific area within ISM domain Integration of two or more frameworks often consists of gaps Lack of alignment between Business + IT + InfoSec strategies L k f TRACEABILITY framework and using SSE-CMM as an evaluation mechanism Previous Work Metrics based Security Assessment (Information Security and Ethics: Social and Organizational, 2004) Using ISO 27001 and SSE-CMM Mapping of processes for effective integration of COBIT and SEI-CMM IT Governance Institute, 2005 Mapping of COBIT with ITIL and ISO 27002 (IT Governance Institute, 2008) F ff i d li f IT ihb i Lack of TRACEABILITY For effective management and alignment of IT with business Proposed Solution # Weaknesses / Risks / Gaps Mitigation Mechanism 1 COBIT 1.1 Lack of alignment of COBIT process areas with Use a cascading balanced scorecard approach to align # Weaknesses / Risks / Gaps Mitigation Mechanism 2 Balanced Scorecard 2.1 Can cause disagreement and tension between top and The use of COBIT Information Classification / Criteria with clear COBIT Information Criteria can help classify information directly for audit purposes. This is similar to Information Classification KGI: Key Goal Indicator is defined as a measure of what has to be accomplished Mitigation of Gaps in BSC and COBIT frameworks business strategy business strategy with information security strategy 1.2 Lack of standardized Maturity Model Use metrics from cascading BSC and Key Performance Indicators (KPI), Key Goal Indicators (KGI) and Critical Success Factors (CSF) to aggregate the metrics 1.3 A maturity model that is mainly a stand-alone analysis tool Use SSE-CMM mapping to COBIT areas 1.4 Audit and Information Security reporting gaps Using a cascading BSC would establish an information security reporting mechanism via KPIs, tension between top and middle management regarding information protection priority Classification / Criteria, with clear prioritization can mitigate risks arising from conflicts 2.2 Terminates at the “Initiatives” level without indicating what processes need to be implemented Create a mapping between COBIT processes and BSC initiatives 2.3 Lack of traceability to information security level Use of COBIT control processes over appropriate process areas that are related to information security management 2.4 Audit and Information Security reporting gaps Using a cascading balanced scorecard approach would establish an information security reporting to Information Classification Matrix developed by National Security Agency (NSA) for InfoSec Assessment Methodology (IAM) to be accomplished KPI: Key Performance Indicator is a measure of how well the process is performing Use of KPIs and KGIs (already defined by management and aligned with business strategy) to establish a reporting mechanism for Information Security Management (ISM) that communicates the performance of the operational KGIs and CSFs while measuring maturity via SSE-CMM mechanism via KPIs, KGIs and CSFs while measuring maturity via SSE-CMM processes, used in order to achieve desired ISM objectives 48F-350.pdf 1 3/10/2009 1:51:24 PM

Integration of COBIT, Balanced Scorecard & SSE-CMM … of COBIT, Balanced Scorecard & SSE-CMM as a strategic Information Security Management (ISM) framework James E. Goldman, Suchit

  • Upload
    dohanh

  • View
    230

  • Download
    1

Embed Size (px)

Citation preview

Page 1: Integration of COBIT, Balanced Scorecard & SSE-CMM … of COBIT, Balanced Scorecard & SSE-CMM as a strategic Information Security Management (ISM) framework James E. Goldman, Suchit

Integration of COBIT, Balanced Scorecard & SSE-CMM as a strategic Information Security Management (ISM) framework

James E. Goldman, Suchit AhujaComputer & Information Technology, Purdue University

B k d / I P d S l tiBackground / Issues• Multiple frameworks for Information Security Management (ISM)

• ISO 27001 Information Security Management System• ISO 27002 Information Security Controls• COBIT Controls for processes

• Multiple frameworks for Strategic Alignment of Business & IT• Balanced Scorecard• Project Portfolio Management

M lti l f k f M t i & M t

Approach• Integration is achieved by bridging the gaps or mitigating the weaknesses, that one

framework inherently contains, using the methodology prescribed by the second

Proposed Solution• Integration of COBIT, Balanced Scorecard & SSE-CMM for strategic ISM

• ALIGN Business + IT + ISM Strategies• ESTABLISH clear TRACEABILITY + GOVERNANCE• USE of STANDARDIZED METRICS for Performance Management

• Multiple frameworks for Metrics & Measurement• SEI CMM• SSE CMM• COBIT process area 4.0 - “Measure & Evaluate (ME)”

Problem• Each framework addresses only a specific area within ISM domain• Integration of two or more frameworks often consists of gaps• Lack of alignment between Business + IT + InfoSec strategies

L k f TRACEABILITY

y , g gy p yframework and using SSE-CMM as an evaluation mechanism

Previous Work• Metrics based Security Assessment (Information Security and Ethics: Social and

Organizational, 2004)• Using ISO 27001 and SSE-CMM

• Mapping of processes for effective integration of COBIT and SEI-CMM • IT Governance Institute, 2005

• Mapping of COBIT with ITIL and ISO 27002 (IT Governance Institute, 2008) F ff i d li f IT i h b i• Lack of TRACEABILITY • For effective management and alignment of IT with business

Proposed Solution

# Weaknesses / Risks / Gaps Mitigation Mechanism1 COBIT1.1 Lack of alignment of

COBIT process areas with Use a cascading balanced scorecard approach to align

# Weaknesses / Risks / Gaps Mitigation Mechanism2 Balanced Scorecard2.1 Can cause disagreement and

tension between top andThe use of COBIT Information Classification / Criteria with clear

COBIT Information Criteria can help classify information directly for audit purposes. This is similar to Information Classification

KGI: Key Goal Indicator is defined as a measure of what has to be accomplished

Mitigation of Gaps in BSC and COBIT frameworks

pbusiness strategy

pp gbusiness strategy with information security strategy

1.2 Lack of standardized Maturity Model

Use metrics from cascading BSC and Key Performance Indicators (KPI), Key Goal Indicators (KGI) and Critical Success Factors (CSF) to aggregate the metrics

1.3 A maturity model that is mainly a stand-alone analysis tool

Use SSE-CMM mapping to COBIT areas

1.4 Audit and Information Security reporting gaps

Using a cascading BSC would establish an information security reporting mechanism via KPIs,

tension between top and middle management regarding information protection priority

Classification / Criteria, with clear prioritization can mitigate risks arising from conflicts

2.2 Terminates at the “Initiatives” level without indicating what processes need to be implemented

Create a mapping between COBIT processes and BSC initiatives

2.3 Lack of traceability to information security level

Use of COBIT control processes over appropriate process areas that are related to information security management

2.4 Audit and Information Security reporting gaps

Using a cascading balanced scorecard approach would establish an information security reporting

to Information Classification Matrix developed by National Security Agency (NSA) for InfoSec Assessment Methodology (IAM)

to be accomplishedKPI: Key Performance Indicator is a measure of how well the process is performing

Use of KPIs and KGIs (already defined by management and aligned with business strategy) to establish a reporting mechanism for Information Security Management (ISM) that communicates the performance of the operational p g ,

KGIs and CSFs while measuring maturity via SSE-CMM

y p gmechanism via KPIs, KGIs and CSFs while measuring maturity via SSE-CMM

p pprocesses, used in order to achieve desired ISM objectives

48F-350.pdf 1 3/10/2009 1:51:24 PM

coj
Typewritten Text
2009 - 48F-350 - Integration of COBIT, Balanced Scorecard & SSE-CMM as a strategic Information Security Management (ISM) framework - Suchit Ahuja - SAET

SSE-CMM - University of California, Davisnob.cs.ucdavis.edu/classes/ecs235b-2013-02/slides/sli27.pdf · 2013. 6. 2. · SSE-CMM Model! • Process capability: range of expected results

SSE-CMM - University of California, Davisnob.cs.ucdavis.edu/classes/ecs235b-2013-02/slides/sli27.pdf · 2013. 6. 2. · SSE-CMM Model! • Process capability: range of expected results

Documents
Comparing COBIT 4.1 and COBIT 5

Comparing COBIT 4.1 and COBIT 5

Documents
C i g COBIT4 1 Comparing COBIT4.1 and COBIT 5m.isaca.org/COBIT/Documents/Comparing-COBIT.pdfComparing COBIT 4.1 and COBIT 5 Abstract COBIT 5 integrates Risk IT, Val IT, BMIS and COBIT

C i g COBIT4 1 Comparing COBIT4.1 and COBIT 5m.isaca.org/COBIT/Documents/Comparing-COBIT.pdfComparing COBIT 4.1 and COBIT 5 Abstract COBIT 5 integrates Risk IT, Val IT, BMIS and COBIT

Documents
Comparación de CobiT 5 con CobiT 4.1

Comparación de CobiT 5 con CobiT 4.1

Technology
CobiT CobiT CobiT CobiT CobiT CobiT CobiT CobiT , ITIL and

CobiT CobiT CobiT CobiT CobiT CobiT CobiT CobiT , ITIL and

Documents
COBIT, BSC, SSE-CMM 1 Running head: COBIT, BSC ... - CERIAS · COBIT, BSC, SSE-CMM 2 Abstract The purpose of this study is to explore the integrated use of Control Objectives for

COBIT, BSC, SSE-CMM 1 Running head: COBIT, BSC ... - CERIAS · COBIT, BSC, SSE-CMM 2 Abstract The purpose of this study is to explore the integrated use of Control Objectives for

Documents
Introduction to COBIT 5 - NUS STMI · Introduction to COBIT 5 About COBIT 5 This one-day “Introduction to COBIT 5” course provides an introduction to the COBIT 5 governance framework

Introduction to COBIT 5 - NUS STMI · Introduction to COBIT 5 About COBIT 5 This one-day “Introduction to COBIT 5” course provides an introduction to the COBIT 5 governance framework

Documents
mountainview Achieving IT Governance with COBIT, ITIL ... · Achieving IT Governance with COBIT, ITIL, ISO20000, CMM, ISO17799, etc. Abstract: ... The enforcement of IT controls and

mountainview Achieving IT Governance with COBIT, ITIL ... · Achieving IT Governance with COBIT, ITIL, ISO20000, CMM, ISO17799, etc. Abstract: ... The enforcement of IT controls and

Documents
Cobit® 5 Comparação com Cobit® 4

Cobit® 5 Comparação com Cobit® 4

Technology
La necesidad de crear software seguro - Vicente … · •OWASP CLASP •Cigital Software Security Touchpoints •OWASP OpenSAMM •BSIMM •SSE CMM . Construcción de software seguro

La necesidad de crear software seguro - Vicente … · •OWASP CLASP •Cigital Software Security Touchpoints •OWASP OpenSAMM •BSIMM •SSE CMM . Construcción de software seguro

Documents
The Systems Security Engineering Capability Maturity Model · 2010. 2. 9. · 23 SSE-CMM Organizational ... BP.09.06 Provide Operational Security Guidance Goals • All system issues

The Systems Security Engineering Capability Maturity Model · 2010. 2. 9. · 23 SSE-CMM Organizational ... BP.09.06 Provide Operational Security Guidance Goals • All system issues

Documents
IT Governance Self Assessment in Higher Education Based … · IT Governance Self Assessment in Higher Education Based on COBIT Case Study: ... CMM, ISO 27001 and Six Sigma ... The

IT Governance Self Assessment in Higher Education Based … · IT Governance Self Assessment in Higher Education Based on COBIT Case Study: ... CMM, ISO 27001 and Six Sigma ... The

Documents
Integration of COBIT, Balanced Scorecard and SSE - CMM as ...ceur-ws.org/Vol-456/paper3.pdf · Integration of COBIT, Balanced Scorecard and SSE - CMM as a strategic Information Security

Integration of COBIT, Balanced Scorecard and SSE - CMM as ...ceur-ws.org/Vol-456/paper3.pdf · Integration of COBIT, Balanced Scorecard and SSE - CMM as a strategic Information Security

Documents
COBIT 5 | Foundation - ITpreneurscampus.itpreneurs.com/itpreneurs/LPEngine/Cobit/Foundation/English… · — co COBIT 5 Process Mapping COBIT 5 IT-related Goals to Processes (Contd.)

COBIT 5 | Foundation - ITpreneurscampus.itpreneurs.com/itpreneurs/LPEngine/Cobit/Foundation/English… · — co COBIT 5 Process Mapping COBIT 5 IT-related Goals to Processes (Contd.)

Documents
COBIT 5 Online Collaborative Environmentitil.se/itilse_documents/COBIT5-Laminate.pdf · COBIT® 5: Enabling Information COBIT® 5: Enabling Processes Other Enabler Guides COBIT®

COBIT 5 Online Collaborative Environmentitil.se/itilse_documents/COBIT5-Laminate.pdf · COBIT® 5: Enabling Information COBIT® 5: Enabling Processes Other Enabler Guides COBIT®

Documents
Switch CLI Reference Guide for SSE-G48-TG4 SSE-G24-TG4 SSE ... · PDF fileSSE-G48-TG4 SSE-G24-TG4 SSE-X24S SSE-X24SR SSE-X3348S SSE-X3348SR SSE-X3348T SSE-X3348TR SBM-GEM-X2C SBM-GEM-X2C+

Switch CLI Reference Guide for SSE-G48-TG4 SSE-G24-TG4 SSE ... · PDF fileSSE-G48-TG4 SSE-G24-TG4 SSE-X24S SSE-X24SR SSE-X3348S SSE-X3348SR SSE-X3348T SSE-X3348TR SBM-GEM-X2C SBM-GEM-X2C+

Documents
COBIT, BSC, SSE-CMM 1 Running head: COBIT, BSC ... - · PDF fileRunning head: COBIT, BSC, SSE-CMM Integration of COBIT, Balanced Scorecard and SSE-CMM as a strategic ... mapping of

COBIT, BSC, SSE-CMM 1 Running head: COBIT, BSC ... - · PDF fileRunning head: COBIT, BSC, SSE-CMM Integration of COBIT, Balanced Scorecard and SSE-CMM as a strategic ... mapping of

Documents
A COBIT 5 OverviewA COBIT 5 Overview - Information Technology

A COBIT 5 OverviewA COBIT 5 Overview - Information Technology

Documents
COBIT Ecopetrol S.A. IT COBIT 5 - Information … · COBIT® Process Assessment Model PAM :Using COBIT ... Sai K. Honig CISA CIA IT 10 Honig COBIT ITIL HIPAA ... 2014 COBIT 5 Risk

COBIT Ecopetrol S.A. IT COBIT 5 - Information … · COBIT® Process Assessment Model PAM :Using COBIT ... Sai K. Honig CISA CIA IT 10 Honig COBIT ITIL HIPAA ... 2014 COBIT 5 Risk

Documents
Cobit v5.0 BSC de TI con COBIT

Cobit v5.0 BSC de TI con COBIT

Documents
Security Extensions for CMMI Webinar... · CMMI – SSE-CMM CMMI SSE-CMM Org Process Focus (L3) Org Process Definition (L3) Org Process Performance (L4) Org Innovation and Deployment

Security Extensions for CMMI Webinar... · CMMI – SSE-CMM CMMI SSE-CMM Org Process Focus (L3) Org Process Definition (L3) Org Process Performance (L4) Org Innovation and Deployment

Documents
Comparing COBIT 4.1 and COBIT 5 - ISACA

Comparing COBIT 4.1 and COBIT 5 - ISACA

Documents
Lessons Learned from a Joint CMMI and SSE-CMM Class B ...€¦ · and IA-related evidence at the organizational level For SSE-CMM, an agreed-upon mapping between CMMI ®, SSE-CMM

Lessons Learned from a Joint CMMI and SSE-CMM Class B ...€¦ · and IA-related evidence at the organizational level For SSE-CMM, an agreed-upon mapping between CMMI ®, SSE-CMM

Documents
Cobit 4.1 vs Cobit 5

Cobit 4.1 vs Cobit 5

Documents
SSE-X3548S/SSE-X3548SR QoS

SSE-X3548S/SSE-X3548SR QoS

Documents
COBIT 5 Online Collaborative Environment - · PDF file2/15/2014 · COBIT® 5 COBIT 5 Online Collaborative Environment ... COBIT® 5 for Risk Other Professional Guides COBIT 5 Principles

COBIT 5 Online Collaborative Environment - · PDF file2/15/2014 · COBIT® 5 COBIT 5 Online Collaborative Environment ... COBIT® 5 for Risk Other Professional Guides COBIT 5 Principles

Documents
COBIT 5 ISACA's new Framework for IT Governance, Risk ... COBIT 5.0 Framework.pdf · COBIT 5 ISACA’s new framework for IT Governance, Risk, ... COBIT 5© ISACA Mapping IT ... COBIT

COBIT 5 ISACA's new Framework for IT Governance, Risk ... COBIT 5.0 Framework.pdf · COBIT 5 ISACA’s new framework for IT Governance, Risk, ... COBIT 5© ISACA Mapping IT ... COBIT

Documents
COBIT Self-assessment Guide: Using COBIT 5

COBIT Self-assessment Guide: Using COBIT 5

Documents
COBIT 5 & COBIT 5 for Risk An overview - ISACA · • Cobit 5.0 SME Reviewer • Cobit for Risk development workshop and SME reviewer • Cobit for Risk Scenarios Guide Task Force

COBIT 5 & COBIT 5 for Risk An overview - ISACA · • Cobit 5.0 SME Reviewer • Cobit for Risk development workshop and SME reviewer • Cobit for Risk Scenarios Guide Task Force

Documents
COBIT 5 Implementation - SAS Management Inc.saservices.com.ph/.../uploads/2017/12/COBIT-5-Implementation.pdf · 1 | COBIT 5 Implementation . Program Overview . COBIT ® 5 is the latest

COBIT 5 Implementation - SAS Management Inc.saservices.com.ph/.../uploads/2017/12/COBIT-5-Implementation.pdf · 1 | COBIT 5 Implementation . Program Overview . COBIT ® 5 is the latest

Documents