Ruslan Rakhmetov, Security Vision
Alongside the most authoritative international organisations working on methodological support for information security, such as ISO (International Organization for Standardization), NIST (National Institute of Standards and Technology) and CIS (Center for Internet Security), stands ISACA. The acronym ISACA originally stood for Information Systems Audit and Control Association, but today ISACA is used simply as a proper name.
ISACA was established in 1969 and currently has over 150,000 members from 188 countries. Together with IS experts from various industries and countries, the organisation develops guidance documents in the field of IT governance, information security and risk management (e.g. the COBIT, Risk IT and CMMI frameworks, among others), and certifies cyber security and cyber risk management professionals (e.g. CISA, CISM, CRISC, CDPSE and others). In today's post, we'll look at the COBIT framework, one of the most authoritative information security documents from ISACA.
COBIT (Control Objectives for Information and Related Technologies) is an IT governance framework with a focus on information security and cyber risk management. The first version of the framework appeared in 1996, the most popular version, COBIT 5, was released in 2012, and 2019 saw the release of the updated COBIT 2019 framework, which reflects today's cyber threats and technologies and provides greater flexibility in implementation and customisation. COBIT 2019 is built on two sets of principles:
1. Principles that describe the requirements for an enterprise information and technology management system:
1.1 Providing benefits to stakeholders;
1.2 Integrity of the components of the corporate information and technology management system;
1.3 The dynamism of the management system and its adaptability to changes in processes, technologies, and the company's strategy;
1.4 The corporate information and technology management system should be separate and independent from the structure of the company's management system;
1.5 The management system should meet the requirements and interests of the company;
1.6 The corporate information and technology management system should be universally applicable regardless of the specific way and place of information processing.
2. Principles describing the requirements to the framework for building the corporate information and technology management system:
2.1 The framework should be built on a conceptual model that takes into account key components and the relationships between them to ensure logical coherence and automation capability;
2.2 The framework should provide flexibility and openness to accommodate changes in context and conditions;
2.3 The framework should comply with applicable legislation, core standards and frameworks.
The processes for secure governance and management of corporate information and technology according to COBIT 2019 are divided into 5 categories (domains) comprising 40 processes, which we outline below.
1. EDM (Evaluate, Direct and Monitor) - evaluating options, assisting top management in decision making and monitoring progress towards goals, including:
1.1 Developing and implementing a framework for building a corporate information and technology management system;
1.2 Gaining the benefits of investing in a corporate information and technology management system;
1.3 Minimise cyber risks;
1.4 Optimisation of resource expenditure;
1.5 Involvement of stakeholders in the work of the corporate information and technology management system.
2. APO (Align, Plan and Organise) - management of all components and processes of the company's IT infrastructure, including:
2.1 Management of the framework for building a corporate information and technology management system;
2.2 Management of IT strategy;
2.3 Management of corporate IT architecture;
2.4 Innovation Management;
2.5 IT product, service, and programme portfolio management;
2.6 Budget and cost management;
2.7 Human resource management;
2.8 Management of relationships with business stakeholders;
2.9 Management of service agreements;
2.10 Management of relations with manufacturers (vendors);
2.11 Management of the quality of processes, procedures and results;
2.12 Management of cyber risks;
2.13 Management of the IS management system;
2.14 Management of IT assets containing corporate data.
3. BAI (Build, Acquire and Implement) - management of IT solutions and their implementation in business processes, including:
3.1 Management of investment programmes;
3.2 Management of requirements for IT solutions;
3.3 Managing the identification of suitable IT solutions and their acquisition or development, support, operation;
3.4 Managing the availability and scalability of computing resources;
3.5 Managing organisational change;
3.6 IT infrastructure change management;
3.7 Managing approvals and procedures for IT infrastructure changes;
3.8 Knowledge management;
3.9 IT asset management;
3.10 Configuration management;
3.11 IT project management.
4. DSS (Deliver, Service and Support) - management of IT service operations, including their security, covering:
4.1 Managing IT operations for uninterrupted service delivery;
4.2 Managing user requests and IT incidents;
4.3 Managing operational problems;
4.4 Managing IT continuity in the event of disruptions;
4.5 Cybersecurity management to keep cyber risks at acceptable levels and reduce damage from exploitation of IS vulnerabilities and incidents;
4.6 Managing business process controls to ensure the security of information processed.
5. MEA (Monitor, Evaluate and Assess) - managing the achievement of internal and external metrics and objectives, including:
5.1 Managing performance and conformance of indicators;
5.2 Management of the internal control system;
5.3 Management of compliance with legal and contractual requirements;
5.4 Management of internal compliance audits.