COBIT vs. ISO 17799 (27002) - Presentation Transcript
1
COBIT vs. ISO 17799 (27002)
  • Erica Elliott
  • Stephanie Park

2
Questions For IT Managers
  • How far should we go and is the cost justified by
    the benefit?
  • What are the indicators of good performance?
  • What are the critical success factors?
  • What are the risks of not achieving our
    objectives?
  • What do others do?
  • How do we measure and compare?

3
The History of ISO 17799
  • The standard was published in its first edition in
    2000 and updated in June 2005 (it was later
    renumbered ISO/IEC 27002). It can be regarded as
    current best practice in the area of information
    security management systems.
  • It provides guidance to the parties responsible
    for implementing information security within an
    organization.
  • It can serve as a basis for developing security
    standards and management practices within an
    organization, and for building confidence in
    information security across inter-organizational
    relationships.

4
What is ISO 17799?
  • As mentioned, the standard offers guidelines only;
    it does not contain in-depth information on how
    information security should be implemented and
    maintained.
  • It suggests that nothing be implemented until an
    in-depth risk assessment of the current controls
    has been carried out.
  • It is important to understand that the controls in
    the standard are not organized or prioritized
    according to any specific criteria. Each control
    should be given equal consideration, and controls
    should be addressed at the requirement
    specification and design stage of systems and
    projects. Failing to do so results in less
    cost-effective measures, or even in failure to
    achieve adequate security.
  • ISO 17799 warns that no set of controls will
    achieve complete security. It calls for ongoing
    management intervention to monitor, evaluate and
    improve the effectiveness of security controls in
    support of the business objectives of the
    organization.

5
Under ISO
  • Measures based on legal requirements include:
      • Protection and nondisclosure of personal data
      • Protection of internal information
      • Protection of intellectual property rights
  • Best practices mentioned are:
      • Information security policy
      • Assignment of responsibility for information
        security
      • Problem escalation
      • Business continuity management

6
Implementation under ISO
  • When implementing a system for information
    security management, several critical success
    factors are to be considered:
      • The security policy, its objectives and
        activities reflect the business objectives.
      • The implementation considers cultural aspects of
        the organization.
      • Open support from and engagement of senior
        management are required.
      • Thorough knowledge of security requirements, risk
        assessment and risk management is required.
      • Effective marketing of security targets all
        personnel, including members of management.
      • The security policy and security measures are
        communicated to contracted third parties.
      • Users are trained in an adequate manner.
      • A comprehensive and balanced system for
        performance measurement is available, which
        supports continuous improvement by giving
        feedback.

7
Structure of ISO 17799
  • The standard contains 11 security control
    clauses, collectively containing a total of 39
    main security categories.
  • First, each main security category has a control
    objective, which states what the control is to
    achieve. Second, each has one or more controls
    that can be applied to achieve the control
    objective.
  • The 11 clauses (with the number of main security
    categories in each) are:
      • a. Security Policy (1)
      • b. Organizing Information Security (2)
      • c. Asset Management (2)
      • d. Human Resources Security (3)
      • e. Physical and Environmental Security (2)
      • f. Communications and Operations Management (10)
      • g. Access Control (7)
      • h. Information Systems Acquisition, Development
        and Maintenance (6)
      • i. Information Security Incident Management (2)
      • j. Business Continuity Management (1)
      • k. Compliance (3)

8
COBIT
  • The main theme is business orientation.
  • It is designed to be employed not only by users
    and auditors, but also as comprehensive guidance
    for management and business process owners.
  • The overall objective is to understand the issues
    and strategic importance of IT, so that the
    enterprise can sustain its operations and
    implement the strategies required to extend its
    activities into the future.

9
Governance under COBIT
  • IT governance aims to ensure that expectations
    for IT are met and IT risks are mitigated.
  • It is the responsibility of the board of
    directors and executive management.
  • It consists of the leadership, organizational
    structures and processes that ensure that the
    organization's IT sustains and extends the
    organization's strategies and objectives.
  • Stakeholder value lies at the heart of the
    governance responsibilities of setting strategy,
    managing risks, delivering value and measuring
    performance.

10
Governance under COBIT (Cont.)
  • The purpose of IT governance is to direct IT
    endeavors and to ensure that IT meets the
    following objectives:
      • Alignment of IT with the enterprise and
        realization of the promised benefits
      • Use of IT to enable the enterprise and
        realization of the promised benefits
  • IT governance enables the enterprise to take full
    advantage of its information, thereby maximizing
    benefits, capitalizing on opportunities and
    gaining competitive advantage.

11
COBIT Framework
  • The framework starts from a simple and pragmatic
    premise: to provide the information that the
    organization needs to achieve its objectives, IT
    resources need to be managed by a set of
    naturally grouped processes.
  • The process groups (domains) are:
      • Plan and Organize
      • Acquire and Implement
      • Deliver and Support
      • Monitor

12
COBIT Guidelines
  • Action-oriented and generic.
  • They provide management direction for getting the
    enterprise's information and related processes
    under control, monitoring achievement of
    organizational goals, monitoring performance
    within each IT process, and benchmarking
    organizational achievement.

13
Maturity Models in COBIT
  • Management can map where the organization is
    today, where it stands in relation to the best in
    class in its industry and to international
    standards, and where the organization wants to
    be.
  • Critical success factors (CSFs) define the most
    important management-oriented implementation
    guidelines for achieving control over, and within,
    the organization's IT processes.

14
Similarities
  • COBIT is an internationally recognized framework
    for the control and governance of IT, and ISO
    17799 is equally recognized and established in
    the field of information security management.
    The two standards do not compete with each other;
    in fact they are mutually complementary. COBIT is
    by nature broader, while ISO/IEC 17799 goes
    deeper in the area of security.

16
Differences
  • ISO 17799 provides security controls. It offers
    only limited implementation guidance and does not
    specifically address how these processes fit into
    the overall IT management processes.
  • COBIT is focused on controls and metrics. It
    lacks a detailed security component, but it
    provides a more global view of IT processes, at
    the level of IT organization and management
    principles, than ITIL does.

17
Main Goal of ISO 17799
  • ISO 17799 aims to improve the practices and
    organizational structures around information
    security. It defines a global approach to security
    management that covers the responsibilities and
    the organizational units responsible for security,
    as well as policies, critical asset classification
    and risk management. It is best used when security
    certification is needed, when all security
    processes (logical and physical) must be defined
    as a whole, and when basic rules for security have
    to be established.

18
Main Goal of COBIT
  • COBIT compiles an up-to-date, international set of
    generally accepted control objectives for
    day-to-day use by business managers and IT
    managers. It addresses IT governance and the key
    performance indicators associated with process
    improvement. COBIT has clearly been influenced by
    problems raised by the insurance industry.
    Mergers and acquisitions, unification of
    processes, outsourcing and audits are main
    chapters of the COBIT framework.

19
Managerial Recommendations
  • As previously stated, COBIT and ISO 17799 do not
    compete with each other; in fact they are
    mutually complementary.
  • Therefore, we recommend that management use COBIT
    and ISO 17799 together, to obtain a more global
    view of IT processes while strengthening security
    controls.
