Use of the COBIT Security Baseline

Date post: 15-Jan-2015
Upload: barry-caplin
Use of the COBIT Security Baseline as a framework for an information security program at a large state agency. Presented at the 2005 MN Govt IT Symposium.
Transcript
Page 1: Use of the COBIT Security Baseline

Minnesota Office of the Legislative Auditor

COBIT

Barry Caplin
Chief Information Security Officer, Minnesota Department of Human Services

Christopher Buse
Information Technology Audit Manager, Minnesota Office of the Legislative Auditor

Page 2

Agenda

• Need for an Information Security governance framework

• COBIT Framework overview

• Use of COBIT in the audit process

• Use of the COBIT Security Baseline at DHS

Page 3

About Us

• Barry Caplin
  – CISO for DHS
  – Member of ISACA, ISSA, InfraGard
  – CISSP, CISA, CISM, ISSMP

• Christopher Buse
  – IT Audit Manager for OLA
  – Active in ISACA
  – CPA, CIA, CISA, CISSP

Page 4

Information Security Governance

Why Adopt a Framework?

Page 5

Information Security Governance

“a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations” – www.isaca.org

• Regulations – HIPAA, MGDPA, IRS, SSA, etc.

• Establish a program
• Based on standards and industry best practice

Page 6

Information Security Governance

With Information Security Governance:
• information security strategy supports business
• senior management supports information security
• defined roles and responsibilities
• reporting and communication

Page 7

Information Security Governance

With Information Security Governance:
• regulatory issues and impact understood
• information security policies support business goals and objectives
• procedures and guidelines support information security policies

Happiness is sure to follow!

Page 8

Information Security Governance

Without Information Security Governance:
• unclear security strategy inconsistently supports business
• senior management can’t understand or support information security
• ad hoc roles and responsibilities
• lack of reporting and communication

Page 9

Information Security Governance

Without Information Security Governance:
• JIT:
  – regulatory compliance efforts
  – information security policies
• Out of sync with business
• Surprises
• Conflict

Page 10

Information Security Governance

Who needs Security Governance?

We do!

Page 11

Industry Best Practice

What do we need?

• Established and proven methodology
• National or international acceptance
• Ability to measure/audit

Page 12

The 10,000 Foot View

[Diagram: Information Security Governance Hierarchy. Elements shown: Information Security Governance Framework; Information Policy; Information Risk Management; Compliance; Information Lifecycle Management.]

Page 13

COBIT

What’s it all About?

Page 14

What is COBIT?

• Control Objectives for Information and Related Technology

• Governance framework
  – Collection of controls that should be done at various levels in an organization
  – Outline of what must be done, not how

• Supporting toolset
  – Management
  – Auditors

Page 15

Strengths

• Outstanding support

• Incorporates work done by many others

• Business focused

• Publicly available

Page 16

Support

• Overseen by the IT Governance Institute
  – Nonprofit and vendor neutral
  – Heavily supported
  – Well represented by industry, academia, and government

• COBIT R&D managed by a Steering Committee
  – Core team and working groups worldwide
  – Many expert reviewers
  – User feedback

• Now in 4th edition

Page 17

Information Sources

• Over 40 recognized standards and best practices
• Sources underlying version 4.0 changes:
  – Committee of Sponsoring Organizations of the Treadway Commission
    • Internal Control—Integrated Framework, 1994
    • Enterprise Risk Management—Integrated Framework, 2004
  – Office of Government Commerce, IT Infrastructure Library, 1999-2004
  – ISO/IEC 17799, Code of Practice for Information Security Management
  – Software Engineering Institute
    • SEI Capability Maturity Model, 1993
    • SEI Capability Maturity Model Integration, 2000
  – Project Management Institute, Project Management Body of Knowledge
  – Information Security Forum, The Standard of Good Practice for Information Security, 2003

Page 18

Business Focus

• IT resources must be
  – managed through standard processes
  – to meet business requirements

• Metrics and maturity models to measure performance

• Responsibilities of business and IT process owners identified

Page 19

COBIT Framework

• 34 processes, grouped into 4 domains
  – Plan and Organize
  – Acquire and Implement
  – Deliver and Support
  – Monitor and Evaluate

• Handout: PO7 Manage IT Human Resources

Page 20

Products

• Framework
  – Control Objectives
  – Control Practices
  – Management Guidelines

• Assurance
  – IT Assurance Guide
  – Control Objectives for SOX

• Governance
  – Implementation Guide
  – Quickstart
  – Security Baseline
  – Board Briefing

Page 21

Cost

Page 22

Still Interested?

• Visit the COBIT website
  – http://www.isaca.org

• Watch our local ISACA chapter for training opportunities
  – http://www.mnisaca.org

Page 23

COBIT as an Audit Tool

Use of the COBIT Framework in the Office of the Legislative Auditor

Page 24

Planning

• COBIT Summary Table used to scope projects
  – Audit focus: data integrity and confidentiality
  – Question: which control processes have a primary or secondary impact?

Page 25

Reporting

• Criteria used to help draft report comments
• Discussions about issue severity follow the maturity model format

Page 26

COBIT as a Management Tool

Use of the COBIT Security Baseline at the Department of Human Services

Page 27

MN DHS

• Mission - helps people meet their basic needs so they can live in dignity and achieve their highest potential

• Consumers include:
  – seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
  – families with children in a financial crisis
  – parents who need child support enforcement or child care money
  – people with physical or developmental disabilities who need assistance to live as independently as possible

Page 28

MN DHS

• Direct service through:
  • DHHS – Deaf and Hard of Hearing Services
  • SOS – State Operated Services, which includes:
    – RTCs – Regional Treatment Centers, including St. Peter and Moose Lake
    – Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
    – State-run group homes
    – New community-based treatment centers
    – State-run nursing home – Ah-Gwah-Ching

Page 29

MN DHS

• Administrations (Divisions):
  • CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
  • Chemical and Mental Health Services – including SOS
  • Health Care Administration and Operations
  • Continuing Care
  • FMO – Finance and Management Operations – including Information Security, IT

Page 30

MN DHS

• Programs are state-administered, county-delivered

– Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services

• One of the largest state agencies
• 2500 CO, 5000 SOS distributed staff
• State and federal funding

Page 31

COBIT Use in State

• Chosen by CISO/Security Domain team for statewide security implementation

• Separate agency implementation

• Additional technical standards chosen: PCI, OWASP

Page 32

COBIT and Security

• COBIT Security Baseline

• Includes mapping to ISO17799

• Guide for DHS implementation

• Identifies 39 “steps” (high-level projects)

• Multiple sub-projects

Page 33

Maturity Model

Measure the maturity of the team/unit/organization against the high-level control objectives. Are the processes:

• 0 – Non-existent
• 1 – Initial/Ad hoc
• 2 – Repeatable but intuitive
• 3 – Defined process
• 4 – Managed and measurable
• 5 – Optimized

Page 34

Initial Baseline

Assess the maturity of the DHS Body of Policy and of ISS projects and implementation using the Maturity Model:
– Self rating – ISS
– “Inner circle” units – central IT, MSD
– Business customers – HCO, CFS, SOS, etc.

Page 35

Implementation Steps

• Review initial maturity assessments
• Gap analysis
• Selection of initial metrics
• Prioritization of Phase 1 COBIT projects
• Documentation
• Implement Phase 1 projects
• Assess
• Iterate

Page 36

Security Baseline Projects

Plan and Organize

• Step 1 – Define the Information Architecture
  – Security requirements
  – Projects:
    • HIPAA Security Standard implementation
    • ZOCA II

Page 37

Security Baseline Projects

Acquire and Implement

• Step 10 – Identify Automated Solutions
  – Consider security risks of automated solutions
  – Projects:
    • Vendor Security Questionnaire
    • Risk Assessment
    • Vulnerability Assessment

Page 38

Security Baseline Projects

Monitor and Evaluate

• Step 38 – Monitor Performance of Security Controls
  – Periodically: assess controls, reassess exceptions, evaluate effectiveness, monitor compliance
  – Projects:
    • Vulnerability Assessment
    • IPW – Information Policy Workgroup
    • SPCR – Security Policy Compliance Review

Page 39

Information Lifecycle Management

[Diagram: risk activities mapped across the lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate. Rows: I.T. Security Risk Management; Business Continuity Planning; Privacy Risk Management; Business Risk Management. Activities shown: Privacy Requirements Analysis (PIA); Privacy Plan (PIA); Preliminary Risk Analysis; Business Risk Analysis; Project Risk Tracking; IT Risk Requirements Plan (TRA); IT Risk Mitigation Plan (TRA); IT Security Test Plan; IT Risk Audit & Certification; Business Impact Analysis; BCP/DRP; Incident Response Plans; BCP/DRP Testing & Maintenance; Privacy Audit; Project Risk Management; Program Audit.]

*From http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/gingras.ppt

Page 40

Supporting Work

• Risk Analysis
• Business Impact Analysis (BIA)
• Business Continuity Plan (BCP/DRP)
• Test Plans
• Vulnerability Analysis
• Incident Response Plan

Page 41

Discussion?
