The CobiT Security Baseline
The Control Objectives for Information and Related Technology (CobiT) is a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. The scope of CobiT includes security, in addition to the other risks to which an IT infrastructure is exposed.
CobiT identifies critical steps for information security. The CobiT framework process model consists of 34 generic IT processes grouped into four domains: plan and organize; acquire and implement; deliver and support; and monitor and evaluate. CobiT provides more than 300 detailed control objectives that contain policies, procedures, practices, organizational responsibilities and audit guidelines, enabling the review of IT processes against these control objectives.
The CobiT framework of four domains and 34 generic IT processes includes important security objectives. These objectives are identified as the CobiT Security Baseline and are organized into 39 essential steps to help organizations plan their information security:
1: Based on a business impact analysis (BIA) for critical business processes, identify data that must not be misused or lost, services that need to be available and transactions that must be trusted. The business must consider the security requirements for:
* Who may access and modify data.
* What data retention and backup are needed.
* What availability is required.
* What authorization and verification are needed for electronic transactions.
2: Define specific responsibilities for the management of security and ensure that they are assigned, communicated and properly understood. Be aware of the dangers of delegating too many security roles and responsibilities to one person. Provide the resources required to exercise responsibilities effectively.
3: Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don’ts, and regularly remind people of security risks and their personal responsibilities.
4: When hiring, verify with reference checks.
5: Obtain the skills needed to support the enterprise security requirements through hiring or training. Verify annually whether skills are up-to-date.
6: Ensure that no key security task is critically dependent on a single resource.
7: Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements.
8: Discuss with key staff what can go wrong with IT security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical for the success of the business.
9: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices and insurance coverage.
10: Consider how automated solutions may introduce security risks. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems. Gain assurance about the trustworthiness of the solution through references, external advice, contractual arrangements, etc.
11: Ensure that the technology infrastructure properly supports automated security practices.
12: Consider what additional security requirements are needed to protect the technology infrastructure itself.
13: Identify and monitor sources for keeping up-to-date with security patches and implement those appropriate for the enterprise infrastructure.
14: Ensure that staff knows how to implement security in day-to-day procedures.
15: Test the system, or major changes, against functional and operational security requirements in a representative environment so the results are reliable. Consider testing how the security functions integrate with existing systems.
16: Perform final security acceptance, involving key staff, by evaluating all test results against business goals and security requirements.
17: Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services and validity of important transactions. Based on this impact, perform adequate tests prior to making the change.
18: Record and authorize all changes, including patches (emergency changes may be authorized after the fact, but must still be recorded).
19: Ensure that management establishes security requirements and regularly reviews compliance of internal service-level agreements and contracts with third-party service providers.
20: Ensure that third parties provide an adequate contact with the authority to act on security requirements and concerns.
21: Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk.
22: Identify critical business functions and information, and those resources (e.g., applications, third-party services, supplies and data files) that are critical to support them. Provide for the availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.
23: Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident and how to communicate with customers and suppliers.
24: Together with key employees, define what needs to be backed up and stored off-site to support recovery of the business (e.g., critical data files, documentation and other IT resources), and secure it appropriately. At regular intervals, verify that the backup resources are usable and complete.
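The check in step 24 ("verify that the backup resources are usable and complete") is easy to state and easy to skip. The following is an added example, not part of the CobiT baseline or the article: it records a manifest of SHA-256 digests when a backup is taken, and at restore-test time reports every file that is missing (incomplete backup) or whose digest no longer matches (corrupted or tampered copy). The files, directory layout and the damage scenario are constructed inline so the script runs offline; all names are illustrative.

```python
"""Backup completeness and integrity check (added example, not from the article).

At backup time, record a manifest of relative path -> SHA-256 digest.
At restore-test time, verify that every manifest entry is present and unchanged.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> digest for every regular file under root.

    Paths are normalized to '/' so a manifest built on one OS verifies on another."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> list:
    """Return findings as ('missing', path) or ('modified', path) tuples.

    An empty list means the backup copy is complete and intact."""
    findings = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            findings.append(("missing", rel))
        elif sha256_file(p) != digest:
            findings.append(("modified", rel))
    return findings


def demo() -> tuple:
    """Constructed scenario: take a manifest, then damage the backup copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        # Constructed sample content; filenames are hypothetical.
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'acme');\n")
        (root / "config.yml").write_text("retention_days: 90\n")
        (root / "runbook.md").write_text("# Restore procedure\n")

        manifest = build_manifest(root)
        findings_before = verify_backup(root, manifest)

        # Simulate silent corruption (or tampering) and an incomplete copy.
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'evil');\n")
        (root / "runbook.md").unlink()
        findings_after = verify_backup(root, manifest)

        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        return findings_before, sorted(findings_after), manifest_json


if __name__ == "__main__":
    before, after, manifest_json = demo()
    print("manifest:\n" + manifest_json)
    print("findings before damage:", before)
    print("findings after damage:", after)
```

The manifest must be kept somewhere the backup media cannot alter it (a separate system, or signed), otherwise whoever can modify the backup can also rewrite the digests. Note also that a matching digest proves the copy is intact, not that it restores: the periodic check in step 24 should still include an actual restore into a representative environment.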
25: Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially, consider access rights of service providers, suppliers and customers.
26: Ensure that responsibility is allocated for managing all user accounts and security tokens, and for controlling devices, tokens and media with financial value. Periodically review the actions and authority of those who manage user accounts, and ensure that account management and its review are not assigned to the same person.
27: Detect and log important security violations. Ensure that they are reported immediately and acted upon in a timely manner.
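Step 27 asks that important violations be detected and logged, then reported immediately. Detection only happens if something actually reads the logs and applies a rule. The block below is an added example, not part of the CobiT baseline or the article: it parses constructed sshd-style authentication log lines, keeps a sliding window of failed logins per source address, and raises one alert per source when the failure count inside the window reaches a threshold. The log lines, hostnames, addresses (from the documentation ranges) and the threshold are all constructed for the example.

```python
"""Sliding-window detection of repeated authentication failures
(added example, not from the article).

Parses sshd-style syslog lines, counts failures per source address within a
time window and emits an alert record the first time the threshold is reached.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

# Constructed sample lines in syslog style (the year is absent, as in real sshd logs).
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:15:03 bastion sshd[4023]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:15:04 bastion sshd[4025]: Accepted publickey for alice from 198.51.100.20 port 40110 ssh2
Mar  3 10:15:06 bastion sshd[4027]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 10:15:09 bastion sshd[4029]: Failed password for invalid user oracle from 203.0.113.7 port 51018 ssh2
Mar  3 10:15:10 bastion sshd[4031]: Failed password for bob from 198.51.100.20 port 40112 ssh2
Mar  3 10:15:12 bastion sshd[4033]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:20:00 bastion sshd[4040]: Failed password for root from 203.0.113.7 port 51030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2024) -> Optional[dict]:
    """Return a structured event, or None for lines the rule does not understand.

    Unparsed lines are skipped rather than counted, so a format change shows up
    as a drop in event volume instead of as false alerts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "failed": m["result"].startswith("Failed"),
    }


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert when `threshold` failures from one source fall within `window_s` seconds.

    Returns a list of (src, first_ts, last_ts, sorted usernames tried).
    Each source is reported once, so a long-running attack does not flood the queue."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev or not ev["failed"]:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop events that have aged out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0][0], ev["ts"], sorted({u for _, u in q})))
    return alerts


if __name__ == "__main__":
    for src, first, last, users in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {len(users)} accounts tried between {first:%H:%M:%S} and {last:%H:%M:%S}: {users}")
```

On the sample input, 203.0.113.7 produces five failures within eleven seconds and is reported once; 198.51.100.20 has a single failure and is not. The same structure (parse, window per key, threshold, deduplicated alert) carries over to other violations the baseline cares about, such as repeated authorization denials on a transaction system, with the key and the regular expression swapped out.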
28: To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.
29: Enforce the use of virus-protection software throughout the enterprise's infrastructure and keep virus definitions up to date. Use only properly licensed software.
30: Define a policy for what information may come into and go out of the organization, and configure the network security systems (e.g., firewalls) accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.
31: Ensure that there is a regularly updated and complete inventory of the IT hardware and software configuration.
32: Regularly review whether all installed software is authorized and properly licensed.
33: Subject data to a variety of controls to check integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure that they cannot be repudiated.
34: Distribute sensitive output only to authorized people.
35: Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that the data cannot be retrieved by unauthorized parties.
36: Physically secure the IT facilities and assets, especially those most at risk to a security threat, and if applicable, obtain expert advice.
37: Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.
38: Have key staff periodically:
* Assess adequacy of security controls against defined requirements and vulnerabilities.
* Reassess what security exceptions need to be monitored on an ongoing basis.
* Evaluate how well the security mechanisms are operating. Check for weaknesses using techniques such as intrusion detection, penetration testing and stress testing, and exercise the contingency plans.
* Ensure that exceptions are acted upon.
* Monitor compliance to key controls.
39: Obtain, where needed, competent external resources to review the information security control mechanisms. Assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.
Uday O. Ali Pabrai, Security+, CISSP, CHSS, chief executive of ecfirst.com, consults in the areas of enterprise security and regulatory compliance, is the author of the best-selling "Getting Started With HIPAA," and co-created the Security Certified Program. He can be reached at upabrai@certmag.com.