Ed Gelbstein, Ph.D., has worked in IT for more than 40 years and is the former director of the United Nations (UN) International Computing Centre, a service organization providing IT services around the globe to most of the organizations in the UN System. Since leaving the UN, Gelbstein has been an advisor on IT matters to the UN Board of Auditors and the French National Audit Office (Cour des Comptes) and is also a faculty member of Webster University, Geneva, Switzerland. He is a regular speaker at international conferences covering audit, risk, governance and information security and is the author of several publications. Gelbstein lives in France and may be contacted at ed.gelbstein@gmail.com.
Demonstrating Due Diligence in the Management of Information Security
A 1992 Datamation magazine article, titled “How Good Is Your Data Center? Maybe You Should Find Out Before Your Boss Does,”1 had a big impact on this author. He has followed the title’s advice ever since and encourages others to adopt it.

COBIT® 5 for Information Security provides an excellent, up-to-date and practical tool kit for practitioners, managers and auditors, which has helped the author continue to heed the advice of that 1992 article.
This article discusses how COBIT 5 for Information Security can be applied to maximum effect and to complement other tools to assess the extent to which due diligence has been exercised to provide appropriate information security.

While the components of information security, i.e., requirements definition, strategy and policies, technology, processes, and people (including system and data custodians), are common to all organizations, like snowflakes, no two implementations are identical.

The parameters that make a difference include organizational requirements, culture, the level of resources available and employee engagement. Then, there are other differences such as the individual capability maturity levels associated with processes. The consequence of this is that what may be “good enough” for one organization may be totally inadequate for another.

COBIT® 5 includes a discussion of pain points and trigger events, any of which may initiate a need to determine whether appropriate due diligence has been exercised. This article suggests five complementary activities to get this done:
1. Determine metrics (i.e., what gets measured, by whom, how it is analyzed and reported).
2. Perform self-assessments of gap analysis (e.g., against COBIT 5 practices), vulnerabilities, controls and risk.
3. Determine the need for certification, whether process (e.g., 27001), professional (e.g., CISM®) or end user (e.g., tests leading to an attestation of the successful completion of a training program).
4. Complete audits of the same domains as self-assessments. Audits are independently conducted, evidence-based and supported by standards and guidelines.2
5. Complete penetration tests (i.e., ethical hacking).
Each of these is briefly examined and discussed later in this article.
Pain Points and Trigger Events
COBIT 5 includes an excellent description of both pain points and trigger events in section 2.3 (and they appear again in section 2.5 and in some of the appendices). Being aware of how information security performance is perceived by senior management and other parts of the business is of fundamental importance to assure alignment.

The scope of information security has grown enormously in the last 50 years, and its focus continues to shift as technology and computer literacy become increasingly powerful and sophisticated. In the early days, there were few users of computer systems, which consisted of mainframes linked to dumb terminals. Some work was done in real time, the bulk in batch processing. Confidentiality was the prime concern, and access controls were a key activity.

As mainframe architectures evolved, real-time computing became widespread and availability became a further important requirement. Whatever networking existed was proprietary, and hacking was, by and large, a hobby that began to grow when personal computers first became available in the 1970s. Acoustic couplers and a low-speed dial-up link were enough. And, of course, hacking was clearly targeted to specific computers.