COBIT5@MAVIM
Speed up your GDPR program. Develop your IT Management System. Accelerate your Information Security System ... WITHOUT expensive consultancy fees!
Greet Volders, Managing Consultant, Voquals N.V.
Deliverables included in this service offering
• Complete content of COBIT5
• Available in the database
• Presentable on your website
• GDPR-compliant processes and documents
• Necessary procedures
• Useful information
• Practical examples and templates
Greet Volders _ Voquals N.V. MAVIM / COBIT5
Deliverables included in this service offering
• Based on COBIT 5 for Information Security
• Mapped to:
  • ISO 27001:2013
  • ISF (Information Security Forum) and
  • NIST (National Institute of Standards and Technology)
• Additional integrated content:
  • RACI
  • Level 1 Process Capability Assessment
  • IT-related goals and metrics
  • Specific templates for some processes
  • Cross-reference to ITIL
Website - homepage
• On the home page, you get access to the 4 most important parts of COBIT5:
  • The processes, with flow and descriptions
  • KPIs based on the IT-related goals and on KPIs defined by Voquals
  • Level 1 Process Capability Assessment execution and results
  • RACI based on the standard RACI provided in COBIT5
Website - Processes
• In this solution, you manage not only your IT-related processes but ALL company processes in an integrated, coherent way.
• All organisational structures are linked with the processes.
• Reporting is done in a consistent way.
Website - GDPR
• GDPR is part of the management processes.
Website - GDPR
• The GDPR part contains all required processes,
• and useful information, such as definitions, templates and examples.
Website - GDPR example process
• Example: Manage Data Processor Agreement
• With a detailed description of the 2 sub-processes
Website - GDPR example process
• With a detailed description of the 2 sub-parts
• Including links to Data Processor information
• And an example Data Processors' Agreement
Website - Security & Compliance
• One of the pre-defined views is related to Information Security & Compliance.
Website - Security & Compliance
• A description of the Manage Security process is available.
• The same exists for all the other processes on the schema.
How to protect from Logical Attacks
• The following slides give some examples of how the threat of logical attacks is mitigated, each structured as:
  • Security-specific process goals,
  • related metrics, resulting in
  • security-specific activities.
How to protect from Logical Attacks
Security Specific Process Goals
• Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
• The information security architecture is understood as part of the overall enterprise architecture, and is aligned with and evolves with changes to the enterprise architecture.
• The information security architecture framework and methodology are used to enable reuse of information security components across the enterprise.
Related Metrics
• Number of exceptions to information security architecture standards
• Number of deviations between information security architecture and enterprise architecture
• Date of last review and/or update to information security controls applied to enterprise architecture
• Percent of projects that use the information security architecture framework and methodology
• Number of people trained in the information security framework and methodology
Security Specific Activities
• Ensure inclusion of information security artefacts, policies and standards in the architecture repository.
• Ensure that information security is integrated across all architectural domains (e.g., business, information, data, applications, technology).
How to protect from Logical Attacks
Security Specific Process Goals
• 1. An information security policy framework is defined and maintained.
• 2. A comprehensive information security strategy is in place and is aligned with the overall enterprise and IT strategy,
• 3. is cost-effective, appropriate, realistic, achievable, enterprise-focussed and balanced, and
• 4. is aligned with long-term enterprise strategic goals and objectives.
Related Metrics
• 1. Number of updates of the information security policy; management approval of the information security policy
• 2. Number of updates of the information security policy; management approval of the information security policy
• 3. Percent and number of initiatives for which a value metric (e.g., ROI) has been calculated; enterprise stakeholder satisfaction survey feedback on the effectiveness of the information security strategy
• 4. Percent of projects in the enterprise and IT project portfolios that involve information security; percent of IT initiatives/projects that have information security
Security Specific Activities
• Ensure that information security requirements are included in the definition of target IT capabilities.
• Define the target state for information security.
• Define and agree on the impact of information security requirements on enterprise architecture, acknowledging the relevant stakeholders.
How to protect from Logical Attacks
Security Specific Process Goals
• 3. All users are uniquely identifiable and have access rights in accordance with their business roles.
• 4. Physical measures have been implemented to protect information from unauthorised access, damage and interference when being processed, stored or transmitted.
Related Metrics
• 3. Average time between change and update of accounts; number of accounts (vs. number of authorised users/staff)
• 4. Percent of periodic tests of environmental security devices; average rating for physical security assessments; number of physical security-related incidents
Security Specific Activities
• 3. Authenticate all access to information assets based on their security classification, co-ordinating with business units that manage authentication within applications used in business processes, to ensure that authentication controls have been properly administered.
• 4. Administer all changes to access rights (creation, modifications and deletions) so that they take effect at the appropriate time, based only on approved and documented transactions authorised by designated management individuals.
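The goal "all users are uniquely identifiable and have access rights in accordance with their business roles" and its two metrics (account count versus authorised staff, time between a change and the account update) are only useful if somebody actually computes them from the account export and the HR roster. The script below is an added example written for this page; it is not part of the Voquals/MAVIM deliverable or of COBIT5. The role-to-entitlement model (ROLE_ENTITLEMENTS), the record layouts and all sample people and accounts are constructed assumptions. It flags accounts that cannot be attributed to one current person (shared or orphaned), entitlements outside the owner's role, leavers whose accounts are still enabled, and returns the two metrics from the slide.

```python
"""Access-rights reconciliation against an HR roster (added example, not page code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical role model (assumed for this example): entitlements each business role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance_clerk": {"erp_read", "erp_post_journal"},
    "developer": {"git_write", "ci_deploy_staging"},
    "dba": {"db_admin", "db_read"},
}


@dataclass
class Staff:
    person_id: str
    role: str
    leave_date: Optional[date] = None  # None while still employed


@dataclass
class Account:
    account_id: str
    person_id: Optional[str]  # None: not tied to a single person (shared/service account)
    entitlements: Set[str]
    disabled_on: Optional[date] = None  # None while the account is enabled


def reconcile(staff: List[Staff], accounts: List[Account], today: date) -> dict:
    """Compare an account export with the HR roster and compute the slide's access metrics."""
    roster = {s.person_id: s for s in staff}
    orphans: List[str] = []          # accounts not attributable to one known person
    excess: List[tuple] = []         # entitlements outside the owner's business role
    still_enabled: List[tuple] = []  # leaver accounts that have not been disabled
    lags: List[int] = []             # days from HR leave date to account disable (or to today)

    for acct in accounts:
        owner = roster.get(acct.person_id) if acct.person_id else None
        if owner is None:
            # Goal 3 violated: the account is not uniquely identifiable to a current user.
            orphans.append(acct.account_id)
            continue
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(owner.role, set())
        if extra:
            excess.append((acct.account_id, sorted(extra)))
        if owner.leave_date is not None:
            # Metric 3: time between the HR change and the account update.
            end = acct.disabled_on or today
            lag = (end - owner.leave_date).days
            lags.append(lag)
            if acct.disabled_on is None:
                still_enabled.append((acct.account_id, lag))

    active_staff = sum(1 for s in staff if s.leave_date is None)
    enabled_accounts = sum(1 for a in accounts if a.disabled_on is None)
    return {
        "orphan_accounts": orphans,
        "excess_entitlements": excess,
        "leavers_still_enabled": still_enabled,
        "avg_deprovision_days": (sum(lags) / len(lags)) if lags else 0.0,
        "enabled_accounts": enabled_accounts,
        "active_staff": active_staff,
        # Metric 3: number of accounts vs. number of authorised users/staff.
        "accounts_per_staff": (enabled_accounts / active_staff) if active_staff else None,
    }


# Constructed sample data; these are not real people, accounts or systems.
SAMPLE_STAFF = [
    Staff("p1", "finance_clerk"),
    Staff("p2", "developer"),
    Staff("p3", "dba", leave_date=date(2024, 3, 1)),
    Staff("p4", "developer", leave_date=date(2024, 2, 10)),
]
SAMPLE_ACCOUNTS = [
    Account("a_alice", "p1", {"erp_read", "erp_post_journal"}),
    Account("a_bob", "p2", {"git_write", "ci_deploy_staging", "db_admin"}),  # db_admin is outside role
    Account("a_carol", "p3", {"db_admin", "db_read"}, disabled_on=date(2024, 3, 4)),
    Account("a_dave", "p4", {"git_write"}),  # left on 2024-02-10, still enabled
    Account("svc_backup", None, {"db_read"}),  # shared account, no single owner
    Account("a_ghost", "p9", {"erp_read"}),  # owner not on the HR roster
]


def run_sample() -> dict:
    """Run the reconciliation over the constructed sample as of 2024-03-20."""
    return reconcile(SAMPLE_STAFF, SAMPLE_ACCOUNTS, today=date(2024, 3, 20))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In the sample the ratio of enabled accounts to active staff is 2.5 and the average deprovisioning lag is 21 days, driven by one leaver whose account is 39 days overdue; in a real review both numbers are what the metric slide asks you to track over time, and the three finding lists are the input to the "administer all changes to access rights" activity.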
How to protect from Logical Attacks
Security Specific Process Goals
• 1. The information security governance system is embedded in the enterprise.
• 2. Assurance is obtained over the information security governance system.
Related Metrics
• 1. Number of enterprise and IT processes with which information security is integrated; percent of processes and practices with clear traceability to principles; number of information security breaches related to non-compliance with ethical and professional behaviour guidelines
• 2. Frequency of independent reviews of governance of information security; frequency of governance of information security reporting to the executive committee and board; number of external/internal audits and reviews; number of non-compliance issues
Security Specific Activities
• Evaluate the extent to which information security meets the business and compliance/regulatory needs.
• Articulate principles that will guide the design of information security enablers and promote a security-positive environment.
• Understand the enterprise's decision-making culture and determine the optimal decision-making model for information security.
How to protect from Logical Attacks
Security Specific Process Goals
• 1. A system is in place that considers and effectively addresses enterprise information security requirements.
• 2. A security plan has been established, accepted and communicated throughout the enterprise.
• 3. Information security solutions are implemented and operated consistently throughout the enterprise.
Related Metrics
• 1. Number of key security roles clearly defined; number of security-related incidents
• 2. Level of stakeholder satisfaction with the security plan throughout the enterprise; number of security solutions deviating from the plan; number of security solutions deviating from the enterprise architecture
• 3. Number of services with confirmed alignment to the security plan; number of solutions developed with confirmed alignment to the security plan
Security Specific Activities
• Define the scope and boundaries of the ISMS.
• Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organisation, its location, assets and technology.
• Conduct internal ISMS audits at planned intervals.
• Maintain, as part of the enterprise architecture, an inventory of solution components that are in place to manage security-related risk.
Website - ICT Processes
• IT processes are part of the Supportive Processes.
• In this part, you find 4 possible views on the complete set of 37 COBIT5 processes.
• If you click on ICT, you receive the COBIT5 Process Reference Model.
Website - COBIT Processes
• All 37 COBIT5 processes are present in this overview.
• Via this schema you can consult all the processes.
• This is done by clicking on the process box.
Website - COBIT Processes, example
• After clicking on a process, you receive the detailed flow with, at the right, the introduction to this process.
• For each of the detailed boxes a description exists, which can be seen by clicking on the box.
• These are the steps for "Manage Security Services", process DSS05 in COBIT5.
Website - COBIT Processes, example
• By clicking on one box, you receive the detailed content of that practice.
• See the example for the last practice of "Manage Security Services", Periodic Reporting.
Website - COBIT Processes
• By clicking on the tree structure, you find the processes grouped into:
  • Primary processes
  • Management processes
  • Supportive processes
Website - COBIT Processes
• Under Supportive Processes, you find all IT-related views on the processes:
  • ICT, which contains the complete COBIT5 process set
  • IT Service Management (ITIL oriented)
  • IT Project Management
  • Security & Compliance
Website - COBIT Processes
• The ICT processes are divided into:
  • Governance of IT (EDM processes)
  • Management of IT (APO, BAI and DSS processes)
  • Monitor, Evaluate and Assess (MEA processes)
Website - IT Service Processes
• Another view on your IT processes can easily be created.
• This schema shows the example for IT Service Management.
• The next schema focuses on IT Development.
• All the processes mentioned on this schema refer to the already created COBIT5 processes.
• In this way it is easy to create your own process structure.
Website - IT Project Delivery
Website - KPIs
• Other management tools available are:
  • Level 1 Process Capability Assessment
  • KPIs (Key Performance Indicators)
  • RACI (responsibility matrix)
Website - Level 1
• The Level 1 Process Capability Assessment is based on the COBIT5 Process Assessment Model (PAM), which enables enterprises to perform assessments that support process improvement.
• Level 1 is the assessment against the base practices and work products, which are specific to each process.
Website - KPIs
• The Key Performance Indicators are based on:
  • the IT-related goals,
  • the goals and metrics per process, and
  • the specific experience of Voquals.
Website - RACI
• The RACI identifies who is Responsible or Accountable for the practice/activities, and who is Consulted and Informed about the practice/activities.
More Information - Coordinates
Voquals N.V.
Greet Volders
Genebroek 34, 2450 Meerhout, Belgium
Phone +32 14 22 54 04
Mobile +32 475 63 45 06
E-mail Gvolders@voquals.be
Website www.voquals.be
MAVIM
See the videos for more information on MAVIM and their other solutions:
• Business Process & Quality Management, and demonstration
• Governance, Risk & Compliance, and demonstration
• Application Implementation Management, and demonstration
• IT Portfolio Management, and demonstration
• Strategic Portfolio Management, and demonstration
• Enterprise Architecture, and demonstration