Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
ANALYSIS AND DISCUSSION governance controls. Thus, in order for information security
While it is impossible to totally secure information systems, measures to become effective, security should not be built
systems risk can be substantially reduced through effective only like a staircase of combined measures; the measures
management practices.10 Computer security technologies have should be mutually dependent on each other.15
had a difficult time keeping pace with advances in computing Appropriate controls are necessary to protect organizations
such that the growing emphasis on user friendliness has, from legal suits against negligent duty and compliance to
to some extent, adversely affected the deployment of some computer misuse and data protection legislation.16 Internal
control mechanisms, which often leads to compromises in control is broadly defined as a process, affected by an entity’s
security design and causes problems for systems controllers board of directors, management and other personnel, designed
and auditors.11 to provide reasonable assurance regarding the achievement
In 70 percent of the aforementioned cases, the attack of objectives in the following categories: effectiveness and
happened due to the lack of effective controls rather than efficiency of operations, reliability of financial reporting, and
weak security layers. compliance with applicable laws and regulations.17 In this
It has been stated that information security is primarily respect, the COBIT 5 framework helps enterprises implement
a people problem in which technology is designed and sound governance enablers in which processes are one of the
managed by people, leaving opportunities for human error.12 seven enabler categories for governance and management of
In these cases, the identification of IT access control policies enterprise IT (GEIT).18 Currently, implementations of IS control
is required to direct best-practice approaches within the frameworks are on the rise worldwide due to compliance and
IT security program of an organization.13 Thus, the cases regulatory requirements to various regulations and standards.19
prove that while hardening the technical layers is important The key guiding principle for any control implementation
to prevent data breaches, the involvement of humans in is to decide on the appropriate level of security since
information security is equally important and many examples organizations are not in a position to ensure maximum
exist where human activity can be linked to security issues.14 security. In this respect, the amount spent should be in
proportion to the criticality of the system, cost of the control
ROLE OF IT CONTROLS and probability of the occurrence of an event, as appropriate
The shift from technical to nontechnical methods employed controls are also necessary to protect organizations from
by hackers has led organizations to aim for an optimal mix lawsuits against negligent duty and compliance to computer
of technical and nontechnical aspects of IS as well as the misuse and data protection legislation.20 Organizations
incorporation of best practices for comprehensive generic IS frequently view information security as compliance with laws
Figure 3—Data Breach Case Vulnerabilities Mapped With IS Security-related COBIT Practices
Case
Studied COBIT 5 Management Practices Inputs Description Outputs To
1, 2, 4 APO13.01 Establish and maintain an Outside COBIT • ISMS policy APO01.02
information security management (enterprise • ISMS scope statement DSS06.03
system (ISMS). security approach)
(Deliver through supporting activities)
DSS05.01 Protect against malware. • Malicious software APO01.04
(Deliver through supporting activities) prevention policy APO12.02
• E valuations of potential APO12.03
threats
DSS05.02 Manage network and APO01.06 • Connectivity security APO01.04
connectivity security. APO09.03 policy MEA02.08
(Deliver through supporting activities) • Results of penetration
tests
DSS05.03 Manage endpoint security. APO03.02 • Information architecture • Security policies for APO01.04
(Deliver through supporting activities) APO09.03 •M odel, OLAs, SLAs endpoint devices
BAI09.01 •R esults of physical
DSS06.06 inventory checks
• Reports of violations
RACI
DSS05.04 Manage user identity and APO01.02 • Definition of IT-related • Approved user access Internal
logical access. APO03.02 roles and responsibilities rights
(Deliver through supporting activities) • Information architecture •R esults of reviews of
model user accounts and
privileges
DSS05.05 Manage physical access • Approved access Internal
to IT assets. requests DSS06.03
(Deliver through supporting activities) • Access logs
DSS05.06 Manage sensitive APO03.02 • Security event logs Internal
documents and output devices. • S ecurity incident
(Deliver through supporting activities) characteristics
• Security incident tickets
3 APO10.05 Monitor supplier • S upplier compliance
performance and compliance. monitoring criteria
(Deliver through supporting activities) • S upplier compliance
monitoring review
results
DSS05.04 (see above)
Together Foster Optimal Security Investment,” 2009, Discipline,” Computers & Security, vol. 20, 2001,
www.thecomplianceauthority.com/iso-itil-a-cobit.php p. 504-508
22 Nicho, M.; “An Information Governance Model for 25 Op cit, Nicho
Information Security Management,” in Mellado, D.; L. 26 Yadav, S. B.; “A Six-view Perspective Framework for
E. Sánchez; E. Fernández-Medina; M. Piattini, Eds.; IT System Security: Issues, Risks, and Requirements,”
Security Governance Innovations: Theory and Research, International Journal of Information Security and Privacy,
IGI Global, 2012 vol. 4, 2010, p. 61-92