COBIT® 5
Abstract
This white paper will discuss the key elements of the General Data Protection Regulation (GDPR), the importance
of governance of enterprise IT (GEIT) and the role of COBIT® 5 in establishing a framework for governance, the
connections between COBIT 5 and the compliance requirements of GDPR, and key tips and takeaways for
implementation efforts for GDPR using COBIT 5.
Introduction—The Clock is Ticking on GDPR
The May 25, 2018, deadline for General Data Protection Regulation (GDPR) compliance is fast approaching, yet many multinational companies are still behind in their preparations. Adopted by the European Parliament and the Council of the European Union in April 2016, the EU data protection reform replaces the 1995 Data Protection Directive (95/46/EC) and is a sweeping regulation that requires organizations to meet very stringent requirements for protecting the personal data of individuals in the EU. For the first time, this requirement also applies to companies based outside of Europe that do business in Europe. Compliance will affect security and privacy teams handling personally identifiable information (PII), including basic identity information; addresses (including Internet addresses); and health, biometric, ethnic, political or sexual information. It is an important development that enterprises must address.

Why is GDPR different? The requirements to protect personal information are not new, but they have grown significantly with the explosion of cloud computing and storage. The cloud, security and compliance are major areas of focus within the GDPR. From a regulatory perspective, this type of requirement is nothing new. To date, the world has seen EU privacy directives, the US Health Insurance Portability and Accountability Act (HIPAA), Safe Harbor, the US Gramm-Leach-Bliley Act (GLBA), the US Patriot Act, and many more. In recent years, EU data protection authorities have become much more active, in the wake of some major events regarding privacy. The GDPR is much more aggressive than previous requirements, with tougher consequences for violations. However, the GDPR language does leave room for interpretation: it requires "appropriate" technical and organizational measures and speaks of what is "reasonable", but it does not define what level of protection those terms actually require. This gives the supervisory authorities wide latitude when assessing fines for noncompliance.

The bottom line: it does not matter where an enterprise is. If the enterprise holds personal data on individuals in the EU, it is liable for protecting that data. This will have a drastic effect on the way companies hold, store and use data regarding customers, employees, suppliers or any other individuals. It is forcing many non-EU companies to rethink their strategy in the European market, and here is why: any company that stores or processes personal data about individuals in the EU must comply. Specific criteria triggering compliance include: 1) a business's physical presence (an establishment) in the EU, or 2) a business's processing of the personal data of EU residents in connection with offering them goods or services or monitoring their behaviour, even if the business maintains no physical presence in the EU.
1 Article 5, General Data Protection Regulation—principles relating to processing of personal data, https://www.privacy-regulation.eu/en/5.htm
2 ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, page 27, USA, 2012
[Figure: COBIT 5 enablers, including Information; Services, Infrastructure and Applications; and People, Skills and Competencies]
SOURCE: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, figure 12, USA, 2012
[Figure: COBIT 5 process reference model]

GOVERNANCE
Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

MANAGEMENT
Align, Plan and Organize (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning

Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

SOURCE: ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, figure 16, USA, 2012
For each individual, all personal data must be processed transparently, and only for the purpose specified. Companies must provide a "reasonable" level of data protection and privacy. Data must be processed securely to protect against unauthorized access, loss or damage, using appropriate technical and organizational measures. GDPR does not define what those measures are, but if personal data are lost or stolen the enterprise has suffered a personal data breach: it must notify the supervisory authority (and, where the risk to individuals is high, the individuals themselves), and it will be judged on whether the measures it had in place were appropriate. These are the primary COBIT processes to consider:
• EDM05 Ensure Stakeholder Transparency
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO10 Manage Suppliers
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Defining High-risk Data and Impact Assessments

Companies must conduct a data protection impact assessment (DPIA) before any processing, in particular one using new technologies, that is likely to result in a high risk to the rights and freedoms of individuals; the cases the regulation names are systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. The assessment must describe the processing and its purpose, assess its necessity and the risk it creates, and set out the measures in place to address that risk. This is akin to a risk assessment, which assesses the risk and the measures in place to address it. These are the primary COBIT processes to consider:
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Some companies must appoint a data protection officer (DPO), who advises on and monitors the company's data protection strategy and overall GDPR compliance. Which enterprises are required to have a DPO? The requirement applies to public authorities, to enterprises whose core activities involve regular and systematic monitoring of data subjects on a large scale, and to enterprises whose core activities involve large-scale processing of special categories of personal data (such as health, biometric, ethnic, political or sexual data). These are the primary COBIT processes to consider:
Hironori Goto
CISA, CRISC, CISM, CGEIT, ABCP, Five-I, LLC,
Japan, Director
Mike Hughes
CISA, CRISC, CGEIT, Haines Watts, UK, Director
Leonard Ong
CISA, CRISC, CISM, CGEIT, CPP, CFE, PMP, CIPM,
CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA,
GCIH, GSNA, GCFA, Merck & Co., Inc.,
Singapore, Director
R.V. Raghu
CISA, CRISC, Versatilist Consulting India Pvt. Ltd.,
India, Director
Jo Stewart-Rattray
CISA, CRISC, CISM, CGEIT, FACS CP, BRM Holdich,
Australia, Director
Ted Wolff
CISA, Vanguard, Inc., USA, Director