As a result of its initiative to improve information security with the help of COBIT, a Middle East bank realized several benefits, including:
- Improved integration of information security within the organization
- Informed risk decisions and risk awareness
- Improved prevention, detection and recovery
- Reduced (impact of) information security incidents
- Enhanced support for innovation and competitiveness
- Improved management of costs related to the information security function
- Better understanding of information security
The difficulty of obtaining buy-in from senior management is a common complaint among information security professionals. However, at one bank in Kuwait, the information security manager did not have that problem when implementing COBIT to define the enterprise’s information security principles, because senior management at the bank was already well aware of the industry-accepted framework. As a result, his assessment report was quickly completed, quickly accepted and greatly appreciated.
The organization uses many standards and frameworks, including ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and the IT Infrastructure Library (ITIL), and wanted to align its department processes and principles with a common framework that is highly flexible and adaptable, and has controls and processes in common with other industry frameworks. The organization found this in COBIT, which in its latest edition—COBIT 5—offers detailed mapping with other frameworks including International Organization for Standardization (ISO) standards, The Open Group Architecture Framework (TOGAF) and the Project Management Body of Knowledge (PMBOK).
No other framework provides such detailed mapping to various industry-accepted standards. The bank has used COBIT 5 and COBIT 5 for Information Security for a number of projects:
- The COBIT 5 Tool Kit was used to identify the statement of applicability (SOA) for each domain, along with the corresponding 37 processes and 210 practice statements.
- The COBIT 5 principles were mapped to the information security department’s current processes with the objective of identifying any potential gaps. (See the Supporting Evidence column in figure 1 for the results of the mapping.)
- All gaps identified in the assessment were addressed based on recommended guidelines for each of the practice statements.
Information Security Principles
As outlined in COBIT 5 for Information Security, information security principles communicate the rules of the enterprise in support of the governance objectives and enterprise values, as defined by the board and executive management. These principles need to be:
- Limited in number
- Expressed in simple language and state, as clearly as possible, the core values of the enterprise
These principles (figure 1) are generic and applicable to all enterprises and can be used as a basis for developing information security principles unique to the enterprise.
Benefits of COBIT 5 Implementation
The bank achieved its goals in a short time—just three months—improving a number of processes, including:
- Ensure governance framework setting and maintenance
- Ensure benefits delivery
- Ensure risk optimization
- Ensure resource optimization
- Ensure stakeholder transparency
- Manage the IT management framework
- Manage strategy
- Manage enterprise architecture
- Manage innovation
- Manage requirements definition
- Manage assets
- Manage continuity
Conclusion
The bank plans to continue using this assessment framework on an annual basis and as other projects warrant it. The latest version of COBIT is easy to understand and implement, particularly the tool kit, which provides all the information needed to use COBIT within the organization.
Abbas K, CISA, CISM, CGEIT, COBIT 5 (Foundation), CEH, C|CISO, PRINCE2
Has more than 14 years of experience with cross-functional sectors of information security and information risk. He is the manager of information security at a leading regional bank in the Middle East. Previously, he has worked with Ernst & Young and KPMG. He is well versed in IT standards and frameworks, such as COBIT, ISO 27001, PCI DSS, TOGAF and ITIL.