
ISF Benchmark Information Security Assurance Programme (page 13)

[Mapping table: ISF Benchmark topics (rows) against COBIT 5 processes (columns). Legend used in the source: Traditional Focus Area, Quick Win, Additional Focus. The cell markings ("X" entries and per-cell counts) did not survive extraction; only the row and column headings and the number printed beneath each COBIT 5 process are recoverable and are listed below.]

COBIT 5 processes (columns). The figure after each process is the number printed beneath it in the source table; the source does not define that number on this page.

Evaluate, Direct and Monitor (EDM)
  EDM01  Ensure Governance Framework Setting and Maintenance   8
  EDM02  Ensure Benefits Delivery                              10
  EDM03  Ensure Risk Optimisation                              7
  EDM04  Ensure Resource Optimisation                          4
  EDM05  Ensure Stakeholder Transparency                       8

Align, Plan and Organise (APO)
  APO01  Manage the IT Management Framework                    18
  APO02  Manage Strategy                                       17
  APO03  Manage Enterprise Architecture                        12
  APO04  Manage Innovation                                     17
  APO05  Manage Portfolio                                      10
  APO06  Manage Budget and Costs                               3
  APO07  Manage Human Resources                                9
  APO08  Manage Relationships                                  13
  APO09  Manage Service Agreements                             8
  APO10  Manage Suppliers                                      3
  APO11  Manage Quality                                        10
  APO12  Manage Risk                                           8
  APO13  Manage Security                                       22

Build, Acquire and Implement (BAI)
  BAI01  Manage Programmes and Projects                        15
  BAI02  Manage Requirements Definition                        12
  BAI03  Manage Solutions Identification and Build             17
  BAI04  Manage Availability and Capacity                      9
  BAI05  Manage Organisational Change Enablement               10
  BAI06  Manage Changes                                        7
  BAI07  Manage Change Acceptance and Transitioning            9
  BAI08  Manage Knowledge                                      14
  BAI09  Manage Assets                                         9
  BAI10  Manage Configuration                                  10

Deliver, Service and Support (DSS)
  DSS01  Manage Operations                                     20
  DSS02  Manage Service Requests and Incidents                 4
  DSS03  Manage Problems                                       1
  DSS04  Manage Continuity                                     8
  DSS05  Manage Security Services                              41
  DSS06  Manage Business Process Controls                      19

Monitor, Evaluate and Assess (MEA)
  MEA01  Monitor, Evaluate and Assess Performance and Conformance            11
  MEA02  Monitor, Evaluate and Assess the System of Internal Control         14
  MEA03  Monitor, Evaluate and Assess Compliance with External Requirements  4

ISF Benchmark topics (rows), in the order they appear in the source table:

  Security Governance Framework
  Security Direction
  Information Security Strategy
  Stakeholder Value Delivery
  Information Security Assurance Programme
  Managing Information Risk Assessment
  Information Risk Assessment Methodologies
  Confidentiality Requirements
  Integrity Requirements
  Availability Requirements
  Information Risk Treatment
  Legal and Regulatory Compliance
  Information Privacy
  Information Security Policy
  Information Security Function
  Staff Agreements
  Security Awareness Programme
  Security Awareness Messages
  Security Education / Training
  Roles and Responsibilities
  Information Classification
  Document Management
  Sensitive Physical Information
  Asset Register
  Application Protection
  Browser-based Application Protection
  Customer Access Arrangements
  Customer Contracts
  Access Control
  User Authorisation
  Access Control Mechanisms
  Sign-on Process
  Computer and Network Installations
  Server Configuration
  Virtual Servers
  Network Storage Systems
  Back-up
  Change Management
  Service Level Agreements
  Security Architecture
  Critical Infrastructure
  Cryptographic Solutions
  Information Leakage Protection
  Network Device Configuration
  Physical Network Management
  External Network Connections
  Firewalls
  Remote Maintenance
  Voice over IP (VoIP) Networks
  Telephony and Conferencing
  Patch Management
  Malware Awareness
  Malware Protection Software
  Security Event Logging
  System / Network Monitoring
  Intrusion Detection
  Information Security Incident Management
  Emergency Fixes
  Forensic Investigations
  Local Environment Profile
  Office Equipment
  Remote Environments
  Mobile Device Configuration
  Mobile Device Connectivity
  Portable Storage Devices
  Consumer Devices
  Email
  External Supplier Management Process
  Hardware / Software Acquisition
  Outsourcing
  Cloud Service Contracts
  System Development Methodology
  Quality Assurance
  Specifications of Requirements
  System Design
  System Build
  Systems Testing
  Security Testing
  System Promotion Criteria
  Installation Process
  Post-implementation Review
  Physical Protection
  Power Supplies
  Hazard Protection
  Business Continuity Strategy
  Business Continuity Programme
  Resilience
  Crisis Management
  Business Continuity Planning
  Business Continuity Arrangements
  Business Continuity Testing
  Security Audit Management
  Security Audit Process Planning
  Security Audit Process Fieldwork
  Security Audit Process Reporting
  Security Audit Process Monitoring
  Security Monitoring
  Information Risk Reporting
  Monitoring Information Security Compliance
