
EXPLORING MANAGEMENT

ISO/IEC 2

The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) have established a joint committee, ISO/IEC JTC 1, to deal with their mutual interest in the area of information technology. This committee has a number of subcommittees with different responsibilities; the subcommittee responsible for information security standards and practices is SC27. The most recent standard in the ISO/IEC 27000 range is ISO27001, which specifies the requirements for an Information Security Management System (ISMS). This system is designed for all organisations in every sector. It is a management system and not a technology specification. It is the first of a series of international information security standards, all of which are in the 27000 range [94]. The ISO27000 range has a strong relation with other ISO standards, for example Quality Management (ISO9000), Business Continuity Management (BS25999), IT Service Management (ISO20000) and others. The ISO/IEC27001 ISMS standard adopts the Plan, Do, Check, Act (PDCA) process approach. This PDCA approach encourages continuous improvement; since information security is a complex and dynamic matter, the PDCA approach is a prerequisite for a good ISMS [238]. The precursor of the ISO security standard, the British Standard (BS7799), and ISO27001 are both examples of standards that offer guidance on how to approach information security through means that have been proven to work in many organisations [239].

ISO/IEC 27002

The objective of ISO/IEC 27002 is to provide information to organisations responsible for implementing information security [94]. It is a best practice for developing and maintaining security standards and management practices within organisations, to improve the reliability of information security in extended enterprise relationships. It specifies 138 security controls in 11 domains. It emphasises the importance of risk management and elaborates that it is not mandatory to implement every control in each domain (only those controls that are relevant). The controls cover the domains of: security policy, organisational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance.

The combination of the ISO 27001 and 27002 standards provides a useful model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System. ISO provides a clear description of a security policy and of the implementation of its interventions [175]. In this research we use the ISO27002 controls (version 2005) as a source of potential core interventions that are to be examined by experts from numerous perspectives.

COBIT

Control Objectives for Information and related Technology (COBIT) has been an internationally accepted set of guidance materials for IT governance since 1992. It is developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) [240]. The aim of COBIT is to translate business objectives to IT goals and IT goals to IT processes, to assist in the actual implementation of effective IT governance throughout an enterprise. In December 2005 version 4 was introduced. In version 4.0 the overlap with the ITIL framework was reduced and the alignment with ITIL practices improved, which led to a more direct relation to the business objectives [237]. Several information security controls (according to the Code of Practice) were introduced in the COBIT framework. In December 2007 COBIT 4.1 was released, driven mainly by studies performed by the University of Antwerp Management School [108], [105]. COBIT currently receives more attention because the current version 5 is more suitable and better applicable to compliance requirements. This version helps organisations to operationalise their IT in such a way that they are compliant with regulations and frameworks such as Sarbanes-Oxley (SOX), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Basel III and PCI DSS for the payment card industry.

Figure 27: Evolution of COBIT over time (COBIT1, 1996: IT audit; COBIT2, 1998: IT control; COBIT 3, 2000: IT management; COBIT4, 2005: IT governance; COBIT5, 2011: enterprise governance of IT).

COBIT is appreciated for its enterprise-wide perspective and its integration with project management standards such as PMBOK and Prince2 and architecture frameworks such as TOGAF. COBIT version 4.1 was updated as a result of the University of Antwerp Management School studies and COBIT users' input [108]. This resulted in COBIT5 for Information Security [56]. It is more pragmatic in nature now and therefore more suited to adoption by the mid-market segment. The perceived complexity of COBIT is reduced with version 5. Important changes that contribute to the ‘acceptance’ of COBIT by mid-market organisations are:

− Enhanced executive overview and clear directives [209];

− Improvement of the list of business goals and IT goals as a result of Antwerp Management School studies [241], [187], [105], [109], [215];

− Explanation of goals and metrics in the framework section [217];

− Better definitions of the core concepts. It is important to mention that the definition of a control objective changed, shifting more towards a management practice statement;

− Improved control objectives as a result of updated control practices and Val IT (footnote 21) activities;

− Application controls have been reworked to be more effective, based on work to support controls effectiveness assessment and reporting.

In order to successfully execute the business objectives, for example to be compliant with regulation, an IT organisation can effectively use the facilitating function of IT. The COBIT framework contributes to this by making a direct link from business objectives to organisational (security) controls. The improvements in version 5 are based on the view of enterprise governance defined by ISACA’s Taking Governance Forward (TGF) initiative. The COBIT 5 process model reflects the main topics and demonstrates the incorporation of industry best practices. Relevant industry standards and best practices are mapped onto COBIT5 in the appendix of COBIT5 for Information Security. The most relevant ones are listed below (taken from COBIT5 for Information Security, page 59 [56]):

− The 2011 Standard of Good Practice for Information Security, Information Security Forum (ISF), UK, 2011

− ISO/IEC 27000 series

− National Institute of Standards and Technology (NIST)

− Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE), Carnegie Mellon Software Engineering Institute (SEI)

− Payment Card Industry Data Security Standards (PCI DSS)

− The Business Model for Information Security (BMIS) [209]

− Common Security Framework (CSF), Health Information Trust Alliance (HITRUST), USA, 2009

− Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH), USA, 1996 and 2009, respectively

21 Val IT is a governance framework (based on COBIT) that consists of a set of guiding principles, and a number of processes conforming to those principles that are further defined as a set of key management practices (www.isaca.org).

With respect to this research and its objective, to get the top interventions and their framework accepted by the mid-market, I would like to emphasise the following main considerations for the mid-market:

1. Since businesses are becoming more web-centric, information-related risks are increasing. Keeping up with information security risks that might impact business continuity requires closer business and IT alignment. COBIT enables business and IT alignment, and because it also incorporates security management it enables business and security alignment as well;

2. Business executives require understanding and control of IT-related investments throughout the lifecycle [242]. COBIT provides a proven method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected;

3. This mid-market segment requires standardisation, preferably by an internationally accepted standard [4]. COBIT is a widely adopted and accepted international standard, and ISACA has a proven community and track record throughout the world. It provides an authoritative, international set of generally accepted practices that helps boards of directors, executives and managers increase the value of IT and reduce related risks;

4. This mid-market segment requires an out-of-the-box framework of principles and controls to contribute to policy development [233]. COBIT provides guidance in principles and controls to initiate and maintain a clear policy. The minimum standards provided by other bodies such as NIST and ISF can be integrated in the COBIT framework, or left out if desired [237];

5. This mid-market segment requires clear insight into investments in IT and security [62]. COBIT provides directions to ensure that (IT) investments support the business. It relies on respected project management practices such as Prince2 and PMBOK;

6. If stricter EU regulations require an IT governance framework, COBIT is likely to be the one, due to its proven track record and wide acceptance by enterprises and financial institutions [60], [91];

7. From a business security perspective, measure, monitor and act (PDCA) are at the core of the mitigation of risks. This mid-market segment requires a framework that enforces that principle. It requires insight into its security maturity level in order to take the necessary steps towards the desired ambition level. Because of the adoption of ISO’s ISMS and a maturity model, this segment can benefit directly. COBIT's maturity model taken from version 4.1, or the ISO15504 maturity reference models, can be applied in the overall framework.

The application of capability and maturity models enables more efficient and successful auditing and benchmarking (SOX audits, DNB audits [91], GBA audits (footnote 22), EDP audits, NEN audits or ISO audits). The objective of this research is to explore a core set of information security interventions that contribute to measuring, monitoring and thus improving the maturity level of the organisation. Thus the objective is to examine interventions, and not the effect of the applicability of individual standards or frameworks such as ISO2700X. The ISO27000 series is used as a repository from which to examine the intervention candidates, through the use of experts and mid-market organisation validation.

4.4.2 SELECTING THE SOURCE OF INTERVENTION CANDIDATES

To achieve acceptance in the target market segment, a widely adopted standard is desired [87], referring to a holistic approach to information security that addresses people, processes, legislation and IT aspects [238]. For the collection of the data, a combination of qualitative research and quantitative research is performed. The initial step was to select a framework or set of norms that encompasses intervention candidates that might be relevant for the mid-market. To collect these data, numerous sources of technical controls and process controls were reviewed and compared, drawing on the current literature on framework and control mapping [237]. The selection of candidate interventions is subject to several perspectives that needed to be considered. These perspectives are based on the “Ten Deadly Sins of Information Security Management”, which was published in 2004 by Von Solms and Von Solms [194]. The authors list numerous dimensions that require attention when successfully adopting information security.