How To Learn About Next Generation Attacks


August 31, 2015: Volume 3: 2015

PRESIDENT’S MESSAGE

Dear ISACA Greater Houston Chapter Members and Friends,

It has been a typical hot, steamy August in Houston and the chapter! We concluded our 2nd Annual Cyber Security Conference & 1st Annual Analytics/GRC Conference on August 17 with over 180 members and guests attending and sponsorships with great prizes from Accretive Solutions, Audimation Services, Berkeley Research Group, Coalfire, Identity Automation, and University of Texas Masters Program in Identity Management. It was a successful conference that we know will be bigger, better, and more value-added next year. To do so, we need to begin planning soon. If you would be interested in serving on the 3rd Annual Cyber Security Conference planning committee, please send me an email at [email protected]

Our new website is live! Same great URL:

www.isacahouston.org or you can access the chapter website from your MyISACA tab at www.isaca.org. Great thanks to our own Mary Hall for her dedication and diligence in this project. The new website has richer features than our old website and more integration with ISACA’s main website allowing members to efficiently navigate for news, events, tools, and resources between the international website, your profile on MyISACA, and our local chapter website when you login with your member credentials.

Join us for a premiere event within the Houston Information Security Community through a combination of ISACA, ISC2, ISSA, HTCIA, and InfraGard Chapters featuring Stuart McClure, CEO at Cylance, discussing Next Generation Attacks. Stuart has been a visionary for a new approach to threat detection, protection and response. His leadership sets the strategic direction, operational execution, and fiscal investments of the company. Stuart is one of the leading experts and practical thinkers in the computer security industry today. With a highly regarded 25-year history in the security industry, Stuart has led some of the most notable companies in the space. Prior to Cylance, Stuart was EVP, Global CTO and General Manager of the Security Management Business Unit for McAfee/Intel, where he established an elite team of security researchers called TRACE, who have to their credit discovery of several zero-day vulnerabilities and emerging threats in embedded and critical infrastructure. Before McAfee, Stuart helped formalize the cyber security program at Kaiser Permanente, a $34 billion healthcare company. In 1999, Stuart started Foundstone, Inc., a global consulting and products company, which was acquired by McAfee in 2004. Stuart is the founding creator and lead author of the most successful security book series of all time: Hacking Exposed. This book is now on version 7. He is widely recognized for his extensive and in-depth knowledge of security, and is one of the industry's leading authorities in information security today. Members of ISACA can sign up under the member rate. Registration is active for the September 10th event at http://southtexasissa.eventbrite.com

Our friends at HOU.SEC.CON greatly value the relationships that they have with ISACA and are offering our members a discount on access to the conference taking place on October 15, 2015. This will be the only ISACA event in October. The ticket sales website is at https://houstonseccon6.eventbrite.com. There is a link towards the bottom right of the page that is labeled "Enter promotional code". Please click on that link; a box will appear. Enter "0NonProfit6.0" in that box and click "Apply" to get a $15 discount on your Attendee ticket. The discount is not applicable for a VIP ticket. If you plan to attend, please register as soon as possible. Ticket sales will be closing on Oct 1, and they will likely sell out before then.

Norman Lee Comstock, Jr., Chapter President
(Managing Director, Berkeley Research Group)

ISACA GREATER HOUSTON CHAPTER - NEWSLETTER AUGUST 2015

CHAPTER LEADERS

Chapter President & Membership Director: Norman Lee Comstock, Jr., CISA, CGEIT
Vice President: Harvey H. Nusz, CISA, CRISC
Secretary: Richard Kenneth Hare, CISA, CRISC
Treasurer: Glenn Melvin McQueary, II, CISA, CISM
Immediate Past President: Muhammad Akhtar Siraj, CISA
Board Member & Certification Coordinator: Susana Duran-Oliver
Board Member & Webmaster: Mary C. Hall, CISA, CRISC
Board Member & Audit Committee Chair: Paul Vanek, CISA
Board Member, Communications & Newsletter Editor: Joseph Ponnoly, CISA, CISM, CGEIT


COMMITTEES

Education Committee Chair: Harvey H Nusz
Certification Committee Chair: Susana Duran-Oliver
Research Committee Chair: Dr Ken Stavinoha
Event Management Committee Chair: Rich Hare
Sponsorships Committee Chair: Carlos Lozano
Audit Committee Chair: Paul Vanek
Professional Growth & Networking Committee Chair: Denise Hester
Membership Committee Chair: Norman Comstock

UPCOMING EVENTS

Joint Meeting of ISACA, ISC2, ISSA, HTCIA, and InfraGard Chapters of Houston TX

Thursday, September 10th, 2015, 10.30 AM to 1:00 PM

Next Generation Attacks

Speaker: Stuart McClure, CEO Cylance

Stuart McClure is well known globally as a leading information security expert, as the founder of Foundstone Inc and as co-author of Hacking Exposed, now in its 7th volume. Currently he is CEO of Cylance, focusing on threat detection, protection and response.

Prior to Cylance, Stuart was EVP, Global CTO and General Manager of the Security Management Business Unit for McAfee/Intel. During his tenure at McAfee, Stuart established an elite team of security researchers called TRACE, who have to their credit discovery of several zero-day vulnerabilities and emerging threats in embedded and critical infrastructure. Before McAfee, Stuart oversaw the cyber security program at Kaiser Permanente.

In 1999, Stuart started Foundstone, Inc., which was later acquired by McAfee in 2004.

Time: 11.30 AM to 1:00 PM with lunch

Location: HESS - Houston Engineering and Scientific Society Club, 5430 Westheimer at Yorktown (near Galleria) (free garage parking)

Register for the event on our website www.isacahouston.org or at http://southtexasissa.eventbrite.com


We meet on the 3rd Thursday of every month from 10:30 AM until 1:30 PM.

Location: Our luncheon meetings are normally at the Hess Club. One-day conferences are held at the Crowne Plaza Hotel and other locations.

1. Hess Club, 5430 Westheimer Rd, Houston (Galleria Area)

2. Crowne Plaza Hotel, 1700 Smith Street, Houston TX 77002 (downtown)

To register for the meetings or events, please register online using Cvent.

Meeting date: September 17, 2015 (Thursday), 10:30 AM to 2 PM (3 CPEs)

10:30 - 11:30 AM Morning Session: "Why You Absolutely Must Utilize a Framework in Auditing Disaster Recovery"
Speaker: Harvey Nusz

This presentation will review the DRII Framework at a high level and give you auditable steps in each of the 10 domains, focusing on the top 10 mistakes to avoid in DR. It will also discuss DR aspects of virtualization, cloud computing and IAM in various corporations.

Harvey Nusz has been enamored with BCP/DR since before he took a three-day class in DR and recommended, as an auditor, that Sundstrand and Falk plan to back each other up, before that was popular. He has been on both sides of the equation, having audited a large bank's annual test and those of other companies, and having created or managed the creation and testing of 15 plans. He has led approximately 50 tests, ranging from tabletop to full DR tests, and has experience in 8 of the 10 DRII domains. Harvey was also one of the regular DR Domain instructors of ISSA, South Texas Chapter, in the previous version of the CISSP Body of Knowledge, and marveled at how that domain mimicked DRII's 10 domains.

Harvey has noticed over the years that while many fine professionals have their CISA, a fair number appear to have difficulty auditing a BCP/DR program, not knowing what to look for. This session is a small effort to assist in building that knowledge amongst fellow CISAs.

Harvey, whose company is 4IT Security, Governance & Compliance, just completed a project to implement an IAM product, and is now assisting a client of Insight Global as a Data Privacy Compliance Analyst. While he enjoyed his time in north Texas, Harvey is very glad to be back in Houston.

Concurrent Morning Session: "Using Report Reader to Import Data From PDF Files" (ISACA IDEA SIG, hosted by Audimation Services)
Speaker: Christian Tan

12:00 - 1:00 PM Luncheon Session: "Agile Software Security Assurance"
Speaker: Mark Feferman (Vaunted Group)

1:00 - 2:00 PM Afternoon Session: "The Use of ACL Analytics at Hess Corporation" (ISACA ACL SIG)
Speaker: Tenleigh Sweeney (Hess Corporation)

Total 3 CPEs offered

Early Registration: $25 Members, $30 Non-Members, $10 Students (for morning session, lunch and ACL SIG)

Location:


The OCTOBER 2015 ISACA event is combined with HOU.SEC.CON 2015

THE HOUSTON SECURITY CONFERENCE, OCTOBER 14-15, 2015. Details are at: http://www.houstonseccon.com/v6/

Register at: https://houstonseccon6.eventbrite.com

CERTIFICATION TRAINING CLASSES

CISA FALL REVIEW CLASSES

CISA Fall Review Classes will be held on Saturdays Oct 24, Oct 31, Nov 7, Nov 14 and Nov 21, 2015 at St. Thomas University, Houston TX. The sessions run from 8:00 AM to 3:00 PM. Those who already have the books can register just for the class with no book cost.

Those interested may please contact Susana Duran-Oliver, Certification Coordinator. Her email is: [email protected]. The class schedule is as follows (all sessions 8:00 AM - 3:00 PM, Hughes House, Room 108):

Oct 24, Saturday: The Process of Auditing Information Systems (Chapter 1)
Oct 31, Saturday: Governance and Management of IT (Chapter 2)
Nov 7, Saturday: Information Systems Acquisition, Development and Implementation (Chapter 3)
Nov 14, Saturday: Information Systems Operations, Maintenance and Support (Chapter 4)
Nov 21, Saturday: Protection of Information Assets (Chapter 5)


CPEs FOR ATTENDING ISACA MEETINGS AND EDUCATIONAL EVENTS

We have created a website which displays your earned CPEs. Please follow the instructions below to access the site.

1. Copy this link into your browser: http://www.cvent.com/d/9rq9w8/3W

2. First-time members will need to register:
   - Enter your first and last name as listed with ISACA
   - Enter your email address as listed with ISACA
   - Click on the sign-up button

You will receive an email within a few minutes asking you to log in and update your password. Use the link in the email to update your password.

Note: If the information submitted does not match our records you will receive an error message.


JOB POSTINGS

Local Job Postings

For details, visit our website: http://www.isacahouston.org/

OVER 50 NEW CYBERSECURITY JOBS AT THE DEPARTMENT OF HOMELAND SECURITY (DHS)

The Department of Homeland Security (DHS) is responsible for safeguarding our nation's critical infrastructure from physical and cyber threats that can affect national security, public safety, and economic prosperity. DHS is actively recruiting dynamic professionals in its National Cybersecurity and Communications Integration Center (NCCIC) to help protect the nation's cyberspace (http://www.dhs.gov/homeland-security-careers/dhs-cybersecurity).

HOW TO APPLY

Employment opportunities are posted on USAJOBS at dhs.usajobs.gov (keyword "NCCIC"), or search the following vacancy announcements, or visit http://www.dhs.gov/homeland-security-careers/dhs-cybersecurity

ABOUT NCCIC

NCCIC is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the federal, state, local, territorial, and tribal governments, the intelligence community, law enforcement, the private sector, and international entities.

Qualified candidates must have knowledge, skills, and experience in, but not limited to:

- Information systems and architecture design
- Incident response
- Malware and forensic incident analysis
- Information security program and project management
- Information assurance
- Gathering and analyzing incident data
- Developing and implementing information systems security programs, policies, and procedures
- Leading teams in cyber incidents and responses
- Identifying and analyzing cyber security threats and providing mitigation strategies
- Identifying and exploiting vulnerabilities
- Vulnerability scanning and penetration testing
- Evaluating security incident response policies
- Reviewing proposed new systems, networks, and software designs for potential security risks

To learn more about the NCCIC visit: http://www.dhs.gov/about-national-cybersecurity-communications-integration-center

Mission critical vacancies that you can share with those in your network who would be interested in completing an application.

Please help raise awareness about these great opportunities by posting on social media, blogs, in e-newsletters, and sending out emails.

Please spread the word by using this link:


CONTACT US

Our new website is live. It is accessible using the same URL: http://www.isacahouston.org/

Please sign in using your ISACA credentials. You can also access it from www.isaca.org by clicking on the MyISACA tab, logging in and then clicking "Visit Chapter website". The website is hosted by ISACA and is linked to the ISACA International website, so you can easily access ISACA International information from our website. It also has a members-only section. Chapter presentations and newsletters (archived) will also be posted on the website. Members can register for Chapter events directly from the website, and can access the Chapter's LinkedIn and Twitter groups directly from the website.

Special thanks to Mary Hall, our webmaster. The GHC Board would also like to acknowledge Nancy Taubin's (ISACA International) continued assistance in our website development.

Please also join our Twitter and LinkedIn groups for social and professional interaction among the members of the Chapter:

Twitter: @ISACAHouston


Mailing Address:

ISACA Houston Chapter
P.O. Box 2424
Houston, TX 77252-2424

For details of our Board Members and Committees:


NEWS & NOTES

Implementing NIST Cybersecurity Framework for Critical Infrastructures using COBIT 5 - Part II

Joseph Ponnoly, CISM, CISA, CGEIT, CISSP, MBA, MS

The NIST Cybersecurity Framework (CSF) 2014 for critical infrastructures, as described in Part I, defined high-level security functions and security control activities with their categories and sub-categories, to protect critical infrastructure services from identified risks and for detecting, responding to and recovering from cyber security incidents.

Part II of this article discusses how NIST CSF can be implemented using the COBIT 5 framework, based on the governance and management of IT and the relevant business processes and associated risks.

Fig 1: NIST Cyber Security Framework Core Functions and Categories (Courtesy: NIST, USA)

Why COBIT 5.0?

COBIT 5.0 is referred to in NIST CSF as one of the standards/frameworks that implement the cybersecurity functions and activities (outcomes) listed by the CSF. It is listed alongside CCS CSC (the Critical Security Controls, formerly the SANS Critical Security Controls), ISA 62443 (security for industrial automation and control systems), ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 4. We will see how COBIT 5.0 is an integrated framework that gives these standards the business perspective to make them more effective.

COBIT is a business governance framework developed by ISACA. It integrates various frameworks and standards such as ISO 31000 (Enterprise Risk Management), ISO 27001/27002/27005 (Information Security Management), ITIL (IT Service Management), PMBOK / PRINCE2 (Project Management), Zachman Framework / TOGAF (IT Architecture), ISO 38500:2008 (Governance of Enterprise IT) and NIST SP 800-30 and 800-53A (risk assessment and the assessment of IT controls that mitigate risk). COBIT is thus an integrated framework; it adopts a risk-based approach to governing and managing IT in enterprises and is ideally suited for implementing NIST CSF.


Governance & Management of Enterprise IT

COBIT 5 makes a clear distinction between governance and management of Enterprise IT. Enterprise governance is the responsibility and function of the governance board (Board of Directors) or senior executives and focuses on defining the organizational mission and vision and setting direction for achieving them. Operational management focuses on operational activities involving planning, building, operating and monitoring business processes and applications, aligning them with organizational/enterprise objectives and enabling them using IT to achieve effectiveness and efficiency. The COBIT framework and standards can easily be tailored to meet the needs of Enterprise IT governance and management and for managing the cybersecurity risks of any enterprise, including critical infrastructures (as defined in Part I of this article).

Fig 3: COBIT 5 Governance and Management Key Areas (Courtesy: ISACA)

COBIT 5 thus takes a holistic view of Enterprise IT and considers seven categories of enablers for effective governance and management of Enterprise IT, to optimize value from IT while managing risk. The seven enablers listed by COBIT are:

- Principles, policies and frameworks
- Processes
- Organizational structures
- Culture, ethics and behavior
- Information
- Services, infrastructure and applications
- People, skills and competencies


Fig 4: Scope of COBIT 5 for Risk (Courtesy: ISACA)

The risk function is considered from the perspective of the seven enablers described above. Enterprise Risk Management (ERM) standards (based on COSO ERM, ISO 31000, ISO/IEC 27005 and other standards) are considered an integral part of the governance and management of IT. They support and expand these enabler functions and provide a business perspective on enterprise risk.

The business risk function provides input to the Risk Management function. Risk Management relies on the core risk business processes and the risk scenarios that are mapped to these risk function enablers. Risk Management is implemented through the COBIT process reference model, which can be expanded with inputs or detailed guidelines from IT management frameworks and standards such as ITIL, ISO 27001/27002, PMBOK / PRINCE2 and TOGAF.

COBIT Process Reference Model

The process reference model in COBIT lists a number of governance and management processes that relate to IT activities within the enterprise. It also provides a framework for measuring and monitoring IT performance.


Fig 5: COBIT 5 Process Reference Model (Courtesy: ISACA)

Organizations need to adapt the COBIT processes to suit their unique environments for managing IT processes and risk.

Risk Management

Risk Management, as mentioned above, is a key component of the NIST Cybersecurity Framework (CSF). It is specifically described in COBIT by the processes listed below:

Senior Executive Level
- EDM (Evaluate, Direct & Monitor)
  - EDM03 Ensure Risk Optimization

Business Management / Process Level
- APO (Align, Plan & Organize)
  - APO12 Manage Risk
  - APO13 Manage Security
- MEA (Monitor, Evaluate & Assess)
  - MEA02 Monitor, Evaluate & Assess the System of Internal Controls


Operational Management Level
- BAI (Build, Acquire & Implement)
  - BAI09 Manage Assets
  - BAI10 Manage Configuration
- DSS (Deliver, Service & Support)
  - DSS04 Manage Continuity
  - DSS05 Manage Security Services
  - DSS06 Manage Business Process Controls

The Risk Management process as defined by NIST CSF and the associated COBIT processes and enablers are illustrated in the graphics below.

The Senior Executive Level focuses on organizational/enterprise/business risk. Business process owners focus on critical infrastructure risk management, dealing with asset management and vulnerability and threat management. Operational-level implementation focuses on security operations for securing the critical infrastructure and assets.

Fig 6: Risk Management Implementation (Courtesy: NIST, USA)


scenarios that can be considered in the business context. The process involves collecting relevant risk data, analyzing risk and responding to risk.

Fig 7: The Risk Management Process (APO12) (Courtesy: ISACA)

PART III - NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION STEPS

The seven-step implementation process specified by NIST CSF can now be considered from a COBIT perspective.

1. Prioritize and Scope

The organizational mission and drivers and stakeholder needs are identified and listed. Information security governance must be considered the responsibility of the Board of Directors and senior executives.

The relevant COBIT processes and guidelines are:

- EDM01.01 Evaluate the governance system
- APO01 Consistent management approach, organizational roles and responsibilities, skills and competencies
- APO02.01 Enterprise direction, strategy and objectives
- APO03.01 Enterprise architecture

Some other factors to be considered are:

- Risk architecture


2. Orient: Identify related systems, assets, regulatory requirements and the overall risk approach. Identify threats to and vulnerabilities of the critical systems, assets, applications and data identified.

The COBIT processes that contain detailed guidelines are:

- APO (Align, Plan and Organize)
  - APO01 Manage the IT Management Framework
  - APO03 Manage Enterprise Architecture
  - APO07 Manage Human Resources
  - APO09 Manage Service Agreements
  - APO12 Manage Risk
  - APO13 Manage Security
- BAI (Build, Acquire and Implement)
  - BAI03 Manage Solutions Identification and Build
  - BAI06 Manage Changes
  - BAI09 Manage Assets
  - BAI10 Manage Configuration
- DSS (Deliver, Service and Support)
  - DSS01 Manage Operations
  - DSS02 Manage Service Requests and Incidents
  - DSS03 Manage Problems
  - DSS04 Manage Continuity
  - DSS05 Manage Security Services
  - DSS06 Manage Business Process Controls
- MEA (Monitor, Evaluate and Assess)
  - MEA02 Monitor, Evaluate and Assess the System of Internal Controls
  - MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

CSF Profile for the Enterprise

3. Create a Current Profile

A CSF Profile is created for an organization or enterprise by selecting the core CSF categories (ID, PR, DE, RS, RC) and subcategories of security function activities based on the organization's business needs, business drivers and risk assessment. The Current Profile shows the "as is" state.

The NIST CSF maps the categories and subcategories to the COBIT 5 framework and to the other informative references (see Appendix A of the framework).

4. Conduct Risk Assessment (on a continuing basis)

Risk assessment is an important step in the cyber security management process. Risk assessments involve identification of critical assets and identification of vulnerabilities of systems, networks and applications that could be exploited to compromise data and IT


likelihood and likely impact to the business or enterprise, described in dollar terms or on a high/medium/low rating scale.

IT risk is a combination of the probability of the threat event (threat event frequency) and its impact (probable loss magnitude). If the risk is above the risk threshold (the risk tolerance level determined by senior management), then countermeasures, including controls, will have to be implemented to reduce the risk and bring it to an acceptable level as defined by the enterprise.

5. Create Target Profile

The Target Profile is the "to be" state based on the CSF Profile categories and subcategories selected (see Appendix A). It also considers the results of risk assessments and the control gaps identified.

CONTROLS IMPLEMENTATION & MONITORING

6. Determine, Analyze and Prioritize Gaps & Action Plan

The control gaps identified must be analyzed and prioritized with reference to the Target Profile. This leads to an action plan. Since COBIT has a business focus, the control categories must be defined within the risk function's business perspective as defined by the seven enablers mentioned earlier.

7. Implement Action Plan for Countermeasures and Controls to Reduce Risk

A road map, timelines and associated project plans must be created to implement the action plan. This may also involve identification of the GRC tools required for implementation. Hardware, software, tools and skilled resources for implementation may have to be identified and documented for management approval and implementation roll-out.
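The following script is an added illustration of steps 3 to 7 above; it is not part of this article and not a NIST or ISACA tool. It compares a Current Profile with a Target Profile, scores each gap using the article's definition of risk (threat event frequency times probable loss magnitude), flags the gaps that sit above the enterprise risk tolerance, and orders them into an action plan. The subcategory IDs are CSF 1.0 identifiers; the tier values, frequencies, loss magnitudes, tolerance and the abbreviated COBIT mapping are constructed sample data and should be taken as assumptions, not as figures from the framework or the article.

```python
"""CSF profile gap analysis (steps 3 to 7 of the article): compare a current
profile with a target profile, score each gap with the article's risk
definition (threat event frequency x probable loss magnitude), flag gaps that
sit above the enterprise risk tolerance, and order them into an action plan.
Added illustration, not part of the newsletter article and not a NIST/ISACA
tool. Subcategory IDs are CSF 1.0 identifiers; the tier values, frequencies,
loss magnitudes, tolerance and COBIT mapping are constructed sample data.
"""
from dataclasses import dataclass

# Tier scale used for profile states, following the article:
# 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive.
UNASSESSED_TIER = 1  # a subcategory absent from the current profile counts as Tier 1


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: float            # frequency x magnitude, in dollars per year
    above_tolerance: bool  # True when countermeasures are mandatory, not optional
    cobit_process: str     # COBIT 5 process(es) the subcategory maps to


def annual_risk(frequency: float, magnitude: float) -> float:
    """The article's definition: risk = threat event frequency x probable loss magnitude."""
    return frequency * magnitude


def find_gaps(current, target, risk_inputs, tolerance, cobit_map):
    """Step 6: every subcategory whose current tier is below its target tier is a gap."""
    gaps = []
    for subcategory, wanted in target.items():
        have = current.get(subcategory, UNASSESSED_TIER)
        if have >= wanted:
            continue  # the current state already meets the target profile
        frequency, magnitude = risk_inputs.get(subcategory, (0.0, 0.0))
        risk = annual_risk(frequency, magnitude)
        gaps.append(Gap(subcategory, have, wanted, risk, risk > tolerance,
                        cobit_map.get(subcategory, "unmapped")))
    return gaps


def prioritize(gaps):
    """Ordering for the action plan: above-tolerance gaps first, then by residual
    risk, then by how many tiers the subcategory has to climb."""
    return sorted(gaps, key=lambda g: (not g.above_tolerance, -g.risk, -(g.target - g.current)))


# --- constructed sample data (assumptions, not from the article) ---
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
# (threat event frequency per year, probable loss magnitude in dollars)
RISK_INPUTS = {
    "PR.AC-1": (2.0, 150_000.0),   # access control failures
    "DE.CM-1": (0.5, 400_000.0),   # undetected network intrusion
    "ID.AM-1": (1.0, 20_000.0),    # unknown asset missed by patching
    "RC.RP-1": (0.2, 250_000.0),   # slow recovery after an incident
}
RISK_TOLERANCE = 100_000.0  # set by senior management, per the article
# Informative references in the style of CSF Appendix A (abbreviated; verify
# against the framework's own table before relying on them).
COBIT_MAP = {
    "ID.AM-1": "BAI09.01, BAI09.02",
    "PR.AC-1": "DSS05.04, DSS06.03",
    "DE.CM-1": "DSS05.07",
    "RS.RP-1": "BAI01.10",
    "RC.RP-1": "DSS02.05, DSS03.04",
}


def sample_action_plan():
    """Run the gap analysis over the sample profiles and return the prioritized plan."""
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_INPUTS, RISK_TOLERANCE, COBIT_MAP)
    return prioritize(gaps)


if __name__ == "__main__":
    for g in sample_action_plan():
        flag = "ABOVE tolerance" if g.above_tolerance else "within tolerance"
        print(f"{g.subcategory}: Tier {g.current} -> {g.target}, "
              f"risk ${g.risk:,.0f}/yr ({flag}), COBIT {g.cobit_process}")
```

Two design points matter for an auditor reading the output: a subcategory missing from the Current Profile is treated as Tier 1 rather than silently skipped, so an unassessed control surfaces as a gap; and the ordering is driven by the risk-versus-tolerance test the article describes, so the plan starts with the gaps that management has already declared unacceptable rather than with the largest tier jump.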

IMPLEMENTATION TIERS (MATURITY MODEL)

CSF Implementation Tiers characterize the maturity of the risk management process, the integrated risk management program and external participation, as specified by the framework. For example, in Tier 3 (Repeatable) risk management practices are formally approved and expressed as policy, as against the ad hoc practices of Tier 1 (Partial) and the management-approved but not yet organization-wide policies of Tier 2 (Risk Informed). In Tier 3 there is an organization-wide approach to managing cyber security risk, consistent methods are in place to respond effectively to changes in risk, and risk-based management decisions are made, particularly about sharing information with external entities.

In Tier 4 (Adaptive) these practices are optimized and adapted based on lessons learned.

COBIT also has a tiered approach to risk management, as described in the EDM03 risk optimization governance process. COBIT defines process capability levels (PCLs), which are similar to the CSF's implementation tiers. They can be mapped as listed below:

- CSF Tier 1 (Partial) -> PCL 0 (Incomplete) and PCL 1 (Performed)
- CSF Tier 2 (Risk Informed) -> PCL 2 (Managed)
- CSF Tier 3 (Repeatable) -> PCL 3 (Established)


Process capability assessments can be performed using the ISO/IEC 15504 rating scale listed below, which COBIT adopts for each process:

- N: Not achieved (0 to 15%)
- P: Partially achieved (15 to 50%)
- L: Largely achieved (50 to 85%)
- F: Fully achieved (85 to 100%)

CONCLUSION

NIST CSF can be implemented using the COBIT 5 framework, since COBIT is an integrated framework that gives a business perspective to the governance and management of IT. Because COBIT does not exclude but brings under its umbrella the various Enterprise Risk Management and IT management frameworks and standards, enterprises would benefit and see business value in implementing the NIST cyber security framework for critical infrastructures using the COBIT 5 framework, its enablers and its process reference model.

References

1. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

2. The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors

3. NIST Cybersecurity Framework, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

4. SANS Critical Security Controls. http://www.sans.org/critical-security-controls/


Joseph Ponnoly
