APPENDIX A

COBIT® 5 for Information Security

The material in this appendix is taken from an ISACA® document titled COBIT® 5 for Information Security.[1] I have included it here as a convenient compliance resource to refer to, since it is mentioned in Chapter 8, “Integrating Compliance with Web Application Security,” and in several places throughout the book.

The information is reproduced verbatim from the ISACA publication. The references within this information include mention of Appendix B and Appendix F. For clarity, these appendices are COBIT® 5 for Information Security appendices and not appendices from this book. Since this is copyrighted information, I have not made any changes whatsoever.

To access the full COBIT® 5 for Information Security publication, please go to www.isaca.org. ISACA is an independent, nonprofit, global association that engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. ISACA® and COBIT® are trademarks registered by ISACA® in the United States and other countries.

F.3 Secure Development

Description of the Service Capability

Figure 45 describes the service capability for secure development services.

Figure 45—Secure Development Services: Description of the Service Capability

Service Capability: Develop secure coding practices.
Description: The design and delivery of coding practices, examples and content demonstrating secure coding and development (development of code that can withstand attacks) for a given set of languages and environments

Service Capability: Develop secure infrastructure libraries.
Description: The design and delivery of language- and environment-specific information security modules that provide essential or critical information security functions

Attributes

Figure 46 describes attributes for secure development services.

Figure 46—Secure Development Services: Attributes

Service Capability: Develop secure coding practices.
Supporting Technology:
•   Compilers, linkers
•   Secure coding resources (books, courses, examples)
•   Static and binary analysis tools
•   Code scanners
Benefit:
•   Decreased likelihood of vulnerabilities in code
•   Assistance in conforming with compliance standards

Service Capability: Develop secure infrastructure libraries.
Supporting Technology:
•   Development languages
•   Secure coding resources (books, courses)
•   Code scanners
•   Static and binary analysis tools
•   Compilers, linkers
Benefit:
•   Protection of intellectual property
•   Decreased likelihood of vulnerabilities in software development

Goals

Figure 47 describes goals for secure development services.

Figure 47—Secure Development Services: Goals

Service Capability: Develop secure coding practices.
Quality Goal: Accurate identification of all information risk and resulting business risk/effects to a given asset or entity
Metric: Number of new types of risk discovered via incidents not covered in report

Service Capability: Develop secure infrastructure libraries.
Quality Goal: Improvements in information security configuration of systems in alignment with information security requirements
Metric: Number of information security issues discovered after an information security assessment of the hardened system

F.4 Security Assessments

Description of the Service Capability

Figure 48 describes the service capability for security assessment services.

Figure 48—Security Assessment Services: Description of the Service Capability

Service Capability: Perform information security assessments.
Description: Performance of an information security assessment of a given entity, system, process, procedure, application or organisational unit for information security issues

Service Capability: Perform information risk assessments.
Description: Process of providing identification, evaluation, estimation and analysis of threats to and vulnerabilities of a given entity, system, process, procedure, application or organisational unit to determine the levels of risk involved (potential for losses), and using the analysis as a basis for identifying appropriate and cost-effective measures as well as the determination of an acceptable level of risk

Attributes

Figure 49 describes attributes for security assessment services.

Figure 49—Security Assessment Services: Attributes

Service Capability: Perform information security assessments.
Supporting Technology:
•   Vulnerability scanner
•   Fuzzers, sniffers
•   Protocol analysers
•   Passive and active network analysers
•   Honeypots
•   Endpoint agents
•   Application scanners
•   Compliance management
•   Reporting tools
•   Remote access (if needed), network, side channels, virtual private networks (VPNs)
Benefit:
•   Identification of information security vulnerabilities
•   Identification of gaps that could lead to compliance issues

Service Capability: Perform information risk assessments.
Supporting Technology: Same as above:
•   Vulnerability scanner
•   Fuzzers, sniffers
•   Protocol analysers
•   Log analyser
•   Passive and active network analysers
•   Honeypots
•   Endpoint agents
•   Application scanners
•   Compliance management
•   Reporting tools
•   Remote access (if needed), network, side channels, VPNs
Benefit:
•   Provision of risk rating for information security practices
•   Help in prioritising vulnerabilities based on risk
•   Insight into ways to mitigate risk based on business needs

Goals

Figure 50 describes goals for security assessment services.

Figure 50—Security Assessment Services: Goals

Service Capability: Perform information security assessments.
Quality Goal: Accurate identification of all information security weaknesses, deficiencies, exposures, vulnerabilities and threats to a given asset or entity
Metric: Number of items discovered via incidents not covered in report

Service Capability: Perform information risk assessments.
Quality Goal: Accurate identification of all information risk and resulting business risk/effects to a given asset or entity
Metric: Areas of new risk discovered via incidents not covered in report

F.5 Adequately Secured and Configured Systems, Aligned With Security Requirements and Security Architecture

Description of the Service Capability

Figure 51 describes the service capability for adequately secured systems services.

Figure 51—Adequately Secured Systems Services: Description of the Service Capability

Service Capability: Provide adequately secured hardened and configured systems, in line with information security requirements and information security architecture.
Description: Provide the information security-related configuration, settings and system hardening to ensure that the information security posture of a given system is based on a set of requirements or architectural designs.

Service Capability: Provide device information security protection.
Description: Provide device-specific information security measures and activities.

Service Capability: Provide physical information protection.
Description: Provide adequate, specific information security measures for data and information that exist in non-digital forms, including documents, media, facilities, physical perimeter and transit.

Attributes

Figure 52 describes attributes for adequately secured systems services.

Figure 52—Adequately Secured Systems Services: Attributes

Service Capability: Provide adequately secured hardened and configured systems, in line with information security requirements and information security architecture.
Supporting Technology:
•   File Transfer Protocol (FTP)
•   CMDB update methods
•   Signature verification solutions
•   File integrity monitoring
•   Kernel modules
•   Information security requirements and information security architecture
•   System management
•   Patch management
•   Virtualisation management
•   Cloud management
Benefit:
•   Reduced unauthorised access to data
•   Reduced external and internal threats
•   Simplified compliance

Service Capability: Provide device information security protection.
Supporting Technology:
•   Device-specific platform OS
•   Platform management console/systems
Benefit:
•   Confidentiality in case of theft
•   Prevention of unauthorised access to specific devices
•   More explicit information security for specific devices

Service Capability: Provide physical information protection.
Supporting Technology:
•   Closed-circuit television (CCTV)
•   Locks
•   Alarms
•   Access control
•   Vaulting
•   Intelligence reports
•   First responder interfaces
•   Facilities management solutions
•   Fire protection systems
•   Time locks
•   Physical access solutions
Benefit:
•   Protection of physical assets from external and internal threats

Goals

Figure 53 describes goals for adequately secured systems services.

Figure 53—Adequately Secured Systems Services: Goals

Service Capability: Provide adequately secured hardened and configured systems, in line with information security requirements and information security architecture.
Quality Goal: Improvements in information security configuration of systems in alignment with information security requirements
Metric: Number of information security issues discovered after an information security assessment of the hardened system

Service Capability: Provide device information security protection.
Quality Goal: Improvements in information security configuration of device in alignment with information security requirements
Metric: Number of information security issues discovered after an information security assessment of the secured device

Service Capability: Provide physical information protection.
Quality Goal: Physical controls in line with information security requirements
Metric:
•   Number of incidents not discovered by review/assessment
•   Number of incidents detected not addressed by existing controls

F.6 User Access and Access Rights in Line With Business Requirements

Description of the Service Capability

Figure 54 describes the service capability for user access and access rights services.

Figure 54—User Access and Access Rights Services: Description of the Service Capability

Service Capability: Provide authentication services.
Description: Provide a set of capabilities for performing user or entity identification using a set of factors as determined by the information security policy or access control requirements.

Service Capability: Provide information security provisioning services.
Description: Provide a set of capabilities for creating, delivering and managing the information security-enabling technologies to a given system, entity, application, service or device.

Service Capability: Evaluate information security entity classification services.
Description: Evaluate the categories, classification, information security level and sensitivity for a given entity, system, process, procedure, application, service or organisational unit.

Service Capability: Provide revocation services.
Description: Provide a set of capabilities for cancelling, withdrawing or terminating information security rights or abilities for a given system, entity, application, service, process, procedure, organisational unit or device.

Service Capability: Provide user authentication and authorisation rights in line with business requirements.
Description: Provide a set of capabilities and management practices for performing user identification using a set of factors as determined by the information security policy or access control requirements as defined by the business requirements.

Attributes

Figure 55 describes attributes for user access and access rights services.

Figure 55—User Access and Access Rights Services: Attributes

Service Capability: Provide authentication services.
Supporting Technology:
•   Biometrics
•   Certificates
•   Dongles
•   Smart cards
•   Embedded device IDs
•   One-time passwords (OTPs), fobs, cellular telephones
•   Username/passwords
•   Identity as a Service (IDaaS), barcodes, universal product code (UPC)
•   Certificate revocation list (CRL), ID federation
•   Root certificates
•   Key management services
•   Location services
•   Reputation services
•   Public key infrastructure (PKI)
Benefit:
•   Prevention of unauthorised access to systems/data
•   Assurance that every entity has only the necessary level of access
•   Safeguarding of sensitive information
•   Verification of the identity of users accessing systems

Service Capability: Provide information security provisioning services.
Supporting Technology:
•   Open Mobile Alliance (OMA) Device Management (DM) provisioning
•   Subscriber identity module (SIM), certificates, root certificates
•   Local and remote encryption services
•   Key management services
•   Location services
•   System and device management solutions
•   Software distribution solutions
•   HR data feed
Benefit:
•   Appropriate and timely access to needed systems for employees

Service Capability: Provide information security entity classification services.
Supporting Technology:
•   Diagram and visualisation tools
•   Classification tools
•   CMDB
•   Enterprise architecture
•   Classification standards
•   Release candidate push solutions
Benefit:
•   Enables appropriate grouping and categorisation of information security entities to classify the appropriate level of risk

Service Capability: Provide revocation services.
Supporting Technology:
•   SIM, certificates, root certificates
•   Local and remote encryption services
•   Key management services
•   Location services
•   HR data feed
•   PKI
Benefit:
•   Prevention of systems access by unauthorised users after their privileges have been revoked (due to termination or role change)
•   Reduced likelihood of an internal attack

Service Capability: Provide user authentication and authorisation rights in line with business requirements.
Supporting Technology:
•   SIM, certificates, root certificates
•   Local and remote encryption services
•   Key management services
•   Location services
•   PKI
Benefit:
•   Verification that users have appropriate level of access to needed systems only
•   Reduced exposure of sensitive data
•   Reduced likelihood of internal attack

Goals

Figure 56 describes goals for user access and access rights services.

Figure 56—User Access and Access Rights Services: Goals

Service Capability: Provide authentication services.
Quality Goal: Accurate, complete and timely authentication of all entities and/or services
Metric:
•   Number of entities or services not under the authentication service
•   Completeness of authentication factors supporting information security requirements

Service Capability: Provide information security provisioning services.
Quality Goal: Accurate, complete and timely provisioning of all services and information security elements for entities, devices or services
Metric:
•   Number of incomplete provisioning transactions
•   Number of inaccurate provisioning transactions
•   Average delay in provision
•   Violation of maximum delay in provisioning

Service Capability: Provide information security entity classification services.
Quality Goal: Accurate and complete classification of all entities
Metric:
•   Number of inaccuracies in classification
•   Number of classes not defined for entities discovered
•   Number of changes required to existing classifications

Service Capability: Provide revocation privilege services.
Quality Goal: Accurate, complete, and timely revocation of all entities and/or services
Metric:
•   Number of failed revocations for targets
•   Completeness of revocations supporting information security requirements
•   Delay in revocation of entities and services for a given target

Service Capability: Provide user authentication and authorisation rights in line with business requirements.
Quality Goal: Accurate, complete, and timely authentication and proper authorisation of all entities and/or services
Metric:
•   Number of entities or services not under the authentication or authorisation service
•   Completeness of authentication and authorisation factors supporting information security and business requirements

F.7 Adequate Protection Against Malware, External Attacks and Intrusion Attempts

Description of the Service Capability

Figure 57 describes the service capability for protection against malware and attacks services.

Figure 57—Protection Against Malware and Attacks Services: Description of the Service Capability

Service Capability: Provide information security and countermeasures for threats (internal and external).
Description: Plan, implement, maintain and improve measures, countermeasures and activities including, but not limited to, actions, processes, devices or systems, addressing threats and vulnerabilities as identified in the risk assessments, information security policies and information security strategy. Remain up to date on emerging technologies.

Service Capability: Provide data protection (in host, network, cloud and storage).
Description: Provide a set of capabilities and management practices for implementing protection, confidentiality, integrity and availability of data in all of their states including, but not limited to, at rest or in transit, locally and externally, short-term and long-term.

Attributes

Figure 58 describes attributes for protection against malware and attacks services.

Figure 58—Protection Against Malware and Attacks Services: Attributes

Service Capability: Provide information security and countermeasures for threats (internal and external).
Supporting Technology:
•   Encryption
•   PKI, deep packet inspection (DPI), sniffers
•   Firewalls
•   Packet analyser, sensors
•   Compliance management
•   Information security requirements and information security architecture
•   CMDB
•   System patch management
•   Virtualisation management
•   Cloud management
•   Vendor-supplied dashboards and management agents
•   Vendor-supplied updates
•   Open source software (OSS) repositories
•   Vendor information security advisories and KBs, honeypots, tarpits
•   Antimalware, antirootkit, antispyware, antiphishing
•   Browser protection, sandboxing, content inspection
•   Reputation services
Benefit:
•   An up-to-date reference for remediating threats
•   Prevention of internal and external attacks

Service Capability: Provide data protection (in host, network, cloud and storage).
Supporting Technology:
•   PKI, sniffers, DPI
•   Encryption services
•   Data loss prevention (DLP)
•   System and device management solutions
•   Software distribution solutions
•   Remote management systems
•   Virtualisation and cloud management solutions
•   Document management
•   Data classification systems
•   Application-centric data management solutions
•   Data obfuscation solutions
Benefit:
•   Ability for data to be stored and transferred securely
•   Confidentiality, integrity and availability

Goals

Figure 59 describes goals for protection against malware and attacks services.

Figure 59—Protection Against Malware and Attacks Services: Goals

Service Capability: Provide information security and countermeasures for threats (internal and external).
Quality Goal: Maximised protection against known and unknown threats
Metric: Number of information security-related incidents

Service Capability: Provide data protection (in host, network, cloud and storage).
Quality Goal: Maximised data protection for all data states
Metric: Number of data exposures

____________________________

[1] Excerpt from Information Systems Audit and Control Association, “Appendix F: Detailed Guidance: Services, Infrastructure and Application Enabler,” in COBIT® 5 for Information Security (Rolling Meadows, IL: ISACA, 2012). Reprinted with the permission of ISACA®.
