Governance at the heart of digital transformation - How COBIT 5 can address this new context - Illustrations
1. "How do we place Governance at the heart of
digital transformation?"
(2/2)
Les jeudis de l'AFAI
Patrick Stachtchenko, 2 April 2015
Patrick Stachtchenko, Jeudis de l'AFAI, 2 April 2015
3. How COBIT 5 can address this new context: illustrations
4. COBIT 5: Overview – COBIT 5 Framework
• A Business Framework for the Governance and Management of Enterprise IT (94 p)
• COBIT 5 Principles : Where did they come from? (12 p)
– COBIT 5 Enabler Guides
• Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …
– COBIT 5 Professional Guides
• Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p),
Security (220 p), Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)…
– Practices and Guidance using COBIT 5
• Configuration Management (88 p), Vendor Management (178 p), ...
• COBIT Assessment Program : Model (144 p), Self Assessment (24 p), User Guide
– White Papers / Vision Series / Studies / Surveys
• Social Media, Business Benefits and Security, Governance and Assurance Perspectives (10 p)
• Cloud Computing, Business Benefits with Security, Governance and Assurance Perspectives (10 p)
• Big Data Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), …
– Professional Standards and Guidance
• ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p)
– Audit/Assurance Programs
• EDM/APO/DSS/BAI (25p /Process), Software Assurance (35 p), Outsourcing IT Environments (39 p),
BYOD (39 p), …
– Knowledge Center (Over 100 topics : for each topic discussions, documents and publications,
events, journal articles, external links, wikis, blog posts), Elibrary (> 500 Publications), Academia, ..
• Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400,…
– COBIT Focus (4 x year) : COBIT Case studies, Articles, Updates, …
– COBIT 5 Online: Multiphase project. Capabilities for accessing, understanding and applying COBIT 5
5. COBIT 5: Specific view (Information Security)
– COBIT 5 Professional Guides
• Information Security (220 p)
– Practices and Guidance using COBIT 5
• Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European
Cybersecurity Implementation Series (146 p),…
– White Papers / Vision Series / Studies / Surveys
• Cybersecurity : What the Board of Directors Needs to Ask? (20 p)
• Security as a Service: Business Benefits with Security, Governance and Assurance
Perspectives (18p)
• Business Continuity Management, Emerging Trends (15 p)
• Web Application Security, Business and Risk Considerations (16 p)
• Security Considerations for Cloud Computing (80 p)
• Advanced Persistent Threat (APT) Awareness Study Results (20 p), …
– Audit / Assurance programs
• VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …
– Knowledge Center, Elibrary, …
• Security Tools, Physical Security, Network Security, …
– COBIT 5 Online
• Security Specific View
6. COBIT 5: Global Study on Governance (ISACA 2014)
• White papers
– Issues that have just begun to, or will soon impact enterprise operations
• Research projects
• Knowledge Center
– Over 100 topics
– Discussions, Documents and Publications, Events and Online Learning, Journal
Articles, User Contributed External Links, Wikis, Blog Posts
• Academia
– Model Curricula
– Teaching Material (for Academia advocates)
• Elibrary
– All ISACA publications
– 525 external books
• Career Center
7. COBIT 5: Recent publications
8. ISACA in summary: Knowledge 2015
• DevOps Overview 16 p
• Internet of Things: Risk and Value Considerations 13 p
• IS Auditing Tools and Techniques : IS Audit Reporting 46 p
• Getting Started With Governance 8 p
• Overview of Digital Forensics 14 p
• DevOps Series
• Industrial Control Systems (ICS) 2nd Q
• Internal Controls 1st Q
• Operational Risk Management/Basel Using COBIT 5 ?
• PCI DSS (Payment Card Industry Data Security Standard) 1st Q
• Security, Audit and Control Features SAP ERP, 4th Edition 1st Q
• + Work of the committees and task forces (Emerging Business and Technology Committee,
Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)
All of this knowledge is developed in accordance with the COBIT 5 principles
9. ISACA in summary: Knowledge 2014
• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)
• A Global Look at IT Audit Best Practices (45 p)
• IT Control Objectives for Sarbanes Oxley using COBIT 5, 3rd Edition (142 p)
• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)
• Risk Scenarios Using COBIT 5 for Risk (294 p)
• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)
• European Cybersecurity Implementation Series
– Overview (26 pages)
– Assurance (24 pages)
– Resilience (25 pages)
– Risk Guidance (24 pages)
– Audit/Assurance Program (47 pages)
10. ISACA in summary: Knowledge 2014
• Cybersecurity : What the Board of Directors Needs to Ask? (20 p)
• Implementing the NIST Cybersecurity Framework (108 p)
• COBIT 5 Principles : Where did they come from? (12 p)
• Advanced Persistent Threat Awareness Study Results (20 p)
• ITAF 3rd Edition (148 p)
• Controls and Assurance in the Cloud : Using COBIT 5 (266 p)
• Relating the COSO Internal Control Integrated Framework and COBIT (22 p)
• Vendor Management Using COBIT 5 (178 p)
• Evaluate, Direct and Monitor Programs 1-5 (25 p / process)
• Generating Value from Big Data Analytics (12 p)
11. ISACA in summary: Knowledge 2013
• Security as a Service (18 p)
• COBIT 5 : Enabling Information (90 p)
• Advanced Persistent Threats: How to Manage the Risk to Your Business? (132 p)
• COBIT 5 for Risk (244 p)
• Configuration Management Using COBIT 5 (88 p)
• Privacy and Big Data (12 p)
• Transforming Cybersecurity (190 p)
• COBIT 5 for Assurance (318 p)
12. ISACA in summary: Knowledge 2013
• Responding to Targeted Cyberattacks (88 p)
• Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)
• Big Data : Impacts and Benefits (14 p)
• Software Assurance Audit/Assurance Program (35 p)
• Identity Management Audit/Assurance Program (40 p)
• COBIT Assessment Programme Using COBIT 5 (144 p)
• Outsourced IT Environments Audit/Assurance Program (39 p)
• Personally Identifiable Information Audit/Assurance Program (34 p)
13. COBIT 5: Content – Illustrations
14. Content: COBIT 5 Enabling Information
15. COBIT 5 Deliverables: Enabling Information (90 pages)
• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope
• COBIT 5 Principles applied to Information
– COBIT 5 Principles
• Goals Cascade for the Enterprise (Function Goals)
• Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management
and Operations Items for 8 Functional areas : Human Resources (22 items), Procurement (20 items), …)
• Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)
• The COBIT 5 Information Model
– COBIT 5 Information Model Overview
• Information Stakeholders : Examples for Customer Data (8), IT Strategy (8), Supply Chain Software
Specification Document (6), Hospital Patient Records (9) (Description, Stakes)
• Information Goals : Examples for each of the 15 information quality criteria
• Lifecycle : Examples for Supplier Information, Retention Requirements, IT Change Management Data
• Good Practices : Examples for the 11 information attributes
– Additional Examples of COBIT 5 Information Model Use
• 5 sample use cases: Building IS Specifications, Definition of Information Protection Requirements, etc.
• Comprehensive Information Item Description : Illustration for Risk Profile (Lifecycle and stakeholders,
Goals, Good Practices, Link to other enablers)
• Addressing Information Governance and Management Issues Using COBIT
– Information Governance and Management Issues Reviewed in this Chapter (9 issues)
• For each Issue : Issue Description and Business Context, Affected Information, Affected Goals, Enablers to
Address the Issue
• Appendix A : Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)
• Appendix B : Example Information Items Supporting Functional Area Goals (8 areas, 179 items)
• Appendix C : Example Information Items Supporting IT-related Goals (1 area, 69 items)
16. Information
Example of assessment criteria
Intrinsic quality: data values conform to the actual values
• Accuracy: correct and reliable
• Objectivity: unbiased and impartial
• Believability: regarded as true and credible
• Reputation: highly regarded in terms of source and content
Contextual and representational quality: applies to the task of the information user
and is presented in a clear and intelligible way
• Relevancy: applicable and useful for the task at hand
• Completeness: not missing, and of sufficient depth for the task at hand
• Currency: sufficiently up to date for the task at hand
• Appropriate amount of information: appropriate in volume for the task at hand
• Concise representation: represented compactly
• Consistent representation: presented in the same format
• Interpretability: in appropriate languages, symbols and units, with clear definitions
• Understandability: easily comprehended
• Ease of manipulation: easy to manipulate and apply to different tasks
Access/security quality: can be accessed and is available
• Availability/timeliness: available when required, easily and quickly retrievable
• Restricted access: access restricted to authorized persons and actions
• Several perimeters are possible for information security, which raises an overlap problem.
• At a minimum, security most often addresses every issue related to "invalid access".
• Integrity/availability/confidentiality and identification/authentication/non-repudiation/authorization
therefore also have to be covered at a minimum.
17. Information
Levels/attributes
• Using these levels makes it possible to determine the protection levels and the protection mechanisms
to implement at each level:
• Where is the information kept?
• How can it be accessed?
• How will it be structured and coded?
• What kind of information is it? What is the information level?
• What are the retention periods? What other information is required for this information to be
useful and usable?
• Physical level: information carrier (media: paper, electrical signals, sound waves)
• Empirical level: access channel (user interfaces)
• Syntactic level: code/language/format
• Semantic level: meaning of the information
• Information type: financial/non-financial, internal/external, forecast values/observed values
• Information currency: information about the past, the present, the future
• Aggregation level: sales per year, quarter, month, ...
• Pragmatic level: use of the information
• Retention period: how long the information must be kept before it is destroyed
• Information status: operational or historical information
• Novelty: new knowledge or confirmation of existing knowledge (information/confirmation)
• Contingency: information that must precede this information for it to count as information
• Social level: context (contracts, law, culture)
18. Complete description of an information item - Risk Profile
Description of all its dimensions. This can be useful for dealing with questions
such as:
• Risk managers
– What does a risk profile look like?
– What are the quality criteria of a risk profile and how can they be achieved?
– Who are the main stakeholders?
– What are their stakes?
– What are the good practices?
– Which enablers are involved, etc.?
• Auditors
– How can I review the quality of a risk profile?
– Which criteria should be analyzed?
• Stakeholders
– What are my responsibilities in the life cycle of the risk profile?
The professional and business context is described in COBIT 5 for Risk, COBIT 5
for Information Security and COBIT 5 for Assurance
Information: Example "Risk Profile"
19. Information: Example "Risk Profile" - Life cycle and stakeholders (figure, Copyright ISACA)
20. Information: Example "Risk Profile" - Goals (figure, Copyright ISACA)
21. Information: Example "Risk Profile" - Good practices (figure, Copyright ISACA)
22. Information: Example "Risk Profile" - Link to the other enablers (figure, Copyright ISACA)
23. Information: Example "Risk Profile" - Risk scenario sheet (figure, Copyright ISACA)
• 20 risk scenario types
• >100 detailed risk scenario sheets
24. Risk scenario sheet (figure, Copyright ISACA)
28. Information: Examples of concerns to be addressed (figure, Copyright ISACA)
29. Content: Securing Mobile Devices
30. COBIT 5 Deliverables: Securing Mobile Devices (138 pages)
• Introduction : What is a mobile device? Mobile Device Use – Past Present Future
• Mobile Device Impact on Business and Society : Mobility and Flexibility, Patterns of
Work, Organizational Perimeter, Other Impacts
• Threats, Vulnerabilities and Associated Risks : Physical, Organizational, Technical
• Security Governance : Business Case, Standardized Enterprise Solutions, BYOD,
Combined Scenario, Private Use of Mobile Devices, Defining the Business Case
• Security Management for Mobile Devices : Categories and Classification, Existing
Security Controls, 7 Enablers
• Hardening Mobile Devices : Device and SIM card, Permanent Storage, Removable
Storage and Devices, Connectivity, Remote Functionality
• Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices,
Investigation and Forensics for Mobile Devices
• Guiding Principles for Mobile Device Security : 8 principles
• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security
• Appendix B. Hardening Mobile Devices
• Appendix C. Sample Audit Steps in Forensics and Investigation
31. Illustration for mobile device security
• Stakes: expected benefits, ...
• Types of mobile devices and connections
• Classification by asset category
• Security levels by asset category
• Risk types by risk category
• Nature of the risks by target, by information type, by risk factor
• Examples of vulnerabilities/threats/risks
• Example risk response options for each enabler
• Information security principles, associated objectives, mobile device security principles
• Information security policies, topics covered, mobile device security policies
• Mobile device security standards, centralized aspects, clauses covered
• Operating procedures
• Mobile device security processes and links to the IT processes
• Attributes of the security organization, information security officer, mobile device
security officer
• Expected information security behavior, expected mobile device security behavior
• Skills of the mobile device security officer, skills of the users
• Training: perspective, key topics, content
• Skills of the information security officer
• Service capabilities, architecture and applications: service types by domain
32. Stakes
• "Internet of things"
– 10 billion devices connected to the internet
– 20 to 50 billion networked devices
– 1.7 billion mobile devices connected to the internet
• Impacts
– The notion of an office (anywhere, fewer premises)
– Working hours (anytime)
– Enterprise perimeter (open system, cloud, partners, rental cars, ...)
– Private and professional lives (emails, contacts, calendar, etc.)
– Efficiency at work / productivity / flexibility
– Responsibilities
– Support functions (7 days a week, 24 hours a day), processes, training, ...
– New risks
Mobile Device Security Example
33. Mobile Device Security Example
Types of mobile devices and connections
• Traditional cell phones
• Smartphones and pocket PCs
• Auxiliary units: USB keys, wireless speakers or headsets, GPS, ...
• Non-telephone wireless devices: tablets, ...
• Automobile: connected electronic devices such as a GPS navigation aid, diagnostics,
automatic locking/unlocking, ...
• "Smart" clothing
• Toys and "robots" (drones, cameras, vacuum cleaners, lawnmowers, ...)
• Implants (insulin pumps, ...), ...
• Connections to: the public cloud, other mobile devices, the private cloud, the enterprise
• Connection types: GSM, GPRS/EDGE, 3.5G, 4G/LTE, Bluetooth, WLAN/802.11, NFC, ...
34. Mobile Device Security Example
Classification by asset category
Category | Devices | Examples
1 | Data storage (limited), basic telephony and messaging services, proprietary OS (limited), no data processing capability | Traditional cell phones
2 | Data storage (including external) and data processing capabilities, standardized OS (configurable), extended services | Smartphones; early pocket PC devices
3 | Data storage, processing and transmission capabilities via alternative channels, broadband Internet connectivity, standardized OS (configurable), PC-like capabilities | Advanced smartphones; tablet PCs
Copyright ISACA
35. Mobile Device Security Example
Risk levels by asset category (Low / Medium / High)
Category / Risk | Category 1 | Category 2 | Category 3 | Category 4
Physical
Theft | Low | Medium | High | High
Loss | Medium | Medium | Medium | Medium
Damage/destruction | High | High | High | High
Organizational
Agglomeration/heavy users | Low | Low | High | High
Complexity/diversity | Low | Medium | High | High
Technical
Activity monitoring, data retrieval | Low | High | High | High
Unauthorized network connectivity | Low | Medium | High | High
Web view/impersonation | Low | Medium | High | High
Sensitive data leakage | Low | High | High | High
Unsafe sensitive data storage | Medium | High | Medium | Medium
Unsafe sensitive data transmission | Low | High | Medium | High
Drive-by vulnerabilities | Low | High | High | High
Usability | Low | Low | High | High
Copyright ISACA
36. Mobile Device Security Example
Risk types by asset category: physical risks
• Inability to work for a long period
• Access to information (emails, contacts, appointments, usage history, deleted items,
codes, ...); the data are often unencrypted
• Identity theft
But there are ways to limit these risks:
• Device location and tracking
• Remote locking capabilities
• SIM card blocking capabilities
37. Mobile Device Security Example
Risk types by asset category: organizational risks
• Replication of privileged access rights
• Sensitive nature of the data kept for executives
• Complexity of use (richness of features, ...): errors, data roaming, ...
• Short life cycle (management, training, ...)
38. Mobile Device Security Example
Technical risks: "Activity monitoring, data retrieval"
Target | Risk
Messaging | Generic attacks on short message service (SMS) text, multimedia messaging service (MMS)-enriched transmission of text and contents
Messaging | Retrieval of online and offline email contents
Messaging | Insertion of service commands by SMS cell broadcast texts
Messaging | Arbitrary code execution via SMS/MMS
Messaging | Redirect or phishing attacks by Hypertext Markup Language (HTML)-enabled SMS text or email
Audio | Covert call initiation, call recording
Audio | Open microphone recording
Pictures/video | Retrieval of still pictures and videos, for example, by piggybacking the usual "share" functionality in most mobile apps
Pictures/video | Covert picture or video taking and sharing, including traceless wiping of such material
Geolocation | Monitoring and retrieval of GPS positioning data, including date and time stamps
Static data | Contact list, calendar, tasks, notes retrieval
History | Monitoring and retrieval of all history files in the device or on the SIM card (calls, SMS, browsing, input, stored passwords, etc.)
Storage | Generic attacks on device storage (hard disk or solid-state disk [SSD]) and data replicated there
Copyright ISACA
39. Mobile Device Security Example
Technical risks: "Sensitive data leakage risk"
Information type | Risk
Identity | International Mobile Equipment Identity (IMEI), manufacturer device ID, customized user information
Identity | Hardware/firmware and software release statistics, also disclosing known weaknesses or potential zero-day exploits
Credentials | User names and passwords, keystrokes
Credentials | Authorization tokens, certificates (Secure/Multipurpose Internet Mail Extensions [S/MIME], Pretty Good Privacy [PGP], etc.)
Location | GPS coordinates, movement tracking, location/behavioral inference
Files | All files stored at OS/file system level
Copyright ISACA
40. Mobile Device Security Example
Technical risks: "Usability risk"
Risk factor | Risk
Frequent change of hardware as part of the mobile contract | In upgrading to "state-of-the-art" devices, users are compelled to familiarize themselves with new and complex features. This creates a significant risk of human error and resulting security issues.
Users' limited familiarity with their devices | The number of features and apps may appear overwhelming to the average user. This creates a high risk of inadvertent actions, errors and security breaches.
Limitations to configurability, opaque OSs | As OSs become less transparent, configuration and device management are restricted. This reduces the amount of organizational control over mobile OSs.
Mandatory services prescribed by the OS or contract | Consumer-based services run in the background, creating potential security issues. Security management may not be able to control these activities where the contractor sees them as essential.
Proliferation of pay-as-you-go and subscription services | Users are facing more and more opt-in challenges for activation or extension of applications. This creates contractual and security-related risk.
Mandatory cloud sign-in as prerequisite to accessing certain services | Mobile devices may become dysfunctional or restricted if the mandated services are not activated. This creates additional security risk when users naturally opt in to these services.
Copyright ISACA
41. Mobile Device Security Example
Examples of vulnerabilities
Vulnerability | Threat | Risk
Information travels across wireless networks that are often less secure than wired networks. | Malicious outsiders can do harm to the enterprise. | Information interception resulting in a breach of sensitive data, damage to enterprise reputation, compromised adherence to regulation, legal action
Mobility provides the users with the opportunity to leave enterprise boundaries, thereby eliminating many security controls. | Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network. | Malware propagation, which can result in data leakage, data corruption and unavailability of necessary data; physical theft
Bluetooth technology makes it very convenient for many users to have hands-free conversations; however, it is often left on and is then discoverable. | Hackers can discover the device and then launch an attack. | Device corruption, lost data, call interception, possible exposure of sensitive information
Unencrypted information is stored on the device. | In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable. | Exposure of sensitive data, resulting in damage to the enterprise, customers or employees
Lost data may affect employee productivity. | Mobile devices may be lost or stolen due to their portability. Data on these devices are not always backed up. | Workers dependent on mobile devices unable to work in the event of broken, lost or stolen devices, and data that are not backed up
The device has no authentication requirements applied. | If the device is lost or stolen, outsiders can access the device and all its data. | Data exposure, resulting in damage to the enterprise and liability and regulation issues
The enterprise is not managing the device. | If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices. While these devices may not connect to the virtual private network (VPN), they may interact with emails or store sensitive documents. | Data leakage, malware propagation, unknown data loss in the event of device loss or theft
The device allows installation of unverified/unsigned third-party applications. | Applications may carry malware that propagates Trojan horses or viruses. The applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network. | Malware propagation, data leakage, intrusion to the enterprise network
Copyright ISACA
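Most of the vulnerability conditions on slide 41 (unencrypted storage, no device authentication, unsigned third-party apps, discoverable Bluetooth, unmanaged devices, wireless traffic without a VPN) are observable attributes in an MDM inventory, and slide 35 already gives the severity to attach to each by asset category. The script below is an added example for this page, not code from this deck or from ISACA's Securing Mobile Devices: it runs those conditions over a constructed three-device inventory (one device per slide 34 category), rates each finding with the slide 35 heat map, and reports the worst severity per device. The record field names, the minimum patched OS versions, the outdated-OS check (derived from the "software release statistics" row of slide 39) and the mapping of each check to a heat-map row are assumptions for illustration.

```python
"""Mobile device posture audit: slide 41 vulnerabilities rated with the slide 35 heat map.

Added example, not code from the deck or from ISACA. Field names, minimum OS
versions and the check-to-heat-map-row mapping are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Slide 35 heat map, rows used by the checks below, one value per category 1-4.
HEAT_MAP = {
    "Theft":                              ("Low", "Medium", "High", "High"),
    "Unauthorized network connectivity":  ("Low", "Medium", "High", "High"),
    "Sensitive data leakage":             ("Low", "High", "High", "High"),
    "Unsafe sensitive data storage":      ("Medium", "High", "Medium", "Medium"),
    "Unsafe sensitive data transmission": ("Low", "High", "Medium", "High"),
    "Drive-by vulnerabilities":           ("Low", "High", "High", "High"),
}

# Assumed minimum patched releases; real values come from vendor security bulletins.
MIN_OS = {"ios": (12, 0), "android": (9, 0)}


@dataclass(frozen=True)
class Finding:
    device_id: str
    check: str
    vulnerability: str   # wording from slide 41
    heat_map_row: str    # slide 35 row used for the rating (assumed mapping)
    severity: str


def categorize(device: dict) -> int:
    """Slide 34 categories: 1 = no data processing, 2 = standardized OS, 3 = broadband, PC-like.
    Category 4 is not defined on the page, so it is never returned."""
    if not device["standardized_os"]:
        return 1
    return 3 if device["broadband"] else 2


def os_outdated(device: dict) -> bool:
    """True when the (major, minor) OS version is below the assumed minimum.
    An unknown platform is treated as unpatched rather than silently passing."""
    family = device["os_family"]
    if family not in MIN_OS:
        return True
    version = tuple(int(p) for p in device["os_version"].split(".")[:2])
    return version < MIN_OS[family]


# (check id, predicate on the inventory record, slide 41 vulnerability, slide 35 row)
CHECKS = [
    ("unencrypted-storage", lambda d: not d["storage_encrypted"],
     "Unencrypted information is stored on the device.", "Unsafe sensitive data storage"),
    ("no-authentication", lambda d: not d["passcode_required"],
     "The device has no authentication requirements applied.", "Theft"),
    ("unsigned-apps", lambda d: d["allow_unsigned_apps"],
     "The device allows installation of unverified/unsigned third-party applications.",
     "Sensitive data leakage"),
    ("bluetooth-discoverable", lambda d: d["bluetooth_discoverable"],
     "Bluetooth is often left on and is then discoverable.", "Unauthorized network connectivity"),
    ("unmanaged", lambda d: not d["mdm_enrolled"],
     "The enterprise is not managing the device.", "Sensitive data leakage"),
    ("wireless-without-vpn", lambda d: d["uses_wlan"] and not d["vpn_enforced"],
     "Information travels across wireless networks that are often less secure.",
     "Unsafe sensitive data transmission"),
    ("outdated-os", os_outdated,
     "Software release statistics disclose known weaknesses.", "Drive-by vulnerabilities"),
]


def audit(inventory: list[dict]) -> list[Finding]:
    """Run every check on every device; findings come back worst first."""
    findings = []
    for device in inventory:
        category = categorize(device)
        for check_id, predicate, vulnerability, row in CHECKS:
            if predicate(device):
                severity = HEAT_MAP[row][category - 1]
                findings.append(Finding(device["id"], check_id, vulnerability, row, severity))
    findings.sort(key=lambda f: (-SEVERITY_ORDER[f.severity], f.device_id, f.check))
    return findings


def worst_per_device(findings: list[Finding]) -> dict[str, str]:
    """Highest severity observed for each device, for a one-line heat map."""
    worst: dict[str, str] = {}
    for f in findings:
        if f.device_id not in worst or SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[worst[f.device_id]]:
            worst[f.device_id] = f.severity
    return worst


# Constructed inventory (not real data): one device per slide 34 asset category.
SAMPLE_INVENTORY = [
    {"id": "feature-phone-01", "standardized_os": False, "broadband": False,
     "os_family": "proprietary", "os_version": "1.0", "storage_encrypted": False,
     "passcode_required": False, "allow_unsigned_apps": False, "bluetooth_discoverable": True,
     "mdm_enrolled": False, "uses_wlan": False, "vpn_enforced": False},
    {"id": "android-byod-07", "standardized_os": True, "broadband": False,
     "os_family": "android", "os_version": "8.1.0", "storage_encrypted": True,
     "passcode_required": True, "allow_unsigned_apps": True, "bluetooth_discoverable": False,
     "mdm_enrolled": False, "uses_wlan": True, "vpn_enforced": False},
    {"id": "ipad-exec-03", "standardized_os": True, "broadband": True,
     "os_family": "ios", "os_version": "13.4", "storage_encrypted": True,
     "passcode_required": False, "allow_unsigned_apps": False, "bluetooth_discoverable": False,
     "mdm_enrolled": True, "uses_wlan": True, "vpn_enforced": True},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.device_id:18} {f.check:22} {f.heat_map_row}")
```

The same condition lands at different severities depending on the category: a missing passcode is Low on the feature phone but High on the executive tablet, which is exactly the prioritization the heat map is meant to drive. The unmanaged BYOD Android device accumulates the most High findings, matching the "enterprise is not managing the device" row of slide 41.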
42. Security Example (Mobile Device Security)
Principles, Policies, Frameworks, ...
• Information security principles
– Support the business (6 sub-principles)
– Protect the business (4 sub-principles)
– Promote responsible information security behavior (2 sub-principles)
• Policies
– General information security policy
– Information security policies driven by the information security function
• Access control
• Protection of personal information
• Physical and environmental security
• Incident response
– Information security policies driven by the other functions
• Business continuity and disaster recovery
• Asset management
• Rules of behavior
• Acquisition, development and maintenance of solutions
• Vendor management
• Operations
• Compliance
• Risk management
43. Mobile Device Security Example
Principles, Policies and Frameworks: Principles
Principle | Objective | Mobile device security
Focus on the business | Ensure that information security is integrated into essential business processes | Analyze business processes with mobile device dependencies, and prioritize accordingly
Deliver quality and value to stakeholders | Ensure that information security delivers value and meets business requirements | Perform stakeholder analysis (internal and external) and derive requirements for mobile devices
Comply with relevant legal and regulatory requirements | Ensure that statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided | Identify laws, regulations and governance rules for mobile device use, and define requirements
Provide timely and accurate information on information security performance | Support business requirements and manage information risk | Establish mobile device key performance indicators (KPIs) and regular reporting
Evaluate current and future information threats | Analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken | Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches
Promote continuous improvement in information security | Reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security | Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching
Adopt a risk-based approach | Ensure that risk is treated in a consistent and effective manner | Maintain mobile device categorization and keep the risk heat map up to date
Copyright ISACA
44. Mobile Device Security Example
Principles, Policies and Frameworks: Principles (continued)
Principle | Objective | Mobile device security
Protect classified information | Prevent disclosure of classified (e.g., confidential or sensitive) information to unauthorized individuals | Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate identity and access management (IAM).
Concentrate on critical business applications | Prioritize scarce information security resources by protecting the business applications on which an information security incident would have the greatest business impact | Regularly perform a business impact analysis (BIA) on mobile devices as assets, related processes and resulting categories of impact (financial, nonfinancial)
Develop systems securely | Build quality, cost-effective systems on which business people can rely (e.g., that are consistently robust, accurate and reliable) | Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios
Act in a professional and ethical manner | Ensure that information security-related activities are performed in a reliable, responsible and effective manner | Apply governance to mobile device policies, standards and key operating procedures
Foster an information-security-positive culture | Provide a positive information security influence on the behavior of end users, reduce the likelihood of information security incidents occurring and limit their potential business impact | Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection.
Copyright ISACA
45. Mobile Device Security Example
Principles, Policies and Frameworks: Policies
Mobile device policy directive | Topic | Information security policies
Analyze business processes with mobile device dependencies, and prioritize accordingly | Mobile device strategy | Information security policy; business continuity and disaster recovery policy
Perform stakeholder analysis (internal and external) and derive requirements for mobile devices | Mobile device strategy | Information security policy
Identify laws, regulations and governance rules for mobile device use, and define requirements | Governance compliance | Information security policy; compliance policy
Establish mobile device KPIs and regular reporting | Governance compliance | Information security policy; compliance policy
Identify threats to mobile devices (at all levels), anticipate future threats through technology innovation, and collect evidence on incidents and breaches | Risk | Risk management policy
Establish a continuous improvement process for mobile device security, and include BYOD scenarios as well as vendor patching | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Maintain mobile device categorization and keep the risk heat map up to date | Risk | Risk management policy
Establish data classification for information resident on, or flowing through, mobile devices. Include cloud services and storage. Align mobile device identity and access management with corporate IAM | ISMS asset management | Information security policy; asset management policy
Regularly perform a BIA on mobile devices as assets, related processes and resulting categories of impact (financial, nonfinancial) | Mobile device strategy | Information security policy; business continuity and disaster recovery policy
Establish software life cycle controls for self-developed and vendor apps on mobile devices, and include app onboarding in BYOD scenarios | Mobile device life cycle | Information systems acquisition, software development and maintenance policy
Apply governance (see chapter 3) to mobile device policies, standards and key operating procedures | Governance | Information security policy
Educate end users about mobile device security, particularly in BYOD scenarios. Provide useful tools and aids to enable user self-protection | Security culture | Rules of behavior policy
Copyright ISACA
46. Mobile Devices: Principles, Policies and Frameworks: Standards
Clause | Centralized aspects | BYOD aspects
Acquisition | Process for acquisition by the enterprise, link to procurement or purchasing processes | Provide users with subsidized/preferential arrangements, OR specify approved devices
Onboarding | | Process for onboarding any device presented by user, including opt-in clauses
Provisioning | Process for provisioning hardware, OS, standardized apps, optional apps |
Configuration | Process for developing, testing, deploying and updating configuration, link to general configuration management | Process for partial configuration of device with organizational standard (user must have opted in and signed)
Systems and data management | Process for security-related systems and data management, linked to general systems management | Process for partial systems and data management activities (user must have opted in and signed)
Organizational risk | Preapplied security controls for organizational risk (user agglomeration, diversity and complexity) | Preapplied security controls, e.g., security axioms, for any device
Physical risk | Preapplied security controls for loss, theft, damage | Preapplied security controls for loss, theft, damage, etc.
Technical risk | Preapplied security controls for all categories of technical risk | Preapplied security controls for the standardized part of the device; mandatory guidance for user self-protection (minimum requirements)
Exception/incident management | Process for logging, treating and resolving exceptions and incidents, link to business continuity/disaster recovery | Process for identifying incidents, containment, resolution and ex post impact; isolating, quarantine and removal
Life span | Process for aging devices in line with life span/innovation, including risk of obsolete devices | Process for aging devices in line with life span/innovation and cost of supporting obsolete devices vs. risk of operating obsolete devices
Decommissioning | Process for decommissioning end-of-business-life devices; secure disposal |
Removal | | Process for initiating removal, secure organizational data disposal, apps removal; offboarding device (not user) and replacement
Example: Mobile Security
Copyright ISACA
47. Principles, Policies and Frameworks: Operating Procedures
• Mobile device audit
• Change management
• Patch management
• Malware protection
• Encryption, VPN, encapsulation
• Damage, loss, theft
• …
Example: Mobile Security
48. Organizational Structures
• Composition
– Structures are composed of members who are, or represent, internal and external stakeholders. They have a specific role depending on the context of the structure
• Scope
– Boundaries of the organizational structure's decision rights
• Level of authority
– Decisions the structure is authorized to take
• Operating principles
– Practical arrangements for how the structure works (frequency of meetings, documentation, rules, …)
• Delegation powers
– A structure can delegate its decision rights (or a subset of them) to other structures attached to it
• Escalation procedures
– The escalation path describes the actions required when problems arise in taking decisions
Security Example (Mobile Security)
49. Organizational Structures
• Information (or IS) Security Director
• Information (or IS) Security Steering Committee
• Information (or IS) Security Manager
• Risk Steering Committee
• Information security officer within the business functions
Security Example (Mobile Security)
50. Organizational Structures
Aspect | Characteristics (Information Security Manager) | Characteristics (Mobile Security Specialist)
Mandate | Overall responsibility for the management of information security efforts | Operational responsibility for securing mobile devices
Reporting | Reports to the CISO (or, in some enterprises, to the business unit leads) | Reports to the information security manager
Scope | Application information security, infrastructure information security, access management, threat management, risk management, awareness program, metrics, vendor assessments | Mobile device security management and monitoring
Level of authority, decision rights | Overall decision-making authority over information security domain practices | Recommends and implements concepts, controls and processes for mobile device security management and monitoring
Delegation rights | Should not delegate decisions related to information security domain practice | No delegation
Escalation | Issues escalated to the CISO | Issues escalated to the information security manager
Accountability | Accountability; responsibility in small and medium-sized enterprises, delegation to experts in larger enterprises | Responsibility
Points of contact: Legal, General Services, Risk Management, Procurement, Development, Information Technology, Audit, Users
Example: Mobile Security
Copyright ISACA
51. Security Example (Mobile Security)
Skills
• Position (job description, career path, …)
• Education (degrees, …)
• Qualifications (certifications, …)
• Experience
• Knowledge, know-how, interpersonal skills
• Availability / retention (access to external resources)
• Training
• Evaluation
52. Security Example (Mobile Security)
Skills
• Information security governance
• Information security strategy formulation
• Information risk management
• Information security architecture
• Information security operations
• Information assessment, testing and compliance
53. People and Skills: Skills
Skills | Mobile security manager/specialist | User
Governance | Extensive skills and experience | Awareness
Strategy formulation | Ability to set mobile device security strategy | Awareness
Risk management | Recognition of mobile device risk and treatment options | Recognition of mobile device risk, avoidance or mitigation behavior
Architecture development | Extensive skills and experience in mobile architectures | Reasonable understanding of mobile architecture and inherent risk
Operations | Extensive skills and experience in operating mobile device architectures, including back end | Experience with operating mobile devices commensurate with device complexity
Assessment, testing, compliance | Ability to perform/support assessments, extensive testing skills, awareness and in-depth understanding of compliance requirements | Awareness of compliance requirements, basic understanding of assessments, ability to participate in testing
Example: Mobile Security
Copyright ISACA
54. People and Skills: Training
Perspective | Key topics | Content
Basics | Mobile device features | Basics and background for use, OS, popular apps, typical risks, security points to note
Basics for senior management | Mobile device features | Basics (in a very short time), how to set an example for all employees, governance and how to communicate it, making security a top priority, eye-opening demonstrations of how easy it is to attack the device, etc.
Business | Business-related services and apps | Onboarding, access and identity management, apps and services offered by the organization, security ground rules, policy and standards, etc.
Outside the enterprise | Travel-related security | Connectivity, foreign networks, what to do when traveling (and what not to do), typical security risk, local warnings, etc.
Private | Private use and security | Popular services and apps, associated risk and security issues, attacks and defense, golden rules of private use (governance), etc.
Advanced | Using advanced features and related security | Knowing the device, advanced apps and features, self-preservation and what to do in security, organizational testing and participation, how to become a key user, etc.
Management | Mobile device security manager skills | Basic/intermediate/advanced series of training courses for information security managers or specialists
Management refresher | Mobile device security manager skills | Regular update on trends, emerging technologies and risk, new security management techniques, etc.
Example: Mobile Security
Copyright ISACA
55. People and Skills: CISO Skills
Domain | Generic skills | Mobile-related skills
Governance | Ability to: |
 | Define metrics that apply to information security governance | Define a full set of mobile device security metrics and measurements
 | Create a performance measurement model | Define mobile device performance indicators for measurement
 | Develop a business case justifying investments in information security | Develop a business case for mobile devices, including standardized solutions vs. partial or full BYOD
 | Knowledge of: |
 | Legal and regulatory requirements | Specific legal and regulatory requirements for mobile device use, including telecommunications and IT
 | Roles and responsibilities required for information security | Mobile device security roles and responsibilities, including end-user responsibilities as defined for the enterprise
 | Methods to implement information security governance policies | Implementing information security governance for mobile device possession and use
 | Fundamental concepts of governance | Fundamental concepts of governance
 | Internationally recognized standards, frameworks and best practices | Internationally recognized standards for mobile devices, mobile OSs, telephony, data transmission, etc.
 | Technical skills: |
 | Good understanding of information security practices that apply to the specific business | Understanding of business dependencies on mobile devices and resulting security requirements
Example: Mobile Security
Copyright ISACA
56. People and Skills: Skills
Domain | Generic skills | Mobile-related skills
Strategy | Ability to: |
 | Understand the enterprise culture and values | Understand the enterprise culture and values
 | Define an information security strategy that is aligned with enterprise strategy | Define a mobile device security strategy in line with the information security strategy
 | Develop information security policies and devise metrics | Develop a mobile device use policy and mobile device security standard
 | Knowledge of: |
 | Information security trends, services and disciplines | Mobile device trends, innovative apps, market developments, emerging risk, new paradigms in mobile work, etc.
 | Technical skills: |
 | Broad understanding of various information security disciplines | Broad understanding of various information security disciplines
Risk management | Knowledge of: |
 | Information asset classification model | Mobile device inventory and asset classification, including hardware, apps, data and information assets
 | Risk assessment and analysis | Mobile device risk assessment
 | Business processes and essential functions | Business processes and functions depending on mobile devices and services
 | Industry standards | Industry standards
 | Risk-related laws and regulations |
 | Risk frameworks and models |
 | Technical skills: |
 | Risk associated with information security practices and activities | Risk associated with mobile device use and mobile security
 | Risk analyses and mitigating controls | Risk analyses and mitigating controls
Example: Mobile Security
Copyright ISACA
57. People and Skills: Skills
Domain | Generic skills | Mobile-related skills
Architecture development | Knowledge of: |
 | Interaction of technologies with business and information security policies | Interaction of mobile devices (technology, services, apps, etc.) with business and general information security
 | Information security architectures | Mobile architectures
 | Application design review and threat modeling | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
 | Methods to design information security practices | Methods to design mobile security practices (organization and end user)
 | Managing information security programs, policies, procedures and standards |
 | Emerging technologies and development methodologies | Emerging mobile technologies and app development tools
 | Technical skills: |
 | Deep and broad knowledge of IT and emerging trends | Deep and broad knowledge of anything that moves (i.e., anything that could be seen as a mobile device in the broadest sense)
 | Technical design capabilities | Technical design capabilities
 | Strong subject matter expertise in computer operations | Reasonable expertise in computer operations, strong expertise in linking mobile devices to back-end/data center operations
Example: Mobile Security
Copyright ISACA
58. People and Skills: Skills
Domain | Generic skills | Mobile-related skills
Operations | Knowledge of: |
 | Log monitoring, log aggregation, log analysis | Log monitoring, log aggregation, log analysis
 | Technical skills: |
 | In-depth knowledge of OSs, authentication, firewalls, routers, web services, etc. | Application design review (mobile apps) and threat modeling (device side, network provider side, etc.)
Assessment, testing, compliance | Knowledge of: |
 | IS audit standards, guidelines and best practices | IS audit standards, guidelines and best practices relevant to mobile devices
 | Audit planning and project management |
 | Local laws and regulations |
 | Technical skills: |
 | Audit-related tools, gap analysis, analytics, etc. | Audit and investigation tools for mobile devices
Example: Mobile Security
Copyright ISACA
59. Security Example (Mobile Security)
Ethics, Culture, Behavior
For organizations as well as for individuals
The set of ways of thinking and acting, and of explicit or implicit rules and attitudes, that characterize an entity
• Values
• Behavior
• Risk taking
• Non-compliance
• Outcomes (positive, negative, …): learning, blaming, …
• Incentives
• Deterrents
60. Security Example (Mobile Security)
Ethics, Culture, Behavior
Expected behaviors
• 8 expected behaviors
Leadership
• Communication, leading by example, rules
• Incentives
• Awareness
61. Culture, Ethics, Behavior
Reference behavior | Regarding mobile device use
Information security is practiced in daily operations. | Security management and monitoring processes are applied to mobile devices to the agreed extent (standardized/BYOD/combined). End users understand and apply security measures completely and in a timely manner.
People respect the importance of information security principles and policies. | Users are aware of, and ideally actively involved in, defining mobile device security principles and policies. These are updated frequently to reflect day-to-day reality as experienced by the users.
People are provided with sufficient and detailed information security guidance and are encouraged to participate in and challenge the current information security situation. | Mobile device security is a fluid process with regular challenges by users. Security guidance for mobile devices is simple, to the point and relates to typical day-to-day security risk. The security situation is frequently and jointly assessed by users and security managers.
Everyone is accountable for the protection of information within the enterprise. | Security managers and users share accountability for mobile device security. This includes business use and private use (in BYOD scenarios). Users have a clear understanding about their accountability and act responsibly when using mobile devices.
Stakeholders are aware of how to identify and respond to threats to the enterprise. | All mobile device users are stakeholders, regardless of their hierarchical position within the enterprise. There is full awareness of the risk, threats and vulnerabilities associated with mobile device use. Response to threats and incidents is well understood, exercised frequently and auditable.
Management proactively supports and anticipates new information security innovations and communicates this to the enterprise. The enterprise is receptive to accounting for and dealing with new information security challenges. | Security management and end users cooperatively identify, test and adopt innovation in mobile device technology and use. Management and end users foster innovation by identifying and presenting new business cases for technology, mobile services and other types of added value. The enterprise aims at staying in front of the curve in mobile device use.
Business management engages in continuous cross-functional collaboration to allow for efficient and effective information security programs. | Mobile device use (and technology) programs are in place and form part of the IT innovation strategy. Security innovations are actively adopted and incorporated as key projects. Business functions cooperate with information security to maximize the return on information security for mobile services and devices.
Executive management recognizes the business value of information security. | Executive managers act as end users and recognize the value they derive from their use of mobile devices and associated services. They participate in training and awareness activities.
Example: Mobile Security
Copyright ISACA
62. Security Example (Mobile Security)
Services: Applications, Infrastructure, …
• Service capability
• Supporting technology
• Expected benefits
• Objectives and performance indicators
• Architecture
• Reuse
• Acquisition / development
• Simplicity
• Agility
• Openness
63. Services: Infrastructure, Applications, …: Information Security Illustrations
• Security architecture
• Security awareness
• Secure development
• Security assessment
• Systems configured and secured adequately, in line with the security requirements and the security architecture
• User access and access rights in line with business needs
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alerting services for security-related events
Security Example (Mobile Security)
64. Services: Infrastructure and Applications, …
• Security architecture
• Security awareness
• Secure development
• Security assessments
• Adequately secured and configured systems
• User access and access rights in line with business requirements
• Adequate protection against malware, external attacks and intrusion attempts
• Adequate incident response
• Security testing
• Monitoring and alert services for security-related events
• Device management
• Device structure
• Device OSs
• Applications
• Connectivity
Example: Mobile Security
65. Services: Infrastructure and Applications, …
Device Management
• Overarching device management system
• Identity and access management (IAM)
• Malware protection (including attacks and intrusions)
• Security testing and monitoring
• Incident response
Example: Mobile Security
66. Services: Infrastructure and Applications, …
Device Structure
• Enhanced SIM card functionality
• Hardware add-ons for security purposes
• Use of inbuilt processors for specific security tasks
• Firmware modifications (own security builds)
Security Example (Mobile Security)
67. Services: Infrastructure and Applications, …
Device OSs
• Kernel modifications (usually done through firmware updates)
• OS "tweaking" tools, registry and configuration editors
• Modifications to factory reset
• Modifications to the first responder interface
• Device/SIM interaction changes
• Remote control interfaces (usually provided by the vendor)
• Secure coding tools and resources
Example: Mobile Security
68. Services: Infrastructure and Applications, …
Applications
• Antivirus
• Application patching
• Control risk assessments
• Penetration testing
Example: Mobile Security
69. Services: Infrastructure and Applications, …
Connectivity
• Secure coding resources and tools specifically for protecting existing connections
• Technical tools such as fuzzers, sniffers, protocol analyzers
• Remote configuration and control solutions
• Cloud access management
Example: Mobile Security
70. Services: Infrastructure, Applications, …
Security Example (Mobile Security)
Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity
Architecture/plan services | Configuration management database (CMDB), asset management systems | | Reporting agents, policy management solutions, vulnerability scanners | | Cloud access management
Awareness | Training courses, news feeds | Knowledge bases, vendor and industry advisories | Knowledge bases, vendor and industry advisories, computer emergency response team (CERT) advisories | Training tools, collaboration tools | Email, social media, news feeds
Development | | Compilers, linkers, secure coding resources | Secure coding resources, code scanners, static and binary analysis tools | Secure coding resources | Secure coding resources
Assessments | Threat and vulnerability risk assessment (TVRA) | Log analyzers, flash readers | Log analyzers, other tools | Reporting tools | Fuzzers, sniffers, protocol analyzers, network analyzers, honeypots
Secured and configured systems | | Firmware, vendor tools | Kernel and related, security model, first responder interface, system and patch management, OS tools | CMDB tools and agents | Remote configuration and control solutions
Copyright ISACA
71. Services: Infrastructure, Applications, …
Example: Mobile Security
Service | Device Management | Device Structure | Device Operating System | Device Applications | Device Connectivity
Access rights | Biometrics, dongles, smart cards (SIM) | Embedded device IDs, embedded processors, location services | Public key infrastructure (PKI) and encryption, configuration management tools, software distribution tools, provisioning | Encryption and related apps, provisioning and IAM tools | Cloud access management
Malware and attack protection | Central anti-malware solutions | Vendor advisories, other advisories, device management | CMDB, patch management, knowledge bases, software distribution, firewalls, IDS | PKI, antivirus, anti-malware, packet analyzers, IDS agents, honeypots, tarpits, browser protection, sandboxing | Remote configuration and control solutions, virtualization and cloud apps
Incident response | TVRA, business continuity management (BCM) and IT service continuity management (ITSCM), vendor advisories, industry advisories | Vendor advisories, industry advisories | Memory inspection tools, network analyzers, log analyzers, reverse engineering, malware analysis, security information and event management (SIEM) | App and data inspection tools, backup and restore, vendor recovery tool sets, vendor forensics tools | Cloud recovery tools
Monitoring and alerting | Central log management, alerting systems, management dashboards, network operations centers | Vendor tools | System logs, monitoring agents, reporting agents | Monitoring tools | Traffic monitoring, network analyzers, cloud logging
Copyright ISACA
72. IT (Security) Example (Mobile Security)
IT processes
• 129 IT process objectives
• 207 IT practices
• 1108 IT activities
• 266 IT performance indicators
• 26 IT roles + business roles in IT
Business and IT
• 17 business objectives
• 17 IT objectives
• 59 IT performance indicators
Security processes
• 79 security process objectives
• 188 security practices
• 378 security activities
• 154 security performance indicators
73. Security Example (Mobile Security)
For the IT process Manage Operations
Copyright ISACA
74. IT (Security) Example (Mobile Security)
For the IT process Manage Operations
Copyright ISACA
75. Security Example (Mobile Security)
For the IT process Manage Operations
Copyright ISACA
76. Security Example (Mobile Security)
Security processes that are added to the IT processes
For the IT process Manage Operations
77. Security Example (Mobile Security)
Security processes that are added to the IT processes
For the IT process Manage Operations
Copyright ISACA
78. Processes
IT Process | Mobile Device Security Management Process
EDM01 Ensure governance framework setting and maintenance | Reflect governance in mobile device use policy, maintain policy in line with general process
EDM02 Ensure benefits delivery | Mobile device value optimization process
EDM03 Ensure risk optimisation | Mobile device security risk management process
APO03 Manage enterprise architecture | Subsidiary process for mobile devices that substantiates security solutions as part of overall architecture
APO04 Manage innovation | Subsidiary mobile device (security) innovation process
APO05 Manage portfolio | Subsidiary process for mobile devices to identify and obtain funds for security management
APO06 Manage budget and costs | Subsidiary mobile device security budgeting process
APO09 Manage service agreements | Subsidiary process for mobile device service level agreements (SLAs) and operating level agreements (OLAs)
BAI06 Manage changes | Subsidiary processes for mobile device change management and emergency changes
DSS04 Manage continuity | Subsidiary process for mobile device service continuity management; autonomous process (subsidiary to business continuity/disaster recovery) for mobile device business recovery
DSS03 Manage problems | Subsidiary processes for mobile device security problems and known errors
MEA03 Monitor, evaluate and assess compliance with external requirements | Subsidiary process for identifying and interpreting external compliance requirements for mobile devices
Example: Mobile Security
Copyright ISACA
79. Security Example (Mobile Security)
Information
• Objectives and performance indicators
• Life cycle
• Good practices
• Responsibilities
• Constraints
• Content
80. Security Example (Mobile Security)
Information
• Strategy
• Budget
• Plan
• Policies
• Requirements
• Awareness
• Review reports
• Dashboard
81. Information
Type of information
• Replicated emails, contacts, calendars and notes
• Music, movies and other content that users have acquired
• Mobile banking and micropayments
• Airline ticketing and electronic boarding card (similar for railways)
• Vendor app stores and related transactions
• Social networking and cloud services
• Geolocation data
• Device coupling with other devices (vehicles, buildings, public networks, etc.) and semi-permanent "partnership" data
• Voice, video and data connection information (semi-permanent)
• Original data created by the mobile device (pictures, videos, waypoints, etc.)
• Chat and file transfer information, for example, notes taken from popular Internet telephony software
• Information stored by telecommunications providers as mandated by law, for example, connection date and time stamps
Example: Mobile Security
82. COBIT 5 Online
COBIT 5 Online is a multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version is to provide easy access to online versions of COBIT 5 publications.
While retaining all of the stylistic conventions of print editions, the online editions greatly simplify the process of navigating, searching and exporting the principles, practices, analytical tools and models that make COBIT 5 an essential resource for the governance and management of enterprise IT.
The new online service will include features such as:
• Access to publications in the COBIT 5 product family
• Access to other, non-COBIT, ISACA content and current, relevant GEIT material
• Ability to customize COBIT to fit the needs of your enterprise, with access for multiple users
• Access to tools: Goals Planner, RACI Planner, Self Assessment, …
83. Appendix
COBIT 5: Other Publications
84. COBIT 5 Deliverables : A Business Framework for the
Governance and Management of Enterprise IT (94 pages)
• Executive Summary
• Overview of COBIT 5
• Principle 1 : Meeting Stakeholder Needs
• Principle 2 : Covering the Enterprise End-to-End
• Principle 3 : Applying a Single Integrated Framework
• Principle 4 : Enabling a Holistic Approach
• Principle 5 : Separating Governance from Management
• Implementation Guidance
• The COBIT 5 Process Capability Model
• Appendices
85. COBIT 5 Deliverables : A Business Framework for the
Governance and Management of Enterprise IT
• Appendix A : References
• Appendix B : Detailed Mapping 17 Enterprise Goals – 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT-related Goals – 37 IT-related Processes
• Appendix D : 22 Stakeholder Needs and 17 Enterprise Goals
• Appendix E : Mapping of COBIT 5 with the most relevant related standards and frameworks
(ISO/IEC 38500, ITIL V3 2011 - ISO/IEC 20000, ISO/IEC 27000 Series, ISO 31000 Series,
TOGAF, CMMI, PRINCE2)
• Appendix F : Comparison between COBIT 5 Information Reference Model and the COBIT
4.1 information criteria
• Appendix G : Detailed description of COBIT 5 Enablers
• Appendix H : Glossary
• Appendix G in detail : Detailed description of COBIT 5 Enablers
• Introduction
• COBIT 5 Enabler : Principles, Policies and Frameworks
• COBIT 5 Enabler : Processes
• COBIT 5 Enabler : Organisational Structures
• COBIT 5 Enabler : Culture, Ethics and Behaviour
• COBIT 5 Enabler : Information
• COBIT 5 Enabler : Services, Infrastructures and Applications
• COBIT 5 Enabler : People, Skills and Competencies
86. COBIT 5 Deliverables : Enabling Processes (230 pages)
• Introduction
• The Goals Cascade and Metrics for Enterprise Goals and IT-related Goals
– COBIT 5 Goals Cascade : Stakeholder Drivers, Stakeholder Needs, Enterprise Goals, IT-related Goals, Enabler Goals
– Using the COBIT 5 Goals Cascade
– Metrics : Enterprise, IT
• The COBIT 5 Process Model
– Enabler Performance Management
• The COBIT 5 Process Reference Model
– Governance and Management Processes (5 governance processes and 32 management processes)
– Reference Model
• COBIT 5 Process Reference Guide Contents
– Generic Guidance for Processes :
• EDM : Evaluate, Direct and Monitor
• APO : Align, Plan and Organize
• BAI : Build, Acquire and Implement
• DSS : Deliver, Service and Support
• MEA : Monitor, Evaluate and Assess
• Appendix A : Mapping between COBIT 5 and legacy ISACA Frameworks (COBIT 4.1, Val IT
2.0, Risk IT Management Practices)
• Appendix B : Detailed Mapping 17 Enterprise Goals and 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT-related Goals and 37 IT‐related Processes
• 17 Enterprise Goals, 17 IT-related Goals, 59 IT-related Goal metrics
• 129 IT Process Goals
• 266 IT Process Goal Metrics
• 207 IT Practices
• 26 business and IT roles in IT Practices
• 1108 IT Activities
87. COBIT 5 Deliverables : Enabling Processes
• Process identification : Label, Name, Area, Domain
• Process description
• Process purpose statement
• IT goals and metrics supported
• 17 IT-related Goals, 59 IT-related Goal Metrics
• Process goals and metrics
• Governance : 15 IT Process Goals and 37 IT Process Goal metrics
• Management : 114 IT Process Goals and 229 IT Process Goal metrics
• RACI chart
• 26 Business and IT Roles concerned with the 207 IT Practices
• Detailed description of the process practices
• Description, inputs and outputs with origin/destination, activities
• Governance : 12 IT Governance Practices and 79 IT Governance Activities
• Management : 195 IT Management Practices and 1029 IT Management Activities
• Related guidance
88. COBIT 5 Deliverables : Information Security (220 pages)
• Executive Summary: Introduction, Drivers, Benefits, Target Audience, Conventions
• Information Security
• Information Security Defined
• COBIT 5 Principles
• Using COBIT 5 Enablers for Implementing Information Security in Practice
• Introduction
• Enabler : Principles, Policies and Frameworks
• Enabler : Processes
• Enabler : Organizational Structures
• Enabler : Culture, Ethics and Behaviour
• Enabler : Information
• Enabler : Services, Infrastructure and Applications
• Enabler : People, Skills and Competencies
• Adapting COBIT 5 for Information Security to the Enterprise Environment
• Introduction
• Implementing Information Security Initiatives
• Using COBIT 5 to connect to other frameworks, models, good practices and standards
• Appendix A to G : Detailed Guidance for each of the 7 categories of enablers
• Appendix H : Detailed Mappings
• Acronyms, Glossary
89. COBIT 5 Deliverables : Information Security
• Appendix A Detailed Guidance : Principles, Policies and Frameworks
• 3 high level security principles with 12 elements : Objective and description
• 13 types of policies : scope, validity, goals (5 driven by security function, 8 driven by other functions)
• Appendix B Detailed Guidance Processes (see next page)
• Appendix C Detailed Guidance : Organizational Structures
• 5 types of security-related organizational structures : Composition, Mandate, Operating principles,
Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• Appendix D Detailed Guidance : Culture, Ethics and Behaviour
• 8 types of security-related expected behaviours
• Appendix E Detailed Guidance : Information
• 34 types of security-related information stakeholders
• 10 types of security related information : goals, life cycle, good practice
• Appendix F Detailed Guidance : Services, Infrastructure and Applications
• 10 types of security services : 27 security-related service capabilities (supporting technology, benefit,
quality goal, metric)
• Appendix G Detailed Guidance : People, Skills and Competencies
• 7 types of security set of skills and competencies : description, experience, education, qualifications,
knowledge, technical skills, behavioural skills, related role structure
• Appendix H Detailed Mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)
90. COBIT 5 Deliverables : Information Security
Processes Enabler
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Security-specific Process Goals and Metrics
• Governance : 8 Security Process Goals and 17 Security Process Goals related Metrics
• Management : 71 Security Process Goals and 137 Security Process Goals related Metrics
• Security-specific Process Practices, Inputs/Outputs and Activities
• Description of governance/management practice, security-specific inputs and outputs in addition to
COBIT 5 inputs and outputs with origin/destination, security-specific activities in addition to COBIT
5 activities
• Governance : 12 Security Governance Practices and 31 Security Governance Activities
• Management : 176 Security Management Practices and 347 Security Management Activities
• Related Guidance
91. COBIT 5 Deliverables : Risk (244 pages)
• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience, Overview
and Guidance on use of Publication, Prerequisite Knowledge
• Risk and Risk Management
• The Governance Objective : Value Creation
• Risk : Risk Categories, Risk Duality, Interrelationship between Inherent, Current and Residual Risk
• Scope of Publication (Two Perspectives on Risk : Risk Function and Risk Management Perspectives)
• Applying the COBIT 5 Principles to Managing Risks
• The Risk Function Perspective
• Introduction to Enablers
• The 7 Enablers
• The Risk Management Perspective and using COBIT 5 Enablers
• Core Risk Processes
• Risk Scenarios
• Generic Risk Scenarios
• Risk Aggregation
• Risk Response
• How this Publication Aligns with Other Standards
• ISO 31000, ISO/IEC 27005:2011, COSO ERM
• Appendix A : Glossary
• Appendix B : Detailed Risk Governance and Management Enablers
• Appendix C : Core Risk Management Processes
• Appendix D : Using COBIT 5 Enablers to Mitigate IT Risk Scenarios (20 scenarios)
• Appendix E : Comparison of Risk IT with COBIT 5
• Appendix F : Comprehensive Risk Scenario Template
92. COBIT 5 Deliverables : Risk
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 7 high level risk principles : Principle and Explanation
• 18 types of risk policies : Scope, Validity, Management Commitment and Accountability, Risk
Governance, Risk Management Framework
• Appendix B. Detailed Guidance Processes (see next page)
• 12 key risk function supporting processes
• 2 key risk management supporting processes
• Appendix C. Detailed Guidance : Organizational Structures
• 5 key risk-related organizational structures : Composition, Mandate, Operating principles, Span of
control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• 17 other relevant structures for Risk : Description, Role in risk process
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
• 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior
• Appendix E. Detailed Guidance : Information
• 13 types of risk related information items : stakeholders, stakes, goals, life cycle, good practices, links
to other enablers
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
• 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)
• 3 types of risk infrastructure (description), 5 types of risk applications (description)
• Appendix G. Detailed Guidance : People, Skills and Competencies
• 11 types of risk set of skills and competencies (description) and 2 risk roles (description, experience,
education, qualifications, knowledge, technical skills, behavioral skills, related role structure)
93. COBIT 5 Deliverables : Risk
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Risk-specific Process Goals and Metrics
• Risk Function
• Governance : 5 Risk Process Goals and 12 Risk Process Goals related Metrics
• Management : 14 Risk Process Goals and 24 Risk Process Goals related Metrics
• Risk-specific Process Practices, Inputs/Outputs and Activities
• Description of governance/management practice, risk-specific inputs and outputs in
addition to COBIT 5 inputs and outputs with origin/destination, risk-specific activities in
addition to COBIT 5 activities
• Risk Function
• Governance : 9 Risk Governance Practices and 28 Risk Governance Activities
• Management : 50 Risk Management Practices and 80 Risk Management Activities
• Risk Management
• Governance : 2 Risk Governance Practices and 12 Risk Governance Activities (69 actions)
• Management : 6 Risk Management Practices and 26 Risk Management Activities (103 actions)
94. COBIT 5 Deliverables : Assurance (318 pages)
• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target Audience,
Document Overview and Guidance on its use, Prerequisite Knowledge
• Assurance
• Assurance defined : 3 party relationship, subject matter, suitable criteria, execution, conclusion
• Scope of Publication : Two Perspectives (Assurance Function Perspective and Assessment Perspective)
• Principles of providing Assurance (Engagement types)
• Assurance Function Perspective : Using COBIT 5 Enablers for Governing and Managing an
Assurance Function
• Introduction to Enablers
• The 7 Enablers
• Assessment Perspective : Providing Assurance Over a Subject Matter
• Core Assurance Processes
• Introduction and Overview of the Assessment Approach
• Determine the scope of the Assurance Initiative (Phase A)
• 3 aspects to be taken into account (stakeholders, goals, 7 enablers), 14 steps, an example
• Understand the Enablers, Set Suitable Assessment Criteria and Perform the Assessment (Phase B)
• Achievement of goals (2 steps), 7 enablers (37 steps)
• Generic Approach for Communicating on an Assurance Initiative (Phase C)
• 2 aspects (document and communicate) and 5 steps
• How this publication relates to other Standards
• ITAF, 2nd Edition, International Professional Practices Framework (IPPF) for Internal Auditing
Standards 2013, Statement on Standards for Attestation Engagements N° 16 (SSAE 16)
• Appendix A : Glossary
• Appendix B : Detailed Enablers For Assurance Governance and Management
• Appendix C : Core Assurance Processes
• Appendix D : Example Audit / Assurance Programmes (3 examples : Change Management,
Risk Management, BYOD)
95. COBIT 5 Deliverables : Assurance
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 4 areas : Covered by ITAF, 2nd Edition (18 sections of ITAF)
• Appendix B. Detailed Guidance Processes (see next page)
• 11 key processes supporting assurance provisioning
• 3 key core assurance processes
• Appendix C. Detailed Guidance : Organizational Structures
• 4 key assurance-related organizational structures : Composition, Mandate, Operating principles,
Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• 12 other relevant structures for Assurance : Description, Stake in Assurance provisioning
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
• 5 types of enterprise wide behavior, 8 types of assurance professional behavior, 10 types of
management behavior : Behavior, Key Objective/Suitable criteria/outcome,
Communication/Enforcement actions, Incentives and rewards actions, Raising awareness actions
• Appendix E. Detailed Guidance : Information
• 18 types of information items supporting assurance : stakeholders, stakes, goals, life cycle, good
practices, links to other enablers
• 5 types of additional information items input : description
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
• 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
• 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)
• Appendix G. Detailed Guidance : People, Skills and Competencies
• 16 types of assurance set of skills and competencies : description, experience, education,
qualifications, knowledge, technical skills, behavioral skills
96. COBIT 5 Deliverables : Assurance
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Assurance-specific Process Goals and Metrics
• Processes Supporting Assurance Provisioning
• Governance : 8 Assurance Process Goals and 11 Assurance Process Goals related Metrics
• Management : 11 Assurance Process Goals and 19 Assurance Process Goals related Metrics
• Core Assurance Processes
• Management : 11 Assurance Process Goals and 17 Assurance Process Goals related Metrics
• Assurance-specific Process Practices, Inputs/Outputs and Activities
• Description of governance/management practice, assurance-specific inputs and outputs
in addition to COBIT 5 inputs and outputs with origin/destination, assurance-specific
activities in addition to COBIT 5 activities
• Processes Supporting Assurance Provisioning
• Governance : 9 Assurance Governance Practices and 28 Assurance Governance Activities
• Management : 50 Assurance Management Practices and 80 Assurance Management Activities
• Core Assurance Processes
• Management : 17 Core Assurance Practices and 88 Core Assurance Activities (124 actions)
97. COBIT 5 Deliverables : Implementation (78 pages)
• Introduction
• Positioning GEIT
• Taking the first steps towards GEIT
• Identifying implementation challenges and success factors
• Enabling change
• Implementation life cycle tasks, roles and responsibilities
• Using the COBIT 5 components
• Appendix A : Mapping Pain Points to COBIT 5 Processes
• Appendix B : Example Decision Matrix
• Appendix C : Mapping Example Risk Scenarios to COBIT 5 Processes
• Appendix D : Example Business Case
• Appendix E : COBIT 4.1 Maturity Attribute Table