What the COBIT Maturity Model Provides

By: Chris Cathers, Secure Digital Solutions

In this new world of cyber threats, weekly data breach news, and executive stakeholder concerns, we are entering a phase that requires a discussion of what Information Security 2.0 should look like. With this in mind, it is time to consider revising (or creating) a CISO Playbook.

In my discussions with clients across multiple industries there is one common theme: regulatory pressures are increasing as a result of recent fraud and data breaches.

It is no surprise that regulators and auditors are increasing their scrutiny of information security controls. Using a control framework (e.g. NIST, ISO) as the base of recommended controls is not enough to manage information security effectively. Effective management also requires understanding the maturity of the processes, and the expertise of the people in the organization, responsible for supporting the specified controls.

As an example, if a DLP (Data Loss Prevention) system is implemented to prevent the extraction or loss of confidential information, it is not enough just to have the DLP solution in place. You also need the expertise to run the solution, the reporting and decision support needed to act when an alert fires, the right metrics delivered to the right people, and policies that back all of this up. This is how a CISO can define an effective process supporting the controls.

In order to elevate information security, we suggest adding a level of measurement above the mere existence of controls and the risk associated with deficiencies: measuring your program through the lens of Awareness, Policy/Procedure, Accountability, Measurability, Expertise, and Automation. As COBIT 4.1 suggests, these maturity attributes are critical to understanding the full breadth of capability within the information security processes that actually support the chosen control framework(s) and regulation(s). This approach gives a CISO Playbook a real advantage: it allows the CISO to look at all of the parts that make up the whole, instead of taking the classical audit perspective of "on" or "off" based on whether a control is in place or not.

To learn more about how to achieve this process with significant performance and planning metrics, read more about our cloud-based platform, Accliviti.