Table of Contents
Purpose of This Publication
Introduction
What Is Cybersecurity?
Cybercrime and Advanced Persistent Threats (APTs)
Cyberwarfare
Other Relevant Threats
The COBIT 5 Product Family
Transforming Cybersecurity Using COBIT 5
1. Impact of Cybercrime and Cyberwarfare on Business and Society
Trends and Game Changers
Business and Organizational Impact
Individual and Societal Impact
Legal and Regulatory Impact
2. Threats, Vulnerabilities and Associated Risk
Vulnerability and Threat Categorization
Identifying Systemic Weaknesses
Integrating Attack and Incident History
Organizational Risk
Organizational Design and Structural Risk
Organizational Governance, Compliance and Control Risk
Cultural Risk
Social Risk
People Risk
Individual Culture Risk
Risk Associated With Human Factors
Emergence Risk
Technical Risk
Architecture-related Risk
Application Layer Risk
Risk Related to the Operating System Layer
IT Infrastructure Risk
Technical Infrastructure Risk
3. Security Governance
The Business Case
Governing Cybersecurity Transformation
Establish Current State
Define Target State
Strategic and Systemic Transformation
Applying COBIT 5 to Cybersecurity Governance
Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Mapping COBIT 5 to Val IT and Risk IT
4. Cybersecurity Management
Existing Security Controls
Principles, Policies and Frameworks
Information Security Principles
Information Security Policy
Cybersecurity Policy
Cybersecurity Management Standard
Cybersecurity Key Operating Procedures (KOPs)
Processes
Security Management Processes
Security Monitoring Processes
Continuity-related Processes
Organizational Structures
Culture, Ethics and Behavior
Defining Model Behaviors
Daily Operations
Importance of Principles and Policies
Sufficient and Detailed Guidance
Accountability
Stakeholder Awareness of Threats
Innovation Support
Business Management Cross-functional Involvement
Executive Management Recognition
Information
Protecting Sensitive Information
Protecting Personal Information
Protecting Information in the Cloud
Services, Infrastructure and Applications
Security Architecture
Security Awareness
Secure Development
Security Assessments
Adequately Secured and Configured Systems
User Access and Access Rights in Line With Business Requirements
Adequate Protection Against Malware, External Attacks and Intrusion Attempts
Adequate Incident Response
Security Testing
Monitoring and Alert Services for Security-related Events
People, Skills and Competencies
Security Management Skills
End-user Skills
Cybersecurity Training
5. Cybersecurity Assurance
Auditing and Reviewing Cybersecurity
Audit Universe
Audit Objectives
Planning and Scoping
Legal Considerations
Privacy and Data Protection
Logging, Data Retention and Archiving
Audit Data Storage and Archiving
Cybersecurity Investigation and Forensics
Investigative Requirements
Privacy Concerns
Investigative Approach—Ex Post
Investigative Approach—Real Time
Chain of Custody
E-discovery
6. Establishing and Evolving Systemic Security
The Cybersecurity System
Attack Anatomy
Mapping Vulnerabilities, Threats and Risk
Systemic Governance, Management and Assurance
Identifying Potential Security Improvements
Targeting Cybersecurity Investments
Applying COBIT 5 to Systemic Security
7. Guiding Principles for Transforming Cybersecurity
Principle 1. Know the potential impact of cybercrime and cyberwarfare.
Principle 2. Understand end users, their cultural values and their behavior patterns.
Principle 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise.
Principle 4. Establish cybersecurity governance.
Principle 5. Manage cybersecurity using principles and enablers.
Principle 6. Know the cybersecurity assurance universe and objectives.
Principle 7. Provide reasonable assurance over cybersecurity.
Principle 8. Establish and evolve systemic cybersecurity.
Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security to Cybersecurity
Processes Enabler Mappings
Services, Infrastructure and Applications Enabler Mapping
People, Skills and Competencies Enabler Mapping
Appendix B. Intelligence, Investigation and Forensics in Cybersecurity
Appendix C. Sources
List of Figures
Acronyms
