COBIT, BSC, SSE-CMM 1 Running Head: COBIT, BSC, SSE-CMM


Integration of COBIT, Balanced Scorecard and SSE-CMM as a strategic Information Security Management (ISM) framework

By Suchit Ahuja

A Directed Project Submitted in Partial Fulfillment of the Requirement for the Degree of Master of Science

Purdue University, West Lafayette
College of Technology
July 2009

Abstract

The purpose of this study is to explore the integrated use of Control Objectives for Information Technology (COBIT) and Balanced Scorecard (BSC) frameworks for strategic information security management. The goal is to investigate the strengths, weaknesses, implementation techniques, and potential benefits of such an integrated framework. This integration is achieved by “bridging” the gaps or mitigating the weaknesses that are recognized within one framework, using the methodology prescribed by the second framework. Thus, integration of COBIT and BSC can provide a more comprehensive mechanism for strategic information security management – one that is fully aligned with business, IT and information security strategies. The use of the Systems Security Engineering Capability Maturity Model (SSE-CMM) as a tool for performance measurement and evaluation can ensure the adoption of a continuous improvement approach for successful sustainability of this comprehensive framework. There are some instances of similar studies conducted previously:

- metrics based security assessment (Goldman & Christie, 2004) using ISO 27001 and SSE-CMM
- mapping of processes for effective integration of COBIT and SEI-CMM (IT Governance Institute, 2007a)
- mapping of COBIT with ITIL and ISO 27002 (IT Governance Institute, 2008) for effective management and alignment of IT with business

The factor that differentiates this research study from the previous ones is that none of the previous studies integrated BSC, COBIT and SSE-CMM to formulate a comprehensive framework for strategic information security management (ISM) that is aligned with business, IT

and information security strategies. Therefore, a valid opportunity to conduct this research study exists.

Table of Contents

Abstract ... 2
List of Figures ... 6
List of Tables ... 8
List of Appendices ... 8
Acknowledgements ... 9
Introduction ... 10
Statement of the Problem ... 12
Significance of the Problem ... 15
Statement of the Purpose ... 18
Definitions ... 22
Assumptions ... 23
Delimitations ... 24
Limitations ... 25
Review of Literature ... 26
Purpose of COBIT: IT Governance or Security Controls? ... 26
Strengths of COBIT ... 27
Weaknesses of COBIT ... 28
Purpose of Balanced Scorecard (BSC) ... 29
Weaknesses of BSC ... 32
The importance of security measurement and performance evaluation ... 33
Conclusion of Review of Literature ... 38
Procedures ... 40
Gap Analysis of COBIT and BSC frameworks ... 40
Mitigation of Gaps based on previous research and added value from current efforts ... 40
The formulation of the integrated framework ... 50
COBIT – BSC Gap Analysis ... 52
Scenario 1: The standalone use of Balanced Scorecard (BSC) in order to achieve alignment between business strategy, IT strategy, and ISM strategy ... 52
Scenario 2: The standalone use of COBIT for information security management ... 54
Findings ... 57
Information / IT Governance Gap (#2.1) ... 59
Business Alignment Gap (#1.1) ... 60
InfoSec Audit and Up-Reporting Gaps (#1.2, 2.2) ... 61
Maturity Measurement Gaps (#1.3, 1.4, 2.3, 2.4) ... 63
Conclusions ... 68
Discussion about risk management within the strategic ISM framework ... 70
Recommendations for future work ... 71
References ... 72
Appendix A – Cascading balanced scorecard example ... 81

List of Figures

Figure 1. Primary drivers for ISM deployment (Ernst & Young, 2008) ... 13
Figure 2. Perception of information security strategy (Ernst & Young, 2008) ... 14
Figure 3. Significance of regulatory compliance in ISM (Pironti, 2006) ... 16
Figure 4. IT Governance global status report of 2008 (IT Governance Institute, 2008) ... 17
Figure 5. Solutions/Frameworks used for ISM (IT Governance Institute, 2008) ... 20
Figure 6. Balanced Scorecard pyramid (Kaplan & Norton, 1996) ... 30
Figure 7. Balanced Scorecard domains (Kaplan & Norton, 1996) ... 31
Figure 8. Balanced Scorecard cascade (Kaplan & Norton, 1996) ... 31
Figure 9. List of Maturity Models for Security (Ozkan, Hackney & Bilgen, 2007) ... 36
Figure 10. Comparison of SSE-CMM to related models (SSE-CMM.org, 2009) ... 38
Figure 11. Cascading BSC Gaps (Goldman & Ahuja, 2009) ... 41
Figure 12. COBIT Gaps (Goldman & Ahuja, 2009) ... 42
Figure 13. Application of frameworks at different levels of the organization for security management (Da Cruz & Labuschagne, 2006) ... 44
Figure 14. Information Security KPI & KGI mapping to business level (Grembergen & Haes, 2005) ... 45
Figure 15. SSE-CMM Process Areas (Goldman & Christie, 2004) ... 46
Figure 16. SSE-CMM (v. 3.0) Process Areas ... 47
Figure 17. SSE-CMM (v. 3.0) Process Areas ... 47
Figure 18. SSE-CMM (v. 3.0) Capability Maturity Levels ... 48
Figure 19. COBIT domains mapping with SEI-CMM PAs - summary chart (Mallette, 2005) ... 49
Figure 20. Mitigation of Gaps (Goldman & Ahuja, 2009) ... 58
Figure 21. Information Classification Matrix & COBIT Information Criteria ... 60
Figure 22. COBIT - Cascading BSC Mapping ... 61
Figure 23. Cascading KPIs & KGIs for mitigation of Audit/Up-Reporting Gaps ... 62
Figure 24. Organizational impact of a COBIT implementation (ITGI, 2008) ... 68

List of Tables

Table 1 ... 56
Table 2 ... 64
Table 3 ... 65
Table 4: Core Functional Areas - Business BSC Perspectives ... 81
Table 5: Objectives mapped to strategy ... 82
Table 6: Measurements mapped to objectives ... 82
Table 7: Fixing targets for future ... 83
Table 8: Organization-level initiatives ... 83
Table 9: IT BSC strategies mapped to Business BSC perspectives ... 84
Table 10: IT Measurements ... 84
Table 11: Targets ... 84
Table 12: IT Organizational Level Initiatives ... 85
Table 13: HIPAA-COBIT-InfoSec BSC mapping ... 85
Table 14: COBIT Security Objectives Mapping ... 86
Table 15: Targets ... 86
Table 16: Initiatives ... 86

List of Appendices

Appendix A – Cascading balanced scorecard example ... 80

Acknowledgements

I am heartily thankful to my faculty advisor and chair of my advisory committee, Prof. Jim Goldman, whose guidance and support enabled me to complete this project. Prof. Goldman’s vision and passion for the subject inspired me to work hard to accomplish the objectives of this project, while his unconditional support allowed me to present at reputed conferences and gather invaluable feedback on the research. I also thank Prof. Jeff Brewer and Prof. Lorenzo Martino, who have supported me as members of my advisory committee and helped me refine my work.

I offer my regards and gratitude to Prof. Khalid Moidu, for inspiring me to work towards my Master’s degree and for providing me with opportunities that have contributed greatly to my knowledge, learning and growth. I also owe many thanks to my supervisor, Pam Buroff-Murr, for her unruffled support and understanding.

Lastly, I thank God; my parents, especially my mom, who has been a pillar of strength; and my friends for their love, blessings and patience.

Introduction

Threats to security of business information, information-based assets, intellectual property, and privacy of personal information are increasing. According to Privacy Rights Clearinghouse (2009), a consumer privacy protection foundation, more than 250 million records containing sensitive personal information were involved in security breaches in the U.S. since January 2005. In order to proactively deal with these growing threats and to protect the security and privacy of information-based assets, organizations are increasingly adopting information security management systems (ISMS). Although organizations use several established international standards and frameworks like ISO 27001, ISO 27799, ISO 27002, NIST, FIPS, ANSI, etc. for information security management, the primary driving factor for such implementations is regulatory compliance requirements (Turner, Oltsik & McKnight, 2008). In order to be compliant with requirements of applicable industry regulations like the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Children's Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), etc., organizations adopt ISMS and frameworks. The IT organization also adopts best practices and supporting tools like IT Infrastructure Library (ITIL), Control Objectives for Information Technology (COBIT), Capability Maturity Model Integration (CMMI), Six Sigma, etc. for IT service, support, quality management and information security management.

The strategic integration of these frameworks and tools is not easy for the organization, as successful implementation is dependent upon a range of factors, from organizational culture to training of employees (Elci, Ors & Preneel, 2008). Organizations can gain additional value and benefits by using a combination of standards and best practices (for strategic ISM). This is

supported by studies showing the combination of ISO, ITIL and COBIT (Turner, Oltsik & McKnight, 2008). There are also other examples of combinations of standards, such as ISO and SSE-CMM, that have been used for metrics based security assessment (Goldman & Christie, 2004), and other studies that show the mapping of processes for effective integration of COBIT and SEI-CMM (IT Governance Institute, 2007a). A research report released by the IT Governance Institute (2008) in collaboration with the Office for Government Commerce (OGC) maps COBIT with ITIL and ISO 27002, stating that using this combination of standards and best practices can lead to effective management and alignment of IT with business.

This study proposes the integrated use of Control Objectives for Information Technology (COBIT) and Balanced Scorecard (BSC) frameworks for strategic information security management. The goal is to investigate the strengths, weaknesses, implementation techniques, and potential benefits of such an integrated framework. Such an integrated framework bridges the gaps or mitigates the weaknesses that are recognized within one framework, using the methodology prescribed by the second framework. Thus, the integration of COBIT and BSC can provide a more comprehensive mechanism for strategic ISM – one that is fully aligned with business, IT and information security strategies. It is also important to measure and evaluate the performance of the integrated “strategic information security management framework” using a standards based model, like the Systems Security Engineering Capability Maturity Model (SSE-CMM). This will enable evaluation of the effectiveness of the framework and enhance the ISM process by adoption of a continuous improvement approach. This study aims to design a comprehensive ISM framework while trying to add value to previously established principles.

Statement of the Problem

Organizations are increasingly using ISM frameworks in order to mitigate risks and reduce threats to business assets (mainly information assets). A purely technical approach to implementation of information security controls proves insufficient in addressing the strategic objectives of the organization. As displayed in Figure 1 below, according to the results of a Global Information Security Survey (Ernst & Young, 2008), the primary drivers for investment in and implementation of such ISM frameworks are mainly regulatory compliance requirements, loss of revenue, loss of stakeholder confidence, loss to brand and reputation, etc. According to a survey by Computer Weekly (2008), the deployment of such controls is generally counter-productive, as 68 percent of surveyed staff admitted to bypassing their employer’s information security controls in order to do their jobs. This indicates that the investment made by the organization (for technology alone) will either provide low or inadequate returns, resulting in revenue losses and even higher operational expenditures. It also establishes the fact that there is a gap between the information security controls and the overall business and IT strategy of the organization. Hence, a more comprehensive approach to ISM is being recommended by several IT security and governance organizations.

Figure 1. Primary drivers for ISM deployment (Ernst & Young, 2008).

Since the implementation of ISM frameworks is more reactive than proactive, the focus is mostly on implementation of technical controls to prevent security and privacy breaches. As a result, the strategic significance of the ISM framework is either never realized fully or the true potential to transform the business, by using the ISM framework strategically, is ignored. This leads to the existence of ISM processes and procedures that are not aligned with the business objectives of the organization. This fact is highlighted in Figure 2 below, which shows that only 18% of the organizations surveyed had information security strategy as an integrated part of their overall business strategy. The results of this survey show that alignment between business, IT and information security strategies is still not being taken into consideration while deploying ISM processes. A well-aligned approach will not only help mitigate risks and apply technical controls, but also potentially provide benefits to the business. Interestingly, a small number of organizations have started realizing the value of investing in well-aligned business, IT and information security strategies, thereby boosting investment in governance, risk and compliance management as well. According to AMR Research (2008), governance, risk management, and

compliance (GRC) spending exceeded $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.

Figure 2. Perception of information security strategy (Ernst & Young, 2008).

The above discussion implies that any new ISM framework that is developed must address not only information security processes and controls, but also the alignment of such processes and controls with an organization’s overall business and IT strategies. Moreover, it is imperative to take into consideration the aspects of governance, risk and compliance to build a truly comprehensive framework. Therefore, the goal of this research study is to develop an integrated framework that addresses the need for information security requirements as well as alignment between business, IT and information security strategies.

Significance of the Problem

Strategic information security management is gaining increasing importance within organizations, becoming almost imperative as security threats continue to escalate (Sipior & Ward, 2008). According to a new study by McAfee (2009), data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage in 2008. According to a survey by Deloitte Financial and Advisory Services (2009), 91% of public corporations expect fraud to increase or remain the same in 2009. The number of information security incidents reported by federal agencies jumped from 5,146 in fiscal 2006 to 12,986 in 2007, with a 70 percent increase in unauthorized access to federal networks alone, according to a report from the U.S. Office of Management (Aitoro, 2008). Figure 3 below points to an obvious lack of effective information security measures - both technical and management-focused, because regulatory compliance is often the primary driver for deployment of ISM programs within an organization (Pironti, 2006). It is critical for organizations to implement effective solutions for information security management that are based on strategic objectives. The focus of information security is generally more towards deploying technical tools and systems instead of using a comprehensive framework that includes people, processes, technology, procedures and policy (Siegel, Sagalow, & Serritella, 2003).

The use of tools and systems alone can lead to gaps in an organization’s business, IT and information security units. These gaps can also be further exploited due to lack of organizational IT governance mechanisms, resulting in a non-aligned approach to information security management. Although establishing an information security management system (ISMS) can address most issues, there are still certain other gaps that need to be addressed in areas like governance, alignment and management (Business Software Alliance, 2003).

Figure 3. Significance of regulatory compliance in ISM (Pironti, 2006)

According to a survey conducted by the Society for Information Management (2008), a lack of alignment of business, IT, and information security translates into lower revenues for companies. As shown in Figure 4 below, the fact stated above is further validated by an IT Governance Global Status Report (IT Governance Institute, 2008) indicating that between 2005 and 2008 the number of organizations reporting a disconnect between IT strategy and business strategy increased by almost 30%.

Figure 4. IT Governance global status report of 2008 (IT Governance Institute, 2008)

Another important reason for the low success rate of ISM programs across various organizations is the lack of corporate governance and ownership of information security issues. Information security management must be considered as part of the business, and it is imperative to assign responsibility for managing information security to board level, as business information is a valuable and critical corporate asset. In order to mitigate risks caused by inadequate corporate governance with respect to information security management, a holistic and comprehensive framework for information security management must be developed such that it not only addresses technical aspects of security but also takes into account business alignment, IT governance, and measurement and evaluation (Von Solms, 2001).

Statement of the Purpose

The purpose of this research study is to formulate an ISM framework that is aligned with business, IT and information security strategies. The main components of such an organizational ISM framework consist of:

1. Information Security Process Management and Control System

COBIT is an international open standard that defines requirements for the control and security of sensitive data and provides a reference framework (ISACA, 2008). COBIT consists of process domains and detailed process controls that can be applied to the ISM functions within an organization. According to Von Solms (2005), COBIT positions itself as ‘the tool for information technology governance’ and it is therefore not exclusive to information security. It also embeds Information Security governance within a wider Information Technology governance framework, which is good because it provides an integrated platform (architecture/structure) for wider Information Technology governance. Thus, COBIT can be used to satisfy the requirement of a management and control system for ISM. According to PricewaterhouseCoopers (2006), between 2003 and 2006, the awareness of COBIT has tripled amongst the general IT population, while awareness in the general population of the existence of COBIT has increased by 50 percent.

2. Business/IT/Information Security Alignment mechanism

The existence of a management and control framework for ISM does not necessarily guarantee that the ISM practices are aligned with business and IT strategy. Hence, a mechanism that aligns business, IT and information security strategies is extremely crucial for the successful implementation of a comprehensive ISM framework. An ISM

framework that provides robust security and controls but does not fit the organizational objectives would fail to achieve its full purpose and be detrimental to business functions. In order to avoid such a situation, it is important to use an alignment mechanism. The balanced scorecard (BSC) is a strategic planning and management system that is used extensively in business and industry, government, and nonprofit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals (Balanced Scorecard Institute [BSCI], 2009). The usefulness of the BSC has made it arguably the most successful and widely accepted mechanism that organizations adopt in order to achieve strategic alignment. The total usage of BSC has doubled between 1993 and 2006, with about 57% of global companies working with the BSC in one or more functions (Rigby, 2009). The use of a cascading BSC approach can lead to the effective communication of the key drivers of success to every business unit and employee within an organization, while also providing an opportunity for contribution to the overall success of an organization (Niven, 2006). Therefore, it is imperative to use a BSC approach in conjunction with COBIT, in order to align information security processes and controls with the broader business strategy and ensure the development of a strategic ISM framework.

3. Measurement and Performance Evaluation mechanism

The implementation of a strategic framework for ISM would be incomplete if its success cannot be quantitatively measured. In order to achieve this, a standardized performance management and evaluation mechanism is required. COBIT provides a stand-alone maturity model for each of its domains, but it cannot be used as a comprehensive

measurement tool (Simonsson, Johnson, & Wijkström, 2007). The SSE-CMM model describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering (SSE-CMM.org, 2009). SSE-CMM is an internationally recognized and widely accepted model for measurement and evaluation of the maturity of security processes and controls across the organization. The deployment of an SSE-CMM approach can help the organization develop a continuous improvement approach to ISM and achieve higher levels of competence and capability as related to ISM processes and procedures.

Figure 5. Solutions/Frameworks used for ISM (IT Governance Institute, 2008).

The proposed integration of COBIT, Balanced Scorecard and SSE-CMM can potentially lead to the development of a strategically aligned ISM framework. In order to fulfill the

requirements for such a comprehensive framework, organizations are increasingly using an integrated approach of more than one tool or mechanism. This is evident in Figure 5 above, from the IT Governance Global Status Report (IT Governance Institute, 2008), which shows that a large number of organizations use an internally developed framework to address their ISM requirements, which usually consists of more than one internationally recognized tool or mechanism.

Definitions

Information Security Management (ISM): refers to the management of information security controls, processes, policies, people, procedures, and systems as well as the evaluation of the performance of the implemented processes.

Strategic ISM: is the integration of the ISM as a core part of the business in order to leverage it for t
