
Page 1

Advisor: Prof. André Vasconcelos

Co-advisor: Prof. Miguel Mira da Silva

Instituto Superior Técnico

The Role of the Chief Information Security Officer

Tiago Martins Catarino

28/04/2017

Page 2

Motivation


• Uncertainty as to which standards and guides define the CISO's range of intervention.

• In the literature it is not clear which system of interest should fall within the CISO's area of intervention.


Page 3

Research Problem

• How can an organization implement the CISO's role using COBIT 5 for Information Security in ArchiMate?

o Can we perform a gap analysis between the organization's AS-IS and what is defined in COBIT 5 for Information Security, regarding:
 - Processes and base practices;
 - Key practices;
 - Information types;
 - Roles.

o Can the ArchiMate notation model all the concepts defined in COBIT 5 for Information Security?

o Can we identify inconsistencies between the RACI charts defined in COBIT 5 Enabling Processes and the CISO's role as addressed by COBIT 5 for Information Security?


Page 4

Theoretical Background

• COBIT 5

o COBIT 5 Framework;

o COBIT 5 for Information Security.


Page 5

Theoretical Background

• Enterprise Architecture

o ArchiMate: provides instruments that enable enterprise architects to describe, analyze and visualize the relationships among business domains in an unambiguous way.


Page 6

Objectives

• Propose a method using ArchiMate to integrate COBIT 5 for Information Security with EA principles, methods and models, in order to properly implement the CISO's role.

o Create a method that:
 - Identifies the processes and activities, key practices and business functions for which the CISO should be held responsible;
 - Identifies the information types that the CISO is responsible for originating;
 - Identifies which of the organization's roles are performing the CISO's job;
 - Aims to improve the information security maturity level of the organization;
 - Identifies inconsistencies between role assignments, in particular those involving the CISO's role.


Page 7

Proposal


1. Model COBIT 5 for Information Security
2. Model the organization's EA
3. Information types' mapping
4. Process outputs' mapping
5. Key practices' mapping
6. Roles' mapping
7. Analysis & TO-BE design

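The mapping and analysis steps of the method (steps 3 to 7), together with the role-inconsistency question raised in the research problem, can be made concrete as a small gap-analysis routine. The Python block below is an added example written for this page, not the thesis' own tooling: the reference practices, their information types and role assignments, and the AS-IS activities of a hypothetical organization are all constructed placeholders rather than COBIT 5 for Information Security's real catalogue (only the process identifiers APO01, APO12 and DSS05 are real COBIT 5 process ids). The analyst-supplied mapping tables stand in for steps 3 to 6, and analyse() performs step 7; its TO-BE suggestion uses one illustrative heuristic chosen for this example.

```python
"""Gap analysis of an organization's AS-IS model against a reference model of the
CISO role (steps 3-7 of the method). Added example, not the thesis' own code: every
practice name, information type, role and activity below is a constructed
placeholder, not the actual COBIT 5 for Information Security catalogue."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPractice:
    """A key practice of the reference model (step 1)."""
    process: str            # owning process id, e.g. "APO01" (real COBIT 5 id)
    name: str               # constructed practice name
    outputs: frozenset      # information types the practice originates
    raci_accountable: str   # role holding 'A' in the process's RACI chart
    security_owner: str     # role the security-specific guidance assigns to it


@dataclass(frozen=True)
class OrgActivity:
    """An activity of the organization's AS-IS enterprise architecture (step 2)."""
    name: str
    performed_by: str
    produces: frozenset     # information types the activity produces, in org vocabulary


# Step 1: reference model. Process ids are real COBIT 5 ids; everything else is constructed.
REFERENCE = [
    KeyPractice("APO01", "Define the information security policy",
                frozenset({"Information security policy"}), "CISO", "CISO"),
    KeyPractice("APO01", "Communicate the information security policy",
                frozenset({"Policy communication plan"}), "CIO", "CISO"),
    KeyPractice("APO12", "Maintain the information security risk profile",
                frozenset({"Information security risk profile"}), "CISO", "CISO"),
    KeyPractice("DSS05", "Monitor security events",
                frozenset({"Security incident report"}), "CISO", "CISO"),
]

# Step 2: constructed AS-IS model of a hypothetical organization (a DemoCorp stand-in).
AS_IS = [
    OrgActivity("Write security policy", "Security Manager",
                frozenset({"Security policy document"})),
    OrgActivity("Run annual risk assessment", "IT Director",
                frozenset({"Risk register"})),
    OrgActivity("Review firewall logs", "Security Manager",
                frozenset({"Firewall log review"})),
]

# Steps 3-5: analyst-supplied mappings from AS-IS vocabulary to reference vocabulary.
# Anything absent from these tables is, by construction, unmapped (a candidate gap).
INFO_TYPE_MAP = {
    "Security policy document": "Information security policy",
    "Risk register": "Information security risk profile",
}
PRACTICE_MAP = {
    "Write security policy": "Define the information security policy",
    "Run annual risk assessment": "Maintain the information security risk profile",
    "Review firewall logs": "Monitor security events",
}


def analyse(reference, as_is, info_type_map, practice_map, target_role="CISO"):
    """Step 7: report gaps and role inconsistencies as plain sets, dicts and lists."""
    ref_info_types = {t for p in reference for t in p.outputs}
    ref_by_name = {p.name: p for p in reference}

    covered_types = {info_type_map[t] for a in as_is for t in a.produces if t in info_type_map}
    covered_practices = {practice_map[a.name] for a in as_is if a.name in practice_map}

    # Step 6: which org roles actually perform practices the reference gives to target_role.
    performers = Counter(
        a.performed_by for a in as_is
        if a.name in practice_map
        and ref_by_name[practice_map[a.name]].security_owner == target_role
    )

    # Inconsistency: the RACI 'A' disagrees with the security-specific role assignment.
    inconsistencies = [
        (p.process, p.name, p.raci_accountable, p.security_owner)
        for p in reference if p.raci_accountable != p.security_owner
    ]

    missing_practices = {p.name for p in reference if p.name not in covered_practices}
    # TO-BE heuristic (this example's choice, not the thesis'): assign each missing
    # practice to the org role already doing most of the target role's work.
    to_be_owner = performers.most_common(1)[0][0] if performers else target_role
    return {
        "missing_info_types": ref_info_types - covered_types,
        "missing_practices": missing_practices,
        "performers_of_target_role": dict(performers),
        "raci_inconsistencies": inconsistencies,
        "to_be": {name: to_be_owner for name in missing_practices},
    }


if __name__ == "__main__":
    for key, value in analyse(REFERENCE, AS_IS, INFO_TYPE_MAP, PRACTICE_MAP).items():
        print(f"{key}: {value}")
```

Run as-is, the report lists the two reference information types nobody in the AS-IS model produces, the one reference practice with no mapped activity, the Security Manager and IT Director as the roles doing the CISO's work, and the single practice whose RACI 'A' (CIO) contradicts the security-specific assignment (CISO). The mapping tables are the part an analyst fills in by hand when modelling in ArchiMate; the routine only makes the resulting gaps explicit.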

Page 8

Demonstration

• CISO’s Business Functions and Information Types viewpoint (COBIT 5 for Information Security)


Page 9

Demonstration

• DemoCorp’s Business Functions and Information Types viewpoint


Page 10

Demonstration

• DemoCorp to COBIT 5 for Information Security’s Information Types viewpoint


Page 11

Demonstration

• DemoCorp to COBIT 5 for Information Security’s Information Types Missing viewpoint


Page 12

Demonstration

• DemoCorp to APO01 Manage the IT Management Framework Process viewpoint


o Callout on the viewpoint: no links between the process's outputs in COBIT 5 and DemoCorp.


Page 13

Demonstration

• DemoCorp to COBIT 5 for Information Security’s Key Practices viewpoint


Page 14

Demonstration

• DemoCorp to COBIT 5 for Information Security’s Missing Practices viewpoint


Page 15

Demonstration

• DemoCorp to COBIT 5 for Information Security’s Roles viewpoint


Page 16

Demonstration

• Migration Viewpoint: Information Types (General)


Page 17

Evaluation

• CISO’s evolution in DemoCorp


o 2008: the CISO's role was created to address the certification requirements of a production process.

o 2014: the ISMS (Information Security Management System) was certified according to the ISO 27001 requirements.

o 2016: the CISO's role became an organic structure.


Page 18

Evaluation

• The following objectives of the solution were fully achieved:

1. Identify the processes and activities, key practices and business functions for which the CISO should be held responsible;
2. Identify the information types that the CISO is responsible for originating;
3. Identify which of the organization's roles are performing the CISO's job;
4. Improve the information security maturity level of the organization;
5. Identify inconsistencies between role assignments, in particular those involving the CISO's role.


Page 19

Communication

• 13th European Mediterranean & Middle Eastern Conference on Information Systems (EMCIS)

o Paper accepted at the EMCIS conference as a full paper (June 23, 2016).

o Title: Inconsistencies in Information Security Roles


Page 20

Conclusion


• Main Contributions

o A seven-step method for implementing the CISO's role using COBIT 5 for Information Security in ArchiMate;

o Identification of inconsistencies between role assignments, in particular those of the CISO's role, as defined in the assignment matrix (RACI) charts of COBIT 5 Enabling Processes, and the roles addressed by COBIT 5 for Information Security.


Page 21

Conclusion


• Future Work

o Develop a proposed solution that addresses the inconsistencies detected;

o Demonstrate and evaluate the method in different industries;

o Specialize the proposed method by industry or type of organization (e.g. SMEs and banking);

o Extend the research proposal to cover other architectural layers (the application and technology layers).

