Advisor: Prof. André Vasconcelos
Co-advisor: Prof. Miguel Mira da Silva
Instituto Superior Técnico
The Role of the Chief Information
Security Officer
Tiago Martins Catarino
28/04/2017
Motivation
• Uncertainty as to which standards and guides define the CISO’s range of intervention.
• In the literature, it is not clear which system of interest should fall within the CISO’s area of intervention.
Research Problem
• How can an organization implement the CISO’s role using COBIT 5 for
Information Security in ArchiMate?
o Can we perform a gap analysis between the organization’s AS-IS and what is defined in COBIT 5 for
Information Security, regarding:
Processes and base practices;
Key practices;
Information types;
Roles.
o Can the ArchiMate notation model all the concepts defined in the COBIT 5 for Information Security?
o Can we identify inconsistencies between the RACI charts, defined in COBIT 5 Enabling Processes, and the
CISO’s role addressed by COBIT 5 for Information Security?
Theoretical Background
• COBIT 5
o COBIT 5 Framework;
o COBIT 5 for Information Security.
Theoretical Background
• Enterprise Architecture
o ArchiMate
Provides instruments to enable enterprise architects to describe, analyze and visualize the
relationships among business domains in an unambiguous way.
Objectives
• Propose a method using ArchiMate to integrate COBIT 5 for Information Security with
EA principles, methods and models in order to properly implement the CISO’s role.
o Create a method that:
Figures out which processes and activities, key practices and business functions the CISO
should be held responsible for;
Identifies the information types that the CISO is responsible for originating;
Finds which of the organization’s roles are performing the CISO’s job;
Hopefully improves the information security maturity level of the organization;
Identifies inconsistencies between role assignments, in particular for the CISO’s role.
Proposal
1. Model COBIT 5 for Information Security
2. Model the Organization’s EA
3. Information Types’ mapping
4. Process Outputs’ mapping
5. Key Practices’ mapping
6. Roles’ mapping
7. Analysis & TO-BE Design
Demonstration
• CISO’s Business Functions and Information Types viewpoint (COBIT 5 for Information Security)
Demonstration
• DemoCorp’s Business Functions and Information Types viewpoint
Demonstration
• DemoCorp to COBIT 5 for Information Security’s Information Types viewpoint
Demonstration
• DemoCorp to COBIT 5 for Information Security’s Information Types Missing viewpoint
Demonstration
• DemoCorp to APO01 Manage the IT Management Framework Process viewpoint
o No links between the process’s outputs of COBIT 5 and DemoCorp.
Demonstration
• DemoCorp to COBIT 5 for Information Security’s Key Practices viewpoint
Demonstration
• DemoCorp to COBIT 5 for Information Security’s Missing Practices viewpoint
Demonstration
• DemoCorp to COBIT 5 for Information Security’s Roles viewpoint
Demonstration
• Migration Viewpoint: Information Types (General)
Evaluation
• CISO’s evolution in DemoCorp
o Timeline milestones: 2008, 2014, 2016.
o CISO’s role became an organic structure.
o The ISMS (Information Security Management System) was certified according to the ISO 27001 requirements.
o CISO’s role was created to address the certification requirements of a production process.
Evaluation
• The following objectives of the solution were fully achieved:
1. Figure out which processes and activities, key practices and business functions the
CISO should be held responsible for;
2. Identify the information types that the CISO is responsible for originating;
3. Identify which of the organization’s roles are performing the CISO’s job;
4. Improve the information security maturity level of the organization;
5. Identify inconsistencies between role assignments, in particular for the CISO’s role.
Communication
• 13th European Mediterranean & Middle Eastern Conference on Information
Systems (EMCIS)
o Paper accepted at the EMCIS conference as a full paper (June 23, 2016).
o Title: Inconsistencies in Information Security Roles
Conclusion
• Main Contributions
o A method for implementing the CISO’s role using COBIT 5 for Information Security in
ArchiMate, which comprises 7 steps;
o Identification of inconsistencies between roles’ assignments, in particular the CISO’s role,
which are defined in the assignments matrix charts of COBIT 5 Enabling Processes, and
the roles addressed by COBIT 5 for Information Security.
Conclusion
• Future Work
o Develop a proposal for a solution that addresses the inconsistencies detected;
o Demonstrate and evaluate the method in different industries;
o Specialize the proposed method by industry/type of organization (e.g. SME and Banking);
o Extend the research proposal to cover other architectural layers (application
and technology layers).