ISACA GREATER HOUSTON CHAPTER - NEWSLETTER AUGUST 2015
August 31, 2015: Volume 3: 2015

PRESIDENT'S MESSAGE

Dear ISACA Greater Houston Chapter Members and Friends,

It has been a typical hot, steamy August in Houston and the chapter! We concluded our 2nd Annual Cyber Security Conference & 1st Annual Analytics/GRC Conference on August 17 with over 180 members and guests attending and sponsorships with great prizes from Accretive Solutions, Audimation Services, Berkeley Research Group, Coalfire, Identity Automation, and University of Texas Masters Program in Identity Management. It was a successful conference that we know will be bigger, better, and more value-added next year. To do so, we need to begin planning soon. If you would be interested in serving on the 3rd Annual Cyber Security Conference planning committee, please send me an email at president@isacahouston.org.

Our new website is live! Same great URL: www.isacahouston.org, or you can access the chapter website from your MyISACA tab at www.isaca.org. Great thanks to our own Mary Hall for her dedication and diligence in this project. The new website has richer features than our old website and more integration with ISACA's main website, allowing members to efficiently navigate for news, events, tools, and resources between the international website, your profile on MyISACA, and our local chapter website when you login with your member credentials.

Join us for a premiere event within the Houston Information Security Community through a combination of ISACA, ISC2, ISSA, HTCIA, and InfraGard Chapters featuring Stuart McClure, CEO at Cylance, discussing Next Generation Attacks. Stuart has been visionary for a new approach to threat detection, protection and response. His leadership sets the strategic direction, operational execution, and fiscal investments of the company. Stuart is one of the leading experts and practical thinkers in the computer security industry today.

With a highly regarded 25-year history in the security industry, Stuart has led some of the most notable companies in the space. Prior to Cylance, Stuart was EVP, Global CTO and General Manager of the Security Management Business Unit for McAfee/Intel, where he was responsible for a $3 billion consumer and corporate security products business. During his tenure at McAfee, Stuart established an elite team of security researchers called TRACE, which frequently discovered 0-day vulnerabilities and emerging threats in embedded and critical infrastructure. Before McAfee, Stuart helped formalize the cyber security program at Kaiser Permanente, a $34 billion healthcare company. In 1999, Stuart started Foundstone, Inc., a global consulting and products company, which was acquired by McAfee in 2004. Stuart is the founding creator and lead author of the most successful security book series of all time: Hacking Exposed. This book is now on version 7. He is widely recognized for his extensive and in-depth knowledge of security, and is one of the industry's leading authorities in information security today.

Members of ISACA can sign up under the member rate. Registration is active for the September 10th event at http://southtexasissa.eventbrite.com

Our friends at HOU.SEC.CON greatly value the relationships that they have with ISACA and are offering our members a discount on access to the conference taking place on October 15, 2015. This will be the only ISACA event in October. The ticket sales website is at https://houstonseccon6.eventbrite.com. There is a link towards the bottom right of the page that is labeled "Enter promotional code". Please click on that link and a box will appear. Enter 0NonProfit6.0 in that box and click Apply to get a $15 discount on your Attendee ticket. The discount is not applicable for a VIP ticket. If you plan to attend, please register as soon as possible. Ticket sales will be closing on Oct 1, and they will likely sell out before then.

Norman Lee Comstock, Jr.
Chapter President (Managing Director, Berkeley Research Group)

CHAPTER LEADERS
Norman Lee Comstock, Jr., CISA, CGEIT - Chapter President & Membership Director
Harvey H. Nusz, CISA, CRISC - Vice President
Richard Kenneth Hare, CISA, CRISC - Secretary
Glenn Melvin McQueary, II, CISA, CISM - Treasurer
Muhammad Akhtar Siraj, CISA - Immediate Past President
Susana Duran-Oliver - Board Member & Certification Coordinator
Mary C. Hall, CISA, CRISC - Board Member & Webmaster
Paul Vanek, CISA - Board Member & Audit Committee Chair
Joseph Ponnoly, CISA, CISM, CGEIT - Board Member, Communications & Newsletter Editor
UPCOMING EVENTS

Joint Meeting of ISACA, ISC2, ISSA, HTCIA, and InfraGard Chapters of Houston TX
Thursday, September 10th, 2015, 10.30 AM to 1:00 PM
Topic: Next Generation Attacks
Speaker: Stuart McClure, CEO Cylance

Stuart McClure is well known globally as a leading information security expert, as the founder of Foundstone Inc and as co-author of Hacking Exposed, now in its 7th volume. Currently he is CEO of Cylance, focusing on threat detection, protection and response. Prior to Cylance, Stuart was EVP, Global CTO and General Manager of the Security Management Business Unit for McAfee/Intel. During his tenure at McAfee, Stuart established an elite team of security researchers called TRACE, who have to their credit the discovery of several zero-day vulnerabilities and emerging threats in embedded and critical infrastructure. Before McAfee, Stuart oversaw the cyber security program at Kaiser Permanente. In 1999, Stuart started Foundstone, Inc., which was later acquired by McAfee in 2004.

Time: 11.30 AM to 1:00 PM with lunch
Location: HESS - Houston Engineering and Scientific Society Club, 5430 Westheimer at Yorktown (near Galleria) (Free Garage Parking)
Register for the event on our website www.isacahouston.org or at http://southtexasissa.eventbrite.com

COMMITTEES
Education Committee Chair: Harvey H Nusz
Certification Committee Chair: Susana Duran-Oliver
Research Committee Chair: Dr Ken Stavinoha
Event Management Committee Chair: Rich Hare
Sponsorships Committee Chair: Carlos Lozano
Audit Committee Chair: Paul Vanek
Professional Growth & Networking Committee Chair: Denise Hester
Membership Committee Chair: Norman Comstock
MONTHLY LUNCHEON MEETINGS

We meet on the 3rd Thursday of every month from 10:30 AM until 1:30 PM.

Location: Our luncheon meetings are normally at the Hess Club, but one-day conferences are held at the Crowne Plaza Hotel and other locations.
1. Hess Club, 5430 Westheimer Rd, Houston (Galleria Area)
2. Crowne Plaza Hotel, 1700 Smith Street, Houston TX 77002 (downtown)

To register for the meetings or events, please register on-line using C-Event.

Meeting date: September 17, 2015 (Thursday), 10:30 AM to 2 PM (3 CPEs)

Topic, Speaker & Location

10:30-11:30 AM Morning Session: "Why You Absolutely Must Utilize a Framework in Auditing Disaster Recovery"
Speaker: Harvey Nusz

This presentation will review the DRII Framework at a high level and give you auditable steps in each of the 10 domains, focusing on the top 10 mistakes to avoid in DR. It will also discuss DR aspects of virtualization, cloud computing and IAM in various corporations.

Harvey Nusz has been enamored with BCP/DR since before he took a three-day class in DR and recommended, as an auditor, that Sundstrand and Falk plan to back each other up, before that was popular. He has been on both sides of the equation, having audited a large bank's annual test and that of other companies, and having created or managed the creation and testing of 15 plans. He has led approximately 50 tests, ranging from table top to full DR tests, and has experience in 8 of the 10 DRII domains. Harvey was also one of the regular DR Domain instructors of ISSA, South Texas Chapter, in the previous version of the CISSP Body of Knowledge, and marveled at how that domain mimicked DRII's 10 domains. Harvey has noticed over the years that while many fine professionals have their CISA, a fair number appear to have difficulty auditing a BCP/DR program, not knowing what to look for. This session is a small effort to assist in building that knowledge amongst fellow CISAs.

Harvey, whose company is 4IT Security, Governance & Compliance, just completed a project to implement an IAM product, and is now assisting a client of Insight Global as a Data Privacy Compliance Analyst. While he enjoyed his time in north Texas, Harvey is very glad to be back in Houston.

Concurrent Morning Session: "Using Report Reader to Import Data From PDF Files"
ISACA IDEA SIG hosted by Audimation Services
Speaker: Christian Tan

12:00-1:00 PM Luncheon Session
Topic: "Agile Software Security Assurance"
Speaker: Mark Feferman (Vaunted Group)

1:00-2:00 PM Afternoon Session: "The Use of ACL Analytics at Hess Corporation"
ISACA ACL SIG
Speaker: Tenleigh Sweeney (Hess Corporation)

Total 3 CPEs offered
Early Registration: $25 Members, $30 Non-Members, $10 Students (for morning session, lunch and ACL SIG)
Location: Crowne Plaza Downtown, 1700 Smith Street, Houston, Texas 77002
OCTOBER 2015

The October ISACA event is combined with HOU.SEC.CON 2015, THE HOUSTON SECURITY CONFERENCE, OCTOBER 14-15, 2015.
Details are at: http://www.houstonseccon.com/v6/
Register at: https://houstonseccon6.eventbrite.com

CERTIFICATION TRAINING CLASSES

CISA FALL REVIEW CLASSES

CISA Fall Review Classes will be held on Saturdays Oct 24, Oct 31, Nov 7, Nov 14 and Nov 21, 2015 at St. Thomas University, Houston TX. The sessions are from 8:00 AM to 3:00 PM. Those who already have the books can register just for the class with no book cost. Those interested may please contact Susana Duran-Oliver, Certification Coordinator. Her email is: certifications@isacahouston.org. Class schedules are as given below (all sessions 8:00-3:00):

Date             | Topic                                                              | Building     | Classroom
Oct 24, Saturday | The Process of Auditing Information System (Chapter 1)             | Hughes House | Room 108
Oct 31, Saturday | IT Governance and Management of IT (Chapter 2)                     | Hughes House | Room 108
Nov 7, Saturday  | Information System, Acquisition, Development & Implementation (Chapter 3) | Hughes House | Room 108
Nov 14, Saturday | Information Systems, Operations, Maintenance and Support (Chapter 4) | Hughes House | Room 108
Nov 21, Saturday | Protection and Information (Chapter 5)                             | Hughes House | Room 108

For registration for the exams, please visit www.isaca.org/certification for details.
CPEs FOR ATTENDING ISACA MEETINGS AND EDUCATIONAL EVENTS

We have created a website which displays your earned CPE. Please follow the instructions below to access the site.

1. Copy this link to your browser: http://www.cvent.com/d/9rq9w8/3w
2. First-time members will need to register:
   - Enter your first and last name as listed with ISACA
   - Enter your email address as listed with ISACA
   - Click on the sign-up button
3. You will receive an email within a few minutes asking you to log in and update your password. Use the link in the email to update your password.

Note: If the information submitted does not match our records, you will receive an error message.
JOB POSTINGS

OVER 50 NEW CYBERSECURITY JOBS AT THE DEPARTMENT OF HOMELAND SECURITY (DHS)

The Department of Homeland Security (DHS) is responsible for safeguarding our nation's critical infrastructure from physical and cyber threats that can affect national security, public safety, and economic prosperity. DHS is actively recruiting (http://www.dhs.gov/homeland-security-careers/dhs-cybersecurity) dynamic cybersecurity professionals in its National Cybersecurity and Communications Integration Center (NCCIC) to help protect the nation's cyberspace.

HOW TO APPLY
Employment opportunities are posted on USAJOBS at dhs.usajobs.gov. Search by keyword NCCIC, or visit http://www.dhs.gov/homeland-security-careers/dhs-cybersecurity for the vacancy announcements.

ABOUT NCCIC
NCCIC is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the federal, state, local, territorial, and tribal governments, the intelligence community, law enforcement, the private sector, and international entities.

Qualified candidates must have knowledge, skills, and experience in, but not limited to:
- Information systems and architecture design
- Incident response
- Malware and forensic incident analysis
- Information security program and project management
- Information assurance
- Gathering and analyzing incident data
- Developing and implementing information systems security programs, policies, and procedures
- Leading teams in cyber incidents and responses
- Identifying and analyzing cyber security threats and providing mitigation strategies
- Identifying and exploiting vulnerabilities, vulnerability scanning and penetration testing
- Evaluating security incident response policies
- Reviewing proposed new systems, networks, and software designs for potential security risks

To learn more about the NCCIC visit: http://www.dhs.gov/about-national-cybersecurity-communications-integration-center

These are mission-critical vacancies that you can share with those in your network who would be interested in completing an application. Please help raise awareness about these great opportunities by posting on social media, blogs, in e-newsletters, and sending out emails. Please spread the word by using this link: HTTP://1.USA.GOV/1FBNHFS and the hashtag #DHSCyber or the handle @DHSgov.

Local Job Postings
For details, visit our website: http://www.isacahouston.org/
CONTACT US

Our new website is live. It is accessible using the same URL: http://www.isacahouston.org/. Please sign in using your ISACA credentials. You can also access it from www.isaca.org by clicking on the MyISACA tab, logging in and then clicking "Visit Chapter website".

The website is hosted by ISACA and is linked to the ISACA International website. You can easily access ISACA International information from our website. It also has a members-only section. Chapter presentations and newsletters (archived) will also be posted on the website. Members can also register for Chapter events directly from the website, and can access the Chapter's LinkedIn and Twitter groups directly from the website.

Special thanks to Mary Hall, our webmaster. The GHC Board would also like to acknowledge Nancy Taubin's (ISACA International) continued assistance in our website development.

Please also join our Twitter and LinkedIn groups for social and professional interaction among the members of the Chapter:
Twitter: @ISACAHouston
LinkedIn: ISACA-Houston Chapter

Mailing Address:
ISACA Houston Chapter
P.O. Box 2424, Houston, TX 77252-2424

For details of our Board Members and Committees, see http://isacahouston.org/
NEWS & NOTES

Implementing NIST Cybersecurity Framework for Critical Infrastructures using COBIT 5 - Part II
- Joseph Ponnoly CISM, CISA, CGEIT, CISSP, MBA, MS

NIST Cybersecurity Framework (CSF) 2014 for critical infrastructures, as described in Part I, defined high-level security functions and security control activities, with their categories and subcategories, to protect critical infrastructure services from identified risks and for detecting, responding to and recovering from cyber security incidents. Part II of this article discusses how NIST CSF can be implemented using the COBIT 5 framework, based on the governance and management of IT and the relevant business processes and associated risks.

Fig 1: NIST Cyber Security Framework Core Functions and Categories (Courtesy: NIST, USA)

Why COBIT 5.0?

COBIT 5.0 is referred to in NIST CSF as one of the standards/frameworks for implementing the cybersecurity functions and activities (outcomes) listed by CSF. It is listed along with CCS CSC (SANS Critical Security Controls), the ISA standard for security of industrial automation and critical control systems, ISO 27001/27002 and NIST SP 800-53A. We will see how COBIT 5.0 is an overarching framework that supports and includes these standards and best practices. COBIT 5.0 does not exclude them; it relies on them for detailed implementation guidelines and gives these standards the business perspective that makes them more effective.

COBIT is a business governance framework developed by ISACA. It integrates various frameworks and standards such as ISO 31000 (for Enterprise Risk Management), ISO 27001/27002/27005 (for Information Security Management), ITIL (for IT Service Management), PMBOK / PRINCE 2 (Project Management), Zachman Framework / TOGAF (for IT Architecture), ISO 38500:2008 (for Governance of Enterprise IT) and NIST SP 800-30 and 800-53A (dealing with risk assessments and IT controls to mitigate risk). COBIT, thus, is an integrated framework that adopts a risk-based approach to governing and managing IT in enterprises and is ideally suited for implementing NIST CSF.

Fig 2: COBIT 5 coverage of other standards and frameworks (Courtesy: ISACA)

Governance & Management of Enterprise IT

COBIT 5 makes a clear distinction between governance and management of Enterprise IT. Enterprise Governance is the responsibility and function of the Governance Board (Board of Directors) or Senior Executives and focuses on defining the organizational mission and vision and setting directions for achieving them. Operational Management focuses on operational activities involving planning, building, operating and monitoring business processes and applications, aligning them with organizational/enterprise objectives and enabling them using IT for achieving effectiveness and efficiency. The COBIT framework and standards can easily be tailored to meet the needs of Enterprise IT governance and management and for managing the cybersecurity risks of any enterprise, including critical infrastructures (as defined in Part I of this article).

Fig 3: COBIT 5 Governance and Management Key Areas (Courtesy: ISACA)

COBIT 5 thus takes a holistic view of Enterprise IT and considers seven categories of enablers for effective governance and management of Enterprise IT, to optimize value from IT while managing risk. The business enabler functions listed by COBIT are:
- Principles, policies and frameworks
- Processes
- Organizational structures
- Culture, ethics and behavior
- Information
- Services, infrastructure and applications
- People, skills and competencies
COBIT 5.0 and Cyber-risk Management

Fig 4: Scope of COBIT 5 for Risk (Courtesy: ISACA)

The risk function is considered from the perspective of the seven business enablers described above. Enterprise Risk Management (ERM) standards (based on COSO ERM, ISO 31000, ISO/IEC 27005 and other standards) are considered an integral part of governance and management of IT. They support and expand these business enabler functions and provide a business perspective to enterprise risk. The business risk function provides input to the Risk Management function. Risk Management relies on the core risk business processes and the risk scenarios that are mapped to these risk function enablers. Risk Management is implemented by the COBIT process reference model, which can be expanded by the inputs or detailed guidelines from IT management frameworks and standards such as ITIL, ISO 27001/27002, PMBOK / PRINCE2 and TOGAF.

COBIT Process Reference Model

The process reference model in COBIT lists a number of governance and management processes that relate to IT activities within the enterprise. It also provides a framework for measuring and monitoring IT performance.

Fig 5: COBIT 5 Process Reference Model (Courtesy: ISACA)

Organizations would need to adapt COBIT processes to suit their unique environments for managing IT processes and risk.

Risk Management

Risk Management, as mentioned above, is a key component of the NIST Cybersecurity Framework (CSF). It is specifically described in COBIT by the processes listed below:

Sr Executive Level
EDM (Evaluate, Direct & Monitor)
o EDM 03 - Ensure Risk Optimization

Business Management / Process Level
APO (Align, Plan & Organize)
o APO 12 - Manage Risk
o APO 13 - Manage Security
MEA (Monitor, Evaluate & Assess)
o MEA 02 - Monitor, Evaluate & Assess System of Internal Controls
o MEA 03 - Compliance with External Regulations

Operational Management Level
BAI (Build, Acquire & Implement)
o BAI 09 - Manage Assets
o BAI 10 - Manage Configuration
DSS (Deliver, Service & Support)
o DSS 04 - Manage Continuity
o DSS 05 - Manage Security Services
o DSS 06 - Manage Business Process Controls

The Risk Management process as defined by NIST CSF and the associated COBIT processes and enablers are illustrated in the graphic below. The Senior Executive Level would focus on organizational/enterprise/business risk. Business process owners would focus on critical infrastructure risk management dealing with asset management and vulnerability and threat management. Operational level implementation would focus on security operations for securing the critical infrastructure and assets.

Fig 6: Risk Management Implementation (Courtesy: NIST, USA)

The Risk Management Process (APO 12) in COBIT 5 relies on the seven business enablers and considers various risk factors (internal, external and IT-related), and also takes into account risk scenarios that can be considered in the business context. The process involves collecting relevant risk data, analyzing risk and responding to risk.

Fig 7: The Risk Management Process (APO 12) (Courtesy: ISACA)

PART III - NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION STEPS

The seven-step implementation process as specified by NIST CSF can now be considered from a COBIT perspective.

1. Prioritize and Scope

The organizational mission and drivers and stakeholder needs are identified and listed. Information security governance must be considered the responsibility of the Board of Directors and Senior Executives. The relevant COBIT processes and guidelines are:
- EDM 01.01 - Evaluate the governance system
- APO 01 - Consistent management approach, organizational roles and responsibilities, skills and competencies
- APO 02.01 - Enterprise direction, strategy and objectives
- APO 03.01 - Enterprise architecture

Some other factors to be considered are:
- Risk architecture
- Business drivers
- Compliance requirements (as defined by the MEA 03 - Compliance with External Regulations process)

2. Orient

Identify related systems, assets, regulatory requirements and the overall risk approach. Identify threats to and vulnerabilities of the critical systems, assets, applications and data identified. The COBIT processes that contain detailed guidelines are:

APO (Align, Plan and Organize)
o APO 01 - Manage the IT Management Framework
o APO 03 - Manage Enterprise Architecture
o APO 07 - Manage Human Resources
o APO 09 - Manage Service Agreements
o APO 12 - Manage Risk
o APO 13 - Manage Security
BAI (Build, Acquire and Implement)
o BAI 03 - Manage Solutions Identification and Build
o BAI 06 - Manage Changes
o BAI 09 - Manage Assets
o BAI 10 - Manage Configuration
DSS (Deliver, Service and Support)
o DSS 01 - Manage Operations
o DSS 02 - Manage Service Requests and Incidents
o DSS 03 - Manage Problems
o DSS 04 - Manage Continuity
o DSS 05 - Manage Security Services
o DSS 06 - Manage Business Process Controls
MEA (Monitor, Evaluate and Assess)
o MEA 02 - Monitor, Evaluate & Assess System of Internal Controls
o MEA 03 - Monitor, Evaluate & Assess Compliance with External Regulations

CSF Profile for the Enterprise

3. Create a Current Profile

A CSF Profile is created for an organization or enterprise by selecting the core CSF categories (ID, PR, DE, RS, RC) and the subcategories of security function activities, based on the organization's business needs, business drivers and risk assessment. The current profile shows the "as is" state. The NIST CSF Implementation Guide maps the categories and subcategories to the COBIT 5 framework and also to other implementation frameworks (please see Appendix A).

4. Conduct Risk Assessment (on a continuing basis)

Risk assessment is an important step in the cyber security management process.
Risk assessments involve identification of critical assets and identification of vulnerabilities of systems, networks and applications that could be exploited to compromise data and IT resources. Risk assessments have to consider the threat/loss event frequencies or their likelihood and the likely impact to the business or enterprise, described in dollar terms or on a high/medium/low rating scale. IT risk is a combination of the probability of the threat event (threat event frequency) and its impact (probable loss magnitude). If the risk is above the risk threshold (or risk tolerance level determined by Sr Management), then countermeasures, including controls, will have to be implemented to reduce risk and bring it to an acceptable level as defined by the enterprise.

5. Create Target Profile

The target profile is the "to be" state based on the CSF Profile categories and subcategories selected (see Appendix A). It will also consider the results of risk assessments and the control gaps identified.

CONTROLS IMPLEMENTATION & MONITORING

6. Determine, Analyze and Prioritize Gaps & Action Plan

The control gaps identified must be analyzed and prioritized with reference to the target profile created. This leads to an action plan. Since COBIT has a business focus, the control categories must be defined within the risk function business perspective as defined by the seven business enablers mentioned earlier.

7. Implement Action Plan for Countermeasures and Controls to Reduce Risk

A road map, timelines and associated project plans must be created to implement the action plan. This may also involve identification of the GRC tools required for implementation. Hardware, software, tools and skilled resources for implementation may have to be identified and documented for management approval and implementation roll-out.

IMPLEMENTATION TIERS (MATURITY MODEL)

CSF Implementation Tiers are associated with the risk management process maturity, the integrated risk management program and external participation, as specified by the framework. For example, in a tier 3 repeatable process, risk management practices are formally approved and formulated as policy directives, as against ad-hoc practices in tier 1 and the absence of policies in tier 2.
In tier 3, there would be an organization-wide approach to managing cyber security risk. Consistent methods are in place to respond effectively to changes in risk. Risk-based management decisions are made, particularly in the sharing of information with external entities. In tier 4 these practices are optimized.

COBIT also has a tiered approach to risk management, as described in the EDM 03 - Ensure Risk Optimization governance process. There are process capability levels (PCLs) defined in COBIT. These are similar to the CSF's implementation tiers. They can be mapped as listed below:
- CSF Tier 1 (Partial) -> PCL 0 (Incomplete) and PCL 1 (Performed)
- CSF Tier 2 (Risk Informed) -> PCL 2 (Managed)
- CSF Tier 3 (Repeatable) -> PCL 3 (Established)
- CSF Tier 4 (Adaptive) -> PCL 4 (Predictable) and PCL 5 (Optimizing)
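As an added illustration of steps 3 through 6 and of the tier-to-PCL mapping above (this is example code written for this newsletter page, not code from ISACA, NIST or the article's author), the following Python script holds a current and a target profile as subcategory-to-PCL maps, scores each risk scenario as threat event frequency times probable loss magnitude, compares the per-subcategory exposure with a risk threshold, and returns the gaps in priority order. The subcategory IDs are CSF v1.0 identifiers; the PCL values, assets, frequencies, loss magnitudes and the threshold are constructed sample data, and judging a whole profile's tier by its weakest subcategory is an assumption of the example, not a rule stated by either framework.

```python
"""Risk-driven gap prioritization across CSF current and target profiles.

Added example, not code from the newsletter, ISACA or NIST. It follows the
steps described in the article: a current profile (step 3), a risk assessment
scored as threat event frequency x probable loss magnitude and compared with a
risk threshold (step 4), a target profile (step 5) and a prioritized gap list
(step 6), plus the CSF tier -> COBIT process capability level (PCL) mapping.
Subcategory IDs are CSF v1.0 identifiers; the PCL values, frequencies, loss
magnitudes and the threshold are constructed sample data.
"""
from dataclasses import dataclass

# CSF implementation tier -> COBIT PCLs, exactly as the article maps them.
TIER_TO_PCL = {
    1: (0, 1),  # Partial       -> Incomplete, Performed
    2: (2,),    # Risk Informed -> Managed
    3: (3,),    # Repeatable    -> Established
    4: (4, 5),  # Adaptive      -> Predictable, Optimizing
}


def tier_for_pcl(pcl):
    """Return the CSF tier whose PCL range contains `pcl` (0..5)."""
    for tier, pcls in TIER_TO_PCL.items():
        if pcl in pcls:
            return tier
    raise ValueError(f"PCL {pcl} is outside the COBIT 0..5 range")


def profile_tier(profile):
    """Tier of a whole profile, judged by its weakest process.

    Assumption of this example: a profile is no more mature than its
    least-capable subcategory, so the minimum PCL decides the tier."""
    return tier_for_pcl(min(profile.values()))


@dataclass(frozen=True)
class RiskScenario:
    subcategory: str  # CSF subcategory the scenario is mapped to
    asset: str        # constructed asset name
    frequency: float  # threat event frequency, events per year
    magnitude: float  # probable loss magnitude per event, in dollars

    def annualized_loss(self):
        """IT risk as the article defines it: frequency x loss magnitude."""
        return self.frequency * self.magnitude


def exposure_by_subcategory(scenarios):
    """Sum the annualized loss of every scenario mapped to each subcategory."""
    totals = {}
    for s in scenarios:
        totals[s.subcategory] = totals.get(s.subcategory, 0.0) + s.annualized_loss()
    return totals


def prioritize_gaps(current, target, scenarios, threshold):
    """List subcategories whose current PCL is below target, ordered so that
    gaps carrying above-threshold exposure come first, then by exposure, then
    by the size of the capability gap."""
    exposure = exposure_by_subcategory(scenarios)
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, 0)  # a subcategory absent from the profile is PCL 0
        if have < wanted:
            risk = exposure.get(sub, 0.0)
            gaps.append({
                "subcategory": sub,
                "current": have,
                "target": wanted,
                "exposure": risk,
                "above_threshold": risk > threshold,
            })
    gaps.sort(key=lambda g: (not g["above_threshold"], -g["exposure"],
                             -(g["target"] - g["current"])))
    return gaps


# --- constructed sample data (not from the article) -------------------------
CURRENT_PROFILE = {"ID.AM-1": 1, "PR.AC-1": 2, "DE.CM-1": 0, "RS.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2}
SCENARIOS = [
    RiskScenario("DE.CM-1", "control network segment", 0.5, 400_000),
    RiskScenario("PR.AC-1", "historian server", 2.0, 30_000),
    RiskScenario("PR.AC-1", "remote access gateway", 0.25, 500_000),
    RiskScenario("ID.AM-1", "field devices", 1.0, 20_000),
]
RISK_THRESHOLD = 100_000  # annualized loss the enterprise will tolerate


if __name__ == "__main__":
    print("current tier:", profile_tier(CURRENT_PROFILE),
          "target tier:", profile_tier(TARGET_PROFILE))
    for g in prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE, SCENARIOS, RISK_THRESHOLD):
        flag = "ABOVE threshold" if g["above_threshold"] else "below threshold"
        print(f'{g["subcategory"]}: PCL {g["current"]} -> {g["target"]}, '
              f'exposure ${g["exposure"]:,.0f} ({flag})')
```

With the sample data the two subcategories whose exposure exceeds the threshold (DE.CM-1 and PR.AC-1) are listed ahead of ID.AM-1, and RS.RP-1 does not appear at all because its current PCL already meets the target; the current profile maps to tier 1 and the target profile to tier 2 under the weakest-process assumption.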
Process Capability Assessments can be performed using the ISO 15504 standard with the rating scale listed below, which COBIT adopts for each process:
- N - Not achieved (0 to 15%)
- P - Partially achieved (15 to 50%)
- L - Largely achieved (50 to 85%)
- F - Fully achieved (85 to 100%)

CONCLUSION

NIST CSF can be implemented using the COBIT 5 framework, as it is an integrated framework that gives the business perspective to governance and management of IT. Since COBIT does not exclude but brings within its umbrella the various Enterprise Risk Management and IT Management frameworks and standards, enterprises would benefit and see business value in implementing the NIST cyber security framework for critical infrastructures using the COBIT 5 framework, business enablers and process reference model.

References
1. Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/fr-2013-02-19/pdf/2013-03915.pdf
2. The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors
3. NIST Cybersecurity Framework 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
4. SANS Critical Security Controls. http://www.sans.org/critical-security-controls/
5. NIST Cybersecurity Framework Implementation Guide, ISACA.
Joseph Ponnoly, ISACA Greater Houston Chapter