Cobit Security Checklist

Security Checklist for the XYZ Company

1. PO1.3 Assessment of Current Capability and Performance

2. PO2.3 Data Classification Scheme

3. AI6.1 Change Standards and Procedures

4. DS4.1 IT Continuity Framework

5. DS5.2 IT Security Plan

6. DS5.3 Identity Management

7. DS5.5 Security Testing, Surveillance and Monitoring

8. DS5.9 Malicious Software Prevention, Detection, and Correction

9. DS5.10 Network Security

10. ME1.3 Monitoring Method

Supporting Explanation for Check-list Item Number 1

The first step in a security checklist for XYZ Company is COBIT PO1.3, an assessment of the current capability and performance of solution and service delivery. The assessment should measure IT's contribution to business objectives, functionality, stability, complexity, costs, strengths, and weaknesses. While this assessment will be useful for security purposes, all areas of IT can use it because security capabilities are a subset of overall IT capabilities. It will provide a baseline to which to compare future changes. Since XYZ is not a new company, they must have existing infrastructure and services in place. Thus, having a baseline is advantageous because it will allow IT to show tangible improvements to executives, which will help procure financing for future IT endeavors.

Assessing current capabilities will also prevent them from building solutions from scratch when a similar one already exists. By reducing re-work, XYZ can use their funds to the utmost effect. Another side effect of the assessment will be groundwork for the identification of the company's information assets, which will be important in future steps such as data classification. According to COBIT, the assessment should also measure IT's strengths and weaknesses. Some of the weaknesses will undoubtedly be security related and give XYZ Company areas on which to focus improvements.

To accomplish the assessment, IT will have to interview people across the enterprise. In XYZ Company's case, this will include manufacturing facilities, suppliers, and its university research centers. Additionally, IT will perform customer surveys for its website and other sales channels. External auditing of the findings is not necessary because there is little motivation for employees to overstate capabilities. If they do, their resulting targets will be unreachable and thus they will under perform later. If they understate their capabilities, they will be chided for current inefficiencies. Thus, the overall assessment should be accurate. The most cost effective way to aggregate the data will be though a database, on which analysts can perform queries later. IT personnel will also have to travel to the locations to assess the security capabilities, as getting accurate security assessments from non-security personnel will be difficult. This will probably be the most expensive facet of the assessment.

This assessment is recommended for XYZ Company because they have a complex value chain as well as multiple sites. Their sales through multiple channels have created the opportunity for fragmented information systems across sites. Additionally, the universities where they conduct offsite research will undoubtedly have their own security procedures. This creates the opportunity for nonconforming security practices, including ones of which IT may not even be aware. Documenting all these procedures is important in developing a comprehensive enterprise-wide security plan, as fixing unknown weaknesses is virtually impossible. Creating the security plan is covered in a later checklist item.

Supporting Explanation for Check-list Item Number 2

After completing the assessment of current capabilities, the next step is to establish an enterprise-wide classification scheme, as outlined in COBIT PO2.3. Classifications should represent the criticality and sensitivity of the information. The assessment of capabilities should provide a good starting point as the company has already identified all information-based processes. Classifying the information assets is important because all companies have limited resources. If XYZ Company tried to apply the same security procedures across all its information assets the costs would be exorbitant. Protecting past press releases, for instance, does not warrant the same protection as the herbal formulas. Therefore, spending the same money to secure them is not prudent. The classification scheme will allow XYZ to spend only what is necessary to secure their information assets. Another important aspect of the classification scheme is identifying the information assets' owners. IT will then have a contact that will prove valuable should anything befall the asset.

To accomplish this classification, the recommended tool is an information asset table. This way, there is a single place where all the assets are recorded. A simple database would provide the most efficient way of determining the assets with characteristics in common. Items such as herbal supplement formulas, customer credit cards, and products under development would have the highest value, both in terms of actual and total loss, which includes potential loss from the tarnished corporate image. Three groups for asset value are common: high, medium, and low. While more groups may add additional granularity, they will also create additional employee confusion as to which category the information belongs. The Compliance and Risk department should be ultimately responsible for collecting the data; however, the CEO, CIO, and other executives should be consulted and accountable for its contents.

To make the task of cataloging all the assets manageable, one way is to approach it as two separate logical pieces. The first is enterprise applications, an example of which would be the inventory management application at XYZ's factories. The inventory management application is important because it allows the factory to operate more efficiently. Another example is the instructions for the machines that package the supplements. The instructions to operate the machines are more valuable because without them, XYZ cannot produce any products, which is its only source of revenue. The best

...