Spawned from a humble white paper titled “Control Objectives” and developed into broader guidance on control objectives, the COBIT framework is celebrating its 20th anniversary this year. COBIT was first published in April 1996 and is now in its fifth version. Initially, COBIT was intended to provide guidance for auditors. As it gained use, there were calls for greater guidance on internal control.
The next iteration, COBIT 2, was published in 1998 and offered additional guidance for controls. As an audit and controls guidance framework, COBIT 2 gained broader exposure. The marketplace then began asking ISACA to provide greater assistance in managing the entire IT function. Additional guidance was developed and COBIT 3rd Edition was released as a management framework in 2000.
IT governance is more inclusive than management, and the marketplace needed still greater guidance on aligning IT strategy with business strategy. Thus, COBIT 4.0 was released as an IT governance framework in 2005. Market feedback indicated that the structure of the control objectives was more complicated than necessary, so two years later COBIT 4.1 was released with a reduced set of control objectives.
The latest evolution of the framework, COBIT 5, was published in 2012 and provides a comprehensive business framework for the governance of enterprise IT. COBIT 5 presents a model for aligning overall enterprise strategy with IT strategy, rests on a relatively simple foundation of five principles and seven enablers, and is aligned with several internationally recognized standards and frameworks, such as ISO/IEC standards and ITIL. More than 800 people provided input into the design of COBIT 5, which took nearly two years to develop and is now available in 16 languages.
COBIT user surveys have shown that COBIT 5 is very beneficial in helping enterprises manage their risks and more clearly demonstrate the delivery of value to stakeholders. In a recent survey of COBIT 5 purchasers and downloaders, more than 9 in 10 said they would recommend COBIT 5 to others.
Because governance guidance must reflect the needs of practitioners, and because the technological and threat landscapes keep evolving, COBIT will continue to evolve to best serve its users.
The unprecedented leak of 11.5 million files from the database of the world’s fourth biggest offshore law firm is riveting. As details continue to emerge about the Panama Papers leak, the money laundering and secretive tax regimes and high-profile clientele make for a juicy story. But from an enterprise data security perspective, here at Code42 we’re shaking our heads.
It’s hard to imagine a situation where the stakes for data protection could be higher. This is an organization whose entire “empire” is built on “secret” data. And it was an all-or-nothing game: Mossack Fonseca will likely never recover to earn the trust of a future client—tax evader or otherwise. If there ever was an organization that warranted exceptional network security tools and data security measures, Mossack Fonseca was it.
A data security wake-up call for honest law firms everywhere
If a massive international law firm dealing exclusively in extremely sensitive data is this easily hacked, how vulnerable is your average, above-board law firm?
According to the statistics, the answer is “very.” John McAfee penned an article for Business Insider in which he concludes that “law firms are easy pickings for hackers.” Bloomberg found that 80 percent of large U.S. law firms were hacked in 2015. Even more alarming, in the 2015 ABA Technology Survey, 23 percent of firms surveyed said they “don’t know” if they’ve experienced a breach, and only 10 percent have any sort of cyber liability coverage. For a cohort that knows a thing or two about liability lawsuits—and certainly knows that “ignorance of the law” is a poor defense—this is surprising.
Data protection is a high-stakes game for every law firm
And while a data breach at your average law-abiding law firm isn’t likely to result in indictments for fraud, the stakes are still extremely high. “The implications of law firm breaches are mind boggling,” Philip Lieberman, president of Lieberman Software, told Computer Business Review.
Most clearly, a firm stands to destroy every shred of trust with its clients—a reputation bomb that will be tough to recover from. In many cases, a leak could compromise legal proceedings and eliminate advantages by placing litigation strategy and privileged information out in the open.
Even if a firm’s clients and reputation escape unscathed, data loss of any kind can trigger significant financial impact. A damaged laptop, or ransomware that holds data hostage, can leave an associate without access to critical information, and the lost billable hours quickly add up. Add breach reporting requirements and potential fines, and the ROI of modern enterprise data security tools is easily apparent.
It will be interesting to watch the continued fallout from the Panama Papers, and we’re happy to count this as a win for the “good guys.” But as it dominates headlines and newsfeeds, we hope it’s also a major reminder for law firms—and enterprises in every industry—to re-examine what they’re doing to protect their data.
Customize Your Panorama Deployment to Meet Your Needs
In my last blog post, I described the overall benefits of moving to a network security management solution such as Panorama. I also hinted at three additional steps you can take to ensure optimal performance of your management platform. In this blog post, I’ll go into more detail on these three steps.
Step 1. Move from Virtual Machine (VM) to a Hardware Platform
Deploying Panorama on a VM is a great option for those who want fewer appliances in their security deployments, but it can come with drawbacks. When VM resources are oversubscribed, you have to ask a VM management team to add processing power, and your management plane competes with whatever else shares that host. Deploying a hardware appliance (either an M-100 or M-500 appliance) in your network ensures that dedicated resources are available when you need them, independent of shared virtualization infrastructure you do not control.
Step 2. Add Dedicated Log Collectors
Combining management and log collection into one piece of hardware may work in some instances, especially for small networks; but, as soon as your log retention increases, you are sacrificing valuable management resources for logging.
Adding dedicated log collectors (additional M-100 or M-500 appliances) to your Panorama deployment will increase log ingestion rates, lengthen log retention, and free up management resources. Placing log collectors strategically across a distributed deployment also cuts back on the need to backhaul all logs over WAN links, while still giving you deployment-wide log data for analysis from the management console.
Step 3. Deploy Panorama in High Availability (HA)
It’s no secret that HA decreases the chance of downtime caused by hardware failure. Panorama can be deployed in an HA pair, increasing availability and eliminating the management server as a single point of failure. Keep in mind that HA protects against the loss of an appliance, not against a bad configuration push, so a regular configuration export remains part of a sound deployment.
Check back next week for the final post in this series where I’ll share the importance of planning for the future state of a company when deploying Panorama. In the meantime, watch the Panorama demo to learn more.
Technology, including its byproducts, is most likely value-neutral. By itself, it is incapable of wrongdoing. And yet we find many scenarios in which technology provides a breeding ground for a wrongful act, as if luring people to take advantage of it. Features offering anonymity, as in the case of e-currency, provide confidentiality assurance, but they can also mask illegitimate or illegal transactions. Bitcoin can neither prevent, nor should it promote, illegal use of its currency system. But once a system is open for everyone’s use, who guards against morally or legally improper use of it? Today, technology is a weak partner in preventing or detecting moral compromises, but this may change in the future.
Remoteness from the locus of impact of a transaction seems to embolden actors, even when they know that they are acting illegally. We know well how people abuse technology, but we have few good insights into why they do so. Broad answers include greed, poor reward systems and attitude. These may or may not be the drivers of immorality, and even if they are, they do not offer a good understanding of why humans lean toward the abuse of technology.
And yet, there is some good news. Automated systems with direct interfaces to, for example, train travelers can be expected to reduce bribery and create a more robust environment for nurturing moral acts. Empowering people with technology may not be easy, but when done right, it is capable of producing significant behavioral change.
What do you think? I am particularly interested in known or possible reasons as to why technology seems to be the culprit in individual or organizational wrongdoing.
On April 5–6 in The Hague, the Dutch government hosted its International NCSC One Conference 2016, an annual cybersecurity event it has held since 2008. Nearly 1,000 people from government, industry, and academia attended the conference, including from across Europe, the United States, Russia, and Japan. The theme of this year’s One Conference, “Protecting Bits & Atoms,” was chosen to focus on the increasingly connected physical and digital worlds.
The Netherlands is aggressively focusing on cybersecurity. In fact, as European companies and governments have paid growing attention to cybersecurity in recent years, the Dutch are emerging as leaders on cybersecurity matters in the EU, lending their support to activities at the EU level, as well as globally.
The Dutch have made cybersecurity a priority for their EU Presidency, which runs from January through June 2016. The government expects the EU Network and Information Security (NIS) Directive, the text of which was preliminarily agreed to in December, to go into effect on its watch. As of this writing, the latest expectations are that the Directive will be adopted by the European Council in May and published in the Official Journal of the European Union in June. At that point, its implementation clock starts ticking. After three years of activity in Brussels to finalize the Directive, Member States, such as the Netherlands, now will take a larger role, working with European policymakers to make the Directive a reality through its implementation.
The Dutch are eager to help industry and governments prepare for the Directive. A full track of the One Conference was devoted to EU policies, providing the European Commission with a platform to explain the forthcoming requirements on industry, namely risk management, security, and incident notification. The Dutch National Cyber Security Centre (NCSC) pulled together Member State national Computer Security Incident Response Teams (CSIRTs) in a public “meet and greet” to share best practices and kickstart the CSIRT coordination network laid out in the NIS Directive. Although CSIRTs in Europe are not new, not all Member States currently have them, and the NIS Directive instructs Member States to set them up and to coordinate through a network whose secretariat is hosted by the European Union Agency for Network and Information Security (or, as it’s more commonly known, ENISA).
The Dutch also plan to pull their peers together in May, when the Ministry of Security and Justice will host a meeting on cybersecurity for high-level officials from the Member States, as well as industry, called “Enabling partnerships for a digitally secure future for EU.” The purpose of the meeting is to examine best practices in cybersecurity and to discuss future developments in terms of strengthening European cooperation. One of the meeting’s themes is public-private partnerships.
These efforts are not new; the Netherlands’ actions in cybersecurity have been building. In April 2015, the country held the Global Conference on Cyberspace, which defined global challenges and opportunities related to the Internet. Coming out of that conference, the Dutch launched the Global Forum on Cyber Expertise (GFCE), a forum for cyber capacity building. In the GFCE over 50 organizations and states work together on practical initiatives to strengthen cybersecurity, fight cybercrime, protect online data, and support e-governance.
Not only are the Dutch efforts welcome and important, but their approach is essential. The Netherlands views public-private partnerships as the path to more effective cybersecurity. Patricia Zorko, Deputy National Coordinator for Security and Counterterrorism in the Ministry of Security and Justice, appealed to One Conference attendees to share their expertise. She urged organizations to make cybersecurity a priority in their boardrooms, reflecting the Dutch government’s belief, and that of a growing number of organizations in Europe, that cybersecurity must be seen as much more than an IT issue.
The Dutch government points out that The Hague has a unique ability to play a pivotal role in cybersecurity. The city already is the “International City of Peace and Justice” (it is the United Nations’ second city, after New York), and the Dutch see themselves extending that mission into helping keep cyberspace resilient and facilitating a thriving global digital economy. Having witnessed and participated in discussions about cybersecurity public-private partnerships for years, we find it inspiring when those partnerships begin to crystallize and result in concrete actions, such as the Global Forum on Cyber Expertise. Palo Alto Networks looks forward to supporting initiatives and policies in the Netherlands, and throughout the EU, that increase our collective, global cyber resilience.