5 Key Considerations When Implementing User-Based Access Controls

End users, the very people chartered to preserve the integrity of your business, are also a significant point of vulnerability in your network’s security infrastructure. By 2020, IDC expects that mobile workers in the United States alone will account for nearly three quarters of the total workforce*. As a result, IP addresses are no longer an effective proxy for end users: users constantly move between physical locations and use multiple devices, operating systems and application versions to reach the data they need. It is now critical to an organization’s risk posture to identify who the network’s users are, beyond IP address, and the risk they bring based on the device they are using.

To control the threat exposure that the end-user community unknowingly creates, and to protect your organization from breaches, use User-ID, the user-based access control capability of the Palo Alto Networks next-generation firewall (NGFW). With User-ID you can allow access to sanctioned applications based on user identity rather than IP address, which gives you visibility into who is using which applications on the network, and who is transferring files and possibly introducing threats into your organization.

When applied correctly, user-based access controls can reduce incident response times and strengthen your organization’s security posture. Outlined below are five key points to consider when applying User-ID technology to your NGFW security infrastructure.

1. Understand the organization’s user environment and architecture

To do this, ask yourself the following questions:

  • Which locations does my organization operate in? An organization might operate in several different locations, such as a main campus, branch offices or remote locations.
  • What authentication method is used in each location? Do users log in directly to directory servers, or are they authenticated and authorized on wireless LAN (WLAN) controllers, VPN systems or network access control (NAC) devices?
  • What are the operating systems (OS) in each location? There could be heterogeneous environments with Windows®, Mac and Linux capabilities, or homogenous environments with only one OS.
  • How do endpoints log on to the network? Are endpoints identified and authenticated prior to logging on to the network?

2. Figure out supported user-to-IP mapping strategies, and determine the ones you will use

Find out which user-to-IP mapping mechanisms your next-generation firewall supports. A number of sources are typically available to identify users: third-party proxy servers, WLAN controllers, terminal services agents, directory service logs, and more.

Based on discoveries in the first step, select the user-to-IP mapping strategies that apply to your environment.

3. Implement the selected user-to-IP mapping strategy for user visibility

Implement the selected strategy to gain visibility into users’ behavior. Collaboration with other team members, such as IT architects, security operators and network admins, is critical here.

This visibility enables the identification of activities and usage patterns tied to users instead of IP addresses, including insights such as top users and their browsing history, the top applications accessed by users in the marketing group in the last 24 hours, or Software-as-a-Service (SaaS) application usage broken down by user. All of these are valuable data points around which to formulate appropriate user-based access controls.

Share the visibility reports and data with other team members with whom you collaborated.

4. Ensure business policies exist to justify user-based access controls

Before rolling out User-ID-based controls, ensure supporting business policies exist that define access parameters. Typically, such policies are established by human resources (HR) and legal. If such policies do not exist, collaborate with HR and legal to establish policies, leveraging the user-based reports as your guide.

In addition, when defining user-based access controls, it’s best to do so in terms of groups, rather than individual users. Instead of marketers, Jane, John and Joe, think of the three individual users as the marketing group. This will go a long way to simplify policies and keep administrative overhead to a minimum.

5. Implement user-based access policy

Once the corresponding business policy is aligned and user groups are defined, user-based access controls can be implemented. Create a list of security rules that whitelist the acceptable applications and websites for each group and deny access to everything else, then roll the policy out one group at a time. Log the final deny rule so that legitimate traffic it blocks is visible and can be reviewed before the next group is migrated.

The user groups impacted by the new access controls will likely have questions. Communication is key here. Let the impacted user groups know what you plan to do and when you plan to do it. Organizations can also consider forming a special incident response team to field the higher-than-average volume of inquiries related to the implementation to ease the minds of users and drive a smooth execution.
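The following is an added example, not code from the original article or from Palo Alto Networks. It models the two ideas behind steps 4 and 5 in plain Python: a user-to-IP mapping table that the firewall consults for each flow, and a group-based rulebase (allow rules per group, then an explicit deny-everything rule) evaluated first-match. It also shows the two caveats a practitioner cares about with any IP-to-user mapping: a user who moves to a new address is unknown until a mapping source reports the new address, and a mapping that is kept too long attributes another person’s traffic to the previous user. The directory contents, group and rule names, IP addresses, application names and the 45-minute timeout are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed directory: user -> groups, as an AD/LDAP group lookup would return.
DIRECTORY = {
    "corp\\jane": {"marketing"},
    "corp\\john": {"marketing"},
    "corp\\joe":  {"marketing"},
    "corp\\sam":  {"engineering"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset        # group names; frozenset({"any"}) matches every flow
    applications: frozenset  # application names; frozenset({"any"}) matches every app
    action: str              # "allow" or "deny"


# Constructed rulebase in the shape step 5 describes: group-based allow rules
# first, then an explicit deny-all so nothing falls through. Adding Joe to the
# marketing group in the directory needs no rule change.
RULES = [
    Rule("marketing-saas", frozenset({"marketing"}),
         frozenset({"salesforce", "web-browsing", "ssl"}), "allow"),
    Rule("engineering-scm", frozenset({"engineering"}),
         frozenset({"github", "ssl"}), "allow"),
    Rule("deny-all", frozenset({"any"}), frozenset({"any"}), "deny"),
]


class UserIdPolicy:
    def __init__(self, directory, rules, timeout=45 * 60):
        self.directory = directory
        self.rules = rules
        self.timeout = timeout   # seconds before a learned mapping is treated as stale (assumed value)
        self.mappings = {}       # ip -> (user, learned_at)

    def learn(self, ip, user, now):
        """Record a user-to-IP mapping reported by an agent, WLAN/VPN/NAC log or proxy."""
        self.mappings[ip] = (user, now)

    def resolve(self, ip, now):
        """Return the user behind an IP, or None if the address is unmapped or the mapping is stale."""
        entry = self.mappings.get(ip)
        if entry is None or now - entry[1] > self.timeout:
            return None
        return entry[0]

    def evaluate(self, ip, application, now):
        """First-match rule evaluation; returns (action, matching rule, resolved user)."""
        user = self.resolve(ip, now)
        groups = self.directory.get(user, set()) if user else set()
        for rule in self.rules:
            group_ok = rule.groups == frozenset({"any"}) or bool(rule.groups & groups)
            app_ok = rule.applications == frozenset({"any"}) or application in rule.applications
            if group_ok and app_ok:
                return rule.action, rule.name, user
        return "deny", "implicit-deny", user  # nothing matched: behave as a default-deny rulebase


def demo():
    """Walk one user through a wired logon, a move to Wi-Fi and address reuse by another user."""
    p = UserIdPolicy(DIRECTORY, RULES)
    t0 = 1_000_000.0
    results = {}
    p.learn("10.1.1.5", "corp\\jane", t0)                    # e.g. from a domain logon event
    results["jane_wired"] = p.evaluate("10.1.1.5", "salesforce", t0 + 60)
    results["jane_github"] = p.evaluate("10.1.1.5", "github", t0 + 60)          # not in her group's list
    results["jane_wifi_unmapped"] = p.evaluate("10.1.2.9", "salesforce", t0 + 120)  # moved; no mapping yet
    p.learn("10.1.2.9", "corp\\jane", t0 + 130)              # WLAN controller reports the new address
    results["jane_wifi_mapped"] = p.evaluate("10.1.2.9", "salesforce", t0 + 140)
    results["jane_stale"] = p.evaluate("10.1.1.5", "salesforce", t0 + 4000)     # old mapping expired
    p.learn("10.1.1.5", "corp\\sam", t0 + 4000)              # Sam now holds Jane's old address
    results["sam_reuse"] = p.evaluate("10.1.1.5", "salesforce", t0 + 4010)

    # Same sequence with a day-long timeout and no fresh report for Sam: the
    # stale mapping makes Sam's traffic look like Jane's and it is allowed.
    q = UserIdPolicy(DIRECTORY, RULES, timeout=24 * 3600)
    q.learn("10.1.1.5", "corp\\jane", t0)
    results["long_timeout_misattribution"] = q.evaluate("10.1.1.5", "salesforce", t0 + 4000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32s} -> {outcome}")
```

The last case is why mapping timeouts and fresh mapping sources matter as much as the rules themselves: a group-based allow list is only as good as the answer to "who is behind this address right now".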

With these considerations in mind, implement User-ID on your Palo Alto Networks NGFW security infrastructure to defend against successful cyberattacks and make the most of your security investment.


* U.S. Mobile Worker Forecast, 2015–2020, International Data Corporation (IDC), May 2015

[Palo Alto Networks Research Center]

Windows 10 Steps Up Ransomware Defense

Here’s some good news for the countless businesses getting ready for the migration to Windows 10: Microsoft recently announced that its Windows 10 Anniversary Update features security updates specifically targeted to fight ransomware. No defense is completely hack-proof, but it’s great to see the biggest names in the tech world are putting ransomware at the top of their list of concerns.

Patching holes, preventing users from “clicking the link”
Microsoft released a guide on how the Windows 10 Anniversary Update specifically enhances protection against ransomware. The company focused on closing the vulnerabilities attackers have exploited in the past, and says its updated Microsoft Edge browser has had no known successful zero-day exploits or exploit kits to date.

The company says its smart email filtering tools helped identify some 58 million attempts to distribute ransomware via email—in July 2016 alone. But what if a phishing email does reach gullible and mistake-prone end users? Microsoft says it has invested in improving its SmartScreen URL filter, which builds a list of questionable or untrustworthy URLs and alerts users should they click on a link to a “blacklisted” domain.

Thanks to security upgrades, Microsoft says Windows 10 users are 58 percent less likely to encounter ransomware than those running Windows 7.

Better threat visibility for IT
On the response end, the Windows 10 Anniversary Update also sees the launch of the Windows Defender Advanced Threat Protection (ATP) service. The basic idea behind Windows Defender ATP is to use contextual analytics of network activity to spot signs of attacks that other security layers miss. Microsoft says the new service gives “a more holistic view of what is attacking the enterprise…so that enterprise security operations teams can investigate and respond.” Better visibility of your users’ activities—now that’s something we at Code42 can get behind.

Using the intelligence of the “hive mind” to fight ransomware
One impediment to the fight against ransomware has been organizations’ reluctance to share information on attacks, both attempted and successful. We already know that new strains of ransomware emerge daily, but without this shared knowledge, even older strains are essentially new and unknown (and thus remarkably effective) to most of the enterprise world. The sheer size and market share of Windows puts Microsoft in a unique position to solve this problem. Its threat detection products are now bringing together detailed information on the millions of attempted ransomware attacks that hit Windows systems every day. With Microsoft now focused on fighting this threat, we’re eager to see the company leverage the intelligence of this hive mind to beat back the advance of the ransomware threat.

What does Microsoft say about ransomware recovery?
It’s important to note that responding to a ransomware attack is not necessarily the same as recovering from an attack. In other words, Windows 10 says it can help you detect successful attacks sooner and limit their impact—but how does it help you deal with the damage already done? How does it help you recover the data that is encrypted? How does it help you get back to business?

The Windows 10 ransomware guide makes just one small mention of recovery, urging all to “implement a comprehensive backup strategy.” However, Microsoft offers a rather antiquated look at backup strategies, leaving endpoint devices uncovered, focusing on user-driven processes instead of automatic, continuous backup, and even suggesting enterprises use Microsoft OneDrive as a backup solution. As we’ve explained before, OneDrive alone is insufficient data protection. It’s an enterprise file sync-and-share solution (EFSS), built to enable file sharing and collaborative productivity—not continuous, secure backup and fast, seamless restores.

Making the move to Windows 10? Make sure your backup is ready
Most enterprises are at least beginning to plan for the move to Windows 10, as they should be. The new OS offers plenty of advantages, not least of which are security features that undoubtedly make Windows 10 more hack-resistant. But as security experts and real-world examples continually show, nothing can completely eliminate the risk of ransomware. That’s why your recovery strategy—based on the ability to quickly restore all data—is just as critical as your defense strategy.

Moreover, as more organizations make the move to Windows 10, they’re seeing that the ability to efficiently restore all data is the key ingredient to a successful migration. Faster, user-driven migrations reduce user downtime and IT burden, and guaranteed backup eliminates the data loss (and resulting lost productivity) that plagues the majority of data migration projects.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

Security Automation Isn’t AI Security

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article “How artificial intelligence and robots will radically transform the economy.”

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customers’ growing frustration that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator from “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

We are still at the very early days of the AI revolution. Product and service vendors are advancing their v1.0 AI engines and are predominantly focused on solving two challenges – sifting through an expanding trove of threat data for actionable nuggets and replicating the most common and basic human security analyst functions.

Neither challenge is particularly demanding of an AI platform. Statistical approaches to anomaly detection, data clustering and labeling processes meet all the criteria for the first security challenge, while “expert system” approaches of the 1970s and 1980s tend to be adequate for most of the second. What has changed is the volume of data that decisions must be based upon and the advances in learning systems.

What is confusing many security technology buyers at the moment lies with the inclusion of AI buzzwords around products and services that are essentially delivering “automation.”

Many of the heavily marketed value propositions have to do with automating the manual tasks that a threat analyst or incident responder would undertake day to day: sifting through critical alerts, correlating them with lesser alerts and log entries, pulling packet captures (PCAPs) and host activity logs, overlaying external threat intelligence and data feeds, and presenting an analytics package for a human analyst to determine the next actions. All of these linked actions can of course be automated with scripting languages if the organization were so inclined.
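To make the point concrete, here is an added example, not code from the original post or from Vectra, that scripts exactly the chain just listed for each critical alert: gather the lesser alerts and log entries from the same host inside a time window, overlay an indicator list standing in for an external threat-intelligence feed, score the result with fixed arithmetic, and hand back a package for a human with the suggested next step (pull the PCAP and host log). Everything in it is deterministic rules; nothing learns. The event tuples, host names, the indicator list, the 5-minute window and the scoring weights are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed events: (timestamp, severity, host, summary, destination IP or None)
EVENTS = [
    ("2016-08-10T09:00:05", "critical", "ws-042", "IDS: C2 beacon pattern", "203.0.113.7"),
    ("2016-08-10T08:57:40", "low", "ws-042", "proxy: .js download from newly seen domain", "203.0.113.7"),
    ("2016-08-10T08:58:10", "low", "ws-042", "EDR: powershell.exe spawned by winword.exe", None),
    ("2016-08-10T08:30:00", "low", "ws-042", "auth: interactive logon", None),        # outside the window
    ("2016-08-10T09:01:00", "medium", "ws-017", "AV: file quarantined", None),
    ("2016-08-10T09:02:00", "critical", "ws-017", "IDS: SMB exploit attempt", "10.0.0.9"),
]

# Constructed indicator list standing in for an external threat-intelligence feed.
THREAT_INTEL = {"203.0.113.7": "known C2 infrastructure (constructed indicator)"}

WINDOW = timedelta(minutes=5)


def parse(ts):
    return datetime.fromisoformat(ts)


def build_package(critical, events, intel, window=WINDOW):
    """Correlate one critical alert with lesser events on the same host within +/- window."""
    t = parse(critical[0])
    related = [
        e for e in events
        if e is not critical and e[2] == critical[2] and abs(parse(e[0]) - t) <= window
    ]
    # Overlay threat intel on every destination seen in the trigger and its related events.
    intel_hits = {e[4]: intel[e[4]] for e in [critical] + related if e[4] in intel}
    # Fixed, explainable scoring: base 5 for a critical, +1 per correlated event, +3 per intel hit.
    score = 5 + len(related) + 3 * len(intel_hits)
    return {
        "host": critical[2],
        "trigger": critical[3],
        "related": sorted(related, key=lambda e: e[0]),
        "intel_hits": intel_hits,
        "score": score,
        "next_step": f"pull PCAP and host activity log for {critical[2]} around {critical[0]}",
    }


def triage(events, intel):
    """Build one package per critical alert and queue them highest score first."""
    packages = [build_package(e, events, intel) for e in events if e[1] == "critical"]
    return sorted(packages, key=lambda p: p["score"], reverse=True)


if __name__ == "__main__":
    for pkg in triage(EVENTS, THREAT_INTEL):
        print(f"[{pkg['score']:2d}] {pkg['host']}: {pkg['trigger']}")
        for e in pkg["related"]:
            print(f"      {e[0]}  {e[1]:8s} {e[3]}")
        for ip, note in pkg["intel_hits"].items():
            print(f"      intel: {ip} -> {note}")
        print(f"      next: {pkg['next_step']}")
```

Every decision the script makes is a comparison or an addition a tier-one analyst could write down on a card; swapping in a different window or weight changes the output but involves no learning of any kind.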

The automation of security event handling doesn’t require AI – at least not the kind or level of AI that we anticipate will cause a global economic and employment transformation.

The AI v1.0 being employed in many of today’s products may be best thought of as assembly-line robots – replicating repeated mechanical tasks, not necessarily requiring any “intelligence” as such. That automation obviously brings efficiencies and consistency to incident investigation and response – but by itself isn’t yet having an impact on an organization’s need to employ skilled human analysts.

As organizations get more comfortable sharing and collectively pooling data, the security community can anticipate the advancement and incorporation of better learning systems – driving down an incremental AI v1.1 path – in which process automation efficiently learns the quirks, actions and common decisions of the environment within which it is operating. One example would be assessing an analytics package that was automatically compiled by determining similarities with previously generated and actioned packages, assigning a prioritization and routing to the correct human responder. It may sound like a small but logical process of automation, but requires another level and class of math, and “intelligence” to learn and tune an expert decision making process.

In my mind, Security AI v2.0 lies in an intelligence engine that not only dynamically learns through observing the repeated classification of threats and their corresponding actions, but is able to correctly identify suspicious behaviors it has never seen before, determine the context of the situation and initiate the most appropriate actions on behalf of the organization.

That might include the ability not just to identify that a new host has been added to the network and appears to be launching a port scan against the Active Directory server, but to predict whether the action may be part of a penetration test (pentest) by understanding the typical pentest delivery process, the typical targets of past pentests and the regular cadence or scheduling of pentests within the organization. The engine could then arrive at an evidence-based conclusion, track down and alert the business owners of the suspected activity and, while waiting for confirmation, automatically adjust threat prevention rules and alerting thresholds to isolate the suspicious activity and minimize potential harm.

The success of Security AI lies in determining actions based on incomplete and previously unclassified information – at which point the hard-to-retain “tier-one” security analyst roles will disappear, just as so many assembly-line jobs in the motor vehicle industry have over the past couple of decades.

Gunter Ollmann, Chief Security Officer, Vectra

[ISACA Now Blog]

Three Myths About CISSP Certification Training…Busted!

Let’s pretend you’re planning a big trip, and you need a nice place to stay. After considering different options online, you find a place that sounds great. The photos appear perfect.

So, here’s the question. When you arrive, will the lodging match your expectations…or is it just too good to be true?

When you’re choosing among CISSP® training providers, we know you’re sorting through a variety of companies and, oftentimes, big, beautiful claims. To ensure you aren’t surprised when you reach the CISSP certification exam, here are three myths debunked.

Myth #1: Pass rates of 90%+ are guaranteed.

What you should know: No training provider knows exactly which questions and real-world scenarios will be on the exam, so there’s no way to guarantee a pass rate.

The CISSP certification exam is very tough, and it’s constantly being updated to reflect our ever-changing cyber world. Not to mention, there are a variety of unknown variables when each person takes the exam.

No company can prepare you for the exact questions on the exam.

Bottom line: (ISC)² does not provide pass rate information to any training provider – including our very own (ISC)² Official and Approved Training Providers. Be careful with any company that guarantees a pass rate.

Myth #2: Any training company can get you a CISSP exam voucher.

What you should know: (ISC)² and (ISC)² Official Training Providers are the only authorized organizations with the ability to offer CISSP exam vouchers.

What happens if an unauthorized company says they can get exam vouchers for you? For example, “all you need to do is give them your Pearson VUE credentials.”

You should know you’re putting yourself at risk. Sharing your Pearson VUE credentials with unauthorized companies or individuals violates the terms of the (ISC)² Non-Disclosure Agreement. Doing this means you:

  • May lose your CISSP certification
  • Can be indefinitely suspended from retaking the exam
  • Will lose the money you’ve paid for the exam

Bottom line: When you go through official channels for exam vouchers, you completely eliminate these risks. (ISC)² and our Official Training Providers will never ask you for your Pearson VUE credentials.

Myth #3: Passing the exam is the one and only thing that matters.

What you should know: There’s more at stake here.

It’s easy to slip into the mindset that passing the exam is the only thing that matters. In this mindset, training can quickly turn into a series of memorization drills and brain dumps.

But step back for a moment. The CISSP certification was created to measure whether you have the experience, knowledge and critical thinking skills to be effective at your job.

Yes, we help you prepare for test day. Just as important, though, we never lose sight of the bigger picture: inspiring a safe and secure cyber world and developing professionals who can protect their organizations.

Because we create and manage the CISSP Common Body of Knowledge (CBK®), our training seminars always include the most current information. Plus, all of our instructors have the CISSP certification themselves. This means our instructors can help you:

  • Understand how to apply the most current best practices in real-world scenarios
  • Build critical thinking skills to enable you to think beyond the tasks at hand
  • Address today’s security problems, and discover tomorrow’s challenges before they even happen

Bottom line: When you choose (ISC)² or one of our (ISC)² Official Training Providers, you are on the way to becoming the most well-rounded and effective information security professional possible.

Interested in becoming a CISSP? Download the free planning kit.

[(ISC)² Blog]

Developing Business Capabilities Using COBIT 5

“You can’t do today’s job with yesterday’s methods and be in business tomorrow.”

–Unknown

To execute your strategy, you need to build business capabilities. In order to ensure a business will be successful in the future, an organization must understand how it defines success and must know if it has the capability today to do better or to do more to achieve this success.

What Is Business Capability?

A business capability (or, simply, a capability) describes a unique, collective ability that can be applied to achieve a specific outcome. A capability model describes the complete set of capabilities an organization requires to execute its business model or fulfill its mission. An easy way to grasp the concept is to think of capabilities as organization-level skills embedded in people, process and/or technology.

A business capability describes an organization’s ability to successfully perform a unique business activity. Business capabilities are used for managing units of strategic business change and for providing the mandate for programs and project portfolios.
Capabilities typically:

  • Form the building blocks of the business but do not have an independent purpose of their own
  • Represent stable business functions
  • Are unique and independent from each other
  • Are abstracted from the organizational model and can be defined for any organizational unit
  • Capture the business’s best interests

Since a business capability model describes the complete set of capabilities an organization requires to execute its business mission, vision and objectives, skills associated with various areas within the business are considered capability components (figure 1).

Figure 1—Examples of Capability Components

Name: Recruitment Management

Roles:
  • User: Recruiter
  • Stakeholders: Manager, Candidate

Processes:
  • Evaluation of new hire requisitions
  • Recruitment/sourcing of candidates
  • Screening and selection of candidates
  • Hiring of candidate

Information:
  • Candidate/applicant details
  • Position description
  • Recruitment agency data
  • Industry standard role definitions

Tools/Technologies:
  • Recruitment management application
  • Human resources application
  • Social media applications

Source: Oluwaseyi Ojo. Reprinted with permission.

These include:

  • People
  • Processes
  • Information
  • Tools/technologies
  • Organization units
  • Functions/roles
  • Business services
  • Information and data
  • Application services
  • Applications
  • Infrastructure
  • Infrastructure services

Why Assess Business Capability?

Organizations face many questions such as:

  • How should we organize ourselves?
  • We have many outsourced capabilities. How do we support cooperation with our partners?
  • How do we adopt new technology and integrate it into our existing landscape?
  • How do we make sure that security standards are implemented in a consistent way?
  • What is the impact of this new acquisition on our business processes?
  • Who is the authoritative source for customer products, etc.?
  • How do we align our technology portfolios with our strategy road map?

To address these questions, businesses develop a business capability model to describe the rationale of how an organization creates, delivers and captures value (figure 2).

Figure 2—Mapping Capability to the Organization

Source: Oluwaseyi Ojo. Reprinted with permission.

Business capabilities should be mapped to the respective functions or organizational units that provide or utilize these skills. Once a capability is identified as being used across multiple business units within the organization, it is important to consider that changes to that capability will impact multiple organizational areas involved. Often, when transformation maps for new technologies are created, it is important to understand that changes in a solution or service a business provides internally or externally can have a significant downstream impact on other parts of the organization.
Figure 3 is the starting point for a business capability model. This matrix represents all the business capabilities that an organization performs. Each cell is a business capability.

Figure 3—Example of a Capability Model

Source: United Kingdom Government Reference Architecture (UKRA) v1.0

The columns (functional management) reflect the high-level value chain for the organization or are major groupings of business capabilities that are meaningful to the business. The rows (capability management) reflect the fundamental purpose of a business capability, and there are normally 3 rows, namely:

  • Strategy
  • Management
  • Operations

Using the COBIT 5 Framework to Develop Business Capability

Enterprise architecture recognizes that the organization is a system and the cross-cutting concerns must first be addressed at the overall level, i.e., the enterprise. It recognizes that one cannot solve every detailed problem at once. Effective ways to deconstruct the problem must be found. Focusing on business capabilities that support business strategy first, then delving into the design of those capabilities, forms an effective way to consider people, process and technology together.
Mapping business capabilities to business strategy is key. Business strategy elaborates on the business vision (enterprise goals), sets the direction for the business and determines where to focus executive attention. It identifies high-level initiatives in support of strategic themes expressed in strategic business objectives.
At this point, there is a need to create a capability map.

Business Capability Map

“Business-capability mapping is the process of modeling what a business does to reach its objectives (its capabilities), instead of how it does it (its business processes).”

–Denise Cook1

The first step is to identify the highest-level capabilities of the business and add these as elements to the capability map. For example, the highest-level capabilities for the whole organization might be:

  • Service/Product Development
  • Service/product delivery
  • Business operations, etc.

The next step is to deconstruct these high-level capabilities into lower-level capabilities and add these lower-level capabilities as subcapabilities in the map. One way to figure out how to deconstruct the business into capabilities is to identify the key services or products that the business offers and list the high-level activities that enable the business to offer these things. For example, if a company builds software applications, it would need to perform market analysis, product development, advertising and sales, distribution, and so on. These are all capabilities that support the business.
It is advisable to continue deconstructing the capabilities until the desired level of detail is achieved. For each capability that is added to the map, a description of that capability can be included in the details view. In addition, the attributes can be defined and related material such as text documents, spreadsheets or presentations can be attached.
After a network of capabilities has been mapped, business groups can group together capabilities that share a common attribute (e.g., an organizational unit or a business goal). For example, all the capabilities related to strategic planning can be grouped in one business group and all the capabilities related to business operations in another. The next step is to create references to the processes that implement each capability.

How COBIT 5 Develops Business Capability

COBIT 5 is a framework rather than a standard and, as a result, it is designed to be adapted by adopting organizations. A core principle of the design of COBIT 5 is to align systematically with cognate frameworks and standards. COBIT provides best practice guidance for the complete life cycle of IT investment. It comes with a suite of management tools with supporting guidance.

Evaluate, Direct and Monitor Domain

The Evaluate, Direct and Monitor (EDM) domain covers governance. Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and processes against agreed-on direction and objectives.
To develop business capabilities, the following COBIT 5 processes must be considered under the governance layer of COBIT 5:

  • EDM01 Ensure Governance Framework Setting and Maintenance
  • EDM02 Ensure Benefits Delivery
  • EDM03 Ensure Risk Optimization
  • EDM04 Ensure Resource Optimization

These processes address the objective of business capabilities.
Name of COBIT process: EDM01 Ensure Governance Framework Setting and Maintenance.
Brief description of process: This process focuses on providing governance of the enterprise, and on preparing and maintaining effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority, to achieve the enterprise’s mission, goals and objectives.

How to use it for developing business capabilities: To develop business capabilities, a strong governance system must be prepared, implemented and effectively maintained. This helps the organization continually identify and engage with the enterprise’s stakeholders, understand and document their requirements, and obtain their support, buy-in and commitment. It also helps drive the development of business capabilities that will achieve the enterprise’s goals and objectives.
Name of COBIT process: EDM02 Ensure Benefits Delivery.2
Brief description of process: This process focuses on optimizing the value contribution to the business from the business processes.

How to use it for developing business capabilities: Developing business capabilities is an investment; this helps to continually evaluate the investment and strategic alignment to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. It also helps to identify and make judgments on any changes in direction that need to be given to management to optimize value creation and realization. With a defined balanced set of performance objectives, metrics, targets and benchmarks, monitoring the key business goals and metrics to determine the extent to which the business capabilities are generating the expected value and benefits to the enterprise is crucial.
Name of COBIT process: EDM03 Ensure Risk Optimization.
Brief description of process: This process focuses on ensuring that the enterprise’s risk management framework is established and monitored.

How to use it for developing business capabilities: While developing business capabilities, a new risk can be introduced, or an existing risk that was once low can be triggered and become high or critical. This process helps define the enterprise’s risk appetite and tolerance and ensures that they are understood, articulated and communicated. To develop sustainable business capabilities, organizations must proactively evaluate risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made. This determines the level of risk the enterprise is willing to take when developing business capabilities in order to meet its objectives (its risk appetite).
Name of COBIT process: EDM04 Ensure Resource Optimization.
Brief description of process: This process ensures adequate and sufficient capabilities (people, process and technology) are available to support enterprise objectives effectively.

How to use it for developing business capabilities: To develop business capabilities, resources need to be optimized; this focuses on establishing and maintaining resources (people, process and technology) needed to develop business capabilities. Resources are key to develop and sustain business capabilities. The resource needs of the enterprise must be met in the optimal manner that will increase likelihood of benefit realization and readiness for future change. Resources must be allocated to best meet enterprise priorities within budget constraints and overall enterprise goals and objectives.

Align, Plan and Organize Domain

The Align, Plan and Organize (APO) domain covers the use of information and technology and how they can best be used in an enterprise to help achieve enterprise goals and objectives. It also highlights the organizational and infrastructural form IT should take to achieve optimal results and to generate the most benefits from the use of IT.
To develop business capabilities, the following COBIT 5 processes must be considered under the management layer of COBIT 5:

  • APO02 Manage Strategy
  • APO03 Manage Enterprise Architecture
  • APO05 Manage Portfolio
  • DSS06.01 Align control activities embedded in business processes with enterprise objectives.

These processes address the objective of developing business capabilities.
Name of COBIT process: APO02 Manage Strategy.
Brief description of process: This process focuses on setting business goals and objectives.

How to use it for developing business capabilities: To execute your strategy, you need to build your business capabilities. The primary reason for developing business capabilities is to support and achieve the business goals and objectives. To develop business capabilities, the enterprise direction must be clearly defined and understood, and strategic plans must be aligned with business goals and objectives. This helps ascertain priorities in order to develop the right business capabilities.
Name of COBIT process: APO03 Manage Enterprise Architecture.
Brief description of process: This process focuses on establishing a common architecture for effectively and efficiently realizing enterprise strategies.

How to use it for developing business capabilities: Enterprise architecture is a conceptual tool that helps organizations get a deeper understanding of their own structure and the way they work. It provides a map of the enterprise, and it is a “route planner” for business and technology change. To develop business capabilities, organizations must connect strategy to execution; enterprise architecture enables flexibility and adaptability, so that business capabilities can keep pace with changes in strategy. Enterprise architecture provides a balanced approach to the selection, design, development and deployment of all the solutions (business capabilities) to support the enterprise.
Name of COBIT process: APO05 Manage Portfolio.
Brief description of process: This process focuses on evaluating, prioritizing and balancing programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk.

How to use it for developing business capabilities: This process establishes the portfolio strategy, defines portfolio governance, and monitors and controls the portfolio. The objective of this process is to identify the projects and initiatives that the organization will focus on to develop business capabilities, and to align them with strategic goals, objectives and business needs. In addition, a budget is secured and allocated to ensure that projects are prioritized, organized and staffed. The status and performance of projects and initiatives are monitored so that products and services can be built, delivered and improved.
Name of COBIT practice: DSS06.01 Align control activities embedded in business processes with enterprise objectives.
Brief description of practice: This practice in the Deliver, Service and Support (DSS) domain focuses on assessing and monitoring the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.

How to use it for developing business capabilities: This practice helps to identify and document the control activities of key business capabilities in order to satisfy control requirements for strategic, operational, reporting and compliance objectives. Control activities are prioritized based on the inherent risk to the business, key controls are identified, and control activities are continually monitored on an end-to-end basis to identify opportunities for improvement.
Continual assessment and monitoring are important to ensure that the right business capabilities are properly developed and improved.
These COBIT 5 processes and practices, if properly and painstakingly implemented, will help achieve the desired business capabilities.

Conclusion

Capabilities are purely business views of the business, whether the capability is automated or not. It is a capability if the business can and does have this ability—even if it is weak. Capabilities can provide both strategic and operational investment guidance. Capabilities can be easily and subjectively assessed. Once assessed, capability analysis can be applied to a wide variety of organizational problems.

Oluwaseyi Ojo, CEng, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CISSP, TOGAF 9

Is an experienced enterprise and security architect. He has assisted several organizations in developing and improving their business capabilities, using best practice standards and frameworks to translate their business vision, goals and strategies into effective road maps that describe the enterprises’ present and future states and enable them to evolve in order to gain and maintain their competitive advantages. He is an ISACA exam writer for the CRISC and CISM exams. He can be contacted through his LinkedIn profile.
