Implementation Life Cycle “Posterized” in Free COBIT 5 Download

COBIT 5’s Seven Phases of the Implementation Life Cycle have been “posterized” into a free download that illustrates the framework’s program management, change enablement and continual improvement life cycle.

The poster is part of the COBIT 5 framework for the governance and management of enterprise IT, which is highly valued by commercial, not-for-profit and public-sector organizations. Enterprise executives, IT professionals and business consultants depend on its globally accepted principles, practices, analytical tools and models to drive business value from trusted information and technology. Among the more popular elements from COBIT® 5 are the diagrams illustrating important practical concepts.

The July COBIT 5 poster centers on the Seven Phases of the Implementation Life Cycle diagram. The seven phases include:

Phase 1—What Are the Drivers? This phase identifies the current change drivers and creates, at executive management level, a desire to change that is then expressed in an outline business case.
Phase 2—Where Are We Now? This phase aligns IT-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, IT-related goals and processes.
Phase 3—Where Do We Want To Be? This phase sets a target for improvement, followed by a gap analysis to identify potential solutions. Some solutions will be quick wins; others will be more challenging, long-term tasks.
Phase 4—What Needs To Be Done? This phase plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation.
Phase 5—How Do We Get There? This phase implements the proposed solutions in day-to-day practices and establishes measures and monitoring systems to ensure that business alignment is achieved and performance can be measured.
Phase 6—Did We Get There? This phase focuses on the sustainable transition of the improved governance and management practices into normal business operations, and on monitoring achievement of the improvements using the performance metrics and expected benefits.
Phase 7—How Do We Keep the Momentum Going? This phase reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritizes further opportunities to improve GEIT.

COBIT® 5 – The Seven Phases of the Implementation Life Cycle


Previous COBIT 5 posters of the month include:

June 2016:  COBIT 5—Summary of Process Capability Model
May 2016:  COBIT 5—Process Reference Model
April 2016:  COBIT 5—Governance and Management Key Areas
March 2016:  COBIT 5—Enterprise Enablers
February 2016:  Roles, Activities and Relationships
January 2016:  Goals Cascade
December 2015: Governance Objective: Value Creation
November 2015: COBIT 5 Principles

For more information on COBIT 5 click here, and to see/download all of the COBIT 5 posters, click here.

Peter Tessin, Technical Research Manager, ISACA

[ISACA Now Blog]

Cyberthreat Information Sharing: An Industry Imperative to Increase Australia’s Cyber Resilience

There is no doubt that cybersecurity provides longevity to a business and can help differentiate it from its competitors – for both good and not-so-good reasons. Organisations, in both the public and private sectors, need strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.

As we have seen, though, the threat landscape is not abating and it will continue to evolve. Our cyber adversaries are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.

This new and challenging reality applies to Australian organisations just as it does to global businesses. The Australian government is taking important steps to raise its cyber resilience and strengthen its approach to cybersecurity with the release of the Cyber Security Strategy in April 2016. As Australian Prime Minister Malcolm Turnbull has said, “the Australian Government has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace. We must safeguard against criminality, espionage, sabotage, and unfair competition online.”

Australia’s Cyber Security Strategy has five main themes:

  • A national, cyber public-private partnership
  • Strong cyber defences (including cyberthreat information sharing)
  • Global responsibility and influence
  • Growth and innovation
  • A “cyber smart nation”

These are laudable goals, but if we aspire to put an end to the breaches we read about in the headlines almost daily, a partnership is needed to achieve them.

One key way for industry to play a valuable role is to participate in voluntary cyberthreat information sharing. Operationalising threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks.

What Is Meant by Cyberthreat Information Sharing?

Cyberthreat information sharing is the sharing of information about threats and incidents so that all entities can better protect and defend their networks. The information in question is generally technical in nature, such as bot command-and-control servers, malware samples, malware analysis results, and indicators of compromise. In short, it is about sharing attack information. What’s most critical is to learn about the kinds of actors targeting organisations, the tools they have available, and the tactics they employ – all to help organisations to prevent attacks and defend their networks more effectively.

What to Share and How

First, let’s define the attributes of what should be shared:

  • Threat Indicators: forensic artefacts that describe the attacker’s methodology.
  • Adversary’s Campaign Plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group.
  • Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets.
  • Adversary Dossier: campaign plans + context: a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.

Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so improves the assessment of the adversary group’s potential material impact on the targeted organisation, giving that organisation a better opportunity to detect and prevent the attack, and helping to deter the adversary.

The information itself is important – but it must be actionable. This means that it must arrive in as close to real time as possible. As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats — only through automating prevention and detection can organisations be fast enough to adequately secure networks. Thus, government and industry must collaboratively build a robust, automated information sharing architecture, capable of turning threat indicators into widely distributed security protections in near-real time.
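As an added example (not code from the original post), the dossier structure defined above modelled as data, with a matcher that turns its indicators into automated detections over constructed log events; the group name, indicators and events are all constructed placeholders.

```python
"""Added example (not from the original post): the "adversary dossier" above as a data
model (indicators per lifecycle link, plus context) and a matcher over constructed events."""
from dataclasses import dataclass, field
from typing import Iterable

@dataclass(frozen=True)
class ThreatIndicator:
    phase: str   # lifecycle link, e.g. "delivery", "command-and-control"
    kind: str    # observable type, e.g. "domain", "sha256", "ip"
    value: str   # the forensic artefact itself

@dataclass
class AdversaryDossier:
    group: str                                  # attributed adversary group
    campaign_plan: list[ThreatIndicator]        # indicators per lifecycle link
    context: dict[str, str] = field(default_factory=dict)  # motivation, origin, targets

    def index(self) -> dict[tuple[str, str], ThreatIndicator]:
        # Lower-case values so matching is exact but case-insensitive.
        return {(i.kind, i.value.lower()): i for i in self.campaign_plan}

def match_events(dossiers: Iterable[AdversaryDossier], events: Iterable[dict]) -> list[dict]:
    """One hit per event whose observable matches an indicator in a dossier.
    Each event is {"kind": ..., "value": ..., "host": ...}; hits carry the
    attributed group, the lifecycle phase and the dossier context."""
    indexes = [(d, d.index()) for d in dossiers]
    hits = []
    for ev in events:
        key = (ev["kind"], ev["value"].lower())
        for dossier, idx in indexes:
            ind = idx.get(key)
            if ind is not None:
                hits.append({"host": ev["host"], "group": dossier.group,
                             "phase": ind.phase, "indicator": ind.value,
                             "context": dossier.context})
    return hits

# Constructed sample dossier: every name and value is a placeholder.
SAMPLE_DOSSIER = AdversaryDossier(
    group="PLACEHOLDER-GROUP-1",
    campaign_plan=[ThreatIndicator("delivery", "sha256", "a" * 64),
                   ThreatIndicator("command-and-control", "domain", "c2.example.invalid")],
    context={"motivation": "financial", "typical_targets": "retail"},
)

# Constructed sample events, as a proxy log and an endpoint agent might emit them.
SAMPLE_EVENTS = [
    {"kind": "domain", "value": "C2.EXAMPLE.INVALID", "host": "ws-01"},
    {"kind": "domain", "value": "updates.example.invalid", "host": "ws-02"},
    {"kind": "sha256", "value": "a" * 64, "host": "ws-03"},
]
if __name__ == "__main__":
    for hit in match_events([SAMPLE_DOSSIER], SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["group"]} ({hit["phase"]}) via {hit["indicator"]}')
```

Each hit names the lifecycle link the matched indicator belongs to, so a responder sees not just that a host touched a known artefact but where in the adversary’s campaign plan that artefact sits.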

Resistance to Sharing and Other Barriers to Success

Increasing cyberthreat information sharing in our country is easier said than done, for a number of reasons. First, there is apprehension amongst organisations that information sharing could negatively impact them. Many feel that by sharing information that could be classified as sensitive and privileged, they would be giving the upper hand to their competitors. This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.

Some of the other challenges and perceived barriers to greater cyberthreat information sharing that will need to be addressed are:

  • Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
  • Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more we continue to treat this information as IP, and the more we keep it in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
  • Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
  • Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort —and valuable time — to declassify that same information to share with private companies and the public at large.

Where to Go From Here

We urge the Australian government as well as industry to quickly put into action the recommendations for greater cyberthreat information sharing as laid out in the new Cyber Security Strategy. Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary. Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combating our adversaries with technological weapons that have no ammunition.

[Palo Alto Networks Research Center]


Announcing the LabyREnth Capture the Flag (CTF) Challenge

We’re proud to announce that LabyREnth, the Unit 42 Capture the Flag (CTF) challenge, is open to the public and ready to test your malware analysis and reverse engineering skills. You’ll have until 11:59pm on August 14th, 2016 to run through more than 25 challenges built by some of the industry’s best threat researchers and security engineers.

Whether you are an experienced threat researcher looking to win renown or a student just getting started, there are challenges built to surprise you and hopefully show you something new. You’ll also have the opportunity to win part of $16,000 in rewards if you’re among the first to complete the tracks. The CTF is open worldwide, including to Palo Alto Networks partners; please refer to the official rules for further eligibility details.

These challenges bring together amazing learning opportunities for all levels across the security industry, all with serious prizes. Our goal is to drive threat intelligence education by sharing challenges based on the daily life of our engineers, helping improve skills and develop the next generation of analysts.

Watch the @unit42_intel Twitter and #labyREnth hashtag for updates and winners.

Join the LabyREnth now.

[Palo Alto Networks Research Center]

Africa CACS Keynote Herman Konings to Introduce “Cathedral Thinking”

Trend analyst and consumer psychologist Herman Konings will present the Africa CACS 2016 closing keynote address, titled Cathedral Challenges: What Happens After What Comes Next? Konings is a genuine storyteller who inspires the spectator on an engaging course about the amazing world of passions and interests, trends and future expectations, and about what is and what will be.

Africa CACS will take place at the InterContinental Nairobi, Kenya, from Monday, 8 August to Tuesday, 9 August. For more information click here.

The following is a question-and-answer session with Konings.

ISACA NOW:  What major societal trends do you see in the near and long terms?
KONINGS:  To understand trend watching, it is vitally important to know what a trend is. It is not, as many think, a term exclusively associated with the world of marketing, fashion or design. At its most essential, a trend can be defined as the direction in which something/anything tends to move and which has a consequential impact on the society, culture or business sector through which it moves.

Trends are, therefore—as London-based trend forecaster Martin Raymond describes—a fundamental part of our emotional, physical and psychological landscape; and by detecting, mapping and using them to anticipate what is new and next in the world or business, we are contributing to better understanding the underlying ideas and principles that drive and motivate us as consumers, citizens, users, creators, and decision makers.

From a global point of view, interesting (societal) trends are, among other things, the growth of life expectancy (and the related overpopulation), the digitization of jobs, the sustainability (including mobility) challenge and the collaborative mindset of Generation Y. I have the strong conviction that these global trends are “true” global trends, not only relevant for Northern America, Europe or the Far East, but in the “long-near” (= within 5 to 10 years) also self-evident for Africa.

ISACA NOW:   As a trend watcher, what have you learned about the portability of trends? Does a trend in Europe, for example, generally translate into a trend elsewhere? Can you predict portability? Also, can you predict which trends will move from fad to mainstay?
KONINGS:  A legitimate question is whether trends are portable from one region or even continent to another. Can a trend detected in Europe take root in, for example, Sub-Saharan Africa? The answer is quite complex. One has to take into consideration different demographic, economic, socio-cultural, technological, ecological, political and—maybe the most tricky of all—psychological circumstances. On the other hand—and this is promising—the profound globalization of the 21st century means that younger generations (the so-called “Millennials”—GEN Y—and “Digital Aboriginals” —GEN Z) are behaving more and more in the same way as their peers on other continents. The similarities within a global age group have never been more pronounced as within the group of teenagers and twenty-somethings of today. This will obviously enhance the portability of trends associated with young adults.

ISACA NOW:  What will attendees of Africa CACS take away from your presentation?
KONINGS:  On 9 August, I will introduce the idea of “Cathedral Thinking.” Short-term, instant-gratification thinking seems to fail. Both consumers and business leaders are reconsidering the idea of long-term thinking. Like builders of cathedrals in medieval times (in Europe), when fathers passed the task on to sons, who in turn passed the task on to their sons. Once initiated to the job, cathedral builders knew exactly that neither they, nor their children, grandchildren or even great-grandchildren would be joining in the housewarming party of that cathedral.

The attendees of my presentation at Africa CACS will learn, among other things, about sensors leading to an Internet that is more adapted to the individual, turning the Internet of Things into an Internet of Me. I will also be discussing the humanization of the digital and “augmented intelligence,” the joint forces of hyper-cognitive intelligence (supercomputers) and both social and emotional intelligence of (bio only) humans.

For more information on Africa CACS, click here.

[ISACA Now Blog]

Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities

Palo Alto Networks researchers discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10, and 11. Both are included in Microsoft’s July 2016 Security Bulletin, and documented in Microsoft Security Bulletin MS16-084.

As part of our continued commitment to the security research community, we disclosed these vulnerabilities to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and the creation of protections by security vendors.

Palo Alto Networks is a regular contributor to vulnerability research. Our researchers have discovered more than 80 critical Microsoft vulnerabilities over the past 20 months and have also been recognized for contributions to Adobe, Apple and Android vulnerability research. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with vendors such as Microsoft for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.

[Palo Alto Networks Research Center]
