1. PO1.3 Assessment of Current Capability and Performance
2. PO2.3 Data Classification Scheme
3. AI6.1 Change Standards and Procedures
4. DS4.1 IT Continuity Framework
5. DS5.2 IT Security Plan
6. DS5.3 Identity Management
7. DS5.5 Security Testing, Surveillance and Monitoring
8. DS5.9 Malicious Software Prevention, Detection, and Correction
9. DS5.10 Network Security
10. ME1.3 Monitoring Method
Supporting Explanation for Check-list Item Number 1
The first step in a security checklist for XYZ Company is COBIT PO1.3, an assessment of the current capability and performance of solution and service delivery. The assessment should measure IT's contribution to business objectives, as well as functionality, stability, complexity, costs, strengths, and weaknesses. While this assessment will be useful for security purposes, every area of IT can use it, because security capabilities are a subset of overall IT capabilities. It will provide a baseline against which future changes can be compared. Since XYZ is not a new company, it already has infrastructure and services in place. A baseline is therefore advantageous because it allows IT to show tangible improvements to executives, which helps secure funding for future IT initiatives.
Assessing current capabilities will also prevent IT from building a solution from scratch when a similar one already exists. By reducing rework, XYZ can put its funds to the most effective use. Another side effect of the assessment will be the groundwork for identifying the company's information assets, which will be important in later steps such as data classification. According to COBIT, the assessment should also measure IT's strengths and weaknesses. Some of the weaknesses will undoubtedly be security related and will give XYZ Company specific areas on which to focus improvements.
To accomplish the assessment, IT will have to interview people across the enterprise. In