{"id":25,"date":"2007-02-09T14:17:37","date_gmt":"2007-02-09T21:17:37","guid":{"rendered":"http:\/\/blog.cosaint.net\/?p=25"},"modified":"2023-09-11T13:15:21","modified_gmt":"2023-09-11T13:15:21","slug":"cobit-and-security-awareness-training","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/cobit-and-security-awareness-training\/","title":{"rendered":"COBIT and Security Awareness Training"},"content":{"rendered":"<p>COBIT (Control Objectives for Information and Related Technology &#8211; ISBN 1-933284-37-4) was developed by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). It&#8217;s a much broader standard than <a href=\"https:\/\/www.empowerbpo.com\/blog\/iso-17799-and-security-awareness-training\/\" rel=\"nofollow noopener\" target=\"_blank\">ISO 17799<\/a> since it applies to the entire IT structure of an organization (rather than just information security) and provides a mechanism for assessing the maturity of an organization&#8217;s IT processes in 34 areas.<\/p>\n<p>COBIT doesn&#8217;t have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:<\/p>\n<p><!--more--><\/p>\n<ul>\n<li>PO6 Communicate management aims and direction.<\/li>\n<li>PO7 Manage IT human resources.<\/li>\n<li>DS5 Ensure systems security.<\/li>\n<li>DS7 Educate and train users.<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"alignnone\" title=\"Cobit Maturity Model\" src=\"https:\/\/www.empowerbpo.com\/blog\/wp-content\/uploads\/2007\/02\/cobit.jpg\" alt=\"Cobit Maturity Model\" width=\"500\" height=\"256\" align=\"center\" border=\"0\" \/><\/p>\n<p style=\"text-align: center;\">Although COBIT makes no specific recommendations as to best practices, it does provide a series of maturity models that enable an organization to gauge how well it is doing. The COBIT maturity model for training (DS7 &#8211; Educate and Train Users) specifies the following requirements for each of its 5 maturity levels:<\/p>\n<table class=\" aligncenter\" style=\"border-collapse: collapse; height: 818px;\" border=\"0\" width=\"610\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"border-right: #c1ccd9; border-top: green 1.5pt solid; border-left: #c1ccd9; width: 43px; border-bottom: green 0.75pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><strong><span style=\"font-size: 8pt;\">Level<\/span><\/strong><\/p>\n<p>&nbsp;<\/td>\n<td style=\"border-right: #c1ccd9; border-top: green 1.5pt solid; border-left: #c1ccd9; width: 120px; border-bottom: green 0.75pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><strong><span style=\"font-size: 8pt; mso-fareast-font-family: 'Arial Unicode MS'; mso-bidi-font-family: 'Arial Unicode MS';\">Definition <\/span><\/strong><\/p>\n<p>&nbsp;<\/td>\n<td style=\"border-right: #c1ccd9; border-top: green 1.5pt solid; border-left: #c1ccd9; width: 428px; border-bottom: green 0.75pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><strong><span style=\"font-size: 8pt;\">Requirement<\/span><\/strong><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 43px; background-color: transparent; mso-border-top-alt: solid green .75pt; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">0<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 120px; background-color: transparent; mso-border-top-alt: solid green .75pt; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Non-Existent<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 428px; background-color: transparent; mso-border-top-alt: solid green .75pt; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">There is a complete lack of any training and education programme.<\/span><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 43px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">1<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 120px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Initial\/Ad Hoc<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 428px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.<\/span><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 43px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">2<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 120px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Repeatable but Intuitive<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 428px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Informal training and education classes are taught &#8230; Some of the classes address the issues of ethical conduct and system security awareness and practices.<\/span><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 43px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">3<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 120px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Defined Process<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 428px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored &#8230;<\/span><\/p>\n<p style=\"text-align: center;\">\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 43px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">4<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 120px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Managed and Measurable<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 428px; background-color: transparent; border: #c1ccd9; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance &#8230;<\/span><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td style=\"border-right: #c1ccd9; border-top: #c1ccd9; border-left: #c1ccd9; width: 43px; border-bottom: green 1.5pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">5<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"border-right: #c1ccd9; border-top: #c1ccd9; border-left: #c1ccd9; width: 120px; border-bottom: green 1.5pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Optimised<\/span><\/p>\n<p>&nbsp;<\/td>\n<td style=\"border-right: #c1ccd9; border-top: #c1ccd9; border-left: #c1ccd9; width: 428px; border-bottom: green 1.5pt solid; background-color: transparent; padding: 0in 5.4pt 0in 5.4pt;\" valign=\"top\"><span style=\"font-size: 8pt;\">Sufficient budgets, resources, facilities and instructors are provided for the training and education programmes. There is a positive attitude with respect to ethical conduct and system security principles.<\/span><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Note: The above table is a condensed version of the full DS7 maturity model.<br \/>\nFor a full version, download a copy of COBIT 4.0 from the <a href=\"http:\/\/www.isaca.org\/\" target=\"_blank\" rel=\"noopener nofollow\">ISACA website<\/a>.<\/em><\/p>\n<p align=\"left\">In order to achieve a 4 or 5 on the maturity scale, a comprehensive security awareness training program is clearly necessary. And a suitable LMS can help to provide the management monitoring required by levels 3 and above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>COBIT (Control Objectives for Information and Related Technology &#8211; ISBN 1-933284-37-4) was developed by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). It&#8217;s a much broader standard than ISO 17799 since it applies to the entire IT structure of an organization (rather than just information security) and provides a [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-25","post","type-post","status-publish","format-standard","hentry","category-compliance"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/25","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=25"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/25\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=25"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=25"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=25"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}