Thursday, June 16, 2011

COBIT and Security Awareness Training

COBIT (Control Objectives for Information and Related Technology) was developed by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). It’s a much broader standard than ISO 27000 since it applies to the entire IT structure of an organization (rather than just information security) and provides a mechanism for assessing the maturity of an organization’s IT processes in 34 areas.

COBIT doesn’t have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:

 PO6 Communicate management aims and direction

 PO7 Manage IT human resources

 DS5 Ensure systems security

 DS7 Educate and train users

Although COBIT makes no specific recommendations as to best practices, it does provide a series of maturity models that enable an organization to gauge how well it is doing. The COBIT maturity model for training (DS7 – Educate and Train Users) specifies the following requirements for each of its 5 maturity levels:

Level – Definition – Requirement

0 – Non-Existent – There is a complete lack of any training and education program.

1 – Initial/Ad Hoc – Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.

2 – Repeatable but Intuitive – Informal training and education classes are taught that address the issues of ethical conduct and system security awareness and practices.

3 – Defined Process – Formal classes are given to employees in ethical conduct and in system security awareness and practices; training and education processes are monitored.

4 – Managed and Measurable – All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance.

5 – Optimized – Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. There is a positive attitude with respect to ethical conduct and system security principles.
