COBIT (Control Objectives for Information and Related Technology – ISBN 1-933284-37-4) was developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a much broader standard than ISO 17799, since it applies to the entire IT structure of an organization (rather than just information security) and provides a mechanism for assessing the maturity of an organization’s IT processes in 34 areas.
COBIT doesn’t have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- DS5 Ensure systems security.
- DS7 Educate and train users.
Although COBIT makes no specific recommendations as to best practices, it does provide a series of maturity models that enable an organization to gauge how well it is doing. The COBIT maturity model for training (DS7 – Educate and Train Users) specifies the following requirements for each of its 5 maturity levels:
| Level | Definition | Requirement |
| --- | --- | --- |
| 0 | Non-Existent | There is a complete lack of any training and education programme. |
| 1 | Initial/Ad Hoc | Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices. |
| 2 | Repeatable but Intuitive | Informal training and education classes are taught … Some of the classes address the issues of ethical conduct and system security awareness and practices. |
| 3 | Defined Process | Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored … |
| 4 | Managed and Measurable | All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance … |
| 5 | Optimised | Sufficient budgets, resources, facilities and instructors are provided for the training and education programmes. There is a positive attitude with respect to ethical conduct and system security principles. |
Note: The above table is a condensed version of the full DS7 maturity model. For the full version, download a copy of COBIT 4.0 from the ISACA website.

A comprehensive security awareness training programme is clearly necessary to reach level 4 or 5 on the maturity scale, and a suitable learning management system (LMS) can help provide the management monitoring required at level 3 and above.