What is security management with COBIT 2019 and how to apply it
Managed Security Service
DSS05 – Protecting company information to maintain the level of information security risk acceptable to the company in accordance with the security policy.
Objective
Minimize the business impact of operational information security incidents and vulnerabilities.
Management Practice
DSS05.01 Protect against malicious software: Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g. ransomware, malware, viruses, worms, spyware, spam).
DSS05.02 Manage network security and connectivity: Use security measures and related management procedures to protect information across all connectivity methods.
DSS05.03 Manage endpoint security: Ensure that endpoints (e.g. laptops, desktops, servers and other mobile and network devices or software) are secured to a level equal to or greater than the security requirements defined for the information processed, stored or transmitted.
DSS05.04 Manage user identity and logical access: Ensure that all users have access rights to information in accordance with business requirements. Coordinate with business units that manage their own access rights within business processes.
DSS05.05 Manage physical access to I&T assets: Define and implement procedures (including emergency procedures) to grant, limit and revoke access to facilities, buildings and areas according to business need. Access must be justified, authorized, recorded and monitored for all persons, including employees, temporary workers, customers, suppliers, visitors and other third parties.
DSS05.06 Manage confidential documents and output devices: Establish appropriate physical safeguards, accounting practices and inventory management for sensitive IT assets such as special forms, negotiable instruments, special-purpose printers and security tokens.
DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events: Using a portfolio of tools and technologies (e.g. intrusion detection tools), manage vulnerabilities and monitor the infrastructure for unauthorized access. Ensure that security tools, technologies and detection capabilities are integrated into overall event monitoring and incident management.
Skills
Information Security (SCTY): The selection, design, justification, implementation and operation of controls and management strategies to maintain the security, confidentiality, integrity, availability and accountability of information systems, and their compliance with relevant legislation, regulations and standards.
Penetration Testing (PENT): The assessment of organizational vulnerabilities through the design and execution of penetration tests that demonstrate how an adversary might subvert the organization's security goals or achieve specific adversary objectives. Penetration testing can be a stand-alone activity or an aspect of acceptance testing prior to approval to operate, providing insight into the business risk posed by the vulnerabilities found.
Security Administration (SCAD): The provision of operational and administrative security management services. Typically includes authorizing and monitoring access to IT facilities or infrastructure, investigating unauthorized access, and ensuring compliance with applicable legislation.
Translated by 4MATT Technology from the original Process Symphony: Security Service Management–DSS05 (COBIT2019)