
PharmUniverse Caselet:

Using COBIT 5 for Information Security


Disclaimer
ISACA has designed and created PharmUniverse Caselet: Using COBIT 5 for
Information Security (the Work) primarily as an educational resource for educational
professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, security governance and assurance professionals
should apply their own professional judgement to the specific circumstances presented
by the particular systems or information technology environment.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

2013 ISACA. All rights reserved.
Reservation of Rights
2013 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorization of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the materials
source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/information_security_caselets


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Acknowledgements
Researcher
Krag Brotby, CISM, CGEIT, Brotby & Associates, USA

Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Academic Program Subcommittee
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan
Student Book
This caselet was developed to support the Information Security Student Book:
Using COBIT 5 for Information Security,
www.isaca.org/information_security_student_book.

Agenda
Company Profile PharmUniverse

Background Information

The Problems

Your Role

Your Tasks

Figures

Notes

Questions

Glossary

Company Profile: PharmUniverse
International pharmaceutical company with 1,500 employees
Founded nine years ago, headquartered in Boston, Massachusetts, USA
Small offices in Los Angeles, California, USA; Düsseldorf, Germany; and Singapore
Is the result of the work of a senior researcher in the pharmaceutical industry who
discovered a new formula for a drug shown to greatly reduce the likelihood of lung and
other blood clots
Currently has an eight percent share in the blood clot prevention drug market

Background Information

What we do

Financials

Org. Structure

Operational

Industry

Background Information: What we do
Pharmaceutical company that has obtained venture capital, hired several other
researchers, patented the formula and established its viability in clinical tests
Has the approval of the US Food and Drug Administration (FDA) for this drug only by
prescription
Although the product did not initially penetrate the market very well, negative publicity
associated with the side effects of competing drugs has greatly reduced the market share
of several of the industry leaders, leaving ample room for PharmUniverse to grow

Background Information: What we do (continued)
Focuses on innovation because the management and board of directors are not content
for the company to be either a conventional or a single-product company
Has been trying to develop another formula that greatly increases people's resistance to
bacterial infections, a type of bacterial infection inoculation drug that promises to help
prevent bacterial pneumonia infections, something medical science has thought
impossible for centuries
Is almost ready for FDA testing of the new drug
Recently launched an effort to develop a drug that will reduce memory loss in the elderly

Background Information: Financials
Has grown from an upstart, small-scope operation to a company with revenue of nearly
US $500 million in 2012 and with operating reserves of approximately US $20 million
Market share increased sales volume in dollars by the end of last year, and the goal this
year is to increase market share to 10 percent
Was privately held from its inception until 2009, when it went public with a stock share
strike price of US $7 per share on the NASDAQ Stock Exchange. The stock has risen to
approximately US $15 per share and is paying a six percent annual dividend.

Background Information: Org. Structure
[Figure 1: Organisational Chart]

Background Information: Org. Structure (continued)
The board of directors:
Is best characterised by diversity
Has some members who have served in positions with pharmaceutical and biomedical
companies, but the majority do not have this kind of background
Is anything but risk averse, and pushes the CEO to offer generous incentives to
researchers who develop new formulas likely to result in new and profitable
pharmaceutical products

The CEO:
Is a member of the executive council, which meets bimonthly to create, evaluate and, in
some cases, change corporate objectives.

Background Information: Org. Structure (continued)
The Research team:
Although this team does not, in a strict sense, comprise a business unit, for all practical
purposes it functions like one.
It receives a yearly budget that is more than ample for a unit of fewer than 60 employees.
Most of these employees are scientists, who are led by a seasoned business professional
with more than 20 years of experience managing scientific research teams in business
settings.

Background Information: Org. Structure (continued)
The Research team:
The team manager reports to the vice president (VP) of research, who reports to the
CEO. The team is accountable for meeting a long list of objectives, of which the most
critical are the number of:
Patents filed and granted per year
Hours of labor to produce a viable formula for each drug product
Viable formulas (regardless of whether they are patented) created per year
Marketing and sales of products are handled completely independently of the research
team.

Background Information: Marketing
PharmUniverse spends a large proportion of its yearly budget on marketing, attempting to
win the trust of customers and potential customers.
Despite being a relative newcomer in the market, these efforts have generally been
successful.
Another round of well-publicised problems recently found in competing drugs has also
given a boost to PharmUniverse's marketing efforts.
Industry

Background Information: Industry
The pharmaceutical industry is extremely competitive. The ability to streamline the
process of inventing formulas and testing them to determine whether they are viable as
products is what makes a company in this arena successful.
Industrial espionage is common in the pharmaceutical industry. Obtaining competitors'
drug formulas before products go to market is a huge advantage for competitors because
it greatly reduces the time and resources needed in the costly research process.
At the same time, having a formula stolen is a worst-case scenario for a pharmaceutical
company. The company's profits from a new product are likely to be minimised.

The Problems
You are faced with the challenge of establishing an information security
governance programme in a company that is relatively new and has never had
more than a very small IT security function that focused mostly on firewalls and
intrusion prevention systems (IPSs) before you arrived.

With the exception of you, no one on the executive management team knows
much about information security, and although your current budget adequately
covers the salaries of your security team and a few network security initiatives that
were started before you arrived, the CEO has told you that he has a "wait and see"
attitude towards information security.

The Problems
You interpret the CEO's comments to mean that if information security does not
produce visible results by the next fiscal year, your budget could be cut back
significantly and you may even lose your job.

As you become acquainted with how PharmUniverse works, you realise that the
brain trust of this company is not the sales or marketing organisation, nor is it
executive-level management, but rather it is the research division.

The output of this unit is, almost without exception, potentially very valuable
intellectual property that must be kept out of the hands of competitors at all costs.

The Problems
The members of this unit, the manager in particular, are faced with tremendous
pressure to come up with new, viable formulas. If they do, they are handsomely
rewarded. If they do not, they are treated progressively more harshly and, almost
without exception, terminated.

In the past, several terminated researchers departed the company under extremely
hostile circumstances; a few of them went to work for competitors shortly after.

Currently, several researchers are under a great deal of pressure to produce or else.

The Problems
Another issue of potential concern to you is that most of the employees in this
organisation are scientists who are used to working in environments where ideas
and research data are freely exchanged within and outside of research teams.

Most of them (and the VP of research) barely know what file permissions or virtual
private networks (VPNs) are, and even if they did, they would not be inclined to use
either because doing so would be an inconvenience that would slow their research
progress.

The fact that the research division now uses cloud services for data storage is also
something that has caught your attention.

The Problems
Ben Dorian: Research Team Manager
The research team manager is Ben Dorian. He is highly focused on achieving the
goals handed to him by his boss, the VP of research. He is by no means a scientist.
Instead, he is a numbers person all the way through, and the most important
numbers to him are the ones that represent the progress of his unit.
He is polite, but very driven. You have tried to establish a communication channel
with him, but he is so busy that all he has had time for so far is a few short
telephone conversations with you.

The Problems
Sudha Patel: Chief Scientist, Research Unit
The chief scientist of the research unit, Sudha Patel, is the founder of
PharmUniverse. She played the major role in the discovery of the company's blood
clot prevention drug and led the company during its early stages.
When venture capitalists funded the company, they insisted that an experienced
CEO with business know-how be hired and that Sudha be moved to a position in
which her talents could be used.
She epitomises the spirit of innovation within the company and, to date, has more
than 10 patents to her credit. Highly respected as a scientist by the rest of the
scientific staff, she is viewed by many within the research unit as the real leader.
Sudha is extremely knowledgeable about networking and application
development, to the point that network operations staff members have sometimes
turned to her for help with difficult operational issues.
At the same time, she knows little about information security, although she is not at
all opposed to the idea of it.

The Problems
Although your impressions of the adequacy of PharmUniverse's security controls
are based on limited observations, it does not appear that the current controls in
place are adequate.
You have learned that vulnerability analysis and penetration testing have, in the
past, been performed only before audits were to be conducted.
When you asked the executive council members about the company's information
security policy and standards, they were unaware that both existed. Later, you
found that these documents (which were far from being complete) existed, but had
not been widely distributed.
Your conversations with the C-level officers have given you a good idea concerning
an information security framework to guide your governance efforts, and both the
CEO and CIO liked your framework document and signed off on it a week ago.

Your Role
You are the chief information security officer (CISO) of PharmUniverse, an international
pharmaceutical company with 1,500 employees.
You report to the chief information officer (CIO), who reports to the chief executive officer
(CEO).
You have been on this job for only two months.
The Information Security Department consists of a staff of three full-time information
security professionals and an administrative assistant to support you. Two staff members
are in Boston with you.

You have:
12 years of experience as an information security manager (three of which as a CISO)
Four years of experience in the pharmaceutical industry
An undergraduate degree in business, and have taken many professional courses in a
variety of IT, management and business-related areas
Earned your Certified Information Security Manager (CISM) certification three years ago

Your Tasks
You need to develop a desired state of the information security practice that includes a
set of information security characteristics/attributes in connection with the business needs
and action plan that you are creating.
You must select 10 information security attributes for PharmUniverse.
Provide a clear and complete rationale for each security attribute. The rationale must
include a discussion of the pros and cons associated with each. For example, suppose you
choose level 3 (Established Process) for security risk management as a security attribute.
Your goal is to have:
An enterprisewide information security policy that is signed off by senior
management, documented and widely distributed and a defined security awareness
programme
A training effort that systematically reaches all employees who have access to
computers, but is tailored to the needs of each major group of employees
Orderly change control processes in place for risk management so that, for example,
whatever changes are made to the information security policy are systematic and
documented

Your Tasks
You must base security attributes on one or a combination of these: COBIT 5, ISO/IEC
15504, Six Sigma Quality Indicators, US National Institute of Standards and
Technology [NIST] Special Publication [SP] 800-053.
Incorporate these into your information security action plan.

Your Tasks: The Pros
You need to list pros and cons in the exemplary case at hand.

Pros include (but are not limited to):


Increased effectiveness of the security policy as a control solution because
widespread distribution of it increases the likelihood of employees becoming
familiar with it and adhering to its provisions
A security policy that is kept in alignment with PharmUniverse's risk profile
A security and training programme that provides increased return on investment
(ROI) because training is adapted to the needs of specific groups and the risk profile
that applies to them

Your Tasks: The Cons
Cons include (but are not limited to):
Financial costs
Lack of available resources to perform tasks (analysing and rewriting policy
provisions, creating and delivering tailored training programmes, etc.) that are likely
to require months to perform
The likelihood of employee resistance to change, especially amongst scientists if
they are required to complete information security awareness sessions and change
procedures

Notes
PharmUniverse's existence and success revolves around intellectual property (IP).

If its IP ends up in the hands of competitors, the future of this company will not be
bright. Impact assessments may be the most useful to communicate potential
compromise.

PharmUniverse's information security practice needs to develop an information-centric
security framework in which risk related to the creation, handling and storage of IP, and
cost-effective risk mitigation measures (controls), are the major focus.

The lack of understanding of security is a problem and creates the need to educate
management and staff and increase overall security support and awareness.

It might be a good idea to prioritise possible solutions in terms of probability, impact
and cost, and to pursue quick wins as an effective strategy to win over skeptical
management.

Discussion Questions
1. What are the most important business issues and goals for
PharmUniverse?
2. What are the managerial, organisational and technological issues and
resources related to this case?
3. What role do different decision makers play in the overall planning,
implementing and managing of the information technology/security
applications?
4. What are some of the emerging IT security technologies that should be
considered in solving the problem related to the case?
5. How can the chief information security officer (CISO) in this scenario
most effectively communicate the risk to senior management?
6. Which model (e.g., Process Capability Model), framework (e.g., COBIT)
or standards (e.g., ISO/IEC 15504) is most likely to fit in with
PharmUniverse's culture and operations?
7. What kinds of control strategies are most central to securing critical
data?

Questions for assignment: 4, 5 and 7
