There is no doubt that social media has penetrated the daily lives of billions of people. According to Statista, the number of monthly users of social media is slated to reach 3.02 billion people by 2021, which is around one-third of the world’s population. With social media becoming second nature to so many people in every corner of the world, the risk associated with its use is staggering.
We are online all the time creating a permanent archive of ourselves and our families. For many people, our personal posts spread into our professional lives as well. This has gotten us into the current state we’re in. Can we separate our personal selves from our business selves online? Will that post affect me professionally? Will the post affect the company I work for? All these questions are being played out online on a daily basis.
Understanding that social media is fluid and can change in an instant is a fact often overlooked by corporations. Keeping the lid on news or scandals, true or not, is difficult to manage. Some companies find themselves in social media scandals not of their own making.
Let’s go back to August 2017 and the “Unite the Right” rally in Charlottesville, Virginia. Violence erupted during the rally when protesters and counter-protesters clashed. Hundreds of photos were taken and posted online by the media, protestors and onlookers.
In many of the photos, protesters were seen carrying TIKI torches. When was the last time you saw a TIKI torch? According to the company’s website, “A yard illuminated by TIKI torches quickly came to symbolize the ultimate backyard gathering.” And now TIKI was catapulted into the public eye in a way that nowhere near symbolized the backyard gathering they envisaged. The riots forced TIKI to make public announcements on their website and social platforms denouncing the way their products were used in this circumstance.
As of July of this year, TIKI has only tweeted 443 times and has a scant 820 followers since they put up their Twitter profile in 2009 – hardly a robust Twitter following. But tweet they did once their products were seen associated with violence. The tweet relating to the riots has since been removed from their Twitter feed.
Many organizations’ social media policies remain vague with only skeletal guidelines on overall usage. Endless stories of turf wars on who controls social media along with a lack of general understanding of what can go wrong are pervasive organizational issues. For the most part, policies focus on the marketing aspects of social media rather than potential risk.
Now let’s toss a bit of social engineering into this mix. Social engineering is widely used by cybercriminals to gather data and figure out the best way to infiltrate an organization. They will scan the social profiles of staff, research the social profiles of the organization and evaluate the effectiveness and frequency of responses. Then they will launch their attack. An overwhelming amount of malware and ransomware attacks use social engineering to send believable phishing links to unsuspecting individuals.
The session I will give on social media risk at the GRC Conference next month in Nashville, Tennessee, USA, isn’t a story about how far we’ve come; it’s about the rapid pace by which we got here. It’s about the massive amount of information that can be mined about individuals, the places they work and the opportunities that become available to cybercriminals as a result. Understanding the inherent risks of social media is the first step in mitigating the dangers that may arise from its use.

Category: Risk Management Published: 7/16/2018 3:00 PM
Editor’s note: Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, will give the closing keynote address at the GRC Conference 2018, to take place 13-15 August in Nashville, Tennessee, USA. Williams recently visited with ISACA Now to discuss how enterprises can spark more innovation, the concept of disruptive hypotheses and more. The following is a transcript of the interview, edited for length and clarity:
ISACA Now: How, if at all, is entrepreneurship different from what it was 10 years ago?
In the past 10 years, the public perception of “entrepreneurship” has shifted toward “disruptive entrepreneurship,” which is about trying completely new products and business models that haven't been tried before. Instead of staying small, disruptive entrepreneurship is focused on high-growth businesses.
We often contrast small business entrepreneurs as sort of “incremental” entrepreneurs; they're incrementally improving business models that have already been established. So, someone who wants to open a shoe store might take their own incremental spin on it, but that's pretty much what it is. Disruptive entrepreneurship is a different form of entrepreneurship and it requires a completely different skill set. As a result, it requires a different approach to education.
Ten years ago, this approach was very much focused on the business plan: this long, elaborate document with all these sorts of financial projections. There was emphasis on getting the plan right. There was little emphasis on prototyping and experimenting. That has been a significant shift in the last 10 years. What we’re really educating entrepreneurs on today is far less about writing a business plan and far more about putting that focus, time, and energy into trying out your idea.
ISACA Now: What are some of the most common missteps made by people who are starting their first business?
I think the biggest misstep or mistake is that people are focused on finding problems to solve. We’re obsessed (in America in particular) with problem-solving. We almost use “problem-solving” as a label for thinking. The problem with problems is they’re seductively clear. They’re screaming for your attention, which typically means that problems are all that are getting anyone's attention.
The richest areas for innovation are found in the seemingly unbroken aspects of the situation you're focused on, precisely because nobody else is looking at these things. Because nothing appears to be wrong, or because it’s not broken enough to be really a problem, that doesn't mean that there’s not an opportunity there.
Often, an adequate idea blocks the emergence of a better idea. Because something is adequate, people don’t feel the need really to look at an alternative way of delivering their model. If it’s not broken, they don’t see the need to spend the time and attention to fix it.
ISACA Now: What type of management style most lends itself to fostering innovative thinking among employees?
What I’m going to talk about at the conference is the difference between sustaining leadership and disruptive leadership.
Sustaining leadership means incrementally improving what you’re currently doing. It’s all about maintaining the continuity of the current business.
Building options for the organization’s future is about managers introducing prolific discontinuity into the business – not waiting for disruption to happen, but rather being proactive. You've got to disrupt yourselves.
There are a lot of managers running around saying they value innovation. Where I find the disconnect most readily occurs is in the metrics; most managers find they’re rewarding the status quo, basically incentivizing people to keep the existing system of continuity. They have to fix that disconnect and figure out how to actually start rewarding effort rather than result.
ISACA Now: Which themes from Disrupt: Think the Unthinkable to Spark Transformation in Your Business tend to surprise people the most? What kind of feedback have you heard that are kind of new, a-ha moments for people?
There’s a tool called “disruptive hypothesis.” With a regular hypothesis, we make a reasonable prediction of what we can do, and then we test that prediction. An example: if your phone wasn't working, you would predict that the battery was flat, so you'd charge your phone. If your phone starts working, your hypothesis was correct; if it doesn't, you need to formulate another hypothesis.
That’s OK for sustaining leadership. If you want to start growing through innovation, you have to get out of the habit of making reasonable predictions and into the habit of making unreasonable provocations.
So, you might start thinking, “Well, why does a phone even need a battery?” The difference is profound. The point of a “disruptive hypothesis” is to give yourself deliberate permission to be wrong and try to create a new idea.
If you’re in a brainstorm session and everyone’s nodding and going “Yeah! Great idea! We can implement that tomorrow!” it means it’s incremental; one of your competitors is already doing it or will be soon. A disruptive hypothesis is an intentionally unreasonable statement that gets everyone’s thinking flying in a different direction.
Another takeaway from the book, I talk about the “cult of personality” problem with innovation. It forms out of celebrity CEOs – Steve Jobs, Jeff Bezos, and Elon Musk – and reminds us that they’re role models of innovation. It’s all about their personalities, and it’s not productive. It’s not about actually creating new products and services. For all of us as innovators, our most important job is to educate and create more innovators. We need to treat innovation as a skill. This isn’t about asking them to change their personality.
I often use the metaphor of cooking; there’s a cooking show on every channel. Weirdly, we have a problem teaching people to cook, because it’s nothing more than, “We show you how to take the ingredients and arrange them into a meal.” It’s the same with innovation. Those recipes are ideas, and those recipes (your ideas) make the ingredients (your resources) more valuable. The cooking metaphor is powerful for people because this isn’t about inventing anything new; it’s just rearranging things we already have.

Category: ISACA Published: 7/13/2018 3:09 PM
It is an amazing time to be alive for many reasons, one of which is the ability to communicate almost seamlessly and securely with people from all over the world. Technology allows us to connect with individuals with whom we most likely never would have before.
Remote communication was the initial goal; however, as the internet evolved, so did the risk of sending and receiving unaltered, accurate and complete data remotely. With the Transport Layer Security (TLS) protocol, secure remote communication and data transmission between businesses and individuals is possible.
The objective of TLS is to provide confidentiality and integrity of data between multiple applications based on a set of communication rules. However, this ability does not come without risk. The ultimate goal is the confidentiality, integrity and availability of data in transit. How do we ensure the data is only accessible to the authorized recipient and that it is accurate, complete and available when needed? Message authentication, non-repudiation, and integrity checks are functions performed to achieve the overall goal. Because of the ever-present threat posed by individuals seeking to steal and/or modify messages in transit, the TLS protocol continues to evolve, which requires security professionals and developers to be informed on revisions and make necessary modifications to their infrastructure.
The TLS protocol is built on Public Key Infrastructure (PKI) technology. This technology is used to create and manage both the public keys and digital certificates needed to ensure the privacy, authenticity and accessibility of transmitted information. This process is triggered by a function known as the handshake, the initial communication between the two parties, the client and the server. This is when the keys are initiated and the digital certificate is validated to allow for secure communication. There are challenges associated with this process, one of which is establishing trust in the certificate, and the other is relying on and communicating with a website that may not have been properly implemented, configured and patched, which could lead to all types of inefficiencies and vulnerabilities.
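As an added illustration of the two handshake concerns above (trust in the certificate, and keeping up with protocol revisions), the following Python sketch, which is not from the original post, audits a client-side `ssl.SSLContext` before it is used. The function names, the finding labels and the TLS 1.2 policy floor are assumptions made for the example.

```python
import ssl

# Assumed policy floor for this example; set it to your organization's standard.
POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def build_weak_client_context() -> ssl.SSLContext:
    """The 'before': a client context with the handshake's trust checks disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # the server certificate chain is never validated
    # Accept the oldest protocol version the local TLS library still supports.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def build_hardened_client_context() -> ssl.SSLContext:
    """The 'after': certificate and hostname verification on, old protocols refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = POLICY_MIN_VERSION
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings (labels are hypothetical) for a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without chain validation, any certificate is trusted.
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        # A valid certificate issued for a different site would be accepted.
        findings.append("hostname-not-checked")
    if ctx.minimum_version < POLICY_MIN_VERSION:
        # The peer may negotiate a protocol revision below the policy floor.
        findings.append("legacy-protocol-allowed")
    return findings


if __name__ == "__main__":
    for name, builder in (("weak", build_weak_client_context),
                          ("hardened", build_hardened_client_context)):
        print(name, audit_client_context(builder()))
```

The same audit function can be run in a unit test or at service start-up against whatever context the application actually builds, so a disabled check is caught before any connection is made.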
While the risks and challenges associated with this technology may be difficult, it is obviously much easier to address them internally within the enterprise as opposed to them existing externally, which is next to impossible to address. Therefore, enterprises should focus on how best to implement and properly maintain the technology and how it fits into the overall information security program, which starts with a look at the information security policy and procedures of the organization as well as the risk management process. The TLS protocol is an acceptable approach to implementing tools and techniques to mitigate the risk associated with data transmission. However, a holistic approach to information security that will include safeguards to protect data at rest should be taken.
Each tool, technique, and process should work cohesively to protect the enterprise’s information assets because there is no silver bullet. There is no one technology that will mitigate all risks and address all challenges. Therefore, it is a matter of choosing the best tool for the organization and ensuring there are trained individuals in place to install and maintain such complex tools.

Category: Security Published: 7/12/2018 3:02 PM
Recognition of service and of outstanding achievements has long been an ISACA tradition, and it has been my pleasure to volunteer on the ISACA Awards Working Group, which was charged with enhancing the prestige and increasing global participation in the ISACA Awards Program. We have made great progress over the last couple of years in creating a peer recognition program, soliciting nominations from our membership and inviting distinguished colleagues to fairly peer-review the nominations, identifying the “best of the best” among a rather elite professional community.
Our 2018 class of recipients lived up to that reputation, and we celebrated their accomplishments during the awards presentation at EuroCACS in Edinburgh, Scotland in May. Terry Grafenstine, 2017-18 ISACA board chair, presented each recipient with his or her award after the audience viewed a short video on the importance of recognition activities and how we can inspire future generations.
Recipients celebrate on stage and with their families and colleagues.
Jack Freund, recipient of the ISACA John W. Lainhart IV Common Body of Knowledge Award, brought his wife and 10-year-old daughter (and possible future ISACA member if her lawyer/racecar driver/veterinarian career falls through) to celebrate with him. Jack has been instrumental in developing the CRISC certification and maintaining the quality of the exam content.
Upon learning of his award selection, Mark Thomas, a top-rated speaker at many ISACA meetings and recipient of the ISACA John Kuyers Award for Best Speaker, said, “I am honored to receive this award, and appreciate all that ISACA does for our professional community.” This is a common remark from our humble honorees, who dedicate so much of their time, energy, expertise and passion toward advancing ISACA’s purpose and promise.
2018 ISACA Global Achievement Recipients pose with 2017-18 ISACA Chair Terry Grafenstine.
CISM and CRISC Exam Top Scorers pose with 2017-18 ISACA Board Chair Terry Grafenstine.
We are inspired by Gail Coury, recipient of the ISACA Chair’s Award for her dedication to advancing women in technology and supporting ISACA’s philanthropic initiatives, and Nikesh Dubey, an active author and reviewer for the ISACA Journal. We appreciate the knowledge shared by Ahmet Efe in his outstanding articles about COBIT, and we value the leadership Christian Palomino has provided in the CGEIT and CISM working groups. Additionally, our Certification Exam Top Scorers outdid themselves with seven honorees this year for our five certifications: CISA (tie), CISM, CRISC, CGEIT and CSX Practitioner (tie).
To meet these outstanding ISACA contributors during the awards presentation was truly my honor, and now I’m eager to help select the 2019 award recipients. But the Awards Working Group and I can’t do it without your help!
The 2019 ISACA Awards call for nominations is now open, and I ask each ISACA member to think about the incredible articles and speakers you have learned from and the volunteer leaders you have met throughout your ISACA journey. ISACA needs you to nominate them so we can publicly recognize their contributions. Our Global Achievement Awards and our Chapter Awards nominations close 15 August and will be presented in 2019.
To learn more about the ISACA Awards Program and to submit a nomination, visit our webpage.
To learn more about the 2018 ISACA Award recipients, download the 2018 Awards Booklet.

Category: ISACA Published: 7/10/2018 2:59 PM
Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.
Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.
In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.
If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.
I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.
Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.
I used the following study materials:
The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.
This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.
Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:
After the exam preparation, you should have a strong understanding of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don’t have enough experience, you may contact other professionals and experts in your organization or in your professional community.
Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management, contained in CISM Review Manual.
During the exam:
After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.
I hope some of these tips are helpful on your path toward certification. Good luck!

Category: Certification Published: 7/9/2018 3:12 PM
The deep web and darknet comprise a sort of parallel world compared to the public internet we’re used to.
Deep web: Part of the web that has not yet been indexed by common search engines.
Darknet: A set of publicly accessible content hosted on websites whose IP addresses are hidden but which anyone can access as long as they know the address; also, a set of private content exchanged in a closed network of computers for file sharing.
While the deep web is only getting bigger – it is the largest growing category of new information on the internet – the darknet isn’t particularly vast and it’s not even particularly secret. In fact, the darknet is a collection of websites that are publicly visible yet hide the IP addresses of the servers that run them. That means anyone can visit a darknet site, but it can be very difficult to figure out where they’re hosted—or by whom.
When news sites mistakenly describe the darknet as accounting for 90% of the internet, they’re confusing it with the so-called deep web, the collection of all sites on the web that aren’t reachable by a search engine. Those unindexed sites do include the darknet, but they also include much more mundane content like registration-required web forums and dynamically created pages like your Gmail account—hardly the scandalous stuff 60 Minutes might have in mind. The actual darknet, by contrast, likely accounts for less than .01% of the web.
"I bought a gun on the web"
The ability to anonymously access content makes the deep web very attractive for criminals. Networks that provide anonymity, such as Tor, represent a valuable instrument for cyber criminals to create and participate in online exchanges for any kind of illegal goods, including weapons, drugs and malware. Black markets for stolen credit card numbers and hacking services also are available on the deep web, where it can be easier to hide from law enforcement agencies.
Buying weapons, false passports and other illegal items on the darknet is easier every day and can generally be done in a few minutes. For every 5,000 people connected, there is a user who is navigating on the darknet and doing something illegal, all thanks to Tor, Tails and other navigation systems that are easy to use and downloadable for anyone. After installing the software, the doors of the internet armory will magically open. Therefore, it becomes less complicated to get a new identity with a passport or a false driver’s license, to buy drugs or to exchange child pornography.
The domain suffix “.onion” implicitly explains the operation of the darknet: a system in which the different “layers” of the onion represent the various servers all over the world on which the sites of illegal goods rest for a few seconds, practically not traceable, because the connection jumps from a virtual place to another without the knowledge of the same users who host the illegal bytes. And, so, browsing hidden Wiki or Silk Road, we come across EuroGuns, where, after you have registered with any account, even a fake one, you can put your hands on semiautomatic weapons and guns used for war. Other users may take a ride on UKPassport, where by uploading a photo you can buy a working passport for about £1,000 or browse forums that terrorists use to meet.
On EuroGuns, a more economical gun is a 7.65-caliber that costs €600, which most of the time can be paid in bitcoin. The weapon arrives in pieces, each shipped with different carriers and through a chain of people who only know the previous sender, finally arriving to the final purchaser, who only has to re-assemble the parts. The only way to be discovered is by talking of the bargain: in this way, a young Roman was arrested after he boasted of the undertaking on YouTube, with selfies taken of himself with new guns and bullets.
The darknet is browsed mainly at night, especially by young people between the ages of 12 and 24. Around 90% of ".onion" domains are illegal, with 60-80% related to pornography and child pornography.
The culture of the darknet is perhaps best represented in the forums, where the language used is that of hackers and characterized by the use of many non-alphabetic characters and impolite terminologies. After a few weeks of apprenticeship, the use of the right terms and the acquisition of a certain reputation within the forum – which takes all countermeasures to protect itself against the presence of newcomers or infiltrated law enforcers – the more accredited users request the links to the illegal sites where forbidden products or services can be found. Terrorist organizations have their own forums, where they trade, exchange and buy special software and high-tech equipment.
For the police forces of the world, the only way to intervene is by infiltrating inside the web, trying to acquire the confidence of criminals and to arrange meetings outside the net – a method that has not yet brought significant results. One law enforcement success was the identification of Ross Ulbricht, creator of the portal of the illegal black market named “Silk Road,” arrested in 2013 by the FBI. But the site was restored shortly after and is a virtual cancer that spreads: for one deleted file, thousands duplicate and multiply.
Still, the darknet is no longer the safe place many criminals envision. In the US, the Department of Justice has announced the results of a big operation against the darknet, which has led to 35 arrests and the seizure of weapons, drugs and about $26 million. The operation lasted a year and included the involvement and collaboration of several entities that worked together to combat this growing and serious threat.
Editor’s note: For more insights on the topic, download ISACA’s darknet tech brief.

Category: Security Published: 7/5/2018 3:00 PM
There is nothing quite like the birth of a child to redirect our thinking from our daily patterns and prompt us to consider the big-picture view of where our world is heading.
I recently was blessed to become a grandfather for the first time as we joyfully welcomed a beautiful little girl to our family. While the immediate aftermath of her arrival is exciting in its own right, I am especially intrigued by the long-view for my new granddaughter and all of the other children who are being born into what many are terming Generation Alpha.
What will my granddaughter’s life look like in an era when technological advancements will create new opportunities that are impossible for us to fathom? Will her favorite middle school teacher be a human being or an intelligent machine? If she decides to play soccer in high school, will her matches be officiated by referees like me, or by more advanced and precise video refereeing and goal-line technology? On her 21st birthday in 2039, will she be summoning a driver-less vehicle to take her home safely after sipping her first margarita? Will her wedding planner be a robot? As she embarks upon her professional path, which career fields will be available to her, and what modalities will she be using to acquire the necessary education, training and practical experience needed to position her for success?
It is fun to let our imaginations run wild in envisioning the future, and there are many tantalizing possibilities to ponder. The reality, however, is that our likelihood of correctly predicting which technologies will reshape society 10, 25, or 50 years into the future is slim, at best. That said, we do know that the pace of technology-driven change is only going to accelerate. Those with the innovation bug are “standing on the shoulders of giants,” building upon the advancements that we are adopting today. ISACA has always evangelized the importance of good technology and information governance, but the importance of this governance today is not only about effectiveness and efficiency, nor is it only about enhancing organizational business performance and enabling business outcomes. Governance will evolve to consider boundaries for innovation and assurance of social and ethical responsibility. And this means responsible governance for technology and information will become even more pronounced – and perhaps just a given – during the course of my granddaughter’s lifetime.
As future innovations stream to market – presenting new opportunities in both our personal and professional lives – we must apply and assure the appropriate safeguards and controls to guard against the risks of unintended consequences. The disciplined approach to governance will not take stronger root unless we prioritize digital ethics and social responsibility. Today, these concepts are generally not top of mind, as the race to embrace disruptive technologies, and to meet the challenges of digital transformation through business model innovation, take precedence, resulting in products rushed to market without appropriate consideration given to security and privacy. This is problematic enough today, as evidenced by the increasing number of data breaches and cyberattacks we have experienced. In the years to come, be aware of the dark clouds overhead when malicious uses of artificial intelligence and new developments such as quantum computing become forces with which society will have to reckon. Just as my granddaughter must learn to crawl before she can walk, and walk before she can run, enterprises must train themselves to take responsible, security-minded measures on the path from ideation to launching new products.
Appeasing shareholders with a few strong quarters of growth, or even a few strong years, is nice, but the path to sustainable enterprise success will depend upon treating consumers with genuine concern for their well-being – and for society’s as well. An enterprise failing to take good-faith measures to look out for its customers will ultimately be subject to a profound backlash from the public, as many of the biggest names on the enterprise landscape have already discovered. As the risk-reward continuum for deploying new technologies becomes more pronounced at both ends of the spectrum, enterprises will need expanded training and ingrained protocols that give digital ethics and social responsibility sharpened emphasis in a new era of technological potency.
At ISACA, we are building up to our 50th anniversary year in 2019, which gives us cause to reflect upon the momentous, technology-driven strides our professional community has helped set in motion since the organization was founded in 1969. It is even more stirring to consider what ISACA’s impact will be over the next 50 years, as the global technology workforce serves as an even more transformative engine to propel society forward.
There is no doubt that technology advancements will enrich the lives of my granddaughter and her generation, providing incredible experiences and accomplishments that will go well beyond what is available to her parents’ generation (we are already way past mine!). As promising as this may be, I want my granddaughter to live in a society that not only prioritizes the positive potential of new technologies, but also takes into account its impact on individuals and society. Imagine this: a generation that maximizes all the gifts technology has to offer by exercising due diligence and regard for the welfare of those around them. Some may think this is a lot to ask, and perhaps a grandfather dreaming; I choose to think otherwise, remaining optimistic that it is simply the way it will be.
Editor’s note: This post originally published on CSO.Category: ISACA Published: 7/3/2018 3:02 PM
This week, in my home state of California, the state legislature passed, and the governor signed, AB 375, officially known as the California Consumer Privacy Act of 2018. The legislation will take effect January 1, 2020. The good news for privacy professionals is that this bill resembles in many ways the European Union’s General Data Protection Regulation (GDPR). Much of the same data classification, business logic, and tracking of consent and preferences developed to comply with the GDPR should translate to this California law.
However, there are some key differences, which I will highlight below.
A little background and a race against time
While work on AB 375 began in February 2017, its passage yesterday is a direct response to current events. The legislation lists as one of its raisons d’être the recently disclosed actions of Cambridge Analytica, and a ballot measure, the “California Consumer Privacy Act,” that was designed to push the bill along. The measure had overwhelming popular support, and June 28 was the last day that the measure could be pulled from the ballot.
With the passage of AB 375, Alastair Mactaggart, chairman of Californians for Consumer Privacy and the major force behind the ballot measure, announced that the measure would be pulled, as was previously promised if the bill passed. The bill and the ballot measure were very similar, but by passing the bill, the California Legislature preserved its right to amend the law going forward and limited consumers’ rights of redress to breaches as opposed to all violations.
Taking GDPR a few steps further
There are several key differences between AB 375 and GDPR. The major ones are the right for consumers to sell their personal information (and, by explicit reference in section 1798.125 (b), the right for a business to offer incentives to consumers to allow their information to be collected and sold) and, under section 1798.115, the right for consumers to direct a business that sells their information to disclose: a) what they are collecting; b) what they are selling; and c) what they are transferring for other business uses.
The right to offer incentives is a huge leap forward in that it allows firms to offer something (not necessarily money) in exchange for the resale of a consumer’s personal data, but it also establishes ownership rights in a whole new way. It’s one thing to control the use of one’s data; it’s still another to allow it only with compensation. It will be very interesting to see the market (consumers and data collectors) set the price. How much is your information worth?
California rightly excludes, under section 1798.145, the obligations where none of the covered activities take place in California and do not involve individuals who are in California at the time of data collection.
As an information security professional, I have always used California (SB 1386), Massachusetts (201 CMR 17.00), Nevada (N.R.S. § 603A.010) and Texas (Texas Medical Records Privacy Act) as my state regulatory privacy proxies. I will immediately add AB 375 to that list and predict that the consumer backlash to the events and disclosures of 2016-2018 will cause other states to pick up where California has left off.
Author’s note: Bill Bonney is a security evangelist, author and consultant, and formerly Vice President and Chief Strategist at encryption software maker FHOOSH. Before FHOOSH, Bonney held numerous senior information security roles in industries including financial services, software and manufacturing. Bonney holds patents in data protection and classification, is an advisor to technology incubator CyberTECH, and is on the San Diego CISO Roundtable board of directors. He holds a Bachelor of Science degree in Computer Science and Applied Mathematics from Albany University.
Category: Privacy Published: 6/29/2018 4:04 PM
Automation is the biggest driving factor for change in most modern industries. By 2030, it’s estimated that automation could fully replace more than 800 million jobs, and in the meantime, automation is changing how we work, how we plan our businesses, and how we engage with others.
The main appeal of automation is cost reduction; if you can pay $500 a month to have a machine do what a salaried individual making $3,000 a month was doing, you can easily save $2,500 a month ($30,000 a year). And thanks to general advancements in technology, apps like automated payment platforms, automated marketing software, and even automated trading software are becoming more available and more affordable for small- to mid-sized businesses.
But with the rise in automation, there will be new security threats, and conversely, some security advantages, to watch for.
First, let’s talk about some of the biggest advantages you’ll see when adopting more automation:
But what vulnerabilities could automation hold for your enterprise?
Automation won’t ruin your plans for system security, nor is it a catch-all solution to improve your security standards. If you want to be an effective cybersecurity or IT professional, you need to learn the key strengths and weaknesses that automation brings to the table and learn how to adapt your strategies accordingly.
Only through understanding and integration will you be able to make the most of your new systems and compensate for their flaws.
Editor’s note: For more insights on the impact of automation, listen to this month’s ISACA 50th Anniversary series podcast.
Category: Security Published: 7/2/2018 3:02 PM
In our recent Journal article about merging internal audit departments, we discussed a practical approach to taking a skills inventory and then using that skills inventory as one of the primary inputs in making staffing decisions following a merger or acquisition.
In taking a skills inventory, however, it is important for audit management to not overlook critical skills that do not often show up on an auditor’s resume. Many of these can be just as important to the overall success of the department as subject matter expertise and technical skills.
The audit manager should understand which people on his or her team fill these vital, often unofficial roles. For example, who is comfortable talking with external stakeholders? Who can deliver bad news? Who is good at writing and editing and making reports look good? Who loves teaching and coaching? Who has a knack for networking and connecting people? Who champions team building, employee morale and recognition?
For most of us, the idea that personality, communication and compatibility (i.e., teamwork) play as important a role in team success as skill and expertise is old knowledge. But what is less clear is how many audit managers have gone through the process of defining what their critical “soft” roles are clearly enough to be able to ensure those roles remain filled.
What would you add to this list? What are those unofficial/undefined roles that are critical to the success of your organization?
Read Kevin Alvero, Randy Pierson and Wade Cassels’ recent Journal article:
“Merging Internal Audit Departments,” ISACA Journal, volume 3, 2018.
The Internet of Things (IoT) has positively exploded into our daily lives. We see IoT devices everywhere, from our workplace to our homes. It is inevitable that a new technology will become ubiquitous after it hits the headlines, and thanks to the IoT, many have done just that, repeatedly, even if the headlines aren’t always positive.
For instance, my daughter had an IoT toy that experienced a similar furor—a beloved doll called “My Friend Cayla.” My daughter would ask the doll a question, which was then sent to an app that converted it to text. The text was then used to look the answer up online before returning the answer to the doll, and Cayla would then speak the answer back to my daughter. That’s cute and exciting for a toy, but for a privacy expert, it was a bit creepy. In fact, German regulators agreed on the last sentiment and were concerned. They saw “My Friend Cayla” more as “My Spy Cayla,” and banned the doll on the grounds that it was a surveillance device. Negative headlines, indeed; and in fact, the IoT has been disparaged more than once for worries over surveillance and tracking, thanks to Cayla and other devices like the Amazon Echo.
But look at the bright side: it can also be technology used for good. IoT wearables have saved lives, including the life of a 42-year-old patient at the Lady of Lourdes Medical Center who had been admitted with a heart arrhythmia. At the time, doctors had two courses of action, each dependent on knowing how long the arrhythmia had been occurring. With permission, they accessed the patient’s Fitbit and were able to ascertain the facts they needed to give him life-saving treatment. Beneficial IoT tech doesn’t even have to be worn; these days, you can even get a "smart mattress" that collects data on your sleeping patterns and helps improve your overall state of health.
To make the most of what can be empowering technology, IoT devices must be optimized to do their job while not exposing personal data, as they generate a generous amount of it. They are also, generally, custodians of other Personally Identifiable Information (PII), such as name, address, passwords and even your physical location. In the case of the man saved by his Fitbit, his wife gave consent to the doctors at that time to use the information created by the device, but what should or could be done if a location-enabled IoT device was utilized criminally to stalk someone?
With the following tips, you can help to keep the risk of leaked or stolen information to a minimum.
Five Tips to Keep You and Your IoT Device Safe
Tip #1: Buy Your IoT Device from a Known Supplier
Tip #2: Secure Your Wi-Fi
Our homes are now becoming the hub of IoT devices. The “smart-home” is no longer science fiction but attainable for many people able to purchase devices such as the Nest, Ring Doorbell, and Amazon Echo that are easily available. To keep your smart home secure, you need to keep your home router secure. One of the main security issues of routers is that many come with default passwords. These passwords are often guessable, or brute forced by hackers. Change your router password to be complex as soon as you set up the router.
Tip #3: Keep your IoT Device Up to Date
The WannaCry ransomware cyberattack was a stark reminder that software updates are not a luxury, but a vital necessity. Applying patches to computer software is just good, standard security practice, and this is no less true of IoT devices. Unfortunately, research by Ubuntu found that 40% of consumers never actively update their smart device. If you can directly update your IoT device firmware, you should. If not, look to see how those devices are automatically updated, and if they are not, consider not using them.
Tip #4: Keep Your Mobile Secure Too
Mobile apps and IoT devices often go together - the IoT sensors transfer data back to the app so it can be visualized by the human operator. Keeping your mobile phone secure by ensuring that the latest updates are installed helps keep your IoT-generated data safe. Also, make sure that the app you use with an IoT device is downloaded from a safe site, such as the manufacturer’s website or a legitimate app store. When you install the mobile app, check out the settings and ensure privacy permissions reflect your comfort level, including the configuration of the location services.
Tip #5: Device Stock Check
IoT devices are meant to connect to one another. In a home setting, for example, you can use Alexa to switch IoT light bulbs on and off, or open and close curtains, and so on. As such, you could potentially end up with several individual IoT devices linked together, so keeping an IoT device inventory would be smart. A tool like Cujo could help, as it keeps track of all devices connected to the internet, so you know what you need to secure, allowing you to then more easily control any situation. Keeping track of how your devices are operating will let you have an early view of unauthorized access.
Editor's Note: Avani will be speaking on a panel in the session “Increasing Trust in the IoT Through Auditing” at the upcoming GRC Conference 2018 in Nashville, Tennessee, USA.
Category: Security Published: 6/25/2018 3:08 PM
The IT department has risen to prominence as one of the more integral components of successful, modernized organizations. However, in the midst of this growth, IT has also become increasingly expensive for many of these companies. Discovering what it looks like to manage a cost-effective IT department could be the difference between running a profitable business and straining to make ends meet.
Three Highly Effective Ways to Lower IT Expenses
According to an article coauthored by consultant Kevin Coyne in Harvard Business Review, there are two key points to keep in mind whenever you pursue cost savings, regardless of the organization or department.
“First, forget about finding a single idea that would radically change the cost structure of your organization or department, thereby solving your problem in one go,” Coyne writes. “(If such an idea existed, it would most likely entail so much risk that the organization would never be willing to implement it.)”
Instead, Coyne suggests reaching your goal through a combination of at least 10 different actions. Additionally, he notes that the degree of organizational disruption caused by the cost-cutting will typically be proportional to the degree of reduction that’s done. Incremental actions may reduce costs by 5 or 10 percent, whereas serious restructuring may be able to lower costs by 25 percent or more.
Assuming that you aren’t looking to slash your IT expenses by 25 or 50 percent, here are some incremental steps you can take to quickly and effectively lower costs.
Don’t compromise on security
While there’s a time and place for lowering costs and eliminating superfluous IT expenditures, don’t be shortsighted in compromising on security at the expense of a few dollars. It’s far better to invest in cybersecurity than it is to deal with a costly attack that damages your brand and costs exponentially more to correct.
It’s up to you to find the sweet spot, so to speak. You must discover the optimal amount to spend, without opening your company to risk or falling behind on the innovation curve. This will require constant tweaking and regular optimization – so stay dialed in!
Category: Security Published: 6/22/2018 2:59 PM
When faced with an obstacle, how do you take the first step? I have found it helps to follow the steps outlined in Lisa Avellan’s article “Five Simple Steps When You Don’t Know Where to Start”:
Today’s obstacles in business are typically around managing information security and the growing cyberthreats. As you are faced with security obstacles, these 5 steps can help:
When it comes to managing information security, I would add a sixth step to Avellan’s list: breathe and repeat. Repeated assessments and tests allow for continuous, targeted improvements that allow for optimal risk mitigation over the long term.
Read Tyler Hardison’s recent Journal article:
“Building a Strong Security Posture Begins With Assessment,” ISACA Journal, volume 3, 2018.
Editor’s note: P.W. Singer, strategist and senior fellow at the New America Foundation, will deliver the closing keynote address at ISACA’s 2018 CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA. Singer recently visited with ISACA Now to discuss pressing cybersecurity considerations that governments must grapple with, the multi-faceted impact of artificial intelligence and more. The following is a transcript of the interview, edited for length and clarity:
ISACA Now: What are the primary strategic considerations for governments today when it comes to protecting their people from cyberthreats?
The essential problem is that all the issues we've been dealing with the last 10 years – cybercrime, IP thefts, botnets, etc. – are still with us, but we also now have a series of new challenges to face. Governments, not just national, but state and local governments, have to understand the combination of how the internet is changing, and, in turn, the threat landscape. We are nearing the 50-year mark of internet history, an amazing moment when you consider the change, but it is also shifting. Once it was just an internet of people communicating, but it is also now one of “things” operating.
This, of course, brings enormous gains and efficiencies, but also massively grows the attack surface, as well as raises the consequences of attacks, shifting them to the physical realm. In turn, the internet has become one of web 2.0 via social media, where we all share information but also now spread and fight disinformation (what I call LikeWar). Add in the rise of issues like ransomware, hybrid threats from states and criminals, the blight of mega breaches, and it’s a daunting time. So, the key for governments is to ensure they are keeping pace with these shifts in internet use and threats.
ISACA Now: How do you envision malicious uses of AI reshaping the threat landscape in the coming years?
AI – and by that, I mean everything from machine learning to neural networks – will be used by bad actors in everything from developing malware to scoping out for vulnerabilities. But one area I think we really are not ready for is “deep fakes” created by AI. These hyper-realistic videos, that aren’t actually true, will be weaponized against people, companies and governments. We’ve already seen examples tested in labs, where you can create a video of a speech that someone never gave, to how actresses have been put in adult films they never appeared in. This is just the start, where AI will be used to attack our very perceptions and sense of reality, in a malicious manner.
ISACA Now: Which new or emerging technologies can be most useful to governments in bolstering their security capabilities?
AI! Every technology has both good and bad uses, by good and bad people. For instance, AI is the very means to detect emergent cyber threats, scope out new anomalies before they can cause harm, sift through vast amounts of noise. Indeed, the means to detect AI-created deep fakes is other AI that can hunt for their tells. As I explore in an upcoming book, this creates a strange new world where the AIs battle, with us humans in the middle as the target.
ISACA Now: What appealed to you about joining the New America Foundation?
It is an organization that tackles the questions of what happens when technology and policy come crashing together, so people there are always wrestling with fascinating and important questions. At a recent staff meeting, for instance, we had people who were working on topics as varied as how to help the U.S. Army with cybersecurity to aiding the Rhode Island state government on adoption policy reform.
The 7th annual IT Audit Benchmarking Survey shed light on several IT challenges that are at the top of the agenda for executive management and will have a direct impact on IT audit plans for many enterprises in 2018.
While the survey highlighted several key challenges, I will be drilling more in-depth into one key aspect, which is the co-sourcing of IT audit. Within the survey, it was noted that IT audit’s role has grown since 2012, in that half of all organizations now have a designated IT audit director. Such growth emphasizes the importance of the IT audit role. Given the current technological advancements, IT audit plans are required to be aligned and inclusive of the risks that accompany them. That not only requires a different set of skills that are needed in order to have value-added audit results, but also requires internal management to reconsider their IT audit plans.
Before applying a co-sourcing practice, management should assess its current internal IT audit skills in order to clearly understand what should be added by the co-sourced team and what can be covered by the internal department. In order to conduct such an assessment, management should have started to identify the technological areas for the upcoming IT audits during the early planning stages. Moreover, the internal audit department holds a better understanding regarding the scoped systems, infrastructure, and processes, whereas such details will require further time for the co-sourced team to grasp. Accordingly, audit deadlines should take this into account while preparing the plan in order to deliver valuable audit results.
Another point that should be taken into consideration prior to co-sourcing is the emphasis of knowledge-sharing by the co-sourced team to ensure that the skills of the internal team members have been elevated and enhanced by the co-sourced practice.
Management applies co-sourcing in order to leverage the business and technical exposure of the co-sourced individuals in the areas where the internal IT auditors lack it. Management should not utilize the co-sourcing practice to enforce a complete transformation of the internal audit to match the co-sourcing company. That said, management should always ensure that the company’s internal practices are applied and taken into consideration throughout the co-sourcing team’s deliverables and work.
Category: Audit-Assurance Published: 6/18/2018 3:02 PM
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.
It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regards to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.
The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.
As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).
Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.
Category: Certification Published: 6/19/2018 9:01 AM
The National Institute of Standards and Technology (NIST) Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity and commonly referred to as CSF, is top of mind for many organizations.
Whether driven by the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the need for a common framework between business partners or as a way to measure best practices, many organizations are considering adopting NIST’s framework as a key component of their cybersecurity strategy.
Initially designed by NIST to protect critical infrastructure, the framework is seeing much wider adoption across industries and organizations of various types and sizes. The CSF provides guidance and was built to be customized by organizations to meet their unique business and mission goals.
If you are embarking on implementing CSF, some areas to consider:
True to any successful risk management framework, CSF or not, a suitable implementation requires a determination of business impact, risk appetite/tolerance and actual threat vectors, among other key variables. Proper knowledge and true understanding of one’s organizational risks is required when implementing CSF (or any risk management framework for that matter). By going about CSF the wrong way, your end results may belie the true state of your organization’s risk, resulting in false confidence in your current program and potentially misguided investments in resources.
Here are five practical tips to effectively implementing CSF:
It is best to plan on integrating CSF into your business as a long-term strategy. CSF is not a one-time, quick checklist, so it is best to allocate the proper resources to ensure a successful implementation for long-term, effective risk management.
Category: Security Published: 6/15/2018 2:59 PM
Where calls to “get ready for GDPR” permeated last year’s InfoSecurity Europe conference in London, keynote speakers at this year’s event—conducted just 10 days after the European Union’s regulatory enforcement deadline—put a stronger spotlight on GDPR compliance and sunk more serious messaging teeth into their talks.
Nowhere was this more evident than during the event’s “EU’s GDPR Is Here – Now What?” panel, where two enterprise privacy and security officers, a Microsoft cyber senior executive and a UK GDPR policy lead weighed the realities and rigor of the new regulatory environment.
Vivienne Artz, chief privacy officer for Thomson Reuters, said the organization has “put its house in order. Privacy, privacy and security by design are the new normal.”
Critical to Thomson Reuters’ progress, according to Artz, was senior management buy-in. GDPR support and change “must be a top-down exercise. Privacy cannot be delegated to a department. It is each individual who is now personally responsible,” she noted.
GDPR’s requirement that organizations report security breaches within a 72-hour period reinforces the individual employee awareness and activation, especially of documented, regularly practiced breach notification policies, according to Artz.
“If you don’t have a breach notification policy, you’re fried,” Artz declared.
Artz and Trainline security director Mieke Kooij emphasized understanding the regulation’s fine details, and working collaboratively, and very actively, across IT, audit, assurance and legal. For instance, “there are new things defined as ‘breach,’” and org-wide awareness is essential to avoid complaints and penalties, said Kooij.
The enterprise leaders emphasized their need for more automated services and tools to support regulatory requirements, such as data sourcing, mapping, data types and data access—a theme echoed by Johnnie Konstantas, Microsoft Enterprise Cybersecurity Group senior director. She said Microsoft, and most other technology and cloud service vendors, are deploying such capabilities given that GDPR lays additional burdens on the always accelerating pace of change in “applications, services and data … and of the supply chain. All of it as a very dynamic environment.”
And while not asserting the Information Commissioner’s Office (ICO) will “fry” non-compliant enterprises, technology policy head Nigel Houlden said “It’s fair to say there are some panicking” given GDPR’s requirements and impact across EU-based organizations and all entities that do business or have customers in the region.
“If an organization is willful, disregardant and neglectful of GDPR, you will be investigated. You will feel the force of … the authority of enforcement,” Houlden said. “We will not ignore anything, even the smallest complaint, if there is harm done.”
So, while leading up to the GDPR enforcement deadline, an ISACA survey asked participants about their GDPR readiness, maybe now the question should be along the lines of whether you are GDPR
Editor’s note: For more GDPR resources from ISACA, visit www.isaca.org/gdpr.
Category: Privacy Published: 6/14/2018 3:00 PM
The ISACA Journal has been at the heart of ISACA’s knowledge community for more than 40 years, a tradition we are proud to carry forward into the future.
The ISACA Journal has remained a valued asset to ISACA’s professional community because it has continually evolved to meet the needs and interests of practitioners amid the ever-changing technology landscape. This year, for example, the Journal has highlighted key industry topics such as the future of data protection, innovation governance and smart transformation, with more timely content in the pipeline for the coming months. As much as we focus on the type of content that will be most relevant to Journal readers, we are equally mindful of the way in which the Journal audience is consuming content in the digital era.
In recognition of how more and more professionals prefer to read publications—the Journal included—we are refocusing the way we deliver the Journal with added emphasis on our digital presence, allowing this valuable knowledge resource to better serve our professional community and help us move more quickly toward the goal of realizing the positive potential of technology.
Effective with volume 4, 2018, of the ISACA Journal (July/August edition), you will receive Journal content exclusively in a digital format unless you choose to opt in to receive the print edition. If you wish to continue receiving the print edition, you must opt in by 26 June 2018 to ensure uninterrupted delivery. To do so, follow these simple steps:
Accessing the Journal online allows members of ISACA’s professional community to explore the Journal alongside ISACA’s extensive collection of online content, including white papers, audit and assurance programs, blog posts, podcasts, and insights from our network of affiliates, such as the Massachusetts Institute of Technology Center for Information Systems Research and Wapack Labs. As technology transforms the way people consume information, we will continue to identify opportunities that will enhance the robust digital experience for the Journal audience and make the Journal an even more esteemed resource for ISACA’s professional community.
This is an exciting time as ISACA approaches its 50th anniversary celebration in 2019. As we look toward the organization’s future, whether accessing content digitally, in print, or whatever comes next, members of ISACA’s professional community can count on the Journal providing the knowledge resources needed to navigate digital disruption and advance their careers. Opt in today to continue uninterrupted print delivery!
Category: ISACA Published: 6/13/2018 3:14 PM
While some cybersecurity teams may be anxious to get involved with master data management (MDM), there are prerequisites that we strongly recommend be in place prior to starting down the implementation path. Having a well-defined software development life cycle (SDLC) in place is important. Even more important is that adherence to the SDLC be institutionalized. Tied into this is the architecture review board, which should be reviewing all significant changes or new implementations of data, systems, technology, etc. These 2 processes should be addressed in the information security policy and, where applicable, the data governance policy.
With these building blocks in place, the following steps will get you started mapping a data protection plan that can be outlined in a governance standard document and referenced in your company’s information security policy and data governance policy:
In the process of implementing the previous list, the cybersecurity team should perform the governance role of defining the levels of security for each data type based on its classification (e.g., public, confidential and restricted).
Ensure that your classification names align with your company’s documented management terms and that they are congruent with the corporate document management definitions.
It is important to outline which data require encryption during transmission, what data require encryption at rest and what data requirements apply if the data are transmitted to a 3rd party. Within this guidance, cybersecurity also sets the standards for compliance, which should include considerations for Payment Card Industry Data Security Standard, General Data Protection Regulation, personally identifiable information, the Health Insurance Portability and Accountability Act, etc.
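One way to make such a standard checkable is to express it as data and audit an inventory against it. The following is an added example, not taken from the Journal article or from ISACA: the three classification names come from the text above, while the control mapping, the sample inventory, the host names and every function name are assumptions constructed for illustration.

```python
"""Audit a data inventory against a classification-based protection standard.

Added illustration: the levels (public, confidential, restricted) come from
the text; the control mapping and the inventory below are constructed.
"""
from dataclasses import dataclass

LEVELS = ("public", "confidential", "restricted")  # least to most sensitive

# Assumed governance standard: what each classification requires.
STANDARD = {
    "public":       {"at_rest": False, "in_transit": False, "third_party_agreement": False},
    "confidential": {"at_rest": False, "in_transit": True,  "third_party_agreement": True},
    "restricted":   {"at_rest": True,  "in_transit": True,  "third_party_agreement": True},
}


@dataclass
class Store:
    name: str
    elements: dict            # data element name -> classification label (or None)
    encrypted_at_rest: bool


@dataclass
class Flow:
    source: str               # Store.name the data leaves from
    destination: str
    encrypted_in_transit: bool
    third_party: bool = False
    agreement_on_file: bool = False


def effective_level(store):
    """Return (level, unlabeled_elements) for a store.

    A store is as sensitive as its most sensitive element. Missing or
    unrecognized labels fail closed: the store is treated as 'restricted'
    and the offending element names are returned so they can be classified.
    """
    unlabeled = sorted(e for e, lvl in store.elements.items() if lvl not in LEVELS)
    if unlabeled or not store.elements:
        return "restricted", unlabeled
    top = max(LEVELS.index(lvl) for lvl in store.elements.values())
    return LEVELS[top], []


def audit(stores, flows):
    """Return a list of (store, finding, detail) tuples."""
    findings, levels = [], {}
    for s in stores:
        level, unlabeled = effective_level(s)
        levels[s.name] = level
        for element in unlabeled:
            findings.append((s.name, "unclassified-field", element))
        if STANDARD[level]["at_rest"] and not s.encrypted_at_rest:
            findings.append((s.name, "missing-encryption-at-rest", level))
    for fl in flows:
        level = levels.get(fl.source)
        if level is None:
            # Data is moving out of something the inventory does not know about.
            findings.append((fl.source, "flow-from-unknown-store", fl.destination))
            continue
        req = STANDARD[level]
        if req["in_transit"] and not fl.encrypted_in_transit:
            findings.append((fl.source, "missing-encryption-in-transit", fl.destination))
        if fl.third_party and req["third_party_agreement"] and not fl.agreement_on_file:
            findings.append((fl.source, "third-party-without-agreement", fl.destination))
    return findings


# Constructed sample inventory (not real systems).
STORES = [
    Store("marketing_site", {"press_release": "public"}, encrypted_at_rest=False),
    Store("crm", {"customer_name": "confidential", "email": "confidential",
                  "card_number": "restricted"}, encrypted_at_rest=False),
    Store("hr_share", {"org_chart": "public", "salary_band": None},
          encrypted_at_rest=True),
]
FLOWS = [
    Flow("marketing_site", "cdn.example", encrypted_in_transit=False, third_party=True),
    Flow("crm", "billing-processor.example", encrypted_in_transit=True,
         third_party=True, agreement_on_file=False),
    Flow("crm", "reporting_db", encrypted_in_transit=False),
    Flow("legacy_ftp", "partner.example", encrypted_in_transit=False, third_party=True),
]

if __name__ == "__main__":
    for store, finding, detail in audit(STORES, FLOWS):
        print(f"{store:15} {finding:32} {detail}")
```

Because a store inherits the level of its most sensitive element, a single restricted field is enough to bring the whole `crm` store under the at-rest encryption requirement, and an unlabeled field is reported rather than silently treated as public.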
Read Sonja Hammond and Chip Jarnagin’s recent Journal article:
“Cybersecurity vs. Master Data Management,” ISACA Journal, volume 3, 2018.