Has GDPR Been a Success So Far?

ISACA Now Blog - 13 September 2019 07:19:44

Since 25 May 2018, the General Data Protection Regulation (GDPR) has been providing unified rules for data processing, requiring wider protection for the rights and interests of data subjects, and establishing important guidelines around the flow of information in the European Union. One year later, the first “anniversary” of the GDPR offered an exceptional opportunity to assess past achievement and to set goals for the future; these were summarized in the communication from the European Commission to the European Parliament titled “Data protection rules as a trust-enabler in the EU and beyond – taking stock.” The report shows that, despite being described as a giant leap into the unknown, measures taken by the relevant stakeholders ensure the success of the new regulation.

The document focuses on legal framework, data protection governance systems, data subjects, controllers and international flow of personal data. Generally, the Commission concludes that the application of the GDPR should be considered successful in many areas, because many objectives set by the European legislators have been achieved. This success extends beyond the borders of Europe since the regulation has a global impact. On the other hand, as pointed out by the Commission, there are still aspects of the GDPR that need further action from the stakeholders.

Besides being a legal act, the GDPR is an instrument fostering a European “data protection culture.” Application of and compliance with the GDPR requires actions from all actors involved, such as legislators, supervisory authorities, data subjects and controllers. Adoption of the relevant measures was intended to change their cultures and behaviors. So those stakeholders were invited to contribute to the process of establishing the practices surrounding GDPR through public commenting or working with various authorities such as the European Data Protection Board.

For instance, parliaments and other regulatory bodies carried out the revision of the current legal framework, and, as a result, several laws have been adopted, amended or repealed. Most supervisory authorities have successfully adopted the necessary measures to effectively exercise their competences provided by the GDPR. Furthermore, the European Data Protection Board, as a platform of cooperation for these authorities, and the European Court of Justice, traditionally interpreting European law, provide guidance in order to achieve a more harmonized practice.

Meanwhile, data subjects and controllers have become more aware of the rules regarding data processing. Individuals are more mindful of controlling their personal data; thus, they exercise the rights provided by the GDPR more effectively than ever. On the other hand, controllers had to revise their activities and make the necessary modifications in order to comply with the new provisions.

The regulation provides unified rules for the proper flow of information within, from and into the European Economic Area. Instruments such as adequacy decisions or standard contractual clauses have been successfully applied in the past as well as under the GDPR. On the other hand, new institutions – e.g. certifications or codes of conduct – have been regulated to further ease trans-border transfer of personal data and to provide wide protection to data subjects. Furthermore, from the US through the Middle East to the Far East, many countries have adopted measures in order to harmonize their data privacy legislation with the GDPR, sometimes adapting to the new regime of data protection, sometimes even copying certain solutions or institutions. Thus, the impact of the regulation may be felt beyond the borders of the EU.

On the other hand, there are certain areas where the objectives of the GDPR have yet to be achieved. For instance, supervisory authorities should exploit all opportunities provided by the new regulation, especially in the field of cooperation. In a unified European area of data protection, the interactions and cooperation between these institutions, such as joint investigations or mutual assistance procedures, are inevitable but have not yet taken hold. The sanctioning system introduced by the GDPR, especially the system of fines, needs to be further harmonized. Since last fall, there has been a growing number of cases in which supervisory authorities imposed so-called “GDPR fines.” Contrary to the intent of the GDPR, the amounts of these fines vary significantly among the member states. Therefore, efforts should be taken to ensure that violations of the GDPR result in the same sanctions everywhere across the member states; otherwise, so-called “forum shopping” might occur. Furthermore, the international flow of personal data should be further considered. Certification schemes or codes of conduct may serve as useful instruments for facilitating trans-border data flows. Yet the application of these tools at the national as well as the European level lags behind other provisions of the GDPR. Finally, legal harmonization of the GDPR and the adoption of new laws need to be continued, as with the ePrivacy Regulation, which requires further revision of the legislative framework.

One might ask whether the GDPR is a success. Although it has been applied for only a little more than a year, the GDPR has already made a great impact on almost all aspects of our lives, activating different stakeholders and providing wider protection to data subjects. Thus, as an instrument fostering a European “data protection culture,” the regulation is highly successful. On the other hand, the deficiencies identified by the Commission in the communication may, and hopefully will, be resolved in the near future. And since the document is only the first in a line of reports on the implementation of the GDPR, count on the progress of further harmonization being continuously monitored.

Category: Privacy Published: 9/16/2019 3:08 PM
Category: ISACA

Third-Party Vendor Selection: If Done Right, It’s a Win-Win

ISACA Now Blog - 12 September 2019 07:15:22

The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.

Companies recognize and capitalize on these advantages: A study in 2017 of nearly 400 private and public companies reported that two-thirds of those companies have over 5,000 third-party relationships, according to a report released by the Audit Committee Leadership Network. This staggering statistic illustrates how deeply organizations have come to rely on third parties for everything from back-office activities (payroll, help desk, business continuity infrastructure, etc.) to customer-facing roles (call center, sales and distribution, marketing, etc.). But this heavy reliance also elevates third-party risk management from a “nice to have” capability to a business imperative.

While these relationships provide the opportunity for an organization to realize significant benefits, they also introduce a number of potential risks. Before deciding to outsource responsibilities, business leaders must have a broad understanding of their organization’s risk landscape and develop an approach to evaluate the risks introduced by using third parties. Shifting the focus from saving money to creating value is one way companies can start thinking differently about how they manage third parties.

How Do I Know What I Should Outsource?
The most essential step is knowing the value your organization brings to the market.

As an example: If your company is known for developing and distributing high-quality instruments, outsourcing your manufacturing operations is not the best place to start. Issues with that third-party relationship are likely to be customer-facing and impact your hard-earned reputation for precision and quality. Additionally, the skillsets and facilities required to manufacture your product may not be widely available, making your business effectively a hostage of your vendor.

In contrast, if you decide to outsource a function like a payroll, even though poor performance might be an annoyance for employees, it is easily remedied by switching to one of the many alternatives available. There also is no direct customer impact in the short term, so your reputation remains intact.

The most successful outsourcing relationships allow companies to focus on the value they deliver to the market by outsourcing activities that require significant resources or specialized abilities but are outside an organization’s core competencies and not aligned with their long-term strategic vision.

How Should I Perform Due Diligence on Potential Third Parties?
Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses. Document your requirements and ask prospective vendors to address each item directly, rather than allowing the vendor to give you their boilerplate sales pitch, as these are typically designed to gloss over or avoid known weaknesses. Make sure you are comfortable with any capability or control gaps and have considered whether internal resources can shoulder the additional burden.

We Have Selected a Third Party to Engage – Now What?
Once you have determined the process to be outsourced, identified the inherent risks associated with that process, performed your due diligence, and selected a vendor, it is time to formalize the relationship with a contract – typically a Statement of Work (SOW) – that includes both adequate safeguards and defined performance targets.

Those charged with contract negotiation (typically Legal and/or Procurement) need to be acutely aware of the value you expect the third party to provide to structure an effective contract. To avoid potential conflicts of interest, purchasing managers should not be responsible for negotiating vendor contracts without oversight, as they are often incentivized by operational goals, and less likely to consider the broader enterprise risk landscape.

While most vendor contracts contain defined Service Level Agreements (SLAs) for operational metrics, like timeliness and accuracy, they often don’t include provisions like the mandatory disclosure of system/data breaches, timely communication of relevant audit observations, insurance requirements, periodic reporting on financial viability, etc., leaving organizations in a tough spot when issues stemming from a third-party relationship arise.

How Can I Make Sure My Outsourced Provider Is Meeting Expectations and Minimizing the Inherent Risk to My Organization?
The best way to illustrate this step is to borrow an old cliché: “Treat others how you wish to be treated.” That is, if you want your third parties to share your values and protect the interests of your organization the same way you would, it is important not only to formalize critical details of the relationship in the contract but also to help them understand the business context around the service they provide. The more you treat your third parties like partners rather than vendors, the more likely they are to perform in line with your organization’s values. Mix in a reasonable number of SLAs designed around the identified risks, with clearly assigned accountability for monitoring SLA performance, and you will be positioned to identify threats or emerging risks that could impact your organization before they damage your bottom line – or worse – end up as front-page news.

Editor’s note: For additional insights on the topic, download ISACA’s recent white paper on managing third-party risk.

Category: Risk Management Published: 9/12/2019 3:04 PM
Category: ISACA

US Government Innovates Cyber Job Fulfillment

ISACA Now Blog - 11 September 2019 03:58:12

Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.

However, it seems progress is being made on the cyber staffing shortfall, at least anecdotally. At the 10th Annual Billington Cybersecurity Summit conducted 4-5 September in Washington DC, the theme of cyber workforce development was discussed in several sessions. Specifically, a number of speakers employed at various US agencies commented on the progress the US government has made in using creative and innovative approaches to hiring individuals for cybersecurity roles.

The Office of Management and Budget (OMB), for example, is piloting a cybersecurity reskilling effort according to Grant Schneider, federal CISO at the OMB. As part of the Federal Cyber Reskilling Academy, US federal employees are offered an opportunity to be trained in cybersecurity.

The Federal Bureau of Investigation (FBI) asks new hires to take an aptitude test to gauge their potential ability to perform cyber tasks. Thus, for example, if an individual is hired to be an analyst (perhaps because of language or data skills) but scores high for cyber on the aptitude test, the FBI will encourage the individual to pursue employment within the Bureau in cybersecurity.

A number of speakers from several US agencies stressed that the government has shifted its hiring practices to focus on aptitude versus requiring specific degrees or skills (and in many instances have eliminated the degree requirement). In one example, government-employed cyber professionals worked very closely with government recruiters to vet candidates and help establish aptitude for cyber roles.

The US government has also had recent successes in hiring industry experts at its agencies. Often these employees started in government, left public service to work in the private sector, and are now returning to the public sector, sometimes via a partnership arrangement with industry. Often individuals want to work for the government, fulfilling a need to give back or serve the public. As Katherine Arrington, chief information security officer, Office of the Undersecretary of Defense for Acquisition, noted, “We need to reduce the bureaucracy to facilitate that. We’re moving in the right direction.”

As ISACA’s State of Cybersecurity reports note, retention of qualified cyber professionals can be challenging. This is especially true in government, where public sector cybersecurity jobs often don’t pay as well as those in the private sector. The government, however, has had recent successes with hiring cyber professionals at a higher pay grade than in the past (particularly for civilian employees) and increasing remuneration via bonuses (for military personnel), according to Jack Wilmer, deputy CIO for cybersecurity and senior information security officer, Department of Defense.

It’s encouraging to see the progress the US government is making in tackling the cybersecurity workforce shortage. The private sector should take note and consider adopting some of these successful tactics.

Category: Security Published: 9/11/2019 2:59 PM
Category: ISACA

How to Prepare for Taxation in a Digitalized Economy

Journal Author Blog Posts - 10 September 2019 03:53:37

While IT professionals and auditors are not required to be tax experts, they do need to have a certain level of mindfulness with regard to taxation within the digitalized economy going forward, as tax collection is slowly but surely becoming part of the natural business ecosystem, where taxation happens by default.

IT professionals and auditors should consider the following to better address taxes within the digitalized economy:

  • Regarding the client’s business structure, does it deliver highly digitalized services and does it have an international economic presence?
  • Does the client have sufficient IT controls in place to identify the origin of its users of digitalized services provided? Controls such as bank account details, IP addresses, customer addresses might suffice, although they can be changed or anonymized. This information should be used to bill the client and apply the correct Value Added Tax (VAT)/Goods and Services Tax (GST) rates, which is a fully digitized process.
  • Does the client make use of freelance or contract workers within the gig economy? If so, payments to them should be made after withholding taxes (dependent on the jurisdiction in which the worker resides). This is also a digitalized process in most instances.

The following IT internal controls questions should also be answered:

  • Do the current IT internal controls ensure accurate tax reporting?
  • Does the current point-of-sale system or accounting software identify the location of the customer buying digital services? If so, does the software make provisions for the specific tax requirements in the country of the customer?
  • Is the accounting software set up in such a way that would enable withholding taxes for payments made to temporary/contract/freelance workers?

Though the previous points are not an exhaustive list of considerations, they do provide guidance to illustrate the holistic approach of professional services required by Industry 4.0 and beyond.

Read Helena Strauss' recent Journal article:

"Digital Transformation of Taxation," ISACA Journal, volume 5, 2019.

Category: Audit-Assurance Published: 9/9/2019 3:02 PM BlogAuthor: Helena Strauss, CISA, CA(SA) PostMonth: 9 PostYear: 2019
Category: ISACA

CISOs Must Address Their Blind Spot for Effective Oversight of ICS Security

ISACA Now Blog - 10 September 2019 02:02:44

Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind, a critical challenge considering that a cyberattack on ICS and OT could result in the loss of lives and/or major environmental damage. These grave threats, of course, are in addition to the financial, reputational and compliance impacts of cyber incidents that affect all industries. Given the high stakes, it is time for the CISO to step up, learn about the unique characteristics of ICS and OT, and collaborate with the industrial control engineers, in order to take proper responsibility for ICS and OT cybersecurity.

I have gained experience in this area through my work on a project I conducted for the Israel National Cyber Directorate (INCD), in which we worked to provide the Israeli ICS sector with a practical tool allowing enterprises to conduct a cyber risk assessment of their ICS network. In working to develop the tool, we met with a range of OT engineers and cybersecurity professionals to draw upon their expertise and insights. Through those interactions, a concerning pain point was identified – ineffective working relations and processes between the two groups, leading to poor cyber resilience for ICS networks.

Clearly, there is a leadership vacuum that needs to be filled. Among many in the industry, there is a debate about who should assume ultimate responsibility over ICS security – the CISO or OT engineers. I believe that the CISO is best-suited to do so, given the CISO’s grounding in risk management practices and controls for cyber risk mitigation. But to properly oversee this area, CISOs must address their blind spot regarding risks in the OT environment. Since CISOs generally do not possess much knowledge of OT processes and systems as well as their sensitivity to change, they tend to overlook potential consequences if something goes wrong. Conversely, business executives might have familiarity with OT processes, but they tend to have less understanding of cyber risk, focusing instead on productivity and process reliability.

ICS and OT systems, such as Building Management Systems (BMS) and surveillance cameras, can be found in most modern organizations. ICS is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in critical infrastructure – areas such as the manufacturing, transportation, energy, and water treatment industries, which are essential to the health, safety, security and economic well-being of governments and society as a whole. OT systems, meanwhile, include the hardware and software systems that monitor and control physical devices in the field, such as devices that monitor temperature in industrial environments.

The convergence of IT and OT provides enterprises greater integration and visibility of the supply chain, including critical assets, logistics, plans, and operation processes. Having a thorough view of the supply chain can help organizations improve strategic planning and remain competitive. On the other hand, however, the convergence of IT and OT expands attack vectors for cybercriminals, allowing them to take advantage of poorly protected OT infrastructure.

This is part of the challenge for CISOs, who have several places to turn for guidance in shoring up this common blind spot. CISOs and others interested in learning more about reducing ICS security risk would be well served to explore NIST’s Cybersecurity Framework Manufacturing Profile. Additionally, the ISA/IEC 62443 series of standards provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. And on the certification front, ISACA’s CISM credential can help CISOs develop a risk-based approach to managing security challenges that may arise on the ICS and OT landscape.

Editor’s note: Weisberg will present additional insights on “Illuminating the CISO’s ICS Blind Spot” at Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, USA.

Category: Security Published: 9/10/2019 2:49 PM
Category: ISACA

Improve ROI From Technology By Addressing the Digital Risk Gap

ISACA Now Blog - 7 September 2019 01:37:49

All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.

Digital enterprise strategy and execution are emerging as essential horizontal competencies to support business objectives. No longer the sole purview of technical experts, cybersecurity risks and opportunities are now a core component of a business risk portfolio. Strong collaboration between IT and risk management professionals facilitates strategic alignment of resources and promotes the creation of value across an enterprise.

ISACA’s Risk IT Framework acknowledges and integrates the interaction between the two professional groups by embedding IT practices within enterprise risk management, enabling an organization to secure optimal risk-adjusted return. In viewing digital risk through an enterprise lens, organizations can better realize a broader operational impact and spur improvements in decision-making, collaboration and accountability. In order to achieve optimal value, however, risk management should be a part of technology implementation from a project’s outset and throughout its life cycle. By understanding the technology life cycle, IT and risk management professionals can identify the best opportunities for collaboration among themselves and with other important functional roles.

IT and risk management professionals both employ various tools and strategies to help manage risk. Although the methodologies used by the two groups differ, they are generally designed to achieve similar results. Generally, practitioners from both professions start with a baseline of business objectives and the establishment of context to enable the application of risk-based decision making. By integrating frameworks (such as the NIST Cybersecurity framework and the ANSI RA.1 risk assessment standard), roles and assessment methods, IT and risk management professionals can better coordinate their efforts to address threats and create value.

For example, better coordination of risk assessments allows organizations to improve performance by identifying a broader range of risks and potential mitigations, and ensures that operations are proceeding within acceptable risk tolerances. It also provides a clearer, more informed picture of an enterprise’s risks, which can help an organization’s board make IT funding decisions, along with other business investments. Leveraging the respective assessment techniques also leads to more informed underwriting—and thus improves pricing of insurance programs, terms of coverage, products and services.

Overall, developing clear, common language and mutual understanding can serve as a strong bridge to unite the cultures, bring these two areas together and create significant value along the way.

The report is available to RIMS and ISACA members through their respective websites: the RIMS Risk Knowledge library and ISACA’s website. For more information about RIMS and to learn about other RIMS publications, educational opportunities, conferences and resources, visit the RIMS website; to learn more about ISACA and its resources, visit the ISACA website.

Category: Risk Management Published: 9/9/2019 3:02 PM
Category: ISACA

How Responsible Are Cloud Platforms for Cloud Security?

ISACA Now Blog - 5 September 2019 22:48:59

These days, just about every software platform or app available has some kind of cloud functionality. They might host your data in the cloud, give you cross-platform access to your account, or allow you to upload and download files anywhere. This is remarkably convenient, and a major breakthrough for productivity and communication in the workplace, but it also comes with its share of vulnerabilities. A security flaw could make your data available to someone with malicious intentions.

Cloud security is a complex topic that comprises many different considerations, including the physical integrity of the data center where your data is held and the coding of the software that allows you to access it. A trustworthy cloud developer should take precautions and improve cloud security the best it can—but how responsible should the developer be for ensuring the integrity of their system?

Cloud Platform Responsibilities
There are many potential points of vulnerability that could compromise the integrity of a cloud account. However, not all of them are controllable by the cloud developer—as we’ll see.

Let’s start by focusing on the areas of security that a cloud developer and service provider could feasibly control:

  • Physical data storage and integrity. Most cloud platforms rely on massive, highly secured data centers where they store user data and keep it safe. Because cloud platforms are the only ones with access to these data centers, they’re the ones responsible for keeping them secure. That often means creating redundancy, with multiple backups, and physical protective measures to guard against attacks and natural disasters.
  • Software integrity. The cloud platform is also responsible for ensuring the structural integrity of the software. There shouldn’t be any coding gaps that allow someone to forcibly enter and/or manipulate the system.
  • API, communication, and integration integrity. One of the biggest potential flaws in any app is its connection points to other users and other integrations. If the app allows message exchanges, it should be secured with end-to-end encryption. If there are any active API calls to integrate with other applications, these need to be highly secure.
  • User controls and options. It’s also important for cloud apps to include multiple options and features for users to take charge of their own security. For example, this may include the ability to create and manage multiple types of users with different administrative privileges.

Other Responsibilities
However, there are some other points of vulnerability outside the realm of a cloud provider’s direct control. For example:

  • Network encryption and security. There isn’t much a cloud platform can do if end users are relying on a public network, or one that isn’t secured with encryption and a strong password. This is a responsibility that falls squarely on the shoulders of the end user.
  • Hardware and endpoint security. While the software development process requires a developer to have some level of understanding of the hardware being used to access their apps, they’re limited in their understanding of those inherent vulnerabilities. There also isn’t much a cloud platform can do if their end users are using outdated devices, or devices with massive security flaws.
  • Password and account protection habits. It’s almost entirely the end users’ responsibility to create strong passwords and protect their own accounts. If they end up choosing weak passwords, or if they never change those passwords, no amount of built-in security can help them. The same is true if they fall for phishing schemes, or if they voluntarily give their password to someone. Along similar lines, it’s important that a developer’s end users understand the nature of online scams, but this is generally outside the realm of the developer’s control.
  • Malware. When malware is installed on a device, it could gain access to everything else on that device, including being able to spy on actions performed within the cloud app. Unless a cloud app deliberately scans for malware, there’s no way for it to tell that it’s installed. It’s the end user’s responsibility to take preventative measures, such as avoiding suspicious download links and installing antivirus software to run occasional scans.

Even if these aren’t directly within the control of a cloud platform provider, there are steps a cloud provider can take to improve them, or mitigate their potential vulnerabilities. For example, a cloud provider can’t guarantee good password creation and adjustment habits, but they may be able to educate their users on the importance of good password habits and/or require them to update their passwords regularly.

Overall, cloud platforms should be held to high security standards, but there are limits to what they can control. Digital security in all its forms needs to be a team effort; even a single vulnerability can compromise the entire system.

Editor’s note: For additional insights on this topic, download ISACA’s white paper, Continuous Oversight in the Cloud.

Category: Cloud Computing Published: 9/6/2019 3:00 PM
Category: ISACA

Digital Transformation Oversight Extends Beyond Technology

Journal Author Blog Posts - 4 September 2019 03:16:50

Digital transformation. Digitalization. Digitization. These are three business terms in common use today that describe the differences in scope of the organizational digital effort, listed here in order of decreasing scope. Unfortunately, the first word of the term “digital transformation” seems to receive all the attention, with the second word left to scrabble for the scraps. This could be because digital technology efforts are already difficult enough if they are considered in a corporate context rather than as a silo, while the associated transformation efforts—largely involving people and business transformation—are even more difficult. For technology efforts, however, forgoing the people component readily results in the expectations of the investment not being met.

The distinction between the scope of the three previous terms is important from a governance context, as it drives the nature of the oversight required. In this case, a board, concerned not only with compliance, but also with the organization’s sustainability as part of an approved corporate strategy, would generally be more interested in the scope and impact of digital transformation and less in digitization.

Given that a board is concerned with an organization’s sustainability and competitiveness, it is particularly interested in the alignment between business and IT, the associated capital and operating costs, and the (strategic) benefits this investment and expenditure would enable. It would also be interested in ensuring that the capability exists to properly leverage the investment to benefit stakeholders such as shareholders, customers, employees and regulators. Note that the latter 2 sentences have implications for the organization’s entire operating model—people, process and technology—and its business model.

The value created by digital transformation materializes in the organization’s business model in the way the organization makes its money. So, if an organization’s operating model becomes more efficient—resulting in lower operating costs per unit of sales or per product/service sold—shareholders will see this as increasing profitability. If digital transformation results in greater integration across the organization, then customers will see this in the consistent way the enterprise communicates with its customers across all its channels, whether branch, kiosk, telephone, mobile, Internet or other.

My recent Journal article helps bring it all together for the practitioner, illustrating how the operating model, people, the business model and measures of success are all key components of the oversight of digital transformation, and the relationships between them in the context of the organization’s strategic milieu. It ultimately explains why digital transformation demands quality oversight at the micro, meso and macro levels and describes steps that help protect the organization from sub-optimal digital transformation decisions that could hamper rather than grow the organization’s competitiveness and sustainability.

Read Guy Pearce's recent Journal article:

"Enhancing the Board’s Readiness for Digital Transformation Governance," ISACA Journal, volume 5, 2019.

Category: COBIT-Governance of Enterprise IT Published: 9/3/2019 3:01 PM BlogAuthor: Guy Pearce, CGEIT PostMonth: 9 PostYear: 2019

Cybersecurity a Central Ingredient in Evolving Digital Business Models

ISACA Now Blog - 2019-08-30 07:06:47

About the only thing shifting as fast as the cyber threat landscape is the typical enterprise’s org chart. As enterprises aim to keep pace with the rapidly evolving digital economy, many are restructuring internal departments, hiring criteria and the processes by which they develop and distribute products, all with the overarching objective of becoming more proficient at rapidly responding to new opportunities in the marketplace. In making these well-intentioned adjustments, the ability for enterprises to establish robust, broadly integrated cybersecurity as a core capability of their recalibrated operation will be one of the best predictors of whether these changes will prove successful.

The Expanding Footprint of Data in the Enterprise
Achieving a solid, enterprise-wide cybersecurity posture is difficult not only because cyber threats continue to grow in volume and sophistication, but also because of the expanding footprint of data in the enterprise. Call data the new gold, the new air, the new oil – whichever metaphor you prefer – and the reality remains that the need to leverage data is becoming increasingly essential across lines of business. That is one of the main reasons why security teams must not look at themselves as the sole implementer and enforcer of sound security practices, but rather spread security awareness and adoption of clear policies among their colleagues as an ongoing, sustained point of emphasis. More than 8 in 10 respondents to ISACA’s research say that establishing a stronger culture of cybersecurity would increase their organization’s profitability, and this will only become more on-target as organizations increasingly embrace digital business models. The rising profile of data analytics factors in heavily, as referenced in a recent McKinsey article, which noted that “as companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information. They must also incorporate security controls into analytics solutions that may not use a formal software-development methodology.”

The cloud is another area in which proactively bolstering security capabilities will be critical in the new enterprise environment. While cloud computing is certainly not new, turning to cloud providers has become increasingly attractive for many enterprises whose traditional server-based approach no longer is sufficient for storing and protecting their data. Modern cloud platforms supply enterprises with an array of options that provide data storage and protection that can lead to dramatically improved scalability and flexibility. While new, sophisticated security capabilities are being integrated into today’s cloud platforms, these capabilities are not always integrated into organizations’ security programs, whether due to discomfort with trying new approaches or just the challenge of carving out time to explore them amid the usual, day-to-day challenges. This is a missed opportunity for enterprises to enhance their security programs and derive additional value from their investments in the cloud.

Turning DevOps into DevSecOps
Another dynamic elevating the importance of broader integration of security principles is DevOps. In an era in which business velocity can reach a dizzying pace, enterprises have turned to DevOps to move faster and more efficiently in their builds, deliveries and deployments. The problem is, security oftentimes is an afterthought in this process, which puts developers in the difficult position of trying to figure out security best practices on their own. Working security into the DevOps program – referred to as DevSecOps – allows the security team to become involved during the design phase and ensure that critical security flaws are identified and addressed early, before they become fixes that grow increasingly costly later in the process. Similarly, Agile development methodology needs to take cybersecurity considerations into account, such as ensuring that all data is properly categorized and that a comprehensive, risk-based approach to safeguarding the data is in place.

Historically, we have seen that enterprises are typically more attentive to positioning themselves to sell products and increase revenue than to protecting themselves and their customers from security threats. But as we near a new decade – the 2020s – the pace at which enterprises will realign to thrive in a technology-driven digital economy will only accelerate. We remain in the early stages of this era of digital transformation. Consider the way technologies such as artificial intelligence/machine learning, robotics, and the ongoing proliferation of connected devices will create new business opportunities that result in new methods of product development and ushering products to market. Anything less than deeply ingrained cybersecurity throughout the enterprise will not work going forward. By integrating sound cybersecurity practices in all areas of the organization, implementing new security capabilities that are baked into modern cloud services and turning DevOps into DevSecOps, enterprises will have the flexibility to re-imagine their business models while retaining a stable foundation on which to innovate.

Editor's note: This blog post originally appeared in CSO.

Category: Security Published: 9/3/2019 3:02 PM

Know Who Your Customers Really Are or Prepare for Trouble

ISACA Now Blog - 2019-08-30 06:41:06

Recently in the UK, the women’s national football team manager, Phil Neville, called for all social media accounts to be verified and accountable as the result of a spate of racist postings, and asked for a boycott of social media until the situation is addressed. He said that one of his fellow footballers had demanded that people are verified and give passport details and addresses to be held accountable for their postings. As he said, “You can be an egg on Twitter and no one knows who you are.”

Now, it’s probably a sorry state of affairs if a footballer is handing out cybersecurity advice to the world of technology practitioners, but that’s in fact exactly what has happened. Needless to say, Twitter responded with a typically noncommittal answer in which they “will continue to liaise closely with our partners to identify meaningful solutions to this unacceptable behavior.”

So, to be clear, they won’t verify people’s identities, as that would not suit their business model. Think how many users they would lose if everyone had to upload passport details before tweeting.

This is not a one-off problem. Depending on which report you want to look at, the problem of fake and duplicate accounts is rife. Facebook deleted more than 2 billion fake accounts in the first quarter of the year, between 9 and 15% of active Twitter accounts may be social bots, and a Twitter audit estimates that only 40-60% of Twitter accounts represent real people. It’s even possible for people to fake the verified indicator on LinkedIn.

So, why is this a problem for information security practitioners?

Multiple reasons, really. Fake actors are spreading misinformation about your products, impersonating you and selling counterfeit products, phishing your staff and customers, and embedding links to malware in postings on your social media sites, among many other exploits. And when it goes wrong, your organization loses business and gets bad PR. Further, there will be no chance of catching the perpetrator, as you don’t know who they are, since the social media platform did not have a know-your-customer process.

So, any review you carry out on the use of social media in your organization should be based on the knowledge that no one knows who anyone else is, and your marketing people should have processes in place that take this into account, along with a response plan for when something inevitably goes wrong.

I’ll be presenting on this topic and other social media exploits in my session, “Auditing Social Media and its Cyber Threats,” at EuroCACS/CSX 2019, to take place 16-18 October in Geneva, Switzerland.

Category: Risk Management Published: 8/30/2019 3:01 PM

Auditing Green IT

Journal Author Blog Posts - 2019-08-30 02:09:03

Sustainability has become a key focus in the 21st century. Both society and organizations recognize the importance of sustainability in their day-to-day functions and demand guidelines that help them implement, control and improve practices in this regard. Many IT organizations have begun to implement green IT practices. Based on our experience applying an extension of COBIT in different organizations to audit green IT, we believe that the following steps should be considered:

  1. Understand the scope—Due to the novelty of green IT, many organizations do not fully understand the scope of green IT practices. Thus, it is important to differentiate between green-by-IT practices (in which IT is used to reduce the negative impact that other areas have on the environment) and green-in-IT practices (in which sustainable practices are applied in IT itself to reduce its negative environmental impact).
  2. Conduct a systematic and progressive green IT assessment—Assessing all the processes established by COBIT (adapting them to green IT) is unfeasible. So, it is advisable to group COBIT processes using a maturity model. This allows auditors to conduct a more organized and progressive audit, assessing first and ensuring compliance with the most basic and necessary processes of the first maturity levels before assessing more complex processes of higher levels.
  3. Implement improvement actions—We have also guided organizations toward the improvement of the practices they carry out. Organizations should develop improvement plans and progressively implement the processes level by level of maturity.

We believe that these 3 steps can help you not only when properly assessing green IT, but also when establishing a strategy to implement and improve the processes and practices that are carried out. This will benefit your work as auditors, making the entire audit process simpler and more complete, and it will help organizations achieve better results in green IT.

Read J. David Patón-Romero, Maria Teresa Baldassarre, Moisés Rodríguez and Mario Piattini's recent Journal article:

"Auditing Green IT Governance and Management With COBIT 5," ISACA Journal, volume 4, 2019.

Category: Audit-Assurance Published: 8/29/2019 2:56 PM BlogAuthor: J. David Patón-Romero, CISA, PMP, Maria Teresa Baldassarre, PMP, Moisés Rodríguez, CISA and Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP PostMonth: 8 PostYear: 2019

Trsar Family Helps Ensure ISACA’s Growth in ‘Good Hands’

ISACA Now Blog - 2019-08-29 04:09:43

Editor’s note: As ISACA celebrates its 50th anniversary in 2019, we are telling stories of the members, volunteers and staff who have contributed to ISACA’s growth and global impact. Below is an excerpt from a feature article on the ISACA staff father-son duo of Terry Trsar and Tim Trsar. Read the full feature article on Terry and Tim in the ISACA 50th Anniversary Story Gallery.

Terry Trsar was instrumental in building many of ISACA’s most well-known programs. His son, Tim Trsar, is helping take them to new heights.

Collectively, the affable father-son duo continues to leave a significant imprint on ISACA’s trajectory of growth and expanded global impact.

Terry Trsar worked at ISACA for 20 years, beginning in 1995, overseeing many of ISACA’s core areas, such as conferences, training and certification, and serving as chief professional development officer for many years. Tim Trsar, one of his four sons, started in ISACA’s marketing department in 2016, less than a year after his father retired. Suffice it to say, there is plenty of talking shop when the two get together.

“I think it’s kind of cool that Tim is involved in programs that were initiated back when I was there building them with other staff and teams,” said Terry, sitting alongside Tim on a recent afternoon at ISACA’s global headquarters. “When he talks about the CACS conference or some of our certification programs or training weeks, it makes me feel good that they are still vital ISACA programs that are doing well and that remain in good hands. They’re in Tim’s good hands, and everyone else’s good hands. I get excited about that.”

Following in the footsteps of mom or dad can be a tough sell for children, who often are eager to chart their own path. Going to a different college, moving to a different area or choosing a different line of work is often the preferred approach. Not so for Tim, who was thrilled to follow his father’s long and distinguished career at ISACA.

“I’d say it was sort of the opposite of being resistant,” Tim said of pursuing a career at ISACA. “I looked up to my dad.”

In the case of the mark Terry left on ISACA, there is plenty to look up to. It’s fitting that Terry began his time at ISACA in a different millennium, given the dramatic evolution that has unfolded since. Terry recalled attending his first ISACA conference shortly after he started in 1995, when members of the ISACA board added an outing to see “The Net,” a movie set in the rudimentary days of the internet in which a floppy disk played a key part in the plot. Just like the internet, ISACA has progressed remarkably in the years since, with Terry helping to drive that growth. Both ISACA’s staff size (around 20 when he started) and membership (around 15,000 when he started) are now roughly 10 times as large.

“I love to build. I’m always building something, always doing something, so ISACA was perfect for me when I came because it was still fairly young and we had a lot of growth ahead of us,” Terry said. “There were always things to do and build. I loved it because it was like being an entrepreneur. I enjoyed that immensely.”

He also initially found the close-knit nature of ISACA’s modestly sized staff, working in close quarters in ISACA’s former Rolling Meadows, Illinois, USA, location, appealing. Whether it was in the early days converging on the fax machine to listen for the hum of incoming CISA exam registrations as the deadline neared, planning conference programs, or a range of other team efforts, the back-and-forth made the job fun.

“I think you’d hear this from anybody that you’d bring in here from the time that I worked here – the fun for all of us was working with the other staff because it was all extremely collaborative,” Terry said. “We all had our specific responsibilities, but we all worked together on many projects, and the volunteers were a big part of that and just a blast to work with.”

Tim, growing up as the second-oldest of four Trsar brothers, picked up on his dad’s passion for his job, and developed an especially favorable view of ISACA while traveling with the family to various ISACA conferences. Young Tim even helped stuff bags at one CACS conference in Chicago, foreshadowing his whatever-it-takes approach to his current role as marketing manager.

As Tim grew older, Terry detected that he would be a great contributor at ISACA, and helped set the opportunity in motion with some of his former colleagues.

“I knew Tim would be a good fit [at ISACA] because he is very creative, very passionate about his work, and the one thing I think you have to be above everything else at ISACA is able to multitask, and Tim is the ultimate multitasker – believe me,” Terry said. “You should see what his life is like, when he used to play in a band and work several jobs. He always has a million things going on at once.”

Today’s ISACA has a much larger, more sophisticated and more specialized marketing function than during Terry’s time, and Tim quickly carved out a niche marketing ISACA conferences as well as assisting the marketing team with video and other creative elements.

In between assignments, Tim hears plenty about his dad from many ISACA colleagues who fondly recall working alongside his father: “Great guy.” “Problem-solver.” “Knowledgeable.” “A joy to work with.”

“When I first started, I would report back to my dad all the nice things that people said about him: ‘I talked to so-and-so today and they said all these nice things about you,’” Tim said. “And then it turned out I was having the same conversation with everybody.”

Category: ISACA Published: 8/29/2019 8:56 AM

Keys to More Effective Vendor Risk Management

ISACA Now Blog - 2019-08-28 06:20:05

Certain industries have a better conceptual understanding of their supply chain than others. For instance, in manufacturing, it’s very clear that raw materials come in one end and out the other comes a completed, processed product for consumption. Those products may get shipped to another manufacturer for integration into their products or off to the consumer for their use. You can link these organizations together and build a map showing the full supply chain network. Indeed, this is often done to help planners, engineers, and managers better understand what their exposure is to hiccups in that chain. For other companies, however, this connection to the full breadth of vendors is more difficult to understand. The work is more evanescent as digital transformation makes work between companies seamless.

In a new ISACA white paper, Managing Third-Party Risk, I wanted to help organizations better understand how to build a third-party or vendor risk management program to better manage their cyber risk posture. When the basic building blocks of these vendor risk technologies and processes are in place, it allows other risk disciplines such as operational risk, privacy risk, country risk, etc., to gain a better handle on their loss exposure as well.

The white paper covers topics in the order in which the vendor process would be executed, starting with a discussion around governance and how foundational it is to have vendor roles clarified, procurement procedures locked down (not just anybody should be able to buy services), data sharing agreements solidified, and the collection of metadata secured (which feeds the next part of the assessment).

The main thrust of the paper is how to assess how much cyber risk a particular vendor poses to your organization. This involves triaging all your vendors and sorting them into buckets, with the riskier buckets meaning more evaluation. For those that need it, I discuss a series of artifacts that you should ask for and tests you should run.

I close with a discussion on what to do with that assessment data. I discuss how to threat model vendors and feed that into your risk assessment, and how to improve upon vendor risk evaluations done with a simple heatmap (such as focusing on the economic impact to the organization using cyber risk quantification). The paper ends with a discussion of ongoing monitoring and what to do with vendors exhibiting bad control posture.

I hope you find this white paper helpful in either establishing a new vendor risk management program or improving the maturity of your existing one. As companies continue transforming their operations with digital technologies, it’s inevitable that an organization will share its data (and its customers’ data) with more and more partners. Let’s be sure that the solutions are in place to help protect that data and engender trust in our digital economy by managing that vendor risk well.

About the author: Jack Freund, Ph.D., CISA, CRISC, CISM, is director, risk science for RiskLens, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.

Category: Risk Management Published: 8/28/2019 2:55 PM

Ethics in IT: An Emerging Frontier in the Enterprise Governance of IT

Journal Author Blog Posts - 2019-08-27 02:47:15

Trust. Privacy. Transparency. Three words that have invaded our technology lexicon. In an age of fashionable falsehoods, it is probably not surprising that these words permeate almost any aspect of our lives in technology, in government and even in our organizations. People are concerned that a loss of privacy is touted as the cost of security or better service, and their trust is shaken, driven by the fact that some organizations are not always forthcoming with the truth about their deployment of technology.

Should we care? The European Union (EU) seems to think so, given rigorous legislation such as the General Data Protection Regulation (GDPR), which demands data privacy and security by design for citizens of the EU by organizations that collect and use any data about those citizens.

Countries such as Australia, Brazil, Japan, South Korea and Thailand also seem to see sense in this approach, given the development of their own privacy regulations in alignment with GDPR. So does California, just one of many US states, but one with a gross domestic product (GDP) larger than that of most countries. Some organizations will, however, continue to see such regulation as a burden and a cost, whereas others will see it as a key part of protecting basic human rights.

The World Economic Forum (WEF) finds that computing is already in our clothing and is becoming an integral part of our bodies, with prosthetics already able to send messages back to our brains, thus blurring the line between man and machine. There is also the untold impact quantum computing and nanotechnology will have on us.

As computing sees the convergence of the biological, the physical and the digital, a complexity arises in terms of how it should be governed to protect humans. For example, consider the datafication of children by their parents in a social media age—children are unaware of the extent of the digital footprint they have that can start even before they are born by posting a pregnancy sonar image—which raises a new set of ethics questions.

Ethics concerns doing what is right and, coupled with technology, it is about ensuring that technology is applied for the good of humankind, rather than being about finding new ways to exploit or even enslave it. My recent Journal article aims to explore a little more about the role of ethics in technology, given that computing will undoubtedly impact our lives in ways we cannot yet begin to imagine. In particular, the article argues that ethics (and culture) are as significant to the overall business of IT governance as are any of the other domains of enterprise governance of IT (EGIT).

Read Guy Pearce's recent Journal article:

"Acknowledging Humanity in the Governance of Emerging Technology and Digital Transformation," ISACA Journal, volume 4, 2019.

Category: COBIT-Governance of Enterprise IT Published: 8/26/2019 2:57 PM BlogAuthor: Guy Pearce, CGEIT PostMonth: 8 PostYear: 2019

Improving Cybersecurity Awareness Through Hacking

ISACA Now Blog - 2019-08-24 01:51:46

Cybersecurity awareness is a topic that most organizations and leaders know is important, but is typically treated as a check box requirement to remain compliant with regulations or mandates placed on the enterprise. Most leaders will argue that cybersecurity awareness training is very important but only marginally effective.

To be honest, how effective is most cybersecurity awareness training? The standard requirement that each individual complete mandatory training every year looks good on paper, but doesn’t provide the needed impact in order to make a difference and increase the security awareness of the users in an organization. For example, most people who are required to go through annual security awareness training for the US Department of Defense likely have half of the answers memorized for the mandatory computer-based training. In fact, many people let the videos play while they do other work and then simply bounce back to the training when it is time to answer questions and advance to the next section.

Enterprises can’t expect that providing training when an employee is hired and refresher courses once a year will arm the employees with the knowledge and understanding to not fall prey to cybercriminal attacks. In fact, the cybercriminals have all seen the required security awareness training modules and have a blueprint of what “not” to do. Cybercriminals are always looking for new ways to infiltrate and attack organizations. So why not think like the enemy and create a cybersecurity awareness training program that resembles what the real cybercriminals will do?

Everything from the marketing of the cybersecurity awareness program to the actual training itself needs to be rebranded, constantly updated and customized to the target audience. Cybersecurity awareness training needs to change and adapt as quickly as the cybercriminals change their attack methods. This means continual training based on the latest trends and attack vectors that are constantly evolving. The most important attribute of a successful cybersecurity awareness program is the effectiveness of the training. To drive up effectiveness, the training must be relevant and retain the attention of participants.

What better way to engage your employees than to include them as part of the actual training program and its activities? Make the training interactive and personal. Show them how a hacker will attempt to steal their identity, include them in a phishing campaign and entice them with [fake] confidential information through trojans or malicious software.

Consumers of cybersecurity awareness training want to learn how it is applicable to them. They want to know how to lock down privacy on Facebook and other social media applications, how their Home Depot credit card information is easily obtained on the dark web, or what personally identifiable information (PII) of theirs is circulating on the dark web. A majority of end users find hacking fascinating, and they want to learn more about it and how it could impact them. Use that curiosity as a training mechanism. Branding your cyber awareness training as a monthly opportunity to hack your coworker, and then showing them how the cybercriminals are “hacking” the user, will increase awareness and strengthen cybersecurity practices.

I will be presenting more on hacking your coworker to improve cybersecurity awareness at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. I look forward to walking through specific examples and results of the hacking your coworker training across several organizations.

Category: Security Published: 8/26/2019 2:57 PM

Learning to Secure AI

Journal Author Blog Posts - 2019-08-22 22:15:52

The trends appear to be presenting themselves all over the place; TV commercials, online ads, corporate product announcements, etc., are all saying the same thing: Artificial intelligence (AI) adoption and use are exploding. As an information security and assurance professional, I admit that I did not really know much about this emerging technology, so I decided to begin the process of becoming educated on the subject, even if only at an introductory level. I started performing online research to understand the current market size, future growth projections, how to achieve certification and education and, most important, approaches to governing and securing use of AI solutions.

My company presently allocates each employee a modest annual training budget, so I leveraged those funds to select a training provider and begin taking AI classes as I performed my research for my recent Journal article. I gravitated towards edX as their curriculum was 100% free, but also provided certificates after completing courses and quizzes, which is also useful for IT certification continuing professional education (CPE). As I completed my AI edX courses and online research, I wanted to structure my ISACA Journal article in a conversational and informative manner, starting with defining AI and addressing some common misconceptions. From there, I wanted to address market size, projected growth trends and who the players are in the market. I believe this is always important because this information provides important context on what to expect in the near term and long term and which organizations to keep your eye on.

The biggest challenge I encountered was when it came to research and learning how to secure AI solutions. While AI is not new (it has been researched, discussed and developed over the past several decades), it has only become commercially adopted within the past 10 years and is still in its infancy. I did not find a free-to-use, mainstream security framework or set of publications that discussed how to directly approach AI security. Through several online articles and the completion of the introductory edX courses, I managed to Frankenstein the article together, and my hope is that at least 1 reader will learn something valuable that will assist or empower their enterprise in securing the use of AI solutions. My secondary challenge is, if you can write a related article or audit program, please do. It will benefit us all!

Read Adam Kohnke's recent Journal article:

"Preparing for the AI Revolution," ISACA Journal, volume 4, 2019.

Category: Security Published: 8/22/2019 3:00 PM Author: Adam Kohnke, CISA, CISSP

How Cybersecurity Can Better Support Digital Transformation Business Goals

ISACA Now Blog - 2019-08-22 06:44:26

Consumers are demanding we offer outstanding user experiences and technology interfaces, and we need to strategize how we both safeguard and leverage ever-growing portfolios of data and systems to differentiate ourselves from our competitors. Yet, often our cybersecurity programs and business goals seem to be at odds. Digital transformation (DX) strives to provide outstanding customer experience, personalization, convenience, agility, and cost savings. None of these are traits most organizations would ascribe to their cybersecurity team! I offer below some high-level guidance to bring cybersecurity closer to DX goals.

Embed Security Into Your Culture and Processes
Security controls fall into three major categories: people, process, and technology. In many cases, organizations consider technical controls to be the panacea to safeguard assets from attacks. Technology is scalable, configurable, and consistent in its application of rules. Yet technology functions exactly as designed, not as intended, leaving opportunities for exploitation – often within weak processes and human-elected shortcuts supported by your culture.

For culture, look at what your organization rewards. Do good results justify breaking the rules? Can projects and changes push forward without consulting security? If you celebrate the “heroes/fire-fighters” that save the day when incidents occur, do you also reward the teams that develop reliable and secure applications? IT security processes such as patching, privileged access management, API security review and inventory, change management, and adherence to architecture standards are not glamorous, yet breakdowns in these core areas facilitate most incidents.

In addition to IT processes, business processes must support your goals. For example, with self-service being a DX standard for consumers, the business should define “normal” predicted volumes for transactions such as new account openings, profile updates and other measurable key activities so security can program alerts when those thresholds are exceeded. And business teams should be prepared to review those alerts. Perhaps your DX offerings are more successful than anticipated, or perhaps this is a symptom of a well-engineered attack leveraging known business processes.
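The paragraph above describes the pattern in words; the following is an added example (not code from the original post or from ISACA) of how a security team might implement it. It assumes the business has supplied expected hourly volumes per activity and that an application log records one line per transaction; the activity names, numbers, addresses and log lines are all constructed for illustration. Beyond a plain threshold, it also reports how many distinct sources produced the volume, which is the first thing the business reviewer needs in order to tell a successful campaign from an automated abuse of a known process.

```python
"""Threshold alerting on business transaction volumes (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics

# Business-defined expected hourly volumes per activity: (typical, hard ceiling).
# Hypothetical figures; in practice the business process owner supplies them.
EXPECTED_HOURLY = {
    "account_open": (40, 120),
    "profile_update": (200, 500),
}

# Constructed historical hourly counts used to derive a statistical baseline.
HISTORY = {
    "account_open": [35, 42, 38, 45, 40, 37, 44, 39],
    "profile_update": [180, 210, 195, 205, 220, 190, 200, 215],
}


@dataclass
class Alert:
    activity: str
    hour: str
    count: int
    threshold: int
    distinct_sources: int
    reason: str


def constructed_log() -> str:
    """Build a constructed log: one line per transaction, 'timestamp activity source_ip'."""
    lines = []
    # A quiet hour: five profile updates, each from a different address.
    for i in range(5):
        lines.append(f"2019-08-22T13:1{i}:00 profile_update 198.51.100.{i + 1}")
    # A burst: sixty account openings in one hour from only three addresses.
    for i in range(60):
        lines.append(f"2019-08-22T14:{i % 60:02d}:00 account_open 203.0.113.{i % 3 + 1}")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield (hour_bucket, activity, source) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, activity, src = line.split()
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        events.append((hour, activity, src))
    return events


def threshold_for(activity: str) -> int:
    """Alert threshold: statistical baseline (mean + 3 sd) capped by the business ceiling."""
    typical, ceiling = EXPECTED_HOURLY[activity]
    hist = HISTORY.get(activity)
    if hist and len(hist) >= 2:
        stat = statistics.mean(hist) + 3 * statistics.pstdev(hist)
    else:
        stat = typical * 2  # no history yet: fall back to a generous multiple of "typical"
    return int(min(stat, ceiling))


def detect(events):
    """Count transactions per (hour, activity) and raise an Alert where the threshold is exceeded."""
    counts = Counter()
    sources = defaultdict(set)
    for hour, activity, src in events:
        if activity not in EXPECTED_HOURLY:
            continue  # no business-defined baseline for this activity: nothing to compare against
        counts[(hour, activity)] += 1
        sources[(hour, activity)].add(src)

    alerts = []
    for (hour, activity), n in sorted(counts.items()):
        limit = threshold_for(activity)
        if n > limit:
            distinct = len(sources[(hour, activity)])
            # Many transactions from few sources suggests automation rather than organic demand.
            if distinct * 5 < n:
                reason = "few sources: review as possible automated abuse of the process"
            else:
                reason = "broad source spread: may be organic demand, confirm with the business"
            alerts.append(Alert(activity, hour, n, limit, distinct, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(constructed_log())):
        print(f"{a.hour} {a.activity}: {a.count} > {a.threshold} "
              f"from {a.distinct_sources} source(s); {a.reason}")
```

Only the quiet hour stays silent; the burst of account openings trips the baseline and is flagged for the business review the article calls for, with the source-concentration note attached so the reviewer does not have to re-query the log to form a first opinion.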

Enable Agility by Clarifying Risk Classification and Tolerance for the Entire Organization
If you asked three different groups – let’s say Sales, Customer Support, and Security – to assess the same scenario that contains some level of risk, you would likely receive three different risk classification levels. In all probability, your security team will classify it as “high risk.” Except for organizations that regularly deal with life safety, very few have well-defined matrices of what constitutes medium versus high risk. Almost all leverage vague qualifiers, such as material versus serious or severe harm. We need clear monetary amounts and thresholds – fatalities, volume of records exposed or corrupted, existing or new customers lost, etc. – to guide consistent risk classification and decisions.

Two of my favorite questions to ask when assessing the risk of a new initiative are:

  • What are we doing today, versus what you’re proposing?
  • What’s the risk if we don’t move forward with this?

Answers to both of these questions help set perspective for potential losses associated with missed opportunities as well as improved (not perfect!) security controls that may be gained over status quo. These questions, along with your other initial security risk evaluation questions, help form a consistent process for your business triage of where to allocate finite resources and time. If the risk level doesn’t rise to a defined threshold, then business can proceed without further security consultation. In other words, this is a “good risk” that falls within defined risk acceptance thresholds – let it run. 

Include Detection and Response Capabilities in Your Security Strategy
One of the biggest strategy errors in security is to overspend on prevention mechanisms to the detriment of detection and response capabilities. Similar to the risk determination above to triage where to allocate your security team’s finite time and resources, you need to spend your security budget where it provides the most value. There is no foolproof method to prevent undesired access into your systems – new exploits will always be created. In every breach case I’ve researched, there were multiple opportunities to identify and contain an event once inside, yet multiple breakdowns in processes and culture enabled the intrusion (or error) to progress into a larger impact. Your detection and response plans should be ready for any significant event, regardless of the entry vector.

Further complicating detection and response readiness is the complexity of shared security models within the multiple X-aaS implementations that comprise most “Cloud First” strategies. Even if you can detect anomalous activity now within your on-premises services, once you migrate them into a hosted infrastructure, platform, or software environment, will those alerts function in the same way? If you receive an alert, who has the responsibility and access to make any required changes to contain and minimize further impact – and within what timeframe? Make sure your vendors have the capability and customer service mindset to partner through detection and response, and include relevant Service Level Agreements (SLAs) within your contracts. Finally, maintain an inventory of hosting agreements, RACI charts, SLAs, and contacts to streamline decisions and assign actions during events.

In our world of DX, the cybersecurity function becomes both a provider and consumer of customer experience, personalization, convenience, agility, and cost savings to support business goals. Is your team ready?

Category: Security Published: 8/22/2019 3:00 PM

Exploring COBIT 2019’s Value for Auditors

ISACA Now Blog - 2019-08-21 03:14:46

COBIT 2019 is a terrific resource for a wide range of business technology professionals. In ISACA's 19 September 2019 Professional Guidance webinar (free registration), “COBIT 2019 – Highly Relevant for Auditors,” we will focus on assurance professionals and the benefits they can obtain from COBIT 2019.

For that purpose, we will first quickly revisit the key COBIT 2019 concepts. We will then discuss the features of COBIT 2019 that are most relevant for auditors, such as the design factors and design guide, the governance and management objectives, and the new process capability scheme.

The design factors and design guide are intended to design a governance system, which prioritizes the 40 governance and management objectives and helps determine which focus area guidance is to be used. When assurance professionals have to develop their audit plans, they usually take a risk-based approach that considers enterprise objectives. This is exactly how the design factors can and should be used by assurance professionals to prioritize their audit plans. The goals cascade, risk scenarios, current IT issues and other elements are included as design factors.

The governance and management objectives, process practices and activities are, in essence, equivalent in language, concept and level of abstraction to control objectives and control practices, and therefore can be used to develop audit programs and serve as suitable criteria for audit assignments. The process activities can also be used to develop detailed assurance steps.

COBIT 2019 contains a new process capability assessment scheme as part of its performance management guidance. The new scheme is based on CMMI and assigns capability levels to each process activity. The relevance for assurance professionals is twofold: based on the audit plan where governance and management objectives are prioritized, one can define target capability levels for the process component of each governance and management objective in scope of the assurance engagements, thus defining which process practices and activities will be in scope of the audit programs. Closely related, assurance professionals can use the capability levels to report process performance in their assurance engagements.

In addition to the above, assurance professionals should consider the non-process components of governance and management objectives when building their audit universes, plans and programs. COBIT 2019 indicates that not only are processes important governance components, but that organizational structures, culture and behaviors, information streams, skills and behaviors are important. For that reason, we encourage assurance professionals to consider them when conducting their engagements. The current COBIT 2019 performance management guidance does not yet fully support these other types of components – initial guidance for organizational structures and information quality is included in COBIT 2019, while guidance for other components is yet to come.

I look forward to this webinar further demonstrating the relevance of COBIT 2019 for assurance professionals and look forward to hearing your questions and suggestions for further guidance.

Category: COBIT-Governance of Enterprise IT Published: 8/21/2019 3:00 PM

The Role of Ethics in Risk Management

Journal Author Blog Posts - 2019-08-20 05:22:38

Most people are aware of and talking about risk management. However, barring a handful of high-profile and sophisticated IT organizations, for most enterprises, it is more talk vs. the actual implementation of risk management practices. It is a no-brainer that everything in IT should have active risk management practice embedded into it. When done correctly, it ensures service quality and lowers the risk of outages. While authoring my recent ISACA Journal article, “Rethinking Risk: A New Ethics of Enterprise IT,” I conducted an Internet search of “Ethics in IT” to see if it is an issue and to learn whether ethics issues in IT are reported. I only got a few hits and realized that it appears that ethical behavior in IT is neither measured nor reported, except that the “people” factor kept popping up, especially in terms such as “people are our most important asset” and “our people innovate and are best.” However, in my opinion, people are unpredictable and susceptible to political-management pressures, and us-vs.-them and an I/we-have-the-best-solution mind-sets. All these factors do not go well with the overall purpose of IT and are detrimental to our dependency on IT services, which are embedded into our lives. Therefore, there is a need for ethical behavior of IT professionals, and it should be part of overall governance and risk management practices. Also, in my personal observation, people follow processes out of fear or fear of non-compliance, and there might be an opportunity for them to believe in the process or control vs. seeing it as a nuisance.

Depending on which industry one is in, a service issue can be as catastrophic as loss of business or loss of lives. Whenever a catastrophic event occurs, organizations go through lessons learned and perhaps find a technology fix but rarely ever fix behavior.

It would be beneficial if management/consultants/auditors started observing trends in behavior. In my opinion, the only way this can happen is by having an unbiased view of how things are being done. This unbiased view should be insulated from departmental politics and management/executive pressure. I would encourage open dialogue when it comes to ethical behavior risk to processes such as change management, incident management, problem management and architectural-design decisions, not to mention my favorite, bending to vendor/technology pressures. I know this is easier said than done unless management is willing to change itself—hence this process must start at the Risk IT principle “Establish Tone at the Top and Accountability."

Read Rajesh Srivastava's recent Journal article:

"Rethinking Risk: A New Ethics of Enterprise IT," ISACA Journal, volume 4, 2019.

Category: Risk Management Published: 8/19/2019 4:28 PM Author: Rajesh Srivastava, CISA, CGEIT, ISO 20000, ITIL Expert, PMP

Five Ways to Identify Early Leadership Opportunities as a Young Professional

ISACA Now Blog - 2019-08-20 04:03:58

It has been said that leadership cannot be learned and that it is an innate ability. While that may be true to a degree, there are steps young professionals can take to hone their innate leadership abilities through experience early in their careers. If you are seeking to be seen as a potential leader, or wondering how to attain future leadership positions at your company or organization, here are a few steps you can take to put yourself on the right path.

1. Grow Your Network to Grow Your Potential Leadership Opportunities
While leadership opportunities available to you may appear to be narrow based on your limited experience or conversely may seem endless if you are at a large organization or school, use your creativity to uncover the right leadership opportunities for you. Consider expanding your network and looking for leadership opportunities by joining and becoming active in student or professional groups, industry organizations, nonprofits, or even community groups that fit your interests. You can grow as a leader while also giving back to your company, organization and community.

2. Connect with Leaders You Admire
Look around your life and workplace for leaders you want to learn from and boldly ask them to serve as your mentors or sponsors. Take time to meet with them regularly – it can be 30 minutes once a month over a cup of coffee. Prepare in advance for your conversations so you can make the most of your time and theirs. Ask specific questions to obtain their advice from their own experience. You do not know if you do not ask – they were once in the same position that you are. They may also be able to provide ideas for leadership opportunities that could be a good fit for your skills and interests as they get to know you better. You do not have to forge a path to leadership alone – look to leaders in your reach and expand your circle as you navigate your own path to leadership.

3. Learn the Difference Between a Mentor and a Sponsor – and Seek Both
Large companies may have a formal mentorship program that matches you with a mentor, but this is certainly not mandatory for mentorship. Mentoring can take many forms – it can be informal or formal, it can last a season or the length of a career, it can be strictly professional or evolve into a friendship. Both mentors and sponsors can support your career growth – while a mentor serves as an advisor and sounding board, a sponsor serves as an advocate. A sponsor can help open doors for you to leadership opportunities both inside and outside your company. Both types of relationships can be utilized to grow your leadership skills and opportunities – and can also serve as a growth opportunity for your mentors and sponsors.

4. Know Your Strengths, Weaknesses and How They Both Can Be Opportunities for Growth
Some leaders are powerful persuaders and others are influential speakers, while the best leaders possess both skills. You may already be well aware of your strengths or need some assistance in articulating them. Either way, it is prudent to do an assessment of your strengths to determine what kind of leadership role is right for you. Having an unbiased perspective of your strengths and weaknesses (which can also be considered areas for growth) can be useful to tell the story of who you are as a potential leader. Ask your peers, managers, mentors and friends to validate your strengths. They may help you see past your blind spots and uncover leadership skills you did not realize you had.

5. Determine If/What Leadership is Right for You and Continue to Re-Assess Your Decision
The final piece to figure out is what type of leadership is the right fit for you. You can do this by following these tips and using your experiences to determine your ultimate leadership style goal. You may find leadership fits your personal life but not your professional life or vice versa – or that leadership does not interest you at this point in time. Your goals may change over time as you continue on your career journey, depending on what opportunities present themselves. Remain open to new opportunities that may push you out of your comfort zone and re-assess your decision as you move forward professionally to determine if you are still headed in the right direction.

Editor’s note: For more resources for young professionals, visit

Category: ISACA Published: 9/4/2019 10:21 AM