Leveraging Employee Resource Groups to Build Diverse IT Audit Teams

Journal Author Blog Posts - 2018-11-13 05:02:32

The business case for diversity is well-established. Research studies clearly indicate that diverse and inclusive organizations benefit from increased productivity, enhanced problem solving and heightened levels of employee engagement compared with their more homogeneous peers. But how does an organization successfully attract and retain the best and brightest IT audit talent in an increasingly competitive market? Sure, you could try to compete with the Silicon Valley (California, USA) firms by upgrading your employee perks to include on-site spas, car washes and free gourmet meals. But there is a more effective strategy—one that is often overlooked—and it does not involve offering free frittatas. Employee resource groups (ERGs) can be a very valuable tool to recruit new talent and ensure that existing employees feel welcomed and valued.

Role of ERGs in Employee Recruitment and Retention
ERGs can assist with both recruitment and retention. Employees from diverse backgrounds may be reluctant to join or stay with an organization if nobody “looks like them.” RELX Group has been working to leverage relationships with its African Ancestry Network (AAN) and historically black colleges and universities such as Morehouse College (Atlanta, Georgia, USA), with a goal of expanding its recruiting process for IT audit and other technical positions to diverse candidates. In turn, Morehouse students will gain exposure to RELX professionals who may be able to serve as mentors and provide guidance to students in the technology and IT audit fields.

Dispelling the Myth of ERG Boundaries
Many employees feel that because they are not part of a specific demographic group, an ERG may not embrace them, or that they cannot or should not attend particular events. That is simply not the case. RELX’s AAN, for example, has expansive programming that goes beyond the US observance of Black History Month and is intended to benefit employees at large. The AAN sponsors events on breast cancer awareness, financial planning, project management 101 and how to use LinkedIn effectively to expand and maintain your professional network, among others. As a result, many AAN events are attended by employees who are not of African ancestry.

Our recent Journal article discusses the value of leveraging ERGs as one of several practical strategies for creating and maintaining a diverse and inclusive IT audit team.

Read Asim Fareeduddin and Femi Richards’ recent Journal article:
“Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team,” ISACA Journal, volume 6, 2018.

Category: Audit-Assurance | Published: 11/12/2018 3:13 PM | Authors: Asim Fareeduddin, CISA, CISM, CIPP, CPA; Femi Richards, CCEP, CIPP
Category: ISACA

COBIT 2019 Makes Framework Easier to Understand, Customize

ISACA Now Blog - 2018-11-09 01:41:07

Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.

I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.

1. Sharper clarity. Past iterations of COBIT, most recently COBIT 5, helped practitioners across the world solve countless business challenges and helped their enterprises better manage and govern enterprise IT. There was a lot to like, but that doesn’t mean they were perfect. In COBIT 2019, we have identified areas for improvement to ensure that COBIT users are able to extract even more value from the framework while making the content more accessible and straightforward.

For example, I often was asked to describe the COBIT 5 enablers, and it was difficult for me to succinctly explain, so I started calling them ingredients. We now have transitioned to referring to them as components of a governance system, a much clearer characterization. Throughout the COBIT 2019 publications, the terminology is less academic and more applicable, allowing users to streamline the adoption timeline.

2. New focus areas. I’m enthused about the new focus areas that are set up to organize certain hot governance topics, such as small/medium sized businesses, cybersecurity, digital transformation, cloud computing, privacy and DevOps.

While the COBIT framework has thrived for 20-plus years because it addresses core business principles that are every bit as true now as they were in the 1990s, it nonetheless was important to provide updated guidance pertinent to key drivers of the current technology landscape, and COBIT 2019 takes a big step forward in that regard.

3. New design factors. COBIT 2019 highlights new factors that can influence the design of an enterprise’s governance system and position organizations for success in the use of information and technology. These include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • Enterprise size
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy

These design factors take into account enterprise strategy and allow users to better customize COBIT to a specific organizational structure.

4. Updated goals cascade. The new goals cascade supports the prioritization of governance and management objectives based on enterprise goals. Starting with stakeholder drivers and needs, this model seeks to avoid the frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise. The alignment goals have also been consolidated, reduced, updated and clarified where necessary. These goals are organized using the Balanced Scorecard view and include example metrics to measure the achievement of each goal.

5. Integration between the CMMI maturity model and our current capability model. Performance management is an essential part of a governance and management system. It expresses how well the system and all components of an enterprise work, and how they can be improved up to the required level. As such, it includes concepts and methods such as capability and maturity levels. COBIT 2019 performance management leverages both the current capability model and the CMMI maturity model using the following principles:

  • Simple to understand and use
  • Consistent with and supports the COBIT conceptual model
  • Provides reliable, repeatable and relevant results
  • Flexible
  • Supports different types of assessments

Editor’s note: For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit

Category: COBIT-Governance of Enterprise IT Published: 11/13/2018 7:56 AM

A Career in Artificial Intelligence

Journal Author Blog Posts - 2018-11-08 23:33:56

The amount of data accumulated worldwide by 2020 is predicted to exceed 44 zettabytes (or 44 trillion gigabytes), and the data growth rate is about 1.7 megabytes per second for every human being. To manage and understand it, artificial intelligence (AI) was developed, and its use has been increasing at a rapid rate. We see this in the products that are coming to market.

This new technology is affecting us in many ways:

  • How we live (e.g., digital home assistants such as Apple’s Siri and Amazon’s Alexa)
  • How information is obtained (e.g., sensors, chatbots, automated data searching)
  • How we communicate (e.g., language translation)
  • How we react to security and privacy attacks (e.g., network anomaly detection, fraud detection)
  • How we get around (e.g., driverless vehicles)
  • How we detect and prevent crimes

In my recent Journal article, we look at where the data come from (e.g., sensors, data files, audio and video information), how AI is used, the software technology behind it (e.g., machine learning, virtual agents), the areas of knowledge needed to apply it (e.g., mathematics, computer science principles and techniques, software programming, analytical skills) and where we can get the training (e.g., online, college, universities). Once we have this understanding, we review the current job market, the AI position descriptions (e.g., business intelligence developer, software engineer, data scientist, solution architect) and associated salaries.

The intent of this article is to enlighten the reader about personal AI skills and requirements and additionally to provide guidance on how to go forward with this knowledge if you are interested in becoming someone who molds our future. From the information I have gathered, it has become clear that AI technology can be a benefit to auditors (e.g., when finding internal instances of fraud), aid information security in detecting and responding to cyberattacks, and help privacy professionals look for data breaches.

I encourage you to read the article and share any insights and knowledge you may have on AI as a career path.

Read Larry Wlosinski’s recent Journal article:
“Is Artificial Intelligence a Career Path for You?,” ISACA Journal, volume 6, 2018.

Category: Security | Published: 11/8/2018 3:07 PM | Author: Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP

Building Cyber Resilience Through a Risk-Based Approach

ISACA Now Blog - 2018-11-08 08:13:29

For many organizations to have an effective cyber culture, they must also have a mature cyber culture. A recent cybersecurity culture study conducted by ISACA and CMMI Institute found that only 5 percent of organizations believe no gap exists between their current and desired cybersecurity culture. A full third see a significant gap. That’s why I found it so valuable to sit down with cybersecurity leaders across the public, private and non-profit sectors to have a discussion in the UK last week about cyber maturity, what it means to people and how we can help organizations value being more prepared.

The general consensus at our session, “The Future of Cyber Maturity and Benchmarking,” was that our work must start at the top with the board. We must be speaking in terms the boards will understand and getting boards to value cybersecurity as a business enterprise risk issue that must be managed as such. This hasn’t happened yet to the degree it needs to. The cybersecurity culture study confirms this feedback in that 58 percent of respondents cited a corresponding lack of a clear management plan or KPIs.

Another key word involved in maturity is resilience. No organization is ever completely bulletproof from an attack. The idea is to train and plan thoroughly, ensure that the organization as a whole is as prepared as possible, and if/when an attack happens, is in a position to respond to the attack efficiently and effectively. That’s a resilient organization and the best we can ask for when it comes to cyber crime.

As organizations become more resilient, they must honor the need to effectively manage risk. The risk equation includes workforce readiness, security operations and capability maturity. Your workforce must be thoroughly trained to understand the risk at all levels.

The group was heavily focused on moving away from the old way of managing risk. Risk is not managing compliance or a checklist. It is truly about building resilience through a risk-based approach.

A quality maturity model looks at people, processes and technology, and takes all these elements into consideration. However, the discussion was largely around the workforce readiness and how to motivate people to do what needs to be done. Asking the right questions as technology leaders is a start. Are we doing the right things? Are we doing them well? How can we ensure the board is informed and engaged, and that we are focused on areas of greatest risk?

As technology leaders and assurance professionals, we discussed the need to be ahead of the curve, implementing cybersecurity as a business imperative, rather than waiting for an accident and reacting at that time. An organization must know its risk appetite and its risk posture.

All of this counsel goes for organizations of any size and at all places within the organization. We discussed the importance of supply chains, micro businesses and small and medium enterprises (SMEs) having special considerations as they build capabilities. SMEs do often have a much smaller staff to work with, but the responsibility to manage the risk remains the same, thus making a focused and strategic approach all the more important.

A mature organization is one that has truly examined its risk and understands it from the top down, with buy-in to protect the organization from each and every employee. I look forward to continuing this important discussion.

Category: Risk Management Published: 11/8/2018 3:06 PM

Remembering Tim

ISACA Now Blog - 2018-11-08 01:07:00

Tim Mason, ISACA Chief Experience Officer and SVP, Operations, and a six-year member of ISACA’s executive leadership, passed away unexpectedly on 31 October. As members of ISACA’s professional community, we extend our condolences to Tim’s family.

Tim’s leadership and his commitment to incredible member and customer experiences are the cornerstone of his very successful professional career. What I will recall as his most high-impact contribution to ISACA is Tim’s work with me in 2015 to define our organizational Values as well as our Purpose and Promise, centered on helping practitioners and their enterprises realize the positive potential of technology. Both were unanimously approved by the ISACA Board of Directors, and together with our Values they form the foundation for our ongoing transformation to an organizational culture of ONE. These are not just words on a wall. From this foundation, and driven by Tim’s leadership experience and energy, the ISACA community has benefitted from a wellspring of new capabilities and offerings. These include sophisticated digital marketing and analytics, an accredited training organization program, online learning and webinars, a heightened focus on product management, and a customer experience center, to name only a few. Our members and customers have seen, felt and experienced the incredible difference Tim brought to the workplace, and around the world, every day.

I walked the office floor last week following the announcement of Tim’s passing to comfort our employees during this difficult time. I was struck by many of the comments I heard about Tim, including how he always said hi to everyone he passed in the hallways, his regular check-ins and counseling of staff on their career development, how his sense of humor, sarcastic at times, often helped to get through the most stressful of times, and that “he was the best boss I ever had.” Tim recognized that accomplishing great things not only requires hiring great people, but also supporting and nurturing them.

What I will remember beyond Tim’s professional accomplishments and contributions is the person Tim was outside of work. He had a real love for the outdoors, with a relentless passion for spending time on his Wisconsin farm (where he spent his final days) working the fields, hunting and fly fishing. Tim had an incredible knack for woodworking, and my wife and I will cherish forever a serving tray he made for us for no other reason than “just because.”

Most of all, he was a family man and father. Tim’s wife Brenda was, and will always be, his rock and the love of his life. His children, Nicholas and Caitlyn, were always top of mind, and his stories of what they have accomplished showed how proud he was of them. And then there’s Makenna—his granddaughter, and the apple of his eye. Yes, she had “Papaw” wrapped tightly around her little finger, and the vignettes Tim would share about her quips and antics, with this gleam in his eye, grin on his face, and warmth in his heart will remain with me forever. This was the real Tim.

Dr. Seuss said, “Don’t cry because it’s over, smile because it happened.” Tim, we’re doing a lot of smiling in your memory, and we’re going to miss you a whole lot. Godspeed, my friend.

Editor’s note: Memorial donations in Tim’s honor will benefit the Epilepsy Foundation.

Category: ISACA Published: 11/7/2018 10:33 AM

Faces of ISACA: Kyla Guru

ISACA Now Blog - 2018-11-07 04:16:26

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of members of ISACA’s global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Kyla Guru, a leader in spreading cybersecurity awareness among young people and an active proponent of ISACA’s SheLeadsTech program.

Kyla Guru is in a hurry to make her presence felt in the cybersecurity field.

While many of her fellow teenagers still are figuring out what they want to pursue in college – or if they want to go to college at all – Guru already is spreading cybersecurity awareness as founder of Bits N’Bytes Cybersecurity, which lists as its goal to immerse the youngest members of society in cybersecurity concepts.

“These students need to be able to see the role models in cybersecurity, realize how much potential there is for growth and impact in the industry on a grander scale, and feel empowered about developing the necessary skills, both technical and interpersonal, starting now,” said Guru, a junior at Deerfield High School in suburban Chicago, Illinois, USA. “It’s all about showing them that these roles are not for one type of person, and that there are opportunities, mentors, classes, and resources, to help us catalyze change right now.”

With that type of mindset, it’s no wonder Guru is zooming down the fast track in exploring the cybersecurity field. Guru, whose father, Naganat, is a longtime ISACA member, founded Bits N’ Bytes during her freshman year of high school, and considers the “passion project” a major piece of her identity. She said her interest in cybersecurity grew from conversations with her family around the dinner table, and accelerated when she attended a cybersecurity workshop at Purdue University the summer before she began high school.

“My fascination for these topics quickly turned into a string of past-midnight conversations in the lobby of our dorm, discussing just how much of the Internet is ‘unknown,’ ‘unseen,’ or ‘unheard,’” Guru said. “It is knowing the relevance of these studies, and an urging pull to study the unknown, that continues to fuel my passion for cybersecurity.”

In addition to becoming intrigued by the cybersecurity field generally, Guru also is a proud “steminist” who is interested in addressing the gender gap within the technology workforce. In June, Guru co-directed “GirlCon Chicago,” the city’s first all-female high school tech conference, which included a video message of support from Facebook executive Sheryl Sandberg. In pursuing sponsorship for the conference with ISACA’s Chicago Chapter, she became aware of ISACA’s SheLeadsTech program.

“With ISACA’s support, a network of female leaders from the Chicagoland area, and steady collaboration with their SheLeadsTech program, our all-high school team was able to unite over 180 female students and 50 professionals from around the Midwest in engaging in the future of technology,” Guru said. “ISACA helped ensure that our event was the most rewarding and fulfilling experience for all our attendees.

“One thing I know our team learned from our partnership with ISACA’s energetic team was that you never know what could come out of asking questions with good intention. This was justification for most of the bold moves that went into making GirlCon. Looking forward, I am certain that my collaboration with the SheLeadsTech program has opened many doors to further collaboration, and I look to the program as a support system as I continue my tech journey.”

Beyond high school, Guru intends to study computer science and cybersecurity, in addition to gaining a strong background in business and analytics. By the time Guru’s professional career begins in earnest, there is unlikely to be a client appointment or board meeting capable of fazing her. Her presentation experience includes delivering a TEDx talk titled “Hacking a Solution to Global Cybercrime,” a presentation that allowed her to reach new audiences with her message of how cybersecurity is much more tangible in our lives than many people realize.

“My grander vision for my future is to find myself constantly shape-shifting for new solutions, challenging myself intellectually, and making progressive changes to the dynamics of society that fundamentally impact lives,” Guru said.

Naganat Guru is thrilled to see his daughter share his passion for technology, and said organizations such as ISACA “need the new generation of leaders like Kyla.”

“This is one of the best things that has happened to me and our family,” he said of his daughter’s beyond-her-years contributions in the cybersecurity realm. “I became a CISA in 1998 when Kyla was not even born, but she has achieved so many laurels in the last few years that I cannot probably accomplish in my lifetime. … I may sound biased since I’m her father, but this is true: Kyla is a born leader.”

Category: ISACA Published: 11/7/2018 3:09 PM

Data Security and Access to Voters’ Personal Data by Political Parties: An EU Case Study

ISACA Now Blog - 2018-11-03 03:46:21

Editor’s note: The ISACA Now blog is featuring a series of posts on the topic of election data integrity. ISACA Now previously published a US perspective and UK perspective on the topic. Today, we publish a post from Laszlo Dellei, providing an EU perspective.

Brexit and the 2016 US presidential election showed that microtargeting voters to deliver them certain political messages may gradually alter voters’ decisions. While less publicized, concerns related to election data integrity also exist throughout the EU. The European Parliament has conducted several public hearings on this topic and the Commission is supporting Member States to secure their local and national elections, as well as their citizens’ participation in EU elections.

The Commission recently published a communication on free and fair European elections, which outlines all the efforts made by the institutions to make sure that the upcoming EU elections in 2019 will be held democratically. The EU’s strategy is to combine data protection, cybersecurity, cooperation, transparency, and appropriate sanctions.

For instance, the Commission proposes introducing financial penalties of 5 percent of the annual budget of the European party or political foundation concerned if they infringe the data protection rules in an attempt to influence the outcome of elections to the European Parliament.

Another key aspect of this strategy is the implementation of the General Data Protection Regulation (GDPR), which is equipped to help prevent and address unlawful use of personal data. Therefore, the Commission prepared specific guidance to highlight the data protection obligations of relevance in the electoral context.

In parallel, the Commission published recommendations to enhance the efficient conduct of the 2019 EU elections. Key points are as follows:

  • The EU encourages Member States to establish and support a national elections network to ensure cooperation in connected fields (such as data protection authorities, media regulators, cybersecurity authorities, law enforcement etc.).
  • It is also recommended to encourage and facilitate the transparency of paid online political advertisements and communications.
  • Member States should also take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems used for the organization of elections.
  • Member States are encouraged to set up awareness-raising activities aimed at increasing the transparency of elections and building trust in the electoral processes.

Sources of voter data in Hungary
In my country, Hungary, the relevant regulations and practices may reveal certain risks and problems in this respect. Current rules providing protection of voters’ personal data, especially provisions governing integrity and security of such information, will be revised.

During microtargeting, information may be used to deliver political messages to the recipients. In addition to the name and political preferences of the data subject, the processing of physical or email addresses and mobile phone numbers is necessary for the intended targeting. In this regard, Hungarian legislation provides several opportunities for political parties to access voters’ personal data.

Among the legal sources, information provided to the parties by the election offices is of paramount importance. Candidates and nominating organizations (mostly political parties) may request the names and addresses of voters in the voter register from the relevant electoral office for campaign purposes. The information may be provided by age, gender, or address of the data subjects. Although these data do not contain information on the voters’ political opinion or party affiliation, the data may be used to obtain additional information for the purposes of microtargeting.

Secondly, political parties usually communicate with their supporters via various methods including physical or email addresses, land or mobile phone numbers, etc. The sources of this information may vary. It may be collected from the data subject at a campaign rally or other events organized by the party. Supporters may provide the party with their contact details when – for instance – they sign an initiative for a referendum, or when they support another political action with their signature. During the elections, political parties may also use this data for campaign purposes.

The main risk concerning the processing of personal data of voters by political parties arises from the lack of comprehensive legislation and effective supervision. The current regulation concerning electoral procedure predates the GDPR and the 2016 events (Brexit and the election in the US). Furthermore, there is no specific legislation concerning political campaign activities; only the provisions of the Privacy Act of 2011 had previously been applied. Therefore, the relevant laws do not focus on the possibility of microtargeting and thus the importance of integrity and safety of voters’ personal data.

Given the global events of recent years, the focus on the integrity and security of voters’ personal data will be a priority from a legislative standpoint as well as from the point-of-view of the relevant actors in the EU and around the world. The lack of regulation and effective supervision in this regard may lead to serious consequences that could harm democracy and erode society’s trust in its institutions.

Although the GDPR and the Privacy Act provide for a wider protection for data subjects, and thus for voters, it is necessary to adopt such regulations that define certain technological requirements and other safeguards to prevent misuse and to provide integrity of voters’ data.

Author’s note: Laszlo Dellei is an experienced, certified and internationally recognized InfoSec, Cybersecurity, Security, Privacy and ITSM professional with a multidisciplinary background. Laszlo received his B.S. degree in Information Technology from the Dennis Gabor College and an MBA in Information Management, specialized in Security, from the Metropolitan University. Furthermore, Laszlo proudly holds, among others, the following internationally recognized credentials: C|CISO, CISA, CGEIT, CRISC, ITIL and ISO27001. Laszlo has been working in these disciplines for almost 15 years. As the CEO of Kerubiel Kft, besides management tasks, he also is responsible for high-priority operations in the following domains: Physical Security, Environmental Security, Cyber and Information Security. Laszlo also is a registered and active security expert of the European Commission. Furthermore, he is a member of the Hungarian Chamber of Judicial Experts, a Gold Member of ISACA, a member of the EC-Council, and a member of the John von Neumann Computer Society.

Category: Risk Management Published: 11/5/2018 3:01 PM

Remembrances Pour in for Tim Mason

ISACA Now Blog - 2018-11-03 03:35:29

The loss of Tim Mason, ISACA Chief Experience Officer and SVP, Operations, who unexpectedly passed away this week at age 59, has prompted an outpouring of love, respect and admiration for Tim from staff colleagues and throughout the professional community.

Here is a sampling of some of the comments we have received about Tim and his ISACA legacy:

From Robb Micek, ISACA Senior Vice President, Shared Services and CFO:
“One thing Tim and I used to tease each other about was the ‘traditional’ love/hate relationship between organizational leaders of Marketing and Finance. Tim would tell me stories of the many challenges he would have with CFOs prior to joining ISACA regarding funding for his marketing programs. Those stories would often start with him saying to me, “You know, bud ...,” and then he would retell the story. While there were several times where we did not have the financial resources for all the things the ISACA Marketing and Communications team wanted to do, Tim and I developed a strong partnership in part because he knew I understood the value of investment in those functions and would try to work together to figure out creative ways to “get to yes” when we could. … I feel incredibly lucky to have had Tim as one of my closest friends. I still cannot believe I am not going to have the opportunity to talk to him, share advice and ideas, trade anecdotes about the most important things in our lives – our families.”

From Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, past board director of ISACA, chair of ISACA’s Women’s Leadership Council and director of information security and IT assurance at BRM Holdich:
“When my husband, James, was recovering from cancer and it was clear that he wasn’t well, Tim showed him such thoughtfulness, including staying with James one night when he wasn’t up for making it out to the restaurant. That sort of kindness is never forgotten. Tim also had a terrific sense of humor, and teased that he could sense I was about to make a big statement in the boardroom whenever I clicked my pen. Tim will be sorely missed.”

From Ken Kujundjic, ISACA Senior Vice President, EBD and Managing Director, Mainland China:
“Like many of us, I am having a hard time processing this news. Tim was a respected figure not only at ISACA but in the association industry. During my time at ISACA, Tim and I worked closely on many initiatives and we traveled together on many business trips. I could share any one of his many accomplishments during his time at ISACA, but I would rather like to remember his dry sense of humor. Tim could find humor in just about anything and had the ability to see the bright side of things. I will miss Tim as a valued colleague but more importantly as a friend.”

From Kristen Kessinger, ISACA Senior Manager, Media Relations:
“I had the opportunity to report directly to Tim for several months, and got to know him much better as a person during that time. I once told him that he made me nervous at first, but once I saw him melt into a puddle at the mention of his granddaughter, he no longer had the ability to be intimidating! He was so encouraging of my career and professional advancement, and he was determined to make me a more confident person. I saved a bunch of emails he sent to me while serving as my mentor, and I am so glad to have those memories of his good advice and kind words. In my most recent interaction with Tim, he called me over to look at a new video of (his granddaughter) Makenna driving his tractor. He was so excited, and his whole face was lit up. She is going to have a very proud guardian angel for the rest of her life.”

From Marie Gilbert, ISACA Director, Consumer Insights and Market Planning:
“Tim loved brand research and he loved cool research techniques. He latched on to the term ‘Euclidean distances’ when we started the market monitor brand mapping. I can hear him saying it and see him smiling. I will miss him terribly.”

Editor’s note: To find out more about ISACA’s Purpose and Promise that Tim set in motion, view this video.

Category: ISACA Published: 11/2/2018 1:57 PM
Category: ISACA

Understanding Big Data and Machine Learning Projects

ISACA Now Blog - 31 October 2018 01:46:19

Big data and machine learning have rocketed to the top of the corporate agenda. Executives look with admiration at how Google, Amazon and others have eclipsed competitors with powerful new business models derived from an ability to exploit data. They also see that big data is attracting serious investment from technology leaders such as IBM and Hewlett-Packard. Meanwhile, the tide of private-equity and venture-capital investment in big data continues to swell.

AI/machine learning also continued to rise toward the top of the technologies considered to have the highest potential to deliver transformative value to organizations. It placed second in ISACA’s 2018 Digital Transformation Barometer, but the gap to big data narrowed from 18 points in 2017 to just 3 points in 2018. As the perceived value of AI increases, so does the proportion of organizations planning to deploy it, up 35 percent over the 2017 report.

What audit, risk, assurance and security practitioners and executives should know about big data and machine learning projects
Perhaps you have heard about a new algorithm that can drive a car, invent a recipe, detect fraud, or scan a picture and find your face in a crowd. Every week, it seems, companies discover new uses for algorithms that adapt as they encounter new data. Machine learning has tremendous potential to transform companies, but in practice it is usually far more mundane than robot drivers and chefs. Think of it simply as a branch of statistics, designed for a world of big data. Executives who want to get the most out of their companies’ data should understand:

  • What it is
  • What it can do
  • What to watch out for when using it

The enormous scale of data available to firms poses several challenges. Big data may require advanced software and hardware to handle and store it, but the harder problem is analytical: the analysis itself must adapt to the size and shape of the dataset. Big data is not just long (many records) but wide as well (many variables per record), and the more variables there are to search through, the easier it becomes to find patterns that hold in the data at hand and nowhere else.
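To make the “wide” point concrete, here is an added example (mine, not code from the original post or from ISACA). It mines a constructed, purely random dataset of 50 rows and 2,000 variables for the single variable that best “predicts” an equally random label, then scores that variable on fresh rows. The row and column counts, the seed and the one-variable rule are assumptions chosen for the demo; there is no real signal anywhere in the data, so any “discovery” is spurious by construction.

```python
"""Added example: spurious findings in wide data.

With far more candidate variables than rows, some variable will match the
labels well on the training rows by pure chance. The apparent signal vanishes
on rows the search never saw. All data here is constructed random noise.
"""
import random


def make_dataset(rng, n_rows, n_features):
    """Constructed data: every feature value and every label is an independent
    fair coin flip, so no feature carries any real information about the label."""
    X = [[rng.getrandbits(1) for _ in range(n_features)] for _ in range(n_rows)]
    y = [rng.getrandbits(1) for _ in range(n_rows)]
    return X, y


def feature_accuracy(X, y, j, flip):
    """Accuracy of the one-variable rule 'label = feature j' (negated if flip=1)."""
    hits = sum(1 for row, label in zip(X, y) if (row[j] ^ flip) == label)
    return hits / len(y)


def best_feature(X, y):
    """Exhaustive search over every single-feature rule: the step an analyst
    takes when mining a wide dataset for 'the variable that predicts the outcome'."""
    n_features = len(X[0])
    acc, j, flip = max(
        (feature_accuracy(X, y, j, flip), j, flip)
        for j in range(n_features)
        for flip in (0, 1)
    )
    return j, flip, acc


def run_experiment(seed=0, n_train=50, n_test=400, n_features=2000):
    """Search the training rows for the best-looking variable, then score that
    same rule on a holdout set drawn from the same (pure-noise) distribution."""
    rng = random.Random(seed)
    X_train, y_train = make_dataset(rng, n_train, n_features)
    j, flip, train_acc = best_feature(X_train, y_train)
    X_test, y_test = make_dataset(rng, n_test, n_features)
    holdout_acc = feature_accuracy(X_test, y_test, j, flip)
    return {"feature": j, "train_accuracy": train_acc, "holdout_accuracy": holdout_acc}


if __name__ == "__main__":
    r = run_experiment()
    print(f"best variable #{r['feature']}: train accuracy {r['train_accuracy']:.2f}, "
          f"holdout accuracy {r['holdout_accuracy']:.2f}")
```

Run it and the best-looking variable scores well above chance on the 50 training rows and falls back to chance on the 400 holdout rows. The search did nothing wrong; it simply had thousands of chances to get lucky. That is why the “long” toolkit (fit a model, report training fit) is not enough for “wide” data, and why an auditor reviewing a machine learning project should ask how many hypotheses were tried and whether the reported result survived data the search never touched.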

Big data projects versus traditional IT projects
“90% of the effort in successful machine learning is not about the algorithm or the model or the learning. It’s about the logistics.”
From Machine Learning Logistics by Dunning and Friedman (O’Reilly, 2017)

Logistics are not the only issue that matters for success. Connecting AI and machine learning projects to real business value is of huge importance. The social and cultural structures of your organization make a big difference, as well.

The following table contrasts big data projects with traditional IT projects, using COBIT 5 components (the five principles, the seven enablers, trigger events, pain points and the seven phases of program management in the life cycle model) as the lens.

Big data projects versus traditional IT projects

Trigger events (typical projects)
  Big data projects:
    • Develop a new shared understanding of customers’ needs and behaviors
    • Predict future growth markets
  Traditional IT projects:
    • Install an ERP system
    • Automate a claims-handling process
    • Optimize supply chain performance

Objectives (pain points addressed)
  Big data projects:
    • Change how employees think about the use of data
    • Challenge the assumptions and biases employees bring to decision-making
    • Use new insights to serve customers better, build new businesses and predict outcomes
  Traditional IT projects:
    • Improve efficiency
    • Lower costs
    • Increase productivity

Life cycle (how the work proceeds)
  Big data projects:
    • Develop theories
    • Build hypotheses
    • Identify relevant data
    • Conduct experiments
    • Refine hypotheses in response to findings
    • Repeat the process
  Traditional IT projects:
    • Define desired outcomes
    • Redesign work processes
    • Specify technology needs
    • Develop detailed plans to deploy IT
    • Manage organizational change and train users
    • Implement plans

Enablers (people involved)
  Big data projects:
    • IT professionals with engineering, computer science and math backgrounds (in some cases)
    • People who know the business
    • Data scientists
    • Cognitive and behavioral scientists
  Traditional IT projects:
    • IT professionals with engineering, computer science and math backgrounds
    • People who know the business

Measure of success
  Big data projects:
    • Employees base decisions on data and evidence
    • Employees use data to generate new insights in new contexts
  Traditional IT projects:
    • Project comes in on time, to plan and within budget
    • Project achieves the desired process change

In conclusion, big data and machine learning projects involve new technology and new development approaches, and are inherently risky. If you are doing significant data exploration or discovery with big data, you will occasionally fail, which is not a problem as long as you learn from the failures. Big data and machine learning projects are still more like R&D than production applications.

Category: COBIT-Governance of Enterprise IT Published: 10/31/2018 2:59 PM

The Outlook for Auditors and Infosec Professionals in the Fourth Industrial Revolution

ISACA Now Blog - 26 October 2018 07:04:06

The Future of Jobs Report 2018, published by the World Economic Forum, presents a well-researched reading with a thorough and comprehensive coverage of global industries and regions. The essence of the report can be captured in the preface by Klaus Schwab, founder and executive chairman, World Economic Forum, which states “Catalysing positive outcomes and a future of good work for all will require bold leadership and an entrepreneurial spirit from businesses and governments, as well as an agile mindset of lifelong learning from employees.”

It was Peter Drucker who said in a 1992 essay for Harvard Business Review that “In a matter of decades, society altogether rearranges itself – its worldview, its basic values, its social and political structures, its arts, its key institutions. Fifty years later a new world exists. And the people born into that world cannot even imagine the world in which their grandparents lived and into which their own parents were born. Our age is such a period of transformation.”

The transformative society, often called a knowledge society, has now moved past its initial technological innovations and is traversing the digital expressway. A full cycle of change no longer requires 50 years, but just five.

The report, which addresses a Fourth Industrial Revolution taking place from 2018-2022, puts forth succinctly that the impending transformations, if managed well, can lead to good work, good jobs and improved quality of life, or otherwise can result in widening skill gaps, greater inequality and broader polarization.

The key points are as follows:

  • Four specific technological advances – ubiquitous high-speed mobile internet; artificial intelligence; widespread adoption of big data analytics; and cloud technology – are set to dominate the 2018–2022 period as drivers positively affecting business growth.
  • Significant change is at hand in the composition of value chains and the geographical base of operations.
  • Many specific human tasks can be automated by 2022.
  • Demand for traditional skills will diminish, creating demand for new skills such as those of data analysts and scientists, software and application developers, and specialists in e-commerce, social media, machine learning, big data, process automation, information security analysis, human-machine interaction, robotics engineering and blockchain. Also on the list are distinctly human roles such as training, organizational development and innovation managers.
  • Companies prefer to hire new permanent staff with relevant skills, so existing employees should adopt a mindset of lifelong learning, knowledge acquisition and re-skilling.
  • Policymakers, regulators and educators will need to play a fundamental role in helping those who are displaced to repurpose their skills or retrain to acquire new skills.

While this report contains a wealth of valuable information, let us analyze how it impacts the fields of specific interest to ISACA’s professional community.

The report identifies an increase in cyber threats as one of several trends set to negatively impact business growth up to 2022, and increasing adoption of new technology such as big data, mobile internet, artificial intelligence and cloud technology as among the trends set to positively impact it. Both trends point the same way for the cybersecurity profession: each new technology widens the attack surface and brings its own threats, so the demand for cybersecurity professionals will only grow.

The report also identifies stable roles, new roles and redundant roles, in which information security analysts are in both stable and new roles, which is very heartening and as expected.

Auditors are listed under redundant roles, probably because artificial intelligence is expected to take over routine auditing and assessment decisions. That is true to some extent, but auditing as a profession will not disappear: newer technologies will keep introducing new threats and loopholes that trained auditors must find and close. Auditing techniques will certainly evolve under AI, but the work cannot be fully delegated to robots or completely automated. Automated checks only test for what they were built to test for, and the people who design, operate and attack these systems remain unpredictable, so someone still has to judge whether the automated checks themselves are sound. Human auditors are here to stay.

ISACA and the AICPA should continue to develop and evolve newer standards on auditing to render assurance services for the enterprises advancing technologies as part of the Fourth Industrial Revolution.

Author’s note: The views expressed in this article are the author’s views and do not represent those of the organization or of the professional bodies to which he is associated.

Category: Audit-Assurance Published: 10/26/2018 3:03 PM

Transparent Use of Personal Data Critical to Election Integrity in UK

ISACA Now Blog - 26 October 2018 03:43:42

Editor’s note: The ISACA Now blog is featuring a series of posts on the topic of election data integrity. ISACA Now previously published a US perspective on the topic. Today, we publish a post from Mike Hughes, providing a UK perspective.

In some ways, the UK has less to worry about when it comes to protecting the integrity of election data and outcomes than some of its international counterparts. The UK election process is well established and proven over many years (centuries, in fact), and UK elections are conducted in a very basic manner. Before an election, voters receive a poll card indicating where they should go to vote. On polling day, voters enter the polling station, give their name and address, and are presented with a ballot paper. They take it into the voting booth, pick up a pencil and put a cross in the box next to their candidate of choice. They then deposit the paper in an opaque ballot box, to be counted once polls close in the evening.

Pretty simple (and old-fashioned). Yet despite the UK’s straightforward election procedures, the Political Studies Association reported in 2016 that the UK rated poorly on election integrity relative to several other established democracies in Western Europe and beyond. More recently, there are strong suspicions that social media has been used to spread false information to manipulate political opinion and, therefore, election results. The Cambridge Analytica data misuse scandal, which has roiled both sides of the Atlantic, is the biggest example, and it is fair to say that election integrity has only become more of a top-of-mind concern in the UK since that 2016 report, especially during the campaigning phase.

Rightfully so, steps are being taken to provide the public greater peace of mind that campaigns and elections are being conducted fairly. In 2017, the Information Commissioner launched a formal inquiry into political parties’ use of data analytics to target voters amid concerns that Britons’ privacy was being jeopardized by new campaign tactics. The inquiry has since broadened and become the largest investigation of its type by any Data Protection Authority, involving social media online platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups. A key strand of the investigation centers on the link between Cambridge Analytica, its parent company, SCL Elections Limited, and Aggregate IQ, and involves allegations that data, obtained from Facebook, may have been misused by both sides in the UK referendum on membership of the EU, as well as to target voters during the 2016 United States presidential election process.

The investigation remains ongoing, but the Information Commissioner needed to meet her commitment to provide Parliament’s Digital, Culture, Media and Sport Select Committee with an update on the investigation before the summer recess, to inform the committee’s work on its “Fake News” inquiry. A separate report, “Democracy Disrupted? Personal Information and Political Influence”, has been published, covering the policy recommendations arising from the investigation. These include an emphasis on the need for political campaigns to use personal data lawfully and transparently.

Social media powers also should draw upon their considerable resources to become part of the solution. Facebook, Google and Twitter have indicated they will ensure that campaigns that pay to place political adverts with them will have to include labels showing who has paid for them. They also say that they plan to publish their own online databases of the political adverts that they have been paid to run. These will include information such as the targeting, actual reach and amount spent on those adverts. These social media giants are aiming to publish their databases in time for the November 2018 mid-term elections in the US, and Facebook has said it aims to publish similar data ahead of the local elections in England and Northern Ireland in May 2019.

All of these considerations are unfolding in an era when the General Data Protection Regulation has trained a bright spotlight on how enterprises are leveraging personal data. As a society, we have come to understand that while the big data era presents many unprecedented opportunities for individuals and organizations, the related privacy, security and ethical implications must be kept at the forefront of our policies and procedures.

As I stated at the start of this article, the UK’s election system is a well-proven, paper-based process that has changed very little over many, many years. One thing is certain: sometime in the not-too-distant future, our paper-based system will disappear and be replaced by a digital system. There will then be a need for a highly trusted digital solution that provides a high level of confidence that the system cannot be tampered with or manipulated. These systems aren’t there yet, but technologies such as blockchain may be the start of the answer. Technology-driven capabilities will continue to evolve, but our commitment to integrity at the polls must remain steadfast.

Category: Risk Management Published: 10/29/2018 3:04 PM

Key Considerations for Assessing GDPR Compliance

ISACA Now Blog - 24 October 2018 02:46:52

The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.

GDPR affects people across the globe. Its scope is wide-ranging: it applies to many global institutions with operations in Europe, and also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. GDPR has also given data regulators more power, backed by severe financial penalties for non-compliance (up to 4 percent of annual global turnover or €20 million, whichever is higher).

A few of the key things to know about GDPR are:

  • The regulation governs how institutions collect, record, use, disclose, store, alter, disseminate, and process the personal data of individuals in the EU.
  • If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, the supervisory authority must be notified within 72 hours of the organization becoming aware of it, and the affected individuals must be told without undue delay when that risk is high.
  • It governs the rights of data subjects, including rights to access, rectification, erasure, restriction of processing, data portability, and rights in relation to automated decision-making and profiling.

How do I assess my GDPR compliance?
All of these are reasons for institutions to ensure that the proper governance and tactical steps are taken to comply with GDPR. ISACA’s GDPR Audit Program Bundle helps by giving institutions a guide for assessing, validating and reinforcing compliance with the obligations GDPR imposes. The audit program provides enterprises with a baseline covering several key areas and their sub-processes, spanning all key components of GDPR, including:

  • Data governance
  • Acquiring, identifying and classifying personal data
  • Managing personal data risk
  • Managing personal data security
  • Managing the personal data supply chain
  • Managing incidents and breaches; creating and maintaining awareness
  • Properly organizing a data privacy organization within your institution

Also included are key testing steps, with control category types and frequencies, to help structure the discussion and analysis for your institution. The important thing to remember is that there is no single right way to become GDPR-compliant. What is required is a robust and thorough review of how your institution processes personal data, so that a proper baseline exists against which to assess compliance and run a GDPR compliance program.

Editor’s note: ISACA has addressed both general and particular audit perspectives for GDPR through its new GDPR Audit Program Bundle. Download the audit program bundle here. Access a complimentary white paper, “How To Audit GDPR,” here.

Category: Privacy Published: 10/24/2018 3:03 PM

Concerted Effort Needed to Assure Data Integrity in Electoral Process

ISACA Now Blog - 22 October 2018 22:40:05

The motivations of cybercriminals are as diverse as their forms of attacks. Many cybercriminals are after money, naturally, but plenty of other incentives exist, including the allure of exerting power and influence. Unfortunately, one of the most impactful ways to do so involves tampering with the integrity of elections, a rising concern in the United States and around the world.

While election security is not a new topic, it took on increased prominence in the US in the aftermath of the 2016 presidential election and has surfaced again in the build-up to November’s midterm elections. Although allegations of nation-state interference in the US election process have commanded much of the media attention, protecting the overall data integrity of elections is a much broader issue than any attempt by a nation-state to influence a particular election cycle or campaign. Enhancing the reliability of the information systems and technology that assure data integrity in the electoral process will be an ongoing challenge requiring bipartisan attention and support from leaders at all levels of government.

Encouragingly, this challenge is clearly on the radar of US elected officials, with a bill to establish the National Commission on the Cybersecurity of United States Election Systems and the Secure Elections Act among the efforts to drive toward solutions. A recently formed Task Force on Election Security, composed of members of the Homeland Security Committee and House Administration Committee, allowed for members from both committees to interact with election stakeholders, as well as cybersecurity and election infrastructure experts, to analyze the effectiveness of the US election system. The task force produced a final report and future recommendations, with the goal of maintaining free, fair and secure elections.

While the attention on this topic in Washington, D.C., is an important starting point, there must be extensive collaboration between federal agencies and the state officials who are charged with direct oversight of elections. Many state officials face the massive undertaking of securing elections with small IT staffs and few cybersecurity professionals on their teams. Given the high stakes involved and the growing complexities of the threat landscape, election systems require more dedicated resources to ensure the appropriate people, processes and technology are in place to stave off threats to election data integrity, whether intentional or otherwise. The federal government must provide the funding so that states are able to update vulnerable voting machines and modernize their IT infrastructures. Federal funding allowing for the training of election officials and poll workers about cyber risks would be another worthwhile investment. Further, since elections are generally run at the state level, states and federal agencies need to increase coordination to allow for real-time notifications of security breaches and threats. This could also present an opportunity for the government to tap into the capabilities of the private sector to strengthen election security.

Additionally, as the task force recommended, states should conduct post-election audits in order to ensure the election was not compromised, as well as identify and limit future risks. The implementation of post-election audits is an immediate step the government can take to limit future vulnerabilities while also strengthening public trust in the process – an important consideration that should not be overlooked.

One intriguing longer-term idea for election data integrity is blockchain technology. Blockchain is now being embraced by many different sectors and agencies, and was recently piloted in West Virginia for absentee voting ahead of the midterms. What a blockchain offers here is tamper evidence: each block commits to the hash of the previous one, and entries are timestamped and signed, so any alteration of an earlier record is detectable by anyone holding a copy of the chain. That is not the same as being unalterable in every sense. Whoever controls the signing keys or a majority of the validators can still rewrite the record, and the chain says nothing about whether a vote was cast by an eligible voter on an uncompromised device. Used with those limits in mind, a tamper-evident record of this kind could still prove to be a useful step toward detecting manipulation or voting fraud.
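The tamper-evidence property described above, as an added example that is not part of the original post and is not the code of any deployed voting system. It keeps a small tally ledger in which every entry commits to the previous entry’s digest and carries an HMAC-SHA256 tag under a key held by the ledger writer; a production system would use a public-key signature so verifiers need no secret. The key, the precinct records and the timestamps are constructed for the demo. The third scenario shows why the signature matters: an attacker with write access who re-hashes the chain from the edit onward would fool a bare hash chain.

```python
"""Added example: a hash-chained, signed ledger and what it does (and does not) catch."""
import copy
import hashlib
import hmac
import json
import time


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding, so identical content always hashes the same."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Ledger:
    """Append-only log. Each entry commits to the previous entry's digest and
    carries an HMAC tag under the writer's key (assumed held only by the writer)."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, record, timestamp=None):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {
            "index": len(self.entries),
            "timestamp": int(time.time()) if timestamp is None else timestamp,
            "prev": prev,
            "record": record,
        }
        digest = entry_digest(body)
        tag = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        self.entries.append({**body, "digest": digest, "tag": tag})
        return digest


def verify_chain(entries, key):
    """Return the index of the first entry that fails verification, or -1 if the chain is consistent."""
    prev = Ledger.GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("index", "timestamp", "prev", "record")}
        expected_tag = hmac.new(key, e["digest"].encode(), hashlib.sha256).hexdigest()
        if e["index"] != i or e["prev"] != prev:
            return i  # chain broken or entries reordered
        if entry_digest(body) != e["digest"]:
            return i  # content edited after the fact
        if not hmac.compare_digest(expected_tag, e["tag"]):
            return i  # digest recomputed without the key
        prev = e["digest"]
    return -1


def demo():
    key = b"constructed-demo-key"  # constructed for the demo; never hard-code a real key
    ledger = Ledger(key)
    ledger.append({"precinct": "P1", "candidate": "A", "votes": 120}, timestamp=1)
    ledger.append({"precinct": "P1", "candidate": "B", "votes": 98}, timestamp=2)
    ledger.append({"precinct": "P2", "candidate": "A", "votes": 77}, timestamp=3)

    # 1. An untouched copy verifies end to end.
    clean = verify_chain(ledger.entries, key)

    # 2. A quiet edit of a past tally: the stored digest no longer matches the content.
    edited = copy.deepcopy(ledger.entries)
    edited[1]["record"]["votes"] = 198
    edit_detected = verify_chain(edited, key)

    # 3. A smarter attacker with write access re-hashes the chain from the edit
    #    onward. Digests and prev links now agree, but the tags cannot be
    #    regenerated without the key, so the first rewritten entry still fails.
    rechained = copy.deepcopy(ledger.entries)
    rechained[1]["record"]["votes"] = 198
    prev = rechained[0]["digest"]
    for e in rechained[1:]:
        e["prev"] = prev
        e["digest"] = entry_digest({k: e[k] for k in ("index", "timestamp", "prev", "record")})
        prev = e["digest"]
    rechain_detected = verify_chain(rechained, key)

    return {"clean": clean, "edit": edit_detected, "rechain": rechain_detected}


if __name__ == "__main__":
    print(demo())
```

Note what the check proves and what it does not. It detects alteration after the fact; it does not prevent it, and whoever holds the key can rewrite the whole chain consistently, which is why real designs distribute copies and verification. Nothing here establishes that the votes entered were cast by eligible voters, that ballot secrecy was preserved, or that the device that submitted them was free of malware. Those are the questions a post-election audit still has to answer.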

While audit, governance, risk and information/cyber security professionals are charged with many important responsibilities, helping to solidify the data integrity of elections is among the most vital. In the US and around the world, fair and trustworthy elections are an indispensable component of free societies. Losing trust in the outcomes of elections would lead to a level of discord that would have a profoundly destabilizing impact. The events of the past few years have reinforced that protecting the integrity of the electoral system in this new era will require a significant investment in attention and resources. So be it. The alternative, taking our election security for granted, no longer is a viable path.

Category: Risk Management Published: 10/22/2018 3:02 PM

The Path to Improved Cybersecurity Culture

ISACA Now Blog - 19 October 2018 04:42:13

The recent ISACA-CMMI Institute cybersecurity culture research illustrates the accomplishments and gaps that are seen in organizations’ cybersecurity culture. The survey-driven research focuses on culture and continuous improvement, both essential components to a successful cyber risk management program.

In this blog post, I will highlight some of the survey’s findings and then discuss ways you can improve your organization’s cybersecurity culture.

Some positive steps I noticed:

  • 75% of organizations are getting management more involved with cybersecurity culture
  • Most organizations can identify business benefits realized through better cybersecurity
  • 87% think that better cybersecurity would improve profitability or viability

Some gaps:

  • 60% of organizations do not have very successful employee buy-in
  • 42% of firms do not have a cybersecurity culture plan
  • 55% think the CISO owns cybersecurity culture

Achieving a strong cybersecurity culture requires action on many fronts: people, process, technology and outside partners. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that most organizations are getting management more involved. However, it is important that the C-level regularly communicates the importance of security to management and to employees. An annual communication to all employees will not work.

Continuous, incremental improvement is vital. In fact, the root of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and specific elements, like risk management. An effective risk management program is the basis for a good cybersecurity culture.

What factors inhibit continuous improvement of risk management programs (and associated cyber security culture)? Humans can grow but do not accept dire reports of impending disaster – think of Cassandra and the Trojan Horse. Humans may, however, accept incremental adjustments in risk awareness or mitigations. Another reason risk management programs fail to get support is that the CISO is not seen as a “business partner” with other top executives. A promising metric for me was that 87% of respondents believe that better security can lead to better business outcomes. CISOs need to speak in terms of business benefits in order to be a business partner with other CXOs. CISOs also need to build personal relationships with their C-level peers.

Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture. One thing I noticed in the survey is that 55% of respondents think the CISO is responsible for corporate cybersecurity culture and only 6% assign this to HR. I believe that any cultural change must be supported by a partnership involving HR or other “people-focused” centers of influence. Cybersecurity culture is really not different than any other type of culture and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years; there is no need to reinvent the wheel.

One resource for cultural transformation is John Kotter’s eight-step model for transformation. Cultural change is the last step in the transformation process. It is preceded by defining a sense of urgency, forming a powerful coalition and five additional enabling steps. Another model for organizational change is Jay Galbraith’s Star model. He highlights the five functions needed in designing an organization: strategy, structure, processes, rewards and people.

These functions can be utilized to create or transform the security organization and culture that you want in your business.

Category: Security Published: 10/23/2018 3:14 PM

The Beginnings of a New Privacy Framework Through NIST

ISACA Now Blog - 19 October 2018 04:23:07

NIST conducted a workshop on 16 October in Austin, Texas, USA, to discuss plans for a voluntary privacy framework, and attendees had the opportunity to have a robust discussion about what such a framework should entail. The workshop was attended by individuals from industry, academia, and government.

The need for a framework, according to NIST, is because we live in an “increasingly connected and complex environment with cutting-edge technologies such as the Internet of Things and artificial intelligence raising further concerns about an individual’s privacy. A framework that could be used across industries would be valuable in helping organizations identify and manage their privacy risks.” It would also assist an organization in preparing and maintaining a comprehensive privacy plan.

“I think being able to have guidance at a federal level that takes into consideration key other privacy legislation and regulations as well as standards will be important,” said Paula deWitte, computer scientist, author, and privacy attorney. “The comment at the workshop about relentless interoperability of standards and the framework will be key to its usability.”

NIST discussed how the process for creating the privacy framework was largely aligned with how its Cybersecurity Framework was created, with collaboration from the public, and iteratively. NIST envisions the privacy framework as being “developed through an open, transparent process, using common and accessible language, being adaptable to many different organizations, technologies, lifecycle phases, sectors and uses and to serve as a living document.”

“The Cybersecurity Framework is more about critical infrastructure. Privacy is a different beast, and frankly, a bigger lift. We don’t even have a clear definition for privacy. On top of that, privacy is multi-dimensional. One must look at privacy from its impact on the individual, groups, and society,” said deWitte.

“The major elephant in the room identified at the hearing is that we don’t have a grip on what data needs to be protected and where the company’s data is. By that I mean, we don’t fully understand what data must be kept private and we must consider that organizations must be in complete control of data throughout its entire lifecycle including from procuring it, to storing it, to sharing it (as appropriate) to disposing of it,” said Harvey Nusz, Manager, GDPR, and ISACA Houston Chapter President.

With more work to do on the general strategic front, the group determined the overall approach for the framework would be enterprise risk management, a focus both Nusz and deWitte applaud, while offering words of caution.

“I agree that we need to fit the framework into an enterprise risk management approach, but how do we actually define and conduct risk management? Risk management encompasses all types of enterprise risk, so there is the issue of how one defines risk. Is anyone using a good methodology for risk management we can all get behind?” said deWitte.

“Every organization should at a minimum create a risk register,” said Nusz. “That needs to be part of privacy planning.”

The workshop attendees discussed that the risk-based approach represents the reality that privacy has moved beyond a compliance, checklist mentality. It is now a viable business model with data considered an asset. The key is identifying the acceptable level of risk and owning responsibility if something goes wrong.

“This creates legal questions because our laws are written for the physical world, but if my identity is stolen, it can encompass legal issues of including jurisdiction, standing and damages. Who has jurisdiction in the cyber world? Law always lags technology, so all of this has yet to be determined,” said deWitte.

“We have an opportunity to build trust with consumers through the way we handle their privacy,” said Nusz. “I look forward to this challenge and working with NIST to see it recognized.”

Some of the ideas for how to put the framework in practice to improve trust with consumers included: incorporating human-centered research in work done to protect privacy, attempts to de-identify information and be as transparent as possible with the process, as well as leveraging privacy enhancing techniques.

NIST will take the feedback from the hearing and build an initial outline, which it will present at a workshop in early 2019. To stay current on the privacy initiative, please visit the NIST Privacy Framework website.

Category: Privacy Published: 10/19/2018 3:01 PM
Category: ISACA

My Organization’s HIPAA Data Got Hacked: Now What?

ISACA Now Blog - 17 October 2018 03:53:19

You’ve been hacked, and electronic protected health information (ePHI) has been exposed. You have certain compliance requirements, and there are also (intertwined with the needs of compliance) reasonable steps to take to halt the compromise and protect your patients. You may be working with managed service partners who want you to think that everything is fine, but due diligence demands you trust no one and assume the worst (even if you are not yet convinced that ePHI was actually exposed). You must start moving – but what are your first steps? You need to stop the immediate breach, recover your data, follow the law, bolster your security, and consider hiring an incident response company.

Plug the leak.
The highest priority when you get hacked is to make sure that you have successfully blocked access to the intruders. To better understand what has happened (e.g., how broadly data was accessed, the specific methods used by the attackers, their location, etc.), perform a risk assessment. You want to know the time the hack took place and its duration; whether the attack was due to insiders or outsiders; whether someone on your staff is at fault (whether intentionally or not); and whether electronic protected health data was accessed and/or stolen. Incident response firms can potentially help you through this process, as described below.

Get help with data recovery.
HIPAA compliance requires data backup, as indicated by the US Department of Health & Human Services (HHS). Beyond compliance, being able to rapidly restore your ePHI via RAID data recovery and other means matters in its own right, especially given the proliferation of ransomware within healthcare. A strong and credible data recovery company can test how well you can restore your information and verify the integrity of your backups. Data backup stipulations should be part of your contingency plan. Responding to a security event relies on well-constructed contingency and data restoration plans, the steps of which can be implemented most effectively in partnership with a data recovery service.

Follow state and federal law.
You must be aware of which agencies must be contacted in your state and within the federal government. Since the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) and was first enforced in 2013, you are responsible for protecting ePHI whether you are a healthcare covered entity (CE) or a business associate (BA) handling health records for a CE. (See more on that law and the HHS’s Breach Notification Rule below.) You need to contact the Office for Civil Rights (OCR) within the HHS no more than 60 days following the hack. As advised by Mahmood Sher-Jan of ID Experts, be aware that regulators may want to see the individual notification messages you send to patients or users – so ensure that those are compliant, too.

The parameters for notifying agencies and individuals of the incident are set out in the Breach Notification Rule. First, make sure that the rule applies. The HHS specifically states that the only data relevant for notifications is unsecured protected health information (so you are safe if the data is encrypted and the hacker does not have the key). Once you determine that the data accessed was not properly secured, start preparing notifications for individuals, the HHS and – under certain circumstances – the media. If a business associate is breached, it need only notify the relevant covered entity:

HHS – Whenever you experience a hack, you must report it to the Secretary of the HHS through the HHS breach reporting portal. It is important to contact the agency right away when the ePHI of more than 500 people is involved – within 60 days and “without unreasonable delay,” per the agency. When fewer than 500 individuals are affected, you can report annually for the previous year – as long as you do so no more than 60 days into the next year (i.e., by February 29 or March 1).

Individuals – A healthcare organization has to send a notice to anyone affected by the hack by email (if you have a signed authorization to send these notifications to the person electronically) or first-class mail. When a firm does not have current contact details for 10 or more people, it needs to take alternative means to get the word out, either by sending an announcement to the local media (broadcast or print) in areas where the patients or consumers live, or by posting information about the hack on its website homepage within 90 days. A toll-free number should be available and live for at least 90 days so that affected people can learn basic information about the compromise. If fewer than 10 people have outdated contact information, the healthcare company can use a different alternative means of contact, such as telephone or another written format.

Media – Finally, you must contact “prominent” media organizations within areas that are home to 500 or more people whose data was exposed. Just the same as the deadline for contacting the HHS for a larger (500+) hack, you have 60 days maximum to make this contact – and it should happen “without unreasonable delay.”

Covered entity – Business associates do not need to be concerned with the above contact parameters since that aspect is handled by the healthcare firm. However, they do need to notify the covered entity that is involved. Regardless of the number of people whose ePHI is exposed, the BA must get official notice of breach discovery to the covered entity within 60 days.
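The notification thresholds and deadlines listed above, as an added example (not code from the original post): a small planner that turns the facts of a breach into the notices due and their dates. Function and field names are assumptions, the sample breach is constructed, and the 60-day outer limit for individual notice comes from the rule itself rather than from the post.

```python
"""Notification-obligation planner for a HIPAA breach, following the Breach
Notification Rule thresholds described above. Added example, not from the
original post; names are assumptions and all sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

REPORTING_WINDOW = timedelta(days=60)  # "within 60 days" of discovery
SUBSTITUTE_NOTICE_DAYS = 90            # website posting / toll-free line duration


@dataclass
class Breach:
    discovered: date                     # date the breach was discovered
    affected: int                        # individuals whose ePHI was involved
    unsecured: bool                      # False if encrypted and the key was not exposed
    is_business_associate: bool = False  # a BA notifies only the covered entity
    stale_contacts: int = 0              # affected people with out-of-date contact details
    # states/jurisdictions where 500 or more affected individuals live
    jurisdictions_over_500: List[str] = field(default_factory=list)


@dataclass
class Obligation:
    recipient: str
    deadline: date
    how: str


def annual_report_deadline(discovered: date) -> date:
    """Breaches affecting fewer than 500 people may be reported annually, no more
    than 60 days into the following calendar year: 1 March, or 29 February in a
    leap year. Day 1 is 1 January, so day 60 is 1 January plus 59 days."""
    return date(discovered.year + 1, 1, 1) + timedelta(days=59)


def plan_notifications(b: Breach) -> List[Obligation]:
    """Return every notice the post describes for this breach, with its deadline.
    The rule's own 60-day outer limit is applied to individual notice as well."""
    plan: List[Obligation] = []
    if not b.unsecured:
        return plan  # the rule covers only unsecured PHI; nothing to send
    prompt = b.discovered + REPORTING_WINDOW

    if b.is_business_associate:
        plan.append(Obligation("covered entity", prompt,
                               "official notice of breach discovery; the CE handles the rest"))
        return plan

    plan.append(Obligation("individuals", prompt,
                           "email (with signed authorization) or first-class mail"))
    if b.stale_contacts >= 10:
        plan.append(Obligation("substitute notice", prompt,
                               f"local media or homepage posting, plus a toll-free number "
                               f"live for at least {SUBSTITUTE_NOTICE_DAYS} days"))
    elif b.stale_contacts > 0:
        plan.append(Obligation("substitute notice", prompt,
                               "alternative contact such as telephone or another written form"))

    if b.affected >= 500:  # the post's "500+" large-breach case
        plan.append(Obligation("HHS", prompt,
                               "report to the Secretary via the breach portal, without unreasonable delay"))
    else:
        plan.append(Obligation("HHS", annual_report_deadline(b.discovered),
                               "may be submitted in the annual report for the year of discovery"))

    for place in b.jurisdictions_over_500:
        plan.append(Obligation(f"prominent media ({place})", prompt,
                               "notice to prominent media outlets serving the area"))
    return plan


if __name__ == "__main__":
    # Constructed scenario: a covered entity finds a 1,200-record exposure on
    # 17 Oct 2018, 12 contacts are stale, and 800 of those affected live in Texas.
    sample = Breach(date(2018, 10, 17), 1200, True, stale_contacts=12,
                    jurisdictions_over_500=["Texas"])
    for o in plan_notifications(sample):
        print(f"{o.deadline}  {o.recipient:28} {o.how}")
```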

Improve your security to mitigate risks.
When you get hacked, you want to fix the most immediate vulnerability right away. However, some steps to address risk can wait until you have thwarted the intrusion and sent out the notifications required by law. Having assessed the risk in the affected environment (above), perform a comprehensive assessment to reveal any other risks that exist and the security steps you can take to keep the hack from occurring again.

Consider working with an incident response (IR) firm.
When you experience a hack, it is critical to move quickly, and having help is fundamental. So that you take the right steps in the first two hours and the first 24 hours, contract with a company that specializes in incident response – one aspect of which is data recovery. Through that function, IR specialists can help determine the exact data that was accessed and vulnerable to the attacker, which limits the scope and reduces the set of notifications that must be sent. With an IR firm, you do not need to handle any of the above steps on your own, grappling to determine if a bad actor remains within your network or how to reestablish your defenses. You will not have to think about contacting the attorneys that need to be involved, or which staff members can shut down hacked email accounts. You simply put their details in your incident response plan. They can then get to work immediately.

Responding rapidly to a healthcare hack
If your HIPAA data is hacked, you want to be able to move quickly and confidently. Whether you recover from the attack yourself or work with an outside organization, the process involves mitigating the immediate issue, recovering the data, sending notifications, improving security long-term, and considering an IR partnership. One way or another, it is key that you are prepared for these events and ready for fast movement in response so that the attack does not turn into a string of violations and lawsuits.

Category: Security Published: 10/17/2018 3:00 PM

Board Involvement in Digital Strategy and Oversight

Journal Author Blog Posts - 15 October 2018 22:00:45

In light of digital transformation, boards of directors (BoD) often recognize the need for more engagement in digital strategy and oversight. At the same time, many of them are seeking advice on how to realize this type of involvement. Our goal is to enable board members to learn from their peers and translate best practices of other organizations to their own context. To inspire them, we discuss the board IT governance mechanisms that were established at the University of Antwerp (Belgium).

The University of Antwerp: The Context
Like many organizations, the University of Antwerp has become increasingly dependent on IT. No central business forum existed to decide which projects would be executed and which would not, swamping the IT department with requests it could not deliver against. This situation often led to frustration on the business side, a tension that was also reported to and known by some board members. Furthermore, in 2016, a new rector took the helm of the University of Antwerp. The newly appointed rector strongly believes it is the task of the BoD to create a long-term vision, including on IT-related issues.

Two New Governing Structures
A widely acknowledged strategy to increase the involvement of the BoD in IT-related decision-making and control is to enhance its IT expertise. Yet the various board members of the university are elected by different university entities. As a result, little room exists to thoughtfully compose the board on the basis of the university’s needs and to increase its IT expertise. Therefore, the university chose an alternative path, creating 2 committees that assist the board in IT-related decision-making and control (figure 1).

Figure 1—Committees Assisting the Board of Directors

  1. The IT governance committee is responsible for short-term decisions and portfolio management of IT-enabled investments. Its main goal is to manage the IT-enabled investment portfolio more effectively and transparently and make sure it is in line with the overall organizational strategy. However, the aim of the committee is not to go into the technical details, but to discuss the investments from a business perspective. The IT governance committee includes representatives of all university entities, including 4 directors. All other directors are always welcome to join.
  2. The digital strategy think tank’s task is to keep an eye on the impact of technological developments on the university and consider how societal and market challenges could be addressed leveraging technology. The BoD is represented in this committee; that is, the rector and one other board member are included.

Our recent Journal article shows how BoDs can actively engage in the IT debate, even those boards with a limited amount of IT expertise.

Read Steven De Haes, Laura Caluwe, Anant Joshi and Tim Huygh’s recent Journal article:

“How Boards Engage in Digital Strategy and Oversight: The Case of the University of Antwerp,” ISACA Journal, volume 5, 2018.

Category: COBIT-Governance of Enterprise IT Published: 10/15/2018 3:03 PM BlogAuthor: Steven De Haes, Ph.D., Laura Caluwe, Anant Joshi, Ph.D., and Tim Huygh

ISACA’s Inaugural SheLeadsTech™ Day of Advocacy in DC: Congressional Visits Highlight Cyber Education and Workforce Issues

ISACA Now Blog - 12 October 2018 02:49:15

Dozens of women in the SheLeadsTech program attended ISACA’s first fly-in advocacy event in Washington, DC, just a week ago with a plan to bring their voices and views to US Congressional leaders on a host of relevant legislation. After hearing speakers discuss professional development and other issues facing women in technology, delegations visited 12 offices representing California, the District of Columbia, Illinois, Maryland, New York, Pennsylvania and Virginia.

ISACA’s SheLeadsTech program seeks to increase the representation of women in technology leadership roles and the tech workforce through raising awareness, preparing to lead, and building global alliances. For this inaugural advocacy day, SheLeadsTech focused efforts on the NIST Reauthorization Bill, the future of IT audit and the role emerging technologies will play in it, and the need for a qualified federal cybersecurity workforce.

The NIST Reauthorization Bill (H.R. 6229) not only reauthorizes the National Institute of Standards and Technology but also further supports and strengthens NIST’s research and development programs in areas such as cybersecurity, artificial intelligence (AI), the Internet of Things (IoT) and quantum computing. Focusing on emerging technologies could improve the United States’ cybersecurity workforce, as well as foster further development of AI and IoT. The bill also could expand opportunities for women in the cybersecurity workforce, leaders noted.

Other bills of interest to the ISACA community include H.R. 935 – Cyber Security Education and Federal Workforce Enhancement Act, which establishes an Office of Cybersecurity Education and Awareness Branch within the Department of Homeland Security to provide recommendations to enhance the cybersecurity and computer security workforce. The bill specifically requires reporting on the causes of high dropout rates of women and minority students enrolled in science, technology, engineering and math (STEM) programs. Additionally, H.R. 2709/S. 1246 – Women and Minorities in STEM Booster Act takes important steps toward SheLeadsTech’s goal of increasing the representation of women in technology leadership roles and the tech workforce, and H.R. 3137 – Promoting Women in STEM Act provides avenues for SheLeadsTech’s goal of increasing the number of women in STEM career and technical education programs.

Anne Marie Zettlemoyer, cybersecurity strategist and visiting fellow at the National Security Institute, who previously served as a special adviser to the U.S. Secret Service, and Olivia Crowley, who serves in the Army National Reserves and works for a government contractor, both spoke about the importance of security clearances. They noted that obtaining and keeping a clearance can take a long time, which reduces the ability of cyber experts to accept short-term assignments in federal posts. The government needs to partner with private business to offer tours of digital service as a cyber reservist, they suggested.

Zettlemoyer urged the ISACA community and lawmakers to consider the wide reach that a cyber workforce can have. “College isn’t for everyone, but a good living is,” she said. “There are several areas in cybersecurity that don’t require a university degree and can be treated as a trade; providing that opportunity would not only lift our national intelligence and security but also our economy.” She believes that retraining and investing in people whose jobs have diminished are perfect for careers in cybersecurity. “Talent and aptitude are not discriminate, but opportunity often is. We need people to answer the call, and that means looking at non-traditional backgrounds for talent. For example, coal miners are known for their exceptional analytical skills and the ability to problem-solve and react quickly when conditions change in the mine; these analytical skills can translate into triaging alerts with the proper training. Cyber as a trade can offer a high-tech path back into the workforce for them.”

SheLeadsTech advocacy attendee Sanja Kekic, president of the ISACA Belgrade chapter and member of the global SheLeadsTech Chapter Engagement Working Group, was among those inspired by the SheLeadsTech event. She plans to create an advocacy day for her chapter. “Being able to educate members of the Serbian parliament about cybersecurity and the technology workforce, especially under the SheLeadsTech banner, would be an amazing experience for our chapter,” she said.

Category: ISACA Published: 10/11/2018 3:04 PM

ISACA SheLeadsTech™ Day of Advocacy: Inspiring Speakers, Relatable Journeys

ISACA Now Blog - 11 October 2018 06:22:20

“My career journey wasn’t through luck; it was hard work and putting myself in situations where I wasn’t always comfortable,” said SheLeadsTech Advocacy Day keynote speaker DeAndra Jean-Louis, Vice President, Global Services Operations at Workday. Providing insights from positions at IBM, Aon-Hewitt and Arthur Andersen, among others, Jean-Louis said her start as a model, after attaining a mathematics degree from Louisiana State University, spurred her to become a technology leader. “Modeling is a business – you’re an entrepreneur: working hard, working under contracts, building a book of business, building relationships, selling yourself as the product.”

Jean-Louis said she’d been told to “stay in her lane” throughout her education; a guidance counselor had advised her to have more realistic goals even as she wanted to be a doctor. Yet, she wrote down ambitious goals – to one day be a computer programmer, to work as a professional model, and to live in New York City and Europe. These all came true. She is now drafting a new list.

Being told to “stay in your lane” was a common thread with the SheLeadsTech inaugural Day of Advocacy speakers this week in Washington, D.C. Panel moderator and ISACA Women’s Leadership Advisory Council chair Jo Stewart-Rattray shared that her guidance counselor had advised that she join the police force, and she ended up studying psychology and education. Panelist Anna Murray, CEO of tmg-e*media, was an English major with a journalism career, and it wasn’t obvious to her that she would hit her stride in technology. “Younger women don’t understand that if they have communication and analytical skills, they can have successful careers in tech. We need English, economics, and other liberal arts majors.”

In her keynote, Jean-Louis shared a list of things to “always be,” which included: uncomfortable, meaning to always challenge yourself; building your brand and championing yourself; curious; building your ecosystem; making peace with failure and questioning the status quo. Whether in your personal life or while leading a team, acting with intention and clear goals is key to success. “I build strategy maps,” she shared, “that define the objectives for financial, customer, and internal business processes, including the learning and growth of employees. Every time I have an issue, I go back to my strategy map, and look at the resources and operations – you need the right people and the right mechanisms to drive success.”

Engaging young women and girls in technology goes well beyond science, technology, engineering and math (STEM) classes, SheLeadsTech speakers believe. Panelist Pam Nigro, president of the ISACA Chicago chapter, discussed the chapter’s partnership with and sponsorship of Girl Con, which is open to girls from eighth grade through high school. Girl Con’s sessions all demonstrate how tech is a part of every career path you enter; Nigro said that partnering with schools and organizations that teach kids how to be safe online can include education on privacy, cybersecurity, audit, governance and risk management as careers.

The panel’s conversation included a discussion on differing views of mentoring (it was posited that men don’t have mentors, they have champions, and women should try to do the same for other women: invite them to meetings that they wouldn’t attend otherwise, speak highly of their skills and recommend them for positions). Panelist Melody Balcet, director of global cybersecurity program for the AES Corporation, encouraged attendees to remain flexible and accept change. “Where we come from, our cultural norms, shape our career paths. Sometimes we’re forced to make changes – we lose a job, get divorced. Moving and uprooting makes many women uncomfortable, but people and kids are resilient. You can create what is important to you. Seek what makes you the best you.”

ISACA chapters may be planning a SheLeadsTech event soon; join the SheLeadsTech community in Engage to learn more about the program and how your chapter can engage, empower and elevate women in technology. Sign up for the SheLeadsTech newsletter at

Category: ISACA Published: 10/10/2018 4:46 PM

Deployment of Emerging Technology in FinTech

ISACA Now Blog - 10 October 2018 01:58:57

Fighting poverty and achieving a high economic growth rate are two key priorities for developing countries.

Achieving both of these goals relies on financial inclusion. Developing a national digital transformation strategy that focuses on transforming the traditional economy into a digitized economy is the best way to accelerate progress toward this end goal.

The journey to financial inclusion relies on fintechs: disruptors in the financial sector that drive innovative transformation and change the way financial services are delivered, the medium of transactions and the approach to business analysis.

Unlike traditional financial services firms, fintechs are not tied by legacy systems which can delay progress: they can move faster toward new and innovative services by adopting new technologies and redefining standards and expectations within the industry. Fintechs can quickly deploy emerging technologies like blockchain, artificial intelligence and machine learning – technologies that will fundamentally change the world of financial services. PWC UK notes that already “Some large financial institutions are also relying on blockchain for internal transactions between territories, effectively reducing the internal cost of moving money.”

Rapid development in consumer technologies also means customers’ expectations have grown and they now expect a level of personalization and customization which can only be addressed through automation and keeping up with the pace of emerging technologies. Further, these technologies can be used to streamline customer service through the use of chatbots and automated tools. Electronic payments, biometric-enabled authentication and blockchain for digital transactions will all improve security and reduce fraud while increasing customer satisfaction – making them core to new financial services solutions.

Artificial intelligence and machine learning in particular have the ability to improve fraud detection and reduce the need for human oversight by up to 50%. Financial Fraud Action UK (FFA UK) stated this year that fraud costs the UK £2 million every day (according to 2016 figures), and experts expect costs to reach $32 billion yearly on online credit card fraud alone by 2020. Artificial intelligence can play a key part in detecting this fraud and automating the process, reducing occurrences by training detection models with approaches to class imbalance such as oversampling, undersampling and combined methods.

Governments and banks are already seeing the benefits of these emerging technologies. There are two particular examples where their deployment is lowering the cost of financial transactions. In April 2018, the National Bank of Egypt announced that it has joined a large initiative focusing on the research and application of blockchain, with R3. More than 200 banks and international companies have joined this initiative.

By 2021, Dubai will be using blockchain technology for more than 50% of financial transactions, expecting to save 11 billion AED by doing so. When announcing its blockchain strategy, Dubai predicted a 300 million dollar blockchain market across the financial sector, healthcare, transportation, urban planning, smart energy, digital commerce, and tourism.

Emerging technologies readiness
The Emerging Technologies Readiness Survey, published in Egypt during August 2018 by my team, collected the responses of 91 executives from different sectors across technology, banking and fintech. The results show that almost 74% are already using emerging technologies, with almost 29% using big data, 18% machine learning, 17% artificial intelligence, and almost 8% using blockchain.

Figure 1: Emerging Technologies Readiness Survey

The main driver behind adopting emerging technologies was business improvements, with 62% of respondents using emerging technologies citing this.

Figure 2: Emerging Technologies Readiness Survey

Half of respondents said their companies measured the ROI after using these technologies, but a surprising 32% do not measure the ROI and almost 18% were unsure whether their company does or does not.

Figure 3: Emerging Technologies Readiness Survey

Almost 70% of respondents whose companies were yet to adopt emerging technologies in their business stated that they have plans to deploy one or more within the next five years.

Figure 4: Emerging Technologies Readiness Survey

When asked which emerging technologies they were most interested in deploying, almost 34% of respondents said they would consider blockchain, nearly 35% said artificial intelligence, 41% said big data, and nearly 30% said machine learning.

Figure 5: Emerging Technologies Readiness Survey

Embracing emerging technologies for financial inclusion in developing countries
It is clear that emerging technologies will be essential to accelerate the goals of developing countries in achieving high economic growth rates and in driving financial inclusion and a thriving digital economy. Yet traditional financial services firms cannot easily adapt to these emerging technologies because of their legacy systems. They can, however, partner with fintechs to benefit from emerging technology deployment and achieve great mutual success.

Fintechs, traditional financial services firms, technology companies and governments need to develop and build digital transformation strategies together – strategies that include a plan of secure emerging technologies deployment and that have a clear vision of how they will maximize the benefits and minimize the risks of these technologies.

Security readiness for emerging technologies
Using emerging technologies is not only beneficial in terms of innovative new financial services, but also improves the security of information systems.

At the same time, emerging technologies such as machine learning and artificial intelligence will increasingly be used for cyber-attacks, and many organizations are not yet equipped to withstand them. Two-thirds of respondents to the survey see potential risks from emerging technologies, with almost 59% saying their companies also recognize these potential risks. A somewhat smaller 44% said their companies have a risk mitigation plan for emerging technologies.

Figure 6: Emerging Technologies Readiness Survey

Figure 7: Emerging Technologies Readiness Survey

Figure 8: Emerging Technologies Readiness Survey

Despite the concerns around risks, most respondents could see a great opportunity for using emerging technologies to improve the level of information security at their companies, with almost 81% saying they will use emerging technologies for that purpose.

Figure 9: Emerging Technologies Readiness Survey

Editor’s note: Mahmoud Abouelhassan will provide further insights on this topic on 30 October at ISACA’s CSX Europe 2018 conference in London.

Category: Risk Management Published: 10/12/2018 3:05 PM