Taking Precautions With Smart Home Gadget Security

ISACA Now Blog - 17 July 2019, 03:02:02

Smart home gadgets have been among the most popular holiday, housewarming and any-occasion gifts for the last few years. Whether it’s an interconnected home security system, a pet camera, or a voice-activated assistant like the Amazon Echo, homeowners and renters alike love having these tech gadgets in their homes.

In fact, research has shown that homes with smart home devices sell faster and for more than those without. Additionally, renters show great interest in living in rentals that have interconnected gadgets and are willing to pay more for these units. Therefore, many landlords have been rushing to turn their properties into smart homes.

Unfortunately, many users of these devices are unaware of the safety implications that come with them. Most smart gadgets connect to your home’s Wi-Fi, which in turn connects to the internet, where attackers can reach them. With this in mind, many smart gadget owners are wondering just how much their safety is threatened by their tech gadgets – and what can be done about it. Let’s take a closer look.

The Interconnected Worldwide Web
When you set up your home or apartment internet connection, you typically put a password on the connection. That way, neighbors and passers-by can’t steal your internet and slow down your bandwidth.

Many people believe that this simple password is enough to protect them against hacking attempts, but it’s not. It’s certainly better than a public network, but it’s still pretty easy for hackers with any level of experience to crack.

Plus, the worldwide web is aptly named because it’s completely interconnected, providing inviting access points to hackers. Charles Henderson, professional security specialist for IBM, told The NY Times that it just takes one access point to create a catalyst of problems.

“If one device gets compromised, it could be the same as allowing an attacker to plug into the entire network,” he says.

Security Products Aren’t Perfect
Consumers often fall victim to cybersecurity threats simply because they believe they’re impenetrable. Because a reputable business builds and sells these gadgets, they’re trustworthy, right?

While most companies in the smart tech sector do their best to create high-quality products, there’s no such thing as a perfect, impenetrable device. Most devices are released before they’re perfect, and the company will produce patches and updates to repair vulnerabilities along the way.

A recent cybersecurity breach is a great example of this problem. Orvibo, a Chinese-based organization that creates smart home devices and sells them globally, recently experienced a breach compromising billions of smart home devices. Billions of device owners had their records and privacy compromised as a result of a security hole. The breach revealed more than just an invasion of privacy. It indicated a larger issue of personal identity theft.

“Using the information on Orvibo's database, it would be relatively easy to build a complex picture of any given user,” wrote James Gelinas of “The database contains a number of telltale entries like location, username, device ID, and email addresses. So, anyone with basic knowledge of the user would be able to identify them with these bits and pieces.”

Take Precautions
These breaches are disconcerting, but they don’t mean users should have to say goodbye to smart home devices. Instead, they should simply take a few precautions. You wouldn’t leave home without locking all the doors and windows, and the same goes for managing security devices.

Perform research on the best ways to keep your devices safe and locked down from privacy invaders and identity thieves. In the meantime, here are a few recommended measures:

  • Use strong passwords and change them often.
  • Apply all updates sent to your devices.
  • Use a virtual private network (VPN) to connect your smart devices.
  • Consider biometric authentication for smart home devices.
  • Remove personal information from smart home devices.

As you apply these simple steps for securing your home network, you’ll experience greater peace of mind while enjoying the luxuries of your smart gadgets.

Category: Security Published: 7/17/2019 3:01 PM
Category: ISACA

Reimagining the Enterprise Landscape Through Advanced Technology

ISACA Now Blog - 16 July 2019, 01:19:10

Editor’s note: Stafford Masie, CEO of Google Africa (2006–09) and Non-Executive Board Member at ADvTECH, will be the closing keynote speaker at the 2019 Africa CACS conference, to take place 19-20 August in Johannesburg. Masie, an inventor, mentor and keen observer of how to humanize technology, recently visited with ISACA Now to discuss how enterprises in Africa and beyond can take advantage of the major technological forces of the day, such as artificial intelligence and advances in fintech. The following is a transcript, edited for length and clarity:

ISACA Now: In what ways do organizations need to “wake up” to the realities of today’s change environment?
In each industry vertical we are experiencing incredible disruption, but this isn't due to traditional known competition. Technology now allows organizations to expand beyond their core focus and deliver on services that were previously unimaginable. Additionally, this innovation, incurring this metamorphic competitive atmosphere, is “inorganic” – we are discovering that organizational sustainability is derived from unlocking external latent human capital on the outside of your business versus only focusing on core competences and excellence. The call today is to become a *co-creative* ecosystem and deliver on outcomes derived from combinatorial innovation. Accenture provided the industry with a transversal benchmark: “The benchmark for innovation excellence is being a company for which 75% of current revenue comes from business activities that began in the last three years!” The most important call to action for all leaders today is “Reimagination!”

ISACA Now: From your experience at Google, how has Google made the greatest impact in Africa over the past decade?
It has been almost 10 years since I worked at Google. Establishing their presence in South Africa, with an incredible team, was such a privilege. Every business is challenged with discoverability, and Google is the world’s most powerful platform to achieve this – applicable to any size of business. Since its establishment in South Africa, the mere economic impact from consumers searching for services and being delivered relevant business access in this regard has been significant. The launching of localized maps, search, YouTube, etc., has unlocked massive value and given South Africans an amazing online experience. I will never forget how hard the team worked on delivering all these capabilities leading up to the soccer World Cup; everyone attending the games, local and internationally, primarily utilized Google's services to navigate the country and the events. It is very difficult to measure the actual “impact” because people have utilized Google when they need a plumber, when needing an answer while studying, all the way through to seeking help when your child’s fever spikes. Besides these obvious impacts on the surface, I know that Google has done so much silent work enabling/accelerating Africa's internet infrastructure on the western and eastern seaboards and also all the terrestrial capacity we access today.

ISACA Now: Where do you see the future of fintech headed?
About eight years ago when I founded the mobile point of sale (mPOS) company “Thumbzup,” the term “fintech” wasn't widely used or understood. Today it represents a diverse ecosystem of innovation spanning disparate payments mechanisms through to the modernization of the traditional banking system. This is all great for the consumer – expansive digital and physical methods of settling merchants and doing business electronically. The impact on a merchant’s business is significant because there are now so many options to accept omnichannel payment and generally manage your business electronically. There are two trends I am watching closely: 1) The convergence of the telecommunications, retail, banking and over-the-top tech sectors; each of these sectors believes it owns the last mile and all are attempting to own the “store of value.” 2) The continual emergence of Bitcoin and its redefinition of the exchange of value without the need for a so-called trusted intermediary. Many folks believe that Bitcoin, and the broader cryptocurrency space, will hurt the existing incumbents. I do not. I believe we have the formal economy serviced by electronic mechanisms, the informal economy serviced by cash and then we have an undefined “third economy” that Bitcoin will ultimately unlock. The transaction types and financial use cases for and by bitcoin in this “third economy” are difficult to envision or predict today but will have immeasurable impact on humanity.

ISACA Now: You have some experience with AI – which applications of AI do you consider most promising in the near future?
Tim O'Reilly said it beautifully: “The fundamental design pattern of technology is to allow us humans to do things that were previously impossible.” I think this is so very much more applicable specifically to artificial intelligence. There are many amazing neural network applications being developed and employed by organizations today; the list is too long to highlight here. But, the most interesting aspect of AI is watching disparate species of artificial intelligences augmenting each of us right now. This results in the emergence of a fascinatingly new organizational archetype; I call it an “algorithmic marketplace.” An example would be Uber, a business that owns an artificial intelligence platform augmented and enabled by big data and real-time feedback loops from its participants, the drivers and the riders – all of it combining to give us a form of transportation that was previously unimaginable. This is a metaphor for future businesses which, because of these AIs, will have to metamorphosize to orchestrate services in this manner. It’s not just a big artificial intelligence engine but rather a symphony of human machine symbioses, within and outside an organization.

ISACA Now: On the other side of the AI equation, what concerns you most about potential misuses of AI going forward, and what should be done to mitigate those concerns?
I tend to be an optimist regarding artificial intelligence but I believe we are already seeing AIs programmed with unfortunate fitness functions. … We need to understand that AI is our superpower but inequality is our kryptonite! A dystopian future has never been more possible and real. But, it doesn’t have to be this way! If we do let machines put us out of work, it will be because of a failure of imagination and a lack of will to make a better future. We do not have to do more with less humans to improve operating margins and increase so-called productivity. We should consider doing what was previously impossible with humans augmented by AIs: deliverable new services that were previously unimaginable!

Category: ISACA Published: 7/16/2019 2:56 PM

Defining the ROI of Automation

Journal Author Blog Posts - 15 July 2019, 23:58:24

In his opening remarks to the general session of the Institute of Internal Auditors (IIA) 2018 Midyear Meetings in Orlando (Florida, USA), IIA Global Board Chairman Naohiro Mouri said that throughout his international travels while in office, he rarely heard from audit practitioners about the “pain of automation” despite the oft-cited benefits of automation technologies and their potential to revolutionize the internal audit function. His comments sparked the idea for our ISACA Journal, volume 4, article, "The Pain of Automation." Our goal was to provide some ideas and best practices that might help ease the pain of automation.

One of our recommendations toward helping automation initiatives go more smoothly was to have clearly definable return on investment (ROI) goals and metrics, and while these are obviously important for ensuring automation technology performs and imparts value, they can also be useful in communication efforts.

For example, our company, Nielsen, recently celebrated the first anniversary of its Robotic Process Automation (RPA) Center of Excellence, and included in the internal communication that went out was a dashboard with metrics such as total project counts, the impact of RPA in terms of hours saved across various business units and the geographic distribution of projects. This was not the first time this dashboard had been shared. This was a great way to use KPIs to communicate to the broader company the scope and progress of RPA projects, quantify and visualize their value, and reinforce the idea that the work is ongoing.

Celebrating progress and wins is an important part of any ongoing initiative, and RPA is no different. Making KPIs highly visible can help boost motivation and morale and help make sure everyone is on the same page in terms of where the organization stands.

Read Wade Cassels, Jane Traub, Kevin Alvero and Jessica Fernandez's recent Journal article:

"The Pain of Automation: Internal Audit Functions Face Real-World Challenges Amid Optimistic Environment," ISACA Journal, volume 4, 2019.

Category: Audit-Assurance Published: 7/15/2019 2:57 PM Authors: Wade Cassels, CISA, CFE, CIA; Jane Traub, CCSA, CIA; Kevin Alvero, CISA, CFE; and Jessica Fernandez, CISA

Getting Creative to Solve Security Challenges in Healthcare

ISACA Now Blog - 12 July 2019, 23:20:50

A recent article about information security challenges in healthcare pointed to the lack of resources many security teams report. They face staff shortages, lack of expertise and tight budgets. They find themselves unable to do the work they believe needs to be done.

In thinking about any problem, I always focus on what can be done. The truth is, there’s almost always something that can be done even if you can’t fix the bigger problem. After all, part of risk management is making any risk smaller, so why not approach resource challenges in the same way?

Solving Small Team Concerns
When faced with a small security team, one healthcare organization decided to distribute the security team’s work across the infrastructure teams. Though they had two people dedicated to information security, they also shifted the culture and expectations so that everyone, from the service desk analyst to the desktop analyst to the server and network engineers, knew that security was part of their job. They eventually added the applications leads to the mix to ensure security was truly an IT department focus, not just a security team focus. This had the effect of extending the security team without adding people. And it created numerous added benefits because now managing and monitoring security was not “someone else’s job,” it was everyone’s job.

Update job descriptions, set expectations, train staff in information security fundamentals (according to their job function), auditing and monitoring. Give them the tools to be effective members of the IT department knowing that, in today’s environment, security is everyone’s job. When the server team adopts system-hardening processes and audits those results on their own, security is improved far more effectively than if you have some security team person harping on hardening servers. The same holds true for managing application security. When the apps team understands how to assess, deploy and test for secure applications, security is improved at the point of origin rather than fixing a defect later (and for those of you familiar with Lean, this is a core concept). Building security into the standard work of each team not only teaches them about security in their area of expertise (while adding to their job expertise and often their satisfaction), it enhances the organization overall.

Addressing Lack of Expertise
There is a growing industry of security service providers. Everyone is facing talent shortages, but healthcare can be particularly hard hit because financial margins don’t allow for spending top dollar for talent in a highly competitive field such as information security. Some healthcare organizations manage to recruit and retain top talent by offering excellent working conditions and continuous professional development – but that doesn’t mean you can find, retain or reward those individuals in a tight job market. That’s where professional services can come in. Renting security monitoring, for instance, can be less expensive on an annual basis than adding another person. So, having a 24x7 security monitoring and alerting service may be an excellent approach to improving security without adding additional staff. Look for services you can use on a subscription basis or on an as-needed basis to add to your security program without breaking the bank.

Managing on Tight Budgets
The other major complaint that often arises is lack of budget to purchase and implement new security tools such as network monitoring or user behavior analytics. While these tools provide tremendous benefit when implemented and used correctly, two things are true. Tools purchased are often only partially implemented because healthcare IT has so many spontaneous projects and needs that teams become overwhelmed or distracted. So, buying the latest tool may not really solve the problem. Secondarily, if you lack the budget to buy new tools, your very first step should be to re-assess the tools you do have. Sometimes you haven’t fully implemented the tool or implemented it in the most advantageous manner. Sometimes you have poor processes wrapped around the use of the tool that could be improved. If you’re not fully utilizing what you have, that should be your first effort.

Sometimes you can find add-ons or expansions to your existing tools that may be less expensive than bringing in a whole new software solution. Have your vendors come in and talk with you about what else their solutions can do for you. Sometimes there are no cost or low cost solutions you wouldn’t have considered.

Still other times, if you feel strongly that you need a particular tool, have the vendor help you make the business case. They should be able to provide industry data, comparison data and benefits data. If they help you implement a proof of concept implementation, take lots of notes about the before and after state so you can gather data to make your case.

Get Creative with Training
There are a lot of excellent training opportunities available to enhance the security skills of your team. Some are very expensive, but many are not. Try to negotiate for training dollars or training credits with major vendors when you sign a new contract or large purchase. Vendors will often toss these in if asked. If your expense is limited to travel (and not paying for the course), your training dollars will go much further. Look for online or distance learning options to reduce travel expense, and consider free webinars from industry leaders (ISACA, SANS, HIMSS, etc.) as well as vendor webinars, which may be skewed toward their product but may also educate on the broader topic at hand. Keeping staff trained will enhance their job satisfaction and improve your organization’s security. Additionally, certifications in security or auditing areas add credibility to your work and may help you make the case for more people or more funds.

Make the Business Case
Too often, those requesting additional resources fail to make the compelling business case. Make sure you have put together a concise document explaining the current state, the risk of that state, the proposed solution and why the investment is required. It may not always be approved, but you’re unlikely to get anything you need without it. And, as a leader, it’s good practice to present a professional business case in support of your requests.

None of these ideas will solve the problem of being short-staffed or under-budgeted, but they will help mitigate these risks while you work to make the business case to your executive team about why they need to support these kinds of investments. It’s often hard to fight for dollars to prevent the “hypothetical” event (the same problem exists with business continuity planning). Healthcare executives should understand that healthcare data is at the center of the target for attackers and, ultimately, they need to make the investments needed to keep the organization as safe as possible. In the meantime, you can reduce your risks by taking small, meaningful steps toward your goals.

Author’s note: For additional articles and resources focused on IT leadership, visit Susan’s website,

Category: Security Published: 7/15/2019 10:21 AM

Practically Implementing DevSecOps

Journal Author Blog Posts - 11 July 2019, 23:21:40

The explosion of DevSecOps has caused a lot of excitement and worry within the cybersecurity community. It is no longer a question of whether an organization should implement DevSecOps, but rather when and how. While the scope and complexity of DevSecOps may initially seem daunting to security professionals, there are a few important points to keep in mind to implement an effective DevSecOps program, one that enables an organization to increase the velocity of its software releases while remaining secure at the same time:

  • Remember that tools are your best friend. The speed of DevSecOps makes manual testing/review simply too cumbersome to be effective. Find out which security tools best fit into your delivery pipeline, and work with the teams to integrate them effectively so that your security controls are an integral part of the framework. At a bare minimum, you should have secure code reviews and automated security scanning for every software deployment.
  • Automate the decision-making process. One of the key things I realized while implementing security controls in DevSecOps is that none of the automated security testing mentioned previously will make any difference if decisions are not made immediately based on its results. Jobs need to succeed or fail intelligently based on security success criteria that the security professionals and developers sit together and define. Certain things will be showstoppers for which the developers will need immediate feedback, while others can be fixed later, but this decision-making framework needs to be automated, with immediate results sent back to all relevant teams.
  • There is no escape from coding. As much as I would like to say that every organization has enough budget to hire dedicated security professionals with deep coding experience, that is simply not realistic. DevSecOps often needs security professionals to roll up their sleeves and dig into the code to find out why jobs are failing, application programming interface (API) calls are not being triggered, etc., and developers will get frustrated if security professionals are not able to provide answers for such problems. Investing in security training for developers and coding training for security professionals will reap huge dividends in the future and help break down silos, enabling a faster cultural shift to DevSecOps at the ground level.
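One way to implement the automated decision-making described in the second point, as an added example that is not from the article or the author's organization: a small pipeline gate that applies pass/fail criteria agreed between security and development to a scanner's findings, fails the job on showstoppers, and returns feedback to each owning team. The report shape, the policy thresholds, the finding types and the team names are all constructed for illustration; a real tool's output would be mapped onto this shape first.

```python
"""CI/CD security gate: turn scanner findings into an immediate pass/fail decision.

Added example; the report format, thresholds and team names are hypothetical.
"""
import json
import sys
from dataclasses import dataclass, field

# Policy the security and development teams agreed on (hypothetical values).
# Showstopper severities and never-accepted finding types fail the job at once;
# lower severities are tolerated up to a budget and tracked for later fixing.
# A severity missing from the budget table has a budget of 0, so unknown
# severities fail closed rather than slipping through.
POLICY = {
    "showstopper_severities": {"critical", "high"},
    "budget": {"medium": 5, "low": 20},
    "always_block_types": {"hardcoded-secret"},
}

# Constructed scanner output standing in for what a SAST/dependency tool emits.
SAMPLE_REPORT = {
    "findings": [
        {"id": "F-1", "severity": "medium", "type": "sql-injection",
         "file": "app/orders.py", "line": 88, "owner": "team-orders"},
        {"id": "F-2", "severity": "low", "type": "hardcoded-secret",
         "file": "config/settings.py", "line": 12, "owner": "team-platform"},
        {"id": "F-3", "severity": "low", "type": "weak-hash",
         "file": "app/auth.py", "line": 40, "owner": "team-identity"},
    ]
}


@dataclass
class GateDecision:
    passed: bool = True
    blocking: list = field(default_factory=list)   # finding ids that failed the job
    tracked: list = field(default_factory=list)    # finding ids accepted under budget
    feedback: dict = field(default_factory=dict)   # owner -> list of messages


def evaluate(report, policy=POLICY) -> GateDecision:
    """Apply the agreed policy to a report (dict or JSON string) and decide."""
    if isinstance(report, str):
        report = json.loads(report)
    decision = GateDecision()
    used = {}  # non-blocking findings counted per severity against the budget
    for f in report.get("findings", []):
        sev = str(f.get("severity", "unknown")).lower()
        ftype = f.get("type", "unknown")
        reason = None
        if sev in policy["showstopper_severities"]:
            reason = f"{sev} severity is a showstopper"
        elif ftype in policy["always_block_types"]:
            reason = f"{ftype} findings are never accepted"
        else:
            used[sev] = used.get(sev, 0) + 1
            limit = policy["budget"].get(sev, 0)
            if used[sev] > limit:
                reason = f"{sev} budget of {limit} exceeded"
        where = f"{f.get('file', '?')}:{f.get('line', '?')}"
        owner = f.get("owner", "unassigned")
        if reason:
            decision.passed = False
            decision.blocking.append(f["id"])
            msg = f"BLOCK {f['id']} {ftype} at {where}: {reason}"
        else:
            decision.tracked.append(f["id"])
            msg = f"TRACK {f['id']} {ftype} at {where}: fix in a later iteration"
        decision.feedback.setdefault(owner, []).append(msg)
    return decision


def run(report, policy=POLICY) -> int:
    """Print per-team feedback and return the job's exit status (0 = pass)."""
    decision = evaluate(report, policy)
    for owner, messages in sorted(decision.feedback.items()):
        print(f"[{owner}]")
        for m in messages:
            print("  " + m)
    verdict = "PASS" if decision.passed else f"FAIL ({len(decision.blocking)} blocking)"
    print("GATE:", verdict)
    return 0 if decision.passed else 1


if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run(data))
```

A non-zero exit status is what makes the pipeline job fail, so the gate's decision is enforced without anyone reading the scanner report by hand.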

Read Taimur Ijlal's recent Journal article:

"Three Strategies for a Successful DevSecOps Implementation," ISACA Journal, volume 4, 2019.

Category: Security Published: 7/11/2019 2:45 PM Author: Taimur Ijlal, CISA, CISSP, CIPP/E

Are the British Airways and Marriott GDPR Fines a Tipping Point?

ISACA Now Blog - 10 July 2019, 23:54:03

For many months, infosec and privacy colleagues alike have been telling me that the FUD (fear, uncertainty and doubt) about the terrifying levels of EU fines under the European Union General Data Privacy Regulation (GDPR) has disappeared from the boardrooms and executive management meetings.

In many organizations, the sentiment from senior management was that GDPR was another Y2K; it looked terrifying on paper but – meh – it probably did not matter that much after all.

As the statistics from the first 12 months of GDPR rolled in, these managerial beliefs that the regulation was all hype and no action were reinforced.

  • 206,326 cases (complaints and breach notifications) reported to the European regulators
  • 52 percent of cases closed with minimal action
  • Only 11 out of 31 countries had so far issued fines
  • The total amount of GDPR fines at that time: €55,955,871
  • … and €50m of that was to Google

There was a near-universal sigh of managerial relief and, in many organizations, privacy and data security efforts slid down the agenda … until this Monday.

On Monday, the ICO (the UK lead supervisory authority for regulating GDPR) issued its intention to fine British Airways £183.391m (around US$230m) for losing around 500,000 customers’ details in a card-skimming scam from an attack that commenced in June 2018.

That was then followed on Tuesday by an announcement from the same regulator of its intention to fine Marriott International £99.2m (around US$124m) for losing around 30 million EU customer details in the breach they failed to discover until 2018.

By Wednesday, any sensible organization had moved effective privacy and security right back up to the top of its risk radar. One key reason security should be there: both of these events were effectively about the failure to adequately protect personal data against cyber-attack.

As one of the people impacted in one of those breaches – and as an infosec professional who has to constantly battle for resources – my opinion is that this just might be a second watershed moment for our sector.

The first watershed was after WannaCry and NotPetya hit, and the majority of organizations began to realize that they needed to actually take cybersecurity more seriously.

This could be the second watershed if the intention to impose substantial fines is followed through.

Let me explain this point a little further.

It is an unpalatable truth that most sensible commercial decisions are made on the basis of risk. If you have a small chance of a small fine for the mismanagement of privacy information, then most organizations will aim to manage that risk on a shoestring. They want to be seen as doing the right thing – but why spend tens of millions of any currency fixing something that probably will never cost you more than a small percentage of that budget? That was the perception of GDPR until Monday.

After the intention to impose substantial GDPR fines was announced early this week, that perception has changed. Any organization that was considering putting GDPR or cybersecurity on a modest budget is re-evaluating that choice.

Whether this is a tipping point for setting in motion better investment in cybersecurity and data privacy still relies on a few things – and the first of those will be whether the intention to impose substantial penalties materializes into reality.

Will the fines really be applied? Will they be paid? Will more mega-fines follow?

The answers to each of these questions could have just as much impact on the privacy and security sector as WannaCry and NotPetya did.

Category: Privacy Published: 7/10/2019 10:17 AM

Vendor Selection for ISO 27001:2013 Certification

ISACA Now Blog - 10 July 2019, 03:45:44

The Information Security Management Systems Certification (ISO 27001:2013) helps organizations prove they are managing the security of clients’ and stakeholders’ information, and can generate the need for three types of vendors: certification body, internal audit and implementation.

The certification body (CB) is an organization accredited by a recognized accrediting body (UKAS, ANAB, etc.) for its competence to audit and issue certification confirming that an organization’s processes meet the requirements of the ISO 27001:2013 standard. The certification is valid for three years, subject to a successful annual audit and no major non-conformance for the duration of the certification. Organizations that are proceeding with certification for the first time have to undergo Stage I and Stage II audits from a certification body. The Stage I audit is a preliminary documentation audit in which policies, procedures, risks, objectives, etc., are audited against the standard, and readiness for Stage II is assessed. In the Stage II audit, the implementation and effectiveness of the controls required by the standard are evaluated. Certification cannot be done in-house, so the CB vendor needs to be on-boarded. Apart from cost and business requirements, the organization has to ensure that it gets certified by an accredited CB.

Internal audits are based on the ISO 27001 standard and are done prior to the external audit (the certification body’s Stage I and Stage II audits). Internal audits can be done by in-house personnel or by a vendor. If organizations are deploying in-house personnel, they have to ensure that internal audits are done independently and impartially (i.e., the auditor shall not audit his or her own work). The internal auditors selected should be competent, holding an ISO 27001 Lead Auditor certification, preferably from the International Register of Certificated Auditors (IRCA), along with a CISA or similar certification. The auditor should have at least three years of experience. A CV and project sign-off statements from previous clients can help evaluate competency.

Implementation then involves doing a risk assessment, training, formulating policies and procedures, creating awareness training, analyzing metrics, conducting a management review meeting, etc. This activity can be performed either by in-house personnel or by a vendor. The implementation should be done by a competent ISO 27001 Lead Implementer/Lead Auditor certified preferably by IRCA, with experience of three years post-certification along with CISA, CISM, CISSP or similar certification. Again, a CV and project sign-off statement from previous clients of the implementer can be helpful.

The time required for these three activities varies, but generally, the assignment would be for three years. A point of contact who has knowledge of the entire certification cycle is recommended. Activities of the certification body and internal auditor involve preparing the audit schedule, conducting audits, audit reporting and approving a Corrective Action Plan (CAP). CAP is the plan one submits to the auditor mentioning how the identified gaps during the audit would be closed. The duration of the audit depends on the number of people, number of locations, number of processes/departments involved, etc.

Implementation is generally of a much longer duration than the audits, as it involves multiple activities being performed in parallel. Inputs of the implementer are important during audits, and they need to be deployed in the organization for a few months to complete the certification process. For an organization that has a single location and about 100 people, the certification process would typically take three-to-six months to complete.

Category: Certification Published: 7/11/2019 2:44 PM

Stripping Off the Monster Tag from IT Governance: An Inclusive Approach

ISACA Now Blog - 9 July 2019, 07:06:19

It is said that anything with two heads is a monster. I usually think of this saying when carrying out IT governance reviews, as inclusive governance seems to be a missing link.

The study of governance has been fragmented and so diverse that it has birthed different specializations. But governance is the only head that should exist in any organization. Governance represents direction, strategies, policies, regulations and actions that influence how an organization is to be managed. Governance is a singular term; however, many organizations have adopted governance as a plural term and have adopted different leadership stances and priorities over management of financial governance, health governance and/or IT governance, with financial governance taking the center stage. Ask any finance director – he or she will tell you that they do not need to remind any board member about the importance of financial regulation and how financial performance is a reflection that the board is executing its mandate.

Through specialization, “governance” has been stripped of its overarching position. It is the board’s responsibility to ensure that direction is provided for the entire organization as much as it is the government’s role to ensure that appropriate acts and regulations are available in all industries and sectors. Any industry that is not governed is prone to abuse.

When I was first introduced to COBIT®, I viewed it as an IT framework, in the same way as the majority of IT personnel and experts view it. COBIT training and workshops were treated as exclusive to IT personnel, as the framework is perceived as belonging to the IT experts. The exclusivity of IT-related governance frameworks to IT has given IT a little head that has proven to be a monster in many boardrooms. With so many new technology buzzwords such as artificial intelligence, robotics, Internet of Things, red teams, blue teams, etc., this little monster will continue to terrorize board members and executives in many organizations, as many do not know how to control it.

Reading the definition of COBIT in the COBIT 2019 Introduction and Methodology publication, I see an opportunity for governance to take its rightful position as an inclusive concept rather than the current fragmented one. COBIT 2019 defines COBIT as a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. This is a departure from COBIT 5, which described COBIT as a framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. COBIT 5 omitted an important phrase: “aimed at the whole enterprise.” The inclusion of this phrase in COBIT 2019 strips the “monster” tag from IT. IT governance should no longer be viewed as an exclusive term but as part of the singular governance of an organization.

The opportunity to attend COBIT training and workshops therefore should not be limited to IT teams but should be open to all members of the executive team, as well as the board.

Category: COBIT-Governance of Enterprise IT Published: 7/9/2019 3:04 PM
Category: ISACA

Forthright Handling of Cybercrime Essential to Improved Results

ISACA Now Blog - 2019-07-03 22:41:34

While it has become generally well known that enterprises have a problem dealing with cybercrime, the true extent of the problem is much worse than many realize. In fact, even the entities that really ought to know the reality, such as legal and regulatory authorities, are generally in the dark about how many incidents are occurring and how severe they are.

In ISACA’s recently released State of Cybersecurity 2019 research, a combined 75 percent of security professionals responding to the survey assert that most enterprises underreport cybercrime, including 50 percent who believe that organizations underreport cybercrime even when legally required to report it. There is a well-known saying that the first step to solving a problem is acknowledging that there is a problem, but these numbers suggest that enterprises would still prefer to sweep cyber incidents under the rug rather than face the often unpleasant realities of today’s threat landscape. There are a number of reasons why organizations resist reporting cyber incidents, but the failure to disclose incidents is short-sighted and ultimately exposes the enterprise to far greater risk in the long term.

An obvious starting point for why organizations are reluctant to report cybercrime is the impact on brand name and customer trust. But this propensity to avoid reporting cyber incidents to the appropriate legal and regulatory authorities invites public relations debacles that result in far greater trouble down the road. Aside from the direct financial costs associated with cyber incidents, the damage to brand reputation and customer trust can be even more difficult to rebound from. If organizations can demonstrate to the public that they made good-faith efforts to disclose the details of the incident and then mitigate the damage to the best extent possible, there is a fighting chance to rebuild customer relationships. Conversely, if the consequences of a breach are followed by what is perceived as a cover-up, those customer relationships become nearly impossible to repair, and the executives involved in that unwillingness to accept accountability will likely see their careers permanently tarnished.

When the instinct to avoid embarrassment is not to blame for failing to report cyber incidents, the culprit might be a feeling that there is nothing to be gained from reporting. Whereas when organizations are victimized by a physical break-in resulting in stolen property, a call to law enforcement is the natural next step, and would likely result in an investigation leading to an arrest, organizations are much less confident that legal authorities can help them recover stolen data or stop its further dissemination after a cyberattack. This, too, is a misguided reason not to report, especially as law enforcement agencies develop more sophisticated capabilities for fighting cybercrime with each passing year. This trend will continue as public expectations mount for local law enforcement to take digital crime as seriously as parking violations and the other traditional offenses that command their attention. Correspondingly, the resources devoted to fighting cybercrime must increase to make it realistic for law enforcement to be a viable partner in helping organizations respond to cyberattacks.

The unwillingness to report cybercrime is problematic on multiple levels. The UK’s National Strategic Assessment of Serious and Organised Crime for 2018 notes that “underreporting of data breaches continues to erode our ability to make robust assessment of the scale and cost of network intrusions. Many companies are not disclosing data breaches, putting victims at risk.” The report also indicates that the public’s confidence in law enforcement’s ability to respond to cybercrime is affected by the widespread underreporting of these incidents. In the bigger picture, the lack of trustworthy statistics on the volume of cyber incidents does a disservice to organizations of all types and sizes around the globe. Think about how much easier it would be for boards of directors to justify allocating greater resources to cybersecurity if they had more credible and comprehensive data on the prevalence and nature of incidents on which to base their decisions.

Perhaps the evolving regulatory landscape will help mitigate this deeply ingrained problem, with the high-profile General Data Protection Regulation (GDPR) now adding to other regulations that place responsibility on organizations to report data breaches and other security incidents. There are plenty of common-sense reasons why organizations should accurately report cyber incidents, but if it takes regulatory pressure to provide additional incentive, so be it. In almost all cases in life, forthrightness and transparency are a better option than hoping others will not notice what is really happening. That certainly applies to the need for more widespread reporting of cyber incidents. Until organizations report with more regularity, a range of important stakeholders will lack the information needed to drive toward solutions that can make a meaningful difference in combating cybercrime.

Editor’s note: This article originally appeared in CSO.

Category: Security Published: 7/5/2019 4:33 PM
Category: ISACA

Coincidence or History?

Journal Author Blog Posts - 2019-07-01 22:57:26

On 23 October 1969, just a few months after Apollo 11 landed on the moon, the Electronic Data Processing Auditors Association (EDPAA), later to become ISACA, was incorporated. Just six days later, on 29 October 1969, the first communications were sent through the ARPANET, the predecessor to the Internet. A coincidence? Perhaps, but ISACA was there.

In 1996, IBM's Deep Blue defeated chess champion Garry Kasparov for the first time, and Windows NT 4.0 was released by Microsoft. In 12 months, the number of Internet host computers went from 1 million to 10 million, and COBIT was released. A coincidence? Perhaps, but ISACA was there.

In 2007, Apple announced the release of the first iPhone. The touch-screen mobile phone originally sold for US$599.00 and, within less than 3 months of its release, more than 1 million units were sold. Twenty percent of the world’s population was now online, and COBIT 4.1 was released. A coincidence? Perhaps, but ISACA was there.

In 2012, Windows 8 was released, Facebook went public and COBIT 5 was released. Almost 36% of the world’s population was now online. A coincidence? Perhaps, but ISACA was there.

It is 2019. Almost 57% of the world’s population is now online. ISACA is 50 years old, and COBIT 2019 has just been released. It has been no coincidence that ISACA was around for each of these historic IT-related events; numerous hours were put in by both ISACA staff and volunteers to keep it there. Each of these events helped shape the thinking of these ISACA volunteers, who, in turn, helped develop COBIT 2019. Today, COBIT 2019, built upon ISACA’s history, can aid with the governance and management of information and technology in your enterprise.

Read Ian Cooke’s recent Journal article:

“Lessons from History,” ISACA Journal, volume 4, 2019.

Category: Audit-Assurance Published: 7/1/2019 3:12 PM BlogAuthor: Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPP/E, CIPM, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt PostMonth: 7 PostYear: 2019
Category: ISACA

Rebuilding Institutions for an Online World

ISACA Now Blog - 2019-07-01 22:34:26

Editor’s note: Author and journalist Jamie Bartlett will be the closing keynote speaker at the Infosecurity ISACA North America Expo and Conference, which will take place 20-21 November 2019 in New York City. Bartlett recently visited with ISACA Now to discuss his outlook on how technology is reshaping society, beginning with his contention that the internet is killing democracy. The following is an edited transcript of the interview:

ISACA Now: One of your books, The People vs. Tech, contends that the internet is killing democracy. What do you mean by that, and what should be done about it?
It’s quite a simple argument: that the institutions of democracy – the legal system, election law, education, an informed public willing to compromise – have been created for an offline world. And yet now so much of our political life takes place online, and all the systems we have to keep democracy running don't seem to work well anymore. And more to the point, in the future this disconnect will worsen. There are many things we need to do to close the gap. For example, we need to update election law so that all micro-targeted adverts are published in a national database so that everyone can see them (to end the so-called “dark ads” problem). We also need to change our education system so it focuses more on media literacy and helping people deal with information overload.

ISACA Now: The dark net is one of your major areas of interest. How concerned should the public be about what transpires on the dark net on a daily basis?
Indirectly, yes. Many millions of people have their personal data, or their passwords, or other personally identifiable information being sold on dark net sites. This is also true for businesses and companies. This doesn't mean I’d expect non-specialists to spend every waking hour trawling through the dark net. But it is important to bear in mind that there is an always-online marketplace in stolen information. There are sites that can help you check.

ISACA Now: Tell us about your role with Demos – what drew you to it and which aspects of it have you found most rewarding?
I was excited by the prospect of using machine learning and AI to build research tools. When I set the center up in 2011, not many researchers in the social sciences were using big data tools. This was very exciting because it felt like I was at the frontier of a new research discipline – social media science – and therefore able to help create the rules and methodologies. Others have caught up now, but of course new fields open up: like the use of Internet of Things data.

ISACA Now: Given the occasionally toxic and polarizing nature of today’s social media landscape, do you consider the parts that are problematic to outweigh the upside of social media? 
In its current format and style, I’m afraid I do now. That doesn't mean there aren’t thousands of good things taking place, because obviously there are. But I think the cost of people’s focus, concentration, and willingness to engage in constructive discussion rather than slanging matches, has had an extremely negative effect on the health of our political debate. That doesn’t mean we should shut it off of course – but we may need to rethink the business model (and our education systems) so they encourage a better and healthier form of politics.

ISACA Now: As we near the 2020s, which cybersecurity themes do you expect to become especially impactful in the new decade?
Without doubt the automation of crime. Many industries are thinking about automation – driving, clerical work, fruit picking, factory work, legal analysis, even journalism. So why would criminals not think the same? They are always on the lookout for new ways of saving time and making more money. I expect far more automatic tools that scan and auto-hack software, more sophisticated AI-powered personalized phishing emails, and so on. This I think will change quite fundamentally how we understand risk in cybersecurity in the next few years. 

Category: ISACA Published: 7/2/2019 2:34 PM
Category: ISACA

Securing Your Data: The Crown Jewels of Your Enterprise

ISACA Now Blog - 2019-06-29 00:49:33

Every organization has data that is vital for its growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewels.

Data can be classified as structured or unstructured. Structured data is mostly stored in databases, but usually more than 80 percent of an organization's data is unstructured.

Enterprises need to protect data from unauthorized access not only by external users but also by internal users, so virtually all organizations are building controls around data-centric security. Data-centric security embeds controls into the data itself, so that the controls stay attached to the data whether it is at rest, in motion or in use by an application. In data-centric security, the protection of the data is independent of the security of the infrastructure, be it device, application, network or the method by which the data is transported.

Data leaks not only have a negative impact on the reputation of the enterprise but also can lead to penalties/legal action from regulators. New regulations require the organization to build controls around the security and privacy of the data regardless of whether the data is intended to be used internally or intended to go outside the organization’s boundaries.

At its core, data-centric security can be considered among the following categories:

  • Data Classification – Data classification is the process of identifying, labeling and classifying information/data, preferably according to its sensitivity or criticality. Most classification tools have machine-learning elements based on content and context. Classifying the data increases the effectiveness of DLP, CASB and EDRM tools.
  • Data Leakage/Loss Prevention (DLP) – DLP is a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces some type of pre-defined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright. DLP takes time to mature and requires participation from the entire organization, especially in setting the policy.
  • Cloud Access Security Broker (CASB) – Since most of our data now resides in the cloud, be it private, public or hybrid, a CASB helps identify, monitor and control enterprise data in cloud infrastructure (including applications hosted in the cloud) and extends controls to the cloud applications. In data-centric security terms this is also often referred to as Cloud DLP.
  • Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM enforces the rights that the data owner/custodian grants over the data. It embeds the security controls into the data itself. The controls remain active while the data is in use and while it moves. This gives the enterprise control over the data even after it has left the enterprise boundary. Some common DRM controls are self-destruction of data after a set time and disallowing copy/paste/print of a document.
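The classification and DLP bullets above describe one pipeline: label content by sensitivity, evaluate the labeled data against a policy, then enforce a remediation action. The block below is an added example, not code from the post or from any DLP vendor; it is a deliberately small policy engine that classifies outbound messages by content (card and social-security number patterns) and context (keywords), then picks an action by label and destination. The enterprise domain `example.com`, the label names, the keyword list, the policy table and the sample messages are all assumptions constructed for the example. The Luhn check shows the kind of false-positive filter a real DLP rule needs: a 16-digit order number must not be blocked as a card number.

```python
import re
from collections import namedtuple
from typing import Dict, List, Tuple

# Assumptions for this example (not from the post): the enterprise's own
# mail domain, the sensitivity labels, and the context keywords.
ENTERPRISE_DOMAIN = "example.com"
KEYWORDS = ("confidential", "board note")

PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")   # 16-digit card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check. A regex alone matches any 16 digits; this drops
    order numbers and other random digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Label content by sensitivity from content (PAN/SSN) and context
    (keywords). Returns (label, indicators that drove the decision)."""
    indicators: List[str] = []
    if any(luhn_valid(m) for m in PAN_RE.findall(text)):
        indicators.append("PAN")
    if SSN_RE.search(text):
        indicators.append("SSN")
    if any(k in text.lower() for k in KEYWORDS):
        indicators.append("keyword")
    if "PAN" in indicators or "SSN" in indicators:
        return "Restricted", indicators
    if "keyword" in indicators:
        return "Confidential", indicators
    return "Internal", indicators


# Policy table (assumed): (label, destination is external) -> action.
POLICY: Dict[Tuple[str, bool], str] = {
    ("Restricted", True): "block",      # never leaves the enterprise in clear
    ("Restricted", False): "alert",     # allowed internally, but logged/alerted
    ("Confidential", True): "encrypt",  # may leave, but only protected
    ("Confidential", False): "allow",
    ("Internal", True): "allow",
    ("Internal", False): "allow",
}

Verdict = namedtuple("Verdict", "label indicators action")


def evaluate(recipient: str, body: str) -> Verdict:
    """Evaluate one outbound message (data in motion) against the policy."""
    label, indicators = classify(body)
    external = recipient.rsplit("@", 1)[-1].lower() != ENTERPRISE_DOMAIN
    return Verdict(label, indicators, POLICY[(label, external)])


# Constructed sample traffic. 4111 1111 1111 1111 is the well-known test PAN
# (passes Luhn); 1234 5678 9012 3456 looks like a PAN but fails Luhn.
SAMPLE_MESSAGES = [
    ("director.personal@gmail.example", "Board note attached - CONFIDENTIAL"),
    ("vendor@partner.example", "Charge card 4111 1111 1111 1111 for the order"),
    ("payroll@example.com", "Employee 123-45-6789 new bank details enclosed"),
    ("sales@partner.example", "Your order reference is 1234 5678 9012 3456"),
]

if __name__ == "__main__":
    for rcpt, body in SAMPLE_MESSAGES:
        v = evaluate(rcpt, body)
        print(f"{rcpt:32} {v.label:13} {v.indicators} -> {v.action}")
```

Running it shows the four outcomes the policy is meant to produce: the board note sent to a personal mailbox is Confidential and gets encrypted rather than blocked, the valid card number to an external vendor is blocked, the SSN sent internally raises an alert but is allowed, and the order number that fails Luhn is treated as Internal. The expensive part of a real deployment is not this engine but agreeing the label set and the policy table with the business, which is why the post says DLP takes time to mature.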

Data-centric Security Scenario
Suppose one of the directors of the enterprise is on leave and has no access to corporate email or applications. An urgent board note (a confidential document) needs to be vetted by him. The director asks his office to send the note to his personal email for review, and his office does so.

How can the security of the document be ensured?

Can we assume that after reviewing the note he has deleted it from his device and his inbox? Can the enterprise be 100 percent sure that the data will not be misused in future? No!

But if we enforce DRM on the document, we can set an access period that expires with the document itself. We can even recall or revoke access to information we have already shared with anybody. DRM maps the policy onto the document so that it is protected automatically whenever it is discovered, detected, downloaded or shared.

Emergence of Data Privacy and Protection Laws
The year 2018 was significant for privacy and data protection laws in the world, with new measures such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Bahrain also passed a new, comprehensive data protection law, making it the first Middle East country to adopt a comprehensive privacy law.

One of the most significant privacy law developments of 2019 is expected from India. India’s draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards regarding the processing of personal data, including for cross-border data transfers. The law also calls for the establishment of a Data Protection Authority for overseeing data processing activities.

Category: Audit-Assurance Published: 7/1/2019 3:12 PM
Category: ISACA

Continuous Security Validation

ISACA Now Blog - 2019-06-26 02:10:51

No corporate executive should feel secure.

Every day, we keep hearing about yet another company getting hacked or losing sensitive data. Many enterprises do not even realize their systems are compromised until they receive an unexpected notification from an external party. Cybersecurity remains a top risk for companies and a hot topic for boardrooms.

To fend off cyber threats, most companies focus on:

  • Hiring security professionals or third parties with expertise in various security domains
  • Establishing processes such as patch management and asset management
  • Implementing various security tools and monitoring devices
  • Creating control libraries in alignment with regulations and industry standards
  • Establishing security training and awareness programs

But, how do we know our cyber defenses actually work?

Traditional Security Validation includes testing individual controls or a set of controls to ensure that they are designed appropriately and working effectively. For example:

  • Validating that a firewall is configured according to a company’s configuration standards is considered testing of a singular control.
  • Testing a set of relevant controls to verify whether the company complies with the Payment Card Industry Data Security Standard (PCI DSS) would be considered testing a set of controls.

While testing security controls in the traditional way serves its intended purposes, a company should not feel secure based solely on point-in-time control testing. The reality is that threats and an organization’s systems change daily, and a control that tested as effective yesterday may no longer mitigate the threat today.

Adversaries will always look for any weakness in a company’s environment, ranging from misconfigured systems to overly permissive access rules. New threats, vulnerabilities and zero-days are identified every day.

The only effective way to combat this is to think and act like an adversary.

Continuous Security Validation allows an organization to take cyber attackers’ perspective and stress-test its security stance.

While it includes elements of traditional validation methods described above, it focuses more on walking in hackers’ shoes. The chart below depicts key characteristics of Continuous Security Validation:

To implement and execute on Continuous Security Validation, a company could leverage industry best practices. A leading framework in this area is MITRE ATT&CK™ for Enterprise (ATT&CK).

ATT&CK for Enterprise is a framework that takes the perspective of an adversary trying to hack into a company using various known attack vectors. This framework provides a library of real-world hacking activities for companies to simulate in their own networking environment.

In its simplest form, an organization picks a relevant attack vector (e.g., exfiltration over an alternative protocol) from the ATT&CK Matrix and tests its cyber defenses to validate that they would withstand that particular attack. It can then review and prioritize mitigation of the identified gaps.

It’s important to note that internal red-teaming (an internal group taking the hackers’ perspective) is a core component of this approach: these teams use real scenarios and test the actual detection and response capabilities rather than just testing controls.
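The two preceding paragraphs describe the loop in the abstract: pick one ATT&CK technique, emulate it, and check whether the defenses fire. The harness below is an added example, not code from the post or from MITRE; it works through the technique the post names, exfiltration over an alternative protocol (T1048 in the ATT&CK matrix), using DNS as the carrier. The red-team side hex-encodes a payload into subdomain labels; the blue-team side is a detection rule that flags a parent domain receiving several unique, long, high-entropy labels. The baseline query list, the attacker domain `exfil.example`, the payload and the thresholds are constructed assumptions for the example. A validation cycle passes only if the rule stays quiet on the baseline and fires once the emulated exfiltration is mixed in, which is the pass/fail record a Continuous Security Validation program would keep per technique.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Assumptions for this example (not from the post): an attacker-controlled
# domain and a slice of "normal" enterprise DNS traffic.
TECHNIQUE = "T1048"  # ATT&CK: Exfiltration Over Alternative Protocol
ATTACKER_DOMAIN = "exfil.example"
BASELINE_QUERIES = [
    "www.example.com", "mail.example.com", "api.partner.example",
    "cdn.static.example.net", "update.vendor.example",
    "a" * 40 + ".cdn.example",  # long but low-entropy: must not fire
]
# Constructed payload the red team tries to leak.
SECRET = (b"Board note Q2: payroll export attached, employee bank routing "
          b"and account numbers, do not forward.")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded payloads score well above
    ordinary host names such as 'www' or a run of identical characters."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_dns_exfil(queries: List[str], min_label_len: int = 30,
                     min_entropy: float = 2.5, min_unique: int = 4) -> Dict[str, int]:
    """Blue-team rule: report parent domains whose leftmost labels are
    repeatedly long, high-entropy and unique. Thresholds are assumptions."""
    suspects = defaultdict(set)
    for q in queries:
        labels = q.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leftmost, parent = labels[0], ".".join(labels[-2:])
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            suspects[parent].add(leftmost)
    return {d: len(s) for d, s in suspects.items() if len(s) >= min_unique}


def simulate_dns_exfil(payload: bytes, domain: str, chunk: int = 30) -> List[str]:
    """Red-team emulation of T1048 over DNS: hex-encode the payload and
    emit it as subdomain labels under the attacker's domain."""
    hexed = payload.hex()
    return [f"{hexed[i:i + chunk]}.{domain}" for i in range(0, len(hexed), chunk)]


def run_validation(baseline: List[str], payload: bytes,
                   attacker_domain: str) -> Dict[str, object]:
    """One validation cycle: the rule must be silent on baseline traffic
    and must alert once the emulated exfiltration is added to it."""
    false_positives = sorted(detect_dns_exfil(baseline))
    alerts = detect_dns_exfil(baseline + simulate_dns_exfil(payload, attacker_domain))
    detected = attacker_domain in alerts
    return {
        "technique": TECHNIQUE,
        "false_positives": false_positives,
        "detected": detected,
        "passed": detected and not false_positives,
    }


if __name__ == "__main__":
    print(run_validation(BASELINE_QUERIES, SECRET, ATTACKER_DOMAIN))
```

The same `run_validation` shape extends to other techniques: swap in a different emulation and the detection it should trigger, keep the pass/fail record, and re-run on a schedule. If a later change to the DNS logging pipeline or to the rule's thresholds makes `passed` flip to false, that is exactly the drift between "tested effective yesterday" and "effective today" that the post warns about.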

Continuous Security Validation will help a company: 

  • Increase its cyber resiliency by frequent testing and validation
  • Test the effectiveness of its security controls and tools in preventing specific attack vectors
  • Develop an organizational cyber threat model to focus on higher risk areas and key information assets
  • Methodically analyze identified security observations

At the 2019 GRC Conference in Fort Lauderdale, Florida, USA, to take place 12-14 August, I will further explore Continuous Security Validation and describe how a company could use it to reduce its cyber exposure. We will also review key elements of ATT&CK for Enterprise and discuss how it can be leveraged to stand up and operate a Continuous Security Validation process.

About the author: Berk Algan is a risk management executive who takes pride in building exceptional Governance, Risk and Compliance (GRC) functions and developing high-performing teams. He currently leads the Technology & Security Risk Management group at Silicon Valley Bank.

Category: Risk Management Published: 6/27/2019 2:59 PM
Category: ISACA

Extracting More Value from IoT, Using COBIT 2019

ISACA Now Blog - 2019-06-26 02:00:24

The time for making predictions about the number of IoT devices in future years and waiting for that time to come is long gone (however, if you really want to know, one source predicts there will be 75 billion IoT devices in 2025). If enterprises still have not thought about the ways IoT could bring them new value, now is certainly the right time to get started.

As the title suggests, COBIT 2019 and IoT could be a great combination for adding value to the enterprise. Auditors (including myself) need to follow the enterprises and keep up with IoT, so that we can give reasonable assurance on the topic.

Business Perspective
If an enterprise plans to adopt IoT, the most likely COBIT 2019 governance and management objectives it would have to focus on (in one of the possible scenarios) are:

  • APO03 Managed enterprise architecture
  • APO04 Managed innovation
  • APO07 Managed human resources
  • BAI10 Managed configuration
  • BAI03 Managed solutions identification and build
  • BAI07 Managed IT change acceptance and transitioning

Of course, those are only six of the 40 governance and management objectives recognized by the COBIT 2019 framework. The rest should not be neglected by default.

To satisfy stated objectives, consider these seven components of the governance system:

  • Processes
  • Organizational structures
  • Principles, policies and frameworks
  • Information
  • Culture, ethics and behavior
  • People, skills and competencies
  • Services, infrastructure and applications

Although the components are thoroughly explained in COBIT 2019, they do not prescribe any IT-related decisions. Every enterprise needs to customize COBIT to its own needs, as there is no “one size fits all” solution.

Audit Perspective
As for auditors, we must agree that auditing technology that has been audited numerous times before (database management systems, operating systems, etc.) differs from auditing an emerging technology such as IoT. Before you get a headache trying to figure out IoT-related risks, audit scope, etc., please continue reading.

In the ISACA Journal article “Auditing the IoT”, you’ll find important steps for conducting IoT audit engagements.

You might be asking yourself: “So, can COBIT 2019 also help?” The answer is (obviously, if we look at the blog title) yes. Whether the organization harnessed the power of COBIT 2019 to incorporate IoT in its business or did it another way, the auditor has plenty of information in COBIT 2019 to kick-start an effective audit engagement. The rationale is as follows:

  1. COBIT is a framework for the governance and management of enterprise information and technology – all the technology and information processing the enterprise puts in place to achieve its goals.
  2. Let us switch for a second to the Institute of Internal Auditors’ definition of internal auditing. Part of it states: “It helps an organization accomplish its objectives.”

When we put one and two together, it is clear that:

  • If auditors are not aware of the enterprise’s goals, they cannot fulfill their purpose; and
  • COBIT 2019 can provide more insight into achieving the goal at hand: getting value from IoT.

Auditors would be well-served to focus on the same governance and management objectives mentioned in the “Business Perspective” section of this blog, but it’s of great importance to repeat once more ... customize, customize, customize.

Category: COBIT-Governance of Enterprise IT Published: 6/26/2019 2:59 PM
Category: ISACA

50th Anniversary Q&A with ISACA CEO David Samuelson

ISACA Now Blog - 2019-06-21 05:13:20

Editor's note: David Samuelson was appointed chief executive officer of ISACA on 1 April of 2019, the year of ISACA’s 50th anniversary. Samuelson recently visited with ISACA Now to discuss the meaning of joining the organization during its milestone year and how ISACA can draw upon its decades of industry leadership to become even more impactful in the future. The following is an abbreviated transcript of the Q&A interview. To read the full Q&A, visit the Story Gallery.

ISACA Now: You recently were named CEO of ISACA during the organization’s 50th year. What added dimension does that timing provide in terms of your outlook on this new role?
It’s a great time to join ISACA because it is at an inflection point in its history. The next 50 years are going to be very important for ISACA, and the first 50 years have made ISACA a strong, relevant, trustworthy and valuable organization to members all over the world. During the next 50 years, I hope we can double down on all of those things.

ISACA Now: While recognizing that you have only been with ISACA for a short time, what has struck you most about the organization’s history and trajectory over these past 50 years?
I think more important than its history is the passion that I’ve witnessed. The membership is palpably passionate about ISACA. I hope that I can hear the stories that are behind that passion, that can help shape how we build toward the future.

ISACA Now: You have an extensive background in education technology. What have been some of the most transformative advancements that you’ve observed in that area over the years?
The impacts in learning technologies are impacts in all technologies, such as machine learning and AI and cloud computing – the things that are prevalent for all of us now. The newest entrant in the technology world that I think is interesting and perhaps challenging for any organization is voice-first technology, like Alexa. We’re talking naturally, and things happen, either in our house or in our classroom or in our cars or with our phones. I think this represents some new challenges for old problems.

But specific to learning technologies, I think the opportunities to help an adult learner or any learner are related to understanding what they know and what they don’t know, understanding where they’re at in their learning journey, and being able to get immediate feedback as they’re learning. These are not really new ideas, but important ones to help us learn in today’s tech-enabled world. I also think the mobile and digital device revolution has changed the way people consume almost anything in their daily lives, especially for adults. For associations like us that want to communicate important, relevant, trustworthy materials, these changes around us are important for us to embrace.

ISACA Now: Along those lines, panels at ISACA’s CACS conferences this year are discussing disruptive technologies that have reshaped the ways that we live and work. What might be an example or two (personal or professional) of a disruptive technology that you have come to appreciate, from a quality of life standpoint?
I think voice-first is the first one that comes to mind. You can control a supercomputer “in the sky” with your voice, and so what does that mean? It certainly is useful to walk into your house and start a movie where you left off, or to walk into your office and start a presentation where you left off, but it also represents new challenges in terms of keeping us safe in cyberspace because, in order to have that technology, devices have to be listening to everything. So, what does that mean in terms of privacy, in terms of what people know about you – all those kinds of things? I think it’s interesting but also disruptive in the sense that you have a feature that also can be a danger. The other thing that has probably been most disruptive in all of our lives is just the power of computing that we carry with us all the time – we have access to anything, wherever we are. That’s certainly different than it was even a decade ago.

Category: ISACA Published: 6/24/2019 10:07 AM
Category: ISACA

How Small and Medium Businesses Can Leverage Cybersecurity for Client Value: Six Ways to Get Started

ISACA Now Blog - 2019-06-20 02:28:10

Small and medium-sized businesses (SMBs) lack the resources of a large business, in both finances and personnel, making it more difficult to extract client value from a robust cybersecurity program. In fact, many SMBs probably do not have a “robust” cybersecurity program. Implementing one can be costly, and the related costs are not just one-time capital expenses, but also include recurring expenses. So, why should an SMB even consider implementing a cybersecurity program when there are plenty of other high-priority business needs that demand resources?

The bottom line is the protection of data. If data is not protected, business owners should be afraid. It’s only a matter of time before a hacker comes calling and walks away with an organization’s data. They might not actually take it; they may just copy it for their use or for sale to the highest bidder and leave the business with its own copy, perhaps not even aware the data had been copied. What if that data was the corporate payroll database with employee bank routing numbers and account numbers? How about the HR files with employee social security numbers? We’ve all heard plenty of stories about major database breaches in which employee data was compromised (meaning the culprits, at a minimum, copied the data for their own use).

So, there are some very basic reasons to implement cybersecurity best practices. Think of it as an insurance policy. We might not like paying our insurance premiums each month, but we do it to protect ourselves from the unexpected events that could be very costly. And when something does happen where you need that insurance policy, you are glad you have it. The same goes for cybersecurity programs.

Six Ways to Get Started
SMBs can start by protecting their data and their clients’ data by implementing a few low-cost initiatives:

Data Identification – What data is most important to you (and your clients)? What data needs the most protection? That data is where you need to start focusing your protection efforts.
Action: Make an inventory of all your data (including client data) and prioritize it based on its importance (or sensitivity).

Policies and Procedures – Policies establish the corporate expectations for every member of the staff. Procedures explain how employees are to meet those expectations. 
Action: Update (or create) policies and procedures that place an emphasis on data protection, both for the company as well as its clients.

Awareness Training – Training supports policies and procedures by providing awareness of areas of importance as well as by helping employees better understand how corporate procedures can be implemented. Training should be a recurring event and updated to reflect current corporate priorities.
Action: Improve employee awareness with recurring cybersecurity training, especially as it relates to data protection.

Minimize the Data Footprint – If there are multiple copies of a sensitive data file (call it “file A”) in several locations (e.g., local laptops, shared network drives, email inboxes, and other document libraries), then WHEN (not IF) your company is hacked, the perpetrator would need less time to find one of the versions of file A. However, if there is only one version of file A in one place, that greatly increases the difficulty and time for a perpetrator to find the single file A. Ideally, there would also be tools in place to alert the support team of a possible breach. If it takes the perpetrator enough time to find a single copy of file A, then the alerting system may detect the activity in time to stop (or minimize) damage.
Action: Keep only one copy of files, when possible.

Data Retention – This goes hand-in-hand with the data footprint. You should keep a file only as long as needed for business and legal purposes. The longer a file is sitting on the corporate network, the greater the number of opportunities for a perpetrator to find the file. Once a file is no longer needed, delete it. Remember to consider data backups as well.
Action: Only keep files for as long as they are needed, then delete them.

Monitoring – The best policies and procedures will be of no use if they are not being followed. Training can help ensure awareness of corporate priorities, but monitoring and conducting periodic spot checks are necessary to ensure policies and procedures are being followed. This monitoring also provides insight into where awareness training may need to be improved.
Action: Monitor and conduct periodic spot checks to ensure policies and procedures are being followed.
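As an added example (not from the post or its author), here is a small Python script that supports the footprint and retention actions above: it inventories a directory tree, groups identical copies of a file by SHA-256 so stray copies of “file A” can be consolidated, and flags files older than a retention window. The directory layout, file names and the 365-day retention value are constructed for the example and would come from your own data inventory and retention policy.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict

RETENTION_DAYS = 365  # assumed policy value; take it from your retention policy


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Walk root and return {sha256: [paths]} so identical copies group together."""
    groups = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            groups[sha256_of(path)].append(path)
    return groups


def duplicate_copies(groups):
    """Keep only content that exists in more than one place: the footprint to shrink."""
    return {h: sorted(paths) for h, paths in groups.items() if len(paths) > 1}


def past_retention(root, retention_days=RETENTION_DAYS, now=None):
    """List files whose modification time is older than the retention window."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    stale = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                stale.append(path)
    return sorted(stale)


def build_sample_tree():
    """Constructed sample: one payroll file copied into three locations, plus one stale file."""
    root = tempfile.mkdtemp(prefix="footprint_")
    payroll = b"employee,routing,account\nalice,PLACEHOLDER,PLACEHOLDER\n"
    for sub in ("laptop", "shared_drive", "mailbox_export"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "payroll.csv"), "wb") as f:
            f.write(payroll)
    old = os.path.join(root, "shared_drive", "budget_2015.xlsx")
    with open(old, "wb") as f:
        f.write(b"old spreadsheet")
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(old, (two_years_ago, two_years_ago))  # backdate mtime past retention
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for digest, paths in duplicate_copies(inventory(root)).items():
        print(f"{len(paths)} copies of {digest[:12]}...:")
        for p in paths:
            print("   ", p)
    print("past retention:", past_retention(root))
```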

The bottom line is, treat the company’s data, as well as your clients’ data, as if it were your own. Think of it as a game of “keep-away” from potential perpetrators. Implement these low-cost initiatives to get well on your way to keeping your data and your clients’ data protected. Corporate executives and your clients will be glad you did.

About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.

Category: Security Published: 6/20/2019 2:55 PM
Category: ISACA

How to Properly Review an SOC Report

ISACA Now Blog - 2019年06月19日 03:08:46

As a follow-up to a blog post previously published by The Mako Group’s Chief Audit Executive, Shane O’Donnell, let’s dig a little deeper into what you should be reviewing when you receive your vendors’ SOC 1, SOC 2 or SOC 3 reports.

Each SOC (System and Organization Controls) report follows a basic outline. You will find the vendor’s management assertion, the independent service auditor’s report, the vendor’s description of its system, and a listing of controls tested. Below are some key points to focus on when reviewing your vendors’ SOC reports.

Who Issued the Report?
When noting who issued the report, there are two important factors to be considered. First, according to the AICPA, only CPA firms can issue SOC reports. A licensed CPA firm must undergo peer reviews at least every three years. A peer review includes a review of the firm’s accounting and auditing practices to ensure they are meeting AICPA standards.

While it is important to ensure that the firm issuing the SOC report is a licensed CPA firm, there is a second, yet equally important, point to be considered. Does the firm or individual issuing the report have information technology or information security certifications? It is important to understand that SOC reports are information security related audits. These are very different from the financial audits that CPA firms typically perform.

You can encourage your vendors to engage with a CPA firm that specializes in information security. Look for certifications, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC), to name a few. These certifications are rigorous and demonstrate expert knowledge of cybersecurity and information security.

What Is the Auditor’s Opinion?
Within the SOC report, you will find an independent service auditor’s report. In this section, the auditor documents the overall opinion regarding the vendor’s system, including whether the system description was presented fairly, and whether the vendor’s controls are suitably designed and functioning as expected. The auditor’s opinion is the main reason for an SOC report, so it is important to understand the meanings of the different opinions.

There are four possible ways that the auditor can present the opinion:

  • Unqualified: The auditor fully supports the findings, with no modifications.
  • Qualified: The auditor cannot express an unqualified opinion; however, the issues are not pervasive.
  • Adverse: The auditor believes that there are material and pervasive issues. Report readers should not rely on the vendor’s system.
  • Disclaimer: The auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.

The most important point to keep in mind is that you want an unqualified opinion. If any other type of opinion is found, you should also find a separate paragraph to describe the reasons for the opinion and evaluate the impact of the qualifications.

What was Included in the Audit?
Within the SOC report, the vendor will provide a description of the system in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. Due to familiarity with your vendor’s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit. From there, you can determine if it is important to the security of your system and/or data.

Were Any Relevant Exceptions Noted?
Each type of SOC report will include the relevant exceptions noted during testing. This is arguably the most important element of a SOC report. You must decide which of your vendor’s controls are critical to your organization and evaluate if there are any exceptions noted in those critical areas. If you find exceptions and determine they are critical to the security of your organization’s data, you must determine the impact these will have to your organization’s security.

Category: Security Published: 6/19/2019 3:03 PM
Category: ISACA

Patch Management Practice

Journal Author Blog Posts - 2019年06月18日 03:21:08

Unpatched systems represent a very serious IT security threat with potentially severe consequences, as documented in a large number of high-profile breaches that exploited known, unpatched vulnerabilities. Since these vulnerabilities are known not just to attackers but also to system administrators, and since patches exist, it is at first glance surprising that unpatched systems exist at all. The reality, however, is that patching is not that simple. Because of interdependencies, it must be verified that a patch is compatible with everything else in the system, e.g., an operating system patch must be compatible with the applications and databases running on top of the operating system. Sometimes they are not, as was seen, for instance, with the recent Spectre and Meltdown vulnerabilities, where some application providers explicitly warned against patching. Verification means testing by the other vendors involved, and this may not be a high priority for the application vendor; an answer or full solution sometimes comes only with the next release. Today’s organizations typically employ a large number of systems and applications, and making sure all of them are patched promptly is not automatic.

In light of this situation, organizations need to bolster the first line of defense, i.e., do everything possible to ensure prompt patching and, in addition, prepare a second line of defense to deal with systems that cannot or will not be patched in a reasonable time frame. Such a strategy could entail:

  • Involve high-level management, who need to be aware of the risk, and attempt to obtain contractual guarantees that patch issues will be addressed promptly, whether in the vendor’s own system or application or in other systems it depends on. Evaluate vendors in this respect.
  • Establish a clear line of ultimate responsibility for patching. This involves appointing someone to monitor and assess the patching risk and empower that person to carry out this task. This involves, among others, an architectural map of the systems, their function, criticality and exposure (e.g., Internet-facing) plus interconnections, as well as a monitoring tool carrying out regular scans with respect to patching. 
  • Contact the vendors regarding patch testing, compatibility and availability, and possibly carry out tests internally if necessary.
  • Propose blacklisting unresponsive vendors.
  • Propose and implement (in cooperation with relevant company units) alternative mitigating measures in case patching is not possible in a reasonable time frame. Such measures could involve agents in the unpatched systems to block exploits (although this is unlikely to be accepted by the vendor), putting patched intermediate servers in the path to the Internet to inspect incoming traffic, and using web application firewalls (WAFs) or sandboxing-type solutions, always taking into account possible performance issues.
  • Especially if one must live with unpatched systems, monitoring and responding to rogue activities gains importance.

Read Spiros Alexiou’s recent Journal article:
“Practical Patch Management and Mitigation,” ISACA Journal, volume 3, 2019.

Category: Security Published: 6/17/2019 3:11 PM Author: Spiros Alexiou, Ph.D., CISA, CSX-F, CIA
Category: ISACA

ISACA’s Future Brimming With Opportunity

ISACA Now Blog - 2019年06月15日 00:09:03

As my relationship with ISACA unfolded through various volunteer roles for the past 25 years, I have had the privilege of seeing the organization evolve – through good times and challenging times – just as many of us have experienced in our personal lives and careers.

I’ve stayed with ISACA for the long haul because regardless of the hot technology or top-of-mind regulation of the day, I have consistently been proud to serve a global organization that provides the resources needed to advance business technology professionals’ careers and strengthen the technology workforce, while addressing some of the biggest challenges in our industry.

Now that ISACA is celebrating its 50th anniversary, the math is not lost on me that I have been part of this organization for half of its illustrious history. It is an honor to begin my term as chair of the ISACA board of directors at such a consequential time for our professional community and the organizations that they serve. Whether it is helping to shape the future of IT audit, evangelizing an executive-sponsored approach to data governance, navigating the rise of automation or promoting the need for our professional community to be lifelong learners, ISACA is well-equipped to make a profound impact in the years to come. Best of all, we have so many avenues through which our professional community can set that impact in motion.

From chapter leadership roles, which I have experienced first-hand through ISACA’s Denver Chapter, to hands-on advocacy opportunities, to championing our SheLeadsTech program, and so much more – ISACA’s breadth of experiences provides a terrific complement to the organization’s core credentialing, learning and professional development resources.

One of ISACA’s greatest strengths is its diversity. Diversity will be the key to solving many of the current and future challenges in our fields, especially security. ISACA will be taking more concrete actions in this area and will serve a central role in this space. Having diverse teams – including gender, race and ethnicity – and diverse perspectives is critically important, and you will see more from me on this in the coming year.

As I begin this new role as board chair, I want to extend deep appreciation to my predecessor, Rob Clyde, whose wisdom and passion for this organization will remain tremendous assets going forward. Fortunately for all of us, Rob will remain part of the board of directors. I look forward to teaming with a talented and purpose-driven mix of board members (as listed below) in the year ahead:

2019-2020 ISACA Board of Directors

  • Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, chair; Vice President - Customer Support Services Security Risk Management for Oracle Corporation
  • Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, vice chair; Partner and CEO, Forfa Consulting AG
  • Tracey Dedrick, director; former Chief Risk Officer, Hudson City Bancorp
  • Pam Nigro, CRMA, CISA, CGEIT, CRISC, director; Senior Director, Information Security, GRC Practice, Health Care Service Corporation (HCSC)
  • R.V. Raghu, CISA, CRISC, director; Director of Versatilist Consulting India Pvt. Ltd.
  • Gabriela Reynaga, CRISC, CISA, GRCP, director; Founder and CEO of Holistics GRC Consultancy
  • Greg Touhill, CISM, CISSP, Brigadier General (ret), director; President of Cyxtera Federal Group, Cyxtera Technologies
  • Asaf Weisberg, CISA, CRISC, CISM, CGEIT, director; Founder and CEO, IntroSight
  • Tichaona Zororo, CISA, CISM, CGEIT, CRISC, COBIT 5 Certified Assessor, CIA, CRMA, director; Director, IT Advisory Executive with EGIT | Enterprise Governance of IT (Pty) Ltd.
  • Chris Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director and 2015-17 board chair; Group Chief Services and Delivery Officer at INTRALOT
  • Rob Clyde, CISM, NACD Board Leadership Fellow, director and 2018-2019 board chair; Managing Director, Clyde Consulting LLC
  • David Samuelson, ISACA Chief Executive Officer

Working together with nearly a half-million engaged professionals around the world and ISACA’s professional staff, the board is committed to driving toward an ambitious and promising future. The work that ISACA’s professional community performs in audit, governance, risk and security not only is essential to the success of the organizations that we serve, but also is becoming central to the health of our broader society as artificial intelligence and other high-impact technologies become pervasive.

ISACA has experienced remarkable growth during the 25 years in which I have been an active volunteer. During that time, the technology environment has become much more complex as we have ushered in the era of digital transformation and growing cyber threats. This change environment, and the corresponding challenges that have been created, provides a healthy sense of urgency to ensure that ISACA delivers even greater value to our professional community. In a world increasingly reliant on securely and effectively leveraging technology, the need to help professionals and their enterprises around the world realize the positive potential of technology provides a shared sense of purpose, and I am proud to play a part in this important work.

Category: ISACA Published: 6/17/2019 9:57 AM

Three Steps to Begin Transforming Your Cybersecurity Program

Journal Author Blog Posts - 2019年06月14日 00:33:23

The nature of risk management has changed over the past 2 decades. Previously isolated IT infrastructures are more connected with the outside world, and organizations face an ever-expanding threat landscape. Most organizations operate in a reactive mode, typically driven by an outside-in fear and avoidance approach where priorities are based on the latest known threat or new regulation. The challenge with this approach, in addition to it being reactionary and driven by outside forces, is that it promotes a keep-the-lights-on mentality, results in an inefficient use of resources and distracts from the priority of protecting an organization’s most critical data assets.

The motivation is primarily the fear of fines and reputational risk. For a security program to succeed and reduce information technology risk, a focus on driving business value by effectively mitigating risk wherever it may live is preferred.

The Risk IT Framework developed by ISACA includes the following core principle: Make IT risk management a continuous process and a part of daily activities.

This tenet is prescient because today’s threat landscape never sleeps. Digital transformation, SensorNet, cloud and DevOps are creating dramatically expanding attack surfaces. Attackers are constantly looking for a way in, and employees are finding new ways to accidentally expose sensitive information. Annual penetration tests or security reviews do not cut it. Regulatory-focused security programs cannot keep up. So how can organizations move from a reactionary approach to a proactive, risk-centric program?

  1. Know your business—Understand what information is most important to the organization. Understand what information assets drive the business and need more protection. One-size-fits-all security is not effective and can add substantial costs when it is not warranted. Talk to internal department leaders and get to know how security programs can add value to their lines of business.
  2. Conduct a comprehensive risk assessment—Doing so will uncover where gaps in your existing programs are against appropriate regulations, standards and best practices. An assessment will provide a risk model to help identify the most likely attackers, assets they are most likely to go after and the overall impact to the organization in case of an incident.
  3. Do not stop at a checklist—While a thorough assessment will provide a list of items to be addressed, move beyond a simple checklist. Each identified gap should be surrounded by control, planning and continuous risk monitoring.

Information security and risk management are not easy fields in which to succeed. These 3 basic steps can help you start transforming your organization’s approach to cybersecurity. The benefits of doing so include reducing security technology clutter, minimizing operational expenditures, and creating a program that is business aligned and more effective at reducing risk.

Read Brian Golumbeck’s recent Journal article:
“Moving Risk Management From Fear and Avoidance to Performance and Value,” ISACA Journal, volume 3, 2019.

Category: Security Published: 6/13/2019 3:03 PM Author: Brian Golumbeck, CRISC, CISM, CCSK, CISSP, ITIL Foundation
Category: ISACA