@ISACA Volume 2  28 January 2015

Experience a Conversation With ISACA Journal Authors


The ISACA Journal strives to find new ways to bring you the information you need. In addition to providing new weekly online-exclusive content, the ISACA Journal is introducing a podcast to accompany each volume of the Journal. These podcasts are conversations with Journal contributors in which they discuss their recent articles and current events related to their profession. The podcast gives Journal readers an opportunity to experience the more personal side of their favorite contributors and learn from their expertise.

In the volume 1 podcast, we have a conversation with “Information Security Matters” columnist Steve Ross, CISA, CISSP, MBCP, about his ISACA Journal volume 1 column, “Microwave Software.” In an informative, engaging and entertaining way, Ross discusses the dangers outdated software can pose, the attacks against JP Morgan Chase, and how cybersecurity is different from and similar to information security challenges that have occurred in the past.

To listen to the podcast, visit the ISACA Journal page of the ISACA web site.


How to Respond to Data Breaches

By Leighton Johnson, CISA, CISM, CIFI, CISSP
The primary goals of any incident response effort often get lost when responding to outside events, especially those involving data breaches. This confusion may occur because everyone is, due to statutory and regulatory requirements, focused on notifying affected customers. The 7 standard steps for breach response are:
  1. Detect incidents quickly—In today’s world, rapid detection of data exfiltration (data going “out the door”) is vitally important. We see many cases where the sooner the data breach is detected, the smaller the resultant effects are on the organization and its clients and customers.
  2. Diagnose incidents accurately—The breach response team starts its processes by determining factors such as the breadth and scope of the breach, which records are affected and what levels of data have been released. Several areas of focus can help in this effort:
    • Determine scope—Areas to look include customer data, corporate data repositories, external interface transactions and logs, along with online records and transactions.
    • Identify units affected.
  3. Manage the response properly—The response efforts for breaches are commonly viewed as major events for the corporation or organization. The incident response plan that has been developed by the organization needs to be followed to ensure all areas, notifications and activities are completed and not overlooked during the event. It should address:
    • Internal response—The primary guide for the response is the corporate incident response plan that has been previously developed. This document should include all areas of the organization, their requirements for actions during the response, and listings of the key operational and corporate-level personnel to be included in the response effort. All areas of the organization that have indicators of the breach will need to be identified, evaluated and remediated, if necessary, so all parts of the organization must be included in the response.
    • External notification—All affected and required external entities, including, if necessary, regulatory and statutory organizations, will need to be notified as soon as legally required once the breach event is identified and the organization moves into the response activities.
  4. Contain and minimize damage—Once the event has been identified and its full scope is realized, the next major step in the response effort is to contain the event, isolating it from the rest of the organization in order to minimize its effects. Often this is a straightforward but challenging task to accomplish due to the extent of the IT equipment and systems potentially affected and the corporate crisis management mentality that tends to surround the event.
  5. Restore affected services—Once the breach is contained, then the response moves to returning the organization to normal business operations. The 1st activity is to remove and eradicate the cause of the breach once it is identified and isolated. Otherwise, the business continuity plan (BCP) should be initiated for the affected areas and the recovery processes should begin. Recovering is critical to getting all the affected services back to normal operations.
  6. Determine root causes—Several options are available here, depending on what kind of breach occurred. If the breach was the result of an internal issue, then collect all evidence of the breach for forensics investigators to evaluate and assess. The 2 areas of investigation are forensics and malware analysis.
  7. Implement improvements to prevent recurrence—At the end of the response effort is the wrap-up and the review. These efforts include finalizing the report that is necessary for compliance and notification reporting. One major focus is the need for the organization to learn from the event and improve their response. Most times, this effort is accomplished through meeting with the responders and key organizational personnel and reviewing the actions taken during the response. This should focus on doing better next time, rather than placing blame on any single person or entity.
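Step 1 turns on how quickly unusual outbound data movement is noticed, and step 2 on knowing which hosts and units are involved. The following is an added example, not code from the article or from the author, of a minimal egress-volume detector run over a few constructed proxy log lines. Everything in it is an assumption of the example: the log format (`timestamp source_host destination bytes_out`), the per-host daily baselines, the approved-destination list and the `RATIO` multiplier that decides what counts as anomalous.

```python
"""Added example (not from the ISACA article): flag hosts whose outbound
volume or destinations look like data going "out the door", then list
the hosts that need scoping. All data and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

RATIO = 5.0  # assumption: more than 5x the daily baseline is anomalous

# Constructed sample log: space-separated "<ISO timestamp> <src_host> <dst_host> <bytes_out>".
SAMPLE_LOG = """\
2015-01-27T09:01:10Z ws-finance-07 crm.example-partner.com 120000
2015-01-27T09:05:44Z ws-finance-07 crm.example-partner.com 90000
2015-01-27T10:12:03Z ws-hr-02 payroll.example-partner.com 45000
malformed line that the parser must skip
2015-01-27T22:40:51Z ws-finance-07 files.unknown-host.example 900000000
2015-01-27T22:41:30Z ws-finance-07 files.unknown-host.example 850000000
"""

# Constructed baselines: typical daily outbound bytes per host.
BASELINE_BYTES: Dict[str, int] = {"ws-finance-07": 250_000, "ws-hr-02": 60_000}

# Constructed allowlist of approved external destinations.
APPROVED_DESTINATIONS: Set[str] = {"crm.example-partner.com", "payroll.example-partner.com"}


@dataclass
class Alert:
    host: str
    reason: str   # "volume", "destination" or "no-baseline"
    detail: str


def parse_log(text: str) -> List[dict]:
    """Parse log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric byte count: skip the line
    return records


def detect_exfiltration(records: List[dict],
                        baseline: Dict[str, int] = BASELINE_BYTES,
                        approved: Set[str] = APPROVED_DESTINATIONS,
                        ratio: float = RATIO) -> List[Alert]:
    """Compare each host's outbound total with its baseline and check destinations."""
    totals: Dict[str, int] = defaultdict(int)
    unapproved: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        totals[r["src"]] += r["bytes"]
        if r["dst"] not in approved:
            unapproved[r["src"]].add(r["dst"])

    alerts: List[Alert] = []
    for host, total in sorted(totals.items()):
        base = baseline.get(host)
        if base is None:
            # A host with no baseline cannot be judged "normal"; surface it for triage.
            alerts.append(Alert(host, "no-baseline", f"{total} bytes out, no recorded baseline"))
        elif total > ratio * base:
            alerts.append(Alert(host, "volume",
                                f"{total} bytes out vs baseline {base} (x{total / base:.1f})"))
        for dst in sorted(unapproved.get(host, ())):
            alerts.append(Alert(host, "destination", f"sent data to unapproved destination {dst}"))
    return alerts


def affected_hosts(alerts: List[Alert]) -> List[str]:
    """Step 2 scoping aid: the distinct hosts that raised at least one alert."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = detect_exfiltration(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a.reason}] {a.host}: {a.detail}")
    print("hosts to scope:", affected_hosts(found))
```

In the constructed data only ws-finance-07 trips the detector, on both counts: its late-evening transfers are far above its baseline and go to a destination not on the approved list, while ws-hr-02 stays quiet. The two-signal design matters in practice: a host below its volume threshold can still be flagged by destination alone, and a host that has no baseline at all is reported rather than silently treated as normal.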

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


Mobile-related Identity Management Strategies Presented at Webinar


The most likely source of a data breach is an internal actor—an employee, contractor or partner. And although employees may unintentionally cause a data breach, it is important to have an identity management strategy in place to minimize this risk. To help organizations accomplish this task, ISACA has partnered with Oracle to create the “Manage, Monitor & Audit: The Mobile User” webinar. The webinar will take place on 12 February at 11AM CST (UTC -6 hours). Members can earn 1 continuing professional education (CPE) hour by attending the webinar and completing a related quiz.

Mark Wilcox, senior principal product manager for Oracle Identity Management, will lead this webinar. Wilcox has spent the past decade working on delivering effective identity and access management solutions. During this webinar, he will discuss the way that mobile devices affect enterprise security. This webinar will also look at the role of mobile devices in an identity management strategy and what can be done to mitigate the risk that mobile devices present.

To learn more about this webinar or to register for it, visit the Manage, Monitor & Audit: The Mobile User page of the ISACA web site.


Share Your ISACA Certification Achievements


ISACA’s certifications combine the achievement of passing an exam with proven work experience, giving you the credibility you need to advance in your career. Certification proves to employers that you have what it takes to add value to their enterprise. In fact, many organizations and governmental agencies around the world require or recognize ISACA’s certifications.

For those who hold an ISACA certification, share your achievements, gain visibility in the workplace and enhance your professional credibility—accept and share your ISACA certification badge(s) on social media sites such as LinkedIn and Facebook. You can learn more about ISACA badges on the Open Badges page of the ISACA web site.

Since its inception, ISACA has become a pacesetting global organization for IT governance, control, security and audit professionals. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 110,000 professionals. The Certified Information Security Manager (CISM) certification uniquely targets the information security management audience and has been earned by more than 25,000 professionals. The Certified in the Governance of Enterprise IT (CGEIT) designation promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge and has been earned by more than 6,000 professionals. The Certified in Risk and Information Systems Control (CRISC) designation, for those who identify and manage risk through the development, implementation and maintenance of information systems controls, has been earned by more than 17,000 professionals.

If you do not currently hold an ISACA certification, you can boost your earning potential and start on the path to being recognized as an expert in your profession by taking the first step to achieving certification—registering to take the exam.

Registration is now open for the 13 June 2015 exam on the Exam Registration page of the ISACA web site. You can save US $50 by registering by the early registration deadline of 11 February.

Learn more on the Certification page of the ISACA web site.


Act Now and Submit 2015-16 Volunteer Applications


Your opportunity to submit an application for the 2015-16 volunteer term will soon come to a close. The invitation-to-participate application period ends on Thursday, 12 February 2015. Act now and apply to participate on one of ISACA’s volunteer bodies.

Volunteering provides you an opportunity to collaborate with peers around the world, ensuring successful certification programs, insightful research and guidance, comprehensive and timely education programs, and representative professional standards.

The selection of volunteers is based on the resources needed in support of ISACA’s strategy and the responsibilities of its volunteer bodies, the relevant professional background of the candidates and ISACA’s desire to reflect a global perspective. All appointments are for a 1-year term and are ratified by ISACA’s Board of Directors.

Help shape the future of your profession. For more information on joining an ISACA volunteer body and to apply to be an ISACA volunteer, visit the Join an ISACA Volunteer Body page of the ISACA web site. Don’t delay!


Develop Your Personal Brand With a CISA Certification

Vernon Mark Lomberg, CISA, CA, Senior Audit Manager, Shares His Experience as a CISA

The Certified Information Systems Auditor (CISA) certification helped Lomberg’s career by giving his expertise more credibility. “The certification gave me the all-around knowledge to be a good IT auditor because it covers each area in depth,” he says. “It also provides the recognition to others that you have the IT knowledge to apply in the real world.”

Having the CISA certification has enabled Lomberg to develop his personal brand, which has shaped his career. “My CISA gave me credibility when I was in a professional services firm and allowed the firm to promote me to clients more effectively,” he says. “The certification has also been a very strong personal brand differentiator with regard to information technology and was an important factor in securing an audit role at Westpac New Zealand.”

Lomberg finds his career rewarding because he can see how the work he does has a large impact on the business overall. “One of the best parts of my job that I feel really makes a difference is identifying technology issues which were not apparent to management and helping them find pathways to address the issues, taking into account organizational and funding constraints,” he says. “Being able to see the effect on the business when these are resolved is very rewarding.”

While his career is rewarding, it can be challenging at times. Having a CISA certification has helped Lomberg rethink the way he approaches IT issues. “Sometimes technology-related problems can be complex and difficult to resolve,” Lomberg says, “but the CISA certification has really helped me identify the causes and work through the solutions with the organization.”

To learn more about the CISA certification, visit the Certification page of the ISACA web site.


Book Review: Applied Cyber Security and the Smart Grid

Reviewed by Ibe Etea, CISA, CRISC, ACA, CFE, CIA, CRMA, ISO 9001:2008 QMS

Applied Cyber Security and the Smart Grid by Eric D. Knapp and Raj Samani explores a relatively new information security topic. This book is a valuable resource considering the relevance of the smart grid not just to the information security realm, but also to modern existence and industry.

The book gives readers an introduction to the essential infrastructure of the smart grid. It provides detailed insight into inherent weaknesses within the power generation and smart grid infrastructure and provides the reader with essential tools required to protect smart grid information from malicious cyberattackers. This book’s references to the smart grid, its components and the related information security issues affiliated with smart grid operations give practitioners an important overview that would be useful in practice.

This book has 8 chapters, dual appendices covering reference models and architectures, and an index of continued reading. The book begins by introducing the smart grid and the key concepts related to it, including its components; the network architecture behind its generation, transmission and distribution; and its operational protocols. The book also covers hacking techniques used against the smart grid while addressing the privacy concerns associated with it. It includes a discussion of supervisory control and data acquisition (SCADA) and industrial control systems (ICS). In addition, the book includes a thorough discussion of securing the smart grid.

Since this book is focused almost entirely on smart grid infrastructure, it does not have on-the-job relevance for all IT professionals. But, as the smart grid is becoming more relevant, it serves as a foundation to understand this emerging field of technology. The book concludes by outlining the possible future of the smart grid and how it will affect information security, and this is a major strength of this book—all IT professionals can learn how the future will be shaped by the smart grid.

Applied Cyber Security and the Smart Grid is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, ACA, CFE, CIA, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).