Thank You for Another Great Year
ISACA members, you make this organization great. Without your ideas and your contributions, ISACA could not advance the profession. Your participation in the Knowledge Center, attendance at chapter meetings and presence at conferences provides the platform for ISACA to listen to your professional needs and create the resources to make your job easier. Be sure to renew your membership so that you can continue to benefit from ISACA’s numerous tools.
"In every quarter of 2014, ISACA produced new resources to answer your questions and help you advance your career"
- First quarter: ISACA published the white paper Generating Value From Big Data Analytics, which explains how increased competitiveness and transformative results are achieved through imaginative uses of preexisting data.
- Second quarter: Cybersecurity Nexus (CSX) was announced and will keep you informed about increased threats and vulnerabilities.
- Third quarter: COBIT 5 Online was launched to improve the implementation of governance and management of enterprise IT (GEIT).
- Fourth quarter: The Cybersecurity Fundamentals Certificate was introduced so you can demonstrate your expertise within the cybersecurity field.
Thank you for being part of these advancements to the IS profession. In 2015, we will continue to offer the resources you need to excel in your career. We look forward to another productive year with you. To renew your membership, visit the Membership page of the ISACA web site.
Understanding Data Encryption
By Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP
All too often, I hear complaints about encryption, such as “It's too hard to encrypt the simple stuff,” or “Why can't somebody invent a way to give each person his or her own key?” Looking more closely at how encryption works could lead to a better understanding of why encryption works the way it does.
There really is no simple formula for applying encryption, since its uses vary so widely. The most common use of encryption is confidentiality (privacy). This is where information, through the use of an algorithm and a key, is transformed from clear text into cipher text. Decryption, the reverse transformation of cipher text back into clear text with the corresponding key, is the other half of that same use.
The next most common use is data integrity. Using this technique, information is run through a cryptographic hash function, which leaves the clear text unchanged and produces a fixed-length hash (digest) that represents the information. If the information were to be altered, the hash would be different. Note that an unkeyed hash detects only accidental corruption: an attacker who can modify the data can just as easily recompute the hash, so detecting deliberate tampering requires a keyed message authentication code (MAC) or a digital signature. Signing the information with a private key also achieves nonrepudiation (the ability to say a particular individual sent the information and that the information has integrity), which a MAC cannot provide, since every holder of the shared key could have produced the tag.
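The difference between a bare hash and a keyed MAC is easiest to see by playing both sides. The following Python script is an added example, not code from the article or from ISACA; it uses only the standard library. The payment record, the attacker's edit and the "guessed key" are constructed for the illustration. A digital signature (the nonrepudiation case) is not shown, because it needs a public-key library that the standard library does not provide.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, not taken from the article.
RECORD = b"pay 100.00 to account 12345"


def sha256_hex(data: bytes) -> str:
    """Unkeyed SHA-256 digest: fixed length, changes if any byte of data changes."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of key can compute or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_hash_record(data: bytes, stored_digest: str) -> bool:
    """Verifier that trusts a bare hash stored next to the data."""
    return sha256_hex(data) == stored_digest


def check_mac_record(key: bytes, data: bytes, stored_tag: str) -> bool:
    """Verifier that holds the key. compare_digest runs in constant time so
    the comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_hex(key, data), stored_tag)


def tamper(data: bytes) -> bytes:
    """Attacker's edit: redirect the payment to another account."""
    return data.replace(b"12345", b"99999")


def hash_only_attack(data: bytes) -> bool:
    """Attacker can write both fields of a (data, digest) record. No secret
    is involved, so recomputing the digest makes the forgery verify.
    Returns True if the verifier accepts the forged record."""
    forged = tamper(data)
    return check_hash_record(forged, sha256_hex(forged))


def mac_attack(key: bytes, data: bytes, genuine_tag: str) -> bool:
    """Attacker can write both fields of a (data, tag) record but lacks key.
    Tries the genuine tag, an unkeyed hash and a tag under a guessed key.
    Returns True if any forgery is accepted."""
    forged = tamper(data)
    forgeries = [genuine_tag, sha256_hex(forged), hmac_hex(b"guessed key", forged)]
    return any(check_mac_record(key, forged, f) for f in forgeries)


def demo() -> dict:
    key = secrets.token_bytes(32)          # shared between producer and verifier
    genuine_tag = hmac_hex(key, RECORD)
    return {
        "genuine_record_verifies": check_mac_record(key, RECORD, genuine_tag),
        "hash_only_forgery_accepted": hash_only_attack(RECORD),
        "mac_forgery_accepted": mac_attack(key, RECORD, genuine_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the genuine record verifying, the hash-only forgery being accepted and every MAC forgery being rejected. The MAC still does not tell a third party which key holder produced the tag; for that, the producer must sign with a private key that only it holds.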
In today’s commercial use, data encryption has progressed from the weaker algorithms of the past to the stronger algorithms of today, evolving from the Data Encryption Standard (DES) and Triple DES (3DES) to the Advanced Encryption Standard (AES). These standard algorithms follow Kerckhoffs’s principle, which states: A cryptosystem should be secure even if everything about the system except the key is known.
Ultimately, understanding encryption is a study in itself. Entire organizations are dedicated to studying the algorithms, the generation and management of keys, and their application. The following are some important points to remember when working with encryption:
- Encryption does not protect data indefinitely. Select an algorithm and key length that are strong enough to protect the data until the value of the data approaches 0, allowing for advances in computing power and cryptanalysis over that period.
- Select 1 of the newer, publicly reviewed encryption algorithms and an implementation that has been certified as being implemented correctly. Note that the certifying organization and the implementing organization should be independent of one another. It has been alleged that a certifying organization recently promoted an algorithm with a known backdoor so that it could facilitate monitoring.
- Diligence in generating the key, whether a symmetric secret key or the private key behind a root certificate, is critical. This decision is as important as the strength of the algorithm: the key must come from a cryptographically secure random number generator and carry the full entropy its length implies. A key derived from a guessable value, such as a password or PIN, is no stronger than that value, whatever the algorithm.
- Symmetric algorithms have a lesser impact on performance. Asymmetric algorithms are orders of magnitude slower. To improve performance, systems built on asymmetric algorithms usually encrypt the bulk data with a symmetric algorithm and use the asymmetric algorithm only to exchange or wrap the symmetric key (hybrid encryption), as TLS does.
- It is critical to protect the root certificate’s private key and the secret key. Data that were encrypted with the secret key are lost if the secret key is lost. In addition, if either key is compromised, the whole encryption infrastructure built on it is compromised. To limit this exposure, never keep the root private key online; use it offline and only to sign subordinate keys. Unfortunately, the secret key must be online to be used; holding it in a hardware security module (HSM) that performs the operations without exporting the key limits what a compromise of the host can take.
- Private (proprietary) encryption algorithms are in use for data at rest and data in transmission. The strength of these algorithms and implementations is usually not known, since the algorithm is held in secret along with the key, which runs counter to Kerckhoffs’s principle. They are sometimes chosen by those who want to lower their visibility on the net. The common view is that secrecy of the algorithm may add protection in the short term, until the algorithm is reverse engineered or leaks, but not in the long term, because an algorithm that has not had public review is likely to retain weaknesses that a standard algorithm would have had removed.
- When an encryption algorithm is reported to be broken, it may or may not mean the algorithm itself was fully compromised. The break may instead exploit a poor implementation of the algorithm, a weak key, or a narrow condition such as a reused key or a limited amount of cipher text. It is important to understand the assumptions that were provided as part of “breaking” the algorithm before deciding how much of the report applies to your own use.
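The points about key selection and about what a reported "break" really means can be combined into one exercise: a strong algorithm keyed from a 4-digit PIN falls to exhaustive search, while the same algorithm keyed from a random 256-bit value does not. The script below is an added example, not the article's or ISACA's code. It uses HMAC-SHA256 from the Python standard library as a stand-in for any keyed algorithm; the message, the fixed salt, the PIN length and the low PBKDF2 iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
from typing import Callable, Optional

# Constructed sample inputs, not taken from the article.
MESSAGE = b"constructed sample message"
SALT = b"constructed-fixed-salt"
PIN_DIGITS = 4


def key_from_pin(pin: str) -> bytes:
    """Weak key generation. The result is 256 bits long, but only
    10**PIN_DIGITS distinct keys can ever come out of it."""
    return hashlib.sha256(pin.encode("ascii")).digest()


def key_from_pin_stretched(pin: str, salt: bytes = SALT, iterations: int = 1000) -> bytes:
    """Same key space, but each derivation costs `iterations` HMAC calls.
    Real deployments use far more iterations; 1000 keeps the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations, dklen=32)


def strong_key() -> bytes:
    """Proper key generation: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for any keyed algorithm the attacker wants to break."""
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_pin(message: bytes, observed_tag: bytes,
                derive: Callable[[str], bytes] = key_from_pin,
                digits: int = PIN_DIGITS) -> Optional[str]:
    """Attacker's view: the algorithm and the key derivation are public
    (Kerckhoffs), and one message/tag pair was observed. Walk the whole
    PIN space and return the PIN whose derived key reproduces the tag."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(tag(derive(pin), message), observed_tag):
            return pin
    return None


def effective_key_bits(distinct_keys: int) -> float:
    """Security of a key is log2 of how many keys the attacker must try,
    not the length of the key in bits."""
    return math.log2(distinct_keys)


if __name__ == "__main__":
    observed = tag(key_from_pin("4271"), MESSAGE)
    print("recovered PIN:", recover_pin(MESSAGE, observed))
    print("random key recovered:", recover_pin(MESSAGE, tag(strong_key(), MESSAGE)))
    print("PIN-derived key, effective bits:", effective_key_bits(10 ** PIN_DIGITS))
    print("random 256-bit key, effective bits:", effective_key_bits(2 ** 256))
```

The search recovers the PIN in at most 10,000 guesses, with the algorithm itself untouched; a report that this scheme was "broken" would really be a report of a weak key. Key stretching with PBKDF2 multiplies the attacker's cost per guess but does not enlarge the key space, so the stretched variant is recovered too, only more slowly. Against the random key the same search returns nothing, because the space is 2^256 rather than 10^4.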
Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.
Board of Directors Holds Midterm Meeting
The ISACA Board of Directors held its midterm meeting in November 2014 in San Jose, California, USA. The location and timing of the meeting enabled the board to attend an education conference hosted by the Silicon Valley (California, USA) Chapter (several board members also spoke at the event) and to have dinner with chapter leaders from that chapter, and the Sacramento (California) and the San Francisco (California) chapters.
The board also hosted a roundtable for northern California chief information security officers (CISOs) focused on the topic of cybersecurity. The discussion centered on emerging threats and ways to address them, skills gaps, and what ISACA can do to try to address cybersecurity issues and needs.
At the board meeting, the board discussed the 2014 year-end financial projections and a first draft of the 2015 budget (which was also analyzed in detail later that weekend by the Finance Committee). Progress on the Cybersecurity Nexus (CSX) program was outlined, as were future plans for CSX, and a business case for a potential ISACA education foundation was presented. A theme of the meeting was concern over the number of strategic projects ISACA currently has underway (more than 100), on top of its business as usual, and there was agreement that further prioritization efforts are needed to ensure that ISACA’s human and financial resources are used responsibly and sustainably. Because of that concern, further consideration of the education foundation was deferred for a time.
Because this was the first board meeting of Matt Loeb, CAE, ISACA’s new chief executive officer (CEO), a good portion of the meeting was dedicated to hearing his initial observations, expectations and plans.
The next meeting of the ISACA Board of Directors will take place in late February 2015 in Mumbai, India. In addition to the meeting itself, plans are underway to engage with the Indian chapters and local government and industry leaders.
Certification Renewal Reminder
The end of the year is approaching and Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certification holders have until 31 December 2014 to earn any needed continuing professional education (CPE) hours to reach 2014 annual or 3-year cycle requirements. CPE can be reported in a single total or individually as it is earned. To complete your renewal for the 2015 year, visit the Report CPE page of the ISACA web site to report your 2014 CPE, and then visit the Renew page of the ISACA web site to submit your annual certification maintenance fee.
ISACA membership provides a number of ways to earn CPE, many of which are free to members. Completing ISACA Journal quizzes and attending webinars and virtual conferences offers you opportunities to earn CPE. CPE can also be earned by attending conferences and training courses, mentoring, and serving as an ISACA volunteer. To learn more about membership and CPE, visit the How to Report and Earn CPE page of the ISACA web site.
Book Review: Information Security Management Handbook, 2013 CD-ROM
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP
Information Security Management Handbook, 2013 is a comprehensive e-book stored on a CD-ROM. This intermediate-level book is targeted at information security professionals and auditors and contains content from previous editions of this e-book.
This handbook can serve as an information security learning guide. The latest edition has 27 new entries and includes every article published since the first edition in 1997.
It also has updates containing the latest developments in information security and recent changes to the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge. The information is presented in a cogent and clear manner using the 10 domains of information security as chapters of the book.
At 7,338 pages, the book has a great amount of documentation and reporting on the latest developments in information security.
The book includes articles from many well-known experts including Ray Kaplan, Paul Henry, Dan Houser, Ed Skoudis, Rebecca Herold, Mano Paul, Anton Chuvakin, Ken Shaurette and Tom Schleppenbach. The book is divided into 10 domains, each with extensive coverage including case studies, use cases, sample policies and metrics.
The strengths of the book include:
- Extensive coverage of the 10 information security domains with articles that facilitate the understanding required to stay 1 step ahead of evolving threats, standards and regulations
- Updates to its popular earlier editions with the information needed to address the vulnerabilities created by recent innovations and trends such as digital patient privacy, service-oriented architecture, cloud computing, mobile banking, digital wallets and near-field communications
- Annual updates to each edition. Apart from technology-specific items, the contents of this edition have a shelf life of about 5 years.
One shortcoming of this book is related to its extensive coverage. It can be hard for readers to navigate the book unless they have a specific topic about which they are looking for information. Further, the book may be too difficult for IT security beginners. Fortunately, it is a PDF and, thus, readers can search for keywords pertaining to their interests. The extensive glossary also helps readers understand the various terms used in the articles.
Information Security Management Handbook is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Joyce Chua, CISA, CISM, CITPM, ITIL, PMP, is a global IT compliance manager for GLOBALFOUNDRIES, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.