@ISACA Volume 11, 3 June 2015

Five Information Security Clauses to Include in Supplier Contracts


Supplier contracts need to include comprehensive information security-related clauses to ensure there are both revenue- and business-based incentives for suppliers to effectively implement and maintain appropriate security controls and capabilities. Regulatory requirements, outsourcing, customer expectations and attacks that use the IT supply chain as an entry point to compromise an organization’s information infrastructure and data assets have elevated the need for organizations to focus not only on their own risk and security capabilities, but also on those of their supply chain. Here are 5 types of security clauses that should be included in supplier contracts:

  1. Right to audit—“Trust, but verify” is a constant theme in the modern information risk and security strategy for most organizations. To ensure suppliers are not only implementing, but sustaining appropriate security measures, it is important to include language that allows the enterprise to audit suppliers either by themselves or through a mutually agreed-upon third party. The legal language to support these audits should provide for reasonable notice and focus audits within the scope of services that are being provided by the supplier. Right-to-audit clauses should also include a requirement to remediate any identified concerns and deficiencies within a commercially reasonable time frame.
  2. Software maintenance and accountability—In the case of an organization contracting a supplier to either develop new software or maintain custom software that another supplier has developed, it is important to ensure that security deficiencies will be remediated at the supplier’s cost within a reasonable time frame based on the severity of the issue. The covered time period should be extended and align with the expected useful life of the software that is being developed. In the case of a supplier taking over maintenance of custom software that was previously developed, either by the enterprise or another supplier, organizations can implement a reasonable time window, such as 2 years, before the supplier assumes the responsibility of addressing security issues at their cost. Until then, the supplier should be required to provide remediation of security issues within reasonable and mutually agreed-upon time frames at the organization’s cost.
  3. Verification of compliance—If you require your supplier to be compliant with regulatory requirements (e.g., the US Health Insurance Portability and Accountability Act [HIPAA], the US Gramm-Leach-Bliley Act [GLBA]) or industry standards (e.g., ISO 27001, Payment Card Industry Data Security Standard [PCI DSS]), it is recommended to contractually require them to demonstrate their compliance at least annually. This can be accomplished through reviews, attestations from the leadership team of the supplier, or opinion statements from mutually agreed-upon third parties who are hired to review the supplier’s risk and security capabilities.
  4. Disclosure of open-source software components—Many software and hardware technology solutions are developed using open-source components. Recent high-profile vulnerabilities found in open-source code, such as Heartbleed and Shellshock, have removed the romantic notions that previously existed regarding the high levels of security assumed to be associated with open-source components. It is important to have suppliers disclose an inventory of all open-source components (including the version number and acquisition source) included in the products and services they will provide. This allows the organization to make risk-based decisions on their use prior to purchase or implementation. If vulnerabilities are identified in these components, effective countermeasures can be developed and compensating controls implemented until the supplier has effectively remediated them.
  5. Flow-down attestation—It is important to ensure that vendors recognize the organization’s expectation that they monitor the security of their own vendors as well. Security is only as good as its weakest link. It is often difficult for an organization to monitor suppliers beyond its direct relationships, so it needs to rely on the supplier to do this itself. Explicit language must exist within the supplier agreements that requires appropriate security controls to be in place for any supplier (either direct or indirect) that has the ability to interact with the organization’s information infrastructure, data assets, and products and services.

John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


ISACA Webinar: Using SIEM for Threat Management


Security information and event management (SIEM) is vital for enterprises. Effective SIEM threat intelligence, visibility and integration can be used to detect breaches and develop a plan for combating them. ISACA and Intel Security have partnered to create the “Full Circle Threat Management With SIEM” webinar. This webinar will take place on 11 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

During this webinar, attendees will review the challenges that advanced attacks pose, benchmark their organization against other organizations and discover how SIEM can be used to defend against threats. Bart Lenaerts-Bergmans, group product marketing manager at Intel Security, and Terry Stuart, enterprise solutions architect at Intel Security, will lead this webinar. Lenaerts-Bergmans and Stuart will help attendees learn how to develop security strategies that effectively respond to attacks.

To learn more about this webinar or to register for it, visit the Full Circle Threat Management With SIEM page of the ISACA web site.


Practical Suggestions for Passing Certification Exams

By Kathleen Stetz, CISA, CISM, CRISC, PMP

As a teacher and mentor for exam preparation classes, I am often asked “What kind of questions will be asked and what do I need to know in order to pass the exam?” The individuals posing this question are excited to get started on the right path, and many of them purchase all available exam preparation books. Basically, they want to know how questions will be extracted from each domain within the body of knowledge.

Based on my experience helping people to prepare for these exams and my own success passing these professional certification exams on the first try, I suggest the following study approaches:

  • First and foremost, get into the mind-set of the professional organization that administers the test. Exam takers must put aside their preconceived ideas and methods, either based on their prior experience or those that may be suggested by their employers, for them to understand the standards and best practices offered by the profession. Taking exam preparation classes can certainly help to get you in the right frame of mind.
  • Get a holistic understanding of the body of knowledge. Having a high-level view of the material can help you identify the key deliverables for the major aspects that will be tested. Seeing the big picture can help test takers understand the main areas of focus. Additionally, the candidate can see how all of the functions and related processes fit together.
  • Take an operational risk view of the material. That is, understand the roles of people, processes, technologies and infrastructure of the body of knowledge as well as the adverse effects that can result if controls are not working effectively and determine the best course of action to take.
    • People—Gain knowledge of the roles and responsibilities of the key stakeholders involved with the processes throughout the body of knowledge within the discipline. This should also be extended to committees, officers, managers and quality assurance.
    • Process—Understand the key methods used within the body of knowledge. Having an end-to-end perspective of the input, transforming steps and the output for each domain helps with any sequencing questions.
    • Technology—Obtain an understanding of the types of technology used within each domain. Each technology that houses information must be protected according to the data classification to ensure data integrity, availability and confidentiality—the security attributes. The candidate must gain knowledge of the purpose of the technology before understanding the threats that can be imposed upon it and the potential consequences.
    • Infrastructure—Understand the organizational policies, principles, methods, approaches, governance and forms followed in the organizational context.
  • Practice by taking mock tests and sample questions. I tell my students to get their hands on as many sample questions as possible. Those materials offered by the certifying body are the best source, since questions are formatted similarly to the actual exam. I also warn students to be careful using some outside sources, since many questions are not constructed in the same manner as the certification test, which can lead test takers a bit astray and set some false expectations. Additionally, some certifications require an understanding of the calculations to derive the correct answer, while other examinations are only looking for a candidate to have a general understanding from more of a working application perspective. If possible, partner with others who are in the same situation and/or have already taken the exam. Everyone has their area of expertise and studying with subject matter experts (SMEs) can really help someone who may be less familiar with a particular topic. Since teaching others is one of the best methods for reinforcing your learning, this method helps both parties.
  • Most importantly, do everything possible to establish clarity of thought. That is, remain emotionally calm before the test is distributed. Remember that having a frustrating experience right before the exam can hinder your thought process. It is equally important to develop a positive mental attitude to gain the confidence needed to put yourself in the right mind-set. Upon entering the testing room, envisioning that you have already passed the test will help you to cultivate positive energy and thoughts. Being kind to yourself and others can help to relieve stress, so talk to people while waiting (if they are open to it) and be friendly.

Someone once told me that a definition of good luck is simply having opportunities that meet with your preparation, so study hard, believe in yourself, and go forth and conquer. And, do not forget to celebrate your success once you find out that you have passed.


Learn to Prevent Cyberattacks at CSX Webinar


Cyberattackers use a variety of techniques to damage enterprises. To help organizations understand how attackers think and adopt a prevention-based approach to cybersecurity, ISACA has partnered with Palo Alto Networks to create the “Crack the Code: Defeat the Advanced Adversary” webinar. This Cybersecurity Nexus (CSX) webinar will take place on 16 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Scott Simkin, senior manager of threat intelligence at Palo Alto Networks, will examine the anatomy of actual attacks and discuss strong security strategies. Because there is no template used to carry out advanced attacks, Simkin will discuss some of the strategies attackers use, the importance of an intelligence-based approach, and how to develop strong prevention and detection practices.

To learn more about this webinar or to register for it, visit the Crack the Code: Defeat the Advanced Adversary page of the ISACA web site.


Time Is Running Out to Vote on ISACA Bylaws


ISACA members have the opportunity to vote to approve the new bylaws until 6 June at 1AM CDT (UTC -5 hours). Votes can be cast by electronic ballot or by voting in person at the ISACA annual membership meeting on 6 June at the Steigenberger Grandhotel, 71 Avenue Louise, 1050 Brussels, Belgium, from 8 to 9AM CEST. ISACA’s vendor, Votenet Solutions Inc., emailed ISACA members their voting credentials. If you have not received your voting credentials, please contact bylaws@isaca.org.

For more information on the bylaws vote, visit the Bylaws page of the ISACA web site. Questions? Contact bylaws@isaca.org.


What Are Your Midyear Accomplishments?


June is the perfect time to review your midyear accomplishments. Are you meeting your career goals?

Assess your midyear accomplishments this week. Update your LinkedIn profile with your new skills and experiences. Join ISACA’s official LinkedIn group after you update your profile. Share ISACA’s group with your social networks to illustrate your commitment to professional excellence and to enhance your personal brand.

After reviewing your midyear accomplishments, track them in a document for your year-end review. Continue to add to your list of accomplishments by completing 2 webinars and earning free continuing professional education (CPE) hours before 2016.

Develop your soft skills within your ISACA network. Connect with other members inside the Knowledge Center or through your local chapter to brainstorm solutions, or lead a discussion about ISACA’s most recent publication. Add these activities to your list of accomplishments.

Make the last 6 months of 2015 count by using your ISACA membership to its fullest potential. If you are not an ISACA member, consider joining today at a discounted rate for membership through 2015.


Book Review: Auditing Cloud Computing: A Security and Privacy Guide

Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL

Information technology is evolving faster than regulatory/legal requirements and auditors can keep up. This gap means new information security and data privacy risks, which cannot be detected and mitigated if no one is aware of them. Auditors also face an increased audit risk if their knowledge and audit programs are not up to date. To narrow this gap for auditors, sharing the latest insights is key. Auditing Cloud Computing: A Security and Privacy Guide is a great resource to answer questions about auditing an outsourced computing environment and its related privacy protection.

This book is not just another publication riding the wave of cloud computing. It is a presentation of the practical experiences of 12 senior professional experts who have more than 170 years of combined experience in information security, leading-edge solutions, strategic consulting, risk management and policy/regulatory issues.

This 206-page book contains an appendix with a cloud computing checklist. The 9 chapters cover the typical areas of interest of the IT auditor when auditing a cloud provider. The book is not too technically detailed and gives a holistic overview of threats, data risk, service delivery and legal aspects to be considered during an audit and before a corporation decides to join the cloud computing environment. Because of this focus, the book is recommended for decision-making senior or C-level management. Of course, an information security consultant/auditor who wants to prepare for the Certified Information Systems Auditor (CISA) certification exam could also use this book as study material. Its structured approach and logical flow of knowledge make it a great read and a useful reference book.

Auditing Cloud Computing was published in 2011 and was, at that time, one of the first books addressing IT and privacy audit for cloud computing. For that reason, this book serves as a great introduction to cloud computing and could become a classic in the IT auditor community. It will remain relevant in the coming years because of its focus on the fundamentals. Many corporations are currently taking or planning to take advantage of cloud technology; they must be prepared in all aspects of cloud computing security and privacy before beginning this endeavor. Remember that one day, IT auditors will review the company’s cloud-related security and privacy controls. Being prepared beforehand is always beneficial for both the auditor and the auditee.

Auditing Cloud Computing: A Security and Privacy Guide is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, is president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA Publications Committee for 3 years and is coauthor of SAP Security and Risk Management.