@ISACA Volume 13  27 June 2018

Cyberrisk: Getting the Basics Right


Sunil Bakshi

During a board meeting, a board member expressed concern as to whether the organization was addressing cyberrisk. The secretary looked at the risk manager, hoping to get quick assurance. The risk manager then asked, “What do you mean by cyberrisk?” Chaos ensued. Everyone was agitated that the risk manager could even ask this question.

When the chaos subsided, the risk manager responded, “When we say risk is uncertainty in achieving the objectives of the organization, we should be more focused on the objectives of the organization and look at the threats and vulnerabilities that result in materialization of risk.” In other words, when the board member referred to cyberrisk, what he actually meant was, “Do we have the appropriate controls in place to respond to threats from the cyberworld that are likely to introduce uncertainties in achieving business objectives?”

This approach is used for most categories of risk we analyze today. Financial risk refers to threats and vulnerabilities in the system that affect financial management. Market risk refers to threats arising due to changes in the marketplace that could impact an organization’s objectives. Operational risk refers to threats and vulnerabilities in business operations that could impact the objectives of operational management and business objectives. Most risk categories actually refer to the associated threats to the objectives and vulnerabilities in the organizational ecosystem that result in the materialization of risk.

The following approaches can make enterprise risk management (ERM) more effective:

  • Enterprises need to have an enterprise-level view of their risk profile based on uncertainties in achieving business objectives and make this view binding to all the risk owners.
  • Enterprises need to build a threat inventory and deploy mechanisms to monitor risk, supported by processes within the organization to identify and manage vulnerabilities within the organizational ecosystem, which is comprised of people, processes and technology.
  • Most of the time, different stakeholders manage threats using different approaches, which impacts uniformity in the enterprise-level view of risk. To minimize this impact, ERM should consider defining an approach for common threats that will minimize the gap.
  • Risk owners should be responsible for managing threats and vulnerabilities in their respective areas and align with the enterprise’s objectives.
  • Vulnerabilities that are exploited by a threat can be different in different operational areas depending upon the criticality of the business function from the organization’s perspective.
  • Review threats and vulnerabilities on a periodic basis or when any of the risk scenarios have changed.

The most effective way to manage risk is to create organizational awareness about threats and vulnerabilities and their effect on an organization’s objectives. An organization’s culture can help enable effective risk management.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


The State of Cybersecurity: Threat Landscape Exploration


To help security professionals understand the shifting cybersecurity threat landscape, recognize cybersecurity challenges and to provide strategies to address these challenges, ISACA produced the State of Cybersecurity 2018 report. ISACA surveyed security managers and practitioners around the world to gather their insights and experiences with various cybersecurity issues to produce this aid for cybersecurity professionals.

In the State of Cyber Security 2018—Part 2: Threat Landscape and Defense Techniques, current trends in the threat landscape are explored, putting particular focus on the evolution of threats. Notable threats include adversary tradecraft and motivations, and this report highlights adaptations made by enterprises to combat those and other threats.

Download this complimentary white paper to foster your comprehensive understanding of the cybersecurity landscape by visiting the State of Cybersecurity 2018 page of the ISACA website.


Build Real Skills in CSX Virtual Cyber Academy


Lectures and simulated trainings do not always provide the hands-on experience you will need to handle tomorrow's advanced cyberthreats. That is where the new Cybersecurity Nexus™ (CSX) Virtual Cyber Academy can give you an advantage. It provides a learning environment that is dynamic and offers:

  • Access to a full range of hands-on cybersecurity skills-building labs and instructional courses available 24 hours a day, on-demand
  • Training options from beginner to advanced levels conducted in a live network environment
  • The opportunity to continuously update and build technical skills through practice and assessment
  • The potential to earn more than 250 Continuing Professional Education (CPE) credit hours as more labs and courses become available

With a new self-paced subscription, the CSX Virtual Cyber Academy gives you unlimited access for a full year for less than the cost of 1 typical week-long training course.

For a limited time, save US $500 on a 1-year, unlimited-access subscription. To learn more and save, visit the CSX Virtual Cyber Academy page of the ISACA website.


Transport Layer Security White Paper Now Available


The primary method used for protecting transmitted content from tampering and eavesdropping is the Transport Layer Security (TLS) protocol. TLS does come with certain risks and requirements, however. Attacks against the Secure Sockets Layer (SSL)/TLS protocol are frequent, and to mitigate risk, users must ensure trust in the certificate exchange, correctly implement and configure TLS and its cipher suites, and maintain strong encryption in the environment.
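As an added illustration of what "ensure trust in the certificate exchange" and "correctly implement and configure TLS and cipher suites" mean in practice (this code is the editor's, not from the ISACA white paper), the Python snippet below builds a permissive client context beside a hardened one and audits both with the standard `ssl` module. The helper names, the cipher-marker deny-list and the checks applied are the editor's assumptions, chosen to match the three mitigations the paragraph lists.

```python
"""Added example (not from the ISACA white paper): a permissive TLS client
context beside a hardened one, plus an audit that flags the weak settings.
Uses only Python's standard ``ssl`` module; the helper names and the
deny-list below are illustrative assumptions, not an ISACA recommendation."""
import ssl
from typing import List

# Assumed deny-list: substrings of OpenSSL cipher names that indicate broken
# or obsolete primitives (RC4, single/triple DES, NULL encryption or
# authentication, export-grade suites, MD5 MACs, anonymous DH/ECDH).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def weak_client_context() -> ssl.SSLContext:
    """The configuration the text warns against: no certificate or hostname
    validation, a TLS 1.0 floor, and OpenSSL's broad DEFAULT cipher list,
    which still contains static-RSA suites without forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # trusts any certificate presented
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Chain and hostname are verified against the platform trust store,
    the protocol floor is TLS 1.2, and only AEAD suites with ephemeral key
    exchange are offered for TLS 1.2 (the TLS 1.3 suites are a fixed set
    managed by OpenSSL, all AEAD with (EC)DHE)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression enables CRIME-style leaks
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context meets
    the checks this example applies (trust, protocol floor, cipher strength)."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor {ctx.minimum_version.name} is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["protocol"] == "TLSv1.3":
            continue  # fixed set, always AEAD with ephemeral key exchange
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
        elif not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

Run stand-alone, the weak context produces findings for every one of the paragraph's three concerns, while the hardened one produces none; the same `audit_context` function can be pointed at any `SSLContext` an application builds, which is a cheap way to evaluate current enterprise TLS usage in code review.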

ISACA’s Transport Layer Security: Key Concepts, Risk and Mitigation white paper provides basic information about the TLS protocol. It includes details on what TLS is and how it is structured. It also helps guide practitioners in evaluating current enterprise TLS usage.

You can access the complimentary ISACA white paper on the Transport Layer Security: Key Concepts, Risk and Mitigation page of the ISACA website.


Optimize Knowledge Management and Internal Audit


During an audit, auditors need to collect sufficient information to produce rational and comprehensive analyses. They may also need to document appropriate evidence to explain and defend potentially adverse findings. Conducting an audit requires all auditors to have expert knowledge of governmental regulations, business norms and practices, and frequently requires the generation of new knowledge about the regulations, norms and practices that they examine during their audit activities.

Audit plans depend heavily on the expertise of auditors, the quality and comprehensiveness of the information they collect, and the findings that they produce. Because of this, a systematic approach to knowledge management becomes critical to ensure the accuracy, efficiency and quality of audit engagements across all business disciplines.

ISACA’s Auditing and Knowledge Management white paper traces one audit team’s efforts to identify and map its knowledge and then use that information to develop a knowledge strategy and knowledge management system (KMS). This white paper will help your team discover how to optimize the quality and management of its knowledge, leading to improved services for all clients.

You can access the complimentary ISACA white paper on the Auditing and Knowledge Management page of the ISACA website.


ISACA Participates in GDPR Policy Event Hosted by US Congressional Cybersecurity Caucus


The compliance deadline for the EU General Data Protection Regulation (GDPR) was 25 May, but the conversation is just beginning.

On the deadline date, ISACA Senior Vice President of Global Affairs, Tara Wisniewski, was a featured speaker at the US Congressional Cybersecurity Caucus event on GDPR. As Wisniewski noted at the event, an ISACA survey conducted just last month found that only 29% of organizations impacted by the GDPR—that is, any organization that collects or processes data from European Union soil and any organization collecting or processing data on EU residents—planned to be fully compliant by the 25 May deadline.

When examining organizations’ differing plans for compliance, Wisniewski said, “ISACA has observed a broad spectrum in terms of what people are doing to come into compliance. We have seen everything from organizations fully investing in establishing processes to organizations doing almost nothing and taking the risk of waiting for case law before assessing what to do. The most successful organizations are those where the notions of security and privacy have been in the boardroom for a number of years already.”

GDPR aligns with best practices ISACA has long advocated for as an organization. “In addition to privacy, cybersecurity is a key component of GDPR, and it is not going to be possible to comply with GDPR without strong cybersecurity principles and processes,” said Wisniewski. “It also is directly related to another one of our core focus areas: audit. If GDPR is successful, audit functions will be strengthened.”

ISACA offers a number of GDPR resources, including a self-assessment, white papers, infographics, audit programs and publications, on the GDPR page of the ISACA website. Many of these resources are complimentary downloads.


ISACA Officially Launches Presence in Beijing


ISACA formally opened its Beijing, China, location on 5 June 2018, establishing the organization’s first local presence in Mainland China to help support the region’s digital transformation and share ISACA’s business technology knowledge, expertise and experience with individuals and organizations. The Beijing facility will help localize and expand ISACA’s professional development, learning and credentialing offerings in technology audit and assurance, governance, risk, and information and cybersecurity. ISACA already has begun serving customers in China, particularly those in the banking and financial services sectors, and is also expanding active relationships with central and provincial government agencies.

ISACA’s subsidiary, CMMI Institute, is also housing a Center of Excellence in Beijing. The CMMI Center of Excellence will seek to help organizations build enterprise capability to drive business performance and mitigate business risk as many organizations across China have already adopted the Capability Maturity Model Integration (CMMI) model.

Chen Zhong, vice president of the China Software Industry Association, hopes that the introduction of ISACA’s new mainland location will increase IT audit and risk appraisal and bridge the gap between IT audit and cybersecurity. Zhong says, “With the rapid development of China's social economy, especially the popularization of network information, the IT industry has been developing rapidly as well. In comparison, the development of the IT industry's audit has lagged behind. Now, IT audits and risk appraisals will be carried out more frequently, and the links between cybersecurity and IT audits will become closer. IT auditors and related resources are, increasingly, in short supply.” ISACA started its guidance on this path earlier this year when ISACA expert advisors in China helped produce and release the Guide to China’s Regulatory Cybersecurity Implementation Framework.