@ISACA Volume 13, 28 June 2017

Building a Security Program to Fit Your Enterprise


Avani Desai

There seems to be no break in the cybercrime landscape these days. Organizations and the public have put security and privacy in the forefront due to the increasing number of high-profile breaches and hacks across all industries, ranging from health care to financial services to politics.

Cybercrime vectors such as phishing—the weapon of choice for most cybercriminals—are continuing to show growth across the globe, with RSA noting a 308% increase in phishing attacks in the second quarter of 2016 compared to the same quarter of the previous year. The United States currently ranks as the most phished country, but, regardless of country or industry, it is clear that cyber security threats are a real and present danger.

While every organization faces the threat of cybercrime, best practices for mitigating the risk can vary depending on local circumstance. The following 5 tips can help create a security program that works in your organization to help stem the tide of cybercrime:

  1. Identify the weakest link—Each industry sector has specific areas that are targeted by cybercriminals. For example, if your organization works in the retail sector, you are likely to have vulnerabilities at the point of sale (POS). In health care, one of the most prevalent threats is ransomware, with up to 75% of US hospitals affected by the Locky ransomware variant.
    The best starting place for a robust and effective cyber security program is to identify your weakest links. These are your cybercrime target points and can give you the understanding needed to create your personalized threat profile.
  2. Understand your assets—Knowing what data or systems are being targeted can help you focus your protection efforts. An inventory of the most attractive parts of your data and systems allows you to set up specific security measures around those valuable assets.
    People are also assets and should be included in this exercise. Know who your people are and how they interact with your data. This is especially important for those employees and third parties who have access to the assets identified as being potential targets of value. Insider threats, including those from across the vendor ecosystem, are a serious cyber security issue. Health care, for example, has seen insider-based risk (such as improper disposal) become the most prevalent problem in the first half of 2016.
  3. Promote security awareness—Employees can be one of your biggest threats, but they can also be your biggest asset. Being security savvy is one of the best ways to mitigate cyber security and privacy risk. Security awareness is about making people understand the risk of a business, where that risk originates and how to prevent it. Foster security awareness through discussion of topics such as password sharing, or consider offering a seminar explaining how employees can spot a phishing email.
    Security awareness training for all staff members should be a fundamental part of your security and privacy program. But training should not end with internal employees. External vendors and contractors should also be made aware of the expectations of your organization's security and privacy program. Many noteworthy high-profile breaches have occurred because of lax security at a third-party vendor, including the infamous 2014 Target data breach. As a result, businesses today must comply with regulations such as the US Health Insurance Portability and Accountability Act (HIPAA) for securing health information and the Payment Card Industry Data Security Standard (PCI DSS) for service providers supporting companies that handle cardholder data.
  4. Use the right tool for the job—Now that you have a holistic view of the cyber security and privacy vulnerabilities within your organization and beyond, you can look at how best to mitigate those risk factors. Security awareness training among staff is a starting point, but technology also plays a key role in controlling cyberthreats. Keep abreast of changes in the cyber security and privacy technology landscape. For example, machine learning can help in the fight against cybercrime. Having a good working knowledge of what is available, especially considering your organization or sector-specific requirements, will give you a head start in combating issues. Keep in mind that advanced tools require employees who are well trained to run or administer them; consequently, it is critical to provide sufficient training to those employees.
  5. Create a robust cyber security and privacy framework—Knowledge is the foundation of effective cyber security and privacy risk management. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a critical resource for informing all cyber security and privacy professionals. The CSF is based on 5 principles. Those principles are:
    • Describe the organization’s current cyber security posture
    • Describe the enterprise’s target state for cyber security
    • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
    • Assess progress toward the target state
    • Communicate among internal and external stakeholders about cyber security risk

Following these principles can help achieve excellence in cyber security and privacy management.

Although the approach to cyber security and privacy can be customized by organization or sector, one thing is clear: Good and robust attitudes regarding cyber security and the prevention of privacy breaches are universally essential, and they come from the top down. A recent Ponemon Institute report demonstrated that good communication from the top down is key to risk management across the company. Good communication must include third-party vendors as well. While there may be many aspects to creating a good security and privacy program for your organization, communication between staff and sharing of knowledge are the keys to making it work and keeping your information safe.

Avani M. Desai, CISA, CRISC, CIPP, CIA, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Her focus recently has been on emerging technology concerns and issues.


Getting a Strong Start in Cyber Security

When it comes to cyber security, it is crucial that enterprises start strong. Cyber security initiatives must be built on a solid foundation. To help enterprises undertake their cyber security program from a strong position, ISACA is presenting the “Cyber Security 2017: To Get Ahead, Start at the Beginning” webinar. This webinar will take place at 11AM CDT (UTC -5 hours) on 11 July. ISACA members can earn 1 continuing professional education (CPE) hour by taking this webinar and completing a survey.

An enterprise’s starting position includes factors such as talent, acceptance of risk, response to cyberattacks and designing with security in mind. In this webinar, Frank Schettini, ISACA’s chief innovation officer, will discuss these concerns and explain how strong beginnings build the foundation for a strong future.

To learn more about this webinar, visit the Cyber Security 2017: To Get Ahead, Start at the Beginning page of the ISACA website.


Auditing Outsourced IT


Outsourcing IT enables enterprises to concentrate on their core capabilities and reduce costs. Management must be able to evaluate the effectiveness of the outsourcing strategy, and the audit/assurance review relies on numerous enterprise- and vendor-related elements. To help enterprises audit outsourced IT services, ISACA has published the Outsourced IT Audit/Assurance Program.

This audit program focuses on top-level governance, guidelines and procedures and the implementation of these controls. For enterprises looking to move toward outsourcing IT, this program provides internal controls and requirements for the selection process of an IT vendor and the steps to consider during the transition. The audit program also covers monitoring and quantitative controls related to outsourced IT service delivery.

This audit program can be downloaded for US $25 for members and US $50 for nonmembers. For more information, visit the Outsourced IT Audit/Assurance Program page of the ISACA website.


CACS Conference Report Features Highlights From Las Vegas and Munich


ISACA’s newly published CACS 2017 Conference Report provides a look back at many of the highlights from last month’s North America CACS and EuroCACS conferences. The report offers a glimpse of many of the keynote addresses, conference sessions, networking events, social media highlights from the conferences and much more.

North America CACS 2017 featured record attendance for an ISACA conference, with approximately 1,500 attendees. To access the report, visit the CACS 2017 Conference Report page of the ISACA website.


Learning Security Lessons Through Penetration Testing


Many organizations struggle with cyber security. It is a topic that is as important as it is complex. That said, one fundamental question cuts to the root of executive-level concern: How do we know if we are secure? Obviously, this is a big question, but one tool in the security practitioner’s toolbox to answer this question is penetration testing.

Penetration testing (sometimes referred to as ethical hacking) is a type of testing that is designed to simulate the actions, methods and tradecraft (i.e., tools and techniques) of an actual attack. Such testing can be varied in nature. It can be performed against the whole of the environment or a targeted subset, it can focus on all layers or a single layer of the Open Systems Interconnection (OSI) stack, and it can include physical testing or social engineering. By testing its defenses in this way, an organization can learn valuable lessons about the security of its environment—e.g., how well its defenses do or do not hold up in an actual attack situation, how employees, processes and tools perform during a live event, how information is communicated, and numerous other valuable insights about the organization’s defensive posture.

ISACA has authored a case study of an application-layer penetration test against a willing participant. The white paper Polyverse Case Study: Moving Target Defense Against Web Application Attacks provides the results of a targeted, application-focused penetration test against Polyverse, a provider of security services. The purpose of the paper is twofold: to illustrate some of the techniques potentially employed during the application penetration testing process, and to describe, in context, the operation of the defense methods employed during an actual attack scenario.

To download the white paper, visit the Polyverse Case Study page of the ISACA website.


Help ISACA Celebrate 50 Years—Share Your Memories and Predictions


ISACA turns 50 in 2019 and we are seeking your stories, memories and ISACA artifacts to help honor our past and look forward to our innovative future.

ISACA has launched www.isaca50.org to collect those items. On that site, you will find prompts, including:

  • Tell us a story about how ISACA has supported your professional advancement.
  • How have you and your colleagues made an impact on your organization—or even the world—as a result of the roles you play in technology?
  • What is your boldest prediction about technology in the future?

You can submit your responses in text or as a video. On the anniversary site, you can also upload files, photos and videos, and find contact information if you have a physical object you wish to mail to ISACA.

Anyone who submits a story or file by 31 July 2017 will be entered into a random drawing for a US $50 gift certificate to the ISACA bookstore. For more information, visit the ISACA 50 website.