@ISACA Volume 17  23 August 2017

Is Information Security a Cost Center?


Generally, chief information security officers (CISOs) face major challenges getting approval for an appropriate budget since security is considered a cost center for organizations. This is a common misconception, considering that the security function helps the business avoid losses, even if it does not generate revenue directly. Overcoming this misconception is a challenge for many security professionals. Here are a few suggestions on acquiring an appropriate budget for information security.

Information security traditionally has been considered a cost center since it requires additional specialized resources, both technical and human. Senior management and the board of directors primarily focus on business activities and growth. Naturally, when a proposal for spending is presented to them, they wonder how it will contribute to the business. IT and information security professionals are skilled in their respective domains but may not always be cognizant of the business perspective.

To ensure approval, a CISO may consider adopting the following practices:

  • Understand business strategies and objectives. Review security strategies and objectives to ensure they are aligned with business objectives.
  • Establish a process to monitor external and internal risk factors that may have an impact on business objectives and strategies.
  • Review the risk register. Ensure that the risk assessment results are expressed in business terms. This may be achieved by:
    • Developing risk scenarios that can be easily understood by business managers. For example, nonavailability of networks may impact online service delivery, or a bug in an application may interrupt services provided to customers.
    • Asking the business function owner to assess the loss to the business in case the scenario materializes. Since business function owners monitor the business function regularly, they are in a better position to assess the impact on the business.
    • Verifying threats and their likelihood of materializing by consulting technology managers since they can evaluate why the technology may fail. For example, technology may fail due to a virus or ransomware attack, hardware failure, or failure of the network service provider.
  • Use these results to determine the controls and confirm the appropriateness of the controls with the risk owners.
  • Prepare a cost-benefit analysis for controls considering technology, operations, resources required, etc.
  • Decide on a plan to implement the controls.
  • Prepare the business case by expressing the risk assessment results in business terms.

A business case that demonstrates savings to the business by controlling possible revenue loss or business loss due to risk materialization, including security-related risk, can indirectly benefit the business. Management can understand anything expressed in terms of business benefits.

After implementing controls, the monitoring process must also be modified to conform to the business case and present management with the implemented control benefits. This helps management understand how much possible revenue loss has been averted by security. Effectively, this process will change the outlook that security is a cost center.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


The Importance of Audit in Mobile Computing



Corporations, nonprofits and government entities are all responsible for collecting, storing and purging data. Safeguarding data as these processes are performed is an ongoing challenge. The ability to meet applicable external compliance expectations and satisfy customers’ needs requires significant effort. That effort and risk are compounded when data flow through and are stored on mobile devices.

IT auditors have an opportunity to mitigate the challenge of mobile computing in their organizations. Partnering with management over an assessment of data safeguards on mobile devices is the first step. Through a mobile computing audit, IT auditors can assess their organizations’ practices around areas such as remote access, data loss and malware. These audit program components can meet the following objectives and, ultimately, facilitate the enterprise’s evaluation of their mobile computing programs:

  • Ensure policies and practices that address scope, responsibilities and procedures around protection of data accessed by, transmitted by and stored on mobile devices exist.
  • Ensure remote access practices identify all users uniquely when accessing company resources.
  • Ensure security measures are adequate to address risk associated with removable media. This includes disclosure, copying or modification of enterprise data and misalignment of position responsibilities and sensitive information.
  • Ensure protections are in place to prevent operational disruptions from malware introduced into the enterprise through mobile computing.
  • Ensure incident response protocols exist for mobile device users from detection and reporting through recovery.

Conducting a formal assessment through a mobile computing audit allows an enterprise to know where its controls are working as intended and identify areas for improvement. The ISACA Mobile Computing Audit Program provides IT auditors with the tools to successfully assess the risk associated with mobile computing. To download this audit program, visit the Mobile Computing Audit Program page of the ISACA website. The program cost is US $25 for members and US $50 for nonmembers.


Using Machine Learning to Stop Malware



A well-trained human eye can spot malware; a professional can recognize shared features with other known malware to identify it. That being said, how do information security professionals automate machines to recognize malware on their own? As the pace of attacks threatening organizations accelerates and attacks change disguises and piggyback on clean applications, identifying them becomes even more important. ISACA and McAfee have partnered to present the “Using Machine Learning to Stop Malware” webinar to discuss the benefits of machine learning. This webinar takes place on 29 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Robert Leong, director of product management at Intel Security, McAfee, will lead the webinar. In it, Leong will share his experience with machine learning to help you and your organization implement this technology. This webinar will explore how machine learning works, how we can teach machines to recognize all forms of malware and why this is important to your enterprise.

To learn more about this webinar or to register for it, visit the Using Machine Learning to Stop Malware page of the ISACA website.


Adopting GDPR Using COBIT 5


The clock is ticking on the May 2018 deadline for compliance with the European Union’s General Data Protection Regulation (GDPR). Any enterprise that conducts business with at least 1 citizen of the European Union must comply with GDPR protections of personally identifiable information or face stiff penalties.

Adoption, implementation and execution of these regulations highlight the need for a solid governance function within the enterprise. If an organization lacks that function, GDPR compliance is a good reason to begin creating it.

The Adopting GDPR Using COBIT 5 white paper highlights the key elements of the GDPR, the importance of governance of enterprise IT (GEIT) and the role of COBIT 5 in establishing a framework for governance. It breaks down the GDPR into its basic components and highlights the specific COBIT processes to consider when creating your unique plan for compliance. You can access the complimentary ISACA white paper on the Adopting GDPR Using COBIT 5 page of the ISACA website. In addition, be sure to get your copy of ISACA’s companion infographic, Key Tips and Takeaways for GDPR Implementation Using COBIT 5, which features 10 GDPR implementation techniques taken from real-world implementations by enterprises.


Governance, Privacy and Security in Health Care


Health care is one of the most complex and highly regulated sectors in the world. For health care providers, device manufacturers, insurers and pharmaceutical enterprises, privacy and security are becoming more and more important. While better security and privacy are not usually a patient’s primary health care concern, nothing erodes a patient’s trust and experience faster than a provider losing records, exposing private information or otherwise acting as a less-than-optimal steward of a patient’s data.

The GEIT for Health Care white paper highlights key concerns for health care privacy and security. It covers how the size, scale and significance of the health care sector have changed and how health care usage of information technology (IT) differs from other industries and affects enterprise IT governance. It also explores what governance models and approaches can be used in clinical environments and how the evolution of technology is changing health care governance.

In addition to the GEIT for Health Care white paper, be sure to take a look at ISACA’s companion checklist for patients. The 5 Questions Patients Should Ask About Health Care Information Security was developed to outline questions that patients can ask their providers about the security and privacy of their health care records. By being informed and knowing what options exist, patients can be engaged in keeping their information safe.