@ISACA Volume 19  20 September 2017

Interesting (Cyber) Times

By Jack Freund, Ph.D., CISA, CRISC, CISM

There is an expression, “May you live in interesting times,” that is purported to be of Chinese origin (the attribution itself is apocryphal) and has accordingly been called the Chinese curse. On its face, someone saying this to you could seem like a good thing; after all, no one wants to live in uninteresting times. But the meaning is ironic: interesting times are fraught with tumult and chaos, while uninteresting times are full of life-enhancing peace and tranquility. This dichotomy, I think, illustrates the state of cyber security today.

We live in an amazing time in history when seemingly everyone has a handheld computer that keeps us constantly connected to friends and loved ones and informed about the topics and activities we care about. We have embedded computers in many of our household devices and vehicles, and they are rapidly automating much of the banality out of our lives. You can get an alert on your phone when the dryer is done or the cat’s food dish is empty. The Internet of Things (IoT) will give us greater control over the devices in our lives and the energy they consume. We have strong regulatory frameworks to protect consumers from cybernefariousness. Our banking transactions have likely never been safer because of the oversight brought to bear on our financial institutions. Distributed ledger technology (also known as blockchain) has the potential to transform businesses by increasing automation, lowering transaction costs and removing redundant intermediaries. Even wars no longer need to be fought in person: we can send remote-controlled military vehicles in our stead while we safely control them from hundreds of miles away.

But we also live in terrifying times. Those handheld computers can do anything, including spy on us and collect and hoard private data that, if we knew it was being gathered, we would rather not have disclosed. That same IoT automation can be subverted to lock us out of our homes, make them unbearable to live in through extreme noise and temperature, or clandestinely monitor everything we do and say. Those same regulatory safeguards can overwhelm the businesses we work for, and they often cannot change fast enough to keep pace with emerging technologies, leaving customers exposed. Blockchain technologies could lead to massive structural unemployment, and smart contracts could be subverted into committing firms to irrevocable transactions. Being able to wage war from anywhere means that everywhere has the potential to be the battlefront.

It is for these reasons and more that your continued self-improvement in the cyberdiscipline is vital. Enterprises should leverage industry frameworks to develop their own cyber/IT risk framework and quantify risk elements as much as they can. If something is rated high risk, determine why it is high risk. Is it because the event is expected to happen often? How often? Is it because there is a large cost if it occurs? If so, what is the cost? Articulating business impact in these terms is crucial to giving risk decision makers a vested interest in the risk scenario, and it lets them make decisions with guidance from IT staff rather than on a label alone. Control deficiencies that have been risk-accepted should also be revisited at least annually, and well before budgeting season, so that any remediation can be planned and funded.
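As an added illustration of the quantification the column calls for (this is not the author’s code, nor an implementation of any particular risk standard), the Python below takes a three-point frequency range (events per year) and a three-point loss-per-event range for each scenario, reports the analytic expected values, simulates the distribution of annual loss, and ranks a register by “bad year” (90th percentile) loss. The scenario names and figures are constructed for the example; in practice they come from calibrated estimates and loss data.

```python
"""Turning 'high risk' into a frequency-and-magnitude estimate by simulation.

Added illustration; the register below is constructed example input, not data
from any real assessment.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario described by two (min, most likely, max) ranges."""
    name: str
    freq_min: float   # events per year: fewest considered plausible
    freq_ml: float    # events per year: most likely
    freq_max: float   # events per year: most considered plausible
    mag_min: float    # loss per event (USD): smallest
    mag_ml: float     # loss per event (USD): most likely
    mag_max: float    # loss per event (USD): largest


def expected_values(s: Scenario) -> tuple[float, float, float]:
    """Analytic means of the two triangular ranges and their product.

    Returns (expected events per year, expected loss per event, expected annual
    loss). Comparing the first two figures across scenarios answers 'why is
    this high risk?': frequency-driven or magnitude-driven.
    """
    exp_freq = (s.freq_min + s.freq_ml + s.freq_max) / 3
    exp_mag = (s.mag_min + s.mag_ml + s.mag_max) / 3
    return exp_freq, exp_mag, exp_freq * exp_mag


def simulate_annual_loss(s: Scenario, trials: int = 10_000, seed: int = 7) -> list[float]:
    """One simulated annual loss total per trial.

    Each trial draws how many events occur that year (triangular over the
    frequency range, rounded to a whole number), then draws a loss for each
    event (triangular over the magnitude range) and sums them.
    random.triangular takes (low, high, mode); a fixed seed makes runs repeatable.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        events = round(rng.triangular(s.freq_min, s.freq_max, s.freq_ml))
        totals.append(sum(rng.triangular(s.mag_min, s.mag_max, s.mag_ml) for _ in range(events)))
    return totals


def summarize(totals: list[float]) -> dict[str, float]:
    """Figures a decision maker can act on instead of a single 'high' label."""
    ordered = sorted(totals)
    n = len(ordered)
    return {
        "mean": statistics.mean(ordered),
        "median": ordered[n // 2],
        "p90": ordered[min(n - 1, int(0.9 * n))],   # a 'bad year'
        "p_no_loss": sum(1 for x in ordered if x == 0) / n,
    }


def rank_register(scenarios: list[Scenario], key: str = "p90") -> list[tuple[str, float]]:
    """Order scenarios by a chosen summary statistic, worst first."""
    rows = [(s.name, summarize(simulate_annual_loss(s))[key]) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed register: two entries a qualitative scale might both call 'high'.
REGISTER = [
    Scenario("phishing-led credential theft", 2, 6, 15, 5_000, 25_000, 150_000),
    Scenario("ransomware on file servers", 0, 0.3, 1, 200_000, 900_000, 4_000_000),
]

if __name__ == "__main__":
    for s in REGISTER:
        f, m, annual = expected_values(s)
        print(f"{s.name}: ~{f:.1f} events/yr x ~${m:,.0f}/event = ~${annual:,.0f}/yr expected")
        print("   simulated:", {k: round(v, 2) for k, v in summarize(simulate_annual_loss(s)).items()})
    print("ranked by p90:", rank_register(REGISTER))
```

Run as a script it prints, for each constructed scenario, the expected frequency, expected magnitude and their product, then the simulated mean, median, 90th percentile and the share of years with no loss at all. The two entries are deliberately different in kind: the first is high because it happens often, the second because a single occurrence is expensive, and the summary makes that distinction visible where a “high” label would not.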

We must constantly be exploring new technologies, researching new exploits and understanding our businesses, so that we can chart a path that captures as much of the promise these new technologies bring as possible while protecting against as many of the pitfalls as possible. That is the essence of good risk management. To that end, I wish, in the most unironic way possible, that you live in interesting times.

Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon and IAPP Fellow of Information Privacy.


Learn How to Implement Container Technology for Scalability and Compliance

Scaling up new and existing services in a compliant and more secure way is critical for growth. Leveraging container technology has allowed Adobe to manage scalability, operational efficiency and productivity. Containers are not a new technology; recent practice around them, however, makes it easier to keep cloud applications consistently aligned with existing security and compliance policies and standards, and to automate standardized security controls.

ISACA and Adobe present the “How Using Container Technology Can Help You Meet Compliance Goals” webinar to demonstrate how you can use containers to help meet your compliance requirements. This webinar takes place on 26 September at 6AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Prasant Vadlamudi, senior manager for risk and advisory at Adobe, will present the webinar. Vadlamudi has more than 9 years of experience in the audit and compliance field and is currently responsible for leading compliance efforts across Adobe enterprise cloud offerings. Using his background, he will help illustrate how best to leverage containers to ensure your enterprise’s compliance requirements are met.

To learn more about this webinar or to register for it, visit the How Using Container Technology Can Help You Meet Compliance Goals page of the ISACA website.


Discover How to Eliminate the IoT Security Blind Spot

Our current security architecture is broken. A new approach is needed that addresses where current architecture falls short, what next-generation architecture should look like, and how to deal with vulnerabilities in Internet of Things (IoT) devices and unmanaged endpoints. ISACA and Armis Inc. present the “Eliminate the IoT Security Blind Spot” webinar to explore next-generation architecture for securing IoT. This webinar takes place on 3 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Nadir Izrael, cofounder and chief technical officer at Armis Security, will present the webinar. Izrael specifically guides the technology vision used by Armis to protect unmanaged devices and IoT devices. As an expert in IoT device protection, he will help illuminate a new approach to addressing the evolving IoT endpoint and how this applies to your enterprise.

To learn more about this webinar or to register for it, visit the Eliminate the IoT Security Blind Spot page of the ISACA website.


Gain Cloud Security Insight at Virtual Summit


ISACA’s free, half-day virtual summit, Cyber Security for the Cloud, takes place on Thursday, 21 September. This summit is an opportunity to learn and discuss critical issues impacting your organization’s data and infrastructure. With presentations on security policy in cloud environments, scaling control services, and compliance for IT operations, IT security and IT audit, plus an interactive panel discussion, there is a lot to learn and explore in this summit right from the comfort of your own home or office.

Kevin Flynn, global director of products at Skybox Security; Kenny Scott, senior manager, risk and advisory services at Adobe; and Ashwin Krishnan, senior vice president, product management and strategy at Hytrust, will present the sessions on topics including:

  • Security Policy Orchestration in Hybrid and Multi-Cloud Environments, 9:05AM-10:05AM CDT (UTC -5 hours)
  • Scaling Control Services Across a Multi-Cloud Enterprise, 10:15AM-11:15AM CDT (UTC -5 hours)
  • Compliance Cost and Time Down, Security Up—#YesWeCan, 11:25AM-12:25PM CDT (UTC -5 hours)
  • Interactive Panel Discussion, 12:35PM-1:00PM CDT (UTC -5 hours)

Earn up to 4 free continuing professional education (CPE) hours by attending this event, hosted by ISACA, Skybox Security and Adobe. To learn more, visit the Cyber Security for the Cloud: Virtual Summit page of the ISACA website.


Learn to Perform GDPR Data Protection Impact Assessments to Ensure Compliance


In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR) as the EU data protection law. Effective 25 May 2018, the GDPR provides individuals with a wide range of rights enforceable against organizations that process their personal data, and it narrows the latitude organizations once had to process personal data lawfully. These rights could significantly impact an organization’s business model. The focus on the individual’s data protection represents a major shift in how organizations must comply to protect the data of individuals in the EU. Noncompliance can result in financial penalties, so proactive effort must be a priority for any business that is established in the EU or that offers goods or services to, or monitors the behavior of, individuals in the EU.

To help you address these challenges, ISACA presents the “How to Perform GDPR Data Protection Impact Assessments” webinar. The webinar will show how to conduct data protection impact assessments (DPIAs) to identify and reduce data protection risk in projects and systems, and reduce the likelihood of privacy harms to data subjects. This webinar takes place on 28 September at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Rebecca Herold, CISA, CISM, CIPM, CIPP/US, CISSP, CIPT, FIP, FLMI, president of SIMBUS360 and chief executive officer of The Privacy Professor, will present the webinar. As an entrepreneur and expert with more than 25 years of systems engineering, information security, privacy and compliance experience, she will help you understand how to perform DPIAs to keep your organization compliant with GDPR.

To learn more about this webinar or to register for it, visit the How to Perform GDPR Data Protection Impact Assessments page of the ISACA website.


Discover the Power of Artificial Intelligence



Most organizations are very proficient at collecting data, but do not always know how to best leverage those data to make informed business decisions. The solution to this challenge may be artificial intelligence (AI) technologies, including machine learning and expert systems.

AI capabilities have revolutionized many industries. From banking to health care to manufacturing to government, almost any enterprise can benefit from the cost savings and increased efficiency AI technology provides. To help you explain to your business partners what AI can do and how your enterprise can leverage it, ISACA has released the ISACA Tech Brief: Artificial Intelligence.

This complimentary tech brief provides insight into the impact AI has on enterprises and addresses potential challenges enterprises may face when adopting AI technology. Critical questions to ask when implementing AI and expert insights are also explored. This is the second tech brief in a recurring series that is intended to offer a quick overview of a topic at a nontechnical level. Tech briefs are a great resource for IT professionals to use when educating their business partners on the basics of a technology that might hold potential in their industry.

To learn more and download the tech brief, visit the Understanding Artificial Intelligence page of the ISACA website.


Learn Proper SSH Usage


Any technology practitioner will tell you that there are as many unique, completely different technology footprints as there are enterprises themselves. Each organization is unique in how it employs technology, having its own operating systems, networking infrastructure, support components, business applications, cloud environments and bring your own device (BYOD) policies. This unique digital footprint evolves just as rapidly as organizations do themselves.

That being said, a few technologies are used by most organizations deploying IT solutions, and Secure Shell (SSH) is one of them. The SSH: Practitioner Considerations white paper addresses why an enterprise’s SSH usage matters, how it can be secured robustly, and how to keep that security from eroding as SSH use continues. SSH usage should be secured appropriately and routinely assessed, documented and managed in a systematic, risk-aware way.

Additionally, with SSH being a technology that most organizations use every day, ISACA’s companion chart, Recommended Controls for Secure Shell Protocol, is a good daily reference guide for practitioners. This reference table was developed to provide practitioners with an easy, on-hand reference to proper SSH usage and implementation. You can access the complimentary ISACA white paper and companion chart on the SSH: Practitioner Considerations page of the ISACA website.
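As an added example of what “routinely assessed” can look like in practice (this is not code from the white paper, and the checks are not the contents of ISACA’s Recommended Controls chart), the Python below reads an sshd_config and reports where the effective configuration departs from a small set of hardening expectations. The expected values, the assumed OpenSSH defaults and both sample configurations are this example’s own assumptions, constructed for the illustration.

```python
"""Assess an sshd_config against a small set of hardening expectations.

Added example. EXPECTED and DEFAULTS below are this example's assumptions
(OpenSSH 7.x-era defaults and common hardening guidance), not the ISACA chart.
The parser follows sshd_config(5) rules that routinely trip up manual reviews:
keywords are case-insensitive, 'keyword=value' is accepted, a line whose first
non-blank character is '#' is a comment, the FIRST value given for a keyword
wins, and directives after a 'Match' line apply only when that condition holds.
"""
from __future__ import annotations

from typing import NamedTuple

# keyword (lowercased) -> value the assessment expects
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "loglevel": "verbose",          # VERBOSE records the fingerprint of the key used
}
MAX_AUTH_TRIES = 4

# Assumed OpenSSH defaults, applied when a keyword is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "loglevel": "info",
    "maxauthtries": "6",
}


class Finding(NamedTuple):
    key: str        # lowercased keyword, or 'match' for a conditional directive
    effective: str  # value sshd would actually use
    expected: str   # what the assessment wanted instead


def parse_sshd_config(text: str) -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Return (global options, [(match condition, directive), ...])."""
    global_opts: dict[str, str] = {}
    conditional: list[tuple[str, str]] = []
    current_match = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif current_match is not None:
            conditional.append((current_match, line))
        else:
            global_opts.setdefault(key, value)   # first occurrence wins, as in sshd
    return global_opts, conditional


def assess(text: str) -> list[Finding]:
    """Compare the effective global settings with EXPECTED; flag Match blocks for review."""
    opts, conditional = parse_sshd_config(text)
    findings: list[Finding] = []
    for key, want in EXPECTED.items():
        got = opts.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append(Finding(key, got, want))
    tries = opts.get("maxauthtries", DEFAULTS["maxauthtries"])
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(Finding("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}"))
    proto = opts.get("protocol", "2")
    if "1" in [p.strip() for p in proto.split(",")]:
        findings.append(Finding("protocol", proto, "2"))
    for cond, directive in conditional:
        findings.append(Finding("match", directive, f"review: applies only when 'Match {cond}'"))
    return findings


# Constructed sample configurations (not taken from a real host).
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
LogLevel INFO
# sshd keeps the first value it saw above, so this later line changes nothing:
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = assess(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.key}: '{f.effective}' (expected {f.expected})")
```

The weak sample shows the two mistakes a line-by-line eyeball review most often misses: the second PasswordAuthentication line does not override the first, because sshd uses the first value it reads, and the directive under Match User backup re-enables password logins for one account regardless of the global setting. Extend EXPECTED and DEFAULTS to match the controls your own standard adopts and the OpenSSH version you run, and schedule the check alongside the routine assessment the white paper recommends.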


ISACA Journal Volume 3, 2017, Available in Spanish


ISACA offers Spanish translations of the ISACA Journal. These full-issue translations are available for each Journal issue approximately 1-2 months after each Journal issue is released. ISACA membership is required to view the translated Journal issues. Volume 3, 2017 is available now. This Journal volume focuses on the Internet of Things (IoT) and features articles covering information security, IoT security and mobile applications. ISACA thanks the Santiago (Chile) Chapter for donating these translations.

In addition to volume 3, 2017, Spanish translations of volumes 3-6, 2016, and volumes 1-2, 2017, of the Journal are also available as complimentary downloads for ISACA members. The Spanish translations can be viewed on the Spanish page of the ISACA website or on the Journal page of the ISACA website.