@ISACA Volume 2  27 January 2016

The Hidden Costs of Open-source Software


Open-source software, freeware and free software are each unique in their intent. For the purposes of this column, only open-source software that can also be considered free software (an older term) is discussed, setting aside the ethical and sociological concerns attached to that term. Open-source software affects an organization’s security posture.

One thing that is common among all open-source software is the open-source community that supports the software. Every product or application has an associated open-source community. These worldwide communities are loosely coupled groups of developers whose sole task is furthering the functionality of the product or application.

Members of an open-source community can make changes to the software and then recommend those changes to the open-source community for inclusion into the open-source software baseline. In this way, the open-source software is extended and the whole open-source community benefits.

Organizations that use open-source software may discover some security issues. The impact on an organization’s security posture and financial resources is directly related to the enterprise’s risk appetite. But there are some myths about open-source software.

There often is a misconception that all open-source applications and products have no cost requirement. In fact, most applications and products have a path to a commercial product or at least a financial licensing strategy that resembles a commercial product. The software is unlikely to be free forever.

Anytime the term “enterprise” is used, look for the open-source community to take the opportunity to obtain financial gain. An example of this is Red Hat Linux. It began as an open-source product with no associated costs. Today, the company does not even offer an open-source version of Red Hat Linux without an associated cost.

In some cases, the open-source software has no financial cost; however, the products required to build the open-source application have a cost. That is why it is critical to understand whether the open-source software being considered has an associated financial cost. This consideration also needs to extend to the software needed to build the open-source application. In some cases, the software needed to build the open-source application is a commercial product or an open-source product with a financial cost. In either case, a mistake in understanding the true cost of the open-source application can be quite costly depending on the licensing strategies and the size of the organization.

From a security perspective, open-source products mostly build assurance based on the size of the user base. Security selection is based on functionality and reputation. In some cases, myths or the past capability of a product create prejudices for or against the product’s adoption by an organization. In the end, the amount of software assessment performed on products is in direct relation to an organization’s risk tolerance.

There is a myth that anyone can incorporate their changes into the open-source software baseline. Anyone can submit a baseline change for consideration, but each open-source community follows an approval process that determines which changes do and do not get incorporated into the baseline. In fact, getting a modification to the baseline approved is usually an issue for government organizations. This means that any changes these organizations make will have to be reapplied, and—in the case of major releases—reengineered with each future release until the changes are adopted.

As the old adage says, there is no such thing as a free lunch. The total cost of some open-source applications and products can well exceed the cost of commercial products. It is crucial that the needed buy or build analysis be conducted to determine exactly what the organization is willing to tolerate from programmatic, security and financial risk perspectives.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Earn CPE at Data Privacy Webinar


The European Union General Data Protection Regulation (GDPR) has major implications for data protection methods in Europe. To help you better understand the significance of GDPR and in recognition of Data Privacy Day, ISACA and RSA have partnered to present the “What the GDPR Will Mean to Global Businesses” roundtable webinar. This webinar will take place on 28 January at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

While the GDPR will mean significant changes for data protection in Europe, it will also affect all enterprises that operate globally. This webinar will help attendees learn how to move toward GDPR compliance. Frank Cindrich, director at PricewaterhouseCoopers; Michael Hopp, partner at Plesner Law Firm; Gabe Maldoff, Westin Fellow at the International Association of Privacy Professionals; and Marshall Toburen, GRC strategist for enterprise risk management at RSA Archer, are the panelists for this webinar, and ISACA’s director of privacy and assurance practices, Nancy Cohen, will moderate the panel.

To learn more about this webinar or to register for it, visit the What the GDPR Will Mean to Global Businesses page of the ISACA web site.


Share Your COBIT Knowledge



There is no substitute for real-life experience. COBIT users around the world share their experiences with COBIT through case studies, practical use articles and tips from the trainer in ISACA’s weekly, peer-reviewed e-magazine COBIT Focus. Case studies, especially, have proven extremely effective in clarifying for current and potential users the ways in which COBIT can be used and its benefits.

Consider contributing an article on your experiences with COBIT to COBIT Focus. Creating a COBIT case study is a fairly flexible process that is intended to accommodate, to the greatest degree possible, the needs and preferences of you and your enterprise.

Writing for COBIT Focus can help you engage with the global community of COBIT users. If you have experience working with COBIT, consider sharing your experiences in COBIT Focus and contributing to the growing body of knowledge about COBIT.

For more information, visit the COBIT Focus Submit an Article page of the ISACA web site. To submit an article, please contact mjasper@isaca.org.


New ISACA Chapter Formed in Kingston, Jamaica


ISACA is pleased to announce the formation of a chapter in Kingston, Jamaica. The Kingston Chapter is the first ISACA chapter in Jamaica. The chapter has 139 members.

Kingston Chapter President O’Niel Millwood, CISA, CISM, says that Jamaican organizations typically hire IT staff who can support multiple functions with little specialization. However, Millwood has noted that there has been a transition to increasing technology specialization, especially with respect to security, risk and audit.

Officers of the Kingston Chapter include:

  • President—O’Niel Millwood, CISA, CISM
  • Vice President—Norval West, CISSP, GIAC-GISP
  • Treasurer—Tricia-Ann Smith DaSilva, CISA, CRISC, CPA, CrFA
  • Secretary—Damian Donaldson, CISM, CISSP
  • Committee Support—Edward Alexander
  • Academic Relations—Caroline Parks
  • Committee Support—Robert Hamilton

To learn more about the 210 ISACA chapters around the world, visit the Local Chapter Information page of the ISACA web site.


Book Review: Performing Information Governance: A Step-By-Step Guide to Making Information Governance Work

Reviewed by Maria Patricia Prandini, CISA, CRISC

“Information is the most valuable asset for the organization” is a statement often heard at corporate meetings and business conferences. Despite its importance, is information really well managed and governed at the corporate level? Are organizations satisfied with the way information governance and management processes are conducted? Are efforts toward effective information governance achieving expected results?

Performing Information Governance provides readers with detailed guidance on how governance principles and best practices should be applied to improve the information governance process. The book is organized around 3 main tracks: an overview of information governance and enterprise information management (EIM), the performance of information governance activities in EIM projects, and the ongoing information governance processes.

Subjects covered in the publication include the main concepts and functions of information governance and management and its framework, organization, operations and main tasks. It covers ongoing information governance processes and EIM projects. Emerging topics such as big data and business intelligence are also analyzed in addition to the data quality perspective in the management processes.

Five appendices complete the publication, containing subjects such as organizational change management in information governance and the EIM system development life cycle.

The book is successful in presenting an easy-to-read resource with plenty of figures and tables that help readers understand the different perspectives of information governance. Every chapter ends with review questions, and most chapters include case studies to help the reader understand the challenges of performing information governance processes in real-life situations.

As stated in the title, this publication is a step-by-step guide to making information governance work and to helping practitioners integrate information governance activities in their organizations. In this context, this book could be a useful tool for management professionals (e.g., data stewards, analysts, auditors, chief information officers) or any practitioners interested in how to apply information governance principles and guidelines on EIM projects and information processes.

Being a top asset in most organizations, information must be adequately governed and managed through well-developed processes and functions to guarantee the creation of value and stakeholder satisfaction. This book could assist in helping fulfill these organizational objectives.

Performing Information Governance: A Step-by-step Guide to Making Information Governance Work is available from the ISACA Bookstore. For more information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology in the Argentine government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the past president of the ISACA Buenos Aires (Argentina) Chapter.