@ISACA Volume 20  3 October 2018

ISACA Remembers 1984-85 Board Chair, John Lainhart


John Lainhart, a former ISACA board chair who provided more than 4 decades of impactful leadership to the organization, passed away on Tuesday, 25 September 2018. He was 71.

Lainhart was a central figure in the development of ISACA’s Certified Information Systems Auditor (CISA) certification and the COBIT framework.

“John Lainhart was a passionate leader whose contributions to and impact on the IT audit, cybersecurity, governance, and risk professions are legendary at ISACA,” said Rob Clyde, CISM, NACD Board Leadership Fellow, ISACA board chair. “He is considered a mentor by many and continued to volunteer for ISACA even until the last day of his life. We will sorely miss him.”

Lainhart served as ISACA’s board chair from 1984 to 1985 and worked to expand ISACA’s geographic reach throughout the globe. His passion for the organization extended well beyond his term as board chair; in fact, he was the lead developer of COBIT 2019, which will be released later this year. A resident of the Washington, D.C., USA, area, Lainhart held ISACA’s CISA, Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) certifications and was a member of numerous ISACA committees and working groups—most recently, the COBIT Working Group and the Future of IT Governance Steering Committee.

In addition to working for the US House of Representatives, Lainhart held positions at the US Department of Transportation (DOT), the US General Accounting Office (GAO) and IBM Global Business Services’ (GBS) Public Sector, and his most recent role was as a director in Grant Thornton Public Sector’s Cyber Risk Advisory practice.

His willingness to share his knowledge and experience with others was the hallmark of his service to ISACA.

“John leaves behind a remarkable personal and professional legacy—and I am grateful to have been so profoundly impacted by his knowledge, generosity and kind spirit,” said Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, ISACA board director and 2017-18 ISACA board chair. “John recognized that one of the best parts of being a leader is the ability to help others follow in your footsteps. I encourage everyone to be a John Lainhart and find people to champion.”

Lainhart is survived by his wife, Alice, his son and two daughters, and his grandchildren.


Data Protection Strategy


I have always told people that cybersecurity is a misnomer. I really do not care about technology. It is not why I have a job. More specifically, I do not care until it is time to care. The way I determine when to care is by imagining I am tying several balls of string onto a nail, throwing the balls of string across the room, and seeing where the ends of the strings land. I care where the balls of string land because these can be analogous to the endpoints where data are accessed, and the nail is where data are stored. The parts of the strings between where the balls land and the nail are the pieces of technology about which I care. In short, what I care about is what my customer cares about, and that is data. So, if the data I am protecting go through technology, then I care about that technology. All other technology is to be viewed as untrusted and its security posture as unknown. This is especially true in a time when there is no such thing as a protection strategy built upon the concept of an inside and an outside. When you become datacentric in your thinking, everything is outside.

Many engagements amount to trying to protect the unknown when it comes to data. Where are the data? They are in the cloud; they are in that server; we keep them in a database; the IT team knows where they are. In reality, the data are sprayed across the architecture with the fragmentation that reflects how the organization and its architecture grew. So, can you imagine the vulnerabilities that impacted pre-Internet security architectures when they were exposed to the Internet? It is seldom that there is a coherent approach to data architecture. This is reflected in the fact that many people confuse the organization’s business process with how their functional applications work. So, where are your data? In the application. What is your business process? For most organizations, it is whatever the application does.

This fragmentation happens even when high-value data are classified into hierarchical or non-hierarchical security classifications. In many instances, the classified, or protected, data are stored and maintained alongside unclassified and unprotected data. Then, the whole server, cloud, etc., is protected at the highest level. This makes it difficult to grant the people who use the data the access and privileges they need. Data strategies and implementations duplicate data and create master/slave databases that are inefficient and hard to keep in sync across the security boundaries. So, in the end, here are a few points to consider about data:

  • Develop a data protection strategy—This strategy should be developed relative to the value of the data to the organization. This must be done from a functional perspective, then communicated in policy to the IT team (the individuals who know where data are stored). This includes roles that are performed across the organization and the access and privileges required by those roles. These roles should also consider users outside the organization. In addition, to prevent activities such as fraud and theft, job rotation and role separation should be reflected in this strategy.
  • Develop a contracting strategy for data—This strategy needs to consider all third-party services used by the organization on which data are stored, transmitted or processed. Whenever possible, and if you are a big enough organization, third parties’ protection strategies should be available for review to see their alignment with your data protection strategy.
  • Develop a data architecture—It is critical to understand the data and how they relate to business processes, i.e., the way data move through the organization, where they are stored, who needs to touch the data and how, and, finally, where and when the data need to be processed. This includes going through your existing architecture, finding the data at rest, in process and in transmission and aligning the data with the protection strategy. This effort should also make every attempt to implement a very strict least-privilege approach, which includes reducing the number of people who can touch the data. All functional applications and users should access data through a trusted application that proxies all queries to the data. Firewalls and application firewalls protect general controls (i.e., servers and applications), not the organization’s actual operational data, which therefore need their own protection. Data should never be directly exposed to functional users, whether directly through structured query language (SQL) statements or indirectly through a functional application. Everyone, except a trusted few (i.e., database administrators [DBAs], system administrators), should access data through a trusted application developed specifically for providing data.
  • Develop a contingency plan for data—I included this point separately from data architecture out of respect for our past. At one time, security was all about backups and contingency plans. It is still crucial to have a strategy for protecting data either offline or by feeding multiple data locations (cold, warm and hot strategies). The strategy should be reflective of the type of architecture the organization is using. Do not use the same strategy for a standalone computer as you would for a cloud implementation. Instead, leverage the techniques and technologies available that increase the survivability of your data.
  • Align your existing infrastructure and new IT projects with the data architecture—As part of this effort, make every attempt to de-fragment the data across the architecture. Focus on bringing like data together so that you can protect similar data with the same implementation. This effort should also focus on where investments need to be made to align the data with the protection strategy and integrate data into the data architecture.
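The data architecture point above calls for three controls that are easy to state and easy to get wrong in practice: a trusted application that proxies every query, strict least privilege on what each role can see, and role separation to deter fraud. The following Python sketch is an added example (not code from the column or from TWM Associates) showing one shape those controls can take: callers invoke named operations rather than writing SQL, column access is decided by a role allow-list held only inside the trusted layer, every decision is written to an audit trail, and a separation-of-duties check flags users whose combined roles hold conflicting duties. The table, roles, classifications and sample rows are constructed for illustration.

```python
"""Trusted data-access layer: functional users never see the table directly."""
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed sample rows. Public, internal, confidential and restricted
# fields share one table, which is the co-mingling the column warns about.
CUSTOMERS = [
    (1, "Ada", "ada@example.test", "123-45-6789", 1200.00),
    (2, "Brice", "brice@example.test", "987-65-4321", 250.50),
]

# Classification per column; only the trusted layer needs to know it.
COLUMN_CLASSIFICATION = {
    "id": "public", "name": "public", "email": "internal",
    "ssn": "restricted", "balance": "confidential",
}

# Least-privilege policy: which columns each functional role may read.
# This is the artifact written from a functional perspective and handed
# to the IT team, expressed as data rather than as prose.
ROLE_COLUMNS: Dict[str, List[str]] = {
    "support": ["id", "name", "email"],
    "finance": ["id", "name", "balance"],
    "compliance": ["id", "ssn"],
}

# Separation of duties: no single person may hold both sides of a pair.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "finance": {"payment_submit"},
    "treasury": {"payment_approve"},
}
SOD_CONFLICTS = {("payment_submit", "payment_approve")}


class AccessDenied(Exception):
    """Raised when a role asks for a column outside its allow-list."""


class DataService:
    """All access goes through named operations; callers supply only
    a role, a record key and the field names they want."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
            "email TEXT, ssn TEXT, balance REAL)"
        )
        self.conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
        # (role, decision, customer_id, columns) for every request.
        self.audit: List[Tuple[str, str, int, str]] = []

    def get_customer(self, role: str, customer_id: int, columns: List[str]) -> dict:
        allowed = ROLE_COLUMNS.get(role, [])
        denied = [c for c in columns if c not in allowed]
        if denied:
            self.audit.append((role, "DENY", customer_id, ",".join(denied)))
            raise AccessDenied(f"role {role!r} may not read {denied}")
        # Every name in `columns` was just checked against our own allow-list,
        # so the column list is trusted; the caller-controlled key is bound
        # as a parameter, never interpolated.
        col_sql = ", ".join(columns)
        row = self.conn.execute(
            f"SELECT {col_sql} FROM customers WHERE id = ?", (customer_id,)
        ).fetchone()
        self.audit.append((role, "READ", customer_id, col_sql))
        return dict(zip(columns, row)) if row else {}


def attempt_read(svc: DataService, role: str, customer_id: int,
                 columns: List[str]) -> Tuple[str, object]:
    """Wrap get_customer so a denial is a value rather than an exception."""
    try:
        return ("ok", svc.get_customer(role, customer_id, columns))
    except AccessDenied as exc:
        return ("denied", str(exc))


def check_separation_of_duties(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, duty_a, duty_b) for every user whose roles together
    hold a conflicting pair of duties."""
    violations = []
    for user, roles in assignments.items():
        duties: Set[str] = set()
        for r in roles:
            duties |= ROLE_DUTIES.get(r, set())
        for a, b in SOD_CONFLICTS:
            if a in duties and b in duties:
                violations.append((user, a, b))
    return violations


if __name__ == "__main__":
    svc = DataService()
    print(attempt_read(svc, "support", 1, ["name", "email"]))
    print(attempt_read(svc, "support", 1, ["ssn"]))
    print(check_separation_of_duties({"alice": {"finance", "treasury"}, "bob": {"finance"}}))
    for entry in svc.audit:
        print(entry)
```

The point of the wrapper is that the functional application never holds a database credential with broad rights and never composes SQL; adding a new consumer of the data means adding a row to the role policy and, if needed, a new named operation, both of which are reviewable artifacts. The audit list is where a detection rule would look for a role repeatedly asking for columns it is denied.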

In the end, the protection strategy for data is protect what you love at rest, in transmission and during processing. Remember to execute very strict least privilege and job-rotation strategies. There is no inside and outside when it comes to data. Data need to be valued, and that value needs to be reflected in the organization’s DNA, its infrastructure, its contracting strategy and in you. Finally, respect the past and develop a relevant contingency plan for your data.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


How to Manage Your Organization’s Vendor Relations



Organizations continue to rely more and more on third-party vendors. These vendors can add efficiency to process and help achieve revenue growth and scalability. At the end of the day though, while third-party vendors may provide you and your organization with these benefits, how much can they be trusted? If an incident occurs relating to a vendor-managed product, your customers will blame you. To safely navigate the modern business climate, your organization must develop and maintain a decisive, well-defined strategy for third-party risk management. Aligning your vendor relations management (VRM) strategy with your organization’s business model is crucial. While most organizations have some awareness about the importance of internal cybersecurity risk management, they often fail to extend that same due diligence to third-party security.

To address the critical steps needed to ensure that your VRM strategy supports a confident operational resilience posture, so that you can rely on your vendors for critical business processes and protect your brand, ISACA and SAI Global present the “Aligning VRM With Organisational Resilience: How to Solve Dependency of Vendors in the Connected World” webinar. It will teach you how to thoughtfully design your third-party vendor risk framework, how to collect reliable vendor management data on a regular basis, and how to outline a disaster recovery plan for your most critical vendors. This webinar takes place on 24 October at 8AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Simon Wilkes, IT risk management expert and pre-sales director at SAI Global, is an advisor, solutions architect and senior consultant in the ever-expanding area of IT risk management. Wilkes will lead the webinar and use his more than 15 years of experience to help you find the best way to align VRM with your organization’s needs.

To learn more about this webinar or to register for it, visit the Aligning VRM With Organisational Resilience: How to Solve Dependency of Vendors in the Connected World page of the ISACA website.


New Research Reflects Enterprises’ Progress Toward Digital Transformation



Big data and artificial intelligence (AI)/machine learning offer the most potential as transformative technologies, according to ISACA’s 2018 Digital Transformation Barometer research, as identified by 28% and 25% of survey respondents respectively. The gap between these 2 technologies has shrunk from 18 points to 3 points in just 1 year. However, concerns still exist as the popularity of AI/machine learning implementation rises, with only 40% of respondents reporting confidence that their organization can accurately assess the security of systems that are based on AI/machine learning.

The survey also found that:

  • Ninety-one percent of respondents say that their organization has plans in place to take steps toward digital transformation, and that their senior leadership team is either moderately (53%) or very (29%) receptive to adopting emerging technologies.
  • Only 12% of organizations report that they intend to deploy blockchain within the next year.

To view the full survey results, visit the 2018 Digital Transformation Barometer page of the ISACA website.


ISACA’s Cybersecurity Nexus Launches New Certificates, Training and CSXP Exam


ISACA’s Cybersecurity Nexus (CSX) has launched 4 new certificates as part of its Technical Foundations series intended for entry-level security professionals and those seeking a career change to cybersecurity. The series consists of CSX Packet Analysis, CSX Network Application and Configuration, and CSX Linux Application and Configuration; those who complete these 3 courses will earn the CSX Technical Foundations Certificate.

The courses take place in a virtual, self-guided environment, allowing users to learn at their own pace in any location.

ISACA has also introduced the Cyber Academy, a self-paced subscription package with even more CSX training available on-demand to users at a discounted rate, allowing them to take their skills to the next level. Individuals can take the training any time, and new labs are added throughout the year to help users stay ahead of emerging threats.

Additionally, ISACA relaunched its CSX Practitioner (CSXP) certification exam to reflect an updated job practice. CSXP is the only comprehensive performance certification that tests an individual’s ability to perform globally validated cybersecurity skills spanning 5 security functions: identify, protect, detect, respond and recover. Following the new job practice analysis, the contents of the exam are now:

  • Domain 1—Business and Security Environment (23%)
  • Domain 2—Operational Security Readiness (23%)
  • Domain 3—Threat Detection and Evaluation (27%)
  • Domain 4—Incident Response and Recovery (27%)

ISACA’s Cybersecurity Nexus offers resources to help cybersecurity professionals at every level of their careers build the skills and knowledge that they and their organizations are seeking. For additional information on CSX, visit https://cybersecurity.isaca.org.