@ISACA Volume 20, 7 October 2015

Security Project Triage Is About Resource Allocation

By Jack Freund, Ph.D., CISA, CISM, CRISC

Projects are the vehicle by which new “stuff” is added to the business environment. It makes sense, then, to implement the equivalent of an import inspection service to ensure the security of the new things being bolted on or forklifted into the operating environment. What are the requirements for good security project triage? At its core, this process is about being able to discriminate between projects that require scarce security resource allocation and those that do not.

In a perfect world, security analysts would be assigned to every project and serve as a backstop against bad security practices. They would sit in on every design session and review every piece of documentation. Their advice would be treated as absolute, and all would be secure. However, if your workplaces are anything like the ones where I have worked, there are too few security professionals and too many things in motion to assign a person to review each and every new thing being added and/or changed. But this is no different from anything else an organization does. Every day, decisions are being made about where to spend money, what to invest in, which new markets to open up and on which customers to dote. These are, in reality, risk decisions (even if they are not formally treated as such). The decision maker decides that they are unwilling to suffer the consequences of not pursuing one priority over another. There are parallels to this in people’s private lives: people spend the time and money that they have (both scarce resources) on what they do because they are unwilling to accept the risk associated with a different prioritization.

The same principles can be applied to project risk. It is necessary to determine which projects have the ability to cause the greatest harm to the organization, spend the limited resources there, and then accept the risk associated with not engaging fully on 100% of the projects. The Project Management Body of Knowledge (PMBOK) describes a process called “Progressive Elaboration.” It describes the intuitive notion that more is known about a project at the end than at the beginning. This can be thought of as a funnel: At the top (the wide-mouthed part of the funnel), there are a large number of bad things (risk factors) that may materialize. Over the course of the project’s execution, these factors will be whittled down to reveal the real list that represents the changes being made to the environment (the narrow part of the funnel). In the beginning, the organization may know that the new project will introduce a public-facing web site, but the project team has not figured out what kind of authentication they want to use or who will be given access. By the end of the project, they will have identified which sets of customers will be able to log in using Security Assertion Markup Language (SAML) from the main customer portal.

This mind-set shapes the project triage process. First, identify the projects that map to risk factors that plot outside the organization’s loss acceptance curves and monitor them closely. For the projects that fall within the loss acceptance curves, consider giving project managers a “build your own” menu. Identify approved solutions that the organization currently has (from control catalogs) so that project managers can pick preapproved, secure configurations. If at any point during project execution they find themselves rudderless, or in need of something that is not on the menu, allow them to reengage and reassess their choices and how those choices affect risk.

Incidentally, this can also serve as a justification for increased resource allocation during budgeting season, as it will be possible to clearly point out how many projects are not getting the benefit of hands-on security consulting and the corresponding risk that poses to the organization.

Jack Freund, Ph.D., CISA, CISM, CRISC, is senior manager of cyberrisk and controls for TIAA-CREF, member of the CRISC Certification Working Group, and coauthor of Measuring and Managing Information Risk.


Addressing Threats in the Rapidly Changing Cybersecurity Landscape
Security professionals are increasingly concerned with cloud technology and mobile devices as these areas transform the IT landscape and the way people work. This modified IT infrastructure presents numerous cybersecurity challenges, as attacks are more sophisticated than ever before. To help you better understand how to combat these challenges, ISACA and TechTarget have partnered to present “The Cyber Centric Enterprise: Maintaining a Dynamic Security Posture in a Chaotic Threat Environment” virtual conference. The conference will take place on 28 October from 7:15 AM to 4:00 PM CDT (UTC -5 hours).

At this virtual conference, you will learn more about the impact of cloud computing, the deployment of the Internet of Things, and the increasing reliance on advancing analytics and monitoring. These topics will be related back to the effect they have on the cybersecurity landscape. After attending this conference, you will be able to identify and develop risk management strategies that specifically address the threats your company will encounter.

Attendees of the conference can earn 5 free continuing professional education (CPE) hours. In addition to gaining valuable insights on cybersecurity challenges, attendees can also network with peers from around the world during dedicated networking time.

To learn more about the conference or to register for it, visit the “The Cyber Centric Enterprise: Maintaining a Dynamic Security Posture in a Chaotic Threat Environment” page of the ISACA web site.


EuroCACS/ISRM Speaker Spotlight: Cybersecurity as a National Security Issue
Cybersecurity and data security have become issues of national security for governments around the world. Attendees at the 2015 European Computer Audit, Control and Security (CACS) and Information Security and Risk Management (ISRM) Conference will have the opportunity to learn how to better respond to security threats at the conference’s opening keynote address, “Fighting for National Security.”

The opening keynote address will be delivered by Jakob Scharf, former director general of the Danish Security and Intelligence Service (DSIS). When Denmark became a priority target for cyberattackers, Scharf led the country’s security efforts, which led to Denmark’s adoption of a holistic national security approach. In his time at DSIS, Scharf and his team effectively identified and countered terrorist threats. In addition to sharing key lessons he learned in his time at DSIS, he will also discuss the relationship between public and private organizations and how this can be used to share information and increase security.

To learn more about EuroCACS/ISRM, visit the EuroCACS/ISRM page of the ISACA web site.


New Volunteer Model Is More Agile and Flexible
Volunteers are critical to the success and continued growth of ISACA, and now it is more convenient than ever to share your expertise. To make ISACA more responsive and agile, the ISACA Board of Directors unanimously approved a new approach to engaging volunteers in a variety of activities.

Volunteer time commitments now range from year-long engagements to increments as short as an hour of your time, so ISACA projects enable you to get involved as your schedule permits. Professional and personal lives change, so you can now also indicate interest in volunteering at any time throughout the year when it is most convenient for you!

Your involvement helps ISACA be more innovative and responsive in addressing trends and fast-changing market needs. You can also further build your professional portfolio and network of global colleagues.

We invite you to join others in contributing your time to ISACA’s forward-thinking strategy and exciting projects. Visit the Volunteering page of the ISACA web site to learn more about the current and future volunteer options that align best with your interests and your availability. Questions? Contact volunteer@isaca.org.


Secure Your Cyberlandscape With Your ISACA Membership
“Information security is a challenging field that needs to remain current with the latest technology trends in the industry. As a security consultant, the knowledge that the ISACA Journal and other ISACA publications provide is essential and valuable. Plus, I interact with professionals who share knowledge and common interests,” says Sadasivan N G, ISACA bronze member.

As an ISACA member, you can discover the most innovative advancements in the cybersecurity field inside ISACA’s Cybersecurity Nexus (CSX). ISACA recently published Cybersecurity Guidance for Small and Medium-Sized Enterprises and Implementing Cybersecurity Guidance for Small and Medium-Sized Enterprises. Members receive discounted rates on these publications. Purchase your copies today to gain access to the practical and manageable tools to implement and maintain reliable cybersecurity practices.

Register for ISACA’s cybersecurity webinars, which offer cutting-edge thought leadership, research, and advice on current and emerging threat environments. Some recent cybersecurity webinar topics include “Cybersecurity in the Era of Cloud,” “The Rise of Mobile Malware” and “Securing Data in the Age of Mega Breaches.” As an ISACA member, you can watch 1 or more of the archived webinars and earn CPE hours after you pass a related quiz.

Make your cyberlandscape more secure with the tools and resources included with your ISACA membership. Join or renew your ISACA membership today to increase your ability to detect a cyberattack before it significantly impacts your systems.


Book Review: Secrets & Lies: Digital Security in a Networked World

Reviewed by Maria Patricia Prandini, CISA, CRISC

Few books on information technology can stand the test of time. Because the field is constantly evolving, what was proclaimed new technology a few years or months ago is outdated today. Information security publications are exposed to the same risk. New books or articles on vulnerabilities, recently developed risk analysis methodologies and new standards appear every day, making almost everything that was written in the past obsolete.

But Bruce Schneier’s Secrets & Lies: Digital Security in a Networked World is an exception to that trend. This book was originally published in 2000 and a paperback edition was released 4 years later. The primary messages of this book remain relevant today: the need to treat software as any other product and consider the software company liable if the product has a flaw; the difficulties associated with the use of digital certificates; and the fact that information security is not just a technical issue, but involves things that people know, human relationships and how people relate to computers.

This book offers the reader all of the author’s expertise and guidance on how to protect information that flows through computer networks. The book is organized into 3 parts. The 1st, titled “The Landscape,” covers how to deal with digital threats, who the attackers are and what they seek. It provides context for the rest of the book.

The 2nd part is about technologies used for different purposes, such as cryptography, identification and authentication, network security and defenses, secure hardware, software reliability, digital certificates and credentials, and the human factor.

The final part refers to strategies and issues such as the vulnerability landscape; threat modeling and risk assessments; security processes, policies and countermeasures; product testing and verification; and the future of products. These complex subjects are clearly and thoroughly explained.

Written in straightforward language, the book is easy to understand for information security professionals, business executives and other IT professionals. It successfully shows that information security is not just a technical matter, but a business issue.

Based on his extensive experience in the field, the author discusses the myths and challenges IT managers and technicians confront when building secure systems and infrastructures. Full of practical guides, the book successfully connects business needs with information security solutions to protect digital information and to develop implementations that are practical to the user.

Real-life anecdotes make this an interesting book that illustrates how accessible information is in today’s digital world and how important it is for organizations to understand how to protect it.

Secrets & Lies: Digital Security in a Networked World is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology at the Argentine Government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires Chapter.