@ISACA Volume 23  16 November 2016

Low-cost IT: Where Are the Savings?


One of the great things about being in IT is the diverse challenges we are asked to assess during the course of a given day. Recently, a customer called me and said that he had a new chief information officer (CIO). The CIO has a company driver who, during the car ride into the office, asked why the company was not replacing desktops with low-cost IT solutions. The CIO discussed with the driver the feasibility of purchasing a US $35 device to replace the current US $1,500 device. My customer proposed this replacement to me, to which I answered, “Sure, if all we are concerned about is the unit cost of the individual hardware devices.”

Having been in the IT consulting business a fair amount of time, this is not the first time I have heard such a request. Early in my career, there was a trend of home hobbyists who were using a popular TRS-80 chip and building or purchasing home computers. As one would imagine, the thinking became “if I can get this IT to work at home, it will surely make me a champion at the office.” As a result, some unfortunate organizations started populating their infrastructure with TRS-80 chip-based devices that fell out of favor well before the end of their depreciated lives. So now here we are, some 30 years later, and this trend is repeating itself.

So as not to dismiss the enthusiasm of the corporate driver, consider the problem again and see whether the IT world has evolved. To be fair, it makes sense to look at other low-cost IT solutions, such as netbooks, to make an informed decision. When evaluating this idea, exclude the power users who specialize in budget prediction, accounting, modeling and so on; it is clear their applications could not be hosted on these types of devices.

The first concern that comes to mind is the security of the supply chain. The cost of these types of devices is typically kept low by using chip sets that were introduced up to 15 years ago, with slow clock speeds and minimal primary storage (1 gigabyte). The central processing unit (CPU) chip, some memory and peripherals are hard-soldered onto a motherboard, resulting in a low-cost IT device. A large corporation with significant proprietary data could be targeted with hostile chips carrying code that calls home. This type of attack is not unheard of and is a very real scenario, depending on where these chips are made and on the user community. To further complicate matters, finding hardware reliability statistics on some of these chips has proven difficult, and in one case impossible.

The next consideration is the total cost of the device from a hardware and software perspective. As one would expect, the cost should include a motherboard with several output ports. At a minimum, additional costs include the cost to assemble the device, a protective case, cables, keyboards, monitors and additional external SD-card storage. The total device cost should also factor in the cost of loading the software, at which point the cost of the device approaches that of a netbook.

The next consideration is the operating system the device will host. Many of these devices run non-standard operating systems, typically a variant of UNIX or another open-source operating system. This necessitates specialized or reduced-capability browsers, in addition to non-Microsoft office automation software that is not as robust as commercial products. Emulators exist for popular environments such as Microsoft Windows, but with an old chip set and minimal memory, this approach pushes the physical limits of the device. In some cases, the devices run the home edition of a commercial operating system; these editions are designed so they cannot be managed as enterprise member devices. A version of the device with the enterprise edition of the operating system negates its attractive price.

Low-cost IT devices using one-off operating systems require the organization to develop specialized hardening procedures and scripts to support the unique operating system. This is not an insignificant cost. In cases where encryption is needed for data at rest or data in transit, the devices may have rudimentary capabilities, but the encryption keys cannot be managed from an enterprise perspective.

The next challenge with low-cost devices is how to manage them from an enterprise perspective. In today’s financial environment, most corporations have their devices delivered already hardened from a security perspective; for these devices, one would have to identify a third-party vendor to provide that service. In addition, most vulnerabilities in the enterprise are corrected through configuration management (CM) servers that push patches out to the devices on a predefined schedule. Devices using unique operating systems might have to be patched manually. Some open-source CM servers are being introduced to manage some of these devices, but this would mean replacing the existing enterprise CM servers with new CM servers running relatively new software that also has to be hardened.

In the end, there are no free lunches. However, if the enterprise is willing to ignore its sunk costs, invest in new open-source technology, create new business processes, reintroduce labor-intensive business processes and do all this while providing less capability to the employee, low-cost devices can be used. Realistically, in small numbers, these devices could be hardened and managed manually in isolated virtual desktop infrastructures (VDIs) that process only screen scrapes, keystrokes and mouse clicks. These small VDI networks could be connected to proxies that protect Internet browsing or other activities, separate from the corporate office automation network.

After I presented this analysis to the CIO, the CIO mentioned to me, “I never saw this as a security issue.” I replied, “I understand.”

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Research Meets Practice in New 2017 ISACA Journal Column



A classic analogy of research and practice is that of 2 parallel tracks that never come together. The pursuit of research for its own sake or in a zone that is too far from practice is often noted. On the other hand, practice at the cost of ignoring relevant research is also not uncommon. To help merge research and practice, the 2017 ISACA Journal will feature a new column called The Practical Aspect.

The primary purpose of the column is to bring to the Journal’s readership new and unpublished practitioner experiences after molding them into existing conceptual paradigms, a framing that supports the idea and promotes further practice.

Each column will be coauthored by an educator and a practitioner. The educator behind this column is Vasant Raval, DBA, CISA, ACMA, a professor of accountancy at the Heider College of Business, Creighton University (Omaha, Nebraska, USA). He is a long-time ISACA Journal columnist, the coauthor of 2 books on information systems and security, and an author or coauthor of more than 70 publications. His areas of teaching and research interests include information systems control and audit, information ethics, accounting education, information security, and corporate governance.

The practitioner coauthor will change with each new column. The themes and topics of the column will vary, but will be within the realm of subject matters relevant to the ISACA readership.

This is an opportunity for practitioners to bring their experience to a wider audience. Practitioners who are interested in submitting practical experience and coauthoring articles for this column with Raval may inquire at publications@isaca.org.


Key Challenges Facing the IT Audit Profession


ISACA held 2 IT Audit Director Forums during the 2016 North America and European CACS Conferences. During these forums, IT audit directors discussed the issues facing the audit profession and the solutions to these concerns. The main topics discussed include key challenges, big data analytics and IT audit, cloud and cyber security assurance, hiring and retaining talent, privacy by design, and data visualization.

Because of the conversational and flexible nature of these forums, the participants were able to participate in a collaborative discussion. The overall findings from these open conversations provide insight to audit professionals at all levels. Knowing the challenges the IT audit profession faces can help auditors address these concerns and improve their processes.

One of the key concerns addressed during the North America forum was data lineage. The large volume of data enterprises handle and increasing number of data regulations indicate that strong data governance practices, including data lineage, are useful. More information on data lineage can be found in the ISACA Journal, volume 5, 2016 article, “Data Lineage and Compliance.”

For a high-level overview of the forums, download the Insights from the 2016 IT Audit Directors Forums white paper.


Emerging Cyber Security Challenges and Opportunities


ISACA’s CSX 2016 North America conference convened in October in Las Vegas, Nevada, USA, to discuss emerging cyber security challenges and opportunities.

Some of the key lessons that emerged from the event include:

  • Prioritize people—While automation is necessary and inevitable, addressing the global cyber security skills shortage is chiefly about people. Opening keynote speaker Brian Krebs, an investigative journalist and founder of the KrebsonSecurity blog, was among several speakers to call upon organizations to make further investments in staffing and training.
  • Do not overlook firmware—The hard-coded software frequently stored in read-only memory (ROM) is low-hanging fruit for attackers that must be accounted for with embedded controls and emphasized in organizational risk assessments, according to keynote speaker Justine Bone, director and chief executive officer of MedSec. Bone presented the findings of ISACA’s new firmware security report.
  • Take an approach that resonates with executives—Reframing discussions about return on investment into cost avoidance conversations can help garner executive-level support for strengthening security programs. A forum for chief information security officers (CISOs) prompted discussions about how to win buy-in for security programs from senior management while delving into an array of challenges affecting today’s CISOs.
  • Internet of Things (IoT) devices require comprehensive security—The proliferation of IoT devices requires security and privacy that is embedded into the strategy and design of a connected device program and emphasis on full life cycle protection. Security specific to each category of device—including strong authentication and access control, data privacy protection and robust application security—also is recommended.
  • Proactively prepare for ransomware threats—Ransomware is becoming more targeted and more expensive. Ensuring the availability of high-quality backups for their data can help organizations avoid paying ransom and incentivizing hackers.

For more insights from the globally recognized speakers at CSX North America, download the free CSX North America Conference Report. The report provides lessons from select sessions, insights from practitioners and leaders in the field, perspectives from women in cyber security, and more.


Subscribe to Monthly COBIT Focus Newsletter


The COBIT Focus email alerts you to the latest COBIT news each month. To stay informed about the newest COBIT Focus articles and COBIT-related news, be sure to subscribe to COBIT Focus, ISACA’s e-magazine featuring COBIT case studies and the latest COBIT news.

COBIT Focus case studies help users expand their knowledge through real-life implementations of COBIT. Practitioners in various industries can benefit from the implementation lessons learned by COBIT Focus authors. The new COBIT Focus mailings will also keep readers informed of upcoming COBIT-related events and ISACA resources.

COBIT Focus publishes a new article every Monday. You can access the latest COBIT Focus article here.

The first monthly COBIT Focus mailing will be sent on 18 November, so be sure to subscribe to COBIT Focus today.


New CISM Job Practice Effective 2017


To ensure that the Certified Information Security Manager (CISM) certification remains relevant to the field of information security management, ISACA routinely reviews the CISM job practice areas to evaluate whether they are in line with industry demands and changes. ISACA and the CISM Practice Analysis Task Force completed a 9-month assessment of the CISM job practice. As a result, the CISM domains have been modified.

The domains are largely unchanged, but the weighting has shifted slightly. The updated domain headings and weightings are as follows:

  • Domain 1—Information Security Governance: Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives. (24% of questions)
  • Domain 2—Information Risk Management: Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives. (30% of questions)
  • Domain 3—Information Security Program Development and Management: Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture. (27% of questions)
  • Domain 4—Information Security Incident Management: Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact. (19% of questions)

For more information on the CISM job practice areas, visit the CISM Job Practice Areas 2017 page of the ISACA web site.