@ISACA Volume 24  30 November 2016

Cyber Security or Information Security?


Recently, the term “cyber security” has been used more often to describe the protection of sensitive information. Prior to this, “information security” was the more commonly used term. Recently, a regulator expected reporting authorities to develop cyber security policies that were distinct from information security policies. That request raised a question: What is the difference between cyber security and information security?

The word “cyber” means “relating to or characteristic of the culture of computers, information technology and virtual reality.” Organizations depend heavily on information technology for capturing, processing, storing and disseminating data through information technology. Attackers also use the same technology to access and steal information in an unauthorized manner. Securing information, therefore, is an essential requirement for enterprises today. Because most information is in electronic form, securing information may also be referred to as cyber security.

The confusion regarding these terms starts when some professionals use information security and cyber security interchangeably to mean the same thing, while others advocate that these are different terms. For the US government, cyber security seems to be the preferred term, though the law that governs federal cyber security is called the Federal Information Security Management Act (FISMA).

Some security professionals differentiate cyber security from information security. They provide one or more of the following arguments in support of this differentiation:

  • Cyber security actually is an in-depth technical solution and does not focus on the protection of physical information, e.g., paper, documents, books.
  • Cyber security includes threat intelligence and proactive security measures that are not covered by information security (in reference to global standards).
  • Cyber security addresses incident response differently than information security addresses it.

However, the argument for using these terms interchangeably does hold up when examining the objectives and expectations of an organization’s security. An organization is protecting its data and the organization uses information technology, so for that enterprise, cyber security and information security do not mean different things. The word “cyber” is known to be related to computers and, hence, it may be used to highlight the focus of security.

Therefore, when management asks security professionals to develop cyber security policies, there is no need to get confused; use the same policies related to risk assessment and protecting information assets, but use the term cyber security. And be sure not to be too concerned with the terms. After all, when it comes to an attack, attackers really do not care which term we use.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Leveraging Threat Analytics to Prevent Breaches


Source: Roy
Scott/Getty Images

A cyberattacker who has control of a privileged account or an insider working against an enterprise can cause significant damage. Threat analytics are essential to detect and mitigate breaches, but only 1% of breaches are detected by monitoring programs. To help enterprises better leverage threat analytics, ISACA has partnered with CA Technologies to present the “Threat Analytics—The Key to Protecting Privileged Access and Preventing Breaches” webinar. This webinar will take place on 13 December. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Mark McGovern, vice president of product management at CA Technologies, will lead this webinar. In it, he will explain approaches to analyze real-time privileged user activity information and how to detect and mitigate breaches before they harm your enterprise. Additionally, McGovern will provide some examples of real-time threat analytics.

To learn more about this webinar or to register for it, visit the Threat Analytics—The Key to Protecting Privileged Access and Preventing Breaches page of the ISACA web site.


Tips for Auditing Cyber Security


With the growing concern surrounding cyber security, it is becoming increasingly important to audit technology and related processes. To help auditors better complete this task, ISACA is offering the “Suggested Tips Auditors Need to Know About Cyber Security” webinar. This webinar will take place on 6 December at 11AM CST (UTC -6 hours). Members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

In this webinar, a panel of experienced audit and cyber security professionals will explain how cyber security can be integrated into various phases of the auditing process. The panelists are Vilius Benetis, Ph.D., CISA, CRISC, Martin Cullen, CISA, CRISC, CGEIT, COBIT 5 Foundation, ISO27001 LA, and Richard Hollis, Chief Executive Officer, Risk Factory Ltd., CRISC, CISM. During the webinar, they will provide practical advice that can be implemented during the audit process.

To learn more about this webinar or to register for it, visit the webinars page of the ISACA web site.


Registration Opens for First Certification Testing Window of 2017


Exams for ISACA’s Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) certifications are being offered in 2017 through computer-based testing, providing exam takers with increased scheduling flexibility and decreased turnaround time for exam results.

Registration is now open for the first testing window of 2017. The CISA, CRISC, CISM and CGEIT exams will be offered in 2017 at PSI testing locations worldwide during three 8-week-long testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline.

The second testing window in 2017 will be 1 August-30 September, and the third window will be 1 November-31 December.

For more information, see the 2017 ISACA Exam Candidate Information Guide.


ISACA Call for Papers—Become a Published Author


Source: mattjeacock/
Getty Images

Are you an industry expert, thought leader or passionate professional willing to share your experiences, insights and knowledge with colleagues and peers? Become an author for ISACA content such as white papers, books and audit programs. To participate, candidates should send a brief research abstract on one of the following topics to Research@isaca.org:

  • Cyber security for auditors
  • Emerging technologies
  • IT governance

If selected, candidates will be contacted by ISACA with further direction on how to develop the content.

The call for papers is open from now until 28 February 2017. Take advantage of this great opportunity to develop content on topics relevant to your profession. Selected authors will earn continuing professional education (CPE) hours upon the completion of the content and will be recognized as the author of their publication.


Ten Cyber Security Action Items for CAEs and Internal Audit Departments

By David Brand

The results of Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show 2 differentiators between top performers and the rest of the pack—a high level of board engagement in information security and the inclusion of cyber security in the audit plan. But that is just the tip of the iceberg.

Here are 10 internal audit to-dos, aimed to ensure that your organization is prepared to avoid a cyber “collision” with what is below the surface:

  1. Work with management and the board to develop and/or validate a cyber security strategy and policy.
  2. Identify and act on opportunities to improve the organization’s ability to identify, assess and mitigate cyber security risk to an acceptable level.
  3. Recognize that cyber security risk is not only external—assess and mitigate potential threats that could result from the actions of employees or business partners.
  4. Leverage relationships with the audit committee and board to a) heighten awareness and knowledge of cyberthreats, and b) ensure the board remains highly engaged with cyber security matters and up to date on the changing nature of cyber security risk.
  5. Ensure cyber security risk is integrated formally into the audit plan.
  6. Develop and keep current an understanding of how emerging technologies and trends are affecting the company and its cyber security risk profile.
  7. Evaluate the organization’s cyber security program against the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, recognizing that because the framework does not reach down to the control level, your cyber security program may require additional evaluations using ISO 27001 and ISO 27002.
  8. Seek out opportunities to communicate to management that, with regard to cyber security, the strongest preventative capability has both human and technological aspects—a complementary blend of education, awareness, vigilance and technology tools.
  9. Emphasize that cyber security monitoring and cyberincident response should be a top management priority—a clear formal escalation protocol can help make the case for (and sustain) this priority.
  10. Address any IT audit staffing and resource shortages and any lack of supporting technology tools, either of which can impede efforts to manage cyber security risk.

It is important for organizations to understand that cyber security is not an IT issue—it is a business risk requiring a comprehensive risk-based approach to manage. To focus on what may be lingering below the surface, cyber security risk management strategies must be both present and effective.

Cyber security and information security are not the same thing. Each requires its own set of controls. Boards should not only be aware of cyber security risk, but they also should be engaged, at least at a high level, with the organization’s information security measures. And internal audit should integrate cyber security into its daily activities and its annual audit plan. The Arriving at Internal Audit’s Tipping Point Amid Business Transformation report covers this issue in much greater detail.

Read more on the KnowledgeLeader web site.

Editor’s Note: © 2016 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.