@ISACA Volume 25  13 December 2017

Six Data Uses and Their Importance

By Leighton Johnson, CISA, CISM, CIFI, CISSP

In today’s business environment, most, if not all, organizations work with online information in a variety of ways. Each of these activities requires users, administrators and corporate information protection personnel to monitor and maintain the security and privacy of the information. These various ways of interacting with data require methods, processes and basic user practices to keep information safe and secure. Six of the methods of interacting with data, the security criteria affected by each method and their common protection mechanisms are:

  1. Collect the data—To collect data in a safe and secure manner, the privacy of the information from the source must be maintained. The information’s integrity (is it right and accurate?) is of vital importance to the collection activity, and the ability to collect it without other parties obtaining it is often considered the most important part of the collection process.
  2. Use the data—The use of data is commonly a standard process and is a controlled effort on the part of the collecting organization. But certain considerations need to be accounted for with this data use. Maintaining the privacy and confidentiality of the information can be critical to the organization and its business objectives. The accuracy of the information must be continuously maintained to ensure the proper view of the information and, of course, it is necessary for the information to be available for use when it is needed to ensure proper organizational processing at the right time.
  3. Access the data—Obtaining controlled access to the information is important to the users, maintainers and managers of the data since data access management provides oversight, control, accuracy and proper utilization of the information. Proper authentication to access the data ensures each authenticated user is authorized to see, use and potentially manipulate the data in the expected method. This keeps the information appropriately managed and not vulnerable to outside alteration.
  4. Maintain the data—Maintaining data affects its accuracy, integrity and confidentiality within the organization. It also affects privacy requirements in today’s business environment. Maintaining data often requires periodic review of the information, its use and its continued accuracy with respect to its initial state when originally collected by the organization.
  5. Share the data—Often, organizations will share information with outside entities, either under an agreement or for sale and profit. Each of these types of sharing requires additional oversight by the organization for proper compliance with regulations or legal considerations. Today’s business operating environment has many legal considerations that organizations must consider and document, or they may be subject to legal actions, such as fines. The sharing of information must account for the confidentiality of the information, the original purpose for which the information was collected, and now also the privacy of whoever is the subject or source of the information.
  6. Disclose the data—The disclosure of the information when unexpected and/or unwanted can lead to a vast array of organizational issues and unanticipated results. Over the past 2-3 years, we have seen the incredible effects of data breaches on organizations. The confidentiality of the information being breached has led some organizations to go out of business or receive government fines and sanctions, while other organizations that are well prepared receive just a minor dip in reputation and then recover back to pre-breach levels of income, sales and even profits. It appears the best way to handle these types of events is to be prepared, know breaches will happen, and build and follow playbooks for incident handling. Keeping the customer informed early and often does look like the best approach, especially in conjunction with using proper legal and operational counsel and advice along the way.

Information processing and management is critical to each organization’s efforts in today’s business and operational environments. Properly collecting and maintaining information is vital in each and every step of the information handling process.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Webinar on Auditing Agile


Software is a driver of growth, innovation, efficiency and productivity in an enterprise. Software delivery is the key to enterprise responsiveness. Agile software development is increasingly popular and drives enterprise success. It not only accelerates product and service delivery, but builds high-quality products that customers value, reduces risk, eliminates waste, enhances collaboration, increases the ability to manage changing priorities and improves project visibility. While Agile affects many components of software delivery and development, it can be audited if its methodology is understood.

To help increase your understanding of Agile audit, ISACA presents the “Auditing Agile in Agile Time” webinar. This webinar takes place on 19 December at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Gemma Bevilacqua, CGEIT, CSM, CSP, PMI-ACP, program manager and infrastructure operations manager at DuPont Pioneer, will lead the webinar. Bevilacqua has managed many projects and programs and will use her experience with Agile project management to help aid your implementation of Agile audit in your enterprise.

To learn more about this webinar or to register for it, visit the Auditing Agile in Agile Time page of the ISACA website.


Audit Your Organization’s Shadow IT


Agility and competitiveness require the use of shadow IT. As a result, more and more organizations are adopting it. Shadow IT use can lead to rapid deployment of internal applications and cost savings, but the risk is often overlooked.

ISACA’s Shadow IT Audit/Assurance Program focuses on preventing, discovering and managing shadow IT risk. This program helps establish the effectiveness of shadow IT governance, monitoring and management. This review also includes:

  • Guidance for management to assess their shadow IT policies, procedures and operating effectiveness
  • Direction to identify weak controls that may allow for unsanctioned shadow IT usage

Conducting a formal assessment allows an enterprise to be aware of critical business applications that exist outside the organization’s IT control framework. The ISACA Shadow IT Audit/Assurance Program provides IT auditors with the tools to successfully assess the risk associated with shadow IT. This audit program is a free download for members and costs US $50 for nonmembers. Download this program by visiting the Shadow IT Audit/Assurance Program page of the ISACA website.


Understanding Virtual Reality and Augmented Reality


With the surging popularity of augmented reality (AR) and virtual reality (VR) over the last few years and their use becoming commonplace in gaming and media outlets, most people have at least a cursory understanding of what these technologies are and how they work. But while executives may have a layman’s understanding of what AR and VR are, they may not be able to imagine how the technologies could be applied in their industries or what risk must be weighed before adoption. To help bridge that gap, ISACA has released the ISACA Tech Brief: Virtual Reality and Augmented Reality.

This complimentary tech brief contains insights on how VR and AR are being used in industries such as emergency management, training and education, medicine, and the military. This tech brief includes risk considerations, expert insights and critical questions to ask before adoption. This is the fourth tech brief in a series intended to offer quick overviews of topics at a nontechnical level. Tech briefs are a great resource for IT professionals to use when educating their business partners on the basics of a technology that might hold potential in their industry.

To learn more and download this tech brief, visit the ISACA Tech Brief: Virtual Reality and Augmented Reality page of the ISACA website.


White Paper: ROI in the Wake of Cloud Service Adoption


Calculating anticipated return on investment (ROI) and ROI after cloud implementation allows an organization to see its anticipated gains vs. its actual gains post implementation. While this calculation seemingly would provide value to most organizations, the ISACA Cloud ROI Study shows that while many organizations still calculate ROI, the number of enterprises calculating cloud ROI is dropping. Enterprises that do not calculate cloud ROI often blame the lack of a reliable calculation model and justify implementation on nonfinancial business objectives.

Implementing cloud services based on nonfinancial business objectives is explored in more depth in the white paper How Enterprises Are Calculating Cloud ROI. Criteria such as enhanced business agility, shifting funding from capital expenses to operating expenses, or business cases that have no specified financial outcomes are all reasons cited for organizations omitting cloud ROI calculations from the cloud implementation process. By contrast, this white paper also explores what enterprises that do calculate cloud ROI include in their calculations. These enterprises factor both tangible costs and intangible costs (including employee time) into a quantitative, qualitative or hybrid model. This allows them to see the costs and benefits of cloud computing clearly, along with the efficiency of the employed cloud services.

You can access the complimentary ISACA white paper on the How Enterprises Are Calculating Cloud ROI page of the ISACA website.