@ISACA Volume 25  14 December 2016

Top 6 Cloud Asset Inventory Risk Factors

By Leighton Johnson, CISA, CISM, CIFI, CISSP

An organization preparing for a cloud deployment should answer the following asset questions for a risk assessment to successfully implement a cloud solution. These questions focus on how important the data, function, application or process being supported is to the organization. These questions are based on the Cloud Security Alliance guide for risk recommendations:

  1. How would the organization be harmed if the asset became widely public and widely distributed?—What are the confidentiality impacts if the data are breached or inadvertently released? The recent Treacherous 12 publication puts data breaches as the top threat to cloud systems and deployments. Check the data and encrypt all data no matter where they are.
  2. How would the organization be harmed if an employee of the cloud provider accessed the asset?—What could happen if the cloud service provider (CSP) personnel inadvertently or intentionally retrieve and read the data? Check the criteria for the support efforts of the CSP and its personnel on manning, response (when needed) and access to the data.
  3. How would the organization be harmed if the process or function were manipulated by an outsider?—What impact is there if someone other than designated personnel manipulates the data, processes or workflow? Check what kind of response is permitted by the organization and what the CSP will do if someone besides an authorized user obtains access to the data.
  4. How would the organization be harmed if the process or function failed to provide expected results?—What are the impacts from inappropriate processing or incorrect business logic being applied to the data, workflows or business processes? Ensure the CSP provides the required processing efforts in any type of cloud implementation, whether it is an Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) deployment.
  5. How would the organization be harmed if the information/data were unexpectedly changed?—What are the integrity impacts if the data are altered or deleted? Always monitor the state and status of the data at all points during the use and movement of the data in and out of the cloud. Use data-at-rest encryption techniques for the data stored in the cloud as well.
  6. How would the organization be harmed if the asset were unavailable for a period of time?—What are the availability impacts if the users cannot get to the data when they need them? The cloud provides dramatic availability for data access from anywhere. Identify the criteria for availability and monitor the actual access at multiple points and times throughout the life cycle of data use in the cloud.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Becoming Agile With DevOps



Disruption is occurring across industries, and enterprises that cannot transform to meet new customer demands will fall behind. To help enterprises better embrace digital transformation, ISACA is presenting the “DevOps—Accelerating Your Enterprise’s Digital Agility” webinar. This webinar will take place on 15 December at 11AM CST (UTC -6 hours). Members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

DevOps is a combination of culture, automation, Lean, management, sharing and sourcing. Robert E Stroud, CRISC, CGEIT, will lead this webinar. In it, he will discuss how DevOps can help IT organizations with their digital transformation. Stroud will discuss the principles of DevOps; how it impacts assurance, compliance, governance, risk and security; and the tips and tricks to help your enterprise’s digital transformation be successful.

To learn more about this webinar or to register for it, visit the DevOps—Accelerating Your Enterprise’s Digital Agility page of the ISACA website.


Board Nominations Are Open


Nominations for the ISACA Board of Directors for the 2017-18 term are now open. Information about serving on the board, along with the attributes for members of the ISACA Board of Directors and the nomination form itself, is available on the Board Nominations page of the ISACA website. The online nomination form can be sent to nominate@isaca.org.

Members may nominate themselves or other ISACA members (or both) for either the position of vice-chair or the position of director. All nominations will be acknowledged, and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. All candidates not currently on the Board of Directors (self-nominated or nominated by others) will also be asked to submit a letter of recommendation from an ISACA member outlining how the candidate demonstrates the attributes for office.

Nominations for both vice-chair and director positions close at 5:00PM CST (UTC -6 hours) on 25 January 2017. The required candidate materials for those nominated (i.e., completed candidate profile form and letter of recommendation, if required) must be received at ISACA International Headquarters by 5:00PM CST (UTC -6 hours) on 1 February 2017. Nominated candidate materials should be sent to nominate@isaca.org.

Questions? Contact nominate@isaca.org.


The Dilemma for Workplace Usage: Wearable Technology


The ISACA Phoenix (Arizona, USA) Chapter research committee set out to learn more about the wave of wearable devices and understand the ISACA community’s attitudes toward wearables’ potential risk and security impacts in the workplace. To that end, the committee conducted 2 surveys of ISACA membership. Their ISACA Journal volume 6 article, “The Dilemma for Workplace Usage: Wearable Technology,” shares the insights of survey respondents representing many organizational types and geographies.

While there are many items that could be considered when allowing the use of wearable devices, the 4 key areas are governance, security, data privacy and network/infrastructure impacts.

Management must first determine what types of devices will be allowed and what the policies are relating to these devices. Are the devices going to be provided to employees or would employees be bringing these devices into the workplace? Are the devices going to be used for work purposes, for personal usage, or both? The answers to these questions could have an impact on the security, data management and device life cycle management components.

There are several security considerations when allowing wearable devices in the workplace. Given the wide variability and connectivity, there is no “one-size-fits-all” security strategy that can be applied. Each organization should carefully weigh the risk vs. the benefits of allowing these devices. Risk relating to physical, organizational and technical aspects should be considered and evaluated. Further, the technology behind these devices and the interconnectivity between devices often cause additional risk that needs to be considered.

Management should look at all layers, including hardware, software and add-on accessories, as part of the security assessment. Creating a comprehensive security standard that is based on an established framework can greatly reduce risk and allow management to take a proactive approach to securing devices.

Depending on how these devices are going to be used in the workplace, management may need to consider the risk and procedures relating to the entire life cycle, which includes the onboarding, usage and deactivation of devices. Handling lost or stolen devices and providing reimbursement are additional topics that may need to be considered.

Read Craig Krivin, Sanjay Bhide, Sandeep Desai, Ravi Dhaval, Joe Norris, Amanthi D. Pendegraft, Susan E. Snow and Dan Wagner’s full ISACA Journal article, “The Dilemma for Workplace Usage: Wearable Technology.”