@ISACA Volume 3, 10 February 2016

Optimizing Vendor Management


Outsourcing is a common business approach that has helped many organizations optimize risk management and resources. Its proliferation has introduced new challenges, so it is necessary to revisit how vendor management is done within the organization. The following considerations can help optimize vendor management:


  1. Processes—Defining, rationalizing and standardizing vendor management processes across the organization is essential so that they are managed consistently and with optimal use of automated tools.
  2. Governance—The key aspects of governance in vendor management include measuring the value delivered by vendors and relationship management. Some of the critical factors include:
    • Analyzing the information using qualitative and quantitative vendor performance metrics with various stakeholders. This may be done on a monthly basis.
    • Knowing what is being monitored when monitoring vendor performance. Vendors often prefer to monitor technical performance, e.g., uptime requirements or delivery timelines. But because IT services automate the business processes that deliver services to customers and stakeholders, monitoring service delivery to the business must be treated as a priority.
    • Meeting periodically with senior management and vendor leaders. Forming a steering committee may be useful in ensuring that issues are discussed and resolved to ensure user satisfaction.
  3. Inventory and categorization of vendors—Maintaining an inventory of vendors and categorizing them can help ensure effective governance. The following activities can help in the categorization of vendors:
    • Assessment—Identify the nature and level of outsourcing. Many organizations have outsourced various activities. Some are controlled by the corporate office and uniformly deployed across geographies, while others are decentralized and managed by regional/local offices.
    • Relationship—Relationships with vendors can be strategic (e.g., significant to the organization as a whole), tactical (e.g., process outsourcing), commodity-related (e.g., suppliers of material) or niche (e.g., software development).
    • Nature of outsourcing—Understand how dependent the organization is on the vendor. This depends on the cost of outsourcing, the value received from it, the impact on the business, the length of the relationship and the ease of substituting another vendor.

Apart from these considerations, there are 2 critical questions that must be asked when managing a vendor:

  1. How important is the vendor to the organization? The answer depends on the criticality of the outsourced processes, the nature of outsourcing and relationship with the vendor.
  2. How important is the enterprise to the vendor? The answer depends on the positioning of the organization in the business sector in which it operates and on the value, volume and duration of the contract.

Managing vendors is essential for business success and optimizing vendor management is an essential part of the overall technology deployment within any organization.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


New CSX Career and Control Tools Available



ISACA’s Cybersecurity Nexus (CSX) has 2 new tools to help cyberexperts advance their careers and identify controls. By providing information about your background and current skills, the CSX Career Road Map helps you learn which positions you are qualified for and define career development goals.

“It’s an employee’s job market right now, with many more open cybersecurity positions than there are skilled candidates to fill them,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA. “ISACA’s CSX career tool helps individuals identify several cybersecurity roles that may be a good fit based on their current skill sets, experience and credentials, and also highlights potential areas of focus to help them advance in their careers.”

In addition to the Road Map, CSX also has developed a CSX Threats & Controls tool, which provides cybersecurity professionals with information about the top cyberthreats and their associated controls. The 72 controls in this tool cover 10 threats, ranging from social-engineering attacks to unpatched systems.

To learn more about these tools or other CSX resources, visit the CSX page of the ISACA web site.


Security in the Cloud


While some organizations are hesitant about using the cloud for security reasons, a recent cloud predictions article suggests that security will become an incentive to move to the cloud. To help enterprises learn about the benefits and security of the cloud, ISACA and Oracle have partnered to present the “Prediction: Security Moves From Barrier to Main Benefit of Cloud Adoption” webinar. This webinar will take place on 11 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Troy Kitch, senior principal director of product marketing for security software at Oracle, will lead this webinar. A survey by Harvard Business Review Analytic Services (sponsored by Oracle) found that 62% of respondents thought security issues were the biggest barriers to expanding cloud use at their companies, but Kitch will explain how some of these exact concerns will actually drive enterprises toward adopting cloud use. The webinar will cover how experienced cloud vendors have resources and defense strategies that many companies cannot duplicate in-house.

To learn more about this webinar or to register for it, visit the Prediction: Security Moves From Barrier to Main Benefit of Cloud Adoption page of the ISACA web site.


Compliance With PCI DSS


A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS) is a tool that can help enterprises learn more about the security requirements, processes and technologies needed to comply with PCI DSS. In addition to elaborating on the security requirements associated with the standard, the guide also contains information about the nature of payment cards and payment card fraud.

The primary audience of this resource is operational stakeholders, but governance stakeholders may also find this resource valuable. And because this standard is a requirement for organizations that process, store, transmit or access cardholder information for major payment brands, this guide is written in simple language so that even those who do not have technical backgrounds can understand the concepts and implement the information from this book.

This guide is available for purchase or as a PDF download from the ISACA bookstore with a discount available for ISACA members.


Deadline to Renew Certifications Is Approaching


There is still time to renew your certifications for 2016. Renewing your certification for 2016 requires paying an annual maintenance fee and reporting your 2015 continuing professional education (CPE) hours. You can find information on your renewal status on your ISACA Track MyStatus page. To pay the annual maintenance fee, visit www.isaca.org/renew. To report your 2015 CPE, visit www.isaca.org/reportCPE.

The certification renewal period will end on 31 March 2016. Be sure to make your 2016 payment and report your 2015 CPE by this date.


Book Review: IBM i Security Administration and Compliance

Reviewed by Upesh Parekh, CISA

The correct security posture of operating systems is crucial for any system to meet security and compliance requirements. Most operating systems offer many different security features and alternatives to suit the needs of different organizations. It is essential for system and security administrators to understand the alternatives available and implications of selecting a particular alternative.

IBM i Security Administration and Compliance by Carol Woodbury explains IBM i security and the way it functions within the IBM i (System i) platform. Though the book is focused on the IBM i operating system, most of it also applies, with a few exceptions, to the earlier releases of the operating system, i5/OS and OS/400.

The book is focused on explaining different security features and settings in detail. The book begins by setting the stage on the subject and explaining the importance of security of an operating system to the security posture of the organization.

The book covers system security levels, user profiles and their attributes, service tools, encryption, auditing, compliance, security administration, and incident response. Various security options are explained in detail. The book outlines best practices in each area of security administration.

IBM i Security Administration and Compliance is relevant for system administrators and security administrators who are required to work with the IBM i operating system. It can be used when getting acquainted with the IBM i operating system and can also be used as a reference book. IT auditors who are required to audit organizations that use the IBM i operating system will also find this book useful for understanding the system’s security settings.

IBM i Security Administration and Compliance is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a risk and governance professional with more than 10 years of experience in the banking and finance industry. He is based in Pune, India.