@ISACA Volume 3  11 February 2015

Tips for Understanding Big Data

By Lisa Young, CISA, CISM

What is big data and why should you care about it? Big data is both a marketing term and a technical term used to describe a very important enterprise asset—information. The primary objective of analyzing big data is to support enterprises in making better business decisions. The bottom line is do not waste time or money collecting and analyzing data if they do not help the organization make better decisions. Just like building a metrics capability, building a data analytics capability requires the effective synthesis of information to make meaningful decisions that lead to essential actions. Here are some considerations to think about as you seek to understand the role of big data in your organization.

Start with the basics by defining big data. Big is a reference to size or quantity and refers to the amount of data or information that is available to an enterprise. The information flows through the enterprise and is created, used and processed in the day-to-day operations of the business activities undertaken to meet the strategic objectives of the organization. The data include vast amounts of information collected from every imaginable source, e.g., audit, incident or transaction logs, financial spreadsheets, business or sales forecasts, product inventories, social media, time sheets or overtime records, operational facts, and any other single piece or group of information from just about any type of file, record or document.

Implementing a data analytics program should involve the following 4 steps:

  • Establish objectives—Step 1 in building a data analytics capability is to define what questions need to be answered or what decisions need to be made. Work with key stakeholders and business units to understand their information needs. Incorporate feedback from risk assessments, audits and business processes to ensure that the data collected will meet the intended objectives. For example, you might want to start with a question for which there is readily available data, such as “How many incidents were caused by an exploited vulnerability for which there was an available patch?”
  • Specify indicators and collect data—Step 2 is to understand what data are needed to answer the questions or provide input to the decision. Just as it is important to understand what piece or pieces of information will need to be acquired, think about how those pieces of data are organized and where the data live. From the example question in step 1, you could run a report on all incidents that have the root cause of an exploited vulnerability. From the incident report, you could narrow the focus to all incidents that were caused by a specific vulnerability that already has a patch. Then you could look at the vulnerability management process to see if the patch was deployed within the specified time window. The mean time between patch release and patch deployment is generally a metric that is already being collected in many organizations. This will assist in determining the real root cause of the incident, and steps can be taken to remedy the correct process instead of just reacting to symptoms.
  • Specify data collection and storage policies, techniques and methods—Step 3 involves thinking about storing, protecting and utilizing the information. The full life cycle of the information needs to be considered. COBIT 5 identifies 6 phases: plan, design, build or acquire, use or operate, monitor, and dispose. Besides the obvious concerns of privacy and security, take time to strategize on the organizational requirements for data classification, retention, quality and destruction. To minimize the risk resulting from inaccurate or fraudulent data, organizations should take an inventory of all data sources to understand the appropriate requirements and controls needed for protection, accuracy and reliability.
  • Maintain data governance—Step 4 involves considerations for ownership and oversight of the data. An accurate inventory of the data that are collected, harvested or maintained by the organization is essential for effective governance. If the data are being sourced from a third-party supplier, the organization has to establish clear requirements and expectations that can be codified into a contractual process. Make sure the requirements clearly spell out who is responsible for data ownership, privacy, quality, availability, retention, off-shoring, the staff vetting process and more.

Big data represents a trend in technology that is leading the way to a new approach in understanding the world and making business decisions. According to COBIT 5, information is effective if it meets the needs of the stakeholders. Ensuring that your enterprise has considered big data in the context of its business objectives will go a long way to maximizing business benefits and the competitive edge that many organizations seek.

For additional information, download the Big Data white paper and the Generating Value From Big Data Analytics white paper.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


CSX Webinar on Using a Risk-based Security Approach


Taking a risk-based approach to security can help organizations better manage the risk posed by security breaches. Although enterprises recognize the importance of a risk-based security approach, many organizations need best practice guidelines for implementing this type of strategy. To help chief information security officers (CISOs) better implement risk-based security approaches, ISACA has partnered with WhiteHat Security to create the CSX Webinar “Implementing a Risk-based Approach to Secure Web Applications and IT Assets.” The webinar will take place at 11AM CST (UTC -6 hours) on 17 February. ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

IT security strategist Demetrios Lazarikos will lead the webinar. Lazarikos has several years of experience in information security, and he holds several patents relating to risk, information security and controlling personally identifiable information. In this webinar, Lazarikos will cover how to align business with IT and information security projects, how to embed exit criteria through the project life cycle, and how to create dashboards that track threats. While much of this webinar is relevant for CISOs, anyone working with risk would benefit from attending.

To learn more about the webinar and register, visit the “Implementing a Risk-Based Approach to Secure Web Applications and IT Assets” page of the ISACA web site.


Recognizing ISACA Members—2014-15 Award Nominations Period Is Open


Help ISACA’s Board of Directors honor individuals who have made a difference in ISACA and the professions it supports by nominating an individual for 1 of ISACA’s 2 annual awards—the Harold Weiss and John Lainhart awards.

The Harold Weiss Award was initiated by ISACA in 1985 and recognizes individuals for dedication and outstanding achievement to the IT governance profession.

Instituted in 1997, the John Lainhart Common Body of Knowledge Award recognizes individuals for major contributions to the development and enhancement of the common body of knowledge used by ISACA constituents in the field of IS audit, security and/or control; IS audit certification; and/or IS audit standards.

ISACA members are asked to nominate qualified and deserving candidates for each of these awards by submitting a nomination in letter form. Nominations must include:

  • Name of the nominee
  • Description of accomplishments relating to the award
  • Professional affiliations
  • Other honors and awards achieved
  • Publications or articles published
  • References
  • Name of and contact information for the nominator

Nominations can be submitted to jhoward@isaca.org (or faxed to +1.847.253.1443 to the attention of Josephine Howard). The deadline for submissions is 20 March 2015.

For information on these awards, additional volunteer awards presented by ISACA and prior award recipients, please visit the Awards page of the ISACA web site.


ISACA Webinar:  Learn How to Secure the IoT


While the Internet of Things (IoT) is not a new concept, it has developed rapidly in recent years. To help organizations be more aware of the risk and challenges associated with IoT, ISACA is offering the “IoT—The Intergalactic Highway” webinar. The webinar will take place on 25 February at 6AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

James Seaman, CISM, CRISC, will lead this webinar. In it, he will discuss the challenges created as a result of rapid technological development. During this webinar, Seaman will provide information on the background and evolution of the IoT and the challenges and responsibilities associated with it. He will also discuss potential threats associated with the IoT.

To register for and learn more about the webinar, visit the IoT—The Intergalactic Highway page of the ISACA web site.


Apply for and Renew Your Certifications Today


ISACA is pleased to announce that in 2014, 7,475 Certified Information Systems Auditor (CISA), 3,065 Certified Information Security Manager (CISM), 441 Certified in the Governance of Enterprise IT (CGEIT) and 998 Certified in Risk and Information Systems Control (CRISC) certifications were earned worldwide. With a globally recognized ISACA certification, you hold the power to move ahead in your career, increase your earning potential and add value to any enterprise.

Interested in joining those who have already earned an ISACA certification? Take the 1st steps in earning the certification by registering for and taking the exam. If you have already taken and passed the exam, but have not yet applied, please remember that you only have 5 years from the passing date to apply for certification. You can download an application on the CISA, CISM, CGEIT and CRISC pages of the ISACA web site.

“With a globally recognized ISACA certification, you hold the power to move ahead in your career, increase your earning potential and add value to any enterprise.”

If you are certified, remember to renew your certification(s). There is still time to renew your certification for 2015. Renewing your certification for 2015 requires paying an annual maintenance fee and reporting your 2014 continuing professional education (CPE) hours. To pay the annual maintenance fee visit the Renew page of the ISACA web site. To report your 2014 CPE, visit the Report CPE page of the ISACA web site.

CPEs can be reported individually or in a single total. The CPE policy requires earning 120 CPE hours over a 3-year cycle and 20 CPE hours in each cycle year.

Questions? Contact certification@isaca.org.


Make 2015 a Great Year:  Set Professional Goals


Is there a goal you have dreamed of accomplishing, but have not yet started? Do not let another year pass you by without becoming the professional you are meant to be.

You can start meeting your goals by setting quarterly milestones using ISACA resources. Make a commitment to participate in a webinar or virtual conference every quarter. Or, make a commitment to download and read 1 publication every quarter.

If every quarter is too much of a commitment right now, create semiannual goals. If you have been thinking about enhancing your skill set, commit to attending 1 international ISACA conference and 1 chapter event. If you have been thinking about earning another certification, plan on taking a new ISACA certification exam before the year ends.

Successful goal setting often includes an accountability partner. Connect with another ISACA member to set mutual goals. Utilize your chapter, the Knowledge Center or ISACA’s LinkedIn group. Hold each other accountable for the challenges that arise and for the accomplishments you intend to achieve.

Use your membership as a platform for growth. Set your goals. Accomplish your goals. Become the professional you are meant to be.


Book Review:  Cloud Computing for Lawyers and Executives: A Global Approach

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

One of the most valuable aspects of Cloud Computing for Lawyers and Executives: A Global Approach is its discussion of the cloud. Much of the current IT knowledge has been obtained through a combination of disparate subjects; this book combines law with a discussion of the cloud, and it serves the IT community well, especially because it has included the interests of top executives.

Author Thomas J. Shaw has embedded his deep legal risk expertise within this book and he covers diverse aspects of the cloud, such as privacy, topic-specific statutes, and standards and controls. Insurance, forensics and business continuity are also addressed in this book.

The scope of most IT developments tends to be large. And, while information security professionals would tend to have silo mind-sets about IT innovations, the reality is that other professions such as accounting, legal and marketing have valid substructures to support the rollout, implementation and sustenance of these technologies.

The 1st chapter of the book outlines information about the basics of the cloud, its usage and the financial aspects of its deployment. It then provides US-specific statutes guiding its implementation and cross-border agreements and statutes for the cloud. The book covers the information security risk inherent in the cloud, and the US government’s response to these issues. It also gives an overview of risk response to various privacy issues in the context of security controls, audits and business continuity in the cloud.

The book discusses the challenges and benefits of the cloud, highlighting data breaches, cyberinsurance and forensics in the cloud. The focus of the end of the book is on contractual provisions, agreement drafts and practical application to realistic scenarios of cloud implementation in organizations. It concludes with a discussion of legal ethics and cloud use and the services lawyers can provide in cloud-related matters.

Suffice it to say that this is a rich book that bridges the divide between the law and IT, and it serves as a useful companion for the forward-looking cloud professional who wants to stay informed on the numerous contemporary issues affecting cloud services.

Cloud Computing for Lawyers and Executives: A Global Approach is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).