@ISACA Volume 3, 8 February 2017

Cybersecurity Incidents and 3 Lines of Defense


A layered approach to information security (defense in depth) is commonly followed when implementing information security practices: the security controls applied in each area are chosen according to the criticality of the assets to be protected. Incident management is an integral part of information security management. With the increasing number of cyber security incidents, it is necessary to detect incidents earlier in order to contain and minimize their impact. Can the concept of the 3 lines of defense be applied to cyber security incident detection?

The UK’s Financial Services Authority (whose conduct regulation role passed to the Financial Conduct Authority in 2013) used the 3 lines of defense model for financial risk management. The model has since been adopted and mapped by various other bodies, e.g., the ISACA Journal, the Institute of Internal Auditors and the Bank for International Settlements.

How can the 3 lines of defense approach be used for cyber security incident management?

  • The first line of defense is operational management. Business management is the primary user of information systems and, therefore, is often the first to notice that something is not right or not normal. IT operations management implements and runs the technical security controls, checks the systems and troubleshoots them when they are not working properly. The first line of defense also includes application support teams and the administrators who handle help desk/service desk calls.
  • The second line of defense includes the cyber security teams: security analysts from the security operations center, who monitor the ecosystem for unexpected events that the first line of defense cannot notice, and the threat intelligence team, which provides advance information on possible new threats. This line of defense also includes various risk management and compliance functions (i.e., support functions) such as finance, compliance, risk control, model validation and back office, whose key duties are to monitor and report risk-related practices and information, and to oversee all types of compliance.
  • The third line of defense includes audit functions, incident response teams, forensic investigators, and application scanning and testing teams.

To improve incident detection and response, the first and second lines of defense must be strong. This can be achieved by creating awareness in the first line of how to recognize abnormal activity. Doing so reduces the detection load on the second line of defense, which typically focuses on ecosystem-level anomalies, such as possible attacks that can be noticed only with sophisticated tools.

In the event that the first line or operational teams cannot detect possible indicators of attack, the detection responsibility falls on the second line of defense, which must then refer the incident back to the first line, i.e., the IT and application teams, for containment and remediation. Many times, these teams become defensive, and the incident is passed back and forth between them, losing valuable time required for containment, investigation and recovery. For better incident management, therefore, it is important to strengthen the first line of defense by conducting awareness programs.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Call for Nominations: ISACA Awards


Source: Echo/Getty Images

Do you know outstanding colleagues who have dedicated themselves to advancing ISACA’s core areas of audit, information security, risk and IT governance? Have you worked with an outstanding volunteer who has contributed to ISACA’s success?

You are invited to nominate colleagues who have made exceptional contributions to ISACA to be recognized by the ISACA Board of Directors at the Annual General Meeting in June. ISACA is proud to recognize the outstanding achievements of ISACA members who exemplify ISACA’s values, purpose and leadership. Nominations for the ISACA awards are due on 2 March.

Four awards are open to nominations from the general membership:

Michael Cangemi Best Book/Article Award

This award was instituted during the 1996-97 year to recognize individuals for major contributions to publications in the field of IS audit, control and/or security.

John Kuyers Award for Best Speaker/Conference Contributor

This award was instituted during the 1996-97 year to recognize individuals for major contributions in the development of ISACA global conference(s) and/or outstanding speaking achievements.

John W. Lainhart IV Common Body of Knowledge Award

This award is given to recognize individuals for major contributions to the development and enhancement of the common body of knowledge used by constituents of the association.

Harold Weiss Award for Outstanding Achievement

This award was instituted in 1985 to recognize individuals for dedication to the IT governance profession. It is for achievement that far exceeds the norm.

For more information about the nominations process, visit the Volunteer Recognition page of the ISACA website.


Defend Your Enterprise From Cybercrime


With the growing concern over cybercrime, it has become imperative for enterprises to protect themselves against cyberthreats. While global cooperation among public and private entities is lacking, there are steps enterprises can take to protect themselves from cybercrime. To help enterprises prepare for emerging cyberthreats, ISACA’s Cybersecurity Nexus (CSX) has released the Cybercrime: Defending Your Enterprise white paper.

Cybercrime: Defending Your Enterprise covers extortion, dark cloud and appliance attacks, some of the most prominent forms of cybercrime in 2016. In addition to explaining these common attack methods, the white paper provides practical guidance and multiple tips on how to prevent each of these cybercrime methods.

To download this white paper, visit the Cybercrime: Defending Your Enterprise page of the ISACA website.


New Travel, Technology and Business Discounts With Your ISACA Membership


Source: Tetra Images/Getty Images

In addition to the benefits ISACA members already receive, e.g., ISACA Journal access, up to 72 free continuing professional education (CPE) hours and discounts on ISACA conferences, ISACA is pleased to announce several new cost-saving membership benefits. ISACA members can now receive discounts on hotels, travel, technology, business supplies and shipping services.

As an additional thank you to long-time ISACA members, those who have been with ISACA for 3 or more consecutive years will be offered additional promotional opportunities throughout the year based on their membership level (i.e., platinum, gold, silver or bronze). These opportunities can include items such as greater bookstore discounts and exclusive access at ISACA conferences. In many cases, discounts vary based on how many years an individual has been an ISACA member, so the longer a member has been with ISACA, the greater their offer or discount could be.

For more information about the discounts ISACA membership can provide, visit the ISACA Member Programs and Discounts page of the ISACA website.


Join the Growing Number of ISACA Certification Holders


ISACA is pleased to announce that in 2016, 8,365 Certified Information Systems Auditor (CISA); 1,517 Certified in Risk and Information Systems Control (CRISC); 4,021 Certified Information Security Manager (CISM); and 417 Certified in the Governance of Enterprise IT (CGEIT) certifications were awarded. With a globally recognized ISACA certification, you hold the power to move ahead in your career, increase your earning potential and add value to any enterprise.

Interested in joining those who have earned an ISACA certification? Take the first step toward earning the certification by registering for and taking the exam. The next ISACA exam testing window runs from 1 May to 30 June. The early registration deadline for the May/June exam is 28 February. Registrations can be completed on the Exam Registration page of the ISACA website. The ISACA Exam Candidate Information Guide has detailed information on the 2017 exams.

If you have already taken and passed the exam, but not yet applied for certification, please remember that you only have 5 years from the passing date to apply for certification. Join the likes of many who have already obtained the certification and watch your visibility soar to new heights. Apply for certification today. Applications are available on the CISA, CRISC, CISM and CGEIT application pages of the ISACA website.


Certification Renewals—Deadline to Renew Is Approaching


There is still time to renew your certification(s) for 2017. Renewing your certification for 2017 requires paying an annual maintenance fee and reporting your 2016 continuing professional education (CPE) hours. You can find information on your renewal status on your ISACA Track MyStatus page.

Note that the renewal period for certification will end on 31 March 2017. You will want to make sure that your 2017 payment is received and your 2016 CPE hours are reported by this date.