@ISACA Volume 6  23 March 2016

Five Ways to Protect Your Organization When Using Social Media


Social media are now being utilized in the workplace for legitimate reasons. For example, 93% of business-to-business marketers use social media for business purposes. A report by SilkRoad Technologies found that 75% of US employees access social media sites at least once per day at work.

Using any Internet-connected platform, especially one that hosts and transacts personal data, brings with it certain challenges in the privacy and security areas.

Social media platforms work because of the sharing of data. They act as a conduit to host, display, communicate and transact data. These data, by the very nature of social media, are most often personal. The privacy implications of this free-flowing data are massive; in fact, it can be argued that we have never before, in human history, had to deal with such an impact on our privacy and our security.

The following tips can help protect your business, your employees, and, ultimately, your customers and clients.

  1. Training—Training on security and privacy risk is one of the best ways to prevent disclosure of sensitive or private information. Spear phishing emails, for example, are very sophisticated and have an open rate of 70%. Making users aware of the threat may help mitigate it. Similarly, having an understanding of the types of privacy and security choices available when using social media is helpful in reducing the risk of exposed data.
  2. Awareness—Social media sites are improving their choice of policy and security settings. Companies such as Facebook, which have been cited in the past for having lax privacy policies, have complicated and often obfuscated policy settings. Making employees and community managers aware of the limitations of those policies and of what is and is not appropriate to share is vital in terms of security and privacy training.
  3. Policies—Security and privacy policies can really help in the fight against cybercrime. Policies give good guidance to employees and cover the whole area of securing an organization when using social media. For example, access control policies can prevent company social media accounts from being compromised if they stipulate that if a second-factor login method is offered by the platform, it must be used. Further policies around data compliance can also prevent the leakage of private and sensitive data via a social media platform.
  4. Procedures—Having procedures in place to address disasters will ensure that if the worst does happen, e.g., a company account is hacked or personal or company data are leaked, the event can be handled and the impacts minimized. An employee agreement on the types of company information they can disclose on personal social media accounts should be put in place.
  5. Technology—There are a number of technologies and technological practices that can help prevent or mitigate cybersecurity and privacy threats. These include simple preventive measures such as ensuring that browsers and other applications are patched. You should also utilize more holistic technology, such as data loss prevention (DLP) platforms, which can monitor, alert and prevent the leakage of data by blocking the sensitive data from being posted online. New systems such as behavioral analysis can also help in the fight against cybercrime that begins with social media interaction.

Social media have brought new and innovative ways of communicating about businesses and products. With this innovation has come new ways of compromising privacy and security. We need to make sure that we, as employees and business owners, can use the power of social media to communicate our message, but in a way that does not put us at risk. We can do this by using these 5 techniques, which give us a way to truly embrace the wonders of social media without the downsides.

Avani M. Desai, CISA, CRISC, CIPP, CIA, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Her focus recently has been on emerging technology concerns and issues.


Reduce PCI DSS Implementation Time



Developing a strong defense-in-depth (DiD) strategy requires time and multiple layers to be successful. To discuss Payment Card Industry Data Security Standard (PCI DSS) version 3.1 controls, ISACA will present the “PCI DSS: Developing Robust Trojan Defenses” webinar. This webinar will take place on 31 March at 11AM CST (UTC -5 hours). Members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Jim Seaman, security consultants team lead at Nettitude Group, will present this webinar. This webinar will begin with the story of how the city of Troy was attacked for more than 10 years without success due to the security architecture they spent 1,300 years developing. Seaman will discuss the strengths of Troy’s security efforts and what made them so effective. In this webinar, Troy’s countermeasures will be related to PCI DSS version 3.1. The webinar will introduce a 7-stage methodology to help minimize the implementation time for PCI DSS.

To learn more about this webinar or to register for it, visit the PCI DSS: Developing Robust Trojan Defenses page of the ISACA web site.


Cybersecurity Predictions for 2016



ISACA and RSA Conference collaborated in November and December 2015 to conduct a global survey of cybersecurity professionals. The report found that global cybersecurity is still a concern for most enterprises, with 75% of survey respondents reporting that they expect to be the victim of a cyberattack in 2016. The findings of this survey are available in the complimentary State of Cybersecurity: Implications for 2016 report.

In addition to the possibility of attack, enterprises are also dealing with the difficulty of finding well-trained cybersecurity professionals. Sixty percent of survey respondents said that they do not believe their information security staff can handle anything more than simple cybersecurity incidents. The survey white paper goes in-depth on the specific staffing challenges enterprises experience when it comes to finding qualified cybersecurity professionals.

To download the full report, visit the State of Cybersecurity: Implications for 2016 page of the ISACA web site.


June 2016 Certification Exam Deferrals


Deferrals for the June 2016 exam are now open at www.isaca.org/examdefer.

Those wishing to defer their June Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) exams to either September or December 2016 can now do so. Please note that the CISA and CISM September exams are only available at a limited number of locations. Those wishing to defer their June Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) exam can defer to December 2016.

Each deferral requires a fee based on the following schedule:

  • Requests received on or before 22 April will be charged a US $50 processing fee.
  • Requests received from 23 April through 27 May will be charged a US $100 processing fee.
  • Requests received from 28 May through 8 June will be charged a US $125 processing fee.

After 8 June 2016, no deferrals will be permitted. Payment for the deferral fee is due by 11 June 2016.


COBIT 5 at Dubai Customs: A Case Study

By Vishal Vyas, GEIT, Juma Al Ghaith, Ahmad Al Yaqoobi, PMP, and Syed Junaid Hasan, PMP

Dubai Customs is a complex and dynamic organization. The management at Dubai Customs endeavors to be on the leading edge of the latest management principles and frameworks and it utilizes many global best practices to manage activities in all business processes. The organization recognized the need for a single integrated framework, like COBIT 5, that encompasses all of these best practices and standards.

As the COBIT 5 implementation project was formally initiated, the guiding principles for resource management were agreed upon: Take a phased approach and use in-house resources actively in all implementation tasks in order to build sustainability. Taking a phased approach refers to identifying the phases in which the processes will be selected according to business priorities and the goals cascade. Use of in-house resources for sustainability refers to involving internal people right from the initial tasks so that internal capability is developed to sustain this effort, rather than having sole dependency on consultants to interpret COBIT 5.

A phased approach to complete the implementation in 4 phases over 18 months was agreed upon. Considering the complexity and functional dependency of the project, 5 processes were to be considered in phase 1 and 5 more were focused on in phase 2. Process prioritization was based on the impact and relevance of the process in the organization, the complexity of the process, its dependency on other processes, and the efforts required for implementation. Based on these parameters, the selected processes for phase 1 were BAI10, BAI06, BAI01, APO13 and DSS05. The selected processes for phase 2 were DSS02, DSS03, APO09, APO02 and DSS01.

Dubai Customs appreciates that governance implementation and improvement is an ongoing effort. However, toward the end of this project, the project team could see noticeable improvements in process reporting and a single, integrated view of all the frameworks and standards. Specifically, reporting and monitoring components in the processes were improved, leading to increases in customer satisfaction. Most of the processes in the organization had started using unified process templates in order to have common approaches to governance and reporting.

Owing to positive results and improved governance controls aided by COBIT 5, the implementation project organization has decided to take up the next phases of process implementation in the next fiscal year. This project will now involve 27 more processes and will have participation from all other teams and functions. Dubai Customs has also established 2 specific objectives: to establish a business relationship management (BRM) function and to establish a governance steering committee.

Read the full case study on Dubai Customs’ implementation of COBIT 5 in the COBIT Focus article, “Dubai Customs COBIT 5 Implementation.”