@ISACA Volume 8  19 April 2017

Tips to Improve the Management of Risk From Critical Dependencies

Lisa Young, CISA, CISM

Business models have changed over the last few decades from organizations providing and managing all services internally (with their own staff) to organizations partnering, outsourcing and depending on suppliers to be an integrated part of the value chain. This shift in strategies, tactics and operational models to outsourcing noncore business functions provides many benefits, including:

   • The ability to reduce or control costs
   • Increased focus on the core business model
   • Access to capabilities and knowledge not previously available in the core business
   • The transfer of specialized risk to a partner with needed expertise

Begin with a broad definition of the third parties, vendors, suppliers and partners whose dependency impact may need to be evaluated: any entity that is not under the direct control of the organization should be treated as a dependency. These dependencies could be business partners, consultants, vendors, suppliers, customers or technology providers. Here are some tips to ensure that risk factors from dependencies are identified and well-managed:

   • Start from a business perspective. Inventory and prioritize the products and services that are the lifeblood of the organization. Most organizations already do this as part of the annual business impact assessment (BIA) or risk assessment process, which gives you a starting point that is aligned with the business.
   • Divide the list of high-value products and services into those that depend heavily on external entities and those that depend mostly on internal, corporate resources. This focuses attention on the most critical services and products that carry a heavy dependence on external parties. Revisit the list as circumstances change or when a business initiative proposes outsourcing a key product or service.
   • For each critical, high-value product or service, map out the dependencies needed to deliver it. This might be as simple as a prioritized list of services and the vendors, technology services, suppliers or business partners that provide something important to their delivery.
   • Evaluate each dependency, using risk-based criteria, to decide whether its unavailability would pose significant risk. The criteria should reflect how important the dependency is to delivering the core business product or service. Questions to ask: Can this item or service be replaced easily and quickly (e.g., commodity technology hardware and software)? Is it a specialized item available from only 1 supplier, or would finding a replacement take a long time (e.g., specialized software or custom hardware)? Work through several scenarios until you have a list of the most critical dependencies.
   • Once you have a list of critical dependencies, enter them into the risk management process. If your vendor, supply chain or supplier risk management process is separate from enterprise risk management, record each critical dependency in the enterprise risk management process as well, so that it is tracked and escalated to the level of the organization that can give it the attention it deserves.
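To make the mapping and evaluation steps concrete, here is an added example (not code from the article or from ISACA) that models a constructed service inventory and scores each dependency by how hard it is to replace and by the business value of every service that relies on it. The service names, suppliers, business-value ratings, replacement times, the 30-day tolerable-outage window and the 3.0 threshold are all assumptions chosen for illustration; a real program would take them from the BIA.

```python
"""Added example: scoring critical dependencies from a service inventory.

Not code from the ISACA article. The inventory below is constructed, and the
scoring rule (replacement time capped by a tolerable-outage window, with a
sole-source dependency scoring the maximum) is one illustrative choice of
risk-based criteria, not a standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dependency:
    name: str
    sole_source: bool   # available from only one supplier
    replace_days: int   # estimated days to source and onboard a replacement


@dataclass
class Service:
    name: str
    business_value: int  # 1 (low) .. 5 (critical), as rated in the BIA
    dependencies: List[Dependency] = field(default_factory=list)


def exposure(dep: Dependency, tolerable_outage_days: int) -> float:
    """Replaceability of one dependency on a 0..1 scale.

    Commodity items that can be swapped in a few days score near 0. Anything
    whose replacement takes longer than the tolerable outage window, or that
    comes from a single source, scores the maximum of 1.
    """
    if dep.sole_source:
        return 1.0
    return min(dep.replace_days, tolerable_outage_days) / tolerable_outage_days


def rank_dependencies(services: List[Service],
                      tolerable_outage_days: int = 30) -> List[Tuple[str, float]]:
    """Aggregate each dependency's exposure across every service that uses it.

    A dependency shared by several high-value services ranks above one that
    matters only to a single low-value service. Returns (name, score) pairs
    sorted from most to least critical; ties are broken by name.
    """
    scores: Dict[str, float] = {}
    for svc in services:
        for dep in svc.dependencies:
            weight = svc.business_value * exposure(dep, tolerable_outage_days)
            scores[dep.name] = scores.get(dep.name, 0.0) + weight
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def critical_dependencies(services: List[Service],
                          tolerable_outage_days: int = 30,
                          threshold: float = 3.0) -> List[str]:
    """Names of the dependencies that should enter the enterprise risk process."""
    return [name for name, score in rank_dependencies(services, tolerable_outage_days)
            if score >= threshold]


# Constructed sample inventory; every name and number here is illustrative.
CLOUD_HOSTING = Dependency("cloud-hosting-provider", sole_source=False, replace_days=45)
PAYMENT_GATEWAY = Dependency("payment-gateway", sole_source=False, replace_days=20)
FIRMWARE_VENDOR = Dependency("custom-firmware-vendor", sole_source=True, replace_days=180)
LAPTOP_SUPPLIER = Dependency("laptop-supplier", sole_source=False, replace_days=3)

SERVICES = [
    Service("online-ordering", business_value=5, dependencies=[CLOUD_HOSTING, PAYMENT_GATEWAY]),
    Service("field-devices", business_value=4, dependencies=[FIRMWARE_VENDOR, CLOUD_HOSTING]),
    Service("back-office", business_value=2, dependencies=[LAPTOP_SUPPLIER, CLOUD_HOSTING]),
]

if __name__ == "__main__":
    flagged = set(critical_dependencies(SERVICES))
    for name, score in rank_dependencies(SERVICES):
        print(f"{score:5.2f}  {'CRITICAL' if name in flagged else 'monitor':8s}  {name}")
```

With the constructed inventory, the shared cloud-hosting provider outranks the sole-source firmware vendor because three services depend on it, while the laptop supplier drops out as a commodity item. Widening the tolerable-outage window to 90 days pushes the payment gateway below the threshold, which is why the window and the threshold should be agreed with the business rather than chosen by the assessor.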

Managing the risk from dependencies is not a one-time occurrence. As the business and suppliers change over time, it is necessary to evolve this process into a regular part of the risk management landscape. Awareness and communication of the risk factors from dependencies will help ensure the right dependencies are managed in a way that supports business outcomes and minimizes risk.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Minimizing the Risk of the Dark Web


Source: Victor Habbick Visions/Science Photo Library/Getty Images

Darknets are networks that require specific anonymizing software, configurations or authorization to access, and the dark web exists on darknets. On the dark web, whistleblowers can contact the media, digital tracks can be hidden and personally identifiable information can be bought. To help reduce the risk associated with the dark web, it is important to know how it works. ISACA is presenting the webinar “The Dark Web—A Threat to Your Business?” to help enterprises reduce the risk associated with darknets. This webinar takes place on 20 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Jayson Ferron, chief executive officer at Interactive Security Training, will lead the webinar. In it, he will discuss how the dark web works and how to search and explore it. Ferron will also explain what Tor is and how to set it up.

To learn more about this webinar or to register for it, visit the “The Dark Web—A Threat to Your Business?” page of the ISACA website.


Promoting Awareness of the NIST Cybersecurity Framework


The US National Institute of Standards and Technology (NIST) Cybersecurity Framework has become the de facto standard for cyber security programs. And while strong cyber security practices are necessary, security awareness is just as important. To help enterprises promote awareness of the framework, ISACA and MediaPro have partnered to present the “Aligning Awareness to NIST’s Cybersecurity Framework” webinar. This webinar will take place on 25 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Tom Pendergast, Ph.D., who is the chief strategist for security, privacy and compliance at MediaPro, will lead the webinar. In it, he will explain how to use the NIST Cybersecurity Framework to develop a behavior-changing employee education program. Pendergast will also discuss awareness best practices, which are based on established adult learning principles. In addition, the webinar will help attendees learn how to align awareness efforts with unique enterprise risk factors.

To learn more about the webinar or to register for it, visit the Aligning Awareness to NIST’s Cybersecurity Framework page of the ISACA website.


Report of the Nominations Committee

By Ken Vander Wal, CISA, CPA, Nominations Committee Chair

The charge of the ISACA Nominations Committee, as described in sections 5.02 and 6.02 of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors, consisting of a board chair, vice-chair and up to 6 directors, for review by the association membership. The Nominations Committee is chaired by a past chair of ISACA, and its members include 2 additional past chairs and 4 other members with significant ISACA experience and diverse geographic representation.

The committee has an obligation to prepare the best possible slate of individuals who will work together as a team to lead the association. In evaluating candidates, the committee seeks to reflect the organization’s diversity in terms of geography, skills, experience and other relevant factors, while also balancing continuity and new viewpoints.

The selection process is managed with attention to detail. Deadlines are strictly adhered to, nominations are treated with unbiased consideration, candidates are interviewed and strict confidentiality is maintained throughout the process. The Governance Committee (GC) provides oversight to the committee’s processes and the committee reports to the Board of Directors and the membership of ISACA.

The 2016-17 Nominations Committee is pleased to present the slate for the 2017-18 ISACA Board of Directors. As chair of the committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2016-17 Nominations Committee Members:

  • Ken Vander Wal, CISA, CPA, USA, chair (past board chair)
  • Greg Grocholski, CISA, USA, vice-chair (past board chair)
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Australia (past board chair)
  • Gloria Cardenas, CISA, CGEIT, Colombia
  • Vernon Poole, CRISC, CISM, CGEIT, CIPFA, United Kingdom
  • Rolf von Roessing, CISA, CISM, CGEIT, Switzerland
  • Frank Yam, CISA, Hong Kong

Slate of 2017-18 Board of Directors


ISACA will hold its Annual General Meeting on 17 June 2017 in Chicago, Illinois, USA, where it will install the 2017-18 Board of Directors. In accordance with the association’s bylaws, the Nominations Committee submits the following slate as the proposed 2017-18 Board of Directors:

  • Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA, chair
  • Rob Clyde, CISM, vice-chair
  • Brennan Baybeck, CISA, CRISC, CISM, CISSP, director
  • Zubin Chagpar, CISA, CISM, PMP, director
  • Peter Christiaans, CISA, CRISC, CISM, PMP, director
  • Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP-ISSMP-ISSAP, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, PMP, director
  • Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, director
  • Tichaona Zororo, CISA, CRISC, CISM, CGEIT, CIA, CRMA, director
  • Christos Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director and past board chair
  • Robert E Stroud, CRISC, CGEIT, director and past board chair
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, director and past board chair
  • Matt Loeb, CEO and director

The bylaws grant the chair the authority to augment the board by a limited number of appointments if desired. Theresa Grafenstine, CISA, CGEIT, CRISC, has proposed the appointment of the following individuals to serve as directors on the 2017-18 Board of Directors, subject to approval by the board: RV Raghu, CRISC, CISA; Michael Hughes, CISA, CRISC, CGEIT; Hironori Goto, CISA, CRISC, CISM, CGEIT; and Ted Wolff, CISA.

The Annual General Meeting agenda will include the annual report, the treasurer’s report, announcement of annual awards and the installation of the 2017-18 board slate.

All ISACA members are invited to attend the Annual General Meeting of the Membership.


ISACA Annual General Meeting to Take Place in Chicago


The ISACA Annual General Meeting (AGM) takes place to install the Board of Directors. Those who attend this meeting will also be able to review fiscal information from the past year. Attendees will have the opportunity to receive ISACA’s annual report, which will be posted on the ISACA website after the meeting. The AGM will take place on 17 June 2017 at the Langham Hotel, 330 N. Wabash Avenue, in Chicago, Illinois, USA. This 1-hour meeting will take place from 8AM to 9AM CDT (UTC -5 hours) in the Albany/Chelsea Ballroom located on the 2nd floor of the Langham Hotel.

To register to attend the meeting and to ensure adequate seating is available, please email your name and member number to agm@isaca.org. To learn more about the meeting, visit the ISACA Annual General Meeting page of the ISACA website.


Remain Competitive With On-site Training


Source: flytosky11/Getty Images

The constantly evolving nature of competition, regulation and technology makes training essential for any enterprise that wants to remain competitive. To help your enterprise stay up to date with the latest industry changes, ISACA offers many enterprise training and continuing professional education (CPE) programs. These customizable courses can help save on employee training expenses. On-site training enables you to train groups of 5 or more, ensuring a consistent learning experience across the enterprise.

The subjects these courses cover include audit/assurance, security, cyber security, security and assurance, risk, COBIT and governance, and certification review. Course trainers are experienced professionals who currently work in the field, enabling them to provide valuable real-world experiences in their courses.

To learn more about on-site training, visit the Enterprise Training page of the ISACA website.