@ISACA Volume 4  25 February 2015

Securing Data as a Top Priority


How do you think about your organization’s data? What do you think about regarding those data? And can your data fall into the hands of someone who should not have them?

The word “data” covers myriad ideas. In a number of ways, what data are and are not is based on perspective. Here is a characteristic of data many people in the data business do not recognize: The word, itself, is often misunderstood. “Data” is a plural form of the singular noun, “datum.” Users view data as information used to populate business processes and accomplish an organization’s goals. Network administrators consider data to be configuration settings of and reports from various devices throughout the IT architecture. Applications, their associated source code and configuration are considered data to programmers.

So what are data? The simple answer: All of the above.

To keep this article short enough to fit in this space, I would like to define data as everything represented in 1s and 0s within the IT architecture. So from where do data come? Where are they stored? When are the data needed? Who uses them? And what is the location from which users interact with data? A data architecture attempts to answer those questions; it is the description of how an organization uses data.

The form a data architecture takes, at the most generic level, should be based on a public, private, privileged model, in which data are grouped according to their importance to the organization, or, simply, who has access. For this discussion, “public” means data available to users who are external to the organization. “Private” means data available to employees, third-party trading partners and others who need to know data, e.g., customer account information. “Privileged” means data that are available to select people within an organization, in which exposure may compromise the organization’s livelihood.

The implementation of a data architecture should come with a protection strategy that keeps data groups separate. When working with data architectures, users and their paths to data access are critical. The value of data, or risk of compromise, determines whether the separation takes the form of physical or virtual safeguards.

The goal of a data architecture should be to have parallel, but separated data paths that each user community follows to get to these data group repositories. This architecture provides defined user groups traversing protected data paths to get to separated data groups.

Unfortunately, the world between data architecture and data infrastructure is not always that clearly defined. Due to fiscal realities, operational needs and bad practices, data groups tend to converge.

Email servers are great examples of where data groups tend to coexist and break one’s data architecture model. Another place is within large and expensive database management systems. Licensing costs and data size drive this tendency to store data groups within the same product on the same set of servers.

A common bad practice is an organization’s externally facing web sites reaching directly into internal database servers to provide users with data. These internal databases are often the production database that is core to the business. Even where protected with a defense-in-depth strategy, exposing critical data in this manner is a bad practice.

It is just as easy to create a secondary database and drive the web site from there. The takeaway here is that a thorough understanding of the risk associated with converging data is important to upper management.

Finally, if an organization needs the data, then the data should be saved. The saving and restoring of data across the data infrastructure is the responsibility of security professionals.


Nothing is more fundamental to computer security than data security. It is the root of the profession. When securing data in an organization, consider these questions:

  1. Is there a formal data architecture that defines the data groups, the users and the users’ data paths?
  2. Does the infrastructure properly separate your data?
  3. Are the protection strategies reflected properly in the data infrastructure?
  4. Where have fiscal realities put data at risk?
  5. Does the organization view servers as separating data?
  6. Is there a data recovery strategy for each data group?
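As an added example (not part of the article), the following Python script models the public, private, privileged architecture described above and runs the checks behind questions 2 and 5: it flags servers on which data groups have converged (the email server and shared DBMS cases) and data paths along which a user community reaches a data group above its access level (the externally facing web site reading from the internal production database). All server names, data groups and paths are constructed for illustration; the function and class names are assumptions.

```python
"""Added example: a small model of the public/private/privileged data
architecture, with checks for the two failure modes the article names.
All servers, groups and paths below are constructed for illustration."""
from dataclasses import dataclass


# Data groups ranked by sensitivity; a user community may only reach
# groups at or below its own level.
LEVELS = {"public": 0, "private": 1, "privileged": 2}


@dataclass
class Server:
    name: str
    data_groups: set  # data groups whose repositories live on this server


@dataclass
class DataPath:
    community: str     # user community following this path, e.g. "external"
    access_level: str  # public / private / privileged
    servers: list      # servers traversed, in order, ending at the repository


def converged_servers(servers):
    """Return names of servers hosting more than one data group
    (the email-server and shared-DBMS situation the article warns about)."""
    return sorted(s.name for s in servers if len(s.data_groups) > 1)


def path_violations(paths, servers):
    """Return (community, server, data_group) triples where a data path
    touches a server holding a group above the community's access level."""
    by_name = {s.name: s for s in servers}
    findings = []
    for p in paths:
        for sname in p.servers:
            for group in sorted(by_name[sname].data_groups):
                if LEVELS[group] > LEVELS[p.access_level]:
                    findings.append((p.community, sname, group))
    return findings


def assess(servers, paths):
    """Run both checks and return the findings as a dict."""
    return {"converged": converged_servers(servers),
            "violations": path_violations(paths, servers)}


# Constructed infrastructure: the web site reads straight from the
# production database, and mail and the production DBMS each hold
# private and privileged data together.
SERVERS = [
    Server("web-01", {"public"}),
    Server("prod-db", {"private", "privileged"}),  # converged data groups
    Server("web-db", {"public"}),                  # secondary DB for the web site
    Server("mail-01", {"private", "privileged"}),  # the email-server case
]

# Before: external users traverse web-01 into prod-db.
BAD_PATHS = [
    DataPath("external", "public", ["web-01", "prod-db"]),
    DataPath("employees", "private", ["mail-01"]),
]

# After: the web site is driven from the secondary public database instead.
FIXED_PATHS = [DataPath("external", "public", ["web-01", "web-db"])]


if __name__ == "__main__":
    for label, paths in (("before", BAD_PATHS), ("after", FIXED_PATHS)):
        print(label, assess(SERVERS, paths))
```

The "before" run reports `prod-db` and `mail-01` as converged servers and three path violations; replacing the web site's path with the secondary database clears the external community's violations, which is the remedy the article describes.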

Long before there were information assurance, cybersecurity and information warfare, there were backup strategies such as how often to save and restore data as a function of the data’s life cycle. However sophisticated the security, nothing really has changed.

I often say, “The only reason we secure technology is because we have data residing in the technology.” The statement is like saying we have locks on our homes because we care about who is inside. Securing data should be a top priority for all organizations.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates, Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Learn to Connect Your Network Security Devices


The US Government’s Cyber Intelligence Sharing and Protection Bill facilitates the sharing of cyberthreat information between the intelligence community and cybersecurity entities. Organizational network security devices should also share information. To help organizations better facilitate this sharing, ISACA has partnered with McAfee to create the “Cybercriminals Share Information. So Should Your Network Devices.” webinar. This webinar will take place on 12 March at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

This webinar will be led by Steve Smith, senior network security manager for network solutions at McAfee, and Dan Frey, senior product marketing manager for next generation firewall at McAfee. Together, Smith and Frey have years of experience in firewall protection, product engineering solution architecture, application delivery and security. Attendees will learn how to look at the big picture of their security infrastructure to better understand the threat landscape.

To learn more about this webinar and register, visit the Cybercriminals Share Information. So Should Your Network Devices. page of the ISACA web site.


Seats Are Limited: Do Not Miss the Inaugural COBIT Conference


ISACA will hold the first-ever COBIT Conference on 14-15 March in Orlando, Florida, USA. Audit, assurance, security and governance professionals from around the world are invited to attend the conference to better understand COBIT, earn the COBIT Foundation certificate or obtain practical guidance on applying the COBIT framework. The COBIT Conference has 2 tracks. Track 1 discusses the foundations of COBIT 5, and track 2 focuses on actionable insights, tools and practical guidance.

The first session offered for track 2 is titled “Business Benefits Realization.” Sushil Chatterji, CGEIT, will lead this session and cover how to best apply the COBIT 5 governance and management principles toward business benefits realization. Business benefits realization can be linked to enterprise and IT strategy and structure, and Chatterji will discuss this relationship, while providing practical guidance and advice on how to best implement business benefits realization using COBIT 5.

Track 1 is currently sold out, but contact conference@isaca.org to be added to the wait list. Limited seats are currently available for track 2. Visit the COBIT Conference page of the ISACA web site to watch a video about the benefits of the conference. Register for the conference on the COBIT Conference web page.


Learn to Adjust in a New Country at Leadership Development Webinar


Moving to another country, whether for professional or personal reasons, can be exciting and challenging. To learn more about adjusting to and working in a new culture, attend “Achieving Success by Stepping Outside Your Cultural Comfort Zone.” This webinar will take place on 5 March, and ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Matthias Kraft, CISA, CGEIT, CRISC, ISO 27001 LA, who has worked in Germany, France, Luxembourg and New Zealand, and Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, who has worked in the United Kingdom, Germany, Canada and Singapore, will lead this webinar. In this webinar, they will teach attendees how to succeed in a new cultural environment. They will also provide tips on working abroad and they will share personal stories of their experiences working around the world. In addition to discussing some of the potential blunders made by the newly arrived, the webinar will have a question and answer portion.

To learn more about this webinar or to register for it, visit the Achieving Success by Stepping Outside Your Cultural Comfort Zone page of the ISACA web site.


Volunteers Represent ISACA at Standards-setting Meetings


In recent months, several members of ISACA’s International Organization for Standardization Liaison Subcommittee (ILSC) represented ISACA at international standards development meetings. The International Organization for Standardization (ISO) develops voluntary international standards on a wide range of issues, including information security.

ISO is made up of member countries and liaison organizations. As a liaison organization with the highest possible status in several committees, ISACA can participate in those committees’ meetings and contribute to the development of guidance. ISACA sends delegates to a number of ISO working groups that focus on IT service management, IT governance and IT security techniques. ISACA volunteers recently attended ISO meetings in Mexico, the Netherlands and Spain to ensure that ISACA’s members’ priorities are represented in the development of new standards that could affect members and certification holders.

If you are interested in learning more about ISACA’s involvement with ISO or providing input as a subject matter expert, please contact Linda Wogelius, ISACA advocacy manager, at lwogelius@isaca.org.


ISACA Certifications Among Highest Paying IT Certifications


ISACA certifications can help you advance your career and bring more value to your organization. Foote Partners LLC includes ISACA certifications in its list of highest paying IT certifications from July 2014 to October 2014. The Certified in the Governance of Enterprise IT (CGEIT) certification is tied for the 3rd highest paying certification. ISACA’s Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM) certifications are tied for 4th among top-paying IT certifications, and the Certified Information Systems Auditor (CISA) is tied for 5th highest-paying IT certification.

In addition to paying well, ISACA certifications can be prerequisites to certain jobs. The UK Government’s 2014 Cyber Security Skills report revealed that CISA, CISM, CISSP, ISO 27001 LA and CLAS are among the information assurance qualifications they look for when recruiting staff.

To learn more about ISACA’s certifications, visit the Certification page of the ISACA web site.


Expand Your Security Knowledge With a CISM Certification

Isa Ojeda, CISA, CISM, CRISC, CIA, IT Risk Manager at Macquarie and Membership Director of the ISACA Manila Chapter, Shares Her Experience as a CISM

“Employers are looking for people with knowledge and skills on par with global standards,” says Isa Ojeda. “The Certified Information Security Manager (CISM) certification provided that recognition for me.” Ojeda pursued the CISM certification when she began her career as an auditor. She knew that the CISM certification would help her learn more about information security.

Having the CISM certification has allowed Ojeda to be recognized for her strong understanding of information security management. Her information security background has helped her with the job she has today. “The best part of my job is giving value to the organization by managing risk and helping achieve the organization’s objectives,” she says. “Also, technology is fast-changing and it is great to be in a dynamic field where there are so many things to learn.”


Ojeda says that having the CISM certification and being an ISACA member have provided her with valuable networking opportunities. “When I got certified, I became an ISACA member and it has been a fruitful and exciting journey ever since, as I have become more active in the organization. I have met and worked with great people from the industry and, in my own little way, I am able to give back to the profession.”

The benefits of the CISM certification have extended beyond Ojeda’s professional life. Many of the skills required for CISM certification holders are useful in everyday life. “Risk and incident management are very practical skills in normal everyday situations and other endeavors outside of work,” she says. “Having a risk mind-set enables us to be prepared for things that can go wrong, while incident management gives us the ability to respond to untoward situations in an organized and effective manner to control and minimize impact.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: The Security Risk Assessment Handbook, 2nd Edition

Reviewed by Upesh Parekh, CISA

The US National Institute of Standards and Technology (NIST) Special Publication 800-30 “Guide for Conducting Risk Assessments” defines information security risk as the risk that arises from the loss of confidentiality, integrity or availability of information or information systems and reflects the potential adverse impact to organization operations, organizational assets, individuals, other organizations and the nation.

It is a cliché that assessing and managing security risk is of paramount importance to an inter-networked corporation. However, assessing security risk is easier said than done. It is like making a portrait on a very wide canvas. The outline of the portrait is entirely visualized in the mind of the artist, but determining the starting point is the biggest challenge. For risk professionals, the security risk essentials and process are well established in their minds, but it is overwhelming to think about the enormity of the subject.

The Security Risk Assessment Handbook, 2nd Edition, written by Douglas J. Landoll, addresses security risk assessments from a practical perspective and helps risk professionals step-by-step in the arduous journey of a security risk assessment. Though the book is written from an external consultant’s perspective, it can easily be used by an in-house risk expert.

The first 2 chapters of the book discuss the fundamental concepts of the risk assessment process. In the next chapter, the author treats security risk assessment as any project and provides useful tips. Chapters 4-8 cover the initial steps of the risk management assessment process, namely preparing for the risk assessment and gathering the technical, administrative and physical data. Chapter 9 covers the important and often less emphasized step of risk analysis, followed by risk reporting in chapter 10.

The book is written in simple and easy-to-understand language. The author has attempted to cover every possible aspect of risk analysis. This book even includes tips on how to draft an introductory letter to the client before beginning the risk assessment project. Theoretical concepts have been explained with supporting examples, sample checklists and templates, which could be useful to a risk professional. The end of every chapter has a few exercise questions to test the reader’s understanding of the chapter.

This book could be useful for security and risk professionals who have been entrusted with the task of performing a security risk assessment. Security, audit and risk students may find this book equally useful when trying to understand some of the elusive concepts of risk assessment.

The Security Risk Assessment Handbook, 2nd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.