@ISACA Volume 12: 6 June 2012 

@ISACA Relevant, Timely News

Get a Complimentary Copy of the Highly Anticipated COBIT 5 for Information Security
Attend INSIGHTS 2012 to Receive Your Complimentary Copy

COBIT® 5 for Information Security will be launched at ISACA’s World Congress: INSIGHTS 2012, which will take place on 25-27 June 2012 in San Francisco, California, USA. All INSIGHTS 2012 attendees will receive a complimentary PDF copy (otherwise priced at US $35 for members/US $175 for nonmembers) and will have the opportunity to take part in live, interactive discussions with ISACA’s COBIT experts in the COBIT Lounge.

This new publication expands on the COBIT 5 framework, offering practical guidance to information security professionals. COBIT 5 for Information Security is the first publication in the COBIT 5 Professional Guides series. It examines COBIT 5 from a security point of view, placing a security lens over the concepts, enablers and principles within COBIT 5. Detailed guidance is contained in appendix B, Detailed Guidance: Processes Enabler, which follows the same table format as COBIT® 5: Enabling Processes and uses it to provide security-specific process goals and metrics, inputs/outputs, and activities. COBIT 5 for Information Security is intended for all stakeholders in the enterprise who are involved in matters related to information security.

Visit the World Congress: INSIGHTS 2012 page of the ISACA web site to register to attend and receive your complimentary copy.


Tips for Implementing and Improving DLP Solutions
By Lisa R. Young, CISA, CISM

Over the last decade, enterprises have become increasingly reliant on digital information to meet business objectives. On any business day, significant amounts of information fuel processes that occur both inside and outside of organizational network boundaries. There are many paths for this data to travel (e.g., email messages, word processing documents, spreadsheets, database flat files, instant messages). Frequently, multiple copies and variations of the same data are scattered across the enterprise on servers, individual workstations or other media.

Data leak/loss prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe. Implementation of a DLP solution is a complex undertaking that requires significant preparatory activities, such as policy development, business process analysis, and detailed inventories and analysis of the types of information used by the enterprise.

Most DLP solutions combine several technologies to serve three key objectives, one for each state of the data:

  • Locate and catalog confidential or sensitive information stored throughout the enterprise (data at rest).
  • Monitor and control the movement of information across an enterprise’s networks (data in motion).
  • Monitor and control the movement of information on end-user systems (data in use).

As you plan a DLP implementation, or if you wish to improve your current implementation, consider these items and how each fits into your business culture:

  1. What are you trying to protect?—Enterprises are often unaware of the many types and locations of information they possess. Information that needs protection must first be designated as such. Data classification is not easy, but it lets the technology solution enhance the information protection process instead of dictating it. Grouping similar types of data together makes the protection strategies easier to manage once a technology solution is deployed. Single-channel DLP solutions look at one potential loss vector, such as email or web traffic. Multichannel solutions cover several vectors at once and typically require agents on every end-user device across the enterprise. Choosing the right DLP solution means that you have assessed the risk and have deployed the DLP solution where your highest risk of data loss is likely to occur.
  2. Why does the information need protection?—Information such as intellectual property may need a different type of protection than customer records, because regulations that require compliance reporting call for different controls than protecting corporate secrets from competitors. Again, knowing the types of data that need protection and why they need it will go a long way toward helping you define the processes, controls and tools that need to be deployed to prevent data loss.
  3. Does your incident response (IR) plan address DLP incidents?—Your IR plan should include the data categories that are targeted, the actions that will be taken to address violations, the escalation processes and any processes required for exception requests. Processes should also be established for off-hours and holidays, when key individuals may not be available.
  4. Have you analyzed data loss incidents to determine root cause?—Data loss incidents mainly fall into three categories: failed business processes, deliberate actions of people or inadvertent actions of people. You should review business processes that require access to confidential information and determine whether that access is actually required to perform each process. Identifying which business processes genuinely need access to confidential or sensitive information, and removing access from the rest, is one of the strongest methods of protecting such data.
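As an added illustration (not part of the original article or of any ISACA publication), the Python below sketches the first objective above, locate and catalog, driven by the kind of classification policy that items 1 and 2 call for: each category records why it is protected and which control applies, candidate card numbers are Luhn-validated so that serial numbers and order IDs do not flood the inventory, and findings are masked so the inventory itself does not become another copy of the sensitive data. The policy, the patterns and the sample documents are constructed assumptions; the same `classify` function would serve an outbound message or an endpoint copy operation, which is what the second and third objectives need.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Classification policy (constructed for this example): each data category records
# why it is protected (item 2) and which control applies when it is found (item 1).
POLICY = {
    "PCI": {"reason": "regulatory: payment card data", "action": "block"},
    "PII": {"reason": "regulatory: customer records", "action": "block"},
    "IP": {"reason": "trade secret: competitors", "action": "alert"},
}

# Candidate patterns are deliberately loose; validation, not the regex, decides.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout (format check only)
IP_MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|TRADE SECRET)\b", re.IGNORECASE)


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    location: str
    category: str
    sample: str  # masked; the inventory must not become another copy of the data
    reason: str
    action: str


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be triaged without exposure."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def classify(location: str, text: str) -> list[Finding]:
    """Apply the policy to one piece of content (a stored file here; the same rules
    apply to an outbound message or an endpoint copy operation)."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(Finding(location, "PCI", mask(m.group()), **POLICY["PCI"]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(location, "PII", mask(m.group()), **POLICY["PII"]))
    marker = IP_MARKER_RE.search(text)
    if marker:
        findings.append(Finding(location, "IP", marker.group(), **POLICY["IP"]))
    return findings


def inventory(documents: dict[str, str]) -> dict[str, list[Finding]]:
    """Locate-and-catalog pass over stored content (the first DLP objective above)."""
    return {loc: classify(loc, text) for loc, text in documents.items()}


def decision(findings: list[Finding]) -> str:
    """Most restrictive action wins when content carries several categories."""
    rank = {"allow": 0, "alert": 1, "block": 2}
    return max((f.action for f in findings), key=rank.__getitem__, default="allow")


# Constructed sample corpus standing in for files discovered on a share; not real data.
SAMPLE_DOCS = {
    "finance/refunds.csv": "customer,card\nJ. Doe,4111 1111 1111 1111\n",
    "hr/onboarding.txt": "New hire SSN 123-45-6789, start 2012-07-02",
    "eng/roadmap.txt": "CONFIDENTIAL - product roadmap for H2 2012",
    "ops/serials.txt": "asset tag 1234567890123456 assigned to lab",  # 16 digits, fails Luhn
}

if __name__ == "__main__":
    for loc, found in inventory(SAMPLE_DOCS).items():
        print(f"{loc:22} {decision(found):5}", [(f.category, f.sample) for f in found])
```

Run stand-alone, the script catalogs the two regulated files as `block`, the marked roadmap as `alert`, and leaves the asset-tag file alone because its 16-digit run fails the checksum. Real products add fingerprinting and exact-data matching on top of patterns; the point here is that the policy (category, reason, action) is separate from the detection logic, so the business decisions from items 1 and 2 can change without rewriting the scanner.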

It is important to note that while DLP solutions have the ability to intercept some malicious or criminal attempts to steal information, the technology is not yet sufficiently developed to deter more sophisticated methods of data theft by insiders; content inspection, for example, cannot see inside data that a user encrypts or disguises before moving it. Strong policies and user awareness training are equally important in data protection strategies.

By focusing on the location, classification and monitoring of information at rest, in use and in motion, a DLP solution can help an enterprise get a handle on what information it has and how best to protect it. DLP is not a plug-and-play solution. The successful implementation of this technology requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk to the enterprise. Those implementing the solution must take a strategic approach that addresses risk, impacts and mitigation steps, along with appropriate governance and assurance measures.

More information on this topic can be found on the Data Leak Prevention page of the ISACA web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.


2012-2013 ISACA Board of Directors Elected by Acclamation

The following slate, selected by the ISACA Nominating Committee to serve as the Board of Directors for 2012-2013, was published in @ISACA volume 8, issued on 11 April 2012:

  • Greg Grocholski, CISA, international president
  • Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA, CISSP, vice president
  • Juan Luis Carselle, CISA, CGEIT, CRISC, vice president
  • Christos Dimitriadis, CISA, CISM, CRISC, vice president
  • Ramses Gallego, CISM, CGEIT, CISSP, SCPM, 6 Sigma, vice president
  • Tony Hayes, CGEIT, vice president
  • Jeff Spivey, CRISC, vice president
  • Marc Vael, CISA, CISM, CGEIT, CISSP, vice president
  • Kenneth Vander Wal, CISA, CPA, past international president
  • Emil D’Angelo, CISA, CISM, past international president

Per Article IX, Section 9.01.g of the ISACA bylaws, if no additional nominations are received by petition from the membership, the slate selected by the Nominating Committee is considered elected by acclamation. No additional nominations have been received; therefore, this slate is elected. The 2012-2013 Board of Directors will be installed at the Annual Meeting of the Membership on 24 June 2012 in San Francisco, California, USA, just prior to ISACA’s World Congress: INSIGHTS 2012.


Learn the Latest at the Introduction to COBIT 5 Workshop Before INSIGHTS 2012

The one-day, instructor-led Introduction to COBIT 5 Workshop provides an overview of the new framework. The course is on 23 June 2012 in San Francisco, California, USA, just prior to ISACA’s World Congress: INSIGHTS 2012. The course will provide COBIT practitioners and new COBIT users with insight into the latest update of the framework and explain the differences between COBIT 4.1 and COBIT 5. This course includes an introduction to the new COBIT® Assessment Programme, addressing both COBIT 4.1 and COBIT 5.

In addition to the live workshop on 23 June, this course will also be available as an ISACA On-site Training course, and is recommended for those preparing for additional COBIT 5 training, including the COBIT 5 Foundation Course, COBIT 5 Implementation Course and Assessor Program Training (to be available later in 2012)—all of which will include the ability to earn COBIT 5 certificates.

At the conclusion of this course, attendees will be able to:

  • Discuss how IT management issues affect enterprises
  • Understand the principles of governance and management of enterprise IT (GEIT), and explain the differences between management and governance
  • Assess how COBIT® 5: Enabling Processes supports the five basic principles and the seven governance and management enablers
  • Discuss the goals cascade and the process reference model
  • Describe the basics of how to implement COBIT 5
  • Understand the differences between COBIT 4.1 and COBIT 5 and what to consider when transitioning
  • Explain the benefits of using COBIT 5

The Introduction to COBIT 5 Workshop is also offered through ISACA’s public enrollment schedule. See the COBIT 5 Courses page of the ISACA web site for more details. Additional COBIT 5 courses are under development and will be available later this year.

Visit the COBIT 5 Training page of the ISACA web site or contact onsitetraining@isaca.org.


Update to ISACA’s Articles of Incorporation

As part of its charge, ISACA’s Governance Advisory Council (GAC) conducts a periodic review of the organization’s Articles of Incorporation. The reviews are facilitated through the use of a parliamentarian and ISACA’s legal counsel to:

  1. Determine if the various sections of the articles are consistent and in conformance with current regulatory requirements
  2. Evaluate them against current good practices
  3. Ensure that they support the strategic objectives of the organization

Based on the review, it was recommended by GAC that the ISACA Articles of Incorporation be updated, as they were out of date in relation to references to current regulations and the purpose of the organization. Upon receiving support of this recommendation from the Board, the Articles have been amended and restated to:

  • Ensure that the Articles of Incorporation use proper legal terminology to describe the purpose of the organization and reflect ISACA’s objectives
  • Ensure that the Articles incorporate and reflect applicable US Internal Revenue Service and California Corporations Codes
  • Revise language to ensure that the Articles incorporate and reflect current business activities and practices
  • Remove language that is not required and reflect current good practices

The updated Articles of Incorporation were approved by the ISACA Board of Directors, and will be presented for approval at the 24 June 2012 Annual Meeting of the Membership in San Francisco, California, USA. A copy of the proposed Articles of Incorporation is available on the Bylaws and Articles of Incorporation page of the ISACA web site.

