@ISACA Volume 13: 18 June 2014 

@ISACA Relevant, Timely News

ISACA Announces New CEO

ISACA has selected Matthew S. Loeb, CAE, as its new chief executive officer (CEO). Loeb comes to ISACA after serving as staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and executive director for the IEEE Foundation. Loeb, who has a background in enterprise strategy, corporate development, global business operations and governance, will assume his role as ISACA CEO in early September.

“The ISACA Board of Directors welcomes Matt, and we look forward to working closely with him and building on our 45-year history helping our members and their enterprises drive value through information and information systems,” said Tony Hayes, 2013-14 international president of ISACA and chair of the CEO search panel. “Matt is the right person to lead ISACA and is an ideal match for the execution of ISACA’s Strategy 2022, a long-term plan to expand the association’s reach into critical areas impacting business and technology, including cybersecurity and privacy.”

“As enterprises continue to invest in information systems to build personal relationships with their customers and gain business efficiencies, challenges of compliance, risk, big data, privacy and cybersecurity are increasing complexity for ISACA members in their work to ensure trust and value from these systems,” said Loeb. “While ISACA already delivers resources to help, we have the opportunity to do even more, including increasing appreciation for the role our professionals play in advancing economic prosperity and keeping the digital world safe. I am privileged to have the opportunity to partner with ISACA’s board and employees to grow the organization’s influence and impact globally.”

Loeb is taking over the position from acting CEO Ron Hale, Ph.D., CISM, who stepped in when former CEO Susan M. Caldwell retired in 2013.


Video Series Educates Directors and Managers on Benefits and Risk of IT

The Intersection of Technology, Strategy and Risk helps directors and executives better understand how technology changes business and the risk and opportunity associated with technology. ISACA has partnered with the National Association of Corporate Directors (NACD) and KPMG to create this new video series.

The 8-module series has insights from corporate directors, chief information officers (CIOs) and technology experts. It focuses on the role of the CIO, questions the board should ask about technology, tips for managing cybersecurity risk, and the risk and reward of social media. It also features CIOs offering advice on how to better communicate with the board.

“Executive management is becoming more involved with emerging issues, such as advanced persistent threat attacks, according to 59 percent of respondents to ISACA’s recent APT survey, and this is a positive development,” said Tony Hayes, international president of ISACA. “This video series collaboration will help boards and executives as they continue to maximize value and effectively govern and manage information in their enterprises.”

Each video module is supplemented by additional materials, including articles, webinars and a discussion guide for directors and managers who want to incorporate the strategies from this series into their enterprise.

To view the videos and additional materials, visit the Intersection of Technology, Strategy and Risk page of the ISACA web site.


Earn CPE Hours With Cybersecurity Webinar Series

ISACA is offering a free 6-part cybersecurity webinar series as part of the Cybersecurity Nexus program. The first webinar, “20 Controls for Cyberdefense,” will be held on Tuesday, 24 June at 11:00 AM CDT (UTC -5 hours). Members can earn free continuing professional education (CPE) hours by attending the webinar.

Presenter Vilius Benetis, Ph.D., CISA, CRISC, chief executive officer (CEO) of NRD CS, a specialized cybersecurity company that assists in creating secure digital environments via technology platforms, workflows and processes, will discuss the 20 critical cyberdefense controls identified by the SANS Institute and the Council on Cybersecurity and how ISACA’s recent cybersecurity-related publications relate to these controls. The interactive webinar will give attendees an opportunity to ask Benetis questions.

The next 2 cybersecurity webinars in this series are “How to Implement the US Cybersecurity Framework Using COBIT 5” (29 July) and “Advanced Persistent Threats” (30 September). Other webinars in this series are scheduled for 28 October, 11 November and 9 December—topics are yet to be determined.

To register for the webinar, visit the 20 Controls for Cyberdefense page of the ISACA web site. Visit the Cybersecurity Nexus Webinars page to learn more about this series.


Change to 2014-15 ISACA Board of Directors

In volume 11 of @ISACA, it was reported that the 2014-15 Board of Directors slate, as selected by the Nominating Committee, had been elected by acclamation given that no other candidates were put forward by petition from members. That slate included James Ambrosini, CISA, CRISC, CFE, CISSP, CRMA, from the New York Metropolitan (New York, USA) Chapter.

After the election by acclamation, Ambrosini’s firm, CohnReznick, was selected to be ISACA’s independent auditor for 2014. The selection was made by the Audit Committee after reviewing several proposals and was subsequently ratified by the Board of Directors and approved by the membership at the Annual Meeting of the Membership on 13 June 2014. In order to ensure CohnReznick’s independence as it relates to ISACA, Ambrosini has submitted his resignation from the ISACA Board of Directors, effective immediately.

According to ISACA bylaws (Article VII, Section 7.07), in the event of a vacancy on the board, the international president has the authority to appoint a replacement to complete the remainder of the term, subject to ratification by the board. International president Robert E. Stroud, CGEIT, CRISC, has elected not to fill that vacancy for the 2014-15 term.


Tips for Implementing Mobility Programs

Through my recent exposure to architectures at various organizations, it appears that everyone is taking on mobility. In this context, I mean everyone. However, I am amazed at the level of inefficiency within mobility strategies. As I speak to the IT department, the user community and even the planning organizations, everyone is not only doing mobility requirements and planning, but also carrying out their own pilot implementations. These efforts overlap and are often considered the organization’s future enterprise solution.

But what is mobility? Phones and tablets are a small slice of the mobility problem. Organizations had to deal with issues of mobility long before phones and tablets existed. As IT security professionals, the broader definition of mobility should be our focus. Technology such as CDs, DVDs, laptops and thumb drives all constitute mobile devices. Other technologies such as virtual desktop infrastructures (VDI) provide the foundation for new approaches to mobility. Techniques such as drop boxes and emailing information to personal email addresses should also be included in what organizations consider mobility. (But, it is probably better to think of these techniques as shortcomings of mobility programs.) So for us, as security professionals, mobility is the movement of an organization’s information and technology outside its physical facility for the purposes of accomplishing the daily activities and tasks required of employees.

The following is a list (by no means comprehensive, but a good start) of tips to combat the mobility challenges that organizations face today:

  1. Manage mobility as a portfolio. A portfolio allows you to define a common architecture and approach and then divide the challenge into workable subareas. These subareas can be assigned and worked on separately while sharing a common vision of how mobility will be integrated into the organization. It also allows for resource and financial allocation. In some areas, such as mobile platforms (phones, tablets and laptops), the problem should be subdivided into logical blocks, such as endpoint managers, dynamic policy pushes to phones (e.g., virus and configuration) and BYOD.
  2. Review and update your information and IT security policy. Technology is constantly changing. Most mobility policies are directed at mobile code and the use of mobile devices. Recent technological advances have made it possible to use technology that has fallen through the cracks of an organization’s policy framework. For example, old mobile code policies viewed JavaScript as a browser-side capability not worthy of security review. Today, technologies such as server-side JavaScript and asynchronous frameworks, e.g., Node.js, are being used to build whole systems. As a result, many critical business systems use technologies that have never been reviewed under the policy.
  3. Compare VDI to mobile applications. Mobile devices are best thought of as platforms for accessing an organization’s infrastructure. Applications and implementations such as VDI just ride on top of the platform. Phone apps are great for phones and tablets; however, the user experience of being able to access their work computer from anywhere makes VDI very attractive. Many organizations implement VDI and never consider accessing it from a mobile device. However, if one does intend to access a VDI implementation from a mobile platform, here are some interesting points to remember:
    • A thin client provides the highest level of assurance with no data at rest (screen scrapes, clicks and keyboard entries).
    • A secure communication path should be present from the mobile device to the mobility gateway.
    • A common enterprise authentication mechanism should be in place. Phones provide a limited experience due to physical size, while tablets provide a more realistic experience.

Even if one were to virtualize the phone’s internetwork operating system (IOS) into the cloud and access the phone’s IOS through a thin client app, these technological solutions would not achieve the user experience of VDI. In the end, virtualizing a phone’s actual IOS into a cloud is an interesting technical study. However, accessing an organization’s VDI solution from mobile platforms may be a less expensive and more straightforward way to reduce the risk associated with the perceived need to email information to oneself and use CDs, thumb drives or other information transfer technologies.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Publish ISACA Certifications to Your LinkedIn Profile

All ISACA certification holders have been issued open badges—electronic validations of your achievements—for use in broadcasting your skills across online platforms (Facebook, LinkedIn, Twitter, email signature) to tell your professional story. Now you can publish your credential details directly to the Certification section of your LinkedIn profile. Previously, sharing a badge to LinkedIn only resulted in it being posted to a newsfeed.

“LinkedIn recently introduced the Add to Profile pilot service that allows members to add certification information from trusted partners directly to the LinkedIn profile. This is a very valuable service to LinkedIn members, since a profile with professional certifications receives twice the views as those without,” according to Mike Kim, who leads global business development for LinkedIn’s Profile and Higher Ed Product Teams.

To display your badge on your LinkedIn profile, log in to Acclaim, select the badge you would like displayed on LinkedIn and then select share. The site will then walk you through connecting to LinkedIn and provide you with a series of confirmation steps. Please note that when a certification is referenced in a LinkedIn profile, an image of the ISACA logo, not the actual badge image, is displayed inline.

Because these badges offer single-click verification, employers and others interested in what your badge signifies can click on the badge and be linked to your certification’s validation page, which includes information on the requirements for certification and other certification-related information. This option is part of LinkedIn’s recently launched direct-to-profile service, which allows trusted partners to add certification information directly to the LinkedIn profile.

The Open Badges page of the ISACA web site includes sample images of what each certification badge looks like and has frequently asked questions (FAQs) on key issues.


Pittsburgh Chapter Support Leads to ISACA’s Latest CSR Donation

ISACA has donated US $5,000 to the Pressley Ridge Career Development Center as part of its corporate social responsibility (CSR) program. ISACA’s Pittsburgh (Pennsylvania, USA) Chapter nominated the Center for this donation under the “support of a cause—chapter/individual” portion of the CSR program.

“The ISACA Pittsburgh Chapter board feels that the Pressley Ridge Career Development Center has excellent programming and training to support children with serious emotional disturbance (SED). Their training is focused on giving children access to and understanding of technologies that will help them to learn and thrive in their communities and local workforces,” says Dan Desko, ISACA Pittsburgh Chapter president.

This donation will be used to help children with disabilities have greater access to technology. Specifically, the donation will provide the center with specialized cameras for visual aids for students, projectors and tablets, which all interface with each other.


Under the “support of a cause—chapter/individual” portion of the CSR program, chapters and individuals can apply for funding for local organizations. To apply for ISACA funding for regional organizations and activities, visit the Criteria for Support of a Cause page of the ISACA web site. A volunteer working group composed of representatives from the Chapter Support Committee, the Finance Committee and the Relations Board reviews all submissions.

To learn more about ISACA’s CSR program, visit the Corporate Social Responsibility page of the ISACA web site.


New IS Audit and Assurance Guidelines Issued

ISACA has issued 18 IS Audit and Assurance Guidelines to support the standards that were issued last year. The guidelines are effective 1 September 2014, at which time the previous guidelines will be withdrawn.

These new guidelines, which contain references to COBIT 5, are designed to provide assistance in performing assurance work and additional detail to support compliance with standards. Although following the guidelines is not mandatory, it is strongly recommended. Professionals must be able to justify any deviation from the guidelines.

The guidelines are posted on the IS Audit and Assurance Guidelines page of the ISACA web site in HTML and PDF formats. The titles include:

2001 Audit Charter
2002 Organisational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

2401 Reporting
2402 Follow-up Activities

The new guidelines will be incorporated into ITAF, 3rd Edition. Access the new standards and guidelines on the IT Assurance Framework (ITAF) page of the ISACA web site. Additional information on recent and upcoming research projects is posted on the Current Projects page.


Book Review: Essential Information Security
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP

Essential Information Security is a basic how-to book for the information security professional. It provides an introduction to the field of information security, covering popular topics including cloud security, mobile device security and network security. The book provides a comprehensive overview of what is important in terms of data privacy (confidentiality), integrity, availability and compliance with government and industry regulations/standards. As a book that provides risk management information, this publication is applicable to all geographical areas with no specific industry vertical.

The information in this book is presented cogently and clearly and has an appropriate amount of documentation. The key features of Essential Information Security include definitions of important terms and a summary to capture the focal points of the topics discussed in the chapters.

One of the major strengths of this publication is its informal tone. Despite the casual tone, the authors have ensured that readers will be able to grasp the key concepts before they are discussed further. The book covers the latest topics, including bring your own device (BYOD) and cyberwars. Although there could be more interconnectivity among the chapters, each chapter goes into sufficient depth on its subject matter. Useful resources, such as a readiness check and a network security configuration guide, are also available as appendices.

Every new security practitioner should start with this book, as it provides a comprehensive overview of what is important in information security.

Essential Information Security is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Joyce Chua, CISA, CISM, CITPM, ITIL, PMP, is a global IT compliance manager for GLOBALFOUNDRIES, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.
