@ISACA Volume 19: 10 September 2014 

@ISACA Relevant, Timely News

COBIT 5 Online Provides Interactive Access to COBIT Resources

COBIT 5 online gives COBIT users an interactive method of understanding, exploring and using COBIT 5. The recently launched platform offers an updated Goals & RACI Planner. This planner tool helps COBIT 5 users select the enterprise, IT-related and enabler goals best suited for the stakeholder’s needs.

COBIT 5 online also offers a central location for users of the framework to find current industry information. As it is an online resource, the platform contains the latest, most up-to-date industry news, sorted by topic. COBIT 5 online guides users to all of ISACA’s COBIT-related publications and contains valuable insights, sorted by professional focus.

A major benefit of COBIT 5 online is the ease with which it can be navigated. Users can easily browse all of ISACA’s COBIT-related publications and sort results based on professional roles, topic, subject and resource type. The content locator allows users to search based on professional focus and business challenge. COBIT 5 online can be used by people with varying familiarity with COBIT 5, as the web site provides resources for those who already use COBIT 5, those who are new to COBIT 5 and those who are upgrading from COBIT 4.1.

To learn more about COBIT 5 online, visit the COBIT 5 online web site.


Can Open Source Data Be Predictive?

We are all familiar with protective and detective controls, but what about predictive controls? Do they exist? Is it possible to predict the future?

The use of open source is being advertised as having these predictive qualities. However, for the most part, open-source tools are used for a variety of trend analysis algorithms. Open-source data may contain facts; manipulated or skewed information; plain, old, everyday untruths; or a combination of these. So when we speak about 1 specific event within open source, based on a limited number of findings, the information is always in question.

Open source is loosely defined as data mined from the Internet, which includes data services provided by social media sites. The most popular social media sites are microblogging sites.

Information on a security event can be informational, news (good or bad), or intelligence. Informational data are usually benign and wield no negative or positive influence on an organization’s financial or social position in the marketplace or on an organization’s security posture. News data can be viewed as something occurring in real time that security professionals are either reacting to or benefiting from.

Intelligence data, however, are more interesting in that they can be predictive. Predictive analysis based on open-source data goes beyond statistical or trend analysis. Predictive tools require an understanding of human behavior (as it relates to a security event) and the related events that led up to the security event. This includes algorithmic solutions that gauge positive or negative sentiment about an organization.

The following are some tips and questions to ask when deciding whether or not to use open-source tools in your organization.

  • Will your management tolerate the social backlash if your organization’s use of open source were to be made public?
  • Is your organization large enough to have unique attack vectors that could be targeted in open source?
  • Government, bad guys and competitors can skew specific events with misinformation (or disinformation). Open source is a big data environment better suited for examining statistical trends than specific events. Large trends and statistics tend to be more resilient (reliable) if the data sample is large enough.
  • Open source is captured in native language; if you think everyone posing a threat speaks a common language, you are woefully mistaken.
  • When looking at open source results, it is better to have 2 or more unrelated sources to validate an event.
  • Understand the physics of a web site within the open source, e.g., demographics of the users of the site, persistence of data, government control. All of these could distort your results. You would hate to make a decision on data posted by high school bloggers who happen to be angry at someone with the same name as your CEO.
  • Always look for algorithms that aid—not replace—the human decision process.

Open source, if used properly, is a great source of information when researching public opinion or sentiment concerning corporate officials or the corporation itself. In my experience, the use of open source to uncover specific attacks against a corporation would be less than productive. The amount of data that would need to be collected, translated and analyzed could easily exceed the value of the data you are protecting.

If you are considering open source, I leave you with this warning: Understand the negative impact on a corporation’s reputation for the perceived use of raw open-source data. The impact could outweigh any benefit one might achieve by identifying a security event.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Network and Earn CPE at Mobile Security Virtual Conference

Learn how to improve safety in the face of evolving mobile-device-related risk, while still giving users the mobile features they want. Join security experts and your peers from around the world on 17 September for the Mobile Security: Overcoming Obstacles, Reducing Risk virtual conference. Attendees can earn up to 5 continuing professional education (CPE) hours at this event.

The keynote session at the virtual conference, “The State of Enterprise Mobile Security,” will be led by ISACA International President Robert E. Stroud, CGEIT, CRISC. This session will examine the evolving risk associated with mobile devices and the tools organizations can use to combat these threats.

Other sessions at this conference will cover integrating mobile security into an organization’s data protection strategy, bring your own device (BYOD) management strategies, and secure file sync and sharing. In addition to the technical knowledge that can be gained at this conference, attendees will also have the opportunity to connect with their peers with dedicated networking time built into the conference schedule.

To learn more about the mobile security virtual conference, visit the Mobile Security: Overcoming Obstacles, Reducing Risk page of the ISACA web site.


Boards Should Participate in Cybersecurity Initiatives

Boards of directors need to actively participate in their organizations’ cybersecurity strategies, a report from the Institute of Internal Auditors Research Foundation (IIARF) and ISACA emphasizes. The report, which was released at the joint IIA/ISACA 2014 Governance, Risk and Control (GRC) Conference, contains 6 questions board members should consider when revising their organizations’ cybersecurity policies.

The report found that more than 65 percent of survey respondents feel that cybersecurity risk is at a high level or has increased. As cybersecurity becomes a greater concern, it becomes imperative that organizations put more resources toward it. “This report is an important collaboration of our organizations, bringing together the global expertise of thousands who are working toward better detecting and mitigating cyberthreats,” says Ron Hale, Ph.D., CISM, chief knowledge officer at ISACA. “It urges executives to roll up their sleeves and get involved in the cybersecurity process and provides concrete questions to get started.”

In addition to providing survey results and a starting point for cybersecurity discussions, the report also outlines guiding principles for the board, as established by the National Association of Corporate Directors, the American International Group and the Internet Security Alliance. The information and guidelines provided in this report empower the board and management with specific strategies to effectively combat cyberrisk.

To help professionals and organizations combat cyberrisk, ISACA has created the Cybersecurity Nexus (CSX), which is a central location where security professionals can find comprehensive cybersecurity guidance. CSX offers training, education, research, certification and career development resources.

Please keep in mind that October is Cyber Security Awareness Month, so it is an opportune time to spread the word about the importance of cybersecurity. For ideas on how to get involved, visit the National Cyber Security Alliance’s Cyber Security Awareness Month web site and the European Union Agency for Network and Information Security’s European Cyber Security Month web site. To read the report, visit the Cybersecurity: What the Board of Directors Needs to Ask page of the ISACA web site.


New ISACA Chapter Formed in Medellin, Colombia

ISACA is pleased to announce the formation of a chapter in Medellin, Colombia. The chapter received final approval from the ISACA Chapter Support Committee and ISACA's international president on 26 June. Medellin is the second largest city in Colombia, and the new chapter will be supporting an initial member base of 80 local professionals.

Medellin is home to large financial services, insurance and textile companies, and concern about IT governance, compliance and information security issues is increasing. The ISACA Medellin Chapter was created to help improve the skills of professionals and offer guidance, resources and good practices.

Officers of the new ISACA Medellin Chapter include:

  • President: Mauricio Henriquez Alzate, CISA
  • Vice president: Diego Pulido, CISA, PMP
  • Treasurer: Gloria Cardenas, CISA, CGEIT
  • Secretary: Efren Sanchez, CISA, CRISC
  • Membership director: Arean Velasco
  • Certification coordinator: Marcelo Linero

ISACA now has 205 chapters in 86 countries. There are 22 chapters in Latin America. A Medellin Chapter overview page with contact details is available on the Local Chapter Information page of the ISACA web site.


Board Nominations Are Open

Nominations for the ISACA Board of Directors for the 2015-16 term are now open. Information about serving on the board, the attributes for office (both international president and vice president) and the nomination form are available on the Board Nominations page of the ISACA web site.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged, and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including a review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Nominations for international president close at 5:00PM CDT (UTC -5 hours) on 14 October 2014; nominations for vice president close at 5:00PM CST (UTC -6 hours) on 6 January 2015. These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required), so if you wait until these deadline dates to submit your nomination form, you may not be giving yourself enough time to provide the committee all the required information. Questions? Contact nominate@isaca.org.


Seasoned ISACA Members Value Networking Opportunities

There is 1 major differentiating factor between newer ISACA members and seasoned members. According to ISACA’s 2013 Member Needs Survey, platinum- and gold-level members, who have been ISACA members for 10 or more years, value networking through local, international and web-based events significantly more than bronze- and silver-level members, who have been ISACA members for 3-9 years.

ISACA’s platinum- and gold-level members believe that every connection is critical to building a successful career over time. Seasoned members are more likely to attend local chapter meetings and events to build and maintain relationships. While newer members find great value in the reduced member pricing for certifications, training, research and other ISACA resources, long-standing members tend to focus on the valuable networking opportunities that membership provides.

“I joined ISACA almost 10 years ago as a young professional. Over the past 10 years, I discovered how powerful an international network of outstanding people helps achieve professional goals,” said Matthias Kraft, CISA, CGEIT, CRISC, silver-level member. “My local chapter affiliation eased my transition into new environments when I worked across multiple continents.”

The next time you receive a chapter invitation, consider the benefits you will reap by attending. Even if the subject matter does not cover your area of expertise, use the meeting as an opportunity to get to know other professionals in your community. Introduce yourself to someone new. Ask others about their favorite or most challenging projects at work. Brainstorm with your new connections about how both of you can accomplish more enriching career goals.

If you are not in a chapter territory or are too far away to attend a meeting, participate in ISACA’s next virtual conference, join a topic community in the Knowledge Center or connect with ISACA’s LinkedIn group. Do not miss an opportunity to connect with other experts in your field. Create lasting relationships that will help advance your career.


2009 CISA, CISM, CGEIT Exam Passers: Deadline to Become Certified Is Approaching

Exam passers have 5 years to apply for certification once they have passed their exam. The 5-year period to apply for certification for those who passed the exam in 2009 will end on 31 December 2014.

Please note that individuals are not certified and cannot use the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) designation until the completed application is received and approved by ISACA International Headquarters. Applications can be found on the CISA, CISM, CGEIT and CRISC Apply for Certification pages of the ISACA web site.

Questions? Contact certification@isaca.org. Learn more about certification on the Certification page of the ISACA web site.


Book Review: Lukaszewski on Crisis Communication
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL

Effective and ethical communication is critical in crisis or emergency situations. If done right, crisis communication can save lives, values, reputations and careers. It might also help in keeping negative publicity, critics, devastating social media responses and litigation at bay.

James Lukaszewski writes in Lukaszewski on Crisis Communication, “Faced with a crisis, management may spend a lot of time in denial, covering bases that don’t immediately matter, such as embarrassment, avoidance, self-forgiveness, searching for the guilty or just self-talk.” One of the key messages in the book is that organizations need to be proactive and prepare the right response for crisis situations before they happen. This may seem easier said than done, but bad things happen unexpectedly, and organizations are faced with the question: “What is the next step?” This book helps readers be prepared for the unexpected.

Lukaszewski’s book is invaluable and interesting reading for C-level executives, managers and entry-level consultants who want to develop their leadership skills. The book is well structured in 10 chapters with case studies, tables, graphs and a glossary. These 10 chapters fall into the categories of defining crisis, crisis communication, creating the crisis communication plan and the communication plan in action.

Although there are many books about leadership and communication available, this book stands out from the crowd because its content is not just theory. It is a comprehensive presentation of real-world experience. It gives useful practical advice on the essential steps to complete before, during and after the unexpected happens.

Lukaszewski on Crisis Communication is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, is president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA Publications Subcommittee for 3 years, has authored several book reviews for the ISACA Journal and is coauthor of SAP Security and Risk Management.
