@ISACA Volume 2: 18 January 2012 

@ISACA Relevant, Timely News

ISACA Career Centre Makes It Easier to Showcase Member Skills

Do you dread writing or updating your résumé/curriculum vitae (CV)? ISACA has just made it easier for you to showcase your skills, by enhancing the Career Centre professional profile feature. Now, when members complete a simple form regarding their education, experience and career goals, the ISACA Career Centre will automatically format this information as a résumé/CV. Members may also continue to upload their own additional documents.

ISACA urges members to take a look at this new profile format and upload their profile information. We hope that this new feature will allow employers to more easily scan job seekers’ information for relevant skills and experience, and will help you take that next step in your career. With this new feature, members can manage, plan and develop their careers online.


Strategies for Addressing Risks From Web Applications
By Lisa R. Young, CISA, CISM

Web applications are indispensable to a modern enterprise. A web application is computer software that is accessed over a network such as the Internet, as opposed to software that runs locally on the organization’s end-point devices. Examples include webmail, online retail sales, online banking and cloud computing services. Benefits of web applications include the convenience of using a web browser as a client, seamless integration with other online resources and services, and support for multiple platforms such as Windows, Linux, Mac OS, and mobile device platforms such as iOS and Android™.

However, these benefits can be quickly undermined by inattention to the security and reliability of these applications. Here are six considerations for addressing the risks from web applications:

  1. Seek business and senior-level management support—Support from senior management is essential for any security initiative, and secure development practices are no exception. Educate your senior managers on the risk from web applications, especially if your core business relies on the Internet or if outsourced software development is a common practice in the organization. Compliance can be a strong motivator for executive support. Requirements 6.5 and 6.6 of the Payment Card Industry Data Security Standard (PCI DSS) Version 2.0 address this directly: 6.5 requires that applications be developed according to secure coding guidelines and points to guidance from organizations such as The Open Web Application Security Project (OWASP), and 6.6 requires that public-facing web applications be protected against known attacks through regular application vulnerability assessment or a web application firewall. Enterprises impacted by PCI DSS already have a strong case for senior management to endorse the initiative to secure the system development life cycle (SDLC) process.
  2. Train your in-house software developers or ensure your vendors are trained in secure coding—Formalized training of developers in secure-coding practices, augmented by periodic updates on new techniques and vulnerabilities, is an essential step in securing the overall SDLC process. Numerous resources exist to assist with this process. Training in secure-coding practices should be accompanied by periodic skills assessments to ensure that training has been effective.
  3. Secure the supply chain—Web applications are rarely developed completely in-house. Standards and effective code-review processes must be applied not only to code developed in-house but also to components such as plug-ins, libraries and frameworks that are procured from a supplier or an open-source project to augment internally developed code. Keep an inventory of these components so that they can be updated when vulnerabilities in them are disclosed.
  4. Policies and standards—Any program to address web application vulnerabilities must be appropriately framed by a complete set of security policies and supporting standards and procedures. Developing and effectively communicating these security standards will drive consistency across the enterprise’s efforts to employ effective security in the application development process. Additionally, the program should be periodically audited to ensure its continuing compliance with these policies and standards.
  5. Technical controls—It is important to consider technical controls for the web application environment, particularly when there are web applications with legacy code that has not undergone security testing or is known to have vulnerabilities that have not been addressed. Web servers that serve Internet clients are typically placed on a protected or screened subnet, known as a DMZ. This is a start, because it limits what an attacker who compromises the server can reach, but a network firewall forwards any well-formed HTTP request on an allowed port, including attacks such as SQL injection or cross-site scripting carried in ordinary request parameters. To protect against application misconfigurations and other application-layer vulnerabilities, a web application firewall (WAF) that inspects request content is the better choice. Treat the WAF as a compensating control that buys time while the vulnerable code is fixed, not as a substitute for fixing it, and test its rules against the application’s known weaknesses rather than assuming a default rule set covers them.
  6. Effective incident response capabilities—Despite taking all of the previous steps, there is still a chance that an Internet-facing web application system will be compromised. Having a tested and well-defined incident response process is an additional compensating control that can significantly reduce the impact of a breach if it occurs.
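The following Python example is added here to illustrate consideration 5; it is not code from the article or from ISACA. It simulates the request path of a legacy application behind a DMZ: an in-memory SQLite table (constructed sample data), a lookup written with string concatenation beside its parameterised fix, and a hypothetical WAF rule set of three regexes standing in for a real WAF. The constructed requests show that the network layer forwards an injection payload unchanged, that the WAF blocks the obvious form of it, and that a variant slips past the rules, which is why the WAF is a compensating control rather than the fix.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for a legacy application's database: an in-memory
# SQLite table with a few sample rows (not data from the original article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    """Legacy code path: SQL built by string concatenation (SQL injection)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """The SDLC fix: a parameterised query, so user input is only ever data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Hypothetical WAF rule set: a few regexes run over every query-string value.
# Production WAFs (e.g. ModSecurity with the OWASP Core Rule Set) are far
# richer; this only shows the layer at which such a control operates.
WAF_RULES = [
    ("sqli-quote-comment", re.compile(r"'\s*(or|and)\b.*(--|#|/\*)", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]

def waf_inspect(query_string):
    """Return the name of the first rule a parameter value triggers, else None."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for value in values:
            for rule_name, pattern in WAF_RULES:
                if pattern.search(value):
                    return rule_name
    return None

def handle(conn, query_string, waf=True, hardened=False):
    """Simulate the request path for GET /user?<query_string>.

    A network firewall in front of the DMZ sees only a well-formed HTTPS
    request on an allowed port and forwards it; the payload is examined
    only here, by the (optional) WAF, and then by the application itself.
    """
    if waf:
        hit = waf_inspect(query_string)
        if hit:
            return ("blocked", hit)
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    rows = lookup_hardened(conn, name) if hardened else lookup_vulnerable(conn, name)
    return ("served", rows)

if __name__ == "__main__":
    conn = make_db()
    # Constructed requests: a benign lookup, a classic tautology injection,
    # and a variant that slips past the digit-only tautology rule.
    benign = "name=bob"
    attack = "name=%27+OR+%271%27%3D%271"     # name=' OR '1'='1
    evasion = "name=%27+OR+%27a%27%3D%27a"    # name=' OR 'a'='a
    for label, q in [("benign", benign), ("attack", attack), ("evasion", evasion)]:
        print(label, "no WAF, legacy code:", handle(conn, q, waf=False))
        print(label, "WAF, legacy code:   ", handle(conn, q))
        print(label, "WAF, fixed code:    ", handle(conn, q, hardened=True))
```

With the legacy lookup and no WAF, the tautology payload returns every row in the table; the WAF blocks that payload, but the `' OR 'a'='a` variant passes all three rules and the legacy code still returns every row. Only the parameterised query returns an empty result for both payloads, which is the point of fixing the code in the SDLC and using the WAF to cover the gap until that is done.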

For more information on this topic, please read Web Application Security: Business and Risk Considerations and visit the Application Security Knowledge Center community on the ISACA web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.


New COBIT Self-assessment Guide and Audit Programs Available

ISACA has recently released the following valuable resources:

  • COBIT® Self-assessment Guide: Using COBIT® 4.1—This is a companion to the COBIT® Process Assessment Model (PAM): Using COBIT® 4.1. The guide provides details on how to undertake an assessment, while the COBIT PAM provides details on the basis for the assessment. This guide can be used by organizations to perform a less-rigorous assessment of the capability of their processes. It is based on the COBIT PAM, but does not include the same level of evidentiary requirements as found in the COBIT® Assessor Guide: Using COBIT® 4.1.

    The guide includes a tool kit zip file with:
    • An assessment scoping tool Excel® file
    • A report template Word® file
    • A summary of the results template Excel file
    • An assessor presentation techniques PowerPoint® file
    • A COBIT Assessment Programme introduction PowerPoint slide deck
    • A self-assessment templates Excel file (for the 34 COBIT 4.1 processes)

    The guide is available in the ISACA Bookstore and as a complimentary PDF and tool kit for members.
  • New audit programs—The following audit programs complement each other and are available to ISACA members as complimentary Word documents on the Audit Programs page of the ISACA web site:
    • IT Strategic Management Audit/Assurance Program
    • IT Tactical Management Audit/Assurance Program


SEC Guidance on Reporting Cybersecurity Risks

In October 2011, the US Securities and Exchange Commission (SEC) issued guidance stating that SEC registrants may need to disclose cybersecurity risks or incidents if a reasonable investor would consider that information important in making an investment decision. While this is not a rule or regulation that organizations must follow, it does recognize the dependence organizations have on digital technologies and the frequency and severity of cyberincidents. Business publications have reported on this, and the greater awareness given to cybersecurity risk has led executive management and board members to ask about the cybersecurity posture of their organization.

Cybersecurity risk and the impact of incidents have led the SEC and governments worldwide to pay greater attention to this threat. Greater concern has been raised due to the increased number of attacks and the sophistication of methods used by those who want to compromise systems to gain access to protected assets and information, corrupt data, disrupt operations, or cause a general denial of service. Incidents have resulted in material losses from the manipulation of systems for fraud and internal theft as well as from the theft of private information. Remediation efforts, the cost of enhanced protection, litigation and reputational damage add to the financial impact of cyberincidents.

The SEC guidance calls for an understanding of the factors that make the cybersecurity position of an organization a possible investment risk. Experience with prior incidents, the severity and frequency of incidents, and the adequacy of preventive actions need to be considered. To manage cybersecurity and the potential for operational incidents, organizations need to leverage a framework that integrates technology and information risk, business goals, and objectives.

The Risk IT framework provides the structure required for the identification, assessment and resolution of cyber risks. Professionals holding the Certified in Risk and Information Systems Control (CRISC) certification have the skill and expertise to effectively implement cybersecurity risk management programs and to demonstrate that organizations are prepared to address cybersecurity concerns. The use of Risk IT by CRISC-certified professionals should be considered an important factor in helping to reduce the exposure of an organization to cyberthreats.

