ISACA Tackles the Cloud
ISACA® provides its members and constituents valuable, integrated and comprehensive information on the risk and benefits of cloud computing. Development of the material is driven by ISACA members who are global subject matter experts in audit/assurance, information security, IT risk management and governance of enterprise IT. Through this coordinated effort, ISACA provides a variety of ways for IT and business professionals to learn about, demonstrate proficiency in, and ensure trust and value from cloud computing activities.
Generally speaking, ISACA cloud activities (overseen by a task force of ISACA international leaders) can be categorized into 4 areas:
- Knowledge—ISACA produces research publications and other documents on cloud computing that provide both technical and business views into what is needed to capitalize on cloud technologies, while mitigating risk. Examples include:
- Certification—ISACA certifications address cloud computing content and questions, ensuring that those who earn the certifications demonstrate mastery of the topic. Specifically, the certification materials include:
- Cloud content in the job analysis for all 4 certifications (by 2014)
- Cloud content in knowledge statements
- Cloud content in review manuals
- Cloud concepts in exams
- Education—ISACA offers 2 ways to learn from the pros. Live and online educational programs are taught by global speakers who are experts in the field. Knowledge sharing with colleagues takes place during networking opportunities at live events and in online communities. Examples include:
- Live and archived webinars on topics such as IT control objectives for the cloud
- Virtual tradeshows on cloud security and the state of the cloud
- The Cloud Computing Group in the ISACA Knowledge Center
- Case studies showing how enterprises have dealt with cloud risk and opportunity
- Alliances—ISACA collaborates with other organizations worldwide that are undertaking groundbreaking work in cloud computing. Examples of relevant ISACA collaboration include participation:
- With the European Network and Information Security Agency on the Common Assurance Maturity Model
- As a founding association of the Cloud Security Alliance (CSA)
- With the CSA on its Governance, Risk Management and Compliance Stack
Watch the Cloud Computing page of the ISACA web site for updates on the association’s cloud activities.
5 Information Risk Management and Security Tips When Adopting a BYOD Strategy for Mobile Devices
By John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP
- Bring your own device (BYOD) means that the user has the final say about what happens on the mobile device—BYOD strategies for mobile devices have numerous financial and technological advantages for organizations, but they also introduce risk management and security concerns. It is important to remember that the user retains the authority and ability to modify the configuration, applications and technical controls on these devices. The best defense for an organization is to define the technical controls that are required to be present and operating on any personal mobile device used to connect to and interact with the organization’s network. Organizations should also implement capabilities to verify that these technical controls are in place and operating as intended every time a personal mobile device attempts to access or interact with the organization’s network, not only at enrollment.
- Limit access for employee-owned mobile devices compared to corporate-issued and -managed mobile devices—Typically, an organization has more authority and control over devices it owns and manages than over those that are employee-owned. Organizations should consider limiting users of personal mobile devices to low-risk capabilities when connecting to the enterprise network, such as e-mail, employee directories and internal web browsing. Individuals with a business need to access sensitive data or applications should be issued corporate-owned and -managed mobile devices. This gives the organization more control and flexibility in how it manages risk and secures devices for high-risk users, while still realizing the financial and technological gains of the BYOD strategy for other users.
- Certify mobile devices and associated capabilities for use—Only mobile devices and operating systems that have been tested and certified for their ability to meet an organization’s information risk management and security requirements should be able to access and interact with its network. This testing and certification process should confirm that the organization can install, enable, verify and maintain the technical controls required to meet its data and technical security requirements. The testing should be performed on the typical configurations employees use on their devices and should include common and popular add-on applications, so that it is representative of realistic operating conditions. A list of certified, acceptable devices, operating systems and applications should be communicated to the organization’s user population proactively and be easily accessible for future reference.
A second list should be developed and distributed that identifies popular mobile devices, operating systems and applications that have been evaluated, but are not certified to be connected to or interact with the organization’s network. This list should also provide a clear explanation of the reasoning for not certifying these items as well as information about when reevaluations are projected to occur. This will ensure that individuals included in a BYOD environment are aware of both certified and prohibited devices, operating systems and applications prior to any purchase or request to connect and interact with the organization’s network.
- Update policies and standards to incorporate BYOD mobility requirements—Information risk management and security policies and standards provide users with guidance and insights on how an organization expects them to operate and behave when connecting and interacting with its network. When adopting a BYOD strategy for mobile solutions, it is important to update these policies, standards and supporting documentation to incorporate control objectives and requirements that are unique to personally owned mobile devices and capabilities. These updates can include an organization’s right to examine and audit devices, install and maintain technical security controls, limit or adjust functionality, and adjust access and use capabilities based on current threats and risk—regardless of whether the solution is currently connected to the enterprise network.
- Educate users about the organization’s technical security control capabilities and impacts on their personal mobile solutions—Many users are concerned about the level of access and restriction that an organization’s technical security controls can impose on their personal devices. In a BYOD-enabled environment, it is important that users understand the capabilities and limitations of these technical controls to ensure their continued use and acceptance.
The most common user concern about technical controls implemented by an organization on personal mobile devices is the organization’s ability to access, modify, monitor, restrict or delete data and communications (including personal data and communications) on the device without the user’s permission or prior notification. User education is the key to overcoming these concerns. Ensuring that users understand the capabilities, use cases, and inherent personal and business benefits that these technical security controls provide will often make them more comfortable with the existence of the controls and encourage their continued use. It is also important to communicate information about the governance processes and oversight that are in place for these controls. This ensures that users understand that the controls will be used only when warranted by the organization and that proper procedures and oversight are in place to prevent their abuse.
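The first three tips above describe a decision the organization has to make on every connection attempt: are the required controls present and operating, is the device on the certified list, and does its ownership entitle it to more than low-risk services? The following is an added example, not code from the article or from IP Architects, that turns those tips into a testable policy evaluator. The control names, platforms, minimum OS versions, application identifiers, report fields and sample devices are all assumptions constructed for the example; a real MDM or NAC product has its own schema.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    DENY = "deny"
    LOW_RISK = "low-risk"   # e-mail, employee directory, internal web (tip 2)
    FULL = "full"           # sensitive data and applications


@dataclass(frozen=True)
class PostureReport:
    """What the organization's own agent reports about a device when it connects.
    Field names are assumptions for this example. 'controls' maps a control
    name to whether the agent observed it operating."""
    owner: str          # "personal" (BYOD) or "corporate"
    platform: str       # e.g. "ios", "android"
    os_version: tuple   # e.g. (5, 0, 1); tuples compare element-wise
    controls: dict      # e.g. {"screen_lock": True, ...}
    apps: frozenset     # installed application identifiers
    reported_at: int    # seconds since epoch when the agent produced the report


# Certified list (tip 3): platform -> minimum OS version. Assumed values.
CERTIFIED_MIN_OS = {"ios": (5, 0), "android": (4, 0)}

# Evaluated-but-not-certified list (tip 3, second list): app -> stated reason.
# Identifier and reason are constructed for the example.
PROHIBITED_APPS = {
    "com.example.cloudsync": "keeps an unencrypted copy of enterprise mail off-device",
}

# Controls that must be present and operating before any access (tip 1).
REQUIRED_CONTROLS = ("screen_lock", "storage_encryption", "remote_wipe_enrolled")

# Tip 1 asks for verification on every connection attempt, so a report older
# than this is treated as "not verified" rather than reused.
MAX_REPORT_AGE_SECONDS = 300


def evaluate(report, now):
    """Decide an access tier for one connection attempt.
    Returns (Tier, reasons); every denial or downgrade carries a reason string
    so the user can be told what to fix (tips 3 and 5)."""
    reasons = []

    if now - report.reported_at > MAX_REPORT_AGE_SECONDS:
        reasons.append("posture report is stale; controls not verified for this connection")

    min_os = CERTIFIED_MIN_OS.get(report.platform)
    if min_os is None:
        reasons.append(f"platform {report.platform!r} is not on the certified list")
    elif report.os_version < min_os:
        have = ".".join(map(str, report.os_version))
        need = ".".join(map(str, min_os))
        reasons.append(f"{report.platform} {have} is below the certified minimum {need}")

    for control in REQUIRED_CONTROLS:
        # A control absent from the report counts as not operating: the user
        # administers the device, so fail closed instead of assuming.
        if not report.controls.get(control, False):
            reasons.append(f"required control {control!r} is not present or not operating")

    for app in sorted(report.apps):
        if app in PROHIBITED_APPS:
            reasons.append(f"prohibited application {app!r}: {PROHIBITED_APPS[app]}")

    if reasons:
        return Tier.DENY, reasons
    if report.owner == "corporate":
        return Tier.FULL, []
    # Tip 2: a fully compliant personal device still gets only low-risk services.
    return Tier.LOW_RISK, ["personal device: access limited to low-risk services"]


# Constructed sample reports. NOW is an arbitrary timestamp from late 2011.
NOW = 1_320_000_000
ALL_ON = {"screen_lock": True, "storage_encryption": True, "remote_wipe_enrolled": True}
SAMPLE_REPORTS = {
    "compliant_byod": PostureReport("personal", "ios", (5, 0, 1), ALL_ON,
                                    frozenset({"com.example.mail"}), NOW - 30),
    "corporate": PostureReport("corporate", "ios", (5, 0, 1), ALL_ON, frozenset(), NOW - 10),
    "no_encryption": PostureReport("personal", "android", (4, 0),
                                   {"screen_lock": True, "remote_wipe_enrolled": True},
                                   frozenset(), NOW - 5),
    "old_os_and_bad_app": PostureReport("personal", "android", (2, 3, 6), ALL_ON,
                                        frozenset({"com.example.cloudsync"}), NOW - 5),
    "stale_report": PostureReport("corporate", "ios", (5, 0, 1), ALL_ON, frozenset(), NOW - 3600),
}


def evaluate_all(now=NOW):
    """Evaluate every sample report; returns {name: (Tier, reasons)}."""
    return {name: evaluate(r, now) for name, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, (tier, reasons) in evaluate_all().items():
        print(f"{name}: {tier.value}")
        for reason in reasons:
            print("   -", reason)
```

Two design points follow directly from the tips. The report must come from the control the organization installs and maintains (tip 1), not from anything the user types or self-attests, because the user can change the device at will; and a missing or stale report is a denial, not a pass. The reasons list is what feeds the communication the article calls for: the user sees which control, OS version or application blocked access and what the certified alternative is.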
For additional information related to mobile devices, see the ISACA publications Securing Mobile Devices; Mobile Computing Security Audit/Assurance Program; and Geolocation: Risk, Issues and Strategies.
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
Prepare for the CISA and CISM Exams With Free Self-assessments
ISACA® offers free self-assessments to help Certified Information Systems Auditor® (CISA®) and Certified Information Security Manager® (CISM®) exam candidates gauge their knowledge of the respective job practice areas and determine in which areas they may have strengths and weaknesses. Each self-assessment contains 50 sample items that cover the appropriate proportion of subject matter to match the respective exam blueprint. The items are not actual exam items, but are representative of items that have appeared on the respective exams. (Note that these self-assessments are not substitutes for the actual exams, nor do the results of the self-assessments guarantee or indicate future success on either exam.)
CISA and CISM candidates who are sitting for the December 2011 exams are encouraged to use these self-assessments as they prepare. To take either self-assessment, please visit the CISA or CISM Self-assessment page of the ISACA web site. Additional review materials for the CISA, CISM, Certified in the Governance of Enterprise IT® (CGEIT®), and Certified in Risk and Information Systems Control™ (CRISC™) exams are also available on the web site. These resources include review manuals and study questions.
The Board of Directors Needs You!
You may nominate yourself or others (or both) for the ISACA® Board of Directors for the 2012-13 term. Your nomination will be acknowledged, and everyone you nominate will be asked to complete a candidate profile form that confirms the nominee’s willingness to serve if selected. The candidate profile form also provides the Nominating Committee information to evaluate the nominees. Information will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and a possible phone interview. If you nominate yourself, you will also be asked to submit a letter of recommendation from an ISACA member.
Nominations close on 31 October 2011 (for international president) and on 9 January 2012 (for vice president). These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required), so do not wait until that date to submit the nomination. Questions? Please visit the Volunteering page of the ISACA web site or e-mail email@example.com.
Upcoming Virtual Seminar and Tradeshow Focuses on Cloud Security
“Cloud Security: How Safe is the Cloud?” • 8 November 2011 • Virtual Seminar and Tradeshow
Learn from leading industry experts as they share their experiences and provide insights into securing the cloud at “Cloud Security: How Safe is the Cloud?,” the latest virtual seminar and tradeshow from ISACA®. Attendees will earn 5 free continuing professional education (CPE) hours while gaining knowledge on application programming interfaces, identity and access management, threats, and risk in the cloud.
Held 8 November 2011 and sponsored by Intel, McAfee and Microsoft, “Cloud Security: How Safe is the Cloud?” will provide educational sessions and downloadable resource materials that are relevant to the IT community, and it will offer attendees the opportunity to network with IT professionals from all over the world, including the event’s speakers, vendors and presenters, from the comfort of their own home or office. Register now for this valuable event!
Need to Study for the CISA Exam? Take Advantage of ISACA and Deloitte’s Cram Course
CISA Exam Cram Course • 3-4 December 2011 • Multiple US Locations
Certified Information Systems Auditor® (CISA®) exam candidates are encouraged to attend the CISA Exam Cram Course, which is offered jointly by ISACA® and Deloitte this December in multiple locations throughout the US. This intense 2-day session takes place the weekend before the December CISA exam and provides specific strategies, techniques and tips for taking and passing the exam.
Through lectures, group discussions, facilitator presentations, application planning and self-assessments, CISA exam candidates will gain an understanding of the format and structure of the CISA certification exam and the various topics and technical areas covered by the exam. As an added benefit, attendees can earn up to 14 continuing professional education (CPE) hours that may be applicable to their current certifications.
Held 3-4 December 2011 at Deloitte & Touche offices in Washington DC; Chicago, Illinois; Philadelphia, Pennsylvania; New York, New York; Dallas, Texas; Atlanta, Georgia; Parsippany, New Jersey; Boston, Massachusetts; and Los Angeles, California, the CISA Exam Cram Course is recommended for all CISA exam candidates. For more information, please visit the CISA Exam Cram Course page of the ISACA web site.
CPE Policy Change Regarding “Contributions to the Profession”
Ensure That You Have Earned Your 2011 CPE Hours
Effective 1 January 2012, the annual continuing professional education (CPE) hour limitation for each ISACA® certification will be increased from 10 hours to 20 hours for qualifying activities that fall under the category Contributions to the Profession. These activities include work performed for ISACA and other bodies that contribute to the IT audit, control, information security and governance professions.
Please note that there are only 2 months remaining to earn required CPE hours for the 2011 reporting year. CPE hours are reported annually during the renewal process. Maintaining certification requires earning 120 CPE hours over the 3-year cycle and at least 20 CPE hours in each cycle year.
To view the CPE policies and a complete list of qualifying activities, please visit the CISA, CISM, CGEIT and CRISC CPE policy pages of the ISACA web site.