@ISACA Volume 21: 8 October 2014 

@ISACA Relevant, Timely News

ISACA Tools Help Develop Cybersecurity Expertise

Cybersecurity is a constantly changing field. New threats are uncovered every day as enterprises race to secure their systems. Mitigate your enterprise’s risk with access to the latest developments in cybersecurity. October is Cyber Security Awareness Month, and ISACA has tools to help you develop your cybersecurity skills.

ISACA’s Cybersecurity Nexus (CSX) includes the most innovative advancements in the cybersecurity field. For example, the Advanced Persistent Threat Awareness Study Results report highlights the need for enterprises to cultivate new defenses. Implementing the NIST Cybersecurity Framework and its accompanying tool kit describe the application of ISACA methods as an effective way to use the cybersecurity framework. Both publications empower you to proactively secure your enterprise.

Cybersecurity webinars on the CSX platform offer cutting-edge thought leadership, research and advice on the current and emerging threat environments. The webinars explore controls for cyberdefense, diagnostics and COBIT 5. Watch the upcoming and archived webinars today to earn continuing professional education (CPE) hours before the year ends

You can become more knowledgeable about cybersecurity with the tools and resources provided by your ISACA membership. “I cannot think of an organization that is more apt for professionals in the IT security field than ISACA,” says Manu Kuriakose Varghese, CISA, CIA, internal auditor.

To learn more about membership benefits, visit the IT Professional Membership Benefits page of the ISACA web site.


Nominate Qualified Candidates for the ISACA Board of Directors

Nominations for the ISACA Board of Directors for the 2015-16 term are open. Information about serving on the board, the attributes for office and the nomination form itself are available on the Board Nominations page of the ISACA web site. Note that only about a week remains in the nomination period for international president.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Nominations for international president close at 5:00PM CDT (UTC -5 hours) on 14 October 2014; nominations for vice president close at 5:00PM CST (UTC -6 hours) on 6 January 2015. These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required). Questions? Contact nominate@isaca.org.


Tips for Solving Data Classification Challenges

Information is a primary enabler for any organization, as established in COBIT 5. Organizations today generate, process, use and store volumes of data/information. However, the major concern for organizations is, “Are these data secure?” Information security best practices state that in order to optimize security, data must be classified. But organizations find that this is easier said than done.

Data classification best practices suggest the following steps:

  1. Define a classification scheme in which the information within the organization shall be classified in predefined buckets (e.g., top secret, confidential, sensitive, internal, public). Organizations may adopt a different scheme.
  2. Identify the organization’s data—electronic and physical.
  3. Classify and label the data.
  4. Implement controls for protection.
Organizations face major challenges while executing the second step, primarily due to:
  • Volume of data generated, processed and stored
  • Multiple data owners and coordination among them
  • Cross-functional dependency and, hence, accesses required
  • Classifying and labeling historical data
Organizations may consider the following suggestions during data classification:
  • Educate business process owners on the need and scheme for classification.
  • Ask business process owners to identify data elements and the source of data. This will help in identifying data owners/custodians. (For example, employee data generated and owned by the human resource function, but used by other departments, must be classified by human resources and others must use that classification.)
  • Independent data elements often cannot be classified, except for a few (e.g., credit card number), therefore, it is best to form small data sets that make meaningful information from data elements and classify them (e.g., employee number, name, date of birth, address, and date of hire can form 1 data set that is generally used by other functions like payroll, physical security).
  • Any information or report generally contains multiple data sets. While classifying such information, identify the data sets (partial or complete) used and determine the classification level of report/information based on classification of data sets; generally the highest level shall prevail.
  • Determine and document exceptions.
  • Maintain a function-wise and centralized data set inventory with validity.
  • Implement a process for periodic review.
  • Implement an ongoing classification process.

Once the classification process is on its way, further steps to optimize security may be considered.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, CEH, CISSP, ISO 27001 LA, BS 25999 LI, MCA, PMP, is a consultant and trainer in IT governance and information security.


Earn CPE at Professional Guidance Webinar

The US National Initiative for Cybersecurity Education (NICE) has created the National Cybersecurity Workforce Framework (Workforce Framework), which provides a common language for defining cybersecurity work. To help cybersecurity professionals understand the Workforce Framework and its changes, ISACA has partnered with Capella University to create the “Why Implement the NICE Cybersecurity Workforce Framework?,” which will take place on 9 October at 11:00AM CDT (UTC -5 hours). After attending and passing a quiz about the webinar, ISACA members can earn 1 free continuing professional education (CPE) hour.

Cybersecurity is rapidly evolving, and protecting cyberspace relies on the quality and quantity of the cyberworkforce. This webinar will be led by Ben Scribner, from the Cybersecurity Education and Awareness Branch of the US Department of Homeland Security.

To register for this webinar, visit the Why Implement the NICE Cybersecurity Workforce Framework? page of the ISACA web site.


Participate in Cyber Security Awareness Month This October

ISACA is a champion of Cyber Security Awareness Month in October. The goal of Cyber Security Awareness Month is to inform people about the importance of online safety and ISACA has the tools to help you become a cybersecurity leader.

ISACA has created Cybersecurity Nexus (CSX) to help address the growing need for cybersecurity professionals. One component of the CSX portfolio is the knowledge-based Cybersecurity Fundamentals Certificate. The Cybersecurity Fundamentals Certificate exam is now available online. To earn the certificate, candidates must pass the exam and agree to adhere to ISACA’s Code of Professional Ethics. To help those interested in the certificate prepare for the exam, ISACA has issued the Cybersecurity Fundamentals Study Guide, which covers the key areas that will be tested on the exam.

On the CSX page of the ISACA web site, you can find webinars, studies, certificates and white papers with up-to-date information on cybersecurity trends. You can post about cybersecurity issues on social media to engage others and encourage discussion. You can also interact with others on cybersecurity-related issues by using the hashtag #ChatSTC to participate in Twitter chats on 16 October at 2:00PM CDT (UTC -5 hours) and 30 October at 2:00PM CDT (UTC -5 hours). The Get Involved page of the Stay Safe Online web site has specific actions you can take to help others learn about cybersecurity.

For more information on Cyber Security Awareness Month, visit the National Cyber Security Alliance’s Cyber Security Awareness Month web site and the European Union Agency for Network and Information Security’s European Cyber Security Month web site. For more information on the fundamentals exam or CSX, visit the Cybersecurity Nexus page of the ISACA web site.


Explore Governance, Cybersecurity and Leadership at 2014 Oceania CACS

The 2014 Oceania Computer Audit, Control and Security (CACS) Conference addresses the governance, cybersecurity and leadership challenges that IT professionals face today. The conference, hosted by the ISACA Perth (Western Australia) Chapter, will take place on 29-31 October.

The keynote speakers for this conference have years of experience in cybersecurity, audit and governance. In addition to learning from industry leaders, attendees will also be provided with information on ISACA’s Cybersecurity Nexus (CSX) and how it can be used to strengthen their organization’s cybersecurity practices.

Attendees can also network with professionals from around the region and the world. A networking session and dedicated networking time have been built in to the conference schedule.

To register for or learn more about the conference, visit the Oceania CACS web site.


Learn to Protect Organizational Data at Audit Webinar

An important component of any good security strategy is to protect databases that contain sensitive data. To help organizations learn how to create such a plan, Oracle is sponsoring an ISACA webinar to help enterprises reduce their organization’s risk. The “Data-centric Audit and Protection: Reducing Risk and Improving Security Posture” webinar will take place on 23 October at 11:00AM CDT (UTC -5 hours), and ISACA members can earn 1 continuing professional education (CPE) hour for attending.

Roxana Bradescu, CISSP, director of product management, database security at Oracle will lead this webinar and will teach attendees what and how to audit, secure infrastructure practices and how to prevent information leaks. To register for the webinar or learn more about it, visit the Data-centric Audit and Protection page of the ISACA web site.


Cybersecurity Focus at North America ISRM

The 2014 North America Information Security and Risk Management (ISRM) Conference provides valuable resources for anyone interested in the field of cybersecurity. As cybersecurity is a growing concern for enterprises, 2 of the 5 conference tracks focus on cybersecurity and contain the latest information on cybersecurity trends and how to use ISACA’s numerous cybersecurity-related resources.

The sessions at this conference are led by experts in the field of cybersecurity and cover topics including cybersecurity for small businesses, security trends, privacy and security, and how to involve the board of directors in cybersecurity discussions. In addition to the cybersecurity lectures, North America ISRM also offers cybersecurity workshops, including the in-demand Cybersecurity Fundamentals Workshop, which prepares attendees for ISACA’s Cybersecurity Fundamentals Certificate exam.

The other tracks at this conference are compliance, privacy/security and risk management. To learn more about the presentations and workshops offered at the conference, visit the North America ISRM 2014 Presentations and Descriptions page of the ISACA web site. To learn more about the conference, visit the North America ISRM page.


COBIT-related Risk Scenarios Available

Risk scenarios are powerful tools that help risk professionals prepare for the unexpected. ISACA understands that scenario analysis is an important component of enterprise risk management and has issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals tasked with utilizing risk scenarios.

Risk Scenarios Using COBIT 5 for Risk provides practical guidance on how to use COBIT 5 for Risk to solve for current business issues. The publication provides a high-level overview of risk concepts, along with more than 50 complete risk scenarios covering all 20 categories described in COBIT 5 for Risk. An accompanying online tool kit is available and contains interactive risk scenario templates for each of the 20 categories.

Risk Scenarios Using COBIT 5 for Risk is available to ISACA members as a complimentary download. Nonmembers can purchase the PDF in the ISACA Bookstore. A print version of the book will be released in the coming weeks.


Book Review:  Networking: A Beginner’s Guide
Reviewed by Upesh Parekh, CISA

Many people do not know how “networking” in the networked world works. How a message sent from point A reaches point B over the Internet is still a mystery to many.

As a result, network security is increasingly important. Networking A Beginners Guide explains the fundamentals of networking, which is necessary for audit and security professionals who are entrusted with the responsibility of ensuring network security.

Networking A Beginner’s Guide is a technical book focused on explaining the basics of networking. The book is divided in 2 parts. Part I, “Networking Ins and Outs,” deals with fundamental concepts; Part II, “Hands-on Knowledge,” is a practical guide to working with selected platforms.

Part I of the book starts with a basic explanation of why networking is required by a company. It then goes on to cover network hardware, network protocols, directory services, remote connections, network design, network security and network disaster recovery. Part II of the book covers hands-on knowledge of Windows 2012 server, Exchange server 2013 and Linux, and includes an introduction to virtualization.

The book presumes a certain level of understanding of terminology most commonly used in the IT world. It is written in very lucid, simple language and flows very easily. The tips, warnings and diagrams support the technical explanations.

Many students and job seekers are looking forward to a career as network professionals. They need to start with an understanding of the “nuts and bolts” of networking. Novice network professionals or nontechnical assurance professionals who want to take the first step toward a better understanding of networking will find this book immensely helpful.

Networking A Beginner’s Guide is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.


Read More Articles in Our Archives