@ISACA Volume 22: 22 October 2014 

@ISACA Relevant, Timely News

Learn to Secure the Cloud at CSX Webinar

As a result of data security breaches in the public and private sector, cybersecurity is becoming more and more important. October is Cyber Security Awareness Month, and ISACA is offering the “Self-defense Strategies to Thwart Cloud Intruders” webinar to help attendees learn about keeping their cloud data safe. This webinar is part of the Cybersecurity Nexus (CSX) webinar series and will be offered on 28 October at 11AM CDT (UTC -5 hours). Members have the opportunity to earn 1 continuing professional education (CPE) hour for attending the webinar.

The cloud is a valuable resource and security concerns should not be the reason IT leaders choose not to use it. This webinar, which is being sponsored by Seagate, will address the myths that it is impossible to secure data stored in the cloud and that it is impossible to control access to cloud data. Erik Salo, director of product management for Seagate’s cloud systems and solutions division, will lead this webinar and teach attendees how to keep data in the cloud safe.

To register for this webinar, visit the Self-Defense Strategies to Thwart Cloud Intruders page of the ISACA web site.


Tips for Classifying Risk Controls
By Leighton Johnson, CISA, CISM, CIFI, CISSP

As security and risk professionals, it is necessary to understand how and what controls are deployed in the operating environment and in the organization. Therefore, it becomes important to inventory and identify which security controls are installed and to which risk factors these controls are related. The following control classifications can help professionals identify and inventory these controls:

  • Preventive—This control set is the primary control set needed for any system. The preventive control is designed to stop some negative event from happening, inhibit attempts to violate security policies or provide the ability to potentially stop an adverse incident from occurring.
  • Detective—This class of controls is designed to indicate that some adverse activity or condition is currently happening. These controls are intended to identify and characterize an incident in progress or an incident that is considered active.
  • Corrective—The corrective control set is designed to limit the extent of any adverse event and usually is used and deployed in conjunction with detective controls. These controls are intended to limit the extent of any damage caused by an incident.
  • Directive—This control set mandates the behavior of an entity by specifying what actions are, or are not, permitted. These controls are primarily security policies and regulatory guidance.
  • Deterrent—Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These controls are placed into effect to “keep the good people good.” These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities and mention the consequences of these activities in order to influence a potential intruder to not violate security.
  • Supplemental—This control set covers the special use or specialized application of various types of security controls, as needed or required by a specific event, incident or activity from an internal or external source.
  • Recovery—This control set provides the capability to restore lost computing resources or capabilities and to help recover monetary losses caused by a security incident. Recovery controls are neither preventive nor detective, but often are included in disaster recovery or contingency plans.
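The article's point is that the classifications are useful once each installed control is inventoried and tied to the risk factors it addresses. The following added example (not part of the article, and not an ISACA tool) shows one way to do that inventory in code: each control carries one of the seven classes above plus the risk factors it relates to, and two checks report which risk factors lack a preventive, detective or corrective control and which have detection with nothing corrective behind it. The control names, identifiers and risk factors are constructed sample data, and the choice of preventive, detective and corrective as the minimum set per risk factor is an assumption made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ControlClass(Enum):
    """The seven control classifications listed in the article."""
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"
    DIRECTIVE = "directive"
    DETERRENT = "deterrent"
    SUPPLEMENTAL = "supplemental"
    RECOVERY = "recovery"


@dataclass(frozen=True)
class Control:
    """One installed control and the risk factors it is related to."""
    control_id: str
    name: str
    control_class: ControlClass
    risk_factors: tuple[str, ...]


# Constructed sample inventory (hypothetical controls, not from any real environment).
INVENTORY: list[Control] = [
    Control("C-01", "Multifactor authentication on remote access", ControlClass.PREVENTIVE, ("unauthorized-access",)),
    Control("C-02", "Alerting on anomalous logins", ControlClass.DETECTIVE, ("unauthorized-access",)),
    Control("C-03", "Automatic account lockout and session termination", ControlClass.CORRECTIVE, ("unauthorized-access",)),
    Control("C-04", "Acceptable use policy", ControlClass.DIRECTIVE, ("unauthorized-access", "malware")),
    Control("C-05", "Endpoint anti-malware", ControlClass.PREVENTIVE, ("malware",)),
    Control("C-06", "Alerting on anti-malware detections", ControlClass.DETECTIVE, ("malware",)),
    Control("C-07", "Nightly backups with restore testing", ControlClass.RECOVERY, ("data-loss",)),
    Control("C-08", "Logon warning banner", ControlClass.DETERRENT, ("unauthorized-access",)),
]

# Assumption for this example: every risk factor should have at least one control
# from each of these classes.  Directive, deterrent, supplemental and recovery
# controls are inventoried but not treated as substitutes for them.
REQUIRED_CLASSES: frozenset[ControlClass] = frozenset(
    {ControlClass.PREVENTIVE, ControlClass.DETECTIVE, ControlClass.CORRECTIVE}
)


def coverage_by_risk(inventory: list[Control]) -> dict[str, set[ControlClass]]:
    """Map each risk factor to the set of control classes deployed against it."""
    coverage: dict[str, set[ControlClass]] = {}
    for control in inventory:
        for risk in control.risk_factors:
            coverage.setdefault(risk, set()).add(control.control_class)
    return coverage


def coverage_gaps(
    inventory: list[Control],
    required: frozenset[ControlClass] = REQUIRED_CLASSES,
) -> dict[str, set[ControlClass]]:
    """Return, per risk factor, the required classes with no control deployed.

    Risk factors that are fully covered are omitted from the result.
    """
    gaps: dict[str, set[ControlClass]] = {}
    for risk, classes in coverage_by_risk(inventory).items():
        missing = set(required) - classes
        if missing:
            gaps[risk] = missing
    return gaps


def detective_without_corrective(inventory: list[Control]) -> list[str]:
    """Risk factors that are detected but have no corrective control to limit damage.

    The article notes corrective controls are usually deployed alongside
    detective ones, so detection with nothing corrective behind it is worth flagging.
    """
    coverage = coverage_by_risk(inventory)
    return sorted(
        risk
        for risk, classes in coverage.items()
        if ControlClass.DETECTIVE in classes and ControlClass.CORRECTIVE not in classes
    )


if __name__ == "__main__":
    for risk, classes in sorted(coverage_by_risk(INVENTORY).items()):
        print(f"{risk}: {sorted(c.value for c in classes)}")
    for risk, missing in sorted(coverage_gaps(INVENTORY).items()):
        print(f"GAP {risk}: missing {sorted(c.value for c in missing)}")
    print("detected but not corrected:", detective_without_corrective(INVENTORY))
```

Running the sample inventory shows "data-loss" covered only by a recovery control, which is the situation the article's last bullet warns about: recovery is neither preventive nor detective, so that risk factor still lacks all three required classes, while "malware" has prevention and detection but no corrective control.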

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


COBIT Focus: A New Look Now Available Weekly

With the growing use of and interest in COBIT 5, ISACA has redesigned COBIT Focus, the only publication providing up-to-date news and case studies on using this valuable governance and management framework. In addition to an updated, user-friendly look, COBIT Focus has a new weekly publication schedule. COBIT Focus now releases new articles every Monday, instead of its previous quarterly publication schedule.

COBIT users and trainers are encouraged to submit articles for publication in COBIT Focus. The COBIT Focus publication team is always accepting COBIT case studies, practical use articles and tips on using COBIT. For more information on submitting an article, visit the Submission Guidelines page of the ISACA web site or contact publication@isaca.org.

Subscribe to the COBIT Focus quarterly email, which announces the most recently released articles. The next COBIT Focus email will be released on 24 October, so be sure to subscribe today.


Webinar on Securing Physical, Virtual and Cloud Servers

To help provide guidance on protecting different types of servers, ISACA will host the “Securing Servers in a Hybrid Data Center” webinar on 6 November at 11AM CST (UTC -6 hours). This webinar, sponsored by Intel McAfee, offers members the opportunity to earn 1 free continuing professional education (CPE) hour.

The webinar will provide recommendations on how to secure physical, virtual and cloud servers. With more than 9 years of experience at Intel, Joakim Lialias, director of product marketing at Intel Security Group, will lead this webinar and share his knowledge on how to best secure data centers. Lialias will also discuss what type of protection is most effective, how to secure different deployment architectures, and how to ensure server security as data centers change and evolve.

To register for this webinar, visit the Securing Servers in a Hybrid Data Center page of the ISACA web site.


Team From UMUC Wins CyberLympics Competition

ISACA partnered with the EC-Council Foundation to host the final round of the Global CyberLympics competition, an online cybersecurity competition, at the 2014 European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) Conference on 29 September in Barcelona, Spain. There is a growing need for cybersecurity professionals, and many EuroCACS/ISRM sessions addressed how to handle cybersecurity challenges. Because of this focus, the conference was an ideal location to hold the final round of CyberLympics.

The winning team was the Cyber Padawans from the University of Maryland University College (UMUC) in Maryland, USA. To qualify to compete in the final round, participating teams had to successfully complete 3 rounds prior to competing at EuroCACS/ISRM. The top 3 teams received cash prizes and medals at the conference.

“This competition proved to me the importance of never giving up,” said Matt Matchen, Cyber Padawans team captain. “Many times, there were road blocks thrown up that we had to work around, sometimes in seemingly fruitless situations. Regardless of how imposing an obstacle or challenge first appears, it should be met head on and without hesitation.”

To learn more about CyberLympics, visit the CyberLympics web site. To learn more about ISACA’s cybersecurity resources, visit the Cybersecurity Nexus (CSX) page of the ISACA web site.


ISACA’s CSR Program Supports Snehalaya’s IT Center of Hope

As part of its corporate social responsibility (CSR) program, ISACA has donated US $5,000 to the Center of Hope (IT Center) at the Snehalaya organization’s English Medium School. The ISACA Pune (India) Chapter nominated this organization as part of the support of a cause—chapter/individual portion of the CSR program.

Snehalaya aims to help victims of sex trafficking, and its new English Medium School is providing free education to 190 students. The IT Center provides personality development and English courses to give students the skills they need for better professional opportunities.

“ISACA’s support of Snehalaya’s IT center reinforces its recognition as a respected resource for professional education and development,” said Vijay Bhalerao, CISA, ISO 27001 LA, MCTS, of the ISACA Pune Chapter. “Snehalaya is doing a wonderful job for the children and women in India, and we are proud ISACA can assist with its noble efforts in building them a brighter life and future.”

Under the support of a cause—chapter/individual portion of the CSR program, chapters and individuals can apply for funding for local organizations. To learn more about ISACA’s CSR program, visit the Corporate Social Responsibility page of the ISACA web site.


Book Review: Too Big to Ignore: The Business Case for Big Data
Reviewed by Chris Chan, CISA

During conferences and investor presentations this past year, one of the most widely used buzzwords was “big data.” The term joined the ranks of “cloud computing,” “showrooming” and “Bitcoin” among the most used, but least understood, phrases.

Phil Simon, a much sought-after speaker and author of the award-winning book The Age of the Platform, shines a light on big data in Too Big to Ignore: The Business Case for Big Data. This book is a primer targeted toward executive management and IT professionals and provides an overview of big data concepts and how enterprises have deployed them to meet business needs.

To distinguish between what big data is and is not, Simon provides a brief data refresher in layman’s terms, describing structured data, unstructured data, semistructured data and metadata. The book defines big data as any data that do not fit well in traditional databases and thus require the use of different software and a new mind-set in order to fully utilize their potential. Too Big to Ignore explains commonly used tools and techniques for analyzing big data, some of which include Hadoop, Not Only Structured Query Language (NoSQL), columnar databases, statistical techniques, data visualization, automation, semantics and predictive analytics.

Later in the book, Simon provides real-world examples of several companies, varying in size and industry, that have implemented big data successfully. He also outlines requirements for organizations looking to deploy big data solutions to solve existing business problems, along with pitfalls and the risk related to the use of big data.

The book should be seen as providing various business cases for the use of big data rather than as a technical reference on how to deploy and maintain a big data solution. By providing general requirements and prerequisites for implementing a big data solution, readers can make a preliminary decision on whether their organizations’ existing personnel, data infrastructure and data maturity would benefit from the implementation of a big data solution.

Too Big to Ignore: The Business Case for Big Data is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Chris Chan, CISA, is an IT auditor with 7 years of experience in application development, IS security and IS audit. He is based in Austin, Texas, USA, and works for Texas Health and Human Services Commission.

