@ISACA Volume 23: 5 November 2014 

@ISACA Relevant, Timely News

CSX Webinar: Learn to Handle Security Breaches

Because of recent high-profile security breaches, it is becoming increasingly important for organizations to have a plan to combat attacks. ISACA has partnered with WhiteHat Security to create the “Data Breaches: A Risk-based Approach to Identification, Impact Estimation and Effective Remediation” webinar. This free webinar will take place on 11 November at 11AM CST (UTC -6 hours). ISACA members have the opportunity to earn 1 continuing professional education (CPE) hour by attending and passing a subsequent quiz.

The focus of this webinar is using a risk-based approach to handling data breaches. This approach consists of 3 phases: testing resistance strength, understanding and measuring the business impact, and monitoring the threat landscape. Demetrios Lazarikos, IT security strategist, will lead this webinar. He holds several patents related to personally identifiable information, information security and quantifying security risk. During the webinar, he will discuss how to weigh security against business criticality and cost. After the presentation, Lazarikos will host a question and answer session.

To register for this webinar, visit the Data Breaches: A Risk-based Approach to Identification, Impact Estimation and Effective Remediation page of the ISACA web site.


Risk Work Is Stressful
By Jack Freund, Ph.D., CISA, CISM, CRISC

Voltaire is quoted as saying, “It is dangerous to be right in matters where established men are wrong.” This is true in a number of scenarios, but perhaps no more so than in risk. Why? Because risk tells people what to do. In many ways, risk is equivalent to priority in that it creates a to-do list of things upon which to work. These can be large, obtuse tasks, such as developing a web application scanning program for your firm, or more specific such as patching the Shellshock hole on the interactive voice response (IVR) system. The things that are classified as priorities are considered such because of the desire to avoid the negative consequences associated with not achieving them. This is clear in the work done in the field of information security. (Patching Shellshock is important because not patching it means there is a deficiency that could be exploited and then bad things could ensue.) But the impact of thinking of risk as priority is bigger than that.

In a list of general priorities for a company, let us assume that one of them is “make our customers happy,” a noble goal that can serve a company well. It is a priority because businesses do not want to incur the losses associated with unhappy customers. However, in security we know that controls often impede convenience and sometimes customer happiness. So when this occurs, which priority takes precedence? Doubtless this is a scenario that many organizations have encountered. For many, their risk analyses become the central artifact in a world-class wrestling match. It is precisely these kinds of scenarios, where risk analysis work is being used to justify the priorities of an organization (perhaps even to the near-term detriment of customers), where it is “dangerous to be right,” in the words of Voltaire.

The worst-case scenario in an unhealthy organization is that it begrudgingly accepts that the risk team is correct and makes a mental note about avoiding working with security in the future (perhaps putting security jobs at risk). Another outcome is that the wrong priority is pursued and risk becomes incidental or limited corporate resources are misallocated. However, this disagreement in priority can also be used as an opportunity to find common ground and have an honest, organic conversation about which trade-offs the firm is willing to make in pursuit of its conflicting priorities. Believe it or not, this is actually a very healthy thing to do to cement the values of an organization in practice (if not in design).

But whether the results of a risk analysis are good or ill, it is important to recognize that risk work is stressful. Make sure to take the necessary precaution to manage your own health such that you have a long career in IT risk. Make that a personal priority.

Jack Freund, Ph.D., CISA, CISM, CRISC, is lead IT risk manager for TIAA-CREF and coauthor of Measuring and Managing Information Risk.


New Security-related COBIT Courses From ISACA

With the growing concern surrounding security, the US National Institute of Standards and Technology (NIST) created the Framework for Improving Critical Infrastructure Cybersecurity. ISACA’s COBIT 5 is included as an informative reference in the core of this framework. To help organizations with their security practices, ISACA has created 2 new courses in the COBIT 5 product family: “Implementing the NIST Cybersecurity Framework Using COBIT 5” and “COBIT 5 Assessor for Security.” An exam for the “Implementing the NIST Cybersecurity Framework” course is also offered.

The “Implementing the NIST Cybersecurity Framework Using COBIT 5” course is for individuals who have a basic understanding of both COBIT 5 and security concepts, and who are involved in improving organizational cybersecurity programs. The course has the following learning objectives:

  • Understand the goals of the Cybersecurity Framework.
  • Understand and discuss the content of the Cybersecurity Framework and what it means to align to it.
  • Understand each of the 7 Cybersecurity Framework implementation steps.
  • Understand and be able to apply and evaluate the implementation steps by using COBIT 5.

The exam for this course will measure a candidate’s knowledge and understanding of the NIST Cybersecurity Framework, its goals, the implementation steps, and the candidate’s ability to apply this information. Successful completion of the COBIT 5 Foundation Exam is a prerequisite for this course and exam.

The “COBIT 5 Assessor for Security” course provides a basis for assessing an enterprise’s process capabilities against the COBIT 5 Process Reference Model (PRM). Case studies and examples focus specifically on security-related issues. Upon completion of the course, individuals may take the COBIT 5 Assessor Exam and apply to become a COBIT Certified Assessor.

These courses are available through ISACA’s onsite training program and training organizations that have been accredited by ISACA partner APMG International. To find a training provider, visit the Accredited Organization & Product Search page of the APMG web site. Questions? Contact COBITtraining@isaca.org.


Participate as a 2015-16 ISACA Volunteer

Volunteers who are willing to share their time and talent are critical to the success of ISACA. Apply to become an ISACA volunteer—contribute to your profession and earn free continuing professional education (CPE) hours. ISACA’s annual volunteer application period is now open.

Members interested in volunteering with ISACA at the international level can find information on the opportunities available and the process for submitting an application for consideration on the 2015-16 Invitation to Participate page of the ISACA web site. In addition to the invitation to participate brochure, members can learn more about the boards, committees and subcommittees that support the association.

Interested members should review the information contained in the brochure and online, identify those volunteer opportunities that are of most interest, and complete the online application. Volunteer applications for the 2015-16 administrative term are due by 12 February 2015.

In addition to the annual volunteer appointments, there are a number of volunteer opportunities available throughout the year. For more information, visit the Additional Volunteer Opportunities page of the ISACA web site.


Two More Months to Recruit Members and Earn Prizes!

There are only 2 months remaining in the 2014 Member Get a Member program. Follow up with your colleagues to ensure they join ISACA before 31 December 2014. Remember, newly recruited members need to register with your member ID number and be paid in full by 31 December 2014 for you to receive credit under the campaign.

ISACA membership allows you to connect and network with other like-minded individuals. Build lasting professional relationships through a conversation about an ISACA white paper, the new Cybersecurity Fundamentals Certificate or recent ISACA Journal articles, for example. When you connect with your colleagues about ISACA, you brand yourself as a resourceful IT expert.

With every member you recruit, you move closer to earning rewards. There is still time to earn a checkpoint-friendly computer backpack by recruiting 3-4 new members. You have the opportunity to earn a personal wireless activity and sleep tracker by recruiting 5-6 new members, a portable mini-Bluetooth® speaker by recruiting 7-9 new members or noise-canceling headphones by recruiting 10 or more new members.

Help advance the IT profession. Recruit members to ISACA today and participate in the Member Get a Member program. Learn more on the Member Get a Member page of the ISACA web site.


New ISACA Chapter Formed in Cairo

ISACA is pleased to announce the formation of a chapter in Cairo, Egypt. The chapter received final approval from the ISACA Chapter Support Committee and ISACA's international president on 1 August 2014. The new chapter is supporting an initial member base of 170 local professionals.

With increasing enterprise reliance on information and technology comes the demand for IT projects and professionals. The ISACA Cairo Chapter plans to offer training and guidance for established IT professionals, recent graduates and university students who are interested in pursuing a career in the IT industry. The chapter will facilitate networking and knowledge-sharing in IT audit, information systems governance and information security.

“By developing this chapter, we hope to offer a great opportunity for IT professionals to gather, network and share experiences,” said Waleed Hammad, president of the ISACA Cairo Chapter. “We are excited to promote ISACA’s globally accepted knowledge and practices not only with current IT professionals, but also with students and others interested in pursuing a career in the field.”

Officers of the ISACA Cairo Chapter are:

  • President—Waleed Hammad
  • Vice president—Osman Azab, CISA, CISM, CGEIT, CRISC
  • Treasurer—Khaled Embaby, CISM, CRISC, CBCP
  • Secretary—Nadine Kamal El Sarrag
  • Membership director—Asser Hegazi, CISA, CISM, ISO 27001 LI

ISACA now has 206 chapters in 87 countries. To learn more about the Cairo Chapter, visit the Cairo Chapter Overview page of the ISACA web site.


Help Your Organization and Advance Your Career With ISACA Certifications
Stacy J. Hill, CISA, CISM, CGEIT, CRISC, CISSP, CRMA, Shares Her Experience as a CISM and CGEIT

Stacy J. Hill, CISA, CISM, CGEIT, CRISC, CISSP, CRMA, knows the value of ISACA’s Certified in the Governance of Enterprise IT (CGEIT) and the Certified Information Security Manager (CISM) certifications. She says that the certifications have enabled her to practice risk management at a large financial institution and encourage others to join this field. “Being a CISM allows me to encourage other security professionals to join the information security management profession. If ISACA offered a CISM cheerleader certification, I would apply,” she jokes.

Having the CGEIT certification has allowed Hill to have a better understanding of security. “The governance skills the CGEIT brings to my tool kit helped me to understand IT security matters in a holistic way,” she says. “Having strong policy and procedures are essential but ineffective without appropriate governance.”

Hill initially pursued these certifications because there was a shortage of qualified risk personnel. She found that preparing for the CISM exam also helped her review and improve her organization’s current information security production program. “There were answers to questions I had right there in the review material. I could apply them to my program with an instant benefit,” she says. Although she has passed the CISM exam, she still uses the study materials for it.

Hill has a number of ISACA certifications, and one of her tips for preparing for certification exams is to collaborate with others. “Obtaining support from family and friends will be essential to any study plan,” she says. “If your local ISACA chapter offers an examination review course, sign up. Local chapter review courses will also help you network with other professionals seeking the credential. You may just find a great study group!”

To learn more about the CISM, CGEIT and other ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: IBM Mainframe Security: Beyond the Basics
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL

Mainframe computing systems are still important and so is the need for information security. Because of their specific benefits and legacies in many large companies and organizations, mainframes are still widely used in finance, insurance, telecom, automotive, energy and government organizations. Mainframe computing systems store and process enormous amounts of data and sensitive information. Consequently, data and information security continues to be a hot topic; mainframe systems and numerous mainframe programmers, system administrators, security administrators and IT auditors must consider information security. These individuals have a great interest in learning, refreshing and updating their knowledge on mainframe security. IBM Mainframe Security: Beyond the Basics is a great tool for this audience. Those involved with mainframe security will better understand the concept, configuration details, monitoring tasks and risk associated with data security.

In the introduction, author Dinesh Dattani writes, “Mainframes have always been designed with multiple users in mind. Basic security considerations were laid out in the very foundation of the operating system, data, program code.”

Dattani also notes, “There is another reason why mainframe security is miles ahead of rival platforms: Personal computers were initially targeted for non-business applications, such as gaming and word processing.” Security of information was an afterthought for personal computers. Personal computers, and the systems built on them, are the most frequent targets of security attacks, and their security weaknesses must be repaired and improved on an ongoing basis.

But this security concern is present for mainframe systems as well; security does not come automatically. It is the result of a difficult balance between user access to the system and its data on one hand and the business requirement to protect that data from unauthorized access on the other. This balance must be defined and implemented with the security capabilities available in the system/application. To do that, it is important to understand the concept and capabilities of mainframe security. This book helps the reader do that from a z/OS UNIX and Resource Access Control Facility (RACF) perspective.

The book is well structured and contains general and in-depth information, starting with background information and continuing to code examples and configuration details. The content is presented in 30 chapters on 210 pages. There is a summary at the end of each chapter, many examples, quizzes, questions to consider and a detailed index at the end of the book. The main parts of the book are securing business data, securing the z/OS operating system and security infrastructure matters. There are also chapters about security event logging, monitoring, auditing and best practice for mainframe security implementation, controls and segregation of duties.

IBM Mainframe Security: Beyond the Basics presents the multilayered and complex mainframe security concept in a competent and concise format—ideal for anyone involved with mainframe security programs.

IBM Mainframe Security: Beyond the Basics is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, is president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA publishing committee for 3 years, has authored several book reviews for the ISACA Journal and is coauthor of SAP Security and Risk Management.

