@ISACA Volume 23: 9 November 2011 

@ISACA Relevant, Timely News

ISACA Survey Examines Bring Your Own Device Trend and Online Holiday Shopping at Work

More than 4,700 ISACA members in Africa, Asia, Europe, Latin America, North America and Oceania participated in the association’s 4th annual Shopping on the Job survey, which examines the bring your own device (BYOD) trend and potentially risky online activities, including employees’ shopping online at work. A separate but related survey of 1,224 US employees examined their online activities at work. Full results are available on the Online Shopping Risk page of the ISACA web site.

The US employee survey found that 32 percent of respondents say they will do more online shopping at work this year. In total, US employees plan to spend an average of 17.5 hours shopping online using either a work-supplied computer or a personal device that is also used for work activities.

The survey also found that an increasing number of enterprises have employee BYOD policies. This trend is least common in Europe, where 32 percent of respondents say their enterprises allow the use of personal devices for work purposes, and most common in Africa, where 51 percent of respondents note that their enterprises allow it.

When it comes to using work devices for personal activities, more ISACA members in Europe, North America and Oceania say that their enterprises generally allow it as a way to promote work/life balance, while those in Asia, Latin America and Africa say that their enterprises generally restrict employees from using corporate IT assets due to security concerns.


Tips to Develop an Inventory of Access to Information and Functionality
By Victor Chapela

Information security has evolved in step with our experience and understanding of real-world security. In many ways, our physical world has defined how we protect our digital information. One of the most pervasive elements is our need to create information asset inventories. In so doing, we try to map where the information is stored. Nevertheless, from a digital security perspective, managing access to information and functionality may be far more effective than trying to manage the information’s location.

For instance, if your data are stored in a cloud-based service, several copies of your information are kept around the globe. In these cases, the information will most probably be dissociated into little fragments, rendering it useless to almost anyone who could gain unauthorized access. The only way to reassemble this information would be to authenticate through the right application. In this scenario, which is more common every day, an inventory of the individuals who have access, and of the quality of their authentication, will be more important than knowing where the information is stored.

Tips to developing an inventory of access to information and functionality include:

  1. Classify your information and functionality based on external threat—the higher the value for whoever attains unauthorized access, the higher the threat. For example, credit card information or valuable intellectual property will have a very high threat. However, sensitive private information about a politician or a celebrity may also have a high threat because of its value to competitors, fans or the media. On the other hand, functionality is normally overlooked in asset classification; yet access to a function that enables money transfers would definitely have a very high threat level as well, even though there may be no information asset involved. It is important to note that threat is independent of the value the information or the functionality may have for your organization; you should take into account only the value it may have for others.
  2. Develop an inventory of end-user applications that allow access to high-threat information.
  3. List the groups and/or individuals authorized to log on to each application.
  4. Specify as high-risk those accounts that have access to high-threat information or contain high-threat functionality.
  5. Determine which underlying servers are used by the applications, and list all the individual account accesses to these servers.
  6. Again identify those user or system accounts that have clear-text access to high-threat information, and classify them as high-risk access accounts.
  7. Keep in mind that vulnerabilities are just another access avenue. By scanning, assessing and testing the previously mentioned applications and servers, a vulnerability inventory should be generated. Known vulnerabilities should also be classified into high-risk vulnerabilities (those that could allow access to high-threat information) and low-risk vulnerabilities.
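
The seven steps above can be carried out as a small data model, which makes the resulting inventory easy to keep current and to query. The following Python script is an added example written for this newsletter; it is not code from the author or from Sm4rt Security Services. All asset, application, server, account and finding names are constructed placeholders, and the access modes ("clear_text", "encrypted") are an assumed vocabulary. It classifies assets by external threat (step 1), maps applications to assets and logins (steps 2 and 3), flags high-risk accounts (steps 4 and 6), walks the underlying servers (step 5) and rates findings from scanning as high- or low-risk (step 7).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str     # "information" or "functionality"
    threat: str   # external threat rating: "high", "medium" or "low"


# Step 1: constructed sample classification (all names hypothetical).
# Threat reflects value to an outsider, not value to the organization.
ASSETS = [
    Asset("cardholder_data", "information", "high"),
    Asset("wire_transfer", "functionality", "high"),   # no data, still high threat
    Asset("press_releases", "information", "medium"),
    Asset("cafeteria_menu", "information", "low"),
]

# Step 2: end-user applications and the assets each one exposes.
APP_ASSETS = {
    "payments_portal": {"cardholder_data", "wire_transfer"},
    "newsroom": {"press_releases"},
    "intranet": {"cafeteria_menu"},
}

# Step 3: groups and/or individuals authorized to log on to each application.
APP_LOGINS = {
    "payments_portal": {"group:treasury", "user:alice"},
    "newsroom": {"group:comms"},
    "intranet": {"group:all_staff"},
}

# Step 5: servers behind each application, and account access to those servers.
APP_SERVERS = {
    "payments_portal": {"db-pay-01", "app-pay-01"},
    "newsroom": {"web-news-01"},
    "intranet": {"web-int-01"},
}
SERVER_ACCESS = {  # server -> account -> how that account reaches the data
    "db-pay-01": {"user:dba_bob": "clear_text", "svc:backup": "clear_text",
                  "user:carol": "encrypted"},
    "app-pay-01": {"user:ops_dan": "encrypted"},
    "web-news-01": {"user:ops_dan": "clear_text"},
    "web-int-01": {"user:ops_dan": "clear_text"},
}

# Step 7: constructed findings from scanning/testing (not real vulnerabilities).
VULNS = [
    {"id": "FINDING-1", "host": "db-pay-01", "title": "example finding A"},
    {"id": "FINDING-2", "host": "web-int-01", "title": "example finding B"},
    {"id": "FINDING-3", "host": "payments_portal", "title": "example finding C"},
]


def high_threat_assets() -> set[str]:
    return {a.name for a in ASSETS if a.threat == "high"}


def high_threat_apps() -> set[str]:
    """Applications that expose at least one high-threat asset."""
    ht = high_threat_assets()
    return {app for app, assets in APP_ASSETS.items() if assets & ht}


def high_threat_servers() -> set[str]:
    """Servers underlying the high-threat applications (step 5)."""
    return set().union(*(APP_SERVERS.get(app, set()) for app in high_threat_apps()))


def high_risk_accounts() -> dict[str, str]:
    """Step 4 (application logins) and step 6 (clear-text server access)."""
    flagged: dict[str, str] = {}
    for app in high_threat_apps():
        for account in APP_LOGINS.get(app, ()):
            flagged[account] = f"logs on to high-threat application {app}"
    for server in high_threat_servers():
        for account, mode in SERVER_ACCESS.get(server, {}).items():
            if mode == "clear_text":
                flagged[account] = f"clear-text access on server {server}"
    return flagged


def classify_vulns() -> dict[str, str]:
    """Step 7: a finding is high-risk if it sits on a high-threat app or server."""
    exposed = high_threat_apps() | high_threat_servers()
    return {v["id"]: ("high-risk" if v["host"] in exposed else "low-risk")
            for v in VULNS}


def build_inventory() -> dict:
    return {
        "high_threat_assets": sorted(high_threat_assets()),
        "high_threat_apps": sorted(high_threat_apps()),
        "high_risk_accounts": high_risk_accounts(),
        "vulnerabilities": classify_vulns(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_inventory(), indent=2))
```

Note that the same account (ops_dan) holds clear-text access on a low-threat server and encrypted access on a high-threat one, and is therefore not flagged; only accounts that reach high-threat information in the clear, or log on to an application exposing it, land in the high-risk list.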

By developing and maintaining an access inventory, it is much easier to select the most effective and efficient controls as well as to eliminate the highest-risk vulnerabilities. Reducing the risk of unauthorized access is better accomplished by focusing on access as opposed to assets.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services and a frequent speaker at ISACA conferences around the world. Chapela, along with coauthor Santiago Moral, is currently writing RiskVolution, a book on the evolution of risk.


Take Advantage of Your Member Benefits

Members are encouraged to take advantage of the many benefits offered by ISACA. As a result of the increased expenses associated with membership, the ISACA International Board of Directors has approved a membership dues increase of US $5 to enable the continued expansion and delivery of member benefits.

The following is a list of some of the most recently expanded valuable offerings from ISACA:

Take advantage of these many benefits, and visit the IT Professional Membership Benefits page of the ISACA web site for more information on the value of your ISACA membership.


2012 Certification Renewals Now Open
New Discounts for Those Holding 3 or More ISACA Certifications

2012 certification renewals are now open on the Renew page of the ISACA web site. Please remember that renewing certifications requires payment of the 2012 annual maintenance fee and reporting the required 2011 cycle hours.

ISACA also offers a new discount on certification maintenance fees for certified individuals holding more than 2 ISACA certifications. Individuals who are renewing more than 2 certifications will receive discounts on their 3rd and 4th certification renewal fees in the amount of US $15 for members and US $35 for nonmembers. Please refer to your 2012 invoice for your specific details.


New ISACA Event Outlines Top Cloud Issues in 2012 and Beyond
“Making the Case for the Cloud: The Next Steps” • 7 December 2011 • Virtual Seminar and Tradeshow

This December, ISACA will showcase the hot issues in cloud computing for 2012 and beyond at its latest virtual seminar and tradeshow, “Making the Case for the Cloud: The Next Steps.” Presented from a holistic business perspective, the 5 sessions will address benefits and risk, security preparation, incident response, legal aspects, and Software as a Service.

Being held 7 December 2011, “Making the Case for the Cloud: The Next Steps” will provide attendees with the knowledge needed to make informed business decisions related to cloud computing. Visit the Virtual Seminar and Tradeshow page of the ISACA web site for more information and to register.


Nominations Remain Open for ISACA Vice President

Nominations for the position of vice president on the ISACA Board of Directors for the 2012-13 term are still open (nominations for international president closed on 31 October 2011). On the Volunteering page of the ISACA web site, you will find information about serving as vice president; be sure to focus special attention on the attributes recommended for the office and the Nomination Form, which you will need to complete and submit to start the evaluation process.

You may nominate yourself or others (or both). Once your nomination form is received, you will be asked to complete a candidate profile form that confirms your willingness to serve if selected and provides the Nominating Committee information it will use to evaluate you. If you nominate yourself, you will also be asked to submit a letter of recommendation from another ISACA member. There is no specific template for this letter; however, the letter must be submitted directly to nominate@isaca.org by the deadline date and should describe how you, as a candidate, demonstrate the attributes of office (the list provided on the Nomination Form). Information on you will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and a possible phone interview.

Nominations for vice president close on 9 January 2012. These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required), so do not wait until that date to submit the nomination form. If you have questions, please e-mail nominate@isaca.org.


Knowledge Center Provides Real-life Experience With Different Views and Opinions
Meet Risk Management Topic Leader Ayman M. Galal of the London (UK) Chapter

Question How were you introduced to the Knowledge Center?

Answer I informed ISACA that I would like to volunteer for any activities that ISACA provides. The ISACA team asked me to send my curriculum vitae. I was then asked if I would be interested in sharing my knowledge and experience with ISACA members in one of the Knowledge Center topics: risk management.

Question In your opinion, what makes the Knowledge Center a valuable resource for ISACA members?

Answer It provides real-life experience with different views and opinions. It helps you and your employer’s business as you learn from others’ experience.

Question What made you decide to become a topic leader?

Answer I like to share knowledge with others. I see it as the best way of learning for both sides. When I start a discussion in the community, I get really useful opinions and views that I might not have considered before.

Question How did you choose your topic?

Answer It was one of the areas of interest that I sent to ISACA. I have been working in risk management for many years with blue-chip companies in different industries.

Question What is one thing that you wish all ISACA members knew about the Knowledge Center?

Answer It is a very useful source of information and knowledge that is available to all members. Why not have a look and participate in relevant Knowledge Center topics?

Question Any parting words of advice to those who have not yet visited the Knowledge Center?

Answer Go and visit. Review recent discussions and see whether they are helpful to you (I am sure that you will find them very interesting and helpful). Share your opinion in the discussions.

Visit the Risk Management Group in the Knowledge Center to join the discussion with Galal, or browse other topics in the Knowledge Center to find resources and connect with fellow ISACA members. To learn more about volunteering as a topic leader, please visit the Become a Topic Leader page of the ISACA web site.


