@ISACA Volume 25: 3 December 2014 

@ISACA Relevant, Timely News

Network and Earn CPE Hours at Cloud Security Virtual Conference

Although cloud technology is maturing and becoming a fixture in IT environments, the risk and threats to the cloud are rapidly evolving. To help security specialists keep the cloud secure, ISACA has partnered with TechTarget to create the “Evolving Security for a Maturing Cloud” virtual conference. This free virtual conference will take place on 9 December from 6:45AM to 3:30PM CST (UTC -6 hours). Attendees can earn 5 continuing professional education (CPE) hours by attending the conference and passing a related survey.

This virtual conference has 4 sessions: “Post-Deployment Governance Tips to Protect Cloud Security,” “The Floating Perimeter: Managing On-Premise/Off-Premise Security Issues,” “Cloud Security and Identifying Bring Your Own Cloud (BYOC) Risk,” and “Pragmatic Cloud Encryption: Tools and Strategies to Ensure Data Security.” In addition to these informative sessions, the virtual conference also has built-in networking time, allowing attendees to connect with professionals around the world.

To register for this conference or to learn more about it, visit the Virtual Conference: Evolving Security for a Maturing Cloud page of the ISACA web site. If you are interested in these sessions, but cannot attend during the scheduled conference time, the archived conference will stay open for 30 days after the conference.


Tips for Understanding the Benefit of Risk Scenarios
By Lisa Young, CISA, CISM

Many organizations conduct a threat or vulnerability evaluation as the first step to identify risk. While this is a good first step, many people shortcut the process of risk assessment or analysis and move to implement a set of controls or countermeasures to quickly address an identified threat or vulnerability. Any risk management activities where the only goal is to add controls will simply increase costs and may not provide the protection and sustainment to critical assets, services and business processes that are the objectives of a risk management program.

Risk analysis and assessment are core approaches to bringing realism, insight, organizational engagement and improved structure to the complex matter of enterprise risk and, especially, IT risk. Risk analysis is the process used to estimate the frequency and magnitude of a given risk scenario. Risk assessment is a process used to identify and evaluate risk, its potential impact on the organization, and the probabilities that a particular event will occur. Risk assessment is slightly broader and includes the activities of rank-stacking, or prioritizing, the identified risk according to some organizational risk thresholds; grouping like risk types together for mitigation activities; and documenting existing controls.

An effective enterprise risk management (ERM) program requires a thorough consideration of all risk that has the ability to impact the organization. Risk scenario analysis is an important component of ERM. A risk scenario is a description of a possible event that, when occurring, has an uncertain impact on the achievement of the organizational objectives. Scenario analysis is not just an analytical exercise involving risk analysts. As a forward-looking element, it can assist in the identification of key risk exposures and potentially severe events (especially emerging risk) with a potential for organizational impact. When risk scenario development or use is conducted in an open and transparent environment, scenario development can unlock insights about events that are possible, but not realized previously by an organization.

Scenario exercises can also be a highly effective way to engage senior or higher-level management in the operational risk management process. They can spark ideas and serve as a means to achieve organizational buy-in from business lines, risk management, IT, finance, compliance and other parties. Scenarios are valuable only to the degree they are used by the organization. Having scenarios in a binder on the shelf is not very useful. To use scenarios effectively, you have to practice and pay attention to the outcomes. This will take time, energy and patience. You will also need people who are willing to use and test the scenarios in real-life situations and provide feedback. The key benefits of using risk scenarios are:

  • A better understanding and management of IT risk in line with business objectives
  • The positioning of security risk among other categories of IT risk
  • The positioning of IT risk among the other categories of enterprise risk
  • A better understanding of how to identify and manage IT risk
  • An ability to communicate IT risk to business decision makers
  • An identification of operational losses or development of key risk indicators (KRIs)
  • A thorough consideration of real and relevant risk, not just threats and vulnerabilities

If you do not take the time to understand if the threat or vulnerability is really something that is relevant to you or probable in your business environment, you are not getting the full benefit of the ERM process. Risk scenarios are a tool for understanding the larger risk landscape in which the organization operates, communicating the risk in business terms and taking the appropriate steps to address the IT risk in the context of all enterprise risk. Risk scenarios are the tangible and clear representation of risk and are one of the key information items needed to identify, analyze and respond to risk (COBIT 5 process APO12).

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


IT Audit Benchmarking Survey: “Are Companies Keeping Pace?”

ISACA and Protiviti recently conducted the 4th annual IT Audit Benchmarking Survey. The global survey examined:

  • Today’s top technology challenges
  • IT audit in relation to the internal audit department
  • IT risk assessment
  • Audit plans
  • Skills and capabilities

The survey asked the question, “Are companies keeping pace?” The answers varied. While organizations have made notable strides in establishing IT audit best practices and bringing these efforts to the forefront for boards of directors and executive management, significant gaps and areas for growth remain.

Among the key findings from the survey are:

  1. Cybersecurity and privacy are primary concerns.
  2. Companies face significant IT audit staffing and resource challenges.
  3. Audit committees and organizations in general are becoming more engaged in IT audit.
  4. IT audit risk assessments are not being conducted or updated frequently enough.
  5. IT audit reports and reporting structures have room for growth.

ISACA and Protiviti’s “2015 IT Audit Benchmarking Survey: A Global Look at IT Audit Best Practices” webinar discussed the findings of the survey. This archived webinar, a full survey report, infographic and video on the survey can be accessed on the A Global Look at IT Audit Best Practices page of the ISACA web site.


Share Your Passion—Become an ISACA Volunteer

The 2015-16 Invitation to Participate is open through 12 February 2015. Visit the Join an ISACA Volunteer Body page of the ISACA web site for information regarding volunteer service at ISACA and to view links and other important information related to the volunteer process and ISACA’s volunteer bodies.

Participants in ISACA’s volunteer bodies support education and certification programs, professional conferences, research, education programs, and professional standards. They also drive the creation and maintenance of products, services and benefits for ISACA members and constituents.

In addition to volunteering yourself, you can nominate others who you believe would be an asset to an international-level ISACA volunteer body. To nominate someone, follow the instructions on the Nominate a Colleague page of the ISACA web site. There you will find information on nominating an individual and a link to the nomination form.

Volunteers experience ISACA in unique ways. Join us and help shape your profession and your future. Become an ISACA volunteer.


Book Review: Guide to Firewalls and VPNs, 3rd Edition

Reviewed by Upesh Parekh, CISA

Organizational boundaries are becoming blurred. The enterprise’s network is accessed beyond the 4 walls of the organization. No longer is the network supposed to be used only by the organization’s employees. It is, therefore, important to protect the network perimeter of the organization more zealously than ever.

Firewalls are a powerful weapon in the armory of any security professional, and firewalls can be used to protect an organization from the insecurity of the public network. A firewall helps keep undesired elements from getting into the network and also helps protect insiders from visiting harmful web sites.

Authorized users of the organization’s network are required to access the network frequently from outside the organization. Many times such access is via a public network, which is not very safe. With the advancement of encryption technology, it is possible to create a specific type of private communication channel—a virtual private network (VPN)—to protect such access.

Guide to Firewalls and VPNs, now in its 3rd edition, is written to specifically address firewalls and VPNs in detail. The book is useful for candidates preparing for security and audit-related exams, such as the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) exams, and for security professionals interested in gaining a better grasp of the concepts. This book would be very useful for those who want an in-depth understanding of firewalls.

The book is divided into 3 parts. In the 1st part, the authors set the context for the discussion around firewalls and VPNs. They establish that firewalls are not magical tools that, once installed, solve all security-related miseries. Rather, they are just a clever piece of technology that should be supported by strong security policies, detailed security standards and robust training/awareness programs.

The 2nd part of the book explains that a firewall is not a piece of hardware or software alone, but rather a combination of hardware and software. It also explains that firewalls can be classified by their type, technology, generation or placement in the network. The firewall is configured to make it behave in line with the organization’s intent. Too many false positives or false negatives could result in an irritated worker, a constricted business or an exposed network.

The 3rd part of the book starts with an explanation of encryption, which is the underlying foundation of the VPN. It then discusses the concept and configuration of VPNs.

The book is written in as simple language as is possible when discussing a technology-oriented subject. It presumes that readers have a basic understanding of networking concepts. Each chapter ends with practice questions for readers. The highlights of the book are the real-world exercises and the hands-on projects included at the end of every chapter. The book is not completely vendor-neutral, and this helps readers visualize some of the concepts in the context of some leading products.

Guide to Firewalls and VPNs, 3rd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.

