@ISACA Volume 4: 12 February 2014 

@ISACA Relevant, Timely News

Using Big Data Effectively

The Generating Value From Big Data Analytics white paper presents how organizations are using big data to become more competitive and how they are adapting concepts from traditional business intelligence to leverage new sources of data that were previously out of reach. The ISACA white paper also investigates why a realistic picture of an organization’s risk should include the business risk that results from failing to adopt.

Many enterprises are moving quickly to adopt big data analytics to enable better decision making. As this trend of adoption continues, information security, risk and audit professionals are becoming increasingly aware of the technical and operational risk that may arise.

However, to analyze risk holistically, practitioners also need to evaluate the business risks in equal measure. Understanding the reasons why big data analytics is appealing from a business perspective can help ensure that both technical and business risks are considered thoroughly, enabling organizations to remain competitive.

ISACA’s Generating Value From Big Data Analytics white paper explains the business side of big data analytics, describing the drivers that provide the impetus for adoption, the benefits and value that can come from using big data, and the business risk that can face organizations that do not.

ISACA has issued the Generating Value From Big Data Analytics white paper as a complimentary download. Information on recent and upcoming research projects is posted on the Current Projects page of the ISACA web site.


ISACA Launches Open Badges for Its Certification Holders

ISACA will begin the rollout of open badges in February 2014. These open badges are web-enabled versions of credentials. In partnership with Pearson, ISACA will give Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) holders open badges that allow employers, prospective clients and anyone viewing the badge holder’s networking page to validate these credentials with a single click. Open badges can also be used on social and professional networking sites, in emails and on personal web sites.

These badges are free to ISACA certification holders and are highly valuable because each badge is uniquely linked to the credential record hosted on the Pearson-backed Acclaim platform, so a viewer verifies the claim against the issuer rather than taking it on trust. This makes them much more reliable than traditional paper-based credentials. If you do not want your credentials or profile to be publicly visible, you can make them private. If you do not want to participate in this program, you can simply ignore the open badge email invitation.

The open badge rollout is estimated to be completed by the end of the first quarter of 2014. Credential holders will receive an email containing all of the information needed to claim the open badge. To receive an open badge, a profile must be created on the Acclaim web site, hosted by Pearson, and the certification holder must claim each badge issued by ISACA (the entire process should take no more than 5 minutes).

Visit the Open Badges page of the ISACA web site to learn more. Questions? Contact badges@isaca.org.


4 Considerations During the Patch Management Process
By Tara Kissoon, CISA, CISSP

Unauthorized access to valuable assets is prevalent and growing in today’s environment. One of the most common attack methods is to exploit known vulnerabilities in unpatched systems and devices residing on the network. Forrester Research Inc. has defined a new scalable process called the Prioritized Patching Process (P3). The process is explained in the November 2013 report, “Introducing Forrester’s Prioritized Patching Process (P3).” The following are some key takeaways from the report regarding important considerations that should be implemented for a prioritized approach to patch management:

  1. Estimate attack difficulty. Predictive threat modeling is a proactive security approach that builds a simulated model of an organization’s network architecture from data mapping and network security configuration. This type of modeling is used to identify which assets are most vulnerable to attack and then to predict how challenging it would be to compromise them. The analysis results in a grouping of end points that carry an unacceptable level of exposure.
  2. Measure potential effects of an exploit. Measuring the potential effects of an existing exploit against an unpatched system is a key consideration in the patch management process. The severity of an attack is determined by the type of data residing on, or accessed through, the affected asset and by what the exploit allows an attacker to do. For example, if an exposed application resides on a system holding sensitive data, the risk to the organization is categorized by the classification of the data exposed and the severity of the exploit.
  3. Measure intrinsic risk. While data classification and attack difficulty are organization-specific measures, the patch management process also takes into account intrinsic risk. This term is defined in the Forrester report as “the level of risk posed by the nature of the flaw itself. To determine this, you must know whether an exploit already exists for the flaw, the frequency with which attackers exploit this flaw and the level of the malicious behavior executed by the exploit.” An example of a high intrinsic risk score would be a vulnerability that can be exploited remotely by an attacker.
  4. Assign patch priority based on risk classification. Most organizations have implemented a risk-classified patching process that balances the needs of IT operations against the organization’s risk appetite. In addition, organizations may choose to apply different weights to different types of end points (e.g., servers versus employee laptops/desktops). In essence, when a patch is found to be missing on an asset, a priority value is assigned based on the custom weightings and the risk classifications from each of the 3 measurements (attack difficulty, data sensitivity and intrinsic risk).
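To make the four considerations concrete, the following Python script is an added example that combines the three measurements (attack difficulty, exploit effect on the data held, intrinsic risk of the flaw) into a single priority value and then applies a per-endpoint-type weighting, as step 4 describes. It is editorial illustration, not Forrester’s P3 scoring method or any ISACA tool: the score scales, the weights, the asset names and the missing-patch records are all assumptions constructed for the example.

```python
# Illustrative risk-weighted patch prioritization (editor's example, not
# Forrester's P3 scoring; every score scale, weight and sample asset below is
# an assumption constructed for the example).
from dataclasses import dataclass

# Measurement 2: effect of an exploit, driven by the data the asset holds.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
# Measurement 4: custom weightings per endpoint type (assumed values).
ENDPOINT_WEIGHT = {"server": 1.5, "laptop": 1.0, "desktop": 0.8}
EXPLOIT_FREQUENCY = {"rare": 0, "occasional": 1, "frequent": 2}
EXPLOIT_BEHAVIOUR = {"info_leak": 1, "denial_of_service": 2, "code_execution": 3}


@dataclass(frozen=True)
class MissingPatch:
    asset: str
    endpoint_type: str
    data_class: str
    hops_from_untrusted: int   # shortest modelled attack path; 0 = directly exposed
    remote: bool               # exploitable without local access
    exploit_public: bool       # a working exploit already exists
    exploit_frequency: str     # how often attackers use this flaw in the wild
    behaviour: str             # what a successful exploit lets the attacker do


def attack_difficulty_score(p: MissingPatch) -> int:
    """Measurement 1: a short path from an untrusted zone means an easy attack,
    so the score (1-4) grows as the modelled attack path shrinks."""
    return max(1, 4 - p.hops_from_untrusted)


def exploit_effect_score(p: MissingPatch) -> int:
    """Measurement 2: 1-4 from the classification of the data the asset holds."""
    return DATA_SENSITIVITY[p.data_class]


def intrinsic_risk_score(p: MissingPatch) -> int:
    """Measurement 3: risk posed by the flaw itself (1-9): existing exploit,
    exploitation frequency, severity of behaviour, remote exploitability."""
    score = 2 if p.exploit_public else 0
    score += EXPLOIT_FREQUENCY[p.exploit_frequency]
    score += EXPLOIT_BEHAVIOUR[p.behaviour]
    score += 2 if p.remote else 0
    return score


def priority(p: MissingPatch, measure_weights=(1.0, 1.0, 1.0)) -> float:
    """Weighted sum of the three measurements, scaled by the endpoint-type weight."""
    w_attack, w_effect, w_intrinsic = measure_weights
    base = (w_attack * attack_difficulty_score(p)
            + w_effect * exploit_effect_score(p)
            + w_intrinsic * intrinsic_risk_score(p))
    return round(base * ENDPOINT_WEIGHT[p.endpoint_type], 2)


def prioritize(patches, measure_weights=(1.0, 1.0, 1.0)):
    """Return the missing patches ordered highest priority first."""
    return sorted(patches, key=lambda p: priority(p, measure_weights), reverse=True)


# Constructed sample of missing patches on hypothetical assets.
SAMPLE_PATCHES = [
    MissingPatch("web-01", "server", "confidential", 0, True, True, "frequent", "code_execution"),
    MissingPatch("hr-db-01", "server", "restricted", 2, True, False, "rare", "code_execution"),
    MissingPatch("lt-0422", "laptop", "internal", 1, False, True, "occasional", "info_leak"),
    MissingPatch("kiosk-07", "desktop", "public", 0, True, True, "frequent", "denial_of_service"),
]


def patch_order(measure_weights=(1.0, 1.0, 1.0)):
    """Asset names of the sample, in the order they should be patched."""
    return [p.asset for p in prioritize(SAMPLE_PATCHES, measure_weights)]


if __name__ == "__main__":
    for p in prioritize(SAMPLE_PATCHES):
        print(f"{p.asset:10} priority={priority(p):5.1f}")
    # Weighting data sensitivity 3x moves the laptop holding internal data
    # ahead of the public kiosk, although the kiosk flaw is easier to reach.
    print(patch_order((1.0, 3.0, 1.0)))
```

With equal measure weights the directly exposed web server with a public, frequently used remote code-execution exploit ranks first, and the internally reachable HR database with no public exploit still ranks second on the strength of the data it holds. Raising the weight on data sensitivity reorders the two low-value end points, which is the practical effect of step 4: the same three measurements yield a different patch queue once the organization’s own weightings are applied.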


Book Review: Pragmatic Security Metrics
Reviewed by Maria Patricia Prandini, CISA, CRISC

When discussing metrics, it is often said, “You cannot manage what you cannot measure.” Looking at this statement in the field of information security, it could be argued that organizations can manage information assets without any measurement system. But is this strategy effective? Are information security initiatives being managed efficiently and competently? Could the processes be improved?

When evaluating security effectiveness or searching for areas of improvement, most people will probably agree on the need for metrics to manage information security. The problem is how to start using metrics. Pragmatic Security Metrics provides the road map.

Pragmatic Security Metrics is truly pragmatic, highlighting the benefits of security metrics and taking a detailed look at several sources of information security metrics, such as ISACA’s Business Model for Information Security (BMIS), the Capability Maturity Model (CMM), ISO/IEC 27004 and the National Institute of Standards and Technology (NIST) publications. The authors, W. Krag Brotby and Gary Hinson, successfully show what, why and how information security should be measured. They use the term “metametrics” for the characteristics that a good metric should have. The authors provide an innovative and easy-to-understand approach to the use of metrics, with more than 150 real-life examples. A case study is provided to illustrate many of the concepts contained in the book.

The book reflects the profound knowledge, insights and experience of the authors on this subject. Pragmatic Security Metrics is written for information security managers, senior professionals, technical specialists and auditors. It helps readers to objectively show the achievements of their work and the value of information security.

Pragmatic Security Metrics is available from the ISACA Bookstore. For more information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology in the Argentine government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires (Argentina) Chapter.


Renew Your Certification for 2014

There is still time to renew your ISACA certification(s) for 2014. Renewing your certification ensures you maintain your globally recognized designation(s) and is a simple two-step process: Pay the annual maintenance fee and report your 2013 CPE hours. The CPE policy requires earning 120 CPE hours over a 3-year period, with a minimum of 20 CPE hours in each year of the cycle.

Visit the ISACA home page to easily renew your certification(s) online. Note that your CPE hours can be reported individually or in a single total online.
Questions? Contact certification@isaca.org.


Recognizing ISACA Members—2014 Award Nominations Now Being Accepted

Help ISACA’s Board of Directors honor individuals who have made a difference in ISACA and the professions it supports by nominating others for the Harold Weiss and John Lainhart awards, two of ISACA’s annual awards.

The Harold Weiss Award was initiated by ISACA in 1985 and recognizes individuals for dedication and outstanding achievement to the IT governance profession.

Instituted in 1997, the John Lainhart Common Body of Knowledge Award recognizes individuals for major contributions to the development and enhancement of the common body of knowledge used by the constituents of ISACA in the fields of IS audit, security and/or control; IS audit certification; and/or IS audit standards.

ISACA members are asked to nominate qualified and deserving candidates for each of these awards by sending a nomination letter that includes the following:

  • Name of the nominee
  • Description of accomplishments relating to the award
  • Professional affiliations
  • Other honors and awards achieved
  • Publications or articles published
  • References
  • Name and contact information of the nominator

Nominations can be submitted to mmcgee@isaca.org or faxed to +1.847.253.1443 to the attention of Mikel McGee. The deadline for submissions is 21 March 2014.

For information on these awards, additional volunteer awards presented by ISACA and prior award recipients, please visit the Awards page of the ISACA web site.


Topic Leader Wins Trip to an ISACA Conference—You Could Be Next

Congratulations to Jason Yakencheck, CISA, CISM, for his hard work as a topic leader in the young professionals community in ISACA’s Knowledge Center. As a reward for his expertise and dedication as a topic leader, Yakencheck has earned paid attendance to an ISACA conference in his region, with airfare and hotel accommodations included, through the Community Leader Recognition program.

ISACA is proud to have Yakencheck as the first recipient of the Community Leader Recognition program. A member of the National Capital Area (Washington DC, USA) Chapter, Yakencheck is heavily involved with ISACA as the chair of the Young Professionals Committee and a member of the Communities Committee. Yakencheck has led the young professional Knowledge Center community for more than 2 years, and his dedication to the community shows in its consistent growth—it has more than 1,400 members (compared to a little more than 300 just 2 years ago)—and robust discussions about everything from dealing with life in the office to exam study tips.

Join Yakencheck and other young professionals in the young professional topic of ISACA’s Knowledge Center. The community is focused on ISACA members in the early stages of their career who can share practical career advice and tips for personal and professional development. The young professional community routinely supports its members’ goals by providing webinars and member spotlights. All ISACA members are welcome to participate in the community and share insights. Additionally, the Knowledge Center offers a variety of topics—check to see which topics most closely align to your career and aspirations.

If you are interested in learning how you can win a trip to an ISACA conference, learn more about how you can become a topic leader on the Become a Topic Leader page. Once a topic leader, you can opt-in to the Community Leader Recognition program. The topic leaders with the highest participation rates will be recognized quarterly, and the leader with the highest rate at the end of each year will win attendance to an ISACA conference in his/her region with airfare and hotel accommodations included. Full contest details are available on the ISACA web site.


Read More Articles in Our Archives