ISACA Certification Shows Commitment to Knowledge
Jack Freund, CISA, CISM, CRISC, CISSP, CIPP, PMP, Shares His Experiences
When Jack Freund, a consultant in IT risk management for Nationwide Insurance, entered the consulting business, he quickly discovered that requests for proposals (RFPs) frequently required principal consultants to be certified. He began earning certifications to qualify to bid on work and, ultimately, set himself apart from the competition.
“ISACA certification gives me credibility in the otherwise crowded field of security and risk professionals,” Freund said. “The rest of your curriculum vitae (CV) needs to be credible as well, but pursuing ISACA certification shows your commitment to master a domain of knowledge. And, the professional recognition you get by adding those letters after your name is very satisfying.”
Earning ISACA certifications, especially the Certified in Risk and Information Systems Control (CRISC), paved the way for Freund’s further involvement with ISACA. “I serve on the CRISC Test Enhancement Subcommittee (TES), where I have met some amazing people,” he said. “Having to justify your thoughts on risk management and be willing to be humbled by another person’s brilliance is the best training anyone could ask for.”
While Freund feels the best part of his job is having the intellectual freedom to think about security and risk problems differently, he says his biggest challenge is the misunderstanding of foundational terminology such as risk, threat and vulnerability.
“Many articles on the matter will use the terms interchangeably, when they clearly have different meanings,” he explained. “As a member of the CRISC TES, I like to make sure that these terms are tested accurately, in the hopes that it will help other professionals use them correctly and think about their security problems in a way that helps them apply the correct solution.”
Freund feels it is important to contribute to the profession to enhance his career and learn from peers. In addition to serving ISACA, he has volunteered with the Institute of Electrical and Electronics Engineers (IEEE) for the past seven years. “I’ve had the opportunity to serve IEEE as a section chair as well as treasurer,” he said. “Professional organizations offer members social connections that will undoubtedly serve them throughout their careers.”
When he is not contemplating the perplexities of security and risk problems, Freund enjoys outdoor activities with his family, spending time hiking and geocaching.
Tips for Managing Risk-level Transitions
By Victor Chapela
The risk of intentional unauthorized access to information or functionality can be better mitigated by considering transitions between different risk levels. This helps when allowing access through highly disparate risk-level environments.
The DMZ is a well-known transition zone in which a high-risk environment such as the Internet may have controlled access to applications and data that reside within the internal network. The transition principles with which the DMZ lowers risk can be applied to other parts of the network.
When evaluating where to apply risk-level transitions, consider the following:
- Establish which networks confer high anonymity. The more anonymous a user is while accessing, the more likely he will try to access unauthorized data or functionality, as he has less risk of being caught. Highly anonymous environments include the Internet, wireless networks and third-party organizations with direct access to your network.
- Determine which information or functionality has high value or awards the highest benefit to an unauthorized individual or organization that obtains access. The higher the benefit, the higher the probability that someone will try to achieve unauthorized access. And, they will invest more time, effort and resources into accessing targets that give them a bigger reward. High-value information can vary from one organization to the next. But, a good indication of data value comes from published data breaches. For example, data that are repeatedly hacked or stolen for a gain include: credit card numbers, personally identifiable information, user accounts and passwords, merger and acquisition information, and private intellectual property.
- Use transition zones to manage the three risk mitigation strategies. Transition zones should by default deny access, deanonymize users and devalue information.
  - Deny access—Reduce risk by authorizing, filtering and isolating. Controls that fall into this category should filter or isolate based on pattern recognition or access control lists (ACLs) such as firewalls, intrusion prevention systems (IPS), proxies and antivirus. The main difference from other parts of the network is that transition areas should predominantly work based on authorized white lists.
  - Deanonymize users—Transition zones should also start by authenticating, logging, alerting and reacting to potential unauthorized accesses. By doing so, you are increasing the legal and reputational risk of the individual or organization that could want to access your high-value information without authorization. Controls of this nature range from passwords and log servers to biometric authentication and incident response teams. When done correctly, this mechanism alone should deter the majority of the unsophisticated attacks. Deanonymizing also goes hand in hand with allowing proper access authorization enforcement.
  - Devalue information—The value of information can be reduced through two very effective strategies. The first of them is by dissociating information and rendering it worthless. For example, storing only the last digits of a credit card number or accessing sensitive personal data through a customer number in a system that stores no reference to an identifiable individual are very effective dissociation mechanisms. In a similar fashion, the data’s value can also be reduced by separating information. The fewer credit card numbers you store, the less valuable a database will be. Separation can be achieved in a number of ways, for example, by separating historic and live registries, by replicating only a subgroup of all data to localized repositories, or by individualizing access so that every piece of data can be accessed only by one user account. Encryption is also a type of dissociating mechanism that nullifies data value or greatly increases the cost of using it. Dissociation and separation reduce the probability of unauthorized access by reducing the value of the information.
- To evaluate transition risk, include the originating anonymity level and the value of the information accessed in every digital access to information. Implement transition zones if you have high-anonymity access or high information value. In other words, whenever either side has a high risk, implement the 6 Ds: default deny, default deanonymize and default devalue. This is especially true when risks combine; for example, anonymous Internet access to high-value credit card information carries extremely high risk.
- Depict the external DMZ transition zone as a wall that surrounds the network. This is a good mental image since it protects everything within (low anonymity) from everything outside (high anonymity). Keep in mind that wireless networks and third-party networks are also high anonymity and should, therefore, also traverse a DMZ-type transition zone before accessing the internal network.
- In contrast, the transition zones that protect high-value information within your network can be thought of as safe boxes that enclose the network segments, servers, applications and databases that transfer, process or store valuable data. These safe boxes are also transition zones surrounding each system or type of data you need to protect. Think of them as internal DMZs.
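The evaluation rule from the list above, written out as a small audit (an added example, not part of the original article): each flow is rated by source anonymity and data value, and any flow where either is high must carry all three default controls. The zone names, data classes, ratings, sample flows and the choice to rate unlisted zones or data as high are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# The three default controls the article assigns to a transition zone.
REQUIRED = {"deny", "deanonymize", "devalue"}

# Constructed anonymity ratings per source zone (assumption; the article names
# the Internet, wireless and third-party networks as highly anonymous).
ANONYMITY = {"internet": "high", "wireless": "high", "third_party": "high",
             "internal_lan": "low"}

# Constructed value ratings per data class (assumption, following the article's
# examples of data that is repeatedly stolen).
VALUE = {"card_numbers": "high", "pii": "high", "credentials": "high",
         "public_web": "low", "cafeteria_menu": "low"}

@dataclass
class Flow:
    name: str
    source: str   # zone the access originates from
    data: str     # class of information being accessed
    controls: set = field(default_factory=set)  # controls enforced on the path

def transition_risk(flow):
    """'extreme' if both sides are high, 'high' if either is, else 'low'.
    Unlisted zones or data classes are rated high (assumption: fail closed)."""
    ratings = [ANONYMITY.get(flow.source, "high"), VALUE.get(flow.data, "high")]
    return ("low", "high", "extreme")[ratings.count("high")]

def audit(flows):
    """Return flows that need a transition zone but lack a default control."""
    findings = []
    for f in flows:
        risk = transition_risk(f)
        missing = REQUIRED - f.controls
        if risk != "low" and missing:
            findings.append((f.name, risk, sorted(missing)))
    return findings

# Constructed sample flows.
FLOWS = [
    Flow("web shop -> card DB", "internet", "card_numbers", {"deny", "deanonymize"}),
    Flow("guest wifi -> intranet menu", "wireless", "cafeteria_menu"),
    Flow("HR app -> PII store", "internal_lan", "pii", set(REQUIRED)),
    Flow("LAN -> public site", "internal_lan", "public_web"),
]

if __name__ == "__main__":
    for name, risk, missing in audit(FLOWS):
        print(f"{name}: {risk} risk, missing {', '.join(missing)}")
```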
Victor Chapela is founder and chief executive officer of Sm4rt Security Services and a frequent speaker at ISACA conferences around the world. Chapela and coauthor Santiago Moral are currently writing RiskVolution, a book on the evolution of risk.
Recognizing ISACA Members—2012 Award Nominations Now Being Accepted
Help ISACA’s Board of Directors honor those individuals who have made a difference in ISACA and the professions it supports by nominating an individual for one of ISACA’s two annual awards—the Harold Weiss and John Lainhart awards.
Named after ISACA’s first president, the Harold Weiss Award was initiated by ISACA in 1985 and recognizes individuals for outstanding achievement and dedication to the IT governance profession.
Instituted in 1997, the John Lainhart Common Body of Knowledge Award is named after past International President John Lainhart and recognizes individuals for major contributions to the development and enhancement of the common body of knowledge used by the constituencies of the association in the field of IS audit, security and/or control, IS audit certification and/or IS audit standards.
ISACA members are asked to nominate qualified and deserving candidates for each of these awards by sending a nomination in letter form. Nominations must include:
- Name of the nominee
- Description of accomplishments relating to the award
- Professional affiliations
- Other honors and awards achieved
- Publications or articles published
- Name and contact information for the nominator
Nominations can be submitted to email@example.com (or fax to +1.847.253.1443 to the attention of Mikel McGee).
The deadline for submissions is 23 March 2012.
New Audit Programs and Resources Available on Oracle PeopleSoft and Other Topics
ISACA has recently released the following valuable resources:
Information on current research projects is posted on the Current Projects page of the ISACA web site.
Book Review: IT Governance to Drive High Performance: Lessons From Accenture
Reviewed by Upesh Parekh, CISA
IT Governance to Drive High Performance: Lessons From Accenture by Robert E. Kress is a pocket guide that provides insights into IT governance at a global management consultancy serving clients in 120 countries. The author is the executive director of business operations for Accenture’s high-performance IT operations. He is in a unique position to provide a bird’s-eye view of IT governance at a huge, multigeographic and complex organization.
This book, running approximately 40 pages, briefly describes how IT governance works at Accenture. The book is divided into an introduction and five chapters. The author describes the complexity of the organization and presents the need to implement IT governance in the introduction. This sets the stage for the subsequent five chapters, which get into the details of IT governance.
The journey to understanding IT governance at Accenture starts with an overview of IT governance policy, which touches on IT strategy at a very high level (chapter 1). The subsequent two chapters are the core of the book; they describe the IT governance structure in detail. It is interesting to learn how IT decision-making responsibilities at Accenture are divided among different committees and subcommittees across business and IT. The participation of business in IT-related decisions, the clear accountability for benefit realization and the interrelationship of different decision-making bodies across the organization are clearly brought out in these chapters.
Chapter 4 ties up discussions in chapters 2 and 3, describing how IT investment decisions are made—flowing from business strategy to IT strategy and finally to the annual budget. Chapter 5 provides tips for effective IT governance.
The strength of the book is that it is concise and crisp. Due to its small size, some topics such as risk management and performance measurement are excluded. However, the book is very interesting and is a good, quick read for those questioning how IT governance can work in a large organization.
IT Governance to Drive High Performance: Lessons From Accenture is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or e-mail firstname.lastname@example.org.
Upesh Parekh, CISA, works in process governance, testing governance and activities related to IT operational risk assessment at Barclays Technology Centre in India. Parekh has experience in IT security audits, application audits, functional testing and governance-related activities.