ISACA Journal Blog



Reducing the Gender Disparity in Cyber Security

Daksha Bhasker, CISM, CISSP
Posted: 10/24/2016 3:13:00 PM

Bletchley Park is strong historical evidence that women do well as contributors to national security, intelligence and technology development. At its peak, Bletchley Park, home of the British Government Code and Cypher School, employed about 7,000 women in its 10,000-person operation to break the German Enigma cipher during World War II. The age and education of the women in this intelligence operation varied, from 17-year-old high school graduates to linguists, mathematicians and talented crossword puzzle solvers. Diversity in gender and skills was integrated successfully into cryptanalysis and some of the world’s most critical security operations.


Practical Considerations in Planning an Open-source Security Monitoring Infrastructure

Furkan Caliskan, CISA
Posted: 10/17/2016 3:13:00 PM

Deploying a large-scale, open-source security monitoring infrastructure is not a trivial job. Even with an easy-to-install open-source distribution such as Security Onion, planning, and knowing what you want the sensors to see and keep, is still the essential part of the project.

There are several considerations that need to go into this planning:

  • Storage planning—Saving all network traffic for incident analysis is a big challenge: full-packet capture consumes disk far faster than session or flow metadata does. Setting a retention policy per data type is essential, and the decision should be made with management approval.
  • Secure Sockets Layer (SSL) traffic and privacy—Because malware increasingly uses SSL/TLS to hide its command-and-control and exfiltration traffic, inspecting encrypted traffic is becoming more important every day. On the other hand, decrypting and recording SSL connections is a privacy risk. There must be exceptions, especially for finance- and health-related resources.
  • Visibility—Establishing the right visibility across the network is key to a good security monitoring infrastructure. The process should start by identifying the company’s crown jewels, and sensors should be placed as close to those assets as possible, on their own switches. A sensor that sees traffic only after network address translation (NAT) leaves the analyst unable to tell which internal host generated a flow.
  • Open source risk—Maintaining open-source software is not an easy job; it needs skilled personnel, and that dependency is itself a risk the organization should consider. Consultancy support may be one way to mitigate it.
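As an added example (not code from the original post), the following Python retention planner turns the storage bullet above into numbers: given a link speed and average utilisation it estimates how much disk full-packet capture consumes per day, derives a much smaller metadata tier from a constructed ratio, and reports whether each tier’s approved retention period fits the available storage, both on its own and together with the other tiers. The link speed, utilisation, 1% metadata ratio, alert volume, retention periods and 100 TB budget are all assumed, illustrative values, not figures from the page.

```python
"""Retention planner for a network security monitoring sensor.

Added example; not code from the original post. Every rate, ratio and
budget below is a constructed, illustrative figure: replace it with the
bytes-per-day your own capture and log processes actually report.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
TB = 1_000_000_000_000  # decimal terabyte


@dataclass(frozen=True)
class Tier:
    """One class of monitoring data with its own retention policy."""
    name: str
    bytes_per_day: float
    required_days: int  # retention period approved by management (assumed)


def pcap_bytes_per_day(link_mbps: float, utilisation: float) -> float:
    """Full-packet capture volume for one monitored link.

    link_mbps    link speed in megabits per second
    utilisation  average busy fraction of the link, 0.0 to 1.0
    """
    if not 0.0 <= utilisation <= 1.0:
        raise ValueError("utilisation must be between 0 and 1")
    bits_per_day = link_mbps * 1_000_000 * utilisation * SECONDS_PER_DAY
    return bits_per_day / 8


def retention_days(tier: Tier, budget_bytes: float) -> float:
    """Days of this tier that fit in budget_bytes of disk, if it had the disk to itself."""
    if tier.bytes_per_day <= 0:
        raise ValueError("bytes_per_day must be positive")
    return budget_bytes / tier.bytes_per_day


def required_bytes(tier: Tier) -> float:
    """Disk needed to hold the tier for its approved retention period."""
    return tier.bytes_per_day * tier.required_days


def plan(tiers: list, budget_bytes: float) -> tuple:
    """Check every tier against one shared disk budget.

    Returns (per_tier, all_fit): per_tier maps each tier name to the days
    the budget would hold on its own, the disk its policy needs, and
    whether that policy fits alone; all_fit says whether the policies of
    all tiers fit the budget together, which is the number that matters.
    """
    per_tier = {}
    for tier in tiers:
        need = required_bytes(tier)
        per_tier[tier.name] = {
            "days_if_alone": retention_days(tier, budget_bytes),
            "bytes_needed": need,
            "policy_fits": need <= budget_bytes,
        }
    all_fit = sum(required_bytes(t) for t in tiers) <= budget_bytes
    return per_tier, all_fit


# Constructed scenario: one 1 Gbit/s monitored link at 30% average
# utilisation, and 100 TB of sensor storage (all assumed figures).
PCAP_PER_DAY = pcap_bytes_per_day(link_mbps=1_000, utilisation=0.30)  # 3.24 TB/day

EXAMPLE_TIERS = [
    # Full-packet capture; a 30-day policy is assumed.
    Tier("pcap", PCAP_PER_DAY, required_days=30),
    # Session/protocol metadata (Zeek-style logs), assumed to be ~1% of
    # the packet volume; a 365-day policy is assumed.
    Tier("metadata", PCAP_PER_DAY * 0.01, required_days=365),
    # IDS alerts, assumed 200 MB/day, kept for 365 days.
    Tier("alerts", 200 * 1_000_000, required_days=365),
]
EXAMPLE_BUDGET = 100 * TB

if __name__ == "__main__":
    per_tier, fits = plan(EXAMPLE_TIERS, EXAMPLE_BUDGET)
    for name, r in per_tier.items():
        print(f"{name:9s} needs {r['bytes_needed'] / TB:8.2f} TB, "
              f"alone would last {r['days_if_alone']:9.1f} days, "
              f"policy fits alone: {r['policy_fits']}")
    print("all tiers fit together:", fits)
```

In the constructed scenario each tier fits the 100 TB budget on its own (30 days of pcap needs about 97 TB), yet the three policies together need about 109 TB, so the plan fails; this is the kind of shortfall that is easy to miss when retention is decided one data type at a time, and it is why the decision needs management sign-off before the sensors are built.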

With all of these considerations in mind, monitoring efforts should be carefully planned and executed. The monitoring system is itself a sensitive asset: all traffic is visible to the security operations center, so failing to run careful background checks on its personnel is a risk for the company. All changes made to the monitoring system should also be audited and recorded.


Why Do IT Governance and Information Security Governance Practices Fail?

Yuri Bobbert, CISM, SCF and Hans Mulder, Ph.D.
Posted: 10/10/2016 3:55:00 PM

Most of the time, IT and information security (IS) governance practices fail because of poor decision making on and between the different levels of the organization. Research shows that the formal structures within IT and IS governance do not explicitly support or address the necessity of good decision making. Often, a decision is simply a result that happened because the decision-making process was not properly substantiated.

Decision making is an important topic within governance practices. Our recent Journal article describes how knowledge concerning information security can be shared effectively and how this knowledge can facilitate the decision-making process. We have run multiple sessions using group support system (GSS) software to help groups make adequate decisions. These group meetings are usually held under time constraints and require thorough analysis, proper interpretation and a swift decision.


Leveraging the NIST 800-53 Controls

Craig R. Hollingsworth, CISA
Posted: 10/3/2016 8:43:00 AM

After the experience of creating a security document package for the commercial product installed in our network, I was fortunate enough to have subsequent work assisting with security audits of organizations outside our company.

Only one of the several organizations I worked with was in the process of developing a system security plan based on the US National Institute of Standards and Technology (NIST) 800-53 controls. They were not ready to share that documentation at the time. The other organizations I worked with all had plans that addressed the highlights of NIST 800-53 but did not delve into the individual controls. Having a plan that addresses all of the controls is a great roadmap to help a company make sure that they have adequate data security protections in place and can be a great artifact to hand to auditors when they arrive.


Framework for Protecting Your Valuable IT Assets

Shemlse Gebremedhin Kassa, CISA, MSCS
Posted: 9/26/2016 3:11:00 PM

Technology is evolving at an amazing pace and offering vital benefits to businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon, well-suited security audit framework for tackling IT security challenges, and there is no holistic approach to the audit process. Because of this, it is becoming more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerabilities; risk; and controls.

My recent Journal article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations of the previously mentioned security concepts.
