Technology is evolving at an amazing pace and offering a vital benefit for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon, well-suited security audit framework for tackling IT security challenges, nor is there a holistic approach to the audit process. Because of this lack of agreement, it is becoming more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerabilities; risk; and controls.
My recent Journal article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.
When I interact with our clients, the vast majority of them are either trying to get a brand-new awareness program off the ground or are looking for ways to improve a program that is pretty limited in scope. I bet this sounds familiar to many readers: IT and information security teams are so busy fighting other battles that they often have little time left for dealing with their human problems in privacy and security. You will pass most audits with a program that is “good enough.” But what if your awareness program could be great?
I got a chance to think more about this the other day when one of our most advanced clients said that his chief information security officer (CISO) wanted to know what it would take for them to take their program from good to great. We had already been working with them on a program that included small units of training interspersed with monthly videos, and I knew that their program was completely voluntary. (Yes, I know!). Here are my ideas for revving up a program that was fun for employees and tightly aligned with known risk factors:
Paul Phillips is technical research manager at ISACA.
Performing an audit can be a daunting task, especially for a new auditor. By the same token, performing the customary review of an audit can be challenging when one has not been intimately involved in the process.
ISACA has started the process of simplifying and reformatting the audit programs to make them more user-friendly. The simplified programs are easier to use, and each control can be traced back to a COBIT 5 process that provides more detail that may be helpful during an audit. The following 4 audit programs have been simplified/reformatted: bring your own device (BYOD), cloud computing, IT risk management and change management. Traditionally, the audit programs have been in Microsoft Word, and while the content has not changed very much, the newly formatted audit programs are now in Microsoft Excel. Now, instead of continuous scrolling to locate a particular process, each has its own clearly labelled worksheet. The first worksheet of each audit program has instructions on how to use each column. There are 13 columns. The following lists each column along with a brief description:
Betsie Estes is a research manager with ISACA and has been with the association for 5 years.
Utilizing cloud services can offer significant benefits to an organization—the ability to gain competitive advantage, break geographic barriers and reduce operating costs, to name a few. To realize those benefits, it is important that adoption drivers are aligned with overall enterprise goals and objectives and that business and cultural factors are favorable for adoption. Like any investment, cloud projects should be guided by the board of directors (BoD) to ensure value creation and optimization of risk.
The ISACA white paper Cloud Governance: Questions Boards of Directors Need to Ask provides a comprehensive overview of the value cloud computing can bring to an organization and the governance considerations inherent in adopting cloud technology. The white paper outlines the following questions that will help the BoD identify the strategic value of cloud services and the impact that the cloud could have on enterprise resources and controls:
As companies become more reliant on modern technology, they also have to face more vulnerabilities that must be handled efficiently. For most companies, it is obvious that adequate cybersecurity safeguards must be selected and implemented. In these processes, the trade-off between benefits and costs should always be considered. However, some costs can be quickly overlooked. Because costs may be overlooked, every decision maker who is responsible for selecting safeguards should be familiar with all relevant costs, including costs that are not obvious.
On one hand, cybersecurity safeguards are strongly related to costs because money and other resources are needed for appropriate solutions. On the other hand, missing safeguards can lead to breaches and subsequent countermeasures that induce even higher costs. In one way or another, various costs must be considered.