ISACA Journal Author Blog

 ‭(Hidden)‬ Admin Links

ISACA > Journal > Journal Author Blog

Social Learning and Security Awareness

Posted: 6/20/2016 3:06:00 PM | Category: | Permalink | Email this post

A workplace is a social place, and much of the learning that occurs there is social learning. Social learning occurs through observation of other individuals’ actions and behaviors. It is not a mere imitation of the behaviors of others in an environment, but a reasoning process in which the individual examines others’ behaviors and makes conscious decisions about whether to adopt or reject this learning. Social learning occurs continually, although we might not be aware that it is taking place.

One motivation for social learning in the workplace is the individual’s desire to fit into the environment. Social learning is relevant to promoting secure behaviors in the workplace. It is not limited to the physical world, but extends to the virtual world by using social media tools. It can be incorporated into existing security awareness efforts to strengthen them. Social learning is beneficial across all generations, but especially to millennials because of their early adoption of social media as a core communication and connectivity mechanism.


Preparing for a Black Swan

Mustafa S. Poonawala, CISA, ITIL Posted: 6/6/2016 8:23:00 AM | Category: | Permalink | Email this post
Black swans are rare, unpredicted and unknown events that have a significant impact. It has been decades since the concept of the black swan was introduced, but even today there are many organizations that are unaware of it or do not understand the magnitude of its impact on their business. Some organizations believe that they will not be affected by it.
The chances of a black swan sighting are higher than ever and are increasing due to the rise in many of its causes, e.g., political turmoil, natural disasters, cyberattacks. The current need is for organizations to realize the gravity of the impact of a black swan and get itself ready so that it can minimize the damage. Therefore, organizations should concentrate on a better understanding of the value of their data and resources and, accordingly, back a sound resilience program financially and logistically.
Designing an effective resilience program requires careful monitoring and evaluation of various factors. The strategy used to design it should be evaluated constantly to ensure that it is able to handle the newest threats. The following points should be kept in mind when designing an effective resilience program:
  • A business continuity management program should be tailored as per the value of the data of each department within the organization.
  • An organization should be aware of how well its employees can function under pressure and exhibit their skills in an emergency.
  • It is essential for employees to have expert certifications in various fields rather than just completing foundation courses. This would help the organization have the proper expertise in designing the resilience program.
  • Complimenting updated human resources with the latest technology (e.g., implementing artificial intelligence) strengthens the line of defense.
  • Innovation and critical and aggressive thinking help reduce the impact of an incident.

One thing to keep in mind is that the term black swan is applied to an unknown threat. Therefore, there is no fail-proof strategy against it. A good resilience program may not stop a threat altogether, but it definitely can reduce the impact of the risk.


The Necessity of SoD

Stefano Ferroni, CISM, ISO 27001 LA, ITIL Expert Posted: 5/31/2016 3:15:00 PM | Category: | Permalink | Email this post

Segregation of duties (SoD) has been a source of guidance for audit and accounting systems for a long time; nevertheless, many IT security controls imposed by recent trends and regulations can be viewed through its lenses.

Privacy by design and privacy by default, for example, as required by the new EU regulation recently approved by the European Parliament, require that duties are well separated and roles are well defined from the beginning.

Privacy by design must be introduced in the design of processes and in the design of systems and tools. For example, a client recently asked for a solution to make service desk personnel able to reset user passwords without knowing the user’s new password and without resorting to the self-help password reset. This does not only require a supporting tool but also a sound access management process in which SoD is the central issue.


The Role of CIOs and CISOs

Devassy Jose Tharakan, CISA, ISO 27001 LA, ITIL, PMP
Posted: 5/23/2016 3:11:00 PM | Category: | Permalink | Email this post

Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).


Regulatory Management and Measurement Rules

Simon Grima, Ph.D., Robert W. Klein, Ph.D., Ronald Zhao, Ph.D., Frank Bezzina, Ph.D., Pascal Lélé, Ph.D. Posted: 5/16/2016 3:23:00 PM | Category: | Permalink | Email this post

The ISO 31000:2009, Basel III recommendations, the EU Capital Requirement Directives and the Own Risk and Solvency Assessment (ORSA)/Forward Looking Assessment of Own Risk (FLAOR) processes of Solvency II Directives profoundly affect the financing and the insurance of companies in all business sectors and local authorities.

US companies use US National Association of Insurance Commissioners (NAIC) recommendations based on the fundamental principles of ORSA; EU firms refer to FLAOR recommendations; and companies in other countries (e.g., Canada, Japan, China) refer to Solvency II as an international best practice.

<< First   < Previous     Page: 1 of 62     Next >   Last >>