ISACA Journal Author Blog


Applying Porter’s 5 Forces Model to Risk and Security

Yuri Bobbert
Posted: 2/9/2015 3:08:00 PM | Category: Risk Management | Permalink | Email this post


A large portion of the academic and practitioner literature focuses on implementing and validating existing security frameworks or guidelines. Limited academic research is done on strategizing risk and security. Formulating a security strategy depends on several perspectives and is usually different for each company. It depends on regulations, technologies, business processes and the interaction among numerous partners in the digital value chain, and these dynamics vary in force and frequency. The importance of a well thought-out strategy is examined and elaborated in numerous studies by strategists across all types of industries.


A Smart Strategy to Combat Advanced Persistent Threats and Targeted Attacks

Posted: 2/2/2015 8:45:00 AM | Category: Security | Permalink | Email this post

Seemant Sehgal, CISA, CISM, BS7799 LI, CCNA, CEH, CIW Security Analyst, SABSA

Advanced persistent threats (APTs) are a hot topic in the security arena today. There are a number of definitions and methods of identifying an APT. Some define it by pinning it to certain attack vectors, while others map it to the complexity of the attack or the time it takes to complete. The term “targeted attacks” is the latest buzzword, gradually taking center stage as a new breed of cyberthreats emerges.

So how can one devise an effective strategy to combat such threats? Well, to do so, it is important to understand the implications of the words “advanced” and “targeted” in the cybersecurity context. Think of the example of a pickpocket looking for a prospective victim. A thief will skip stealing from targets when they are vigilant and instead look for someone whose guard is down. In other words, the attacker will go for the “low-hanging fruit” to find a way in.


4 Ways to Honor User Privacy (While Avoiding User Threats)

Posted: 1/26/2015 3:21:00 PM | Category: Privacy | Permalink | Email this post

Dimitri Vlachos

Did you know that 69 percent of reported breaches involve someone inside the organization? Whether by mistake or malice, users are the biggest threat to a company’s data. Therefore, having forensics and analytics on your users’ actions is the best way to audit and respond to a data breach. But how will users feel about you collecting these forensics?

On the one hand, organizations need to monitor user activity for potential threats. On the other hand, employees do not want to feel like their privacy is being violated. So, how do you protect your company from data breaches without employees seeing you as being intrusive? Here are a few suggestions:

  • Clearly communicate monitoring policies—When giving employees or third-party users access to the system, notify them that their actions will be monitored. Create a “policies and procedures” document that clearly outlines why user behavior is monitored, what will be monitored, and what behaviors are considered illegal or unacceptable. Give this document to all users when they first receive their login credentials. Discovering this monitoring policy later may leave employees or vendors feeling like their privacy has been violated.
  • Explain the goal of user activity monitoring—To help employees feel like they are trusted members of the company, it is important to explain the goal of user monitoring. Monitoring simply records actions to flag down potential illegal activity or threats to the company. The standard employee should have nothing to be concerned about. In fact, this software will help protect them from blame if a breach does occur.
  • Explain what activities are monitored—Unfortunately, all action taken on a company system must be monitored, recorded and stored. While it does not seem necessary to record someone browsing Facebook or checking personal email, stopping the recording during these times would open up opportunities for disguising illegal behaviors. To ease employees’ minds, explain that while every action—including individual keystrokes—is being recorded, they are not necessarily being monitored. Only suspicious or illegal activity will trigger alerts.
  • Remind users they are being monitored—Even after explaining the monitoring policies fully, it is a good idea to regularly remind employees of these policies. Notifications and policy messages can be built into your monitoring software to remind users every time they log in so they never feel caught off guard. It can also act as a constant deterrent for anyone attempting any illegal acts.

User activity monitoring is the best defense for the inside threat companies face. But companies should be smart about it. Follow these tips to keep users feeling happy and safe while keeping the company protected.


The Benefits and Challenges of Continuous Monitoring Systems

Posted: 1/19/2015 3:11:00 PM | Category: Security | Permalink | Email this post

Tieu Luu

There is a big push within the United States federal government right now to implement information security continuous monitoring (ISCM) across all of its computer networks. According to the US National Institute of Standards and Technology (NIST), “information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.” Key benefits of an ISCM program include enabling consistent adoption of cybersecurity best practices, streamlining and automating manual assessment processes, measuring risk, and prioritizing the problems that need to be fixed first. The US Department of Homeland Security (DHS) is spearheading the effort to implement ISCM, with an initial focus on rolling out hardware asset management, software asset management, configuration settings management and vulnerability management capabilities across federal agencies.


Return on Security Investment (ROSI)

Posted: 1/12/2015 3:19:00 PM | Category: Security | Permalink | Email this post

Ed Gelbstein, Ph.D.

The need to justify expenditures with a return on investment (ROI) grows steadily as everyone is trying to reduce costs: in the private sector to “optimize shareholder value,” and in the public sector to “cut public expenditure.” In extreme cases, this leads to what I call saving money regardless of cost (SMRC).

The chief information officer (CIO) and chief information security officer (CISO) are disadvantaged when competing against other corporate functions for funding—security is essentially an expense, while other areas, such as marketing, target new revenue. This is not the only disadvantage CIOs and CISOs face. Other challenges include:
