ISACA Journal Author Blog


Internet of Things: Evolution or Revolution of Technology?

Jim Seaman, CISM, CRISC
Posted: 11/23/2015 3:02:00 PM

A simple search on an Internet search engine for “Internet of Things” (IoT) yields 21,800,000 results. Despite all of the available information on the IoT, do we really understand the implications of the rapid expansion of the IoT?

Source: Business Insider and India Times

Projections put the number of connected devices at between 25 billion and 50 billion by the year 2020. The benefits created by the rapid advancement of IoT technologies are widely published and focus on how it might make lives easier, removing the need for humans to perform some routine tasks. Imagine a world where the following actions happen automatically:


Toward a Common Understanding of Cybersecurity

Deepak Rout, CISM, CRISC, CISSP
Posted: 11/16/2015 3:06:00 PM

I conducted a workshop on cybersecurity risk assessment for several directors managing application portfolios in a large global financial firm. One of the senior directors who managed the mainframe systems asked me directly, “I manage the mainframe systems that are purely internal. How is cybersecurity even relevant to me?” I was hardly surprised and said silently to myself, “Here we go again.”

Cybersecurity is now a common buzzword, so one would think the meaning should be obvious and globally common. However, it is far from being clearly understood, let alone standardized. The good news is that cybersecurity is perceived as something essential that has a significant impact on business or government. We only need to figure out what exactly it means.


Managing Changes in Risk Management

Mette Brottmann, Klaus Agnoletti, Morten Als Pedersen, Ronnie Lykke Madsen, Michael Rosendal Krumbak and Thor Ahrends, CISA, CISM, CRISC
Posted: 11/9/2015 3:11:00 PM

Working with risk assessments and risk management is a challenging job. Everyone has an opinion, and there is no single correct outcome. Things change over time, and a changing threat landscape will influence the assessment and make it necessary to revisit it.

The area of risk assessments is covered by multiple theories and frameworks, which are no doubt scientifically well-founded but, at the same time, are difficult to make operational in a changing environment. We cannot gather all relevant stakeholders to update assessments quarterly.

What we can do is focus efforts on the critical assets top-down and keep these in mind when vulnerabilities and threats are identified. We can also make ad hoc assessments using the bottom-up methods when involved in projects and when asked to comment on new initiatives.


From Problem to Ethical Solution

Wanbil W. Lee, DBA
Posted: 11/2/2015 9:01:00 AM

Many of the problems computer auditors deal with are ethical in nature. Post-contract and post-implementation problems are cases in point. Unfortunately, we are unaware or ignorant of this aspect of many problems. Consequently, we can reach only a partial solution at best. Such a solution will eventually blow up; then the professional’s future and company’s reputation and prosperity may be ruined.

Ideally, solutions sought are not only technically efficient, financially viable and legally admissible, but also ethically acceptable, socially desirable and ecologically sustainable. To this end, we need not only the technical know-how (auditing and IT knowledge and skills) and a deep understanding of the common ethical principles (called requisite competence), but also a shift of the conception of risk and a new tool for decision analysis due to the so-called misinterpretation of risk and the flawed education across science and technology (called additive).


Understanding Cyberhacking Tools and Techniques

Omar Y. Sharkasi, CBCP, CFE, CRP
Posted: 10/5/2015 9:01:00 AM

It seems like every day there is a new data breach or heist. Hackers break into corporate or government computers and swipe names, addresses, birth dates and those all-important US Social Security numbers. Consider these recent breaches:

  • Hackers hit the jackpot when they cracked the network at the US government’s Office of Personnel Management and accessed Social Security numbers, dates of birth and other personal information of more than 4 million federal workers.
  • Unidentified Russian hackers broke into an unclassified email system used by the US Joint Chiefs of Staff.
  • Gang members are using social media like many others do. In addition to the standard uses for social media, they post threats on social media that include a rival’s street—a practice known as online tagging. Posts and videos threatening rivals and others may accompany online postings.
  • In early February 2015, Anthem (one of the US’ largest health insurers) revealed that hackers had breached a database containing the personal information of 80 million customers and employees.

My recent Journal article focuses on Windows computers with an emphasis on all nonserver Windows computers. This includes Windows end-user devices, such as workstations, desktops, laptops, hybrids and tablets. Workstations are just as important to the security of an organization as servers. Of course, an insecure workstation directly impacts only one user (in most cases), while a compromised server can impact thousands. But all of the biggest breaches in recent times have started with a compromised workstation, not a server. Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different from securing servers.
