Ulf T. Mattsson
Data are valuable. Businesses increasingly rely on data to make better decisions, to better target their customers and to predict the future. Leveraging data through real-time analysis for business value is driving businesses to collect more data faster and from more sources than ever. This has given rise to the era of big data and the Internet of Things.
These large caches of data also hold significant direct value in monetization: the sale of part or all of the data to a third party. The percentage of businesses monetizing their data is projected to triple by 2016. Much of this data relates to consumers; it is privacy data.
It is important to note how much more severe the damage from identity theft can be than the damage from a typical payment card breach. You cannot simply issue someone a new identity the way you can issue a new payment card, and in the meantime the individual’s health insurance, credit and legal status are all in jeopardy.
It only makes sense that with all that data (and the direct and indirect value it represents), hackers would be increasingly driven to steal it. The question is how to protect the data from persistent, intelligent threats while preserving its value to the enterprise.
Businesses often collect a lot of privacy data in bits and pieces: names and addresses, separate from phone numbers and email addresses, separate from ages and genders. Then they integrate it in analysis to get a complete view of their customers. While separately these pieces of information may not readily identify an individual, together they can completely expose an individual to financial hijacking or outright identity theft. In effect, these businesses are doing a lot of the work for criminals aiming to steal this information.
To reach the goal of securing the data while preserving its value, the data itself must be protected at as fine-grained a level as possible. Securing individual fields allows for the greatest flexibility in protecting sensitive identifying fields while allowing nonidentifying information to remain in the clear.
Protecting this information within the enterprise is a significant challenge on its own, but monetizing the data means sending it to one or many other organizations, each of which has its own security profile. Completely anonymizing privacy data may not be feasible in a monetization scenario, but deidentifying the most sensitive information, e.g., names, social security numbers and birth dates, is vital to protecting the privacy of individuals. Data protection methods such as tokenization also allow businesses to preserve the type and length of the data and to deidentify only part of a field while leaving the relevant part in the clear, for example exposing a birth year rather than the entire date. This keeps the data usable for third parties to analyze while helping to protect the privacy of the individuals who make up the data.
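The following is an added example, written for this page and not code from the article or from any product the author describes, of vault-based, format-preserving tokenization in Python: identifying fields receive random tokens with the same length and character classes as the original, a mask keeps chosen characters (here the birth year) in the clear, and the vault that maps tokens back to clear values stays inside the enterprise. The field names, the `k` mask convention, the `deidentify` helper and the sample record are assumptions made for the example.

```python
"""Vault-based, format-preserving tokenization of privacy fields.

Added example; the field names, the 'k' mask convention and the sample record
are assumptions made for illustration, not anything from the article.
"""
import secrets
import string

_ALPHABETS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


def _random_like(ch):
    """Return a random character of the same class as ch (digit, upper, lower).
    Separators such as '-' and ' ' are structural and are passed through."""
    for alphabet in _ALPHABETS:
        if ch in alphabet:
            return secrets.choice(alphabet)
    return ch


def _replaceable(ch):
    return any(ch in alphabet for alphabet in _ALPHABETS)


class TokenVault:
    """Maps clear values to random tokens with the same length and character
    classes, so a 9-digit SSN column still holds 9 digits after tokenization.

    Tokenization is deterministic within a vault (the same SSN always gets the
    same token), so joins across tables and distinct counts still work on the
    tokenized data. The two dictionaries are the vault: the only way back to the
    clear value, and the one thing that must never leave the enterprise.
    """

    def __init__(self):
        self._clear_to_token = {}   # (field, clear value, mask) -> token
        self._token_to_clear = {}   # (field, token) -> clear value

    def tokenize(self, field, value, keep=""):
        """Tokenize value; positions where keep[i] == 'k' stay in the clear.

        keep="kkkk" on an ISO date keeps the birth year and tokenizes month and
        day; a mask shorter than the value replaces every remaining position.
        """
        mask = keep.ljust(len(value))
        if not any(m != "k" and _replaceable(c) for c, m in zip(value, mask)):
            raise ValueError("mask leaves nothing to tokenize")
        key = (field, value, mask)
        if key in self._clear_to_token:
            return self._clear_to_token[key]
        for _ in range(1000):
            token = "".join(
                c if m == "k" else _random_like(c) for c, m in zip(value, mask)
            )
            # A token equal to the clear value would leak it, and a token already
            # issued for another value of this field would break detokenization.
            if token != value and (field, token) not in self._token_to_clear:
                break
        else:
            raise RuntimeError("token space for this format is exhausted")
        self._clear_to_token[key] = token
        self._token_to_clear[(field, token)] = value
        return token

    def detokenize(self, field, token):
        """Reverse a token; only code with access to the vault can do this."""
        return self._token_to_clear[(field, token)]


def deidentify(vault, record):
    """De-identify the identifying fields of one customer record.

    Non-identifying analytic fields (city) stay in the clear; the birth year
    is kept for age cohorts while month and day are tokenized.
    """
    out = dict(record)
    out["name"] = vault.tokenize("name", record["name"])
    out["ssn"] = vault.tokenize("ssn", record["ssn"])
    out["dob"] = vault.tokenize("dob", record["dob"], keep="kkkk")
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample records, not real people.
    customers = [
        {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1984-06-15", "city": "Austin"},
        {"name": "Raj Patel", "ssn": "987-65-4321", "dob": "1971-11-02", "city": "Denver"},
    ]
    for row in (deidentify(vault, c) for c in customers):
        print(row)   # what a data buyer would receive; the vault stays home
```

Two caveats a practitioner should keep in mind. First, a format-preserving token is only format-preserving, not semantics-preserving: `1984-99-31` is a legal token for a date here, so if the buyer validates dates the month and day positions must be drawn from a valid range instead. Second, deterministic tokens on a low-cardinality field (gender, birth year, state) are trivially reversed by frequency analysis; such fields should either stay in the clear, as the article suggests for the birth year, or be generalized rather than tokenized.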
We may not be able to completely prevent hackers from stealing data, but we can make it far more difficult for them to cause significant damage with it. By protecting data at a very fine-grained level—fields or even part(s) of a field—we can continue to reap the benefits of data monetization while putting forth a significant barrier to identity theft.
Read Ulf Mattsson’s recent Journal article:
“Leveraging Industry Standards to Address Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.
Ivan Alcoforado, CISSP, PMP
The cybersecurity landscape has evolved toward more sophisticated threats targeting enterprise IT and the industrial automation and control systems (IACS) that support pipelines, refineries, manufacturing and power plants, mining, and railways. It is evident that critical infrastructure organizations must appropriately manage this new risk in their environments.
Very often, however, we find that organizations jump to the implementation stage without adequately establishing all of the processes needed to achieve their goals. From failing to establish cybersecurity risk management targets to having little oversight over metrics and controls, these companies do not have an IACS security program with proper governance.
IACS security and IT security are usually undertaken by separate teams with different drivers and requirements. The IACS devices (e.g., distributed control systems, programmable logic controllers, supervisory control and data acquisition) are managed by the engineering or automation department, whilst the IT components (e.g., IP network, infrastructure, servers, operating systems) are the responsibility of the IT department. Without proper coordination, there is often uncertainty about where the responsibility for IACS support and security lies, and gaps occur in the organization’s security capabilities.
I believe we need IACS and IT security strategies to be aligned to the business, ensuring that resources are allocated in an efficient and effective manner to bring consistent results. These results need to be measurable, comparable and in line with the company’s risk appetite.
Failure to establish proper IACS security governance can lead to poor management of risk, with dire consequences for the organization’s operations. It may lead to failed individual security projects, to operational impacts on the very IACS we are trying to protect, or to overestimating the organization’s own cybersecurity capabilities.
My recent ISACA Journal article talks about leveraging industry standards to build an IACS program with an adequate governance structure. This should give senior management a better view of the company’s IACS risk profile, enable clearer communications with all stakeholders, optimize the allocation of resources, and give clarity of roles to engineers, IT security professionals and IT auditors when it comes to IACS security.
Read Ivan Alcoforado’s recent ISACA Journal article:
“Leveraging Industry Standards to Deal with Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.
Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
Information security programs need to evolve in order to survive and mature. This century will see almost a thousand times greater technological change. This means information security programs will need to evolve to maintain their current maturity stage. The key strategy for managing the maturity life cycle is adaption. Organizations unwilling or unable to adapt may find themselves regressing to an early maturity state, while enterprises willing to innovate and expand upon new paradigms will thrive. The following strategies can assist in the evolutionary change required for maturity to flourish:
- Develop change-adaption strategies—Each organization needs to develop a strategy for adapting to change. Whatever the change appetite, information security programs are more successful in managing change when those programs are in control of it rather than having it forced upon them.
- Identify focus areas—It is possible to have too many ideas. A mature information security program needs to select a few focus areas that have the highest potential to take it to the next maturity stage. This requires identifying any weaknesses that could thwart maturity progress, then methodically eliminating them.
- Build connectivity—Mature information security programs cannot exist within a silo. All stakeholders need to understand how their decisions can affect the organization’s security posture. This means communicating security messages across all levels of the organization.
- Be prepared for setbacks—Setbacks are inevitable in life. Successful information security programs regard the occasional bump in the road as the cost of innovation and a chance to try again, similar to Henry Ford’s saying, “Failure is simply the opportunity to begin again, this time more intelligently.”
- Seek continuous renewal at every maturity level—An information security program cannot tolerate stagnation. Maintaining an effective program requires vigilance in sustaining its people, processes and technologies, as well as continuing to seek solutions to emerging risk. The security threat environment is dynamic and the control portfolio needs to be tweaked to adjust to changes in the risk landscape and unique organizational environment.
In the dynamic business environment we are currently experiencing, continual change may remain the only constant. In order to maintain and advance maturity, information security programs need to respond and transform themselves to manage emerging risk.
Muhammad Mushfiqur Rahman, CISA, CCNA, CEH, ITIL V3, MCITP, MCP, MCSE, MCTS, OCP, SCSA
The capabilities of database management systems (DBMS) are changing rapidly. This advanced technology gives great flexibility in how a DBMS is used, but it also enlarges the attack surface. These DBMS advances also drive massive and rapid increases in the number of people with access to them.
The speed of these changes has no precedent in human history, and the power of these technologies has transformed the work environment and our personal lives and brought with it many positive contributions.
It is very important for an auditor to keep up with new DBMS features; otherwise undetected vulnerabilities may damage the company’s image and reputation and cause business losses. We have by now learned that technology is never perfect: hardware vulnerabilities and software errors can be impossible to avoid entirely.
In my recent Journal article, I discussed Oracle database auditing steps that use penetration testing of the Oracle database to verify compliance with the organization’s security policy. The users and Oracle database administrators who work with sophisticated DBMS technologies often have limited knowledge, or even awareness, of security issues and of their roles in managing them. In the article I have tried to identify the security issues to be aware of and to start a discussion with peers around the globe.
Read Muhammad Mushfiqur Rahman’s recent Journal article:
“Auditing Oracle Database,” ISACA Journal, volume 6, 2014.
Jeimy J. Cano M., Ph.D., CFE
The role of information security should not detract from the evolution of business models. Information security must read and understand the business and motivate a proactive move to protect the value of the company and anticipate emerging risk. In this context, information security teams should understand the digital mastery needed to consolidate the business and what management expects from the transformation of enterprise IT.
In the current ecosystem of content and possibilities, organizations demand a more flexible view of information security: practical rules that promote security, and usage agreements founded on the impact of possible information security breaches. This flexible view is preferable to rigid IT security procedures and security and control guidelines. On this understanding, information security executives should frame their work around business decisions, not purely security ones. That is, information security teams should understand how to deliver more reliable operations and secure actions while keeping the enterprise goals in mind.
If the organization is challenged to conquer and expand into new territories to create new value and growth options, information and IT will be the basic elements that drive this transformation. Consequently, the security function will face greater exposure and greater demand from company management to develop proposals for change, which can help enterprises capitalize by quickly taking calculated risk in a changing context.
In an ongoing review of the role of information security, it is necessary to create breaks, moments of truth at which to observe emergent situations. These are opportunities to draw distinctions, to establish and indicate new patterns, and to reflect on the environment. It is important to incorporate changes, make them part of the ongoing review exercise and develop new strategic, tactical and operational practices that enable the function. An ongoing information security review is about more than teaching others what they do not know; it is about helping them shape their actions with information security principles in mind.
Read Jeimy J. Cano’s recent Journal article:
“The Information Security Function: Current and Emerging Pressures From Information Insecurity,” ISACA Journal, volume 6, 2014.
Eduardo Gelbstein and Viktor Polic
For a long time, organizations and individuals have relied on third-party services relating to data, information systems, and infrastructure, and many lessons have been learned in the process.
Cloud computing has established itself as a potentially valuable addition to the portfolio of third-party services. But cloud computing can introduce several issues for data owners, particularly when the data is considered sensitive in terms of confidentiality, access rights and privileges.
While the benefits of cloud computing are easy to understand (e.g., lower cost, flexibility, transfer of accountability for operational activities), it is prudent to remember the old adage, “If it looks too good to be true, it probably is,” and devote time to a detailed assessment of the issues described in our recent Journal article.
Cloud-related issues raised in conference discussions and various publications focus on concerns such as:
- Data ownership and what the service provider is or is not allowed to do with this data
- The use of encryption and management of the encryption keys and digital certificates
- Identity and access management
- Compliance with data protection legislation, particularly about the location of the data
- Compliance with privacy protection legislation
- Terms of contract, including the right to audit the service provider
- Confidentiality and nondisclosures by the service provider
- Access rights to data by the service provider’s personnel and by the personnel of its suppliers or subcontractors
- Guarantees that in the case of termination of a contract there will be no copies of data left with the service provider
Other issues that could affect cloud computing are:
- The impact on the data owners if the service provider goes out of business or is the target for an acquisition by a third party
- The feasibility of terminating a contract and migrating the data (and related services) to another service provider
The real issue may be one of timing—the cloud is likely to be part of the service portfolio offered by third parties for many years to come. Optimists and risk takers will no doubt gain the benefits of cloud computing sooner and gain valuable experience in doing so. Those whose risk appetite is limited and who deal with custom, critical applications may choose to wait until the issues discussed in our Journal article have been addressed and resolved appropriately.
Biswajit Mohapatra, Vinay Parisa and Joydipto Banerjee
In our recent Journal article, we talk about how enterprises are adopting technologies like cloud, analytics, social and mobile tools to drive strategic advantage. Emerging businesses that are born on the cloud have these technologies as part of their DNA and are at an advantage, as they can focus on a small number of core competencies integral to their business, unlike established enterprises that were built around a different business model from an earlier era. We are at the cusp of a smarter era in which systems and applications are designed to interact with each other and generate a lot of data. Businesses are starting to depend on sophisticated analytics to distill insights and context from this increasing volume of digital information. These insights are changing the way enterprises do business with their customers. By 2020, it is expected that there will be more than 200 billion connected devices, and machine-generated data will be 42 percent of all data.
In the infrastructure world, as cloud computing evolved, it became increasingly evident that there was still room for traditional applications and hardware. A new deployment model, the hybrid cloud, emerged, and with it the automation built for the cloud found its way into traditional data centers. By abstracting the infrastructure, cloud automation makes it possible to scale resources across public and private clouds to match unique requirements. Cloud automation software also includes monitoring and predictive analytics, which analyze the data generated by the infrastructure in order to allocate appropriate resources to applications, thereby achieving a greater level of optimization.
Gartner predicts that by 2016, 25 percent of external application implementations will be on mobility, cloud, analytics and social computing services, and more than 50 percent of application modernization efforts will address business demand for enhanced functionality in legacy systems rather than cost reduction. Enterprises lacking a modernization strategy are going to lose a lot of ground and will face the uphill task of playing catch-up. For an enterprise to be successful across technological eras, it must continuously reinvent itself, embrace innovation and be an early adopter. These new technologies enable rapid change, growth and innovation in business. A modernization strategy is essential for an organization, and big data will be the key to hidden opportunities.
Giuliano Pozza
I believe discussions about bring your own device (BYOD) should take cultural and organizational context into account. There is no right or wrong BYOD-related decision in an absolute sense; you must put it into the right perspective. That is why I will start by setting the context. I am working as a health care chief information officer in Italy, where IT spending, IT staffing and IT governance are chronically underestimated. Our health care model is fragmented at the regional level, with little coordination and supervision at the national level; this is the reason why international health care IT players are basically not present in Italy. The consequences are beginning to be evident. Our information systems are often outdated legacy systems. From the cultural point of view, I must say health care is one of the most stimulating fields in which to work. Diverse cultures (doctors, nurses, staff, social operators, and information and communications technology professionals) are working together, and this is a source of great value and richness. But I cannot avoid noticing that, up until now, I have not seen an “IT-savvy” culture emerge in any of the institutions I know.
On the other hand, innovation is pushing its way into health care, above all in the clinical engineering field. Again, this is extremely positive, since new medical devices and better technologies for the operating theaters mean better outcomes for patients. Pervasive innovation also means better lifesaving devices, such as new-generation wireless-enabled pacemakers. Mobile health is a reality in many hospitals, albeit often built on the weak foundation of high-risk legacy systems. New regional electronic health record systems are under construction in many areas, and health care applications are spreading fast.
My recent Journal article gives readers a glimpse into the dynamic and complex health care setting. Viewed in this context, BYOD can be an opportunity or a risk at both the enterprise and the patient level. In my article, I explain the key questions to ask before implementing a BYOD strategy in a hospital, or before deciding not to implement one, which is a challenging option as well.
An ineffective BYOD strategy could end up opening information systems to data thieves; data breaches in health care are growing exponentially. For example, the US Federal Bureau of Investigation (FBI) warned the health care industry about hackers, and in August, Community Health Systems in Franklin, Tennessee, USA, announced that hackers had stolen data on approximately 4.5 million patients. Even worse, if you do not plan and execute your BYOD strategy (or your decision not to have one) well, you could end up with life-threatening situations for your patients, as I explain in my Journal article.
Health care, as mentioned in the FBI private industry notification, is more fragile than other industries. That is striking since, as a consumer, I would put more trust in a setting where I risk my life, such as health care, than in banking. I think this is the time to wake up and review how we deal with information systems in health care. It is not only a matter of BYOD; it is a matter of protecting our sensitive health care data and, in extreme situations, our lives.
Read Giuliano Pozza’s recent Journal article: ISACA Journal, volume 5, 2014.
John Simiyu Masika, CISA, CISM
Business leaders are always faced with the challenge of guiding change and transforming their respective functional areas. Chief information officers (CIOs) and chief information security officers (CISOs) face similar challenges in leading information security changes. The drivers for change and transformation in information security operations include escalating business risk and the need to comply with new legislation and regulations. A new business strategy, whether the result of business reorganization or other changes, can also drive the need for an information security transformation.
How should a CIO or CISO effectively lead change and transformation of information security? According to Harvard University Professor John P. Kotter, Ph.D., managers who successfully transform businesses and functional strategies and processes do 8 things right and they do them in the right order. Practically, Kotter’s 8-step process for leading change can be mapped with various information security change initiatives as shown below:
[Graphic: Kotter’s 8-step process for leading change mapped to information security change initiatives]
Leading change requires a systematic approach. It involves having all key stakeholders play a role in institutionalizing the changes in order to achieve meaningful results in both the short and the long term. This approach mirrors the guidance in Information Security Governance: Guidance for Information Security Managers.
Read John Masika’s recent Journal article:
“Leading Change and Transformation in Information Security,” ISACA Journal, volume 5, 2014.
Ashwin Chaudhary, CISA, CISM, CGEIT, CRISC, CISSP, CPA, PMP
My recent Journal article addresses increasing concerns over user privacy due to the wide use of personal mobile devices in the workplace. Recent privacy violations at large organizations have brought the topic into the limelight. Privacy regulation has also expanded, with laws such as the US Health Insurance Portability and Accountability Act (HIPAA) and the US Health Information Technology for Economic and Clinical Health (HITECH) Act, which focus on health-related privacy, and the US Children’s Online Privacy Protection Act (COPPA), which covers the online privacy of children. Such efforts aim to bring about stringent privacy rules; however, only strict enforcement of these regulations can ensure the law’s effectiveness.
With respect to bring your own device (BYOD), an enterprise’s focus is mainly on the corporate network and data security rather than user privacy. As a social responsibility, organizations also need to adopt user privacy audits and assurance programs to manage user privacy, as this protection is equally as important as protecting corporate security.
Regulations and compliance requirements that mandate annual certification are generally point-in-time, and some are based on self-assessment and self-certification, which may lead to cutting corners. Continuous independent assurance programs, such as Service Organization Control (SOC) 2 or SOC 3 Type 2 reports, should be considered in corporate security planning.
Read Ashwin Chaudhary’s recent Journal article:
“Privacy Assurance for BYOD,” ISACA Journal, volume 5, 2014.