ISACA Journal Blog



A Framework to Evaluate PAM Implementation

Richard Hoesl, CISSP, SCF, Martin Metz, CISA, Joachim Dold, Stefan Hartung
Posted: 2/21/2017 9:11:00 AM | Category: Risk Management

A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions pursue the following goals:

  • Keeping the number of privileged access channels low
  • Authorizing, activating and deactivating the usage of privileged access channels
  • Detecting, evaluating, recording and terminating the usage of privileged access channels

Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:


EU GDPR: Embracing Privacy Requirements

Tarun Verma
Posted: 2/13/2017 3:11:00 PM | Category: Government-Regulatory

We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.

As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements set out in the regulation. The regulation is applicable to all organizations that store, process or transmit personal data of EU data subjects. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply even to organizations that have no presence in the EU but process or access the personal data of EU data subjects.


The Risk Associated With AI

Phillimon Zongo
Posted: 2/6/2017 9:40:00 AM | Category: Risk Management

Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research. Commercial deployment of AI systems is fast becoming mainstream as businesses seek to gain deeper customer insights, lower operating costs, improve efficiency or boost agility. 

The proliferation of AI raises intriguing opportunities; however, associated risk exists, and it should be considered, as its impacts can result in significant consequences. My recent Journal article provides practical strategies to mitigate 3 crucial risk factors associated with the commercial adoption of AI:


Mitigating the Insider Threat

Rodney Piercy, CEH, CISSP
Posted: 1/30/2017 3:06:00 PM | Category: Risk Management

As we become more connected and more dependent on technology, we also become more vulnerable. Most organizations spend a large amount of resources defending against the outsider threat, but what about the insider threat? The insider threat can be just as costly and devastating as the outsider threat, but how do you control and monitor the people who must have access to the systems and data you are trying to protect? Do we as cybersecurity professionals really understand what options we have when dealing with an insider threat? Here are some methods to mitigate the insider threat:

  • Hiring practices—This is the first opportunity to find an insider threat. The personnel office has the ability, through social media and other avenues, to get a good understanding of an applicant’s personality and beliefs.
  • Policies and procedures—Most organizations already have policies and procedures in place. These must be reviewed, updated regularly and enforced to be effective. They cannot simply be put in place and forgotten.
  • Training—Many organizations provide some type of training as well. For training to be useful, it must be interesting and relevant to employees; training that is dull or irrelevant benefits neither the employees nor the organization.
  • Culture—This is where many companies fail. If the culture of the organization is to take care of employees, they are much more loyal to the organization. If employees are not treated as valuable, they are much less likely to take care of the organization and may not be as concerned about the security of the systems and data they work with regularly. In addition to promoting security, good company culture will also play a role in reducing the insider threat.
  • Automation—Automation is an area that is currently being researched. There are ways to monitor certain keywords and other specific activities, but we must be careful when considering automated tools that monitor employees, because they can very easily raise privacy issues. There are also automated means that are not directly aimed at the employee: the actions an individual takes leave traces on the network, and good network monitoring tools can give clues as to whether anomalies seen on the network are actually insider actions.

Which methods are used and how they are used is dependent on the organization. There are other factors that affect the method used, such as budget, amount and types of data, importance of the data, and leadership buy in. The way we deal with the insider threat may vary, but it is a threat that each organization must understand and mitigate.
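
The automation point above is worth making concrete. The following is an added example, not code from the original post: a small anomaly scorer that runs over constructed file-access log lines (the log format, the 07:00-18:59 working window, the three-event minimum baseline and the z-score threshold of 3 are all assumptions made for the example). It deliberately looks only at behavioural metadata (who, when, how much), not at message content or keywords, which keeps it on the safer side of the privacy concern the post raises. Each event is compared against the same user's other events (leave-one-out), so one large transfer does not inflate the baseline it is judged against.

```python
"""Score insider-style anomalies in file-access logs by user baseline."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WORK_HOURS = range(7, 19)   # assumed normal access window, 07:00-18:59
MIN_BASELINE = 3            # assumed minimum number of other events for a volume baseline
Z_THRESHOLD = 3.0           # assumed z-score above which a transfer is flagged

# Constructed sample log (not from the original post).
# Assumed format per line: "<ISO timestamp> <user> <action> <bytes>"
SAMPLE_LOG = """\
2017-01-09T09:12:00 alice download 120000
2017-01-09T14:40:00 alice download 95000
2017-01-10T10:05:00 alice download 110000
2017-01-11T11:30:00 alice download 130000
2017-01-12T09:50:00 alice download 100000
2017-01-13T02:15:00 alice download 4800000
2017-01-09T09:00:00 bob download 50000
2017-01-10T09:30:00 bob download 60000
2017-01-11T10:00:00 bob download 55000
2017-01-12T10:30:00 bob download 58000
2017-01-13T09:45:00 bob download 62000
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, size = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "bytes": int(size)})
        except ValueError:
            continue
    return events


def zscore(value, others):
    """z-score of value against the population of the user's other events."""
    m = mean(others)
    sd = pstdev(others)
    if sd == 0:
        # A perfectly flat baseline: any deviation is unbounded, identical is normal.
        return 0.0 if value == m else float("inf")
    return (value - m) / sd


def find_anomalies(events, work_hours=WORK_HOURS, z_threshold=Z_THRESHOLD):
    """Flag events that are off-hours or far above the user's usual volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            reasons = []
            if e["ts"].hour not in work_hours:
                reasons.append("off_hours")
            # Leave-one-out baseline so the event cannot mask itself.
            others = [o["bytes"] for j, o in enumerate(evs) if j != i]
            if len(others) >= MIN_BASELINE and zscore(e["bytes"], others) > z_threshold:
                reasons.append("volume_zscore")
            if reasons:
                findings.append({"user": user, "ts": e["ts"].isoformat(),
                                 "bytes": e["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log this flags exactly one event, alice's 02:15 transfer of 4.8 MB, for both reasons; bob's slightly varying daytime downloads stay under the threshold. A real deployment would feed this from an endpoint or proxy log, tune the window per role rather than globally, and hand findings to a human reviewer rather than acting on them automatically.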


Dispelling Concerns Regarding Quantitative Analysis

Jack Jones, CISA, CRISC, CISM, CISSP
Posted: 1/23/2017 3:18:00 PM | Category: Risk Management

In my recent Journal article, I stated that our profession needs to adopt quantitative methods of risk analysis to enable well-informed executive stakeholder decisions. Common reactions to this notion include:

  • Quantitative risk measurement is too time-consuming.
  • There are not enough data to support quantitative analysis.

I will be the first to admit that quantitative analysis will always take more time than sticking a wet finger in the air and proclaiming high risk. Then again, you get what you pay for. In my own experience working with numerous organizations, I have found that between 70% and 90% of high-risk issues in risk registers and top 10 lists do not, in fact, represent high risk. So the question becomes, how much value is there in effectively prioritizing and understanding the cost-benefit of risk management investments? 
