ISACA Journal Blog


EU GDPR: Embracing Privacy Requirements

Tarun Verma
Posted: 2/13/2017 3:11:00 PM | Category: Government-Regulatory

We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.

As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements mentioned in the standard. The regulation is applicable to all organizations that store, process and transmit any personal data related to an EU resident. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply to even those organizations that may not have a presence in the EU, but are processing or accessing the personal data of EU data subjects.


The Risk Associated With AI

Phillimon Zongo
Posted: 2/6/2017 9:40:00 AM | Category: Risk Management

Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research. Commercial deployment of AI systems is fast becoming mainstream as businesses seek to gain deeper customer insights, lower operating costs, improve efficiency or boost agility.

The proliferation of AI raises intriguing opportunities; however, it also carries risk that should be considered, as its impacts can have significant consequences. My recent Journal article provides practical strategies to mitigate 3 crucial risk factors associated with the commercial adoption of AI:


Mitigating the Insider Threat

Rodney Piercy, CEH, CISSP
Posted: 1/30/2017 3:06:00 PM | Category: Risk Management

As we become more and more connected to and dependent on technology, we also become more and more vulnerable. Most organizations spend a large amount of resources defending against the outsider threat, but what about the insider threat? The insider threat can be just as costly and devastating as the outsider threat, but how do you control and monitor the people who must have access to the systems and data that you are trying to protect? Do we as cybersecurity professionals really understand what options we have when dealing with an insider threat? Here are some methods to mitigate the insider threat:

  • Hiring practices—This is the first opportunity to find an insider threat. The personnel office has the ability, through social media and other avenues, to get a good understanding of an applicant’s personality and beliefs.
  • Policies and procedures—Most organizations already have policies and procedures in place. These must be reviewed, updated regularly and enforced to be effective. They cannot simply be put in place and forgotten.
  • Training—Many organizations provide some type of training as well. For training to be useful, it must be interesting and relevant to employees. If it is not, the training will not be useful to employees or the organization.
  • Culture—This is where many companies fail. If the culture of the organization is to take care of employees, they are much more loyal to the organization. If employees are not treated as valuable, they are much less likely to take care of the organization and may not be as concerned about the security of the systems and data they work with regularly. In addition to promoting security, good company culture will also play a role in reducing the insider threat.
  • Automation—Automation is an area that is currently being researched. There are ways to monitor certain keywords and other specific activities, but we must be careful when considering automated tools that monitor employees because they can very easily pose privacy issues. There are also automated means that are not directly related to the employee. The actions that an individual may take can cause issues within the network, and good network monitoring tools could give clues as to whether anomalies seen on the network are actually insider actions.

Which methods are used, and how they are used, depends on the organization. Other factors affect the methods chosen, such as budget, the amount and types of data, the importance of the data, and leadership buy-in. The way we deal with the insider threat may vary, but it is a threat that each organization must understand and mitigate.


Dispelling Concerns Regarding Quantitative Analysis

Jack Jones, CISA, CRISC, CISM, CISSP
Posted: 1/23/2017 3:18:00 PM | Category: Risk Management

In my recent Journal article, I stated that our profession needs to adopt quantitative methods of risk analysis to enable well-informed executive stakeholder decisions. Common reactions to this notion include:

  • Quantitative risk measurement is too time-consuming.
  • There are not enough data to support quantitative analysis.

I will be the first to admit that quantitative analysis will always take more time than sticking a wet finger in the air and proclaiming high risk. Then again, you get what you pay for. In my own experience working with numerous organizations, I have found that between 70% and 90% of high-risk issues in risk registers and top 10 lists do not, in fact, represent high risk. So the question becomes, how much value is there in effectively prioritizing and understanding the cost-benefit of risk management investments?


Governance and City Development

Graciela Braga, CGEIT, COBIT Foundation, CPA
Posted: 1/17/2017 3:01:00 PM | Category: COBIT-Governance of Enterprise IT

Most of us live in cities. We are always busy, so we only see the impact and benefit of IT when it is not there, e.g., during failures, service unavailability, loss of physical devices, natural disasters and so on.

The definition of “city” has evolved, and IT has been an enabler for that evolution, transforming cities to become smart or smart sustainable. All types of disruptive or cognitive technology used in this transformation have benefits and risk, but if they are well governed, the probability of value delivery increases.

In my recent Journal article, I present how an IT governance framework can be implemented to help cities get value from the use of IT, following the structure proposed by ISACA’s publication Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT.
