ISACA Journal Author Blog


APT and Social Engineering: With New Threats Come New Assessment Methodologies

Roberto Puricelli, CISM
Posted: 5/18/2015 3:04:00 PM

During the last few years, companies have evolved rapidly through the adoption of new technologies, devices and habits that improve the business on one side but leave them more vulnerable to cyberattacks on the other. As the attack surface expands and cyberattacks evolve using different techniques and vectors, companies need to adapt their assessment methodologies, going beyond traditional vulnerability and malware identification or data loss prevention.

For example, consider advanced persistent threats (APT). They are probably the most dangerous threats. They target specific companies and rely on social engineering as the main vector to gain access to internal information and communications technology (ICT) systems. In order to face these threats, companies should start considering tools or methodologies to evaluate their risk and the real extent of their exposure. What makes a corporation an attractive target? Could the employees effectively face an advanced social engineering attack? How simple is it to perform a technological attack against workstations? What kind of information is reachable, and which assets are exploitable through hidden backdoors?


The Limits of Rules

By Vasant Raval, DBA, CISA, ACMA
Posted: 5/11/2015 3:06:00 PM

Recently, with the goal of combating anorexia, French lawmakers voted in favor of a measure that would ban excessively thin fashion models from the runway and potentially fine their employers. The law would forbid anyone under a certain body mass index (BMI) from working as a runway model. In addition to protecting models from the risk of being thin at any cost, the law would indirectly (ideally) protect adolescents from aspiring to be like fashion models and possibly developing eating disorders. So, a new set of rules is born in France. Although not directly relevant to information ethics, this story highlights the role of rules in everyday life. My recent Journal column has examples of rules as they relate to information ethics.


Process Automation for Better Governance

Andrew Evers
Posted: 5/4/2015 8:27:00 AM

Process automation is an important part of any tool kit to enforce governance, for business or IT. Unfortunately, it is also one that is rarely considered, even though the benefits of automation for risk, audit and compliance are manifold. Automated processes typically document what they do as part of completing a task. Automation provides clear, auditable logs that show what was done, when and by whom. With increased automation, organizations reduce the potential for manual errors and increase the speed of regularly occurring tasks or those that involve a broad range of systems. This increase in efficiency leads to greater consistency, reliability and, ultimately, a better quality of service for the business.


Building a Holistic IT Security Policy

Mauricio Rocha Lyra, Ph.D., COBIT Foundation, CTFL, ISO 20000, ITIL, MCSO, OCUP, PMP, RUP and Jose Carlos Ferrer Simoes
Posted: 4/27/2015 9:40:00 AM

Information technology systems require a security policy that includes both information and communication in a balanced way. This policy should take technical, human and behavioral aspects into account in order to mitigate potential threats and vulnerabilities.

Our recent Journal article aims to present best practices for building a security policy for information and communication (SPIC) within the federal public administration organizations of Brazil. This approach checks whether organizations comply with best practices when developing their security policies for information and communication. It also provides a comparative study in order to evaluate the maturity of these essential security policies. The study draws on a collection of articles and papers on information security policies and communication security policies from federal administration organizations.


Evaluating E-health Governance Frameworks

Elena Beratarbide, Ph.D., CISA
Posted: 4/20/2015 3:20:00 PM

E-health plays an essential role in supporting health care in today’s digital society; it is perceived as crucial for high-quality and cost-effective health care. However, demonstrating the expected benefits of e-health has been difficult.

There has been a growing interest in adopting e-health governance frameworks to obtain reassurance that investments return the expected results in health care. However, how IT governance is implemented within health care and the actual impact on strategic alignment remains poorly understood.

My recent Journal article presents the findings from a recent comprehensive technical report on e-health governance. The report explores the application of well-known frameworks (e.g., COBIT and ITIL) within the National Health Services (NHS) in Scotland and their impact on e-health governance maturity and strategic alignment with health care. The report mainly presents results of a longitudinal study conducted since 2008 within Scottish health care organisations, but it offers cross-national and cross-sectoral benchmarking. My Journal article discusses the implication of these report findings.
