ISACA Journal Author Blog

Staying Secure in the IoT

Marcelo Hector Gonzalez, CISA, CRISC, and Jana Djurica
Posted: 3/30/2015 3:22:00 PM | Category: Security

The Internet of Things (IoT) is changing how people and technology interact. With billions of devices projected to be connected in the near future, the opportunity to be innovative is amazing.

In recent months, there have been several publications discussing the IoT, with many articles in favor of it and many against it. On one hand, it is said that all things should be connected: refrigerators, coffee machines, wearables, microwaves, umbrellas, fitness bands and drones. On the other hand, there is an opinion that this trend needs to be stopped, regulated or banned by government organizations because of security and privacy concerns. For example, the US Federal Trade Commission (FTC) publicly raised concerns about the security risk associated with the rising number of interconnected systems and devices.

Preventing Cyberattacks With COBIT 5 Processes

Fredric Greene, CISSP
Posted: 3/22/2015 3:01:00 PM | Category: Security

It is easy to second-guess organizations after an attack, as opposed to working with them on cybersecurity or information security initiatives. But this questioning can also offer some benefit, helping security professionals learn what could have been done to defend the organization against the cyberattack. The following is a brief look at the attacks on Sony, Morgan Stanley and Anthem as a sample across the entertainment, financial and health insurance industries:

  • Sony Pictures Entertainment (SPE) was the victim of a breach that exfiltrated more than 100 terabytes of data (47,000 records), after which large volumes of data were erased. Servers, networks and other infrastructure were rendered nonoperational.
  • Morgan Stanley was the victim of an internal financial adviser who stole data on 350,000 clients using a reporting tool that gave him access to massive amounts of data on clients.
  • Anthem suffered the disclosure of 80 million unencrypted customer and employee records accessed through stolen administrator credentials.

I would suggest that there are specific COBIT® 5 processes and practices that can be effective in halting or minimizing these types of attacks.

A Security Solution Needs to Fit Like a Great Suit

Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
Posted: 3/9/2015 3:08:00 PM | Category: Security

The selection of a security solution is a critical decision for an information security program. With the plethora of security solutions available, finding the best fit for an enterprise and its security needs can be a challenging and time-consuming task. When cost constraints are added to the picture, the selection process becomes even more problematic. There is a temptation to go with what is already familiar or select a solution that is already in use at a similar organization. But the best place to begin is by identifying critical functional requirements and restrictions for a security solution. The goal is to define, in a vendor-neutral fashion, a generic prototype of the security solution being sought. This should be done before doing any vendor research. This process should also spot potential attributes of a solution that may clash with the organizational environment.

Tips for Implementing a Secure Cloud System

Larry Wlosinski, CISA, CISM, CRISC, CAP, CBCP, CDP, CISSP, ITIL V3
Posted: 3/2/2015 7:59:00 AM | Category: Security

Cloud technology had a strong start because it followed the same development path as other systems. That path was to develop capabilities and add features to systems with little regard for information security. Over the years, cloud applications have emerged as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud systems are deployed as private, community, public and hybrid models. They are all over the Internet and are accessible by many types of mobile devices.

Over time, many cloud systems have crashed and incurred a variety of problems. Because of this, and the fact that many people are not paying attention to these issues, I wrote my recent ISACA Journal article, “Cloud Insecurities.” In the article I talk about the threats, vulnerabilities and weaknesses that people have accepted as a way of life and tend to ignore. Many of the article’s observations come from reading the Department of Homeland Security (DHS) Daily Open Source Infrastructure Report and from the Cloud Security Alliance (CSA) reports. To address the cloud problems, my Journal article suggests countermeasures that may or may not have been considered or implemented, and there are some questions that may help organizations think through cloud vulnerabilities.

Applying Porter’s 5 Forces Model to Risk and Security

Yuri Bobbert
Posted: 2/9/2015 3:08:00 PM | Category: Risk Management

A large portion of academic and practitioners’ literature focuses on implementing and validating existing security frameworks or guidelines. Limited academic research is done on strategizing risk and security. Formulating a security strategy depends on several perspectives and is usually different for each company. Formulating this strategy depends on regulations, technologies, business processes and the interaction among numerous partners in the digital value chain. These dynamics vary in force and frequency. The importance of a well-thought-out strategy is examined and elaborated on in several studies by strategists in all types of industries.
