Tugba Yildirim, CISA, CGEIT, CRISC
Organizations maintain their operations with the help of processes that are tailored to their working styles. Processes may differ from organization to organization according to organizational structure, business objectives and working style. An information system’s internal control system is a very important enabler of an organization because most business operations are closely tied to information technology. A risk assessment that prioritizes the design and evaluation of the internal control system for these processes is recommended.
These critical processes have been defined by taking into account the requirements that are acknowledged by most well-known IT frameworks and standards.
By highlighting the most critical IS processes through the most well-known frameworks and standards, business objectives can be achieved and the effort spent on designing and evaluating the internal control system can be prioritized.
Ian Cooke, CISA, CGEIT, COBIT-F, CFE, CPTS, DipFM, Six Sigma Green Belt, ITIL-F
One of my grandmother’s favorite sayings was, “There is more than one way to skin a cat.” This means that there is more than one way of achieving an aim. In IT auditing, this is most certainly the case. Indeed, not only is there more than one way of achieving your aim, there are often instances when the perceived or accepted best practice is not practical.
This, I believe, is true when auditing Oracle databases, where the accepted best practice is to validate the database with a security scanner. But this may not always be possible. For example, the costs may be prohibitive for smaller companies, or as a consultancy, you may not be given permission to scan a mission-critical database.
In these instances, computer-assisted audit techniques (CAATs) come into their own. CAATs can be tailored for multiple tasks, and when combined with information taken directly from the Oracle database, they can be used to provide assurance for a number of risk concerns, including many of those defined in the main Oracle Security Standards. Furthermore, your company can define its own standard within the CAAT software and use this as a basis to compare against all of its Oracle databases, thus increasing compliance and speeding up the audit process.
So there are indeed many ways to skin a CAAT.
Yo Delmar, CISM, CGEIT
The 2013 Data Breach Investigation Report reveals some alarming statistics about the rising incidence of cyberattacks and overall enterprise awareness and response strategies to cyberattacks. In 2012, there were several cases of intrusions that were successfully carried out within a matter of minutes. Yet nearly 66 percent of breaches remained undetected for several months, and 69 percent were first detected by an external party. These numbers reveal just how defenseless organizations can be against cyberattacks, irrespective of their size, location or industry.
The heightened likelihood and effects of threats, alongside mounting regulatory complexity, have put IT and risk professionals under unprecedented pressure from across all levels of the organization. Fortunately, there are tools and technology that can support a more collaborative, proactive and analytics-driven security program that aligns internal stakeholders, prioritizes resources, and protects business-critical processes and sensitive assets. However, many organizations still lack the necessary 360-degree, near-real-time view of their emerging potential threats and the associated defense strategies needed to counter those threats.
Organizations increasingly require security analytics that deliver insights into the size, scale and scope of the risk, in addition to providing the basis for root-cause analysis and remediation strategies across policies, processes and technologies. Strong metrics and security analytics frameworks can act as catalysts, transforming risk identification to more sophisticated risk intelligence. Leveraging technology can provide automation and can support ongoing threat monitoring, identification and analysis processes.
By integrating security analytics with GRC programs, organizations can establish a mature security program. By taking it one step further and aligning the program with broader business objectives and business performance metrics, organizations can achieve greater stakeholder engagement and support for additional security-related resources and investments.
A long-term and tightly integrated security and GRC program requires a clear road map that outlines the firm’s objectives, stakeholder roles and responsibilities, and key milestones. Executive involvement, ownership and accountability, especially amongst the security, risk and business teams, can lower overall enterprise risk exposure and ensure a more sustainable enterprisewide approach.
Tomorrow’s most trusted, reputable and financially sound organizations are the ones that are working today to integrate security analytics with their enterprise GRC program and technology ecosystem. Gaining the risk intelligence needed to protect the business, sustain operations and support performance is no easy feat. But establishing the vision and embarking on the journey promises a payoff that will prove to be well worth it in the end.
Read Yo Delmar’s recent Journal Online article:
“Integrating Security Analytics into Governance, Risk and Compliance Programs,” ISACA Journal, volume 1, 2014.
Munir Majdalawieh, Ph.D.
Researchers and practitioners, through empirical and field studies, indicate that traditional risk management practices are no longer sufficient to deal with the threats of today’s business environment. Intense competition, natural disasters, financial crises, terrorism, the Internet, cyberterrorism, regulatory requirements and other modern challenges require dealing with new levels of risk.
The inability to manage all kinds of risk in a cohesive and precise approach results in dramatic detriments to organizations’ abilities to compete effectively, satisfy their customers, retain their employees, meet their financial responsibilities, and meet their organizations’ goals and objectives. Moving from the traditional risk management approach to a more advanced one requires embedding risk management activities within the business processes of the enterprise and establishing a risk management repository.
The proposed Business Process-Centric Risk Management System (BPC-RMS) framework and solutions are intended to increase management’s confidence in the way functional teams cooperate when dealing with risk. The BPC-RMS framework is intended to make it more likely that risk is analyzed in a dialog setting and, in turn, by creating risk knowledge, to increase the success factors of mitigating and responding to all levels of risk. The BPC-RMS proposes a step-by-step repositioning of resources to help organizations deal with risk in an effective and credible manner regarding both threats and opportunities. It also bridges the gap between strategic and tactical risk management. This enables the entire organization to be aware of the importance of risk management and to use it continuously in all processes and activities rather than on an as-requested basis.
Jason Andress, Ph.D., CISM, CISSP, GPEN, ISSAP
I was having a discussion with someone the other day on what it takes to be a good information security professional. Looking at the problem from a high level, we might say that it takes a certain amount of technical aptitude, a moderate level of computing and networking knowledge, and, if we measure against other industries, what might be considered to be an unhealthy level of curiosity. To fill more advanced positions, we might look for specific security knowledge, but often security professionals cross over from other computing and network-related areas and have a background in areas such as development, system administration and networking.
One of the other main factors that I often find lacking in such discussions, however, is drive. The burning need to be learning, digging at a problem, building new things, sharing with others, taking things apart, and generally staying in motion and continuing to develop. The vast majority of the really skilled security professionals that I know are firmly in this group. These are the folks that I see presenting at conferences, working on open source security tools, and spending their own time and money to go to school. They do these things not because anyone necessarily demanded that they do these things, but because they saw a need, they love what they do, or they just wanted to improve themselves and their skills. These are the people with whom I want to work.
As a metaphor for the security professional, I would point you to the shark. Certain sharks, like the great white, will suffocate and die if they stop swimming. These sharks need to continually force water through their gills in order to breathe, so they really can never stop moving. So to all you security folks out there, keep swimming.
Nageswaran Kumaresan, CISA, CRISC
Recent high-profile data leakages, compliance breaches and court battles to protect intellectual property show the challenges corporate management faces when it comes to preventing information losses and leakages. Data loss or breaches occur accidentally (e.g., sending an email with confidential data to the wrong person), unknowingly (e.g., storing sensitive personal data without encryption) or intentionally (e.g., deliberately leaking information for personal gain). A typical corporate dilemma is the struggle between maintaining an open, innovative environment by sharing more data while simultaneously preventing data loss or leakage. Though traditional layered security provided protection—especially from external threats—content-centric data loss prevention (DLP) technologies create another security layer, primarily focused on protecting corporate data.
The implementation of DLP solutions should be approached holistically, and the success of DLP technologies depends on adequate planning, effective operational processes and monitoring mechanisms, and the overall governance structure. DLP technology has the capability to enforce restrictions on data access, change and transfer. It provides powerful capabilities to monitor or track all forms of data within, to and from the corporate network. A poorly designed system, ineffective operational policies and improper processes can negatively affect the business and the innovative environment.
Understanding the organization-specific risk and how a solution such as DLP can help mitigate it should be considered during the planning phase. As DLP handles sensitive corporate and personal data, the involvement of appropriate business, IT, compliance and human resources personnel is paramount for implementation success. A phased implementation and thorough testing on small target groups can provide learning opportunities and help to reduce false-positive triggers. Defining the right policies and enforcing an effective reviewing and reporting mechanism are also critical factors for success. DLP should be considered as part of a broader security landscape, and corporate policies and procedures should be progressively aligned to shape the corporate data handling culture in order to realize the greatest benefit.
Read Nageswaran Kumaresan’s recent Journal article:
“Key Considerations in Protecting Sensitive Data Leakage Using Data Loss Prevention Tools,” ISACA Journal, volume 1, 2014.
Dauda Sule, CISA
Digital forensic technology has become an important component of investigations, and not only in IT-based cases such as cybercrimes. Because of technological developments in IT, crimes can be investigated and solved using digital forensic evidence. Criminals’ locations can be traced through their cell phones. In some cases, the search history on a suspect’s computer can be used to establish a case for or against the suspect. Digital forensic evidence has been used to solve murder cases, prevent kidnappings and capture child predators.
Digital forensic evidence can also be of immense value to information security within an organization. These tools and techniques can assist in conducting internal investigations within an organization, especially when there is litigation. Discovery for litigation in this day and age has become almost completely electronic, as most businesses rely on IT platforms and infrastructure. This reliance generates a great deal of electronic data that can serve as evidence as needed. Forensic readiness helps ensure that an organization is prepared for investigations and litigation in a manner that is economical and has minimal business disruption. This is achieved by storing data and information generated in the normal course of business in anticipation of an event, such as litigation or an in-house investigation, that would require such data and information as evidence.
Digital forensic technology can be used to investigate and trace a breach on an organization’s infrastructure, which can lead to the source and indicate how the breach took place. Such knowledge would also help strengthen the organization’s security—knowing how a breach took place and what the existing loopholes are is knowledge that can be used to protect against and avoid future security breaches.
Giuseppe Arcidiacono, CISA, CISM, CGEIT
COBIT 5 for Information Security represents a revolution in the field of information security because it gives IT managers and security specialists the opportunity to align their perspectives and daily work with the new global way of doing business.
While the 20th century’s economy was founded on material and tangible assets, the focal point and the currency of the 21st century enterprise is information. For this reason, the real challenge is how to govern and manage this new virtual gold.
COBIT 5 for Information Security provides an end-to-end business view of governance of enterprise IT (GEIT), reflecting the central role of information and technology in creating value for enterprises.
This new standard was created largely to do the following:
- To describe information security in an enterprise context, including all aspects that lead to effective governance and management of information security.
- To maintain (while containing the overall cost) information risk at an acceptable level and to protect information against disclosure, modifications or intrusions.
COBIT 5 for Information Security is based on five principles tailored to the enterprise’s actual context:
- Principle 1 (meeting stakeholders’ needs): Modern organizations are called to integrate security into every aspect of management and operations. Integration begins with identifying all business processes and related stakeholders, including auditors and information security managers.
- Principle 2 (covering the enterprise end-to-end): The general application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This is not just horizontal integration. All levels of management must include information security in every business, strategic and operational planning activity.
- Principle 3 (applying a single integrated framework): Aligning with other relevant standards and frameworks at a high level ensures effective governance by avoiding overlaps and additional complexities and costs.
- Principle 4 (enabling a holistic approach): Years of experience (and failures) in information security have demonstrated that point-and-shoot approaches to managing security do not achieve the best overall results for the enterprise. A holistic approach is necessary to obtain enterprisewide efficiency and efficacy.
- Principle 5 (separating governance from management): Governance and management are distinct functions; different teams perform them, but they are strictly related and must support each other. While governance defines outcomes, management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.
Greg Zoughbi, CISA, CISM, CGEIT, CRISC, COBIT 4.1 (F), ABCP, CISSP, ITIL Expert, PMP, TOGAF 9 (C)
The main motivation of my recent Journal article is to encourage out-of-the-box thinking rather than bounded or linear thinking. If an initial business case analysis is negative, determine why and investigate what you can do about it.
Through proper risk management, it may be possible to turn around the business case and unlock hidden value. The discount rate in a net present value (NPV) analysis is related to the investment risk. Therefore, lowering the risk level leads to a reduced discount rate and a more positive NPV result when positive cash flows are expected later in the investment’s lifecycle.
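The NPV reasoning above, worked through as an added illustration that is not part of the original post; the cash-flow figures are constructed for the example:

$$\mathrm{NPV}(r) = \sum_{t=0}^{T} \frac{CF_t}{(1+r)^t}, \qquad \frac{\partial\,\mathrm{NPV}}{\partial r} = -\sum_{t=1}^{T} \frac{t\,CF_t}{(1+r)^{t+1}}.$$

The $t=0$ term (the initial outlay) drops out of the derivative, so whenever every later cash flow $CF_t$ with $t \ge 1$ is positive, the derivative is negative and a lower discount rate raises the NPV. With a constructed outlay $CF_0 = -100$ and a single inflow $CF_3 = 150$: at $r = 12\%$, $\mathrm{NPV} = -100 + 150/1.12^3 \approx 6.8$; at $r = 8\%$, $\mathrm{NPV} = -100 + 150/1.08^3 \approx 19.1$. The caveat is the sign condition: a large negative later cash flow (for example a decommissioning cost) is also discounted less at a lower rate, which works against the business case rather than for it.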
Think about business cases from a potential customer’s point of view. Then ask yourself, “What is it that I have to do to maximize the value a potential customer would receive from a particular investment?” While a potential customer may have funds, keeping it in a bank account may not be the best thing for them. Will investing in a new project or an ERP system acquisition generate more value than keeping the funds in a bank account? How can I make a potential project with my employer generate more value to the organization than what investing in a different project would generate?
An investor or potential customer would naturally tend to ask for a lower price. Some of them will also seek higher value or more benefits for their investment. The more savvy investors will also consider the investment risk and, while they may still ask for more benefits and lower prices, they will also seek to reduce the investment risk. So, look for ways to reduce an investment’s risk and unlock hidden value. Why do you think some customers require a potential vendor to be certified under international standards or have professionally certified staff?
Although the cloud is much buzzed about in the tech world, it is still new enough to be feared by many, especially by those who do not fully understand it. Most people see its benefits in flexibility, speed and cost savings. By automating processes from the cloud, organizations can achieve the benefits of automation faster and more economically than ever before.
Over the years, I have had first-hand experience with organizations that have been reluctant to automate their business and IT processes. It is not because they were afraid of automation, but because they were concerned about how they would implement it. A survey commissioned by Redwood Software in 2012 found that even though 87 percent of representatives from top global enterprises believe that automation is key for productivity, 99 percent still spent a lot of time doing repetitive manual tasks, with almost two-thirds (63 percent) of companies spending more than a quarter of their time on manual tasks. Each of these manual tasks costs the organization money every day.
In fact, implementing automation from the cloud eliminates many perceived barriers to automation. The decision to kick off a process improvement initiative with automation from the cloud does not require buying additional infrastructure or hardware, which makes automation much more feasible. Rather than just accessing applications, infrastructure or data, business and IT professionals can now build in automation that is easy to implement, change and expand. Perhaps surprisingly, the cloud can also offer more security than on-premises solutions. Because process automation touches so many activities across so many systems, shifting these to the cloud can avoid systemwide slowdowns and keep everything running smoothly. Think of how many times you have heard complaints that something critical to operations is running slowly because of, for example, a system copy in progress. Now imagine that never happening again for you or anyone else across your entire organization. It is possible.
From the automobile to Google Glass, every bit of innovative technology is initially met with fear and skepticism. When innovation can affect an entire company’s overall performance, it is no wonder that it is approached with some trepidation. However, being a late adopter of advantageous approaches, such as automation from the cloud, can cost companies real money. As early adopters begin to share their success stories with those who are more hesitant, do not be surprised if cloud-based automation is the norm everywhere very soon.