ISACA Journal Blog

The Keys to Using Analytic Techniques

Spiros Alexiou, Ph.D, CISA Posted: 11/14/2016 12:45:00 PM | Category: Audit-Assurance

Modern companies routinely collect a large amount of data, which are used for a variety of purposes, including audits. Analyzing the data and deciphering the story that they are telling could be done with very simple techniques or can require quite complex and sophisticated techniques. A number of software packages, some of them free, perform such complex analyses. These techniques can be applied by most auditors, provided they understand what the techniques do, not necessarily how they work. In my recent Journal article, I present a number of such techniques that have proven useful in audits. These techniques have different scopes and purposes, e.g., clustering automatically finds groups of similar behavior, while case-based reasoning finds the most closely related data instance in the database. 


Follow-up to Ensure That All Is Well

Ian Cooke, CISA, CRISC, CGEIT, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt Posted: 11/7/2016 11:07:00 AM | Category: Audit-Assurance

Your child is not well. In fact, he is so unwell that you bring him to visit your doctor, who asks some questions, performs some tests and, after considering the facts, writes a prescription. She tells you to ensure that your son finishes the course of prescribed antibiotics and to bring him back for a follow-up consultation. Why? Because the doctor wants to make sure that her actions have been effective. She wants to make sure that they result in your son getting better.

Now, consider your last audit. On behalf of the audit committee, you reviewed processes, procedures, applications or databases. You considered their protection from a confidentiality, integrity and availability perspective. You considered relevant standards and legislation. You asked some questions, performed some tests and, after considering the facts, you made a recommendation. But, did you or will you follow up?


Conduct a More Accurate Risk Assessment

Venkatasubramanian Ramakrishnan, CRISC, CISM, CHFI Posted: 11/3/2016 3:03:00 PM | Category: Risk Management

Your neighborhood zoo decides to conduct a risk assessment of its operations based on the threat to human life and safety of animals. The following is a snapshot of the assessment:

  1. The inherent risk level of a tiger is high, and the control value of a cage is moderate, so the final risk value of a caged tiger is moderate-high.
  2. Using the same method, the risk value for a caged hyena is moderate. However, the hyena’s cage is in a high traffic area because it is near the panda, which is the zoo’s most popular attraction, so the risk value of the hyena is also raised to moderate-high.
  3. The panda has a low risk value, but there are fears of people trying to enter its enclosure and the panda escaping. Since it also attracts the most traffic, the risk value of the caged panda is also raised to moderate-high.

The net result is that, whether it is a caged tiger, hyena or panda, all are at a moderate-high risk in the zoo’s risk assessment. Given that outcome, zoo management decides to invest in the procurement of more tranquilizer dart guns rather than focusing on security of individual animals. An unfortunate outcome of this decision is that, because its cage did not have a moat around it, the tiger manages to escape from the zoo and create chaos in the neighborhood. Since this happened outside the zoo’s normal operating hours when most of the guards were not around, the selected control failed to mitigate the threat.


Reducing the Gender Disparity in Cyber Security

Daksha Bhasker, CISM, CISSP
Posted: 10/24/2016 3:13:00 PM

Bletchley Park is great historical evidence that women do well as contributors to national security, intelligence and technology development. At its peak, Bletchley Park, the British government’s Code and Cipher School, employed about 7,000 women in its 10,000-person code-breaking operations of the German Enigma machine during World War II. The age and education of the women in this intelligence operation varied, ranging from high school graduates at 17 years old to linguists, mathematicians and talented crossword puzzle solvers. Diversity in gender and skills was integrated successfully in cryptanalysis and some of the world’s most critical security operations.


Practical Considerations in Planning an Open-source Security Monitoring Infrastructure

Furkan Caliskan, CISA
Posted: 10/17/2016 3:13:00 PM

It is not a trivial job to deploy a large-scale, open-source security monitoring infrastructure. Although you can use an easy-to-install open source solution, e.g., Security Onion, planning and knowing what to do is still an essential part of the project.

There are several considerations that need to go into this planning:

  • Storage planning—Saving all the network traffic for incident analysis purposes is a big challenge. Setting a log retention policy is essential. This decision should be made with management approval.
  • Secure Sockets Layer (SSL) traffic and privacy—Since SSL-using malware poses significant risk, inspecting SSL traffic is becoming more important every day. On the other hand, decrypting and recording SSL connections is a risk for privacy. There must be exceptions, especially for finance and health-related resources.
  • Visibility—Establishing the right visibility through the network is key for a good security monitoring infrastructure. This process should start by determining the crown jewels of the company, and sensors should be placed as near as possible to those jewels through their switches. Without doing this, analyzing network address translation traffic will be hard for the analyst.
  • Open source risk—Maintaining open-source software is not an easy job. It needs skilled personnel. It is also a risk the organization should consider. To mitigate this risk, consultancy may be an alternative.

With all of these considerations, monitoring efforts should be carefully planned and executed. For example, all traffic will be visible to the security operations center. If background checks of these personnel are not carefully done, this may be a risk for the company. Also, all changes made to the monitoring system should be audited and recorded.
