ISACA Journal Author Blog


Develop Sustainable Business Practices with COBIT 5

Graciela Braga, CGEIT, COBIT 5 Foundation, CPA
Posted: 5/26/2015 3:10:00 PM

Stakeholders expect businesses to create value, but at what cost? In the end, stakeholders and businesses are looking for the same thing: to protect their future. Information technology plays an important role here. It can be part of the solution or part of the problem, depending on how it is governed and managed.

COBIT 5 can be used to help enterprises create value for their stakeholders by including sustainable development in their goals and in the governance of enterprise IT (GEIT):

  • Alignment of IT and business strategy with sustainable development—This is important in order to set and maintain a governance framework that treats sustainability as a core principle.
  • IT compliance and support for business compliance with external laws/regulations and with internal policies—Enterprises should comply with regulations on human rights; environmental and social responsibility; natural resource management; information security management; and health, safety and labor. Enterprise policies have to recognize these regulations, strongly discourage exceptions and stipulate the consequences of non-compliance. Education, awareness and training activities should cover sustainability compliance issues; this will increase stakeholders’ confidence in the enterprise.
  • Management of IT-related business risk and delivery of IT services in line with business requirements—Sustainability requires identifying risk factors that could limit future generations’ ability to satisfy their needs, and putting countermeasures in place to prevent negative impacts. It also requires satisfying business requirements. Important subjects to evaluate are external laws and regulations, best practices and international standards, internal policies, and IT and business performance goals.
  • IT agility—Responding in a timely and efficient manner to a changing business environment.
  • Competent and motivated personnel—If personnel understand their responsibility regarding sustainability and respect future generations’ rights in current decision making and performance, there is a greater chance of reaching sustainability objectives.
  • Knowledge, expertise and initiatives for business innovation—Innovation enables sustainability. Knowledge, expertise and new initiatives focused on sustainability are critical to being innovative enough to discover new and more efficient ways to protect the environment, the business and IT personnel.
Sustainability is a stakeholder need and a business requirement. But more than anything, it is a human responsibility. Read my recent Journal article and share how COBIT 5 assists enterprises in achieving this goal.
Read Graciela Braga’s ISACA Journal article:
“Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses,” ISACA Journal, volume 3, 2015.

APT and Social Engineering: With New Threats Come New Assessment Methodologies

Roberto Puricelli, CISM
Posted: 5/18/2015 3:04:00 PM

During the last few years, companies have changed rapidly through the adoption of new technologies, devices and habits that improve the business on the one hand but also make them more vulnerable to cyberattacks on the other. As the attack surface expands and cyberattacks evolve using different techniques and vectors, companies need to adapt their assessment methodologies, going beyond traditional vulnerability and malware identification or data loss prevention.

For example, consider advanced persistent threats (APT). They are probably the most dangerous threats. They target specific companies and rely on social engineering as the main vector to gain access to internal information and communications technology (ICT) systems. In order to face these threats, companies should start considering tools or methodologies to evaluate their risk and the real extent of their exposure. What makes a corporation an attractive target? Could the employees effectively withstand an advanced social engineering attack? How simple is it to perform a technological attack against workstations? What kind of information is reachable, and which assets are exploitable through hidden backdoors?


The Limits of Rules

By Vasant Raval, DBA, CISA, ACMA
Posted: 5/11/2015 3:06:00 PM

Recently, with the goal of combating anorexia, French lawmakers voted in favor of a measure that would ban excessively thin fashion models from the runway and potentially fine their employers. The law would forbid anyone under a certain body mass index (BMI) from working as a runway model. In addition to protecting models from the risk of being thin at any cost, the law would, ideally, indirectly protect adolescents from aspiring to be like fashion models and possibly developing eating disorders. So, a new set of rules is born in France. Although not directly relevant to information ethics, this story highlights the role of rules in everyday life. My recent Journal column has examples of rules as they relate to information ethics.


Process Automation for Better Governance

Andrew Evers
Posted: 5/4/2015 8:27:00 AM

Process automation is an important part of any tool kit to enforce governance—for business or IT. Unfortunately, it is also one that is rarely considered, even though the benefits of automation for risk, audit and compliance are manifold. Automated processes typically document what they do as part of completing a task: automation provides clear, auditable logs that show what was done, when and by whom. With increased automation, organizations reduce the potential for manual errors and increase the speed of regularly occurring tasks or those that span a broad range of systems. This increase in efficiency leads to greater consistency, reliability and, ultimately, a better quality of service for the business.


Building a Holistic IT Security Policy

Mauricio Rocha Lyra, Ph.D., COBIT Foundation, CTFL, ISO 20000, ITIL, MCSO, OCUP, PMP, RUP and Jose Carlos Ferrer Simoes
Posted: 4/27/2015 9:40:00 AM

Information technology systems require a security policy that covers both information and communications in a balanced way. This policy should take technical, human and behavioral aspects into account in order to mitigate potential threats and vulnerabilities.

Our recent Journal article presents best practices for building a security policy for information and communication (SPIC) within the federal public administration organizations of Brazil. This approach checks whether organizations comply with best practices when developing their information and communication security policies. It also provides a comparative study to evaluate the maturity of these essential security policies. The study draws on a collection of articles and papers on information security policies and communications security policies from federal administration organizations.
