

Assessing control effectiveness—an essential part of every risk assessment

Mark E.S. Bernard

Control effectiveness is measured by looking at the maturity of the process. Most people agree that mature processes are documented, but why? Transferring knowledge from the human brain requires conversion from tacit knowledge to explicit knowledge, so that it can be shared, reviewed, updated and tested. Think about it. If we relied on tacit knowledge all the time, there is a good chance that the outcomes would be different every time the process was executed, unless they had a plan to follow, which is where explicit knowledge comes into play. Quality management requires that we integrate feedback loops to push a process even higher in maturity. Continuously monitoring and making adjustments to perfect the process can only be achieved with explicit knowledge.

Building the perfect control to mitigate risk is one thing, but making sure that it gets implemented, monitored and maintained adequately, so that it is functioning 100 percent, is yet another. This requires the assessment of competence for those employees or contractors who have been assigned the responsibility to get the job done! I like to leverage my knowledge as a teacher using Bloom’s Taxonomy. I create at least six basic questions to determine how much the employee knows. For example, I recently created a one-page assessment for CyberSecurity Leader.

Category: Risk Management     Published: 8/28/2014 3:02:00 PM

Young Professional Ambassadors and the IT Security Skills Shortage: Closing the Gap

Ivan Sanchez Lopez

The “2014 Annual Security Report” recently published by Cisco has highlighted the lack of new professionals and security talent as a key issue for the sustainability of our profession. By this year, Cisco estimates that the industry will still be short more than one million security professionals across the globe.

Young professionals are the future of the IT security profession, and the number of voices demanding an action plan to address the young professionals’ needs is increasing within companies, organizations, governments and the security industry in general.

ISACA is actively working on closing the existing gap with the launch of the Cybersecurity Nexus (CSX) and initiatives related to young professionals (YPs), like activities being undertaken by ISACA’s Young Professionals Subcommittee (YPS). The YPS demonstrates a clear commitment to the development of the next generation of security professionals by assisting them in the early stages of their career through mentoring, knowledge sharing and working together with local chapters to hold and promote activities targeted at younger (identified as individuals under the age of 35) ISACA members.

Category: Security     Published: 8/27/2014 3:22:00 PM

European initiatives for a more secure cyber world

Rolf von Roessing

Europe is poised to tackle cybersecurity headfirst with initiatives that are growing in strength and support. In 2013, the Cybersecurity Strategy for the European Union and the Commission Proposal for a Directive on Network and Information Security presented legal measures and provided incentives aimed at increasing the security of Europe's online environment. These efforts are supported by the European Network and Information Security Agency (ENISA), as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU).

As part of ISACA’s holistic Cybersecurity Nexus (CSX), ISACA is addressing the need for cybersecurity guidance in Europe by releasing the European Cybersecurity Implementation Series of white papers and an audit program, which includes:

  • European Cybersecurity Implementation: Overview
  • European Cybersecurity Implementation: Risk
  • European Cybersecurity Implementation: Resilience
  • European Cybersecurity Implementation: Assurance
  • European Cybersecurity Audit/Assurance Program

The white papers address cybersecurity in the context of European Union (EU) laws, regulations and best practice, with a focus on using the COBIT 5 framework and related materials. They provide practical implementation guidance that is aligned with ENISA, European requirements and good practices.

Category: Security     Published: 8/26/2014 3:07:00 PM

Secure software development governance

Stefan Beissel

Threats to data and systems leading to significant financial and reputational damage can occur when a company insufficiently implements security requirements during the development of software. Examples include the theft or corruption of customer and confidential business data and the unavailability of critical systems.

Avoiding vulnerabilities, e.g. those listed in the OWASP Top 10, is most effective when it takes place during software development itself. From the beginning, secure development should be ensured, and attack points avoided, even while the software is being designed.

A recent example of a major vulnerability caused by insecure software development is Heartbleed, which allows hackers to exploit OpenSSL and tap confidential data from encrypted TLS connections. A scan by Errata Security revealed that there are still more than 300,000 vulnerable systems reachable today.

In the context of security standards, secure software development is becoming increasingly important, too. The recently revised standards ISO 27001:2013 and PCI-DSS 3.0 have both been extended by new requirements in this respect. ISO now requires a secure development policy (A.14.2.1), secure system engineering principles (A.14.2.5) and a secure development environment (A.14.2.6). PCI now requires coding practices to protect against broken authentication and session management (6.5.10).

Category: Security     Published: 8/21/2014 3:49:00 PM

What Heartbleed taught us

The year 2014 has been dubbed “The Year of the Cyberattacks” before it even reached the halfway point, with aftershocks from Heartbleed still being felt weeks later. But did you know that attacks and bugs like Heartbleed are often 100 percent preventable? Simply put, best IT practices can create red flags before damage can be done. But, when humans are involved, laziness and shortcuts can lead to missed security steps. Technology, of course, is programmed and designed by humans, so the possibility for human error in technology is everywhere.

And it is not just human fault here, but also the technology. This is a two-pronged fork. According to security expert Richard Kenner, programs should never read from the same place in memory where they were written. That is security safety 101, but that is exactly what happened with Heartbleed. It has already been estimated that millions of dollars are being paid out by enterprises affected by Heartbleed, but what lessons can be learned from this?

Technology: Not as cutting edge as you think

Kenner points out that the programming language involved in Heartbleed is more than 40 years old; and even though new languages have been developed (and are arguably safer), that doesn’t mean they have been adopted. In addition to keeping up with languages and improving upon them, best practices simply were not followed in order to stop Heartbleed. There is technology available that ensures programs meet key properties (like that pesky reading from memory writing issue), but most companies fail to utilize it.

Category: Security     Published: 8/19/2014 3:12:00 PM