

International President: Ongoing diligence is key to address vulnerabilities such as the one in Bash

Robert E. Stroud

Diligence may not be the most exciting item on our to-do lists, but it is a time-honored practice and should be a staple. This thought rises to the top as we read news reports about the security vulnerability in the Bourne Again Shell (Bash), which is now being referred to by many as Shellshock.

Some experts counsel that the impact of this vulnerability will only be moderate and that patches will be applied appropriately. At the same time, the potential severity of this vulnerability is high—it could allow hackers to take control of affected systems, thus allowing unauthorized disclosure of information, unauthorized modification and disruption. In addition, its severity is ranked as 10, while its complexity is considered low, which might not make it a “perfect” storm but at least a “close-to-perfect” storm.

I think we all agree that our future will contain many more vulnerabilities, bugs and other incidents with varying repercussions. Human error, changing times and needs, updates to technology and the ever-present desire in some people to cause havoc will ensure that we are all kept on our toes. A combination of planning, reviewing, monitoring and ongoing diligence is needed so we can be both proactive and prepared for rapid response when needed.

Diligence includes frequently reinforcing that processes and techniques must be in place to ensure that systems are appropriately patched and upgraded. This needs to be extended to the supply chain, including vendors and partners. We need to monitor complex interconnected environments to ensure that devices in manufacturing lines and elsewhere are maintained. Penetration testing is critical and should be regularly undertaken to ensure entry points to the organization are secure and monitored. Security awareness programs should be reviewed to ensure they are thorough, updated and—even more important—exist.

Category: Security     Published: 9/29/2014 3:16:00 PM

Investing in privacy training

Rita Di Antonio

Ever since Snowden made his first revelations over a year ago, ‘privacy’ has become a bit of a buzzword. Once the prerogative of royals and stars (whose computers and online accounts continue to be among hackers’ favourite targets), in the information age the average consumer struggles to reconcile the benefits of personalised services and tailored advertising with the apprehension of not knowing what personal information about them is held by whom, where it is stored, and how it is used. Forrester calls this the ‘privacy-personalisation paradox’.

Equally, companies and public bodies face a difficult challenge: to paraphrase Voltaire, with big data must come big responsibilities. Get privacy right, and you have gained a competitive advantage. Get it wrong and—well, you’re in trouble. Target’s former CEO and its board of directors know this well. At stake: financial and reputational damages.

Category: Privacy     Published: 9/25/2014 3:12:00 PM

Focusing on the roadmap

Pedro Bagulho

Pedro Bagulho, IT audit and security manager at Baker Tilly, is a Certified Information Systems Auditor (CISA) and a new Certified Information Security Manager (CISM). He is also preparing to pursue the Certified in the Governance of Enterprise IT (CGEIT) certification and COBIT 5 Foundation certificate. Here he shares his roadmap to passing the CISM exam.

What was your exam study process?
I recommend focusing on the roadmap of the exam process. To prepare for the CISM exam, I used the CISM Review Manual and the CISM Database Questions issued by ISACA. I read the review manual in my spare time and dedicated roughly 85 hours to going through the database questions. Another great resource in my preparation was the CISM Exam Study Community within ISACA’s Knowledge Center. Here, I found peers who were also preparing for the exam, CISM certified members and other helpful ISACA members who were a valuable resource for answering questions. In addition, I read articles from the ISACA Journal and participated in ISACA webinars on information security. I also found the guidance from George Pajari’s article “Ten steps to acing a June certification exam” very helpful.

Category: Certification     Published: 9/23/2014 10:17:00 AM

Global privacy concerns about the Internet of Things

Rebecca Herold

I have been looking into the privacy risks of the Internet of Things (IoT) for the past few years. I initially became interested through my work with National Institute of Standards and Technology (NIST) while researching the privacy risks of the smart grid and leading the group responsible for NISTIR 7628 Volume 2, and then a new version two years later in NISTIR 7628 Volume 2 Revision 1. Looking into smart meters led to my personal research of looking into smart appliances and then wearables.

For the past year, I have been working with a large medical devices group (and spoke at its conference) to identify the information security and privacy risks that are created by new and emerging medical devices, many of which are “smart” devices, generally meaning they are also part of the IoT. Smart medical devices can bring significant benefits to the associated patients, such as automatically applying medication based upon health readings, or sending alerts to a physician or hospital in the event of a medical emergency. However, they also create privacy risks when inappropriate entities get access to the data and use it for malicious actions. For instance, health insurance companies that use the medical device data as a basis to increase insurance premiums or cancel health insurance coverage; or those with ill intent accessing the medical device to do physical harm to the associated individual.

Category: Privacy     Published: 9/18/2014 8:35:00 AM

International recognition and accreditation for ISACA certifications

Prof. Frank Yam

In today’s ever-changing environment it is important for professionals to be able to show tangible proof of their experience and knowledge. That is why, as the chair of ISACA’s Certification and Career Management Board, I am proud to announce that ISACA’s four certifications—Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC)—have been renewed under ISO/IEC 17024:2003 and once again comply with the American National Standards Institute (ANSI) policies and procedures.

The ISO 17024/ANSI accreditation process involves the completion of an application to validate that ISACA’s procedures for their certifications meet essential requirements for openness, balance, consensus and due process. This is a great accomplishment as the accreditation is recognized internationally and has become the hallmark of a quality certification program. This renewed accreditation demonstrates the integrity of ISACA’s certifications, enhances public confidence in the quality of the certifications and facilitates their mobility across borders.

Professionals and employers benefit from ISACA’s dedication to certification. For many professionals, a CISA, CISM, CGEIT and/or CRISC after their name confirms to employers that the professional possesses the experience and knowledge to meet the challenges of the modern enterprise. Employers often favor candidates with appropriate certifications when choosing among candidates for an open position.
Recognitions such as this speak to the integrity of ISACA’s certifications and bring further acknowledgement of the certifications globally.

Category: Certification     Published: 9/16/2014 3:10:00 PM
