Knowledge Center > ISACA Now

 ‭(Hidden)‬ Admin Links


SciCast Calls for ISACA members to make predictions

Jamie PasfieldFor those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.

SciCastSciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events

If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of challenges we have all had knowing with being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.

Category: ISACA     Published: 7/21/2014 3:34:00 PM

International President: Cybersecurity Nexus updates and resources

Robert E StroudEarlier this year, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Security (the Cybersecurity Framework, or CSF). ISACA participated in the development workshops, and COBIT 5 was included in the CSF as a core reference.

Robert E StroudNow, as part of ISACA’s Cybersecurity Nexus (CSX), ISACA is offering a free webinar titled “How to Implement the US Cybersecurity Framework using COBIT 5.” This event takes place 29 July at 12 p.m. EST (16:00 UTC) and is the second webinar in a six-part cybersecurity series.

The US Cybersecurity Framework (CSF) helps organizations develop a prioritized action plan for preventing, detecting and responding to today's cybersecurity threats. The webinar will offer guidance on implementing the CSF in a measurable, actionable way. It will also explain how applying the industry-based framework through specific processes, such as those found in COBIT 5, makes it possible to achieve CSF outcomes that are accountable and practical.

Category: Security     Published: 7/17/2014 3:34:00 PM

What we missed at the data centre audit

Robert Findlay

With the advent of cloud computing and major purpose-built data centres, it seems that many organisations do not see the need or do not have the rights to carry out a thorough data centre review. However, there are many aspects of even the remotest of data centres that can be scrutinised.

My first job of managing an outsourced data centre at a previous employer started with a fruitless week of trying to find the signed contractwe had simply lost it! After I had gone, cap in hand, to the provider, I soon found out it was hopelessly out of date and did not reflect the services we were receiving. Of course the data centre itself had been subject to glowing audits and everyone had felt this was perfectly in hand, but the reality was that from a business point of view, it was completely out of control. No previous auditor or IT manager had even looked at it.

Many years later, I see no letup to this fundamental absence of control. And yet, as many companies cannot gain access to the data centre or focus purely on obvious controls, they have lost sight of the most important control of all. This has now happened to the extent that almost every audit of a data centre I have ever seen has not included a review at the outset of the contract. At one major e-commerce company, I was even told that it was none of my business to review it and it should be out of scope. It could not have been more in scopein fact, it was the scope!

Category: Audit-Assurance     Published: 7/15/2014 3:40:00 PM

Creating an effective vendor risk management program

Damon Stokes

We have all seen the news reports on data breaches at major companies spanning all industries and sectors. These types of stories are alarming enough to keep any organization’s senior management up at night.

Many of us today rely on partnering with vendors for critical business functions, so these headlines really hit home. Truth be told though, in some cases, these breaches were avoidable with just a little bit of due diligence. As the primary data owner, you are responsible for what happens to your customer and business information when it leaves the boundaries of your organization. So, the question becomes, “How do you minimize the risk of losing your customer data?”

Blue Cross Blue Shield of Michigan (BCBSM) recently received the CS040 Award for our Vendor Risk Management Program. This recognition is a crowning achievement for years of work in this area. Tonya Byers, BCBSM’s information security director, and I traveled to Atlanta, Georgia, USA to receive the award and present the organization’s five year program journey. We thought this would be a good opportunity to share our thoughts and lessons learned with those who have an interest in developing or improving their vendor risk management (VRM) program.

A good VRM program starts with solidifying an understanding of two critical things: 1.) The regulating bodies that govern your organization 2.) The organization’s risk appetite

Category: Risk Management     Published: 7/10/2014 3:34:00 PM

Global ISACA study: Organizations not prepared for advanced cyberthreats

Robert E StroudOnly 15 percent of organizations worldwide believe their enterprise is very prepared for an advanced persistent threat (APT) attack, and big gaps in employee education and mobile security remain. These findings come from ISACA’s new 2014 Advanced Persistent Threat Awareness Study, which published today.

The study also found that one in 5 organizations (21 percent) have experienced an APT attack, and 66 percent believe it’s only a matter of time before their enterprise is hit by an APT. Among the companies that have been attacked, only one in three could determine the source.

APTs are stealthy, relentless and single-minded, and their aim is to take information such as valuable research, intellectual property or government data. In other words, enterprises cannot afford to be anything less than very prepared—and that preparation requires more than just the traditional technical controls.

However, the majority of responding organizations still say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks. Nearly 40 percent of enterprises report that they are not using user security training and controls to defend against APTs—a critical component of a successful cybersecurity plan. Worse yet, more than 70 percent are not using mobile controls, even though 88 percent of respondents recognize that employees’ mobile devices are often the gateway to an APT attack.

Category: Security     Published: 7/9/2014 3:42:00 PM
<< First   < Previous     Page: 1 of 79     Next >   Last >>

 About This Blog


This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.

The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.

Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.


To volunteer to write a blog or suggest a topic send an email here.