Is HIPAA Compliance Enough to Keep Your Organization Safe?

Anna Johannson
The Health Insurance Portability and Accountability Act (HIPAA) has evolved considerably to keep up with the demands of our modern society. Now that protected health information (PHI) is kept via electronic records, healthcare organizations need to comply with the HIPAA Security Rule if they want to keep their patients’ data private (and avoid a hefty fine).

What’s Required for HIPAA Compliance?
HIPAA compliance requirements can be complicated, but at a minimum, you’ll need to do the following:

  • Only access PHI information when you need to and/or when you have permission. First, you’ll need to comply with all former iterations of HIPAA by not accessing PHI data unless you have the patient’s explicit, written permission to do so, or if it’s required to treat your patient adequately.
  • Have an emergency plan to access PHI. In some cases, you may not be able to get your patient’s permission, and you may not have the account access necessary to retrieve it. What happens then? To be HIPAA-compliant, you’ll need to have an emergency plan in place.
  • Limit and secure email transmissions of PHI. At times, you may need to transmit patient information via email. Avoid these situations when possible, and make sure you’ve upgraded your email platform to be HIPAA-compliant when transmitting via email becomes necessary.
  • Back up all patient data. This should be common sense, but have a backup in place for all patient data, preferably, a HIPAA-compliant source of cloud storage. Don’t risk the damage or destruction of patient data.
  • Give role-based permissions to staff. Your staff members shouldn’t have universal access to patient records. Establish multiple roles, with varying types of permissions, so staff members can access only the data they need.
  • Take precautions against malware. Malware can bring your entire system down, so make sure you have a strong antivirus platform in place, and keep all your apps updated.
  • Maintain different passwords, and change them routinely. Every staff member should have a unique password, and be prompted to change those passwords regularly.
  • Maintain activity logs and audit controls. Your digital systems should keep track of activity, noting when records are accessed or changed. That way, you can audit them in event of a breach or other suspicious activity.
  • Never leave PHI out in the open. Avoid leaving PHI open on a computer. Always log out before leaving a room.
  • Enable automatic logouts. Computers should log out automatically if left unattended for a few minutes.
  • Don’t share PHI information. Staff members shouldn’t share PHI with anyone unless they have explicit permission from the patient and/or orders from a physician to do so.
  • Dispose of PHI information properly and completely. If and when you need to delete patient records, do so completely and securely. That means shredding all documents and wiping all hard drives.
  • Keep an updated training program. Your staff should always be up-to-date on the latest HIPAA security practices. Make sure your training program dedicates enough time to learning these fundamentals, and introduces new information as it becomes available.
  • Have and test a disaster recovery program. What happens if your system’s integrity is compromised? Have a plan in place and test it to ensure it’s working and that staff understand it.
  • Ensure all partners and vendors are following proper procedures. A breach from outside your organization can compromise your PHI; make sure your partners and vendors are HIPAA-compliant as well.
  • Report any security incidents. If you do encounter a security breach, report it, and update your policies to guard against similar events in the future.
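Two of the items above, role-based permissions and activity logs with audit controls, are controls you can actually see working in code. The following is an added example, not code from the ISACA post: a small in-memory model in which each role sees only the record fields it needs, every attempt (allowed or denied) is written to an append-only log, and two helper queries answer the questions an audit asks. The role matrix, user names, record id and patient fields are all constructed.

```python
"""Role-based access to PHI records with an activity log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role matrix (assumption): which fields of a record each role may
# see, and which roles may modify records. A role not listed here sees nothing.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "nurse": {"name", "medications"},
    "billing": {"name", "billing_code"},
}
WRITE_ROLES = {"physician"}


@dataclass(frozen=True)
class AuditEvent:
    when: str        # UTC timestamp, ISO 8601
    user: str
    role: str
    action: str      # "read" or "write"
    record_id: str
    allowed: bool


class PhiStore:
    """In-memory PHI records plus an append-only activity log."""

    def __init__(self, records):
        self._records = {rid: dict(fields) for rid, fields in records.items()}
        self.audit_log = []

    def _log(self, user, role, action, record_id, allowed):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, record_id, allowed))

    def read(self, user, role, record_id):
        """Return only the fields the role may see, or None if the attempt is denied."""
        visible = ROLE_FIELDS.get(role, set())
        allowed = bool(visible) and record_id in self._records
        self._log(user, role, "read", record_id, allowed)
        if not allowed:
            return None
        record = self._records[record_id]
        return {k: v for k, v in record.items() if k in visible}

    def write(self, user, role, record_id, updates):
        """Apply updates only if the role may write and touches only fields it may see."""
        visible = ROLE_FIELDS.get(role, set())
        allowed = (role in WRITE_ROLES and record_id in self._records
                   and set(updates) <= visible)
        self._log(user, role, "write", record_id, allowed)
        if allowed:
            self._records[record_id].update(updates)
        return allowed


def denied_events(log):
    """Denied attempts are the first thing to review when auditing the log."""
    return [e for e in log if not e.allowed]


def events_for_record(log, record_id):
    """Who touched a given record: the question a breach investigation asks first."""
    return [e for e in log if e.record_id == record_id]


# Constructed sample data; not real patient information.
SAMPLE_RECORDS = {
    "P-1001": {"name": "Sample Patient A", "diagnosis": "example",
               "medications": "example", "billing_code": "X00.0"},
}


def demo():
    """Run a handful of constructed access attempts and return the store."""
    store = PhiStore(SAMPLE_RECORDS)
    store.read("dr_lee", "physician", "P-1001")                                # allowed
    store.read("clerk_01", "billing", "P-1001")                                # allowed, billing view
    store.read("temp_03", "front_desk", "P-1001")                              # denied: no role entry
    store.write("nurse_07", "nurse", "P-1001", {"diagnosis": "changed"})       # denied: nurses do not write
    store.write("dr_lee", "physician", "P-1001", {"medications": "updated"})   # allowed
    return store


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

The point of keeping the denied attempts in the log, rather than only the successful reads, is that the denied rows are what tell you a user is probing records outside their role.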

Are these standards enough?
Meeting HIPAA standards will ensure your organization remains HIPAA-compliant, avoiding legal trouble that could arise if you slip up. But is it truly enough to keep patient data safe?

HIPAA doesn’t have set requirements for specific types of security; for example, it doesn’t mandate that you use a certain encryption standard, or set your passwords in a specific format. Instead, it’s up to your discretion how to set those standards for your own organization. Competent security isn’t just about checking items off a list; it’s about creating an environment that’s actively searching for and guarding against potential new threats, and evolving to face those threats more efficiently.

In short, HIPAA standards are a great start to any organization’s data security, but they aren’t enough to have a truly comprehensive security program.

Learning to keep up
Even if you believe all your current practices keep your organization HIPAA-compliant, and even if that level of compliance is enough to keep your patients’ data safe, it may not stay that way for long. HIPAA is constantly being updated to respond to new threats and add newer, better layers of protection for patients in the United States. If you want to stay ahead of cybercriminals, and remain in compliance with these regulatory requirements indefinitely, you’ll need to stay plugged into the latest news—and be willing to adapt your security protocols at a moment’s notice.

Action Plan for HIPAA-Compliant Cloud

Adnan Raja
HIPAA compliance involves treating your data with extreme sensitivity, so you should view any related technology with extreme care.

Note that the security of a public cloud architecture has often been described as an asset. For instance, Tripwire wrote that “the Cloud is more secure than on-premise backup, storage, and computing systems” – citing regular audits, controlled access, security knowledge, surveillance, and perimeter defenses. However, a poll by SDxCentral found that, across industry, security and compliance was the primary challenge related to public cloud. With 62 percent of respondents indicating this, it was a higher stress than cost management (46%), lack of performance visibility (44%), and cost predictability (41%).

Since healthcare companies have to be so centrally focused on compliance, particularly with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this concern over cloud compliance deserves special attention. How can you leverage cloud for all its positives without suffering a violation? A few chief concerns should be addressed.

Focus on the BAA.
The US Department of Health and Human Services (HHS), the federal agency that develops and enforces HIPAA regulations, has issued specific guidance related to meeting compliance with cloud systems. This guidance advises that cloud service providers (CSPs) are considered business associates when they generate, receive, send, or store electronic health data, whether they are doing so for a covered entity or business associate. In fact, HIPAA compliance is necessary for cloud vendors that are entirely handling personally identifiable health records (the electronic protected health information, or ePHI, of HIPAA) that is encrypted and for which the provider does not have a key.

Even if a cloud firm does not have any way to access data except in encrypted form (thus meeting the confidentiality requirement), it still must maintain the integrity and availability of the data. As in any other business associate relationship, a business associate agreement (BAA) must be signed by both parties (or a subcontractor BAA, if applicable). Note that the HHS also refers to this document, less commonly, as a business associate contract. The cloud vendor is legally responsible for adhering to the agreement’s provisions. Beyond meeting the BAA’s parameters, the cloud firm also must be HIPAA-compliant itself: ever since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) went into effect in 2013, business associates have been directly responsible for HIPAA compliance.

Know that the data is, in fact, protected health information.
Protected health information (PHI) is the information under the umbrella of HIPAA rules. Encrypted PHI is still PHI. However, if the data has been de-identified (whether encrypted or unencrypted), it is not PHI.

Work with a cloud provider that is ready to scale.
With acquisitions on the rise in healthcare, it is particularly important to know that a CSP can expand with you. If an acquisition occurs, the vendor should be able to quickly spin up new servers. Scalability is important because you must have enough resources to meet your demand to comply with HIPAA’s availability requirement.

Create a dual relationship.
In signing a BAA with a CSP, you should be creating a two-part relationship that encompasses both business and technical functions. Permitting a balanced interconnection between different healthcare services and knowing about the covered entity or business associate that is contracting with them (i.e., you) are core elements of a cloud vendor that deserve your attention.

Pay attention to use cases.
Think in terms of use cases when you assess CSPs. Many cloud vendors now have HIPAA-compliant business associate agreements readily available (although certainly not all do). Even among those that have BAAs in place, they are not created equal. You especially must be concerned that the organization can customize to suit your requirements when you're looking for a data backup or disaster recovery service, noted Bill Kleyman. Plus, commitment and expertise related to compliance will vary greatly.

Verify transparency.
You want to have a reasonable view of the cloud firm’s operations and business to assess risk and meet compliance.

Check for HIPAA certification.
Does the CSP have a HIPAA compliance certification from a trusted, credible third party, based on a recent audit? Look over the provider’s implementations and control matrix.

Conduct routine risk assessments.
Do your CSPs conduct routine risk assessments? Risk assessments are fundamental to HIPAA compliance – and they must be ongoing. The HHS is extremely clear on this point. The language on risk assessments is somewhat loose but specific: “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years), depending on circumstances of their environment,” notes the HHS.

Select the right cloud partners.
Compliance can become especially challenging when you consider your business associates – and cloud providers represent specific risks. By following the above guidance and additional insights provided through the HHS site, you can feel certain that your cloud is healthcare-compliant.

Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.

Doing the Math: The Value of Healthcare Security Controls

Adnan Raja
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a central concern of US organizations that are in any way involved with the creation, access, processing or storage of sensitive confidential health records – electronic protected health information (ePHI). The Security and Privacy Rules are a particular point of focus since violation of those guidelines often leads to federal fines and settlements; those parameters are covered under Title II of HIPAA.

A newer piece of healthcare legislation is the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. The first act is typically discussed in terms of concern with security and privacy of health records, while the second is generally described as increasing the implementation of digital health records and technologies. However, Subtitle D of HITECH is specifically focused on issues of security and privacy of electronic health data; it achieves this end by modifying and elaborating on those parameters within HIPAA. Essentially, if an organization is HITECH-compliant, that means that they are compliant with the most recent HIPAA security and privacy stipulations contained within the 2013 Omnibus Rule.

HITECH gives professionals a chance to work with an access governance model so that they can better control who does and does not get access to information – particularly for any systems that contain ePHI. When companies do implement some of the lessons they can glean from HITECH into the structure of their organizations, they will see that it costs them less to operate and that they are better able to create more efficient workflow to manage access risk. Both this reduction in the cost of operation and the streamlining of workflow improve the security of the organization while boosting its value.

To consider that specific notion of value from a security system, it helps to look at the return on security investment (ROSI) of a HIPAA compliant system – and we can use the analogy of soccer.

ROI and ROSI—Like Offense and Defense
Return on investment (ROI) and return on security investment (ROSI) initially seem to be almost identical concepts. However, you can start to understand what makes them dissimilar when you think about how you arrive at an ROI figure: add up the gains, subtract the cost and divide the difference by the cost. Immediately it’s clear that formula will not work: you will not typically profit from adding security measures. Instead of focusing on gain, the intent of the ROSI concept is to limit your losses and help your organization’s value from that perspective. For that reason, rather than thinking in terms of gain and scoring goals as you would with a soccer team, think in terms of not letting the other team score.

You can figure out how much value is being achieved with your security controls by performing a quantitative risk assessment, as noted by the European Union Agency for Network and Information Security (ENISA). In order to come up with your ROSI number, you need to first look at other data: the ARO, SLEs, ALE and mALE.

Calculating ROSI
The single loss expectancy (SLE) denotes the total cost of a single security incident. The annual rate of occurrence (ARO) is the probability that the incident will take place during a single year. The annual loss expectancy (ALE) is the complete loss from security incidents throughout the year. Finally, the modified ALE (mALE) is the ALE, plus whatever losses are avoided through adoption of the security mechanism – as expressed by the mitigation ratio (the percent of threats the solution is able to counter).

To get the ROSI itself, you want to multiply the ALE by the mitigation ratio (producing the mALE), and then subtract the cost of the security apparatus. Divide that total by the cost of the security plan. The end result is the return on security investment.

In other words, you will get the ROSI figure by adding up your loss reduction numbers, subtracting how much you spent on the security mechanism to achieve that loss reduction, and then dividing by the amount you spent on the protective system. You want the number to be higher for ROI, but you want it to be lower for ROSI.
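The arithmetic above is short enough to carry through end to end. The following is an added example, not part of the post or of ENISA's material: it computes SLE, ARO, ALE, the ALE-times-mitigation-ratio term the post calls mALE, and ROSI exactly as defined in the preceding paragraphs, then shows the same figure via the before-and-after loss-reduction form and how far it swings when the mitigation ratio is only known as a range. All monetary figures and ratios are constructed.

```python
"""ROSI worked through with the quantities named in the post (added example)."""


def ale(sle, aro):
    """Annual loss expectancy: cost of one incident times expected incidents per year."""
    return sle * aro


def loss_avoided(ale_before, mitigation_ratio):
    """The mALE term of the post: the slice of the ALE the control is expected to stop."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio is the fraction of threats countered, 0..1")
    return ale_before * mitigation_ratio


def rosi(ale_before, mitigation_ratio, control_cost):
    """(ALE x mitigation ratio - cost of control) / cost of control."""
    if control_cost <= 0:
        raise ValueError("ROSI is undefined for a control that costs nothing")
    return (loss_avoided(ale_before, mitigation_ratio) - control_cost) / control_cost


def rosi_from_before_after(ale_before, ale_after, control_cost):
    """Same figure via loss reduction: (ALE before - ALE after - cost) / cost."""
    if control_cost <= 0:
        raise ValueError("ROSI is undefined for a control that costs nothing")
    return (ale_before - ale_after - control_cost) / control_cost


def rosi_range(ale_before, ratio_low, ratio_high, control_cost):
    """ROSI at the pessimistic and optimistic ends of an uncertain mitigation ratio."""
    return (rosi(ale_before, ratio_low, control_cost),
            rosi(ale_before, ratio_high, control_cost))


# Constructed figures (assumptions): one incident costs 250,000 and is expected
# once every five years; the control costs 10,000 a year and is believed to
# counter 60% of those incidents, but the estimate could be anywhere in 30..80%.
SLE = 250_000.0
ARO = 0.2
MITIGATION = 0.6
CONTROL_COST = 10_000.0


def worked_example():
    """Return every intermediate figure so the chain can be checked by hand."""
    ale_before = ale(SLE, ARO)                       # 50,000
    avoided = loss_avoided(ale_before, MITIGATION)   # 30,000 (the mALE term)
    ale_after = ale_before - avoided                 # 20,000
    return {
        "ALE_before": ale_before,
        "mALE": avoided,
        "ALE_after": ale_after,
        "ROSI": rosi(ale_before, MITIGATION, CONTROL_COST),
        "ROSI_via_loss_reduction": rosi_from_before_after(ale_before, ale_after, CONTROL_COST),
        "ROSI_range": rosi_range(ale_before, 0.3, 0.8, CONTROL_COST),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

The range line is the practical takeaway: with the same costs, moving the assumed mitigation ratio from 30% to 80% moves the ROSI from 0.5 to 3.0, which is why the number is only as good as the estimate of what the control actually prevents.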

Problems with ROSI
What exactly is the loss reduction, though? By subtracting the annual loss expectancy once the security system is implemented from the annual loss expectancy prior to its adoption, you get the loss reduction. The issue is that the second figure is not easy to measure accurately, with confidence. The figure often has more to do with suggestions made within individual projections and broader polling than it does with real objective measurement.

Pete Lindstrom has said that what must be involved when looking at any solution is effectively a “gut check,” asking oneself point-blank if the amount spent on security achieves a loss reduction that justifies the cost.

Beyond ROSI
As you can see, ROSI can be problematic when it is taken too seriously as an absolute. For greater accuracy when determining value of security, it helps to think about how security can be considered – different perspectives and factors when attempting to accurately apply a value to it, as indicated by Steven J. Ross, CISA, CISSP, MBCP. First, there is the notion of a threshold condition for adequacy of security solutions, without which a business could not be sold because protections do not meet standards of “adequacy.” A higher degree of security would be sufficiency – based on an independent metric that goes beyond the needs of adequacy. Intellectual property should be factored into any estimation of the worth of security solutions, since that asset is being protected. Plus, security should be considered in terms of facilitating sales, since security solutions will often lead to greater revenue.

In the context of healthcare, you want to consider how precious the ePHI is. Because of the various costs related to compliance and general data protection, expenses incurred in a healthcare data breach are diverse, ranging from forensics to breach notifications to lawsuits to lost revenue to lost brand value to post-breach cleanup – and that doesn't even include the federal fine. By implementing industry standards such as those of ISACA, you can systematize your controls and auditing, resulting in security that you and your clients can trust – and that really is holding true as a valuable data defense.

Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.

Advancing a Symbiotic Relationship Between COBIT, ISO Governance Standards

Judd Hesselroth
As a 2003 CISA recipient and a former honorary secretary of the ISACA Singapore Chapter’s board of directors, I am honored to be selected as the ISACA liaison to the International Organization for Standardization (ISO) Technical Committee 309 – Governance of Organizations.

Having served nearly three years as the chair of the US Technical Advisory Group to ISO Project Committee 278 to help develop, draft and evangelize the ISO 37001 Anti-Bribery Management System Standard, I see this as a wonderful opportunity to not only keep both the ISACA and TC-309 communities informed of significant developments in the world of governance and compliance, but also to help shape and develop newly proposed ISO standards while supporting and strengthening existing ones.

As you may already be aware, TC-309 is focused on standardization in the field of governance relating to aspects of direction, control and accountability of organizations, and is responsible for:

The symbiotic relationship of COBIT and ISO governance and compliance standards, particularly in the realms of data governance, privacy, security in the cloud and the Internet of Things, likely goes without saying. However, having the opportunity to proactively and positively engage, inform, shape and contribute to this relationship with fellow subject matter experts from 40-plus countries is rare, and I thank ISACA for enabling me to participate in this partnership. 

Author’s note:  Judd Hesselroth is a Director in Microsoft’s Office of Legal Compliance, where he has focused primarily on anti-corruption programs and ISO 37001 since 2010, and prior to that, internal audit.

Data Analytics Maturity Models and the Control Environment

Angel Serrano
Organizations have recently raised concerns on their data analytics capabilities. There are several motivations for this increased interest in data analytics, such as fulfilling regulatory requirements, increasing efficiency and reducing cost. However, the primary reason is focused on the identification of business opportunities. The most typical questions include:

   • Are we maximizing the value from the data we currently have?
   • Are we missing business opportunities because we do not use our customer data?
   • What is the competition doing?
   • What are the best practices in the market?

It is difficult to answer these questions without a structured model that defines what is “basic” and what is “advanced.” It helps to provide a simple maturity model that is easy to understand.

The maturity levels below show a basic and summarized model based on the current situation in the financial services sector, and are based on what the industry wants to achieve.

  • Level 1: Basic data analytics capability. Systems and applications working in silos and analysis performed on individual databases on end-user computing tools (e.g., spreadsheets and Access databases). Limited analysis can be done at this level due to the limitation of the tools and the data used.
  • Level 2: Specific analytics function. Interaction between systems (e.g., data warehouses or data lakes) and usage of data analysis tools that allow integration of different data sets. Analysis can be reused on those systems that combine different data sets. However, there is a gap between the business and its data analytics teams.
  • Level 3: Business intelligence capability. Adding a business intelligence platform (data visualization ledger) to the previous maturity level. This allows the end users to perform their own analysis through dynamic dashboards.
  • Level 4: Prediction Analytics (artificial intelligence). Adding to the previous maturity level the usage of statistical analysis that allows for the creation of prediction models and algorithms based on parameters or scenarios.

Some organizations want to achieve the best maturity level without having basic controls in place, which can create erroneous results due to the lack of quality in the data used. An appropriate level of control and data governance function is critical for the success of the data analytics function, and helps to progress through the maturity model.

Examples of basic controls that must be in place before progressing to the next level include:

  • Input controls on entry data systems and applications, such as range controls (e.g., age must be between 18 and 100), avoid zeros and blanks, invalid characters, etc.
  • Reconciliations (or equivalent) on interfaces and transfers of data between systems and applications; sometimes control totals on the number of transactions and the total value provide a sufficient level of comfort.
  • Assurance that calculations performed on applications are correct. Reperform calculations in an independent environment in order to ensure that calculations are performed correctly.
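The three controls listed above are simple enough to implement as a gate in front of an analytics feed. The following is an added example, not code from the post: range, blank and invalid-character checks on incoming records; a count-and-total reconciliation between a source extract and what the target system loaded; and an independent recomputation of a total the application reports. The record layout, the permitted-name pattern and all sample rows are constructed.

```python
"""Basic data-quality controls in front of an analytics feed (added example)."""
import re

# Assumption: names may contain letters, spaces, hyphens and apostrophes only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]*$")


def validate_record(rec):
    """Return the list of control failures for one input record (empty means it passes)."""
    errors = []
    age = rec.get("age")
    if age is None or age == "":
        errors.append("age blank")
    elif isinstance(age, bool) or not isinstance(age, int):
        errors.append("age not an integer")
    elif not 18 <= age <= 100:
        errors.append(f"age {age} out of range 18..100")
    amount = rec.get("amount")
    if amount in (None, "") or amount == 0:
        errors.append("amount zero or blank")
    name = rec.get("name") or ""
    if not NAME_RE.match(name):
        errors.append("name blank or contains invalid characters")
    return errors


def validate_batch(rows):
    """Map row index -> failures, listing only the rows that fail a control."""
    result = {}
    for i, row in enumerate(rows):
        errs = validate_record(row)
        if errs:
            result[i] = errs
    return result


def control_totals(rows):
    """The two numbers a reconciliation compares: record count and summed value."""
    return len(rows), round(sum(r["amount"] for r in rows), 2)


def reconcile(source_rows, target_rows):
    """Compare control totals across an interface; a difference means rows were lost or altered."""
    src_count, src_total = control_totals(source_rows)
    tgt_count, tgt_total = control_totals(target_rows)
    return {
        "count_diff": src_count - tgt_count,
        "value_diff": round(src_total - tgt_total, 2),
        "match": (src_count, src_total) == (tgt_count, tgt_total),
    }


def reperform_total(rows, reported_total):
    """Independently recompute a figure the application reports and say whether it agrees."""
    recomputed = control_totals(rows)[1]
    return {"recomputed": recomputed, "reported": round(reported_total, 2),
            "agrees": recomputed == round(reported_total, 2)}


# Constructed sample extract; the target copy is missing the third row, as if an
# interface dropped it in transfer.
SOURCE_ROWS = [
    {"id": 1, "name": "Ana Lopez", "age": 34, "amount": 100.00},
    {"id": 2, "name": "Li Wei", "age": 52, "amount": 250.50},
    {"id": 3, "name": "Sam O'Neil", "age": 41, "amount": 75.25},
    {"id": 4, "name": "Priya Nair", "age": 29, "amount": 1000.00},
]
TARGET_ROWS = [r for r in SOURCE_ROWS if r["id"] != 3]

# Constructed rows that should be rejected at the input control.
BAD_ROWS = [
    {"id": 5, "name": "J0hn<", "age": 17, "amount": 0},
    {"id": 6, "name": "Sam", "age": "", "amount": 5.0},
]


if __name__ == "__main__":
    print(validate_batch(SOURCE_ROWS + BAD_ROWS))
    print(reconcile(SOURCE_ROWS, TARGET_ROWS))
    print(reperform_total(SOURCE_ROWS, 1425.75))
```

Run as-is it reports no failures for the four good rows, three failures for the first bad row and one for the second, a reconciliation difference of one record and 75.25 in value, and an agreeing recomputed total of 1425.75.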

To summarize, the use of data analytics techniques and expertise can increase the value from the data that organizations can obtain. However, it is important to maintain data quality and a management framework to ensure that the data used for the analysis is fit for purpose.

Leveraging UAS Technology: Time is of the Essence

Unmanned aerial system (UAS) technology has the potential to revolutionize a broad cross-section of industries, ranging from media and telecommunications to agriculture and construction. In the future, a forward-leaning regulatory framework will allow businesses of all sizes to leverage this technology to maximize revenue, create efficiencies, and expand the scope of goods and services available to consumers, not to mention deliver hundreds of billions of dollars to the economy. The Small UAV Coalition was founded on the principle that ‘technology always wins,’ and that philosophy is more apropos now than ever before. However, federal regulators determine when businesses, consumers, and our economy can begin to benefit.

In June 2016, the Federal Aviation Administration (FAA) took an important step toward achieving this reality. After a nine-month delay, the FAA released its long-awaited Final Rule for commercial UAS operations (Part 107). The rule, effective 29 August, 2016, expanded opportunities for commercial drone operators and businesses to test and integrate a wider range of commercial UAS applications. While beneficial to industry, Part 107 was merely a small first step. Operators must travel to a designated FAA testing facility to take an Aeronautical Knowledge Test in order to obtain a remote pilot certificate and entities interested in integrating extended operations – including those beyond visual line of sight (BVLOS), at night, over people, and with multiple UAS – are subject to a lengthy and arduous waiver process.

In the six months since Part 107 went into effect, the FAA has granted just over 300 of these waivers, the vast majority of which only allow for highly restricted nighttime operations. These lingering limitations on expanded operations stifle innovation and truncate the vast economic and social benefits possible through widespread integration of UAS technology.

Many companies that utilize UAS technology saw a glimpse of the future when the FAA announced plans to release a notice of proposed rulemaking (NPRM) for operations over people by the end of 2016. This NPRM would open a public comment period that would allow industry, consumers, and government stakeholders to provide input in support of a forward-leaning final rule that embraces innovation, safety and security. With no sign of progress at year’s end, FAA Administrator Michael Huerta publicly acknowledged an indefinite postponement of the NPRM on 6 January.

The promise of an NPRM took another hit in early 2017 when the new US Administration implemented a regulatory freeze and announced intentions to require two regulations to be repealed for every new one that goes into effect in an effort to reduce regulatory burdens on businesses. Let’s celebrate the reduction of redundant or burdensome regulations while recognizing that some regulation provides clarity to industry and actually promotes investment, innovation, and job creation through removing government prohibitions. Huerta’s “steadfast commitment to… ensur[ing] drones can fly over people without sacrificing safety or security” remains a hollow promise to companies eager to integrate operations over people, but stalled by the delay. Even initiatives that face no uncertainty or interagency “miscommunication,” such as digital education tools, consumer information centers/representatives, and an automated and expedited waiver process are in some nebulous queue.

While there are undoubtedly sectors of the economy in dire need of reduced regulatory burdens and less red tape, many rapidly developing sectors of the 21st century economy are at a standstill amidst legal and regulatory uncertainty. Commercial UAS technology is evolving at a pace that has exceeded nascent regulations. The industry needs a forward-leaning, progressive regulatory framework in order to realize the vast economic and social benefits of this transformative technology.

Security issues must never be taken lightly and safety is always paramount, but we can, at the very least, initiate this critical dialogue and have transparency about the reasons why we are not. An NPRM would provide an opportunity for industry stakeholders to sit down at the proverbial table and consider all questions and concerns – safety, security, or otherwise – alongside key lawmakers and regulators. Countries around the world continue to adopt progressive UAS regulations and authorize expanded operations, outpacing US progress and our government’s commitment to American innovation. Aggressive pursuit of US leadership in the research, development, production and application of UAS technology is more important than ever – time is of the essence because, as we all know, technology always wins.

Editor’s note: A new ISACA white paper on drone usage and a related checklist can be downloaded at www.isaca.org/drones.

US Executive Order on information sharing:  A government security leader’s perspective

Recently, US President Barack Obama signed a new Executive Order to promote cyber security information sharing. As a government security leader and member of ISACA’s Government Relations and Advocacy Committee, I believe that this directive was significant because it demonstrates that government leaders can take bold steps to improve our security posture without an act of Congress. Some may argue that without legislative edicts, the new voluntary information sharing framework lacks the teeth to be successful. But I wholeheartedly disagree. As a longtime voluntary member of the Multistate Information Sharing and Analysis Center (MS-ISAC), I know from firsthand experience the value proposition of being part of an information sharing community, even one that is voluntary. If they build it, people will come, because in today’s threat-laden world, prompt access to actionable intelligence is vital.

So what does the Executive Order do? First, it elegantly expands the existing sector-based ISAC model to include regional and other information sharing constructs. In the order, all information sharing groups are collectively rebranded as Information Sharing and Analysis Organizations (ISAOs). The Executive Order also positions the National Cybersecurity and Communications Integration Center (NCCIC) to serve as the epicenter of ISAO information sharing. And finally, the order requires the adoption of consistent information sharing standards to be used by all ISAOs. Additional details can be found in the FAQ document on the White House website.

The US Department of Homeland Security is now soliciting feedback as it works to build out this new and vital link in our national security ecosystem. I am proud to report that I am one security leader who plans to belly up to the bar to lend my support because the more that we collaborate, the more secure we all will be.

As a member of ISACA, I am interested to hear your thoughts on this very important Executive Order.

Christopher P. Buse, CISA, CISSP, CPA
Chief Information Security Officer, MN IT Services

Addressing IT skills gap at State Audit Institution of Oman

Earlier this year, the ISACA Muscat chapter worked with the State Audit Institution (SAI) of Oman to help address a skills gap within its IT auditing team. After hearing about ISACA’s Certified Information Systems Auditor (CISA) and other certifications from chapter leaders, the SAI decided to sponsor any of its auditors who are interested in taking ISACA certification exams.

Though SAI is responsible for carrying out audits of all Omani government entities, the more than 500 SAI auditors carrying out field audits do not have IT audit qualification. While they carry out the functional audits, they do not focus on IT audits. Seeing a gap, SAI officials approached our chapter with questions about ISACA’s IT audit qualifications and their potential relevance to the Omani State Audit Institution.

After several meetings in which the chapter president and Government and Regulatory Advocacy (GRA) coordinator and I told SAI officials about ISACA’s certifications and their benefits, SAI decided to encourage its field level auditors to pursue CISA and other ISACA certifications—including Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC)—and to fund the examinations of any SAI auditors interested in taking ISACA exams. The Muscat Chapter also offered to hold CISA training days for them.

CISA recognizes the knowledge and skills of professionals who audit, control, monitor and assess their business’s information technology and systems. When SAI auditors earn the CISA designation, they confirm the knowledge, expertise and value they add to SAI.

We are very happy with the outcome of our work with SAI, and look forward to continuing to partner with them in the future. We found that once SAI officials understood the benefits of ISACA certifications, they were eager to become more involved. I would encourage other chapters to learn from this by being proactive in reaching out to, and meeting with, the audit institution leadership, knowing that ISACA’s offerings can be of immense help.

Mohamed Nayaz
CGEIT/CRISC Director, ISACA Muscat Chapter
GRA Area 1 Committee

ISACA Madrid Chapter’s role in government and regulatory advocacy

Serving as a volunteer on ISACA’s Government and Regulatory Advocacy (GRA) Subcommittee 3 (Europe/Africa) has been a great opportunity for me to meet new people, face new challenges and look for creative ways to use ISACA deliverables and research.

ISACA chapters, as local groups, need to take care of their members and show them the value of membership. One way of providing value to chapter members is through government and regulatory advocacy activities, with objectives including: having ISACA intellectual property (IP) adopted as good practice, making recommendations that help to implement national regulations, or even having ISACA professional certifications written into those regulations as a requisite or a recommendation for particular activities.

To achieve this, the virtues of ISACA IP and professional certifications have to be known and understood by the right people in the right positions in the regulatory bodies.

In the ISACA Madrid Chapter, we have taken GRA objectives so seriously that the president and vice president are in charge of GRA activities within the chapter. During the last five years, many efforts in this area have provided some positive results, including:

  • ISACA Madrid Chapter is one of the key players in the National Digital Trust Forum, created by the Spanish Ministry of Industry, Energy and Tourism, to take care of the Digital Agenda, leading the work group dedicated to professionals. This work group has proposed a new initiative in the Digital Agenda to foster and improve “trust” professionals (auditors, information security managers, etc.). As a collateral benefit, ISACA is well known in the Ministry in charge of digital “business.”
  • ISACA Madrid Chapter has had the opportunity to make proposals to the recently modified Law for Private Security Services, which includes regulations about information security services for the first time. Regulatory development is under way and the intention is that Certified Information Security Manager (CISM) professionals become, in some way, recognized for these kinds of activities.
  • The Spanish government project to develop a framework for cybersecurity professional certification (in the development phase) has been reoriented to consider third-party certifications, such as ISACA’s CISM and Cybersecurity Nexus (CSX) program.
  • ISACA International President Robert E. Stroud was invited to participate as keynote speaker in Cybercamp, the annual cybersecurity event promoted by the Spanish CyberSecurity Institute, INCIBE.
  • An agreement is under way with the Spanish Cyber Defense Unified Command, the unit in charge of cybersecurity defense and attack operations, to participate in its training program and help its members become CISM and Certified in Risk and Information Systems Control (CRISC) certified, and also acquire the appropriate new CSX certification.
  • Recently a collaboration agreement was signed with the Madrid Bar Association to allow the chapter to participate, through this lawyer association, in consultation on new laws and to act as a consultation body for the Spanish regulator.

We are confident that these activities and initiatives will help to assure the continuity of our chapter and even make it more relevant as the government can find continuing collaboration and knowledge through ISACA. As more professionals become certified in the public sector, more people will be willing to ask for ISACA certifications as a necessary condition for assurance roles.

If you or your chapter is considering working on GRA activities, I am more than happy to share my own experience working in this field with you.

Antonio Ramos
Vice President and Past President, ISACA Madrid Chapter
GRA Area 3 Committee

New US Congressional bills are an important milestone for cybersecurity professionals

News over the past year has focused the world’s attention on issues surrounding cybersecurity—notably that cyberattacks emerged as a top technology risk in the World Economic Forum’s Global Risks 2015 report. In April, US President Barack Obama declared malicious cyber activity a national emergency and signed an executive order authorizing new sanctions against individuals and groups deemed responsible for cyberattacks.

The attention resonated with consumers, business leaders and legislators alike.

Mixed together with news of the Sony Pictures breach and other retail hacking incidents, awareness of the need for increased cybersecurity focus has been at a high level. Now there is even more—but this time the news is about the US House of Representatives’ passage of two cybersecurity information sharing bills: the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPA).

  • PCNA aims to defend against cyberattacks through the creation of a framework for the voluntary sharing of cyber threat information between private entities and the federal government. Importantly, it includes liability protection for those companies who choose to participate.
  • NCPA is similar to PCNA, with the distinction being that it encourages voluntary information sharing about cyber threats between the private sector and the Department of Homeland Security.

To help cybersecurity professionals understand the importance of these two new acts, ISACA has added a new CSX Special Report to its Cybersecurity Legislation Watch center as part of its Cybersecurity Nexus (CSX). I encourage you to take a look at the report to better understand the two acts and what this new legislation could mean for you in your role and for your enterprise.

For cybersecurity professionals, the implication is crystal clear. The general business community is more aware of the challenges, and those charged with protecting their organizations from attack must be highly aware and trained, including being knowledgeable of evolving legislation such as this.

Keeping current and positioning your organization to best take advantage of the evolving regulatory landscape is of utmost importance in today’s fast-moving cybersecurity environment. This is not a time to be caught flat-footed.

Douglas Rausch, CISSP
President, Aurora CyberSecurity Consultants, Inc.
