I recently began taking my first crack at auditing an Amazon cloud platform that comprises over a dozen managed services. While I was excited to add this new wrinkle to my skill set, I had no idea where to get started on identifying key risks applicable to each service or how to approach the engagement. Searching online eventually led me to the AWS training and certification website. My intuition initially suggested to me that Amazon was not very likely to help me audit their services, or even if they did, there probably would not be much free information available that I could leverage to obtain sufficient understanding of the service architecture or operation. Well, I was dead wrong!
A few days ago, in between catching flights and dozing off in an airport terminal, I read an article about the recently published findings from the 2017 Global Information Security Workforce Study.
There were a few obvious conclusions that I expected to come out of this report, such as the ever-widening cybersecurity talent gap (hence the title), but there was one item in particular I found to be quite intriguing. In the third paragraph of the introduction, the GISWS asserts, “This year’s Study reveals we are on pace to reach a cybersecurity workforce gap of 1.8 million by 2022, a 20% increase over the forecast made in 2015.”
GDPR compliance projects around the world depend on knowing what personal data organizations are collecting or processing.
This is a difficult challenge, as evidenced by new ISACA research that shows data discovery and mapping is the top challenge/concern respondents have in preparing for GDPR compliance. With due diligence, though, this challenge can be overcome.
The first step is to map or collect all the personal data of the company. What does this mean?
Article 30 of the GDPR (records of processing activities) states that organisations must maintain a record of processing activities under [their] responsibility. That record shall contain all of the following information:
Compliance and security professionals are regularly challenged with unique security situations. However, the harder the challenge, the more rewarding it is for those who successfully solve the problem—part of what makes the profession so fulfilling. The difference between success and failure depends on the individual's skill and experience in deconstructing a complex security environment into individual elements that can be mitigated with a standard set of security controls.
Perhaps one of the more complex security issues for security and compliance professionals is protecting biomedical devices. There are several factors that make securing biomedical devices so difficult, including their close interaction with patients, lack of individual accountability, fragmented regulatory oversight and very long operational life-cycles.
I was recently very fortunate to attend the biggest cybersecurity conference of its kind, the 27th annual RSA Conference (RSAC) in San Francisco, USA. The first thing that struck me when I arrived at registration was the scale of the event. Spread across three huge conference venues in the center of the city, it was clear that they were preparing for a lot of people – more than 50,000 attendees, it turns out, with a choice of more than 500 different sessions and an expo housed across the venues filled with more than 650 exhibitors from 27 different countries.