
Football, risk management style

Brian Barnier

1 February is a big day for American football. When the football takes flight in the big game on Sunday, where will you be? Will any of your office teammates or ISACA friends be with you?

To liven up a post-game office or chapter meeting, you can play a football game ISACA-style.

The game is simple; you earn points two ways:

● First, by describing memorable football plays with five steps of the 5+2 Step Cycle used in managing IT risk. This is like the radio play-by-play the commentator does when the video can’t tell the story.
● Second, by describing memorable plays with all the 5+2 steps. This is like a color-commentator, providing more backstory for a play. This requires a panel of judges:
  • Each person in the role of color-commentator tells a story to judges.
  • Judges could be a panel of three (to break ties) or all the other attendees—a bit like talent audition competitions.
  • Judges confer. If all seven steps are covered, the judges award points, depending on how robust and colorful the story is.

A review of the 5+2 Step Cycle:

● Evaluating risk
  • Understand the environment and enterprise capabilities
  • Seek scenarios—asking “What if?”
  • Watch for warning signs
● Responding—quick response
  • React—taking the right action at the right time
  • Recover—reposition back into “ready” condition of evaluation
● Responding to risk—continual improvement
  • Prioritize—based on evaluation, select actions to improve readiness to take advantage of opportunity and respond to threats
  • Improve position in the environment and strengthen enterprise capabilities—implement prioritization decisions

This is a constant cycle. In quick response, only existing capabilities are available. In continual improvement, time is available to add resources.

Category: Risk Management     Published: 1/27/2015 3:01:00 PM

Degrading security diminishes privacy

Rebecca Herold

Privacy has been getting a lot of attention lately. And with good reason, given the increasing occurrences of privacy breaches, personal information records breaches, all the many new types of smart devices being used by more and more people, and the collection of more personal and associated data than ever before. It would appear that the 2014 Sony hack was the tipping point that motivated US President Barack Obama to propose the Personal Data Notification & Protection Act and the Student Digital Privacy Act on 12 January this year. It was encouraging to see this new interest in taking steps to better protect personal information—not only for improving personal privacy of US residents, but also to help show the rest of the world that the US is moving beyond having a patchwork set of privacy laws and being considered as an “inadequate” privacy protections country by the rest of the world, to moving forward with actions to better protect personal information throughout all industries, and not just a chosen few that exist in the US today.

Category: Privacy     Published: 1/22/2015 3:04:00 PM

World leaders focus on cybersecurity, but survey shows 86% see a global skills shortage

Matt Loeb

In Washington tonight, US President Barack Obama will propose legislative action to focus on cybersecurity during his State of the Union address. In Davos, 2,500 world leaders from government, industry and civic society are gathering today for the World Economic Forum (WEF) to discuss what WEF Chairman Klaus Schwab describes as “The New Context.” Front and center on the agenda are cybersecurity, risk and the Internet of Things.

Large-scale data breaches have brought this issue to the forefront and showcase that even well-protected, mature organizations face difficulties keeping data secure. And with cyberattacks rising exponentially, it’s no surprise that organizations are aggressively trying to hire those with the skills to prevent them.

There is one problem, however: the severe shortage of skilled cybersecurity professionals. According to the ISACA 2015 Global Cybersecurity Status Report, 86% of respondents believe there is a shortage of skilled cybersecurity professionals and 92% of those whose organizations plan to hire cybersecurity professionals in 2015 say it will be difficult to find skilled candidates. The ISACA 2015 Global Cybersecurity Status Report, conducted 13-15 January 2015, polled more than 3,400 ISACA members in 129 countries. It found that close to half (46 percent) expect their organization to face a cyberattack in 2015, and 83 percent believe cyberattacks are one of the top three threats facing organizations today.

ISACA, which assisted the National Institute of Standards and Technology (NIST) in the development of the US Cybersecurity Framework, has launched its Cybersecurity Nexus (CSX) program. CSX is a global resource for enterprises and professionals that helps identify, develop and train the cybersecurity workforce, while also raising the awareness of cybersecurity throughout the organization. CSX has extensive resources to address the cybersecurity skills gap through training, mentoring, performance-based credentials and applied research. CSX also now offers a Cybersecurity Legislation Watch center, which features the new CSX Special Report.

Category: Security     Published: 1/20/2015 12:37:00 PM

Integrating data analytics into a risk-based IT audit

Seren Dagdeviren

Although most would agree that internal audit is an assurance function, I like to think of internal auditors as value-added trusted advisors. A given mandate will provide assurance on processes that are functioning appropriately; however, the real value is in identifying areas of improvement that add tangible value back to the organisation. Data analytics has long been my tool of choice to help accomplish this value in an effective and efficient manner.

At ISACA’s 2015 North America Computer Audit, Control and Security (CACS) conference, I will be presenting alongside Bob Cuthbertson, COO of CaseWare IDEA Inc., on successful integration of data analytics within a risk-based IT audit universe. In a prelude to our session, I would like to provide examples from my own work in the past that I will be adding to, along with others, during the session on 16 March in Orlando, Florida.

Getting Started—Scoping the Audit Engagement

Understanding the business is the first and most crucial step in the audit process. It is what determines the amount of value you can potentially provide to key stakeholders. Shown in scenario 1 below, data analytics can be used before the audit begins as a status indicator of the risks facing an organization. And with this information, internal audit is able to improve the audit effectiveness as well, with the ultimate effort of providing value to the organisation.

Category: Audit-Assurance     Published: 1/15/2015 3:07:00 PM

Will government be an effective cybersecurity leader or passive bystander?

Eddie Schwartz

Our industry has been discussing the need for updates to critical public electronic communications laws and policies; reductions in corporate liability for intelligence sharing; national data breach legislation to replace the morass of US state laws; and increases in funding for cybersecurity education, research and standards for many years.

There are two milestones that make a transition from conversation and confusion to clear and decisive action so important now. The first is that we’ve reached critical mass in both corporate and consumer understanding and perception of the importance of cybersecurity. While mega breaches are not new, consumers’ inconvenience of swapping credit card numbers has largely been the extent of impact for most Americans in the past and attention has quickly waned. This year, consumers and corporate citizens at all levels experienced multiple breaches that created a saga of compounding and widespread impact—from credit cards, to corporate espionage, to threats of physical terrorism—and sustained attention for months.

The second, more troubling factor is escalation. While some of the nation state saber-rattling may be just that, the ease with which cybercriminals compromised a significant footprint of the retail and digital advertising sector—and the aggressive and calculated manner in which they compromised and then meted out damage on Sony and other very mature organizations—is a major milestone and also an unsettling indicator of things to come.

Category: Security     Published: 1/14/2015 3:11:00 PM