Cybersecurity challenges and opportunities Twitter chat – #cybersecuritychat

Last week, ISACA hosted a Twitter chat focusing on cybersecurity challenges and opportunities in support of Cybersecurity Month. ISACA’s International President Robert E. Stroud and International Vice President Ramsés Gallego participated as our guest panel. Review excerpts from the chat below:

Q1: What are the top #cybersecurity threats facing organizations today? #cybersecuritychat

A1: there are so many .... access to information, service disruption, theft..... #cybersecuritychat

A1: Understanding the risks. The human factor. PEOPLE using technologies. #cybersecuritychat #CyberSecMonth #ISACA

A1: Interesting change is the threat is external, not just internal... #cybersecuritychat

Q2: What #cybersecurity priorities should organizations focus on going into 2015? #cybersecuritychat

Category: Security     Published: 10/30/2014 3:05:00 PM

International President: Teamwork fuels ISACA’s spirit and intensity

Robert E. Stroud

“It takes two flints to make a fire” has been attributed to noted author Louisa May Alcott and it truly symbolizes the teamwork that goes into delivering ISACA’s activities and resources, and specifically, the ISACA Journal. Thousands of members have shared their time and expertise with the Journal since it was introduced in 1973 as a quarterly publication named The EDP Auditor Journal.

Since then it has grown in size and circulation and has earned a reputation as a highly respected, global, peer-reviewed source of practical knowledge. The Journal is consistently rated as one of the top member benefits, and value and satisfaction are high across all job functions and global regions. According to the ISACA Member Needs Survey, 83 percent of members are satisfied with the Journal and 81 percent believe it is of value to members.

[Figure: A cover of the ISACA Journal from 2005]
[Figure: A cover of the ISACA Journal from 2014]

This is possible only because of the dedication of article authors and other volunteers, including contributing editors and editorial reviewers, who have been instrumental every step of the way. Two of these volunteers hit milestones this year—Steve Ross is marking his 15th year as author of the Information Security Matters column and after volume 6 (and nine years of contributions) Tommie Singleton is retiring from writing the IS Audit Basics column. Both of these columns are widely read and respected and have contributed to the knowledge and lively debate among many ISACA constituents.

Category: ISACA Journal     Published: 10/28/2014 3:15:00 PM

NIST Privacy Workshop Moves Forward with Framework Development

Rebecca Herold

I attended the second National Institute of Standards and Technology (NIST) Privacy Engineering Workshop on behalf of ISACA, which was held in September in San Jose, California, USA. NIST took the information that they collected at their first workshop in April 2014 and put together a proposed high-level draft of the beginning of what will eventually become the privacy engineering framework—the “Preliminary Concepts” that will ultimately become integrated with the U.S. Framework for Improving Critical Infrastructure Cybersecurity, which was published early this year.

This workshop focused on four primary activities:

  1. Reviewing the proposed privacy engineering definitions
  2. Reviewing the proposed “System Privacy Risk Equation”
  3. Determining a lexicon of privacy objectives, establishing common terms and categorizing potential privacy harms
  4. Hearing from engineers, privacy experts and privacy advocates about additional issues

Proposed Privacy Engineering Lexicon
If engineers are expected to understand privacy principles and then build privacy controls into their systems, devices and processes to effectively protect privacy, they must operate under a common vocabulary, so that terms are understood the same way across the enterprise and the privacy controls are implemented consistently. The terms proposed by NIST, based on their research and feedback from the April workshop, include three primary privacy engineering objectives and a set of core privacy terms that all engineers need to know and understand.

Category: Privacy     Published: 10/23/2014 3:24:00 PM

Meeting the PCI DSS Compliance Guidelines

Adesanya Ahmed

Cloud computing has the ability to offer organizations long-term IT savings, reductions in infrastructural costs and pay-for-service models. By moving IT services to the cloud, organizations are more geographically distributed than ever before and the pace of business gets faster every day. Online collaboration has become a business necessity—there is no other way for distributed teams to work as quickly and efficiently as business demands. With virtual, paperless environments becoming more common, simply locking the doors at night no longer protects merchants, banks, customers or the business they conduct.

This means that exploitation will shift from systems to the web. Because of these changes, today’s business needs demand that applications and data not only move across physical and international borders, but also move to the cloud and become accessible to third parties. This loss of control is significant for security teams that must not only keep data safe, but also comply with the necessary security standards, including the Payment Card Industry Data Security Standard (PCI DSS). The payment card industry (PCI) should recognize that the most effective way to protect customer data is to protect the networks from the point of purchase to the application servers in their networks.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices and applications.

Category: Cloud Computing     Published: 10/22/2014 3:08:00 PM

Why is it so hard to explain cybersecurity?

Steve Schlarman

As someone who has been in the cybersecurity industry for many years, I have witnessed more confused, perplexed, dazed and otherwise confounded looks than I care to admit. Nearly all of them asked simple questions like “What do you do at your job?” or “How do you actually secure XYZ?” Recently, I have been hearing a lot of questions about security breaches, including: “Why do I keep reading about these security breaches in the news?” When I start to explain the answer, the listeners quickly become disengaged and one of the looks I mentioned earlier soon appears on their faces. Cybersecurity should not be hard to explain, but so often it is. As security practitioners, we are always ready for the analogy (pick your favorite: the castle, the bank vault, the battlefield, etc.), but it always seems to fall short of actually educating the audience.

Some questions are more prevalent than others these days, and in your company I am sure you get some stream of questions from your business partners and colleagues. First is “Why is it so hard to keep the bad guys out?” This is a completely relevant and fair question, but it is not easy to answer in simple terms without pulling out at least some technical jargon. Another favorite is “How do these data breaches happen?” Again, without technical explanations, you are most likely faced with explaining how people break into a home or business physically. It might make the point, but the person is no more educated on technological security challenges than when the conversation started. Next come questions like “What is a vulnerability and why can we not fix them?” and “How did the security team not see what was happening?” At this point, the conversation is really going downhill fast if you are trying to avoid a confused questioner. Ultimately, the discussion arrives at the basic question “How can companies get better at cybersecurity?” Here, explanations of defense in depth, event and packet analysis, and other components of a well-designed and effective security program frequently leave the questioner confused and frustrated.

Category: Security     Published: 10/21/2014 3:08:00 PM