A Look at the Fourth Annual IT Audit Benchmarking Study

Robert E Stroud

This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:

  • Today’s Top Technology Challenges
  • IT Audit in Relation to the Internal Audit Department
  • Assessing IT Risks
  • Audit Plan
  • Skills and Capabilities

The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.

“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”

Category: Audit-Assurance     Published: 11/20/2014 12:01:00 PM

Risk management that embraces privacy can strengthen security

David Melnick

It is hard to imagine a world in which we didn’t use the Internet at work. Fifteen years ago, it was a luxury. Today, Internet use at work is mission-critical. We’ve evolved from casually getting online to search for basic information about a company to doing such critical things as accessing webmail, posting to and monitoring social media and transferring and storing files in the cloud.

Unfettered Internet access at work has empowered us to defy geographical and time constraints to communicate with colleagues, vendors and customers located around the globe, develop content and code, and share real-time 24 x 7. It also allows us to shop, gamble, chat with friends, check bank balances and pay bills at work and generally “cyber loaf” on the company network, to the tune of US $178 billion in lost productivity annually, according to U.S. security company Websense. According to IDC, 30 to 40% of Internet access is now spent on non-work related browsing, and 60% of all online purchases are made during working hours.

Category: Privacy     Published: 11/18/2014 3:08:00 PM

ISACA’s 2014 IT Risk/Reward Barometer survey results reveal Internet of Things trends

2014 IT Risk/Reward Barometer

Robert E Stroud

Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.

But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.

ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.

Category: ISACA     Published: 11/12/2014 7:01:00 AM

“Know your enemy”—is it enough?

Richard Norman

Usually attributed to the ancient treatise The Art of War by Sun Tzu, the phrase “Know your enemy” is often repeated in military and security environments and is given as guidance to junior-level staff in these environments. While it is good guidance, this article will explore why it is incomplete and why this is important.

One reference gives the full quotation, rendered in modern Chinese script as "故曰:知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆" complete with the English translation:

"So it is said that if you know your enemies and know yourself,
you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself."

The full quotation provides much fuller and richer guidance and it is important to consider the meaning and impact of the full text. Below I will examine each sentence from the English translation.

"If you know neither yourself nor your enemy, you will always endanger yourself."
The third sentence reminds us that lack of knowledge is dangerous. If you do not know your own capabilities, structures, processes, strengths and weaknesses it is unlikely that you will be able to use your resources effectively, or be able to resist your own weaknesses being exploited. A lack of knowledge about your enemy could lead you into a false sense of security—or to overestimate the abilities of your enemy—perhaps leading you to direct defences where the attacker is weakest and the attack least likely to succeed even without your efforts. For example, you would not want to concentrate all your defences on a Windows exploit being run against a Linux server. In short, you are totally unprepared for the battle and you may well contribute to your own defeat by making incorrect decisions!

Category: Security     Published: 11/11/2014 3:27:00 PM

Join football season with ISACA—play to win, play for fun

Brian Barnier

Football fans are enthusiastic around the world—even though rules, fields and equipment vary.

These similarities and differences make a good comparison to ISACA’s flexible frameworks and other guidance—just ask our rugby-playing International President Rob Stroud.

When I teach workshops, participants often ask questions about configuring firewalls, Wi-Fi, or data access tools. These are good questions with good answers. Yet, these product-level questions are not the “sweet spot” of ISACA-land guidance.

Using our football comparison, these questions are about lacing up shoes or inflating the ball. ISACA guidance assumes that players can pick their own shoes (and sign endorsement contracts), lace them up, clean them off and know when to replace them. ISACA assumes members read the intrusion prevention product manual.

ISACA-land guidance is focused more on how to train, recruit players, position players, work as a team, scout competitors, develop plays and even maintain the field and stadium.

Vitally, maturity models help answer the question, “how good are we?” People say “yes, I’m doing that.” But in football terms, is that just enough to play in the league or to be league champion? Players (and IT professionals) who are overconfident get a rude awakening in competition. Improvement is what we accelerate in workshops.

Category: ISACA     Published: 11/6/2014 3:22:00 PM

About This Blog


This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.

The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.

Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.


To volunteer to write a blog or suggest a topic send an email here.