Vendor Risk Management: An Essential Tool for GDPR
In 2018, the General Data Protection Regulation (GDPR) came into effect in the European Union, leading many organizations to continuously work to adhere to the regulation. Once internal procedures have adapted to GDPR, organizations must work with third parties and providers, known in this context as data processors, to become completely GDPR-compliant. According to GDPR, and derived from the accountability principle, data controllers can only choose and use trusted data processors that are able to assure they can protect data privacy according to controllers’ requirements:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Initially, most organizations approach this need by adapting the contracts signed with their providers and sending them long questionnaires with the security requirements for data protection in an effort to show due diligence to data protection authorities.
This method is very quick to implement, but has some issues:
- There are high, hidden costs derived from the administrative work needed to manage questionnaires, e.g., preparing the questionnaire, sending the questionnaire, following up on answers, resolving reported doubts and preparing a report after receiving responses.
- The level of assurance is very low. There is no way to verify whether the answers given by the vendor are true.
- The effort put into 1 questionnaire cannot easily be reused for other vendors.
In fact, this approach is based on just 1 method and is not enough to manage the risk of third parties and vendors. Data controllers need a combined set of tools and mechanisms to effectively understand and manage the risk that vendors pose. Basically, data controllers must:
- Evaluate the criticality of the services they are using (because the risk depends on the service, not the vendor).
- Define the level of security for each level of criticality. (Low-risk services should implement lower levels of security than high-risk services.)
- Establish the level of assurance that vendors must demonstrate. (Again, low assurance methods could be right for low-risk services, but higher risk services should be evaluated with higher assurance methods, for example, remote or in-house audits.)
- Define the period of time between checks or for compliance.
An implementation of this kind of process allows organizations not only to know if data processors are meeting the organization’s expectations, but also to monitor adherence to their specific criteria with a risk‑based approach (as data controllers cannot audit all processors and enterprises cannot trust them just based on a questionnaire).
For this reason, vendor risk management is an essential tool for GDPR compliance. It is very difficult for data controllers to show due diligence in choosing and monitoring data processors if they have not implemented a sound vendor risk management procedure.
Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah, is founding partner and chief operating officer (COO) at LEET Security Rating Agency, Spain.
Diving Into NIST Risk Management Framework Revision 2
The US National Institute of Standards and Technology (NIST) recently updated its Risk Management Framework (RMF). Revision 2 (V2) provides updates and changes to the 2014 NIST RMF that consider privacy, supply chain security, and software and system security.
To help you familiarize yourself with the changes and potential impacts of RMF V2, ISACA presents the “NIST’s Risk Management Framework V2: Changes, Challenges and What You Can Do Now” webinar. It will cover what you can do to prepare your organization for implementation of RMF V2 and help you minimize risk for your organization. This webinar takes place on 4 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Ted Dziekanowski, CISA, CAP, CCSP, CISSP, PECB ISO/IEC 27001 LA, PECB ISO/IEC 27005 Risk Manager, enterprise governance, risk and compliance (eGRC) specialist and risk management framework (RMF) trainer, has taught the NIST RMF around the world to the US military, portions of the US Intelligence Committee, several government agencies and major suppliers of services to the US government. Having experience as both an auditor and system integrator, Dziekanowski has a unique insight into the challenges associated with developing an eGRC program that satisfies the compliance requirements faced by organizations of all types and sizes. Dziekanowski will use his experience both implementing and training others to implement frameworks to help prepare you and your organization for the NIST RMF V2.
To learn more about this webinar or to register for it, visit the NIST’s Risk Management Framework V2: Changes, Challenges and What You Can Do Now page of the ISACA website.
Find Talented Professionals and Employers at ISACA Online Career Fair
Finding the right match between employer and employee can be tricky. Whether you are a potential candidate or a potential employer, the ISACA Online Career Fair is for you. ISACA is hosting this member-exclusive online career fair on 3 April from 10AM – 2PM CDT (UTC -5 hours). Employers can preview candidate resumes both leading up to and during the online career fair. During the career fair, they can also reach out to qualified candidates.
Potential candidates can consult a bilingual (English and Spanish) career coach during the event and save 10% on career coaching services. In the past, 1 employer noted walking away with a few prospective candidates and a new hire from the event. The career fair is beneficial for both job seekers and employers alike.
To learn more about the ISACA Online Career Fair, visit the ISACA Online Career Fair website.
The Top Concern for the State of Cybersecurity
In November 2018, ISACA surveyed security managers and practitioners for its global State of Cybersecurity survey. The insights and findings from this survey have helped to build this year’s State of Cybersecurity 2019 report—data and analysis intended to help cyberprofessionals manage, understand and address current cybersecurity trends.
The State of Cyber Security 2019—Current Trends in Workforce Development explores the short supply of qualified cybersecurity professionals, the difficulty retaining cybersecurity professionals, declining gender diversity programs and slowing cybersecurity budget increases.
To download this complimentary white paper, visit the State of Cybersecurity 2019 page of the ISACA website.
Accelerate Your Way to Becoming a CSXP
Based on the real day-to-day job tasks of the cybersecurity professional, ISACA has developed a new accelerated path to earning the Cybersecurity Nexus (CSX) Cybersecurity Practitioner (CSXP) credential. Anyone who currently holds an ISACA certification (Certified Information Systems Auditor [CISA], Certified in Risk and Information Systems Control [CRISC], Certified Information Security Manager [CISM], Certified in Governance of Enterprise IT [CGEIT]), ISACA’s Cybersecurity Fundamentals Certificate or one of the following credentials is eligible for the accelerated path:
- Certified Ethical Hacker (CEH)
- Certified Information Systems Security Professional (CISSP)
- CompTIA Cybersecurity Analyst+ (CySA+)
- EC-Council Certified Security Analyst (ECSA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Penetration Tester (GPEN)
- Licensed Penetration Tester (LPT)
- Offensive Security Certified Professional (OSCP)
The CSXP exam now takes 1 hour instead of 4, and candidates must receive a passing score on at least 3 of the 5 performance assessments. The cost for the accelerated CSXP certification suite is US $549 for ISACA members and US $599 for nonmembers. It includes the application fee, certification exam and 10 labs (6 instructional labs and 4 challenge labs) to help the candidate prepare.
Additionally, CSXP certification holders (including those already certified) no longer need to retest every 3 years to recertify. Instead, 50% of the 120 continuing professional education (CPE) hours required every 3 years must involve performance-based training.
In 2019, this accelerated path is the only path to CSXP. A promotional rate of US $429 for members and US $479 for nonmembers is available until 29 March 2019.
For more information, visit the Accelerated CSX Cybersecurity Practitioner Certification Suite page of the ISACA website.
In Retrospect: 33 Years of COBIT
It was late 1995 when Erik Guldentops, my then boss at SWIFT, relentlessly insisted that his auditor team “think about the concept ‘control objective’ and how they would define it in simple words.” Guldentops never feared giving those around him a good challenge. Little did I know that this first contact with COBIT, because that was what it ultimately would become, would be followed by many more.
From the beginning, structure, oversight and broad coverage were the key strengths of COBIT. These same strengths are what we have used to continue to build the later versions. COBIT collaborators have broadened the target audience beyond the IT audit community by providing guidance for boards and senior management, risk managers, financial managers dealing with IT, business managers, regulators, and more. As a part of the COBIT team, we have extended the guidance beyond the “controls” with management practices, performance management instruments, and more specific and detailed guidance. That being said, COBIT is still very much based on the original premises and ideas. Perhaps we could consider COBIT analogous to a well-known brand of German premium sports cars—the models change gradually over the years and gradually most components are changed or renewed, but you can always recognize the basic design and the brand. That is COBIT too.
My next experience with COBIT was when I worked for Eddy Schuermans—apparently I made it a habit of working for COBIT pioneers—who assigned me the tasking of teaching COBIT in Eastern Europe. Schuermans said, “You know COBIT, [so now] you go and teach it to the National Bank somewhere in Eastern Europe.” It is well known that teaching a subject is the best way to master it, so I carefully prepared a 3-day workshop just to find out that once I arrived onsite, every sentence I spoke needed to be translated by an interpreter who knew nearly nothing about COBIT, IT or anything related. Now, you may wonder why this is relevant. It is relevant because we have seen from the start of COBIT, and we still see today, a high level of interest and adoption of COBIT in the emerging and evolving economies. By learning to implement COBIT, these same emerging and evolving economies are sometimes more advanced in governing enterprise IT than many places in established and developed economies. This shows another great advantage of using COBIT.
There are plenty of articles describing the evolution of COBIT and all the details that have changed between versions, so I will only list the essentials that have impacted the evolution of COBIT. These essentials include the following evolutions:
- COBIT has moved from an auditor’s tool to a governance and management framework for the general public.
- COBIT has moved from providing high-level guidance on controls to delivering much more detailed guidance on many IT-related areas.
- COBIT has moved from a focus on control for safeguarding of assets to a broader and more appealing focus on ensuring information and technology generate value for the enterprise.
- COBIT has moved from providing guidance on how to control a “glass house with a mainframe inside” to the current IT paradigms—cloud, Agile, DevOps, cyber, etc.
All these evolutions were gradually introduced over time over the consecutive versions, never creating an earthquake. This allowed COBIT to maintain the structured nature of the framework and its underlying principles.
The success of COBIT is largely attributable to all the people—staff and volunteers—who have led the development over many years, and to all the individuals who contributed as reviewers or in the development workshops we organized for the bulk development efforts. Those meetings brought together dozens of experts who brought together valuable, quality, good-practice content.
It is impossible to name all COBIT contributors—most of them are listed in the books—but a few words of appreciation for 2 of the key drivers for COBIT who passed away last year and who we miss dearly must be shared. We must honor John Lainhart, who was one of the original members of the first COBIT team and who continued pushing COBIT forward through his efforts toward COBIT 2019 last year. We must also honor Robert E Stroud who also put an incredible amount of energy into COBIT and supported all of our group’s work in all the roles he later assumed at ISACA. Thank you, John and Rob.
Returning to the German premium sports car analogy, one thing about COBIT does not really compare with these cars—the price. COBIT is affordable, thanks to the generous investments ISACA has made for the benefit of the user community. It is one of the milestone products of ISACA, so let us keep it like that for many more years and let us keep growing COBIT and its user community.
To learn more about COBIT 2019 and ISACA’s 50th Anniversary, visit the COBIT 2019 page of the ISACA website and the ISACA 50 website.
Dirk Steuperaert, CISA, CRISC, CGEIT, is IT and risk governance consultant at IT In Balance, Belgium, and a coach and well-appreciated trainer in IT risk management, IT governance and all COBIT 2019-related matters. Steuperaert’s current mission is to use his experience as project leader and one of the key authors of all main COBIT 2019 publications to teach all those who can benefit from COBIT 2019 and to help them apply it in practice in a very pragmatic way.