ISACA Journal Blog

 ‭(Hidden)‬ Admin Links

ISACA > Journal > Practically Speaking Blog

Tracking Vulnerability Fixes to Production

Michael Werneburg, CIA, PMP Posted: 9/18/2017 1:53:00 PM | Category: Security | Permalink | Email this post

As an IT auditor at a software company, I discovered that security vulnerabilities in our bespoke product had not been getting released to clients on a timely basis. We had been doing penetration tests for years, but obtaining the penetration test report had not translated to the fixes being released to the users. Our clients remained exposed to known vulnerabilities, a situation that meant my employer was assuming all potential liability for the situation.

There were, it turned out, many things that slowed delivery of the fixes. Some factors were organizational and some were technical. I address the organizational challenges of client resistance and lack of internal commitment in my recent Journal article. But I will offer an additional insight for readers of Practically Speaking on overcoming technical complexities in patching a bespoke software product.


Equifax: Too Soon for Lessons Learned?

Ed Moyle Posted: 9/8/2017 2:54:00 PM | Category: Security | Permalink | Email this post

I am sure most practitioners by now have probably heard about the Equifax breach. If you have not yet, get ready to hear about it nonstop—probably for the next year or 2 at least. Why? Because it eclipses even the 2013 Target breach (which people are still talking about) both in number of individuals potentially impacted (143 million) and the potential sensitivity of the records involved (which include social security numbers, dates of birth, addresses, credit card numbers and driver's license information.) 

The details of this are still unfolding, so we do not have the full picture yet. It will probably be a few months before we do. But in the meantime, I think we know enough to highlight at least a few lessons learned. Specifically, things that it behooves organizations to have in mind as they plan (and ideally exercise) their own incident response strategies. We can use what happened with Equifax as an illustration of why these principles are a good idea. 


Stuck in the Middle With You

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt Posted: 9/5/2017 8:51:00 AM | Category: Audit-Assurance | Permalink | Email this post

Ian CookeI find working as an IT auditor a fulfilling and enjoyable job; however, as with any profession, there are times when it can be hard. There are certainly days when I feel that there are “clowns to the left of me, jokers to the right.”1 The clowns are auditees who are always pushing back on audit recommendations or, if they do accept them, never seem to implement them. The jokers are the audit committee members who seem to have never-ending requirements for more and more assurance without allocating any additional resource.


ESA: What Is It and How Does it Work?

Rassoul Ghaznavi Zadeh, CISM, COBIT Foundation, SABSA, TOGAF Posted: 8/28/2017 3:48:00 PM | Category: Security | Permalink | Email this post

Rassoul Ghaznavi ZadehEnterprise security architecture (ESA) is the methodology and process used to develop a risk-driven security framework and business controls. The focus of an enterprise architect should be to align information security controls and processes with business strategy, goals and objectives.

Normally, developing an effective ESA is achieved following these steps:

  • Defining the business’s goals and objectives
  • Understanding business risk and threats
  • Understanding compliance, regulation and legal requirements
  • Identifying the appropriate framework and architecture vision
  • Identifying the appropriate security controls (gap analysis)
  • Managing and implementing the security controls
  • Monitoring and evaluating the security controls
  • Assessing and identifying gaps before repeating the cycle


Developing an Information Privacy Plan

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP Posted: 8/14/2017 3:13:00 PM | Category: Privacy | Permalink | Email this post

My most recent Journal article was based on an analysis of data privacy I performed for an ISACA presentation. The privacy areas of concern detailed by the International Association of Privacy Professionals (IAPP) and the 7 categories of privacy according to ISACA were integrated with the privacy and security controls included in National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 to reveal the key ingredients to inform privacy planning.

In my most recent Journal article, I reveal the root causes of data breach incidents and related statistics that highlight the severity of data breaches. There are several privacy categories (with associated concerns), questions, responsibilities and areas of risk that a privacy officer (PO) needs to address to protect data. The PO also needs to adopt a governance strategy that respects personal privacy and educates the organization to ensure a unified effort. Four main privacy controls (management, computer operations, business operations and technical controls) should be implemented to ensure a successful privacy program. An organization’s privacy plan should include a list of authorities, definitions, scope and purpose, roles and responsibilities, privacy controls, and other considerations to be set up for success. My article has a more thorough outline to help the PO and your organization implement a successful privacy plan.

<< First   < Previous     Page: 1 of 72     Next >   Last >>