ISACA Journal Blog


Knowing What to Protect

Sridhar Govardhan, CISA, CISM, SABSA
Posted: 8/16/2018 2:38:00 PM | Category: Security

With so many compromises leading to data breaches, one common concern is: even after so much investment in technology, people and processes, why are breaches still occurring? Are we “barking up the wrong tree”?

Perhaps, yes. Today there is a different challenge that security professionals are faced with: where to focus and what to protect. The traditional approach of protecting everything is failing; focus and effort should be on critical assets.

Knowing what to protect is extremely relevant for deciding the level of security protection required. The asset could either be raw data or processed information along with the ecosystem (e.g., operating system, application, web, data or application programming interface [API]). Lack of visibility to this key and critical piece of information leads to:


SWIFT Infrastructure Needs to Be Secured in a Structured Manner

Vimal Mani, CISA, CISM, Six Sigma Black Belt
Posted: 8/13/2018 2:47:00 PM | Category: Security

In the last few years, SWIFT has become a favorite target for hackers across the globe. The frequency of SWIFT-targeted cyberattacks is a good indicator of this. In most of these SWIFT-targeted attacks, the network perimeter was compromised before the core SWIFT platform was touched. It is therefore important first to ensure that we have a foolproof network perimeter built around the SWIFT infrastructure, with appropriate security solutions applied in a defense-in-depth manner.

Data confidentiality in SWIFT can be achieved through the encryption of all payment-related data and by having all links controlled by SWIFT using strong encryption algorithms. Access to SWIFT payment data should be protected by means of one-time passwords (OTP). Controls such as unique sequencing of all messages, dual storage, real-time acknowledgement to the user, and a message authentication procedure between sender and receiver also help ensure SWIFT data integrity by protecting against fraudulent modification of SWIFT data, which was the technique used by hackers in many recent SWIFT-targeted attacks. Availability of the SWIFT infrastructure can be achieved using several measures, many of which are already built into organizations in the form of continuity planning, duplication (and, in some cases, triplication) of equipment, extensive recovery schemes, and automatic rerouting of payments in the event of failure of some network nodes.


Love Them or Loathe Them, Good IT Business Cases Are of Inestimable Value to Good IT Portfolio Managers

Guy Pearce, CGEIT
Posted: 8/6/2018 3:16:00 PM | Category: Risk Management

Many struggle to pull credible business cases together. Business case mechanics aside, the hard work not only involves identifying the required data, collecting them and ensuring that they are of the right quality, it also involves receiving buy-in for the business case from stakeholders, hopefully without too much fudging. That business cases can be fudged highlights the importance of an explicit assumptions section; it is a vital component of a good business case because it can be used to assess the veracity of the business case’s inputs.

In spite of how hard building a business case can be though, properly assessing the contribution of new IT investments to the organization helps prevent wasting precious organizational resources on “investments” that yield little for the organization. A good business case also helps ensure a good understanding of the dependencies of the project on various organizational resources, all of which helps ensure the business success of the IT investment.


Managing Technology Innovation Efficacy

Robert E. Davis, DBA, CISA, CICA
Posted: 8/2/2018 3:06:00 PM | Category: COBIT-Governance of Enterprise IT

Technological innovation has significant governance dynamics. Linked to these governance dynamics are offensive and defensive innovation strategies. Offensive strategies encompass reconfiguration, redefinition and pure spending. Reconfiguration occurs when the challenger innovates an activity in the value chain or the configuration of the entire business. Redefinition arises when a challenger redefines the competitive scope compared to the market leader. Pure spending transpires when the challenger buys a market position through superior resource utilization or a greater willingness to invest.

Conversely, a defensive strategy focuses on lowering the probability of competition from new entrants pursuing innovation monetarization or from established competitors seeking to reposition a line of business. Defensive strategies encompass technology licensing, selective retaliation, entry deterrence and forming coalitions. The principal objective of implementing a defensive plan is to influence new entrants or established competitors to conclude that market participation is an unattractive organizational commitment.


Privacy Matters Matter

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Posted: 7/26/2018 3:05:00 PM | Category: Privacy

Due to scheduling and timing constraints, articles and columns that appear in the ISACA Journal are often written weeks or even months before they appear online or become available on the Journal app. This was most certainly the case with my volume 3 IS Audit Basics column, “Auditing Data Privacy,” which was completed well before the Facebook and Cambridge Analytica story hit the news headlines.

Shortly after the story broke, I shared a Guardian article [1] on the ISACA Knowledge Center, [2] which I said then and still believe now is a must-read for all IT auditors. The article referenced a research paper [3] that showed that easily accessible digital records of behavior, e.g., Facebook likes, can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender. Further, when users liked curly fries and Sephora cosmetics, this was said to give clues to intelligence; Hello Kitty likes indicated political views; and “being confused after waking up from naps” was linked to sexuality. [4]
