As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concept. As our article suggests, organizations should place appropriate controls around the establishment and maintenance of the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines, composition rules give way to a blocklist check: the dictionary becomes the primary tool for screening out weak, common and previously breached credentials at the point of enrollment or change. As such, it is integral to ensuring secure access to IT resources, and a stale or incomplete dictionary directly weakens that control.
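To make the dictionary's role concrete, the following is an added example (not code from the ISACA article) of the kind of check a verifier performs under the NIST SP 800-63B memorized-secret guidance: normalize the candidate, compare it and a few trivially decorated variants against a blocklist, reject context-specific words such as the username, and reject repetitive or sequential strings. The blocklist, the substitution map and the sample inputs are constructed here for illustration; in practice the blocklist would be the organization-maintained dictionary discussed above, loaded from a maintained source of common and breached passwords.

```python
"""Blocklist-based password screening in the style of NIST SP 800-63B.

Added example, not part of the original article. BLOCKLIST and LEET_MAP
are constructed for illustration only.
"""
import re
import unicodedata

# Constructed sample dictionary. A real deployment loads the
# organization-maintained list (common + breached passwords) from a file.
BLOCKLIST = {
    "password", "password1", "qwerty", "letmein", "welcome",
    "p@ssw0rd", "iloveyou", "admin", "summer2024",
}

# Substitutions that users believe add strength but that cracking
# wordlists already account for.  Constructed mapping.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # SP 800-63B: verifiers SHOULD accept at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalize (as SP 800-63B recommends) and casefold for lookup."""
    return unicodedata.normalize("NFKC", secret).casefold()


def canonical_forms(secret: str):
    """Yield the normalized secret plus variants with leetspeak undone and
    trailing digits/symbols stripped, so 'P@ssw0rd' and 'Password123!' both
    resolve to the dictionary entry 'password'."""
    base = normalize(secret)
    yield base
    yield base.translate(LEET_MAP)
    stripped = re.sub(r"[\d\W_]+$", "", base)   # drop trailing "123!", "2024", ...
    yield stripped
    yield stripped.translate(LEET_MAP)


def is_sequential(secret: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (constant step of +1/-1)."""
    codes = [ord(c) for c in secret.casefold()]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) > 1 and diffs in ({1}, {-1})


def check_password(secret: str, context_words=()) -> list[str]:
    """Return the reasons a candidate secret is rejected; [] means accepted.

    context_words: username, e-mail local part, service name, etc.  SP 800-63B
    expects these context-specific words to be screened alongside the blocklist.
    """
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    forms = set(canonical_forms(secret))
    if forms & BLOCKLIST:
        reasons.append("matches the blocklist (common or breached password)")

    # Only screen context words of a meaningful length to avoid false hits
    # on two-letter fragments.
    ctx = {normalize(w) for w in context_words if w and len(w) >= 3}
    if any(w in f for w in ctx for f in forms):
        reasons.append("contains a context-specific word (username, service name, etc.)")

    if re.fullmatch(r"(.)\1+", secret) or is_sequential(secret):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates for a quick manual run.
    for candidate, ctx in [("P@ssw0rd", ()), ("Password123!", ()),
                           ("correct horse battery staple", ()),
                           ("jdoe-summer!!", ("jdoe",)), ("12345678", ())]:
        verdict = check_password(candidate, ctx) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Two design points follow from the article's governance theme. First, the check is only as good as the dictionary behind it, which is why its establishment and maintenance need controls: the variant generation above catches trivial decoration, but it cannot compensate for a list that was never updated after a major breach. Second, the function returns the reasons rather than just a boolean so that rejection can be explained to the user and logged for audit without revealing the dictionary itself.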
Whether from a conformance (compliance) or performance perspective, 2 enterprise governance tasks of particular interest are:
In the case of compliance, the amount of evidence required to demonstrate due diligence is proportional to the impact that noncompliance would have on the organization. In the case of the EU General Data Protection Regulation (GDPR), the consequences of noncompliance are extraordinary. At a minimum, the risk poses challenges not only in terms of the considerable maximum penalties for noncompliance, but, perhaps more importantly, also in terms of the reputational impact of a publicized violation.
Practical implementation and management of data loss prevention or protection (DLP) solutions or a portfolio of solutions should follow a logical process to ensure the holistic protection of information resources. Strategies intended to protect information resources should span the 3 generic domains of people, processes and technologies.
Understand the Business Layout
Implementers and managers of DLP solutions first need to understand the business layout of the institution requiring protection, which entails understanding the organization’s information strategy. An information strategy highlights the organization’s valuable or business-critical information and how the organization intends to use that information to add value. Beyond identifying the organization’s critical information, those responsible for protecting it need to understand how the information flows between the various units of the organization, including external parties. The various technologies that process information should be identified, and protection profiles should be defined for each technology class. The COBIT 5 Goals Cascade can help translate the organization’s information goals into a technical protection profile.
As in many professions, the new year is traditionally a time of planning for IT auditors. This year, I am willing to wager that many of your resulting IT audit plans include something to do with the EU General Data Protection Regulation (GDPR).
A question naturally follows from this: How do you go about performing the audit? A Google search for the term “GDPR audit” produces about 34,800,000 results (as of 15 January 2019). So how do you separate the wheat from the chaff?
This very topic was recently discussed on ISACA’s Engage Audit and Assurance Online Forum. Excellent suggestions were made, including using the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) Body of Knowledge and the self-assessment tools defined by the United Kingdom’s Information Commissioner’s Office.
Transformation offers many key benefits, and any enterprise that wants to sustain itself and grow in this ever-changing, fast-paced world will have to deploy new systems. In my recent ISACA Journal article, I discuss the various challenges an enterprise might experience during such deployments and how the intensity of each challenge differs based on organizational dynamics and economic variables.
Here are some key points that any enterprise should consider in the deployment process: