ISACA Journal Blog

 ‭(Hidden)‬ Admin Links

ISACA > Journal > Practically Speaking Blog

Patch Management Practice

Spiros Alexiou, Ph.D., CISA, CSX-F, CIA Posted: 6/17/2019 3:11:00 PM | Category: Security | Permalink | Email this post

Unpatched systems represent a very serious IT security threat with potentially extremely important consequences, as documented in a large number of high-profile breaches that exploited known unpatched vulnerabilities. Since these vulnerabilities are known, not just to attackers, but also to system administrators, and since patches exist, it is on first look surprising that unpatched systems even exist. The reality, however, is that patching is not that simple: Because of interdependencies, it must be verified that the patch is compatible with everything else in the system, e.g., an operating system patch must be compatible with the applications and databases running on top of the operating system. Sometimes, they are not, as manifested, for instance, in the recent Spectre and Meltdown vulnerability, where some application providers explicitly warned against patching. Verifications mean testing by other vendors, and this may not be a high priority for the application vendor, with an answer or full solution sometimes coming with the next release. Today’s organizations typically employ a large number of systems and applications, and making sure all of them are patched promptly is not automatic.


Three Steps to Begin Transforming Your Cybersecurity Program

Brian Golumbeck, CRISC, CISM, CCSK, CISSP, ITIL Foundation Posted: 6/13/2019 3:03:00 PM | Category: Security | Permalink | Email this post

The nature of risk management has changed over the past 2 decades. Previously isolated IT infrastructures are more connected with the outside world, and organizations face an ever-expanding threat landscape. Most organizations operate in a reactive mode, typically driven by an outside-in fear and avoidance approach where priorities are based on the latest known threat or new regulation. The challenge with this approach, in addition to it being reactionary and driven by outside forces, is that it promotes a keep-the-lights-on mentality, results in an inefficient use of resources and distracts from the priority of protecting an organization’s most critical data assets.

The motivation is primarily the fear of fines and reputational risk. For a security program to succeed and reduce information technology risk, a focus on driving business value by effectively mitigating risk wherever it may live is preferred.


Increasing Your Organizaton’s Cybermaturity

Jaco Cloete, CISA, CRISC, CISM, CA, CCISO, CISSP Posted: 6/10/2019 2:57:00 PM | Category: Security | Permalink | Email this post

Managing cyberrisk is critically important for organizations. Interconnectedness, digitization, the focus on utilizing data and providing enhanced client experiences expand the attack surface and expose an organization to increased cyberrisk. I cannot think of a worse experience for a board member than to be told (or to read in a newspaper) that the organization’s client database has been leaked online, that a significant amount of money was stolen or that the organization cannot operate because all the servers have been locked up with ransomware. No organization can be 100% secure, and bad events will happen. There are, however, practical steps that can be taken to reduce the risk of a cyberevent happening and, when it does happen, to recover the organization to the same state as before the event.


Innovation Is About People

K. Brian Kelley, CISA, CSPO, MCSE, Security+ Posted: 6/3/2019 3:37:00 PM | Category: COBIT-Governance of Enterprise IT | Permalink | Email this post

I was a member of an innovation team because of my expertise in servers, Active Directory and general information security practices. However, I also brought my audit background. Because of this, I entered the team with trepidation. I wondered how the innovation effort would honor the processes and controls we had in place to protect the organization. As an auditor, I realized that people operating outside of their domains could lack the knowledge of necessary safeguards and, due to the intended rapid pace of prototyping and development, they would not think about them.

I started thinking about what an auditor should bring to the team. What I quickly realized is that we already have guidance on how to handle an innovation situation. Effectively, we are performing the same function as we do for projects, but at a greater-than-normal speed. In reality, this is no different from working on an emergency project. As an IT industry, we have had a number of global efforts of this type, whether we are talking Y2K or figuring out how to achieve EU General Data Protection Regulation (GDPR) compliance. Individually, most of us have been on those types of projects specific to our industry or our organization.


The Role of Culture on IT Governance

Guy Pearce, CGEIT
Posted: 5/30/2019 3:05:00 PM | Category: COBIT-Governance of Enterprise IT | Permalink | Email this post

It was 150 years ago that Sir Edward Tylor first referenced culture (in an anthropological sense) in his book Primitive Culture. Then, 80 years later, Elliott Jacques, Ph.D., published The Changing Culture of a Factory, introducing organizational culture as the “… customary and traditional way of thinking and doing of things…and which new members must learn, and at least partially accept, in order to be accepted into service in the firm."1 Today, another 70 years later, organizational culture is recognized as the most significant of all IT governance critical success factors.

This last finding implies that if we ignore the impact of culture on IT governance, then almost anything we do from an IT governance perspective may very well be doomed in spite of our best efforts. This state of affairs is amplified in digital transformation and in the governance of emerging technology, given the pressing need for today’s organizations to increasingly adopt digital—to maintain their competitiveness or, better, to enhance it—and for these activities to create the diverse kinds of value expected of them.

<< First   < Previous     Page: 1 of 89     Next >   Last >>