ISACA Journal Blog


More on Password Dictionaries

Bachman Fulmer, Ph.D., CISA, Melissa Walters, Ph.D., and Bill Arnold, CISSP
Posted: 2/14/2019 3:02:00 PM | Category: Security

As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concepts. As our article suggests, organizations should place appropriate controls around the establishment and maintenance of the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines, the dictionary becomes the primary tool for enforcing complexity and uniqueness in user authentication credentials. As such, it is integral to ensuring secure access to IT resources.


For the Board, GDPR Compliance Implementation Reporting Is More Than Just About Exposure and Progress

Guy Pearce, CGEIT
Posted: 2/11/2019 3:13:00 PM | Category: Government-Regulatory

Whether from a conformance (compliance) or performance perspective, 2 enterprise governance tasks of particular interest are:

  • Knowing what questions to ask in the process of performing due diligence
  • Knowing what data and information to request to support the due diligence process

In the case of compliance, the extent of the information required to support due diligence is proportional to the impact of the risk of noncompliance to the organization. In the case of the EU General Data Protection Regulation (GDPR), the risk factors associated with noncompliance are extraordinary. At a minimum, the risk poses challenges not only in terms of the considerable maximum penalties for noncompliance, but, perhaps more importantly, also in terms of the reputation impact of noncompliance.


Practical DLP Implementation

Christopher Nanchengwa, CISA, CRISC, ITIL v3, PRINCE2
Posted: 1/28/2019 3:09:00 PM | Category: Government-Regulatory

Practical implementation and management of data loss prevention or protection (DLP) solutions or a portfolio of solutions should follow a logical process to ensure the holistic protection of information resources. Strategies intended to protect information resources should span the 3 generic domains of people, processes and technologies.

Understand the Business Layout
Implementers and managers of DLP solutions first need to understand the business layout of the institution requiring protection, which entails understanding the organization’s information strategy. An information strategy highlights the organization’s valuable or business-critical information and how the organization intends to use said information to add value. Further to identifying the organization’s critical information, protectors need to understand how the information flows between the various units of the organization, including external parties. The various technologies that process information should be identified, and protection profiles should be defined for each technology class. The COBIT 5 Goals Cascade can help translate the organization’s information goals into a technical protective profile.


Auditing the GDPR

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPT, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Posted: 1/22/2019 2:47:00 PM | Category: Audit-Assurance

Like in many professions, the new year is traditionally a time for planning for IT auditors. This year, I am willing to wager that many of your resulting IT audit plans include something to do with the EU General Data Protection Regulation (GDPR).

A question naturally follows from this: How do you go about performing the audit? A Google search for the term “GDPR audit” produces about 34,800,000 results (as of 15 January 2019). So how do you separate the wheat from the chaff?

This very topic was recently discussed on ISACA’s Engage Audit and Assurance Online Forum. Excellent suggestions were made, including using the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) Body of Knowledge and the self-assessment tools defined by the United Kingdom’s Information Commissioner’s Office.


What Are Challenges in Deployment and How Can They Be Mitigated?

Rajul Kambli, CISA, CMA
Posted: 1/3/2019 2:57:00 PM | Category: Risk Management

Transformation offers many key benefits, and any enterprise that would like to sustain and grow in this ever-changing, fast-paced world would be subject to the deployment of new systems. In my recent ISACA Journal article, I discuss various challenges that any enterprise might experience and how the intensity of any of those challenges would differ based on organizational dynamics and economic variables.

Here are some key points that any enterprise should consider in the deployment process:
