ISACA Journal Blog

The Impact of the Thailand Cybersecurity Law

Nipon Nachin, CISA, CISM, CISSP, CEPAS DPO, PCI QSA, and Ekkorn Rattanaekkawin, CEPAS DPO | Posted: 4/22/2019 3:03:00 PM | Category: Security

In the past 5 years, the cybersecurity agenda has been raised and discussed in many forums because cyberattacks are now developed for a wide range of purposes, and the number of cybersecurity incidents and data breaches has increased dramatically every year. Major incidents around the world in the past few years have shown that cyberattacks affect public services, businesses and people, and can even lead to accusations of cybercrime from others. Therefore, many countries, such as the United Kingdom, Germany, Estonia, Australia, Canada and Singapore, have developed and issued laws to act on cybersecurity, covering a national strategy, implementation guidelines and reporting requirements. Generally, all cybersecurity acts focus on industries identified as the nation's critical infrastructure (CI) or critical information infrastructure (CII), such as the national security, financial, telecommunications, public transportation and logistics, healthcare and energy sectors. These sectors are the primary targets of cyberattacks, and attacks on them cause the greatest business disruption and nationwide impact.


Simplifying Enterprise Risk Analysis

Luigi Sbriz, CISM, CRISC, ISO/IEC 27001:2013 LA, ITIL v3, UNI 11697:2017 DPO | Posted: 4/8/2019 3:12:00 PM | Category: Risk Management

How many enterprise risk analysis reports must an organization release? A few years ago, I faced this question in light of cost, time and complexity of the solution. My conclusion is that 1 is fine.

Cost is a consequence of the details I need, the number of people involved and their time. Complexity can come from the need for training sessions (and increased costs). A lot of time spent on refreshing basic information means it is updated less frequently, and that obsolescence decreases the quality of the results.

I want to propose a methodology to assess risk based on 2 levels of evaluation in order to cover any need for details, cut any redundancy in data collection, keep the assessment simple, keep update time low, and ensure great flexibility to add and maintain any new control framework at minimal cost.


Proactively Embracing Innovation

K. Brian Kelley, CISA, CSPO, MCSE, Security+ | Posted: 4/1/2019 2:58:00 PM | Category: Audit-Assurance

When looking at innovation, it may seem daunting to involve audit properly to protect the organization. With any new effort, there are a lot of unknowns. In traditional project processes, there should be enough time to discover major issues and handle the risk they reveal. Innovation, though, wants to move more quickly. As a result, the increased speed can mean risk is not properly identified and reviewed. Therefore, it is important for audit to become proactively involved in innovation efforts as the organization attempts to improve its ability to compete.

Be Engaged With the Effort
Innovation is proactive and, in some respects, aggressive. Therefore, audit cannot take a passive approach to innovation. Rather, it needs to be an active participant, whether we are talking about an innovation team or an overall, organizationwide effort. Let us look at 2 ways audit can engage proactively.


Defining the Role of the CISO

Robert Putrus, CISM, CFE, CMC, PE, PMP | Posted: 3/28/2019 2:59:00 PM | Category: Security

Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted. CISO positions and responsibilities are greatly unsettled because digital security crosses many aspects of enterprise transactions, making it questionable whether it is even possible to place boundaries on the responsibilities of the role.

Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the IT group?


Cybersecurity Auditing Skills

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt | Posted: 3/25/2019 3:00:00 PM | Category: Security

According to the Ponemon Institute/Accenture Ninth Annual Cost of Cybercrime Study, the number of cyberattacks each enterprise has seen has increased, and these incidents take more time to resolve while the cost of cybercrime continues to rise. In the last year, the report notes, there have been many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the number of security breaches—from 130 in 2017 to 145 in 2018. Indeed, there has been a 67% increase in the number of security breaches in the last 5 years.