ISACA Journal Blog

ISACA > Journal > Practically Speaking Blog

Agile Audit Practice

Spiros Alexiou, Ph.D., CISA
Posted: 4/10/2017 3:07:00 PM | Category: Audit-Assurance

Auditors are expected to complete audits on material issues within shorter and shorter time periods. Such audits and their completion depend on the availability of key personnel, who are also increasingly pressed for time as they are involved in day-to-day operations and other, often mission-critical, projects. Yet audit methodology, which involves a rigid separation between audit phases, such as planning, fieldwork and reporting, has failed to keep up with these changing requirements. As a result, the inability to schedule timely meetings with key personnel creates bottlenecks, delaying the move to the next phase, typically because a very small part of the previous phase remains incomplete.


How to Manage Third-party Risk

Vasant Raval, DBA, CISA, ACMA, and Samir Shah, CISA, CA, CFE, CIA, CISSP
Posted: 4/3/2017 8:31:00 AM | Category: Risk Management

We rely heavily on them, yet we are ignorant about the risk exposure from them. We know them, yet we do not know them when it comes to risk assessment and management. We often call them business partners, but we do not know our share in their risk universe. We are talking about vendors, suppliers, service providers and all such business partners collectively referred to as third parties.

So, what are the options for risk identification, measurement and mitigation? Based on the risk appetite and related cost appetite, there are multiple methodology, assessment and technology options for managing this risk. Some of the available options are standards, e.g., Statement on Standards for Attestation Engagements (SSAE) 16 and ISAE 3402; best practices-driven programs, e.g., Shared Assessments; and integrated technology platforms from leading governance, risk and compliance (GRC) companies.


The Value of Risk Comparison

Mukul Pareek, CISA, ACA, ACMA, PRM
Posted: 3/27/2017 3:10:00 PM | Category: Risk Management

When I used to run vulnerability management for a previous employer, my colleagues and internal clients would stop me in the corridors and ask, “Hey Mukul, how vulnerable are we today?” Of course, this question was largely unanswerable or, at best, deserving of a rhetorical answer. Yet not wanting to appear clueless about my area of responsibility, over time I found myself responding as to whether we were better or worse off than the last week or the last month. This response would normally satisfy most, but a few curious folks would ask how I knew that. I did not know how I knew, but doing the job day in and day out gave me a gut feeling...or so I thought. 

My colleagues and I challenged ourselves to think analytically about what gave us the intuition on whether we were more or less vulnerable than, say, yesterday or last month. Just a little bit of thought made it clear that what we thought of as expert judgment was anything but. We were basing our conclusion on what we knew of the latest metrics on security updates and patches that had been released recently, but had not yet been applied in our environment. Not only that, we were also considering the trajectory of our vulnerability metrics, i.e., the direction in which the trend line was headed and how fast. This realization was the genesis of my recent Journal article, where the proposal is to consider the velocity and distance from a good state and the persistence of badness over time. This contrasts with considering the absolute measure of a metric, which, while important, is often inconsistent with the way humans interpret information over time. 


Going for the ATO

Jo Anna Bennerson, CISA, CGEIT, CPA, ITILv3, PMP
Posted: 3/13/2017 3:04:00 PM | Category: Government-Regulatory

The Authority to Operate (ATO) is necessary to work in the system of US federal government agencies. My recent Journal article provides details on how to obtain the authority to operate. The following steps can help US enterprises gain the approval to operate with the federal government:

   ●  Ensure confidentiality, integrity and availability—The first necessary step toward achieving ATO is confidentiality, integrity and availability (CIA). This means that only approved people can get in, any changes to the system or data are genuine, and the system is up and ready for use.
   ●  Embrace the NIST 800-53 control families—Every family is a tightly knit assembly of controls with a dash-one, or parent control, followed by offspring controls that dive deep into the security measure. For instance, the Access Control family starts with the dash-one control of access control policy. It is followed by more detailed controls to be implemented and assessed, such as Account Management and Access Enforcement. Using the lists of controls within each of the 18 NIST control families allows users to demonstrate security that is in place or being planned.
   ●  Keep the evidence—Just like in any operational process, you create or gather documentation to delineate the process and what has taken place. Just like any trail or audit, you keep evidence of the path you have taken. The ATO process allows you to gather and store all the security documentation. This serves well in building a case for the security posture of your system and how it fits into your federal agency’s risk profile.


SSH: A Useful but Potentially Risky Tool

Tatu Ylonen
Posted: 2/27/2017 3:01:00 PM | Category: Security

My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.

In short, SSH is a tool for systems management, automation and file systems, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire—not even when the user’s account is removed if the credentials have been added to a service account.
