ISACA Journal Blog


The Value of Risk Comparison

Mukul Pareek, CISA, ACA, ACMA, PRM
Posted: 3/27/2017 3:10:00 PM | Category: Risk Management

When I used to run vulnerability management for a previous employer, my colleagues and internal clients would stop me in the corridors and ask, “Hey Mukul, how vulnerable are we today?” Of course, this question was largely unanswerable or, at best, deserving of a rhetorical answer. Yet not wanting to appear clueless about my area of responsibility, over time I found myself responding as to whether we were better or worse off than the last week or the last month. This response would normally satisfy most, but a few curious folks would ask how I knew that. I did not know how I knew, but doing the job day in and day out gave me a gut feeling...or so I thought. 

My colleagues and I challenged ourselves to think analytically about what gave us the intuition on whether we were more or less vulnerable than, say, yesterday or last month. Just a little bit of thought made it clear that what we thought of as expert judgment was anything but. We were basing our conclusion on what we knew of the latest metrics on security updates and patches that had been released recently, but had not yet been applied in our environment. Not only that, we were also considering the trajectory of our vulnerability metrics, i.e., the direction in which the trend line was headed and how fast. This realization was the genesis of my recent Journal article, where the proposal is to consider the velocity and distance from a good state and the persistence of badness over time. This contrasts with considering the absolute measure of a metric, which, while important, is often inconsistent with the way humans interpret information over time. 
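The three trend quantities the post names (distance from a good state, velocity and persistence of badness) can be made concrete for a single metric series. The following Python is an added example, not code from the article or the post: it assumes the metric is a weekly count of open critical findings, assumes an acceptable level of 50, and uses constructed sample numbers; the tie-breaking rule in `compare` (distance first, then the sign of the velocity) is one way to operationalise the post's point that trajectory, not the absolute value, is what people actually judge.

```python
"""Added example (not from Pareek's article): distance, velocity and
persistence for one vulnerability metric, then "better or worse than N
periods ago?" derived from them.  Metric, threshold and sample series are
assumptions constructed for the example."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class TrendView:
    current: int        # latest value of the metric
    distance: int       # how far above the acceptable level (0 when at or below it)
    velocity: float     # average change per period across the look-back window
    persistence: int    # consecutive trailing periods spent above the acceptable level


def trend_view(series: Sequence[int], good_state: int, window: int = 4) -> TrendView:
    """Summarise the newest point of an oldest-first `series` against `good_state`.

    Velocity is the slope across the last `window` points; persistence counts
    back from the newest point until the metric was last at or below target.
    """
    if not series:
        raise ValueError("need at least one observation")
    current = series[-1]
    distance = max(0, current - good_state)

    recent = series[-window:]
    velocity = (recent[-1] - recent[0]) / (len(recent) - 1) if len(recent) > 1 else 0.0

    persistence = 0
    for value in reversed(series):
        if value <= good_state:
            break
        persistence += 1
    return TrendView(current, distance, velocity, persistence)


def compare(series: Sequence[int], good_state: int, periods_back: int, window: int = 4) -> str:
    """Answer "better or worse than `periods_back` periods ago?".

    Distance decides first; when distance is unchanged, the sign of the
    current velocity breaks the tie (an assumed rule, not the article's).
    """
    if periods_back < 1 or periods_back >= len(series):
        raise ValueError("periods_back must lie inside the series")
    now = trend_view(series, good_state, window)
    then = trend_view(series[:-periods_back], good_state, window)
    if now.distance == 0 and then.distance == 0:
        return "at target, unchanged"
    if now.distance < then.distance:
        return "better"
    if now.distance > then.distance:
        return "worse"
    if now.velocity < 0:
        return "same distance, but now improving"
    if now.velocity > 0:
        return "same distance, but now deteriorating"
    return "unchanged"


# Constructed sample: open critical findings at the end of each of ten weeks.
WEEKLY_OPEN_CRITICALS = [120, 130, 145, 150, 140, 125, 110, 100, 95, 90]
ACCEPTABLE_OPEN_CRITICALS = 50  # assumed "good state" for this metric


if __name__ == "__main__":
    print("now:", trend_view(WEEKLY_OPEN_CRITICALS, ACCEPTABLE_OPEN_CRITICALS))
    print("vs last week :", compare(WEEKLY_OPEN_CRITICALS, ACCEPTABLE_OPEN_CRITICALS, 1))
    print("vs last month:", compare(WEEKLY_OPEN_CRITICALS, ACCEPTABLE_OPEN_CRITICALS, 4))
```

With the sample series the answer to both corridor questions is "better" even though the count is still 40 above target: distance is shrinking and the velocity is negative, while persistence (ten weeks above target) records how long the bad state has lasted, which the absolute number alone never shows.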


Going for the ATO

Jo Anna Bennerson, CISA, CGEIT, CPA, ITILv3, PMP
Posted: 3/13/2017 3:04:00 PM | Category: Government-Regulatory

The Authority to Operate (ATO) is required before an information system can operate within a US federal government agency. My recent Journal article provides details on how to obtain it. The following steps can help US enterprises gain approval to operate with the federal government:

   ●  Ensure confidentiality, integrity and availability—The first necessary step toward achieving ATO is confidentiality, integrity and availability (CIA). This means that only approved people can get in, any changes to the system or data are genuine, and the system is up and ready for use.
   ●  Embrace the NIST 800-53 control families—Every family is a tightly knit assembly of controls with a dash-one, or parent, control followed by child controls that go deeper into the security measure. For instance, the Access Control (AC) family starts with the dash-one control, Access Control Policy and Procedures (AC-1), followed by more detailed controls to be implemented and assessed, such as Account Management (AC-2) and Access Enforcement (AC-3). Working through the controls within each of the 18 NIST control families lets you demonstrate the security that is in place or that is planned.
   ●  Keep the evidence—As in any operational process, you create or gather documentation that delineates the process and what has taken place, and, as with any audit trail, you keep evidence of the path you have taken. The ATO process is where all of that security documentation is gathered and stored; it builds the case for the security posture of your system and how it fits into your federal agency’s risk profile.


SSH: A Useful but Potentially Risky Tool

Tatu Ylonen
Posted: 2/27/2017 3:01:00 PM | Category: Security

My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.

In short, SSH is a tool for systems management, automation and file systems, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire: a key added to a service account keeps granting access even after the account of the person who added it has been removed.
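The audit this calls for starts with an inventory of the keys users have provisioned for themselves. The following Python is an added example, not code from the article or from OpenSSH: it walks a home-directory tree for the two files OpenSSH reads by default (`.ssh/authorized_keys` and `.ssh/authorized_keys2`), parses each entry (options, key type, key blob, comment), prints the OpenSSH-style `SHA256:` fingerprint, notes whether the entry carries `from=` or `command=` restrictions, and flags unrestricted keys on accounts the caller names as service accounts. The home-directory layout, the service-account list and the sample tree (whose "keys" are base64 of placeholder bytes, not real keys) are assumptions constructed for the example.

```python
"""Added example (not Ylonen's code, not OpenSSH's): inventory of
user-provisioned SSH public keys under a home-directory root.  The sample
tree built by build_sample_tree() is constructed input, not real keys."""
import base64
import binascii
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")        # first field that looks like a key type
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')               # split on whitespace, keep "quoted opts"
RESTRICTION = re.compile(r'(^|[ ,])(from|command)=')     # options that confine what the key can do
AUTHORIZED_FILES = ("authorized_keys", "authorized_keys2")  # OpenSSH's default AuthorizedKeysFile


@dataclass(frozen=True)
class AuthorizedKey:
    account: str
    service_account: bool
    key_type: str
    fingerprint: str      # "SHA256:<base64>" as `ssh-keygen -l` prints it, or "invalid-blob"
    restricted: bool      # from= or command= present in the options
    comment: str
    source: str           # file the entry came from


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob in OpenSSH's unpadded notation."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-blob"
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str, account: str, service: bool, source: str) -> List[AuthorizedKey]:
    keys: List[AuthorizedKey] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):   # no key type or no blob: keep it visible
            keys.append(AuthorizedKey(account, service, "unparseable", "invalid-blob", False, line.strip(), source))
            continue
        options = " ".join(tokens[:idx])             # everything before the key type is options
        keys.append(AuthorizedKey(account, service, tokens[idx], fingerprint(tokens[idx + 1]),
                                  bool(RESTRICTION.search(options)), " ".join(tokens[idx + 2:]), source))
    return keys


def inventory(home_root: str, service_accounts: Iterable[str] = ()) -> List[AuthorizedKey]:
    """All authorized_keys entries under <home_root>/<account>/.ssh/, oldest account first."""
    service = set(service_accounts)
    found: List[AuthorizedKey] = []
    for account in sorted(os.listdir(home_root)):
        for name in AUTHORIZED_FILES:
            path = os.path.join(home_root, account, ".ssh", name)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.extend(parse_authorized_keys(fh.read(), account, account in service, path))
    return found


def findings(keys: Iterable[AuthorizedKey]) -> List[AuthorizedKey]:
    """Entries to question first: unrestricted keys sitting on service accounts."""
    return [k for k in keys if k.service_account and not k.restricted]


def build_sample_tree(root: str) -> None:
    """Constructed /home-like tree; blobs are base64 of placeholder bytes, not real keys."""
    def blob(label: str) -> str:
        return base64.b64encode(f"constructed-placeholder-{label}".encode()).decode()
    files = {
        "alice": "\n".join(["# alice's laptop",
                            "ssh-ed25519 " + blob("alice") + " alice@laptop",
                            'from="10.0.0.0/8",command="/usr/bin/rrsync /srv" ssh-rsa ' + blob("backup") + " backup-job"]),
        "deploy": "ssh-ed25519 " + blob("carol") + " carol@workstation",   # added by someone who has since left
    }
    for account, content in files.items():
        os.makedirs(os.path.join(root, account, ".ssh"))
        with open(os.path.join(root, account, ".ssh", "authorized_keys"), "w") as fh:
            fh.write(content + "\n")
    os.makedirs(os.path.join(root, "bob"))   # account with no keys at all


def demo() -> List[AuthorizedKey]:
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return inventory(root, service_accounts={"deploy"})


if __name__ == "__main__":
    keys = demo()
    for k in keys:
        print(f"{k.account:8} {'service' if k.service_account else 'user':8} {k.key_type:12} "
              f"{k.fingerprint} {'restricted' if k.restricted else 'UNRESTRICTED':12} {k.comment}")
    print("to question:", [(k.account, k.comment) for k in findings(keys)])
```

On a real host run `inventory("/home", service_accounts=...)` with the account list from your own directory or password file; the fingerprints line up with `ssh-keygen -lf`, so a key found here can be matched to the private key on an engineer's laptop or in a CI secret store. Taking provisioning out of users' hands is an sshd_config change rather than a script: point `AuthorizedKeysFile` at a root-owned path such as `/etc/ssh/authorized_keys/%u`, after which entries under home directories are no longer honoured and every key has to pass through a controlled process.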


A Framework to Evaluate PAM Implementation

Richard Hoesl, CISSP, SCF, Martin Metz, CISA, Joachim Dold, Stefan Hartung
Posted: 2/21/2017 9:11:00 AM | Category: Risk Management

A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions try to attain the following goal(s):

  • Keeping the number of privileged access channels low
  • Authorizing, activating and deactivating the usage of privileged access channels
  • Detecting, evaluating, recording and terminating the usage of privileged access channels

Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:


EU GDPR: Embracing Privacy Requirements

Tarun Verma
Posted: 2/13/2017 3:11:00 PM | Category: Government-Regulatory

We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.

As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements set out in the regulation. The regulation applies to all organizations that store, process or transmit any personal data relating to an EU data subject. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply even to organizations that have no presence in the EU but process or access the personal data of EU data subjects.
