5 Security Tips to Keep in Mind When Developing a New Website
Few things put a business at more risk than developing a website and not putting an emphasis on security at a very foundational level.
Conducting Cloud ROI Analysis May No Longer Be Necessary
ISACA’s newly released report, How Enterprises Are Calculating Cloud ROI, is a landmark piece of research that, in my opinion, validates the notion that we have reached (or are at least rapidly approaching) that tipping-point where organizations realize that moving their IT infrastructures to the cloud is an inevitable, foregone conclusion.
Predicting Trends in AR and VR for 2018
Virtual reality and augmented reality are predicted to be two of the most important trends for the next 10 years, but both have a long road to get there.
Twelve IoT Controls
Not too far in the future, Internet of Things (IoT) devices will carry a white-goods-equivalent rating scale, similar to washing machines and refrigerators.
Krack Attack—Exploiting Wi-Fi Networks
Recently, a vulnerability was discovered in the Wi-Fi Protected Access II (WPA2) protocol that secures most modern public protected Wi-Fi networks.
Most practitioners by now are familiar with the concept of the “Internet of Things” (IoT).
Faces of ISACA: Dr. Nancy Asiko Onyango, CISA, CGEIT, CRISC
Nancy Asiko Onyango recalls being encouraged to wear blue jeans during her early days in the audit profession to be more comfortable when sifting through paper files, which would then be marked up with different colored pencils to highlight various findings.
A Different Approach to Assurance
Assurance is one of the most effective tools to support a risk management approach and framework. Effective risk management is essential to enable the operational success of an organization.
Cyber Risk List Has a New No. 1 for 2018
I recently presented the predictions for the Top 10 2018 Cyber Risks at the Whitehall Media, Enterprise Security and Risk Management conference in London.
Five Questions with Best-Selling Author and North America CACS Keynoter Erik Wahl
Erik Wahl, internationally recognized artist and best-selling author, will deliver the opening keynote address at North America CACS 2018, to take place 30 April-2 May, 2018, in Chicago, Illinois, USA.
Fortune Favors the Tech-Savvy: A Portrait of Tomorrow’s Digital Transformation Enterprise Leaders
Today’s digital economy sees established enterprises competing against start-ups, all enterprises worried about risk, and smart enterprises deploying digital technologies capable of transforming their enterprise, and enabling better business-to-customer interactions and relationships.
ISACA Awards: Recognizing Contributions Positively Impacting ISACA
As ISACA’s volunteer engagement manager, I realize how fortunate I am to have found myself working for an organization bringing together some of the most passionate, dedicated and talented people I’ve ever encountered.
Calculating Cloud ROI
The past few years have changed how organizations perceive—and how they use—cloud technologies. If that sounds fairly obvious to you, it should.
Risk Analysis Inputs Critical in Assessing Vulnerabilities
The fact is, new vulnerabilities come to light every day.
2018 Predictions for Cyber Security
With rapid digitization and the inter-networked world leading to a huge data explosion combined with the relentless growth of transformative technologies, the importance of cyber security – now and in the future – is unquestionable.
The Shadow Brokers: Hacking Tool Proliferation
The case of The Shadow Brokers, the group responsible for the disclosure of hacking tools created by “The Equation Group,” impacts the enterprise through the disclosure of hacking tools.
My First Mobile Device
I cannot remember the date at all (I think it was some time in the mid- to late ’90s), but I can most certainly remember getting my first mobile (cell) telephone. The reason I remember it so well is that it was such a traumatic experience!
5 Helpful Tips for Better IT Change Management
As you know, change management is critical to the long-term success of every organization. This is especially true when it comes to IT, where change happens at an astonishing pace. But is your organization where it needs to be?
GDPR Working Group Hard at Work to Help You Navigate Implementation
It is with great delight that I announce the formal launch of ISACA’s GDPR Working Group.
Need of the Hour: An Effective Cyber Security Leader
Cyber risks have taken center stage in the corporate world.
Uber Breach Reinforces Need to Rethink Enterprise Security Response
As if the personal data of more than 57 million customers and drivers being exposed is not bad enough, the timing and response to the recently exposed Uber breach is especially problematic.
Five Areas to Consider When Testing Cyber Threat Intelligence Effectiveness
According to the ISACA State of Cyber Security 2017 research, 80% of respondents believe “it is either ‘likely’ or ‘very likely’ that they will be attacked in 2017.”
Five Mistakes to Avoid When Deploying Emerging Technology
When I finished my proof-of-concept presentation to the CIO of a prospective client at a recent meeting, he was more than surprised – he was upset. He almost yelled at me: “How did you do it?”
Caught in the Act: Targeting Ransomware on the Wire
Ransomware holds a tight grip on its victims and their most valuable data and is a global epidemic reaching all corners of the world.
Doing the Math: The Value of Healthcare Security Controls
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a central concern of US organizations that are in any way involved with the creation, access, processing or storage of sensitive confidential health records – electronic protected health information (ePHI).
Advancing a Symbiotic Relationship Between COBIT, ISO Governance Standards
As a 2003 CISA recipient and a former honorary secretary of the ISACA Singapore Chapter’s board of directors, I am honored to be selected as the ISACA liaison to the International Organization for Standardization (ISO) Technical Committee 309 – Governance of Organizations.
Research Shows ‘White Male Effect’ Can Impact Risk Communications
This is a story about researching a simple question: Why are there so many vulnerabilities in information systems?
The Role of Certifications in the Hiring Process
Without a doubt, the information security space is experiencing a dramatic increase in hiring. Finding qualified candidates is continuing to get more difficult, and the duties of managers are steadily increasing.
Will Quantum Computing Break the Internet?
“What could cause a digital Armageddon?” That is a popular question to pose to information and cyber security professionals, and when asked, I don’t hesitate: Quantum computing.
IoT Security and Privacy: Exploring Technology Solutions Aligned to Regulatory Needs
In my last post, I spoke about the Internet of Things (IoT) in terms of trust, security and privacy at a high level. Here, I will take a deeper dive in terms of how IoT security and privacy can impact an ecosystem interconnect.
As Smart Home Cyber Security Takes Center Stage, Practitioners Need to be Part of the Solution
Cyber security gets a lot of discussion in terms of small business, but what few outside of the industry know is that many cyber attacks actually take place much closer to home.
Measuring Cyber Resilience - A Rising Tide Raises All Ships
I admit it … I am one of the 143,000,000 people afflicted by the Equifax breach.
The Risk of Third Parties
I have developed a risk-based management approach to third-party data security, risk and compliance methodology and published it to provide process guidelines and a framework for enterprises’ boards of directors and senior management teams to consider when providing oversight, examination and risk management of third-party business relationships in the areas of information technology, systems and cyber security.
Tips for Preparation and Success in the CGEIT Exam
I recently received my CGEIT exam result, with a final score of 557.
Enterprise Leaders Should Steer Organizations on Path to Digital Transformation
Employees are at their best when they are encouraged to take calculated risks, rather than becoming complacent with what they know and what has become comfortable. The same holds true for enterprises.
Data Governance Is Becoming More Complicated – Enablers Can Help
Enterprises are becoming increasingly digital.
Getting Digital Transformation Right: The Fundamental Three
Emerging technologies – such as machine learning, artificial intelligence (AI), blockchain, Internet of Things (IoT), augmented reality, and 3-D printing – are swiftly disrupting several industries.
Windows File Server Versions – Are Functionality Changes Necessarily a Headache?
The security risk of running an unsupported version of Windows File Servers is not at the top of the IT topic debate list.
Faces of ISACA: Paul Yoder, Head of Information Systems Security, El Camino College
Today, we spotlight Paul Yoder, head of information systems security at El Camino College (Torrance, California, USA). Yoder recently was honored in the education category of the Center for Digital Government Cybersecurity Leadership & Innovation Awards, underwritten by McAfee.
COBIT 5/DMM Practices Pathway Tool Enables More Impactful Data Management and Governance
CMMI Institute became a subsidiary of ISACA in 2016, and the organizations focused attention on the synergies between the current offerings in their combined suite of products.
Understanding Covert Channels of Communication
A covert channel is any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy.
Credible Risk Assessment Establishes Foundation for an Enterprise Cyber Security Program
Just like we learn so much about the state of our health with an annual physical exam, so does a credible risk assessment provide vital insight to improve the quality of an enterprise cyber security program.
Steps to Enforcing Information Governance and Security Programs
In my recent Journal article, I covered how organizations can leverage information governance (IG) programs to enable change and instill a culture of security.
Evolving Technology Calls for More Disciplined Approach From Auditors
The concept of Software Development Life Cycle (SDLC) is a natural mechanism of an organization that develops, co-manages and supports digital code as part of its technology ecosystem.
Understanding Your Core Values - A Key to an Authentic YOU
I was chatting with a colleague from our legal team, and he made a remark that he was “learned.”
Design Your Career Destiny So It Doesn’t Happen by Default
I was honored to present the keynote session at last week’s Women’s Forum for the ISACA Chicago Chapter.
The Darkest Moments of a Cybereclipse Are Best Examined Through a Quantitative Lens
Having experienced the excitement of a total solar eclipse, I now have an improved awareness of picking the right lens to make the experience worthwhile.
Shining a Light on Shadow IT
Microsoft: More than 80 percent of employees admit to using unapproved SaaS apps for corporate purposes.
Is a Breach at Your Company Inevitable?
The former CEO of Equifax recently stated in a speech to the University of Georgia that there are “those companies that have been breached and know it, and there are those companies that have been breached and don't know it.”
GDPR Can Bring Major Benefits to Governance, Security Professionals
The European Union has long considered that a person owns all non-public data about him.
Ransomware Analysis – Executions Flow and Kill Chain
Recent ransomware attacks, including WannaCry, Petya and NotPetya (which is considered to be a wiper as it irreversibly damages the disk), hit and partially paralyzed hospitals and large commercial organizations.
Why Privacy by Design Is a Stride Toward Consumercentric Design
Data are emerging as forms of capital in every industry, and data are also the most coveted asset. The forces affecting business operations drive organizations to hunt and gather data, and, in due course, shape them into reservoirs and refineries of giant data.
Cyber Security and Risk Should Be Standing Items on Board Agendas
The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.
GDPR: The Role of the DPO – And How to Find One in a Competitive Landscape
GDPR (General Data Protection Regulation) introduces the new role of Data Protection Officer (DPO).
Five Questions With Scientist, Cybercrime Expert and CSX Europe Keynoter Raj Samani
Raj Samani, Chief Scientist at McAfee and one of the world’s foremost authorities on cybercrime, will deliver a keynote address at CSX Europe 2017, to take place 30 October-1 November in London, UK. Samani visited with ISACA Now to offer his perspective on how cyber security professionals can keep pace with the challenging threat landscape.
Your Cyber Security Program’s Secret Weapon: Vendor Management
Not sexy enough? Well, I attended a security conference earlier this year in Phoenix, Arizona, with approximately 100 of my closest CISO colleagues, and much, if not most, of the conversations were focused on cloud-based business services providers and the challenges they faced securing those providers.
Examining the “Compliant, Yet Breached” Phenomenon
Most of us have gone through the shocking realization that compliance certification does not mean that our environment is secure. We are forced to remember that security and compliance are different results.
Network Security Policies Your Organization Needs To Adopt Today
Plenty of tech companies allow their workers to work remotely from home.
Technology at the Heart of Hurricane Preparation, Recovery
Recent hurricanes Harvey and Irma caused overwhelming damage in numerous countries—but amidst the devastation, the incidents also provide examples of the potential of technology as an enormous force for good when it comes to preparing for and recovering from natural disasters.
The Future Looks Promising for Blockchain Technology
Being a banker, I strongly consider blockchain technology to be a technology juggernaut that is going to transform the financial services sector by increasing transaction efficiency, transparency and security while reducing costs.
SSH Keys: The Unknown Access Gap
As an audit practitioner, you know better than most the need to ensure the effectiveness of risk management, control and governance processes in your organization.
SSH: Why You Need to Care
Secure Shell (SSH) is everywhere. Regardless of the size, industry, location, operating systems in use or any other factor, chances are near certain (whether you know about it or not) that it exists and is in active use somewhere in your environment.
Five Questions With National Security Expert and CSX North America Keynoter Matt Olsen
Matt Olsen, national security expert and co-founder of IronNet Cybersecurity, will deliver the opening keynote address at CSX North America, which will take place 2-4 October in Washington, D.C., USA. Olsen, who says ‘no company should go it alone in cyber space,’ visited with ISACA Now about the role of cyber professionals in counterterrorism, evolving forms of attacks and sharing of threat information.
How to Hack Neural Networks
If only neurologist Oliver Sacks, who wrote “The Man Who Mistook His Wife for a Hat,” were still alive!
Seven Tips for New IT Auditors
Transitioning into an IT audit or assurance role can be daunting, overwhelming and outright scary at first.
Tracking Vulnerability Fixes to Production
As an IT auditor at a software company, I discovered that security vulnerabilities in our bespoke product had not been getting released to clients on a timely basis.
The Elephant in the Room: SSH Key Management
In the early days of computing, use of private networks was more prevalent than it is now.
Five Questions with Technologist, Astrophysicist and CSX Europe Keynoter Ade McCormack
Ade McCormack is keenly interested in the anthropological factors that drive digital innovation.
A Cyber Perception Gap? What Directors Want to Believe about Cyber Security vs. Real Cyber Risk
Directors and executives want to believe their companies are adequately protected against cyber threats.
Board Leadership Critical in Effectively Leveraging Technology
There is little doubt that better governance of technology leads to better business outcomes.
GDPR: What a Data Protection Impact Assessment Is and Isn’t
There has been a lot written over the past year or so about the EU General Data Protection Regulation (GDPR) – what is required, and what needs to be accomplished sooner rather than later in order to meet the May 25, 2018 compliance date.
No End in Sight for Impact of Equifax Breach
It is a terrible time for privacy in the United States.
The Farmer and the Equifax
In the wake of major disasters, companies often retrench to their board rooms and ask questions about the state of their own resilience.
Equifax: Too Soon for Lessons Learned?
I am sure most practitioners by now have probably heard about the Equifax breach. If you have not yet, get ready to hear about it nonstop—probably for the next year or 2 at least.
Forums Showcase Common Challenges Facing IT Audit Directors
ISACA’s IT Audit Leaders Forums, conducted this year at North America CACS and EuroCACS, fostered productive dialogue about real-world challenges impacting IT audit directors.
When It Comes to Crypto, What You Don’t Know Can Hurt You
Most of us have heard the phrase “What you don’t know can’t hurt you.” While this may hold true for some circumstances, in the case of an audit, the opposite is true.
When growing up, many of us probably heard warnings from our parents to be careful in certain environments—the local woods, a busy side street, or at the beach.
Five Questions With Author and Africa CACS Keynoter Siphiwe Moyo
Siphiwe Moyo, author and motivational speaker, will deliver the closing keynote address at Africa CACS 2017, which will take place 11-12 September in Accra, Ghana.
Stuck in the Middle With You
I find working as an IT auditor a fulfilling and enjoyable job; however, as with any profession, there are times when it can be hard. There are certainly days when I feel that there are “clowns to the left of me, jokers to the right."
Spending Analysis Reflects Information Security’s Rising Profile
Analyst firm Gartner projects that worldwide spending on IT security products and services will grow 7 percent, year over year, to reach a total of US $86.4 billion in 2017.
NIST Password Guidance Should Be Well-Received
Many of us are creatures of habit, and changing our ways can be difficult.
Cybersecurity Workforce Development: Takeaways From a NIST Workshop
I had the opportunity to serve as a panelist at the NIST Workshop on Cybersecurity Workforce Development held in Chicago earlier this month. Based on the day’s conversations, there is still much work to be done.
ESA: What Is It and How Does it Work?
Enterprise security architecture (ESA) is the methodology and process used to develop a risk-driven security framework and business controls.
Data Analytics Maturity Models and the Control Environment
Organizations have recently raised concerns on their data analytics capabilities.
Mobile Computing: Increasing Productivity and Risk
Motorola is credited with creating the first handheld mobile phone.
Cyberpsychologist Mary Aiken: New Threats Demand New Solutions
Aiken recently visited with ISACA Now about several of her core areas of interest, including digital ethics and how parents can combat some of the cyber threats that could harm their children.
Developing an Information Privacy Plan
My most recent Journal article was based on an analysis of data privacy I performed for an ISACA presentation.
The 4 Most Secure Forms of Online Communication
“Secure” is a somewhat vague term, so here’s what a secure form of communication looks like:
Managing IT in Clinical Environments
Working in healthcare technology is about as exciting as IT gets.
Physical and Logical Security: Joining Forces to Manage your Enterprise Security Risk
Just a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches.
Faces of ISACA: Cynthia Damian, CISM, CRISC, CCSK, Senior Manager of Enterprise Risk Management, T-Mobile
ISACA member Cynthia Damian has not had to leave her hometown to work for some of the world’s largest, best-known brands.
IoT Cybersecurity Act of 2017: A Necessary But Insufficient Approach
The Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices.
What Does the Future of Financial Cyber Security Look Like?
Today, we trust banks and other financial institutions to safely handle our money and the bulk of our monetary transactions.
Will Blockchain Disrupt the Lives of Governance and Assurance Professionals?
The blockchain’s distributed ledger paradigm is serving as the supporting foundation to some forms of digital transformation, including the utilization of cryptographic virtual currencies (VCs) such as Bitcoin.
Increased Cyber Awareness Must Lead to Equivalent Action
Recent and widely publicized cyber attacks must be the impetus for a renewed and more concerted and coordinated global commitment to strengthen cyber security capabilities.
GDPR Compliance: One Step at a Time
Most of the people I speak to about GDPR are struggling with two main things.
To Micro-Chip or Not to Micro-Chip: That is the Question
Talk of employees at a Wisconsin (USA) business getting microchip implants to use within its work facilities for a wide variety of purposes (such as access control to business networks as well as to secured rooms, use of business machines, payments in company stores and vending machines, and many other activities) has been the topic of hundreds of recent news reports.
‘Cyborg’ Society Necessitates Governance, Compliance and Security Vigilance
Today’s security professionals face a daunting reality as the attack surface swells and cyber criminals prey upon the speed at which new devices are hurried to market.
Not Just Smart Cities – A Smart Community Ecosystem
Much consideration has been given to the creation of smart cities in the connected devices era, but Gary Hayslip thinks that security professionals should broaden their perspective.
Faces of ISACA: Mike Krajecki, Director, Emerging Technology Risk Services, KPMG
Mike Krajecki was studying information technology as a college undergraduate when his career goals crystallized.
Questions to Ask When Selecting an ITIL Automation Tool
One of the main tasks of the Information Technology Infrastructure Library (ITIL) implementation process is choosing an ITIL automation tool. Hence, while embarking on the IT service management (ITSM) automation journey, we should not rush into implementing a tool, even if the supplier claims that the tool has pre-built ITIL processes.
Find a Network to Support Your Professional Journey
Nearly two decades after the fact, much of the frenzy about the potentially calamitous implications of Y2K has been reduced to a punch line.
Five Questions with ‘Passionpreneuer’ Moustafa Hamwi
Self-described ‘passionpreneuer’ and award-winning author Moustafa Hamwi will deliver the closing keynote address at Asia Pacific CACS 2017, to take place 29-30 November in Dubai. Hamwi will address an often overlooked ingredient in business success – passionate leadership, also the subject of his recent visit with ISACA Now.
IoT Security Programs Must Leverage Trust
With an ever-growing digital and virtualized world of interconnected devices, we are seeing the rise of an ecosystem of Internet of Things (IoT) that is impacting everyday actions.
The Absence of IT Governance Codes
In recent years, board-level supervision in information technology matters has become a key IT governance topic. It is often assumed that national corporate governance codes can guide board members to design and potentially improve their IT governance practices.
Getting Smarter About Making Cities Smart
Having had the privilege to have visited a number of cities throughout the world, I have learned that Chengdu is not Mexico City, Brussels is not Houston, Abuja is not Melbourne, and Johannesburg is not Dubai.
Five Questions with Social Business Guru Ryan Hogarth
Social business strategist, author and radio show host Ryan Hogarth will deliver the opening keynote address at Africa CACS 2017, to take place 11-12 September in Accra, Ghana. Hogarth’s keynote is titled “We Are Not Robots.”
Talking Team-Building, Business Continuity and Risk Management with Vicki Gavin
Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape.
Use Multiple Guidance Systems for Effective Governance
In today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value.
Job Boards, Social Networking Sites Can Set Cyber Attacks in Motion
One of the most common cyber security questions I get is: How do attackers plan/carry out their attacks?
Auditing Data Privacy Can Bring Major Value to Organizations
As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.
Build a Small Business with GEIT and Security in Mind
Despite the prominence of larger companies, the growth of small businesses and entrepreneurs also is critical to a society’s development.
Obtaining Accurate HTTPS Posture Information
There are far more ways to apply encryption incorrectly than there are ways to apply it correctly. Sadly, many people think they already know everything they need to know about encryption because they have read a few articles online.
The Evolving Role of CISO Can Improve Information Security in Indian Banking
Whether in banking or any industry, business needs take precedence; everything else not as tangibly connected to organizational objectives and profitability is regarded as not as important by senior management.
Thoughtful Analysis Needed to Build on Cyber Security US Executive Order
In May, US President Trump set into motion a series of requirements to obtain an understanding of where US federal agencies stood in terms of readiness to ward off cyber attacks and assured the American public his administration valued the importance of understanding the risk, mitigating it and building a world-class workforce.
If WannaCry Was the Watershed, Is Petya/NotPetya the Tipping Point?
Wow. If only there were some way to defeat these terrible cyber attacks.
Strengthening Risk Management in the Wake of Petya Ransomware Outbreak
If you work in technology and have a working Internet connection, chances are good that you heard of (best case) or experienced firsthand (worst case) the ransomware variant making the rounds yesterday that most are referring to as a new Petya variant.
Ransomware Attacks Accentuate Need for Asset Management
Leftover qualified WannaCry victims – those that were vulnerable, didn’t get caught, and somehow continued to decline to patch – have become caught up in the next round of ransomware attacks.
Petya Attacks Underscore Need for Proactive Threat Modeling
If the recent WannaCry ransomware attack did not make a clinching case to corporate entities across the world, with entities scampering to patch various computers quite reactively, the attack was followed by the Petya ransomware attack across Europe and spreading all over the world.
Using Hackers’ Own Tools Against Them
There is a certain satisfaction that comes from turning the tables on a seemingly unbeatable adversary. Luke Skywalker exploited a design flaw to destroy the Death Star.
Why the Healthcare Industry Is Behind on Cyber Security
There are few industries that need strong cyber security as much as the healthcare industry.
Employees perform emotional labor (EL) when they conform their emotions to organizational expectations while interacting with customers.
Successfully Outsourcing IT Requires an Approach for the Long Haul
The concept of outsourced IT isn’t new and certainly has taken off with full force in both the public and the private sectors.
Digital Forensics Professionals Encountering New Challenges
When I began performing digital forensics more than 10 years ago, things were relatively simple.
The Key for Evaluating IT Asset, Risk Impact and Control Gap
A previous Journal article I wrote, “Information Systems Security Audit: An Ontological Framework,” briefly describes the security audit activities/process in one hierarchical structure.
In Era of Digital Disruption, ISACA is Ready to Rise to the Occasion
Much of what I learned about being a professional – and being part of a professional community – came through my association with ISACA.
Building Skills and Capacity in the Banking System: A Case Study From India
Indian banks have deployed IT-based solutions to cater to increasing demands in the banking industry required for a growing economy.
Business Model Transformation from Blockchain
Our traditional business model as we know it is at a crossroads considering the emergence of the Internet of Things (IoT), artificial intelligence and blockchain.
Faces of ISACA: Gerard A. Joseph, CISA, CISSP, CSAM, Ph.D., Independent Consultant
Australia resident and ISACA member Gerard Joseph has traveled extensively throughout the United States, as his visits to all 50 US states would attest.
How to Improve Communication Within Your Technology Team
Few things can stunt the growth of an organization more than a lack of healthy communication.
How to Properly Review and Act Upon SOC Reports
There continues to be a great deal of confusion over the new service organization reporting structure and which reports are the best to obtain.
Faces of ISACA: Michael Thiessmeier, Senior Manager, Technology & Security Risk Management, Oportun
Perhaps owed to his military background, Michael Thiessmeier believes that knowing how to perform the duties of both his supervisors and subordinates is the best way to ensure success. He has put in the time to make sure that’s the case.
Leverage Enterprise Data Management Investments to Facilitate Data Breach Reporting Requirements
In Canada, it is the Data Privacy Act and its impact on the Personal Information Protection and Electronic Documents Act (PIPEDA); in the United States, the regulations include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the US Personal Data Notification and Protection Act;
Top CISM Scorer Worldwide: How to Ace the CISM Exam
I was recently blessed to have attained the highest CISM exam score in the world for the June 2016 sitting, and to be recognized at the 2017 North America CACS conference as a result.
COBIT 5 and the NIST Cybersecurity Framework – A Simplified Framework Solution
Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming.
Ransomware Do’s And Don’ts
A company I worked for was hit with the CryptoLocker ransomware last year.
Threat Landscape Demands Action from Enterprise Leaders
In today’s climate, it is fully apparent organizations must treat cyber security as a central business priority.
ISACA Chapter President Finds Creative Way to Spread GDPR Awareness
ISACA Belgium Chapter President Marc Vael, CISA, CISM, CGEIT, CRISC, recently took a creative approach to spread awareness about General Data Protection Regulation (GDPR), spearheading a game about the coming regulations that will affect enterprises worldwide.
Global Knowledge: ISACA Certifications Delivering Big Organizational and Personal Returns
One thing is certain: The need for cyber security professionals isn’t going away any time in the near future.
Ransomware: Why Are Organizations Still So Vulnerable?
Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for quite a while.
Shedding the Human Bias in Risk Identification and Analysis
During the risk analysis process, information is availed through internal reports, external reports, surveys and face-to-face meetings during risk workshops.
Securing Connected Devices
Some Internet of Things (IoT) security issues and incidents can be attributed to poor knowledge, failure of the security manager to properly educate stakeholders or lack of stakeholder interest in investing in security measures.
WannaCry: Is this a Watershed Cyber Security Moment?
As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May.
Ransomware: Healthcare Organizations Cannot Afford to Be Unprepared
I had just typed the last word of a new ISACA publication on governance of enterprise information technology for healthcare environments when today’s news on the National Health Service (NHS) ransomware attack broke.
How Can We Get More Young People Excited About IT?
There are a lot of exciting things happening in the IT field, which means there’s a tremendous amount of growth occurring in a lot of businesses.
The Vendors of My Vendor’s Vendor … What? ... Wait? ... I’m Confused?!
It is no secret that vendor management is one of the top security challenges we face today.
Holistic View of Addressing IoT Risk by Leveraging a Decomposition Strategy
Journal article, I present a strategy to mitigate the risk that the Internet of Things (IoT) evolution is already engendering. The IoT landscape, connecting thousands of systems, devices and sensors, is unlike the traditional IT environment to which we all are accustomed; however, we can certainly leverage the same well-known IT governance methodologies along with state-of-the-art technologies and process changes to manage IoT risk efficiently.
Building a Security Transformation Program in Our New Information Security World
From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization.
The Darknet and Deep Web: What Are They, and Why Should I Care?
In this age of growing technology, we trust the Internet.
IT Audit Leaders Forum Puts Focus on Skills in Demand
Cloud computing, Internet of Things devices, cognitive and robotics automation, blockchain, virtual reality, drones and a variety of mobile technologies are among the disruptive technologies mounting challenges for IT auditors.
Securing Mobile Apps
There are more mobile devices than people on Earth. It is no surprise that the smart phone is one of the preferred devices to access information. Organizations embrace mobile technology for business advantages.
Help ISACA Mark its 50th Year, Look Toward the Next 50
Planning is well underway to lead into ISACA’s 50th year in 2019, mark the anniversary, and carry momentum forward into the next decade and beyond.
Faces of ISACA: Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global
Today, we spotlight Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global, a US resident from the state of California.
As CISOs’ Roles Evolve, So Do the Reporting Lines
A study by K logix Research titled “CISO Trends” found that “53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”
My Transition From IT Audit to CISO
My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.
Evolving Cyber Threats Require Evolving Training
Today’s cyber security professional is an amalgamation of haphazard professional experience, rapid-fire bootcamps, and smatterings of dynamically defined academic programs.
Three Questions with Author and CEO Margaret Heffernan
ISACA Now: What are some common pitfalls that cause organisations to fall short in leveraging their employees’ innovative potential?
The Rise of Wireless Security Cameras and the Risks They Pose
While there’s a lot of conversation about cyber security and physical premises security, the two rarely overlap.
Protiviti/ISACA Survey Reveals Major Opportunities for IT Auditors
Cyber security and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organizations face today, according to a recently released survey report from Protiviti and ISACA.
Agile Audit Practice
Auditors are expected to complete audits on material issues within shorter and shorter time periods. Such audits and their completion depend on the availability of key personnel, who are also increasingly pressed for time as they are involved in day-to-day operations and other, often mission-critical, projects.
Do Your Customers Feel Safe? Here’s How to Help
It’s not enough to make customers safe. I’ve worked with several businesses that did everything they were supposed to on the back end, including hiring IT security professionals, developing safer websites, and actively monitoring for threats—but customers never see the back end.
How AI Can Help Narrow the Talent Gap
The technical skill sets of internal incident response (IR) teams are being forced to evolve.
Securing the Internet of Things: A Public Safety Issue
The explosion of intelligent connected devices – the Internet of Things (IoT) – is presenting fascinating possibilities for businesses and consumers.
Three Questions with Tech Business Guru Dan Cobley
ISACA Now: From working with financial tech start-ups, what are some emerging technologies you see as having the most potential to take off in the next 3-5 years?
How to Manage Third-party Risk
We rely heavily on them, yet we are ignorant about the risk exposure from them. We know them, yet we do not know them when it comes to risk assessment and management.
Benefiting from Chaos in the Cloud
One of the biggest technology advancements in recent years is the expansion of the cloud, allowing users to have more space on their computers or mobile devices, with access to their documents, videos and pictures that are all conveniently stored in one place.
Find the Needle in the Haystack: Detecting Fraud Through Data Analysis
Many companies are looking at fraud detection using data analysis because, whenever there’s a fraud case in the news, it seems that it was ongoing for more than a year before anyone caught it.
The Value of Risk Comparison
When I used to run vulnerability management for a previous employer, my colleagues and internal clients would stop me in the corridors and ask, “Hey Mukul, how vulnerable are we today?”
Internal Control System – Whose System Is It Anyway?
Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning.
Understanding Hackers’ Motivations and Techniques Is Key to Deterrence
How do we stop hackers without understanding their true nature?
The Outlook for Biometrics Security
Deloitte Technology, Media and Telecommunications predicted recently that more than 1B devices would be reader-enabled for biometrics by the end of 2017.
Faces of ISACA: Integrity Central to Santor’s Career Success
One of the most influential conversations in Cheryl Santor’s career required plenty of gumption.
Connecting Business and IT Goals Through COBIT 5
Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
Going for the ATO
The Authority to Operate (ATO) is necessary to work in the system of US federal government agencies. My recent Journal article provides details on how to obtain the authority to operate.
Three Questions with Daymond John
ISACA Now: The word ‘innovative’ is thrown around a lot. What does that mean to you, and in what ways has that kind of mindset allowed you to achieve such a high level of success with FUBU and your other ventures?
Security and Compliance - A Relentless Battle
The overall objective for security controls is to support the organization’s services and infrastructure by identifying risks, improving the security level, and enabling rapid detection and response to security attacks.
Demand for CISA Continues to Grow
Many of us ask ourselves: “How can I differentiate myself from others in the workplace?”
6 Ways Artificial Intelligence Will Revamp Your Business
Artificial intelligence this, artificial intelligence that … everyone wants to talk about how AI technology is changing various aspects of society.
Faces of ISACA: Babiak Motivated to Help Women Take Final Career Steps
Jan Babiak draws upon her decades of high-level career experience to work toward expanded opportunities for women working in technology – all the way to the top.
Addressing Technology Gender Gap is All of Our Responsibility
I recently met a young woman in Ireland who was working toward a technology-oriented degree, and she recalled being among three women in her course at the beginning of the semester. By the end of the semester, she was the last woman standing.
Incident Response – Being Prepared for the Worst-Case Scenario
It is no secret that in today’s world, information is more at risk than ever before.
Leveraging UAS Technology: Time is of the Essence
Unmanned aerial system (UAS) technology has the potential to revolutionize a broad cross-section of industries, ranging from media and telecommunications to agriculture and construction.
IT Risk: Making Better Connections Between Smoke and Fire
Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today.
SSH: A Useful but Potentially Risky Tool
My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management.
Cyber Security Workforce Challenges Require Broader Collaboration
Report after report highlights the gap between the number of skilled cyber security professionals in the workforce and the number of job vacancies.
7 Things That Make Every Website Safer for Customers
Your website needs to be well-designed, functional, and aesthetically reflective of your brand. But—don’t forget—it also needs to be safe.
Steps To Kick-Start Your Technical Skill Development Plan Now
Senior IT Auditor, Fortune 500 global manufacturing organization: “I joined a Big 4 firm advisory practice out of college, did two years, and then moved over to IT Internal Audit a year ago.
Faces of ISACA: Meet Jason Duke, CISA, CISM, CSXP
ISACA Now: You’re Southeast Region Geographic Information Systems Coordinator with the U.S. Fish & Wildlife Service; Partner at White Mile Consulting, LLC; and an adjunct professor at Tennessee Technological University – where do you find time for all of that?
A Framework to Evaluate PAM Implementation
A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions.
IT Careers = Money, Advancement and Job Satisfaction. Why Aren’t More Women Pursuing Them?
The rewards of a career in information technology include above-average compensation, advancement opportunities, intelligent peers and job satisfaction.
A Digital Payment Case Study - India Goes Hi-Tech
A few months ago, on 8 November 2016, an unexpected announcement jolted the Indian nation.
Auditors Play Prominent Role in Effective Cyber Security
As the business benefits from technology grow rapidly, so do related risks.
EU GDPR: Embracing Privacy Requirements
We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media.
Organizations Must Be Smart, Strategic in Pursuit of Cyber Talent
Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent.
How SOC Brings Value to the Business
Most organisations, after being impacted by a cyber-attack, begin looking at the design of their Security Operations Center (SOC) operating model – their existing engagement with the managed service provider or their in-house SOC program – to identify the missing link, because the business has challenged their effectiveness. This is a reality.
IoT Device Manufacturers Must Take Steps to Earn Trust from Professionals, Consumers
More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.
Cybercrime Can Put Reputation of Enterprises At Stake
Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think.
The Risk Associated With AI
Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research.
New COBIT 5/CMMI Tool Goes Beyond Traditional Mapping
ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.
How to Win the IT Advisory Talent Battle
Demand never has been higher for the IT advisory skill set.
Mitigating the Insider Threat
While we become more and more connected and dependent on technology, we also become more and more vulnerable. Most organizations spend a large amount of resources defending against the outsider threat, but what about the insider threat?
Resilience and Security Risk Management in the Future of the IoT
The IoT, or “Internet of Things” (everyday objects and systems that have connections to a network to provide data-sharing and virtual control), is a fast-growing arena of technology growth.
Member Profile: Johnson’s Interest in AI Has Come ‘Full Circle’
Claudia Johnson always has had a knack for mathematics and statistics.
New NIST-Based Audit/Assurance Program Validates Cyber Controls
We live and work in a high-tech, interconnected world that is seeing increases in the volume and sophistication of cyberattacks.
Teaching Smart Gadgets Privacy Manners
The Internet of Things (IoT) is quickly becoming a highly populated digital space.
Dispelling Concerns Regarding Quantitative Analysis
In my recent Journal article, I stated that our profession needs to adopt quantitative methods of risk analysis to enable well-informed executive stakeholder decisions.
Talking it Out: Millennials, Certifications and Careers (part two)
ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics.
Talking it Out: Millennials, Certifications and Careers
ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics.
Work Hard, Have Fun and Learn with New CISA Online Review Course
At the very end of his 2010 speech at the iPad's debut, Steve Jobs mused on the secret to Apple's success: “It’s in Apple’s DNA that technology alone is not enough. It’s technology married with liberal arts, married with the humanities, that yields the results that make our hearts sing.”
Governance and City Development
Most of us live in cities. We are always busy, so we only see the impact and benefit of IT when it is not there, e.g., during failures, service unavailability, loss of physical devices, natural disasters and so on.
Security Automation Isn’t AI Security
In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear.
"My life story is not complete without ISACA"
Much of Phillimon Zongo’s youth was spent walking or running great distances barefoot, sometimes en route to school, other times scouring the township for empty cola bottles he could sell for change.
Ransomware: A top security threat for 2017
With the dawn of 2017, ransomware continues to emerge as a top security threat.
Phishing Attacks: Organizations in Troubled Waters Year After Year?
Social engineering of data over the Internet through phishing involves social and technological tactics to acquire information from victims.
Integrated Content Libraries – What You Should Know and Questions to Ask
Having worked for most of the “Big Four” as well as several boutique consultancies, I have witnessed a well-marketed shift and the birth of a new industry as it pertains to integrated regulatory content.