IT Audit Archive

Greg Grocholski

Baseball. Sunshine. Welcome.

Do those words ring a bell? They might, if you are among those using lazy passwords to protect yourself online. In October 2012 SplashData, which produces password-management apps, released its annual “Worst Passwords” list, a compilation of the (ostensibly) secret words most commonly cracked by hackers.

“Password” perennially tops the list, followed by “123456” and its hastily hacked cousin “12345678.” “trustno1” is an ironic easy target for hackers. And “letmein” is just too easy.
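The kind of screening a registration form should run against such a list, added here as an example; it is not part of the original post and not SplashData's software. The denylist is constructed from the entries the post quotes plus a few assumed additions, and the minimum length is an assumed policy value; a real deployment would load a large corpus of known-cracked passwords in place of the hand-written set.

```python
"""Reject password choices that match a "worst passwords" style denylist.

Added example, not code from the ISACA post or from SplashData.
"""
from typing import List

# Constructed denylist: the entries quoted in the post, plus a few assumed
# additions of the kind that appear on every such list. A production check
# would load a much larger breached-password corpus instead (assumption).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "trustno1", "letmein",
    "qwerty", "abc123", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy value, not from the post


def _is_sequence_or_repeat(s: str) -> bool:
    """True when every character steps +1, -1 or 0 from the previous one,
    which catches '12345678', 'abcdefgh', '87654321' and 'aaaaaaaa'."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means it passed.

    Returning every failing rule (rather than the first) lets the form tell the
    user exactly what to change instead of forcing repeated attempts.
    """
    reasons = []
    normalized = candidate.strip().lower()  # 'Password' is as weak as 'password'

    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    if normalized in COMMON_PASSWORDS:
        reasons.append("appears on the common-password denylist")

    # Catch the denylisted word with digits tacked on the end ('letmein2013'),
    # the most common way people "strengthen" a weak choice.
    stripped = normalized.rstrip("0123456789")
    if stripped != normalized and stripped in COMMON_PASSWORDS:
        reasons.append("a denylisted word with trailing digits appended")

    if _is_sequence_or_repeat(normalized):
        reasons.append("a keyboard/alphabet sequence or a repeated character")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: the post's examples plus one passphrase.
    for pw in ["password", "12345678", "trustno1", "letmein2013",
               "correct horse battery staple"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalization step matters: a denylist compared case-sensitively lets "Password" through while rejecting "password", which defeats the purpose of the list.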

The secret world of passwords has been in the news lately, as hackers have become increasingly skilled at figuring out codes to enter sites—business or personal—and snatching whatever they want. In the case of enterprises, the target can be data that can cripple or destroy a business. When the hacking is done to individuals, the theft can range from monetary loss to the heist of dignity. (Just think of photos stolen from celebrities’ cell phones.)

“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” said Morgan Slain, SplashData CEO, when the company released its list. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”

Figures on the average number of passwords each web user employs vary. Think how many you juggle in your memory or on some tucked-away file—or even worse, on a sticky note inside your desk drawer. Think how often you peck your passwords onto keyboards or phone screens each day. Some of your passwords are likely duplicates. Some are permutations. Some you have likely forgotten. (There are password-storing apps that work well—as long as you remember the password to access them.)

The sad truth is this: all passwords are vulnerable to varying degrees.

“2012 may have been the year that the password broke,” wrote Robert McMillan in January’s WIRED piece that detailed Google’s “war on the password” with its experimental password substitutes, such as cryptographic cards and rings that verify the finger—and the identity—of the person in front of the screen.

“Passwords are a cheap and easy way to authenticate web surfers, but they are not secure enough for today’s Internet, and they never will be,” McMillan wrote.

It’s scary stuff. So where do we fit in…those of us who make our livings securing information, data and the enterprises and individuals that require those things to be private in order to operate? Is the mutating world of passwords good for us or a tricky new obstacle?

The answer is both. When new problems arise, there is greater demand for problem-solvers…greater demand for professionals with the skills, training, backgrounds and certifications that enable them to, in this case, contribute to the cause of ensuring passwords are as impenetrable as possible.

On the flip side, professionals in information security must also stay abreast of these changes, which can be tricky. When the battle shifts, the professionals have to adapt and do it quickly.

I take pride in knowing that the 100,000+ members of ISACA have a long history of that adaptability. If we truly are all involved in this challenge to passwords, I am confident in the skills of our constituents.

Greg Grocholski, CISA
International President, ISACA and the IT Governance Institute

Category: Audit-Assurance
Published: 3/14/2013 2:49 PM

View full post on ISACA Now: Posts

High Tech Crime Solutions

BYOD: The march of consumerization

Posted March 12, 2013

Nelson Gibbs

Consumerize (v): to make (goods or a product) suitable or available for mass consumption; to encourage or foster the widespread consumption of (goods or a product).

The inexorable—and accelerating—march of computing in the business environment; from enterprise-class mainframes to low-cost PCs and servers to the bring-your-own-device (BYOD) movement; threatens to overwhelm businesses that have not developed plans to integrate the process into their organizational capabilities and accommodate the risks involved.

While direct costs for hardware are driven down by the move toward BYOD, indirect costs for managing an increased variety of platforms are rising. The standardization of processes and equipment that most enterprises rely on for control and predictability in their environment are in direct contrast to the proliferation of vendors, devices, carriers, contracts, software and risks. Consumerization is driven by the need to appeal to a wide audience by integrating as many capabilities as possible in easy-to-use forms in short timeframes with as little impediment from security as possible.

Make sense?

The pace and drivers of consumerization work against the steady, measured growth of most organizations, which evolve at a much slower rate.

In addition to the practical, tactical challenges of managing the explosion of BYOD into the enterprise, there is the more subtle (but significantly greater) impact of strategic considerations that have not yet been fully answered.

Who owns which data?

How do you keep this data adequately segregated?

How are contractual and financial obligations to carriers and vendors shared?

How do you account for non-business use of personal devices at work versus business use of the same devices at home?

How do you ensure that patches and updates are applied to devices and who is responsible for testing compatibility?

If personal use leads to breaches that affect the business, who bears responsibility?

And if it is truly “bring your own device,” who is responsible for providing those devices? (Most forklift drivers do not bring their own forklifts to work, but in the not-too-distant future, most information workers will bring their own information-processing devices.)

In the face of these considerable challenges, enterprises must determine how to best address the BYOD movement.

At the root, it is a risk-reward scenario, so most tools for analyzing risk and measuring reward can be used to evaluate the potential outcomes. Inherent in this approach is a well-understood delineation of the rewards to be gained and a good inventory of the potential risks faced.

Accepting the likelihood that some degree of control has to be given up to achieve the benefits of BYOD may make some organizations exceedingly nervous. And rightfully so. However, decision-makers must remember the old saying: Nothing ventured, nothing gained.

Currently, the US government in the form of the Department of Defense (and other agencies) is planning to roll out mobile-device use for classified and top-secret networks as well as tactical battlefield activities and communication. That is a pretty speedy adoption rate for mission-critical and life-threatening environments.

However, the risk surface for BYOD is becoming well understood, particularly when an organization’s business drivers and deployment methodology are aligned and management tools are rapidly improving to meet enterprise-class needs. Recent guidance from ISACA in the Securing Mobile Devices with COBIT 5 book provides IT professionals and auditors a framework and roadmap for implementing, managing, and monitoring the use of BYOD in an organization. Nothing mobile, nothing gained.

Nelson Gibbs CISA, CGEIT, CRISC
North America CACS Conference Advocate

*Join Nelson and examine IT consumerization questions and solutions in more detail at ISACA’s North America CACS conference, taking place 15-17 April in Dallas, Texas. Learn more about CACS here.

Category: Audit-Assurance
Published: 3/12/2013 2:37 PM


Milestone CISA

Posted March 7, 2013

Frank Giebel

As ISACA celebrates the 35th anniversary of the CISA certification this year, we congratulate each and every professional who has achieved this distinction. And as ISACA recently certified the 100,000th CISA since the designation’s inception in 1978, we take this moment to profile one of the newest to achieve the CISA certification—Frank Giebel.

Frank began his career 25 years ago, holding IT audit and business development positions with Dell, SGI and StorageTek. In 2009, he founded an independent consulting firm, 3rd Mind Business Consulting, near the German financial district in Frankfurt.

“I am proud to be part of such an elite international community,” says Frank, a GRC consultant based in Germany, who earned his CISA certification in January. “Many organizations, especially large international companies, specify in their requests for proposal that auditors must hold a CISA certification from ISACA, so this credential will give me access to a wider base of potential clients.”

ISACA:Why did you pursue the CISA certification?
Frank: My job as a GRC consultant entails the introduction and management of information security and compliance as well as auditing my customers’ current level of information security and data privacy. During auditing and consulting projects, I am helping customers improve their information security and data privacy management. From a compliance perspective, I help them in planning and introducing regulatory compliance archives (i.e., email archives, document-management systems, etc.). While I already held the CISM certification, it is important to me to have CISA to "prove" my skills and get access to more customers.

ISACA: What is the value of CISA certification for you?
Frank: Definitely the access to more customers and high-risk areas like credit card transactions, banks and health insurance. Large and/or international customers include in their requests for proposals an ISACA certificate like CISA or CISM. And with the CISA certification, I am eligible to have the title "IT-revisor (IT-auditor)." To achieve that, you need a "bulletproof" certification like CISA.

ISACA: As someone who recently passed the CISA exam, what advice can you offer those sitting for an exam in the near future?
Frank: Have practical experience in information security, compliance and data privacy from a non-technical perspective. Have knowledge regarding the business objectives of the customer and related branches. I believe that specializing to a small number of branches is more valuable than many branches with little knowledge of them all. For me, my technical background and my CISM education were very helpful. You need practical experience.

ISACA: CISA has been earned by more than 100,000 professionals since its inception 35 years ago. How does it feel to be part of those milestones?
Frank: I feel very confident to be part of such a community, particularly since this is an international community. This is an elite circle of high-quality professionals.

To learn more about the 35th anniversary of CISA and the 100,000-certified milestone, go here

Category: Certification
Published: 3/7/2013 5:02 PM


Ramsés Gallego

Today’s ISACA Now post profiles ISACA International Vice President Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, Six Sigma Black Belt, who in 2012 was named security strategist and evangelist for Quest Software, a Dell company.

Ramsés has served on ISACA’s Guidance and Practices Committee, and the CISM and CGEIT Certification Committees. He is an author of ISACA white papers on geolocation, virtualization and sustainability, and is research director for the ISACA Barcelona (Spain) Chapter. He also served on the planning committee of the inaugural ISACA INSIGHTS conference and chaired the planning committee for ISACA’s Information Security and Risk Management Conference in Europe.

“I am honored to be ISACA’s international vice president, after having served the association through many roles,” says Ramsés, who will moderate a session at INSIGHTS 2013 in Berlin, Germany in June. “It is a privilege to represent a growing number of professionals around the world and have the opportunity of taking ISACA to the next level.”

ISACA: Describe your role at Quest Software.
Ramsés: In my professional role at Quest Software, now part of Dell, I enjoy envisioning the next iteration of the markets we decide to serve and helping customers and partners develop the right approach in the security, governance and risk management arenas, using the right technology.

ISACA: What is your philosophy regarding the IT industry?
Ramsés: We live in a world that changes quickly—sometimes too quickly, at the speed of light. There are threats that expose our organizations to risk that we must understand and mitigate through the right mindset. That means having policies, procedures and processes, and using the skills and abilities of people—our teams—to embrace a robust and solid approach to risk management.

Speaking specifically, as we are spreading the word on the business-oriented, process-driven, results-focused COBIT 5 framework, we must separate governance from management and provide (tangible) value to the enterprise. Business is king and service is queen—we shouldn’t forget that perspective. Thus, the security, risk management and governance disciplines will help us understand further what we need to do to protect the brand, people and information.

ISACA: Why are you an ISACA member?
Ramsés: Because of the value provided. Because of the unique opportunity of meeting professionals from around the world. Because of the excellent opportunity that belonging to a group provides and the useful deliverables that the association offers every month. Whether it’s the discipline of geolocation, securing mobile devices, social media, cloud, XBRL or VoIP, ISACA has prepared assurance guides and advice to understand them and—if needed—consider them for our organizations. If you combine that with the certifications that are recognized within the marketplace and the education provided through conferences and events, that’s so unique that I feel empowered as a member.

ISACA: Why do you serve on ISACA’s board?
Ramsés: I serve on the board because I care. I care about the community we live in, and I care about making life easier and more interesting for members and professionals around the world. Because I think that to lead is to teach, to provide the right advice coming from experience. I am serving on the Board of Directors because I think that providing support, guidance and vision to others is one of the most important things in life. We on ISACA’s board are tasked with the duty of creating the right environment for fellow professionals and organizations to move the world forward.

ISACA: Describe your life outside of work.
Ramsés: I have three pillars in my life that are uniquely balanced: family, work and ISACA. I see them as one energizing the other and giving me the room to protect them all. My family is the most important thing for me, but they understand that my work and my role at ISACA are important. I am lucky to have a family that understands the importance of all of my travel, meetings and conference calls.

I love technology, music and taking long walks in the cities I visit. I visited 16 different countries in 2012 and, when able, I walked through all of them to understand them better.

ISACA: What advice do you give to young professionals entering this field?
Ramsés: This is a very interesting time to be in the IT industry. Technology is so pervasive that everything exists on a computer, in a data center, in the cloud. Governance, risk management, auditing and security are areas of great impact in the way we live, work and play. And we require the talent, the energy and the passion that young people will provide. They can change the world and they will.

ISACA: What unique opportunities / challenges do you see in 2013?
Ramsés: The challenge of asking the right questions to the right people at the right time. The challenge of ‘expecting the unexpected’ and being ready for that moment. The challenge of helping before problems happen. The world we live in is packed with threats that exploit our vulnerabilities. Consequently, we must always be asking, talking and listening, then crafting the right vision and strategy to protect at the individual, corporate and government levels.

This is the time to set the charter and execute accordingly. This is the moment of NOW.

For biographies of all ISACA board members, visit www.isaca.org/board.


Category: Audit-Assurance
Published: 3/5/2013 11:43 AM


CISA at 35—A recruiter’s perspective

Posted February 28, 2013

Derek Duval

I have been recruiting exclusively in the IT/audit world for about 20 years, and I have watched the evolution of the Certified Information Systems Auditor (CISA) certification with great interest. I believe there were about 25,000 CISAs in 2001—the fact that it has quadrupled in just over a decade is clearly impressive.

A decade ago my clients considered CISA a “nice to have.” Today it is often a hard-and-fast requirement. The Sarbanes-Oxley avalanche magnified the value of CISA, as new professionals flocked to the field and CISA distinguished those who not only had mastered the body of knowledge, but also showed dedication to the field and a commitment to professional development. As the focus on SOX has ebbed, CISA has continued to elevate in status and is better recognized and respected not only by audit leaders, but also by IT and business leaders whose domains rely on IT risk and control professionals for assurance.

While we celebrate the 35th anniversary of CISA this year, I expect demand for the certification to continue growing. Budgets are finally replenishing as the economy continues to improve, and I am seeing my clients create “expansion positions” at the strongest clip since the recession. Many IT audit groups that have been understaffed (“doing more with less”…a phrase we are all tired of hearing) are finally getting the reinforcements they have been asking for.

Even in the depth of the recession—around 2009—demand for auditors slowed, of course, but IT audit always outperforms the general employment market in terms of stability, mobility and salary. Those who were CISA-certified during the recession had a clear edge over those who were not when competing for attractive openings.

Based on the heavy and continually increasing volume of requests my firm is now receiving for assistance, I would put current demand at three times what it was three or four years ago. In all of my primary markets in the eastern United States, the list of major companies NOT specifically looking to hire a CISA professional is much shorter than the list of those who are.

I have clients across varied industries and I see a healthy demand in every sector. The most drastic industry-related spike I have seen is in financial services. I am not sure whether this is just from pent-up demand being satisfied now that budgets are back, or in anticipation of an increased need for the CISA skillset to address forthcoming additional regulatory-compliance requirements. Either way, I am not surprised, as the financial-services industry has always led other fields in employing CISAs in both audit and non-audit capacities.

Demand is steady, but there are changes taking place. The most interesting development I am seeing in the market is a resurgence of interest in CISAs for non-audit roles, such as IT risk management, IT compliance and IT controls analysts. Many of these roles are positioned within IT, as more IT leaders understand the value of having a CISA on their payroll to coordinate with multiple IT controls stakeholders (internal auditors, external auditors, regulators, etc.). CISAs are also prized as project managers during the implementation of IT control solutions.

The bottom line is that anyone who is committed to a career in the broader world of IT assurance—whether in an audit, compliance, governance or risk management capacity—should consider the CISA a must-have.

Let me put it like this…one of the first things I ask new candidates is “Do you have the CISA?” If not, I want to know why not. If not, I ask, “When do you plan to get it?”

Derek Duval
Owner, Duval Search Associates

Continue the conversation…engage with your peers in the Audit Standards topic in ISACA’s Knowledge Center.

Editor’s Note: ISACA’s other credentials are making headlines as well. Last night, the CRISC certification won the SC Magazine Award for Best Professional Certification Program. Find details here.

Category: Audit-Assurance
Published: 2/28/2013 12:55 PM


On a couple of previous occasions I have written about the fact that ISACA is using COBIT 5 and COBIT 5 Implementation to formalize and guide implementation of Strategy 2022 (S22). It has been enlightening to use COBIT’s business-oriented principles to govern and manage a non-IT project. Certainly, some adjustments have had to be made to render COBIT exactly pertinent to our goals, but that is one of the strengths of COBIT: It lends itself to customization by every enterprise that uses it, and, in fact, urges the user to exercise judgment to make it relevant guidance for the situation at hand.

I mentioned in previous blogs that we would be issuing a case study once we are well into the “business as usual” portion of implementation. I am pleased to advise you that the case study is now available and is posted to the web site. Of course, even though the case study has been finalized, our implementation of S22 is not over. S22 has a 10-year horizon—but this seemed an opportune time to conclude the case study, given the stage to which we have progressed. We hope you find value in reading about the steps we used, the challenges we addressed, the adjustments we made and the lessons we learned (and are still learning) along the way.

The case study makes it clear how we feel about the benefits of working with COBIT:

There is no question among those working on the S22 initiatives that using COBIT 5 has enabled a more productive outcome to date. The rigor required by starting with defining stakeholders, their drivers and their needs, then proceeding to describe the as-is and to-be states, has sparked a deeper analysis of each initiative. It has enabled achievement of a more in-depth, profound understanding of the problems, so that they are addressed in the most effective way, as opposed to trotting out easy and obvious “solutions” so that another task can be checked off the list. COBIT 5 has also surfaced the deep layers of interdependencies among the initiatives, thus “forcing” a holistic, rather than siloed, planning approach. Recognizing the interdependencies has made it clear that issues cannot be dealt with on a piecemeal basis, but rather as parts of a whole.


Based on the success of using COBIT to implement strategy, ISACA is applying COBIT 5 to other specific activities as well. Gradually, the intent is to expand COBIT’s scope to cover broader enterprise issues. We hope you find the case study interesting and useful, and will agree with us that COBIT is an effective and valuable framework for governance and management of IT…and more.

Susan Caldwell

CEO, ISACA

Category: COBIT-Governance of Enterprise IT
Published: 2/26/2013 11:18 AM


Meet Your Board Members: Krysten McCabe

Posted February 22, 2013

Krysten McCabe

Today’s ISACA Now post profiles Krysten McCabe, CISA, a director on ISACA’s board. Krysten is also a senior manager in the Assurance and Advisory Management Program at The Home Depot and a member of ISACA’s Audit and Finance Committees.

ISACA: Describe your professional background.

Krysten: I was an IT auditor at Ernst & Young LLP and an IT controls analyst at SunTrust Banks Inc. before joining The Home Depot, where I have been a part of the internal audit function for eight years.

ISACA: What type of projects do you work on?

Krysten: Our group is responsible for compliance projects and process-improvement initiatives. For example, we recently audited accessibility to sensitive data, ensuring that we had the right controls in place to protect our employees’ and customers’ personal information. In that project, we found an opportunity to implement controls that would prevent potentially inappropriate use of that information.

ISACA: What is unique about working at The Home Depot?

Krysten: Our internal audit department functions as a management-development program, bringing in associates with a few years of experience and growing leaders within the organization. Each quarter, these teams rotate through projects in different business areas. We provide our associates with exposure to executive-level leadership, which helps them prepare for when they might take a more senior-level leadership role. And this extends beyond the world of IT—it goes into presentation skills, writing skills, collaboration with team members, management style, etc.

ISACA: What advice would you give to students or young professionals who would like to follow in your footsteps?

Krysten: Starting in college, take leadership roles in organizations, which teaches you the value of working with a team and sharing goals with a large group. That is a huge part of what I do every day. Also, develop a very strong network and maintain relationships with those people. Reach out to people to do benchmarking. And lastly, be patient with your career growth; be willing to grow into your role instead of jumping from job to job.

ISACA: Why did you become an ISACA member?

Krysten: Membership provides access to a wealth of information. The journals every month are awesome at helping keep you up to date with current issues. Membership also gives you a link to a local community of people with the same background as you. I got my CISA certification in 2006. That highlights that you are skilled in a particular area and you are committed to it.

ISACA: What do you hope to accomplish as an ISACA board member?

Krysten: I am excited about bringing a different perspective to the board. There are a lot of new risks—new challenges such as social media—that our generation uses on a daily basis. I feel that I can contribute in these areas and help to attract new members to the association.

ISACA: What do you enjoy doing outside of work?

Krysten: I think that remaining active and healthy contributes to success at work. As such, I enjoy running, spinning and yoga. My husband and I also enjoy traveling.

ISACA: What is unique about being a woman in this industry?

Krysten: You have to be interested in this field. To be honest, it turned me off at first. I am not technical. This field seems very techy up front, but it doesn’t have to be. If you like logical thinking, it’s pretty straightforward…determining what needs to be done to mitigate risks.

It was clear to me that technology was going to be a big part of business when I left school. I didn’t like programming, but with IT audit I get to stay involved with a critical part of business and interact with a variety of people every day. I can improve things where I see opportunities for change. I can challenge the status quo. I like coming up with new ideas, creating plans to address risk and seeing projects from start to finish.

ISACA: What are you most excited about in the world of audit?

Krysten: We are seeing more and more how technology is becoming a critical part of business, and this constant change allows you to continue to learn new things. It’s very exciting.

For a full list of ISACA board members and their biographies, go here.


Category: Audit-Assurance
Published: 2/22/2013 10:05 AM


Jo Stewart-Rattray and Christos Dimitriadis

Advanced persistent threats—commonly known as APTs—are a new class of threats that concern security professionals around the world due to their unique properties. Unlike website defacement for communicating a message or identity theft for financial gain, APTs are designed to “fly under the radar” and exfiltrate information for as long as is needed to achieve a goal.

Not knowing if you have been attacked by an APT is worrisome. Studying the properties of an APT can be even more troubling.

APTs have very specific targets. They do not switch their objective when slowed by strong security architecture. They pursue their target repeatedly—which is where that “persistent” label comes from—using multiple, advanced techniques ranging from direct, zero-day vulnerability exploits to social engineering. APTs study the victim for a long period, employing considerable amounts of resources.

Because APTs “fly under the radar,” organizations can be caught unaware. This was evidenced in a recent global survey, conducted by ISACA and sponsored by Trend Micro, which revealed respondents’ varied answers to this question: Would your enterprise be ready to deal with an APT attack?

Because some survey respondents replied “no”, ISACA addresses the issue of what enterprises can do to protect themselves.

In tandem with the release of COBIT 5 for Information Security, ISACA continued to develop messaging that addressed information security in a holistic manner, correlating business objectives with the security properties of technology, organization, culture, human factors, processes, flexibility and preparation to address new trends. 

We believe that the answer to protecting against APTs is the same. Organizations need to establish holistic frameworks and approaches in order to gain comprehensive understandings of information security in the context of their business environments. Being informed about new vulnerabilities, threats and protection methods makes information security a continuous effort (rather than a one-time task) of fighting attackers. We in this field must be as persistent as the threats.

ISACA took the initiative to conduct the global APT survey to gather and then share knowledge with the information security community to trigger discussions and support experts as they find solutions to these new problems.

The results of the survey are interesting. They highlight some of the issues that were recognized during the development of COBIT 5 for Information Security. They also highlight how enterprises are still struggling with issues that ISACA has addressed in past initiatives, such as the establishment of security awareness/education programs within enterprises that are contextualized to those enterprises’ unique needs.

In short, we believe this survey is mandatory reading for anyone affiliated with information security.

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC
Director of Information Security at RSM Bird Cameron, Australia
Director of ISACA

Christos Dimitriadis, CISA, CISM
Head of Information Security—INTRALOT GROUP, Greece

Continue the conversation…engage with your peers in the Intrusion Prevention/Detection section in ISACA’s Knowledge Center.

Category: Security
Published: 2/20/2013 4:03 PM

View full post on ISACA Now: Posts

High Tech Crime Solutions


http://www.Locatepc.net, http://computersecurityexpert.net, http://stolencomputeralert.com, http://www.computersecurityguru.com

The art of the snake-oil salesman

Posted February 15, 2013

If you are an information security professional who is anything like me, you are probably happiest sitting at your desk writing policies, evaluating controls and studying for the next exam.

However, as the world changes, we must adapt and change with it. And part of that change includes increased scrutiny from senior management about information security expenditures. “Are we maximizing the value of our money?” they are now asking.

It is a good question. We all know the answer. “Of course we are! I would not be asking for money if I did not believe it was a ‘critical risk control.’”

Since it is a good question and I have a good answer, why do I feel like a snake-oil salesman offering a cure-all? “Here Mr. CFO, one sip of this magic potion and everything will be all right. Yes, it is $500,000, but trust me…”

The answer here is simple—it is because we are not speaking the same language. And because we are not speaking the same language, we fall back to the old line: trust me.

That often works, but there is a better way. We must learn to speak to our business partners so that we become valued partners to them. (COBIT is a great tool in this regard.) If that can be accomplished, they will come to us early in their projects and ask for our advice as internal consultants. They will be happy to make time for us because they know we are supporting their business.

The alternative, of course, is more surprises as we learn about projects after they have been halfway completed, only to hear from our business partners when something catastrophic happens. Then we get that look of distrust when we ask for a meeting, because…here comes another request for a half-million-dollar fix.

That is why I constantly try to improve my ability to communicate with my business partners. I am always looking for new ways to discover what is on their plates—what their needs and concerns are—and not just when I need something.

Building those personal relationships is key. It enables us to move beyond just asking for money when it is needed to discovering what the business really needs to be successful.

ISACA offers many classes on communications at its conferences and through other venues, which can bolster your skills and make you more valuable to your organization. Classes such as “Communications Skills for Security and Governance Professionals” and “How Communication and Behavior Influence Information Risk and Reporting Outcomes” were available at the recent ISRM/IT GRC conference in Las Vegas. I attended those classes—I benefited from them—and I encourage you to take them.

Good luck!

Jason Hurst, CISA, CISM, CRISC
Sr. Network Security Administrator, Panda Restaurant Group

Continue the conversation…engage with your peers in the Career Management topic in ISACA’s Knowledge Center.

Category: ISACA
Published: 2/15/2013 11:09 AM


Greg Grocholski

Have you seen the news lately? Our industry has been in the spotlight recently, and the messages—for IT professionals, at least—have been good ones.

This from the 1 February Chicago Tribune: “The [US] Federal Trade Commission called on the fast-growing mobile device marketplace to do a better job of alerting consumers to what the various market players do with their personal information.”

Days later, TechEurope reported on Sweden’s booming tech-entrepreneur culture, news that comes on the heels of reports about the US Pentagon’s plan to boost its cybersecurity force by as many as 4,000 professionals.

I have followed everything from alleged hacking of the New York Times to the international Data Privacy Day on 28 January (on which ISACA announced its new Privacy Advisory Task Force), which was soon followed by Safer Internet Day. The Times of India recently reported on BlackBerry’s growth in the field of “mobile computing architecture,” while Japan Today reported on Amazon’s virtual currency.

Some of these topics are exciting (Amazon coins?). Others are worrisome, such as the invasion of personal privacy and the increasing world of cyberthreats. But for those of us charged with optimizing the exciting new developments and combatting the worrisome problems, the growing need for our services is positive. There is much work to be done and we are the professionals to do it.

With stories such as these being publicized in mainstream media—and being viewed by mainstream audiences—there is greater understanding of the work IT professionals do and the need for their services. That is a good thing.

You might have noticed a trend in recent years—explaining your occupation to those outside of the industry has grown increasingly easier. An example: a restaurateur you might meet at a social event now understands IT; she offers Wi-Fi to her customers, she uses a service to process her credit-card purchases, she uses another digital system to track inventory. As a result, she has firsthand knowledge of the role IT/IS professionals play.

So too, I like to think, do most consumers of the media mentioned above. That news item about the US Federal Trade Commission included the fact that the regulatory body released guidelines that platforms, mobile-app developers and advertising networks must follow, including immediately informing consumers what apps do with their personal information and asking those consumers to grant permission before their data are collected.

This interplay of technology and information security, risk and privacy is at the core of our careers and ISACA itself. It is nice to see our field getting this attention—and for the public at large to become better educated—and it also means big and exciting things for our future.

Greg Grocholski, CISA
International President, ISACA and the IT Governance Institute

Category: ISACA
Published: 2/12/2013 1:25 PM


Cut through the fog of cloud computing

Posted February 11, 2013

Is cloud computing marketing hype, a reality or a bit of both? More than 40 years after singer Joni Mitchell’s “Both Sides Now” was written, the lyrics “It’s cloud illusions I recall, I really don’t know clouds at all” aptly capture a lot of the confusion about cloud computing in 2011.

New benchmark research by IT Policy Compliance Group (ITPCG) titled Managing the Benefits and Risks of Cloud Computing distills some actionable guidance from the current reality of cloud computing.

Current and near-term uses of cloud computing

Based on current use, larger organizations are indeed cutting through the fog of cloud computing, while small businesses are not, and the profile of cloud computing is decidedly “private” and focused on a variety of applications for now.

  • Two in 10 small firms are using cloud computing.
  • Five in 10 midsize organizations are using cloud computing.
  • Seven in 10 large organizations are using cloud computing.

The majority of cloud use (from 50 to 66 percent) is for private clouds. “Private” clouds are being used for many applications, including almost everything but transaction-processing systems. Public and hybrid clouds make up the difference, with most of that remainder being hybrid forms of cloud computing.

Benefits of cloud computing: what’s in it for you?

The benefits being sought and achieved from the use of cloud computing depend on the size of the organization. The primary benefits for small businesses are focused on reducing operating and capital expenses. The benefits for large organizations are more extensive and include:

  • Improved levels of flexibility and agility
  • Greater adaptability
  • Improvements in IT service levels
  • The ability to leverage new technology
  • Capital and operating expense reductions, enabling a rebalancing of the IT portfolio to focus on core competencies

According to participants in the ITPCG study, benefits of cloud computing are being achieved in less than a year—a short timeframe compared to the multi-year paybacks typical with on-premises software.

Cloud computing risk

Although there have been some reports of virtualized applications being stolen, the primary risk of cloud computing, according to the survey respondents, is the information that is accessible through cloud applications.

Other risk concerns cited by participants include:

  • An inability to recover critical data from cloud providers
  • Customer defections stemming from failures occurring at cloud providers
  • Loss of governance over data, applications, audits and risks
  • Service failures and business downtime
  • Reputational risks from activities of co-tenants at cloud providers

A wide variety of risk scenarios tested with the participants revealed that the top risk scenarios and controls for cloud computing include:

  • Eight in 10 are related to IT and information security events and controls.
  • Seven in 10 are related to operational events and controls.
  • Six in 10 are related to organizational and policy lapses and controls.
  • Four in 10 are related to legal and regulatory problems and controls.

Are the benefits and risks of cloud being well-managed?

Although the benefit of lower costs from the use of cloud computing is being achieved and managed by small firms, the risks are not: the study shows that there are twice as many worst performers among small firms as among all other organizations. Small firms are displacing—on a one-for-one basis—on-premises applications with lower-cost cloud computing alternatives to achieve the operating and capital expense reductions being sought.

Unfortunately, many small firms are not implementing the significant actions that help manage the risks of cloud computing. Among larger organizations, only about half of all cloud applications are new, which is consistent with benefits besides cost reductions being a primary objective. Also among larger entities, the risks of cloud computing are better managed, with about twice as many experiencing much lower risk compared with the industry average. The difference: more large firms are implementing the significant actions that make a difference in managing the risks of cloud computing.

Significant actions to manage value and risk

Larger firms and the firms with the best performance outcomes are doing things very differently to drive more value and lower risk from the use of cloud computing. These actions include:

  • Involving key stakeholders throughout the organization
  • Not ignoring or discounting the risks involved
  • Not attempting to cover the risks via insurance contracts
  • Not attempting to wish away risks on the backs of cloud providers
  • Establishing organizational controls and policies about cloud use and contracts
  • Having IT manage the cloud providers
  • Involving internal audit, information security and legal counsel in managing the risks
  • Implementing more controls
  • Spending more on information security
  • Assessing and reporting on controls and risks weekly

Related research (from ITPCG, ISACA and ENISA) and the experience of others will help you cut through the fog and make better-informed decisions to drive more value and minimize risk from cloud computing. I look forward to hearing about your experiences with cloud computing in the comments below!

Jim Hurley

Managing Director, IT Policy Compliance Group

Chair, ISACA IT GRC Conference

Category: Cloud Computing
Published: 9/8/2011 8:41 AM


PS Prep Certification is an outcome of US legislation enacted to increase the preparedness of the private sector. It is a partnership between the US Department of Homeland Security (DHS), the US Federal Emergency Management Agency (FEMA) and the private sector, and enables private entities to receive emergency preparedness certification from a DHS accreditation system created in coordination with the private sector.

On 2 August 2007, Public Law 110-53 was enacted and documented in a report titled Implementing Recommendations of the 9/11 Commission 2007 Act—Comprehensive Summary of Public Law 110-53. Title IX of this law focuses on Private Sector Preparedness (PS Prep) and identifies a program for encouraging private sector organizations to voluntarily participate in being certified under PS Prep to demonstrate that they are prepared to manage risks and have increased the resiliency of the organization. With more than 80 percent of the US critical infrastructure owned and controlled by the private sector, this law is vital to ensuring that the private sector is prepared to provide its goods and services under all conditions.

Under Title IX, the Administrator and the Assistant Secretary for Infrastructure Protection were assigned to develop recommendations to foster action by the private sector to increase its resilience. Section 524 assigned the development of the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS Prep) to the American National Accreditation Board (ANAB).

What are the standards for PS Prep?
In June 2010, three standards were identified and accepted for compliance:

  1. ASIS SPC.1-2009—Organizational Resilience: Security Preparedness, and Continuity Management Systems—Requirements With Guidance for Use
  2. British Standard 25999-2:2007—Business Continuity Management
  3. National Fire Protection Association 1600-2010—Standard on Disaster/Emergency Management and Business Continuity Programs

PS Prep will raise the level of private-sector preparedness through a number of means, including:

  1. Establishing a system for DHS to adopt private-sector preparedness standards
  2. Encouraging creation of those standards
  3. Developing a method for a private-sector entity to obtain a certification of conformity with a particular DHS-adopted private sector standard, and encouraging such certification
  4. Making preparedness standards adopted by DHS more widely available

How do organizations become certified?

According to Title IX, small businesses (the criteria for what constitutes a small business under the law have yet to be determined) are allowed to use a first-party self-declaration of conformity to one or more of the standards. All other organizations are required to use third-party certification by an ANAB-accredited certifying body. The certifying bodies must have completed rigorous training to ensure that they are competent to conduct the certifying audits.

How can auditors help organizations prepare?

Before an organization applies for third-party certification from an ANAB-approved certifying body, it must be ready. Internal auditors and consultants need to understand what the third-party auditors will require for PS Prep Certification and should also have a solid understanding of the business continuity management system and the required standards.

The first decision that needs to be made is to which standard or standards the organization should be certified. To answer this question, it is important to review each of the three standards to determine which one is best aligned to the program already in place.

Auditors who wish to prepare organizations for PS Prep Certification should consider completing a training course. There are several options in the marketplace, offered by such organizations as ASIS International, the Business Continuity Institute, DRI International and the International Consortium for Organizational Resilience (ICOR), which offers a Business Continuity Management System Auditor credential.

 

Lynnda Nelson

President, The International Consortium for Organizational Resilience

Lynnda@theicor.org

Category: Certification
Published: 5/5/2011 8:15 AM


With a little help from my friends

Posted February 8, 2013

Tal Yampolsky

I recently came across a notice that an Israeli-based immigration agency had published an Internet vilification on their customer-directed wall. The agency listed all the materials they possessed in an effort to show that this attack was triggered by a competitive agency. Their evidence included court protocols, apology letters and an interview that their spokesman had given, explaining how they had managed to obtain the IP addresses of the users who had placed the messages online.

As he explained, this process was easier than they had expected, due to their personal relationship with the forum moderators. From a legal standpoint, the accused did not make any effort to prove that the IP addresses were obtained illegally (Privacy Protection Act 1981, Section 32 “Exclusion of Evidence”). But, from a privacy-threat standpoint, this exemplifies the responsibility that rests on the shoulders of all organizations.

Imagine this scenario…

Interviewer: How did you find out against whom you needed to file a lawsuit?
Spokesman: All we had to do was approach the forum moderators, ask for the IP addresses and go to court with these details. The court ordered the internet service provider to identify the actual individuals.

Interviewer: Did they easily give you the IP addresses of those users?
Spokesman: We had been working with these moderators for a long time—they gave us the IP addresses hassle-free.

According to the Israeli Privacy Protection Act 1981, Section 32 “Exclusion of Evidence,” evidence obtained by compromising individuals’ privacy may be excluded. However, the respondents did not mention their privacy had been compromised and they did not interrogate the parties about the way they had acquired the IP addresses. Therefore, the court ordered the internet service provider to provide the identities and the case was settled—with a huge fine, apology letters and the guilty party having to relocate their office to another building.

They probably got what they deserved, but the primary concerns remain—lack of sufficient organizational controls and measures that protect personally identifiable information (PII). With one friend working as a discussion-board moderator and one friend part of the technical-support staff at an internet service provider, one can practically expose anyone who is discussing personal issues and use the information against that person.

In Israel, it is very likely that one will have friends working for both web-based companies and internet service providers, as well as people working in financial institutions, in the healthcare industry or in the defense sector. Considering the small population here and the fact that most citizens have served in the (relatively small) army, and analyzing other social/cultural aspects such as sociability, the threat of compromised privacy by exploiting cross-organizational vulnerabilities is relatively high.

Organizations should be sensitive not only to the information they store, but also to the information they share internally. In extra-sensitive organizations (internet service providers, healthcare organizations, financial institutions) the controls for access to customer information should be comprehensive. I believe that automated controls are inevitable, but that is a discussion for another time.  

Here, I will just remind Internet users that we all leave digital trails that can be easily exposed, unless we are using anonymizers. I remind organizations that there is always a data leakage risk due to threat from the inside. To governments and regulation agencies, I note that cross-organizational information security vulnerabilities sometimes are easier to exploit than regular internal organization vulnerabilities.

And to those perpetrating attacks, please remember that you do not need to social engineer just to be social.

Tal Yampolsky, CISA (@pingtal)
Entrepreneur, technologist, auditor
Member of ISACA’s Communities Committee

Continue the conversation…engage with your peers in the Privacy/Data Protection community in ISACA’s Knowledge Center.

Category: Privacy
Published: 2/8/2013 1:33 PM


Derek Duval

We are all familiar with the job-change process, either as a candidate or a hiring manager. Most companies still use traditional methods of creating candidate pools. The position is posted on the organization’s career site and on job boards. The human-resources department sources potential candidates, searches job boards and scours LinkedIn for “passive candidates.” Current team members are asked if they know anyone to recommend.

This system is well tested, and although it “works,” I believe it is error-prone, resulting in hiring mistakes that have their origins early on in the candidate-identification process. This approach exposes hiring managers primarily to prospects who are on the market, but not necessarily to the best candidates who are in the market.

So how do you create a stronger pool of candidates? My clients who are successful in this regard depend more on their own efforts—not only the talent-hunting abilities of their HR departments—to attract candidates. They attend relevant professional association and industry-related events and engage in active networking. They motivate current team members to produce referrals, often using an incentive system. They are always recruiting proactively even when they do not have openings to fill, so they are always a step ahead when positions become available.

Many enterprises that are successful in hiring participate actively in LinkedIn, making connections, joining groups, and engaging in discussions that lead them to the best candidates in the field. Although this rarely produces immediate results, LinkedIn is a wonderful tool in this regard because it enables constant proactive recruiting.

Once you have a robust candidate pool, of course, selecting the right candidate becomes easier. But there are pitfalls in the interview process as well.

It is often too one-sided, with companies not meeting candidates halfway. The recession is over, employers…you have to do equal amounts selling and screening to attract the strongest IT audit, risk, security, compliance and governance candidates.

Another holdover from the recession is that some employers still think they can take ample time in making a selection, and that if one candidate falls through, there will always be another equally attractive one out there. Now that the market has really heated up again, if the process is too slow, candidates can lose interest or accept different positions in the interim. Candidates at the coveted “senior” level commonly receive multiple offers in the current market.

There can also be too many and/or the wrong people involved in the selection process, and in many cases those conducting the interviews have no interview training. They ask questions based only on candidates’ resumes, when instead there should be a well-thought-out selection strategy including a variety of behavioral interview questions and case-study scenarios that go beyond ascertaining fundamentals and delve further into how candidates think, communicate and adapt to change.

Well-thought-out interview questions can also give more insight into candidates’ values, a critical and often-overlooked component to hiring someone who will not only address an immediate need, but who will be a successful long-term fit and will grow with your organization.

Finding and retaining the right talent is an ever-evolving challenge, and my clients who are most successful are engaging in constant, proactive recruiting. It takes more time, but investing the effort to optimize your most crucial resource—people—is well worth it.

Derek Duval

Owner, Duval Search Associates

Continue the conversation…engage with your peers in the Career Management topic in ISACA’s Knowledge Center.

Category: Audit-Assurance
Published: 2/4/2013 1:08 PM


10 privacy resolutions for 2013

Posted January 28, 2013

With the rise of big data come big challenges, including how to deal with increasingly challenging privacy issues. To help protect information, which has become the currency of the 21st century, here are 10 resolutions for your enterprise to adopt in 2013:

  1. Assign someone to be responsible for your privacy issues. Appoint a chief privacy officer or, at minimum, designate someone as the person responsible for privacy in your organization.
  2. Know what personally identifiable information your organization collects and retains about your customers and employees. Take a data inventory so you know where the information is stored.
  3. Ensure that your privacy policies are clearly written and enforceable. They should address issues related to the collection, use, disclosure, retention and disposal of personally identifiable information. Do you do what your privacy policy says that you do?
  4. Disclose personally identifiable information to third parties only for the reasons stated in your privacy notice. Be sure to have the implicit or explicit consent of the individual.
  5. Create a privacy-friendly environment. Make sure your employees understand why it is important to protect personally identifiable information and the risk to the organization if they don’t.
  6. Address all privacy-related laws and regulations that apply to your business. Even if you do not have a physical presence in a state or country, you may be subject to its privacy regulations. Know where your customers are located.
  7. Train your employees to protect the privacy of personally identifiable information. Implement a privacy training program for all employees that includes information sessions, posters, emails, etc., on the importance of keeping personally identifiable information secure, both in and out of the office.
  8. Provide a process for individuals to make complaints. Give customers an online form or email address for communicating their privacy problems or concerns. If problems arise, deal with them efficiently and effectively.
  9. Create an incident response plan. Privacy breaches can occur despite your best attempts at prevention. Creation of an incident-response plan enables you to respond promptly.
  10. Consider having a privacy audit performed by an outside trusted entity. Hire someone knowledgeable in privacy, such as someone who holds the Certified Information Systems Auditor (CISA) credential.

ISACA, a nonprofit association of more than 100,000 IT assurance, risk, security and governance professionals, offers a number of resources to help your enterprise govern and manage its information. From the COBIT 5 framework to the Privacy/Data Protection community in ISACA’s Knowledge Center, these tools will help your enterprise ensure trust in—and gain value from—your information and systems.

I encourage you to use those tools to help you adopt—and stick to—these resolutions. Make 2013 the year of privacy in your enterprise.

Yves Le Roux, CISM, CISSP

Member, ISACA Guidance and Practices Committee

Continue the conversation… engage with your peers in the Privacy/Data Protection community in ISACA’s Knowledge Center.

Note: This post was reprinted with permission from the National Cyber Security Alliance, the creators of Data Privacy Day. ISACA, a champion of Data Privacy Day, has created a new Privacy Advisory Task Force.

Category: Privacy
Published: 1/28/2013 1:05 PM
