Assessing Control Effectiveness — An Essential Part of Every Risk Assessment

Control effectiveness is measured by looking at the maturity of the process. Most people agree that mature processes are documented, but why? Transferring knowledge from the human brain requires conversion from tacit knowledge to explicit knowledge, so that it can be shared, reviewed, updated and tested. Think about it. If we relied on tacit knowledge all the time, there is a good chance that the outcomes would be different every time the process was executed, unless the people executing it had a plan to follow, which is where explicit knowledge comes into play. Quality management requires that we integrate feedback loops to push a process even higher in maturity. Continuously monitoring and making adjustments to perfect the process can only be achieved with explicit knowledge.

Building the perfect control to mitigate risk is one thing, but making sure that it gets implemented, monitored and maintained adequately, so that it is functioning 100 percent, is yet another. This requires the assessment of competence for those employees or contractors who have been assigned the responsibility to get the job done! I like to leverage my knowledge as a teacher using Bloom’s Taxonomy. I create at least six basic questions to determine how much the employee knows. For example, I recently created a one-page assessment for CyberSecurity Leader.

We have evaluated the control for maturity and assessed the competence of the administrator. Now we need to verify and validate that the control is functioning as planned. There are similar approaches that work, from using quality assurance techniques to penetration testing. This part should be looked at every time changes occur that touch the control in any way. We need a solid baseline for assessing control effectiveness, and to accomplish that, I like to integrate the use of design qualification (DQ), installation qualification (IQ), operational qualification (OQ) and performance qualification (PQ).

Based on my experience, the most secure systems are those that establish and maintain absolute control over the environment. I often joke with senior management about my number-one rule, “No surprises!” Quality management is deep in knowledge about establishing control and assessing process, so it is only logical that we would assimilate this knowledge into information security.

DQ is the architecture, or specifications, used to build a service or product. Any changes must be strictly controlled; so, while DQ sets out the design, IQ defines the specifications, or standard operating procedures, for installing a new piece of software or hardware. Control design is a related topic that would allow you to map where this control applies within the risk universe as it mitigates risk to a specific asset that is used to deliver a service or product. OQ documents the configuration specifications that could be recorded in the configuration management database used by ITIL and ISO 20000. Once everything has been documented and procedures have been followed, the PQs are reviewed. What were the expected response times? How can we optimize them to meet customer expectations?

Whoever gets the job of reviewing control effectiveness should be looking at three key elements—maturity, competence and testing—to verify and validate that what we said we would do has actually been achieved. The importance of assessing control effectiveness during regular audits is obvious. The assessment of control effectiveness during risk assessment, as part of the risk management and governance process, is absolutely crucial to provide all the facts to management, quantified in a meaningful way.

I have seen plenty of external audits that have gone in a direction where hundreds of thousands of dollars, and sometimes millions, are spent on new controls that may not have been necessary if the current investment in security had been better quantified and managed. This is an evidence-based approach that can easily be shared, reviewed and scrutinized. Too much control could negatively impact the business model, organizational culture, agility or time to market, and resilience by creating more complexity that is expensive to maintain and difficult to replicate in emergency situations.

Mark E.S. Bernard, CISA, CISM, CGEIT, CRISC, CISSP, ISO 27001 Lead Auditor

[Source: ISACA]

European Initiatives For a More Secure Cyber World

Europe is poised to tackle cybersecurity headfirst with initiatives that are growing in strength and support. In 2013, the Cybersecurity Strategy for the European Union and the Commission Proposal for a Directive on Network and Information Security presented legal measures and provided incentives aimed at increasing the security of Europe’s online environment. These efforts are supported by the European Network and Information Security Agency (ENISA), as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU).

As part of ISACA’s holistic Cybersecurity Nexus (CSX), ISACA is addressing the need for cybersecurity guidance in Europe by releasing the European Cybersecurity Implementation Series of white papers and an audit program, which includes:

  • European Cybersecurity Implementation: Overview
  • European Cybersecurity Implementation: Risk
  • European Cybersecurity Implementation: Resilience
  • European Cybersecurity Implementation: Assurance
  • European Cybersecurity Audit/Assurance Program

The white papers address cybersecurity in the context of European Union (EU) laws, regulations and best practice, with a focus on using the COBIT 5 framework and related materials. They provide practical implementation guidance that is aligned with ENISA, European requirements and good practices.

The overview outlines how cybersecurity is discussed and directed in the European context, including institutions, organisations and recognized best practices. In some aspects, this is different from what might be expected in a U.S. setting or other geographies, given that there are 28 EU member states and several associated countries. As a result, there are EU level cybersecurity recommendations as well as national strategies, laws and regulations to be taken into account. This overview paper is designed to provide orientation and set the scene for more detailed aspects discussed in the risk, resilience and assurance papers.

Cybersecurity creates a multitude of new risks, many of which are part of the cultural, social and technical context of security. The risk paper in the series therefore addresses typical European perspectives on cybersecurity risk, including those that may be unique to one or more countries within the Union. In line with the COBIT 5 lens concept, the risk paper further provides a drill-down on using the available COBIT 5 cybersecurity materials in a targeted manner.

Resilience is one of the primary, but often neglected, aspects of cybersecurity. In Europe, resilience thinking is an important element of cybersecurity, both in the business and in the technical sense. The resilience paper within the cybersecurity series addresses the European view on creating, maintaining and improving resilience through various steps of a life cycle. It also covers European and national laws, regulations and best practices in creating cybersecurity resilience.

With the advent of a directional and declared EU cybersecurity strategy and digital agenda, many cybersecurity initiatives are beginning to produce results, often set down as legal, regulatory or industry requirements. In terms of cybersecurity governance and management, it is important to provide robust assurance over cybersecurity arrangements, including auditable evidence and processes. The assurance paper within the cybersecurity series offers insights on how to set up, maintain and uphold the requisite level of assurance in the EU and associated countries. The paper makes use of tried and tested COBIT 5 concepts and the underlying control universe and applies these to the EU landscape.

The ISACA European Cybersecurity Implementation Series is a living set of documents. In the near future, additional helpful tools will be released. These include a matching and mapping tabular paper for quick reference purposes throughout the 28 member states, as well as so-called country files providing subject matter expert advice on cybersecurity details in many European countries.

Rolf von Roessing, CISA, CISM, CGEIT
President, Forfa AG
Past International Vice President, ISACA

He will discuss “Responding to Cyberattacks” and “COBIT 5 for Security” at ISACA’s 2014 EuroCACS/ISRM Conference taking place 28 September – 1 October in Barcelona, Spain. For more information about the conference and to register, visit www.isaca.org/eucacs-isrm2014.

[Source: ISACA]

Sony, XBox Victims Of DDoS, Hacktivist Threats

Hacktivists from Anonymous and from a presumed Islamic extremist group targeted a variety of online gaming services.

Services are up and running again after a denial of service took down Sony’s PlayStation Network for much of Sunday, coinciding with a bomb threat on American Airlines flight 362, which carried John Smedley, president of Sony Online Entertainment. The threats caused the airline to divert the flight.

Other online gaming services — including Microsoft’s XBox Live, Eve Online, and the services that host World of Warcraft and Diablo III — also experienced disruptions. The culprits seem to be hacktivists, but just which hacktivists is unclear, because several are trying to take credit for the attack, citing different motives.

One group, Lizard Squad, took credit for the attacks and presented two motives on Twitter. One tweet Sunday morning said that Sony “aren’t spending the waves of cash they obtain on their customers’ PSN service. End the greed.” A subsequent tweet stated, “Kuffar [non-believers] don’t get to play videogames until bombing of the ISIL [Islamic State of Iraq and the Levant] stops.” The account made many references to the Islamic extremist group ISIS.

On Sunday afternoon, Lizard Squad also tweeted the cryptic message “.@AmericanAir We have been receiving reports that @j_smedley’s plane #362 from DFW to SAN has explosives on-board, please look into this.”

The group tweeted at Smedley with the hashtag #PrayForFlight362 and a video from 2001 of a plane crashing into the World Trade Center.

On a separate account, a hacker associated with Anonymous claimed responsibility for the attack, showing screen shots to prove the work and stating that the attack was launched to highlight vulnerabilities in the PlayStation Network.

Microsoft confirmed that some customers were experiencing disruptions. However, it seems that Lizard Squad found that Microsoft’s XBox Live network was sturdier than Sony’s. The group tweeted Monday, “Microsoft props to you for giving us a challenge, good work. Sony, smh [shaking my head].”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: DarkReading]

What Will Ease Healthcare’s Heartburn Over ‘Heartbleed’?

One of the latest breaches to hit the news took place at Community Health Systems (CHS), affecting an estimated 4.5 million patients. According to principal security consultant and founder of TrustedSec, David Kennedy, the initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability that led to the compromise of the information.

What is especially noteworthy about this particular attack is its impact on the healthcare community. Major data breaches such as the one at Target last year put the spotlight on how retailers need to do a better job at guarding our sensitive financial information from cyber criminals. However, a May 2014 study by BitSight Technologies rated healthcare and pharmaceutical companies even worse than retailers in terms of security performance.

BitSight compared the performance of finance, utilities, retail, and healthcare groups within the S&P 500 from April 2013 through March 2014. Overall, healthcare companies scored lowest, at about 660 on a scale of 250 to 900. Not only did the healthcare sector have the most security problems, but companies also took the longest to fix the problems—on average 5.3 days, according to the report.

The importance of a strong vulnerability management and patching program is well documented but, as with all 0-day vulnerabilities, there is a period of time in which a patch is not available to fix the problem. So, what could CHS have done differently in this case?

As this rapidly evolving industry faces increasing challenges to keep personal health information protected, there is a need to ensure that knowledgeable security and privacy practitioners are in place to protect this sensitive information. Without knowing the specifics of the information security program in place at CHS, it is hard to come up with short and/or long term recommendations. However, I believe it is safe to assume that CHS could have used more “eyes on target” during that critical time block from when the “heartbleed” vulnerability was initially discovered and reported to when a patch was available for rollout. Thus, to help address the short term need, it is critical for all companies to analyze their current monitoring and detection programs and make sure the right people, processes, and tools are in place.

Longer term, we need to come up with a better way to quickly determine the cyber posture of an organization – and not just those from the healthcare sector. Through the use of a scoring method, the BitSight study provided an efficient and effective approach to help compare organizations against one another – similar to how a business runs credit checks before consumers can open a banking account, take out a car or home loan, or even get a job. While this method would require the creation of standards and additional work to implement, it’s an idea worth considering.

[Source: (ISC)² Blog]

Foote Partners: 2014’s Hottest IT Certifications

IT certifications and premium pay

With more than half of 2014 behind us, it’s that time of the year where we look at IT certifications standings in real world IT. The right certifications can help earn tech workers premium pay or land the job they’ve been aspiring to. That’s why knowing what is “hot” with employers is important when considering your professional development.

Every quarter Foote Partners compiles their data in the IT Skills Demand and Pay Trends Report, and they speak with over 2600 employers to bridge the disconnect between job titles, job content and compensation. Read on to find out where the heat is in regards to IT certifications, salaries, and employer needs.

Open Group

“Generally speaking, the market is responding to anything that has to do with architecture,” says David Foote, co-founder, chief analyst and research officer with Foote Partners. These items are in demand, and employers are willing to pay a premium for them. In fact, all three of these IT certifications made it into Foote Partners’ highest paying IT certifications. TOGAF9, for example, has increased 25 percent in the last 6 months.

Amazon Web Services

Amazon is the heavy in the cloud wars right now, and as a result, “skills pay” for these certifications are on the rise. AWS Certified Solutions Architect – Professional is another new entry to Foote Partners research, and already it’s made the highest paying IT certification list.

“These have just been added to our list. Amazon is hot right now. So many companies have adopted that [Amazon Cloud] solution,” says Foote.

VMware

VMware cloud certifications are all pretty hot right now. Premium pay for VCDX increased 28.6 percent in the last 12 months, while VCP-Cloud also saw a premium pay increase of 12.5 percent over the last year.

While there hasn’t been significant growth over the last year, recipients of the VCAP-CID certification are receiving 8-13 percent of base pay salary as a “skills pay” premium from employers.

Microsoft Certified Solutions Expert: Private Cloud

Microsoft has a lot of muscle in the certification arena, and it’s flexing it on a big push for Azure. Foote says this certification is something to consider should you find your organization migrating to Hyper-V.

“This certification is being elevated by the push they’re giving to Azure. There’s so much Microsoft out there, and they are migrating to Hyper-V,” says Foote.

PMI Agile Certified Practitioner (PMI-ACP)

The PMI-ACP tied for number three on the highest paying IT certifications. It’s currently receiving an 11 to 15 percent skills premium pay, and according to Foote’s predictions, that is likely to increase as demand for everything agile increases, not just agile project management. “We will introduce Certified Scrum Master next quarter, and that will be on our hot list for certain because it addresses the demand for agile skills,” says Foote.

Lean SixSigma

Another newcomer to the list of highest paying IT certifications, SixSigma is making its move, and it’s hot according to Foote, who says, “There is no standard certification body for Six Sigma, but instead many certification services are offered by various associations. But that doesn’t negate the fact that it’s a hot certification to have.”

Master BlackBelt grew 9.1 percent in value in the last 3 months, and the Black Belt gained 12.5 percent in the same period.

EC-Council Computer Hacking Forensic Investigator

It’s no secret as to why the next two certifications have made the list; security is on everyone’s mind these days with each day bringing another news story of a major data breach.

In fact, EC-Council’s Computer Hacking Forensic Investigator certification, a new entry to the highest paying IT certification list, gained an astounding 66.7 percent over the 12 months.

Certified Secure Software Lifecycle Professional (CSSLP)

In 2014, any talk of hot security certifications has to include CSSLP. In the last 3 months, it’s grown 17 percent, and in the last 12 months there has been a 40 percent growth in premium pay. It’s also tied for number two on Foote Partners’ highest paying IT certifications list.

Cloudera Certifications

The Professional: Data Scientist has only recently been included in Foote Partners’ research. In the time they have been tracking this cert, it’s hit the top of the highest paying IT certifications, coming in tied for number 5. “We just added this to our Skills Pay Index because people were asking for it. It includes a pretty tough lab/practicum where you have to really do the stuff, not simply complete a written test,” says Foote.

Number six on the list of highest paying certifications is Certified Developer for Apache Hadoop. Hadoop development and big data are both areas increasing in demand as organizations use them to simplify processes, decrease time to production, and gain a competitive advantage.

Cisco Certified Design Expert (CCDE)

Another data certification, the CCDE is hot according to Foote, but not according to the numbers. It hasn’t made any significant gains over the last 12 months, but there is a reason. The CCDE is hot, Foote says, “…specifically for companies moving network functions to virtualization, migrating to cloud, doing SDN, etc.”

Highest paying IT certification premiums

For those who are most interested in which IT certifications are paying the most with employers, here’s a comprehensive list. These certifications round out the top three. It’s also worth noting that CWNP, AWS Certified Solutions Architect – Professional, Cloudera Certified Professional: Data Scientist, EMC Data Science Associate, Certified Computer Examiner, EC-Council Computer Hacking Forensic Investigator, GIAC Certified Penetration Tester, and TOGAF 9 are all new to Foote Partners’ list of highest paying IT certifications for 2014.

[Source: InfoWorld]
