Auditing Data Privacy Can Bring Major Value to Organizations
As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.
Highly publicized data breaches have heightened corporations’ concerns around their abilities to successfully meet this task. The concern is well-founded as the consequences of a data breach extend beyond reputational loss to include regulatory consequences as well as the possibility of class action legal action.
In this landscape, an audit of data privacy is a prime assessment for IT auditors to showcase the value that they bring to their organizations. This opportunity stems from data privacy relating to all areas for which organizations rely on IT auditors for expertise: providing assurance over information systems, ensuring that compliance expectations are met, and consulting on changing and emerging technologies.
In performing an audit of data privacy, including the following areas in the IT audit program is beneficial:
Data governance and classification
The primary objective of this portion of the audit is to confirm that the organization has identified and classified its data. The IT auditor’s assessment of data classification assures the organization that controls are commensurate with the sensitivity of the data. If a control requires significant resources (either in time or expense), the results of this assessment could allow management to make informed decisions on where to reduce costs or gain efficiency. Similarly, efficiency gains can be made when roles and responsibilities for the people involved in the organization’s management of Data Governance for Privacy, Confidentiality, and Compliance (DGPC) for the enterprise have been clearly defined. Well-defined roles mitigate the potential for responsibilities to be duplicated, which results in inefficiency.
Data security
Two of the essential areas addressed under data security are data loss prevention and authentication/credentialing. Data security concerns often arise from the same new technologies that fuel innovation, as discussed earlier. For example, as an organization explores and implements tools that enhance communication and collaboration (instant messaging, removable media and, yes, email), data sharing by those who should have access to the data is enhanced. On the other side, the intentional or unintentional ways that data can leave the organization (data leakage) have also increased.
Data leakage can also occur if weaknesses in the organization’s authentication and credentialing processes do not adequately limit access to data. However, the IT auditor’s assessment of the controls and vulnerabilities in both of these areas (authentication/credentialing and the organization’s data loss prevention program) adds a layer of defense to avert data breaches.
Third-party contracts
As organizations partner with vendors for data storage and other needs, ensuring the vendor’s ability to protect the data is paramount. But before an organization can conclude one way or the other in that regard, there must be clarity around what data the organization holds and the level of protection that data requires. During its data privacy audit, the IT auditor can contribute to the success of the organization’s data management partnership by reviewing an inventory of the data and its locations; this may not be information the organization understood well before engaging a third-party provider.
In conclusion, a data privacy audit may appear to be just another instance where the IT auditor wears the hats of assurance, compliance and consulting. Looking deeper, however, a data privacy audit presents an opportunity to contribute to achieving organizational objectives. The likelihood is strong that organizations will continue to look to manage costs and efficiency, to balance implementation of innovative technologies with mitigating the risk of data breaches, and to engage the services of third parties for data management. Given that, a conscious effort by the IT audit team to connect its data privacy audit to these organizational objectives will reinforce the value that IT audit brings to the organization.
Editor’s note: For further guidance on this topic, download ISACA’s data privacy audit program.
Robin Lyons, Technical Research Manager, ISACA
[ISACA Now Blog]
Build a Small Business with GEIT and Security in Mind
Small businesses or start-ups serve as the beginning point for many who are seeking to navigate the complexities of modern enterprise. One of the things that may be overlooked at the beginning is the implication of IT governance and security for an enterprise’s future health. Regardless of the sector, both factors have important roles to play in continued success. Below are some standard considerations for both areas.
General security perspectives needing consideration:
- What industry/market sector is being entered? It helps to understand the product/service to be developed.
- What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
- What are the risks? Understanding existing constraints and future possibilities provides essential context.
- What is the overall strategy and security strategy? Understand and build the risk appetite at the start.
General IT perspectives needing consideration:
- What existing technologies can we leverage at this time? Cloud, small in-house data centers and outsourcing options are all considerations.
- What type of information is needed from customers? Basic information for mailing lists, personally identifiable information (PII) and/or payment information may be needed.
- How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
- How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.
There is a certain excitement for an entrepreneur entering the market: the joys of prospects unknown and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things may be overlooked in order to get the business off the ground. This can result in problems down the road, such as regulatory fines, data breaches and compliance issues, to name a few.
The alignment of the entrepreneurial vision, security and IT can provide a strong foundation to build out the enterprise. GEIT principles can be helpful in the smallest of enterprises since they can be tailored as business expands and provide the necessary checks and balances to mitigate risk. A little time at the start can be helpful in the long run to face the digital disruption roller coaster of the future.
Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT
[ISACA Now Blog]
Continuing the Conversation: More Secure Cloud
Recently, the (ISC)² ThinkTank tackled the cloud. The webinar, “Security Practices for a More Secure Cloud,” featured panelists Kurt Hagerman, CISO of Armor, Raj Goel, CTO of Brainlink, and Keith Young, Info Security Officer of Montgomery County.
Thank you to our panelists for sharing their expertise – let’s continue the conversation, shall we?
Since cloud is becoming a hot commodity these days, how can a cloud provider assure would-be customers that data is 100% secured day in and day out? I guess there can never be a guarantee. In line with this, how can a cloud provider show that all measures are taken to keep data secure?
Kurt Hagerman, CISO, Armor Defense:
No cloud provider can guarantee 100% security of your data. They can only provide assurance to the extent of the security controls they manage, and even then, only to the extent the tools they use are able to detect or prevent malicious activity. Remember that there is no such thing as “perfect security,” so there is no way to be 100% assured that your data is secure. The best assurance you can get from your cloud vendor would be their annual audit attestations, such as their PCI Attestation of Compliance or SSAE 16 SOC 2 Type II report.
A key point in today’s discussion was education. Can you identify where to get training to understand the cloud and security-related items that need to be addressed?
Keith Young, Info Security Officer, Montgomery County, MD:
There are several well-known cloud security training and certification programs available. Below is a list of some of the more popular programs available. Note that I do not endorse or recommend any specific program:
In addition, technical training programs for specific vendor clouds (Amazon, Google, Microsoft, etc.) are available from the vendors and third parties.
How does privacy fit into this shared responsibility? Almost all things are governed by the contract itself, but privacy has a lot of regulations around it. How do you deal with a situation where the contract contradicts a regulatory requirement?
Raj Goel, CTO, Brainlink:
In almost all cases, safeguarding customer/client data is the responsibility of the entity the consumer does business with – e.g., you or your firm, and not the backend cloud providers.
I would read the appropriate privacy rules & regs, and review the cloud vendor EULAs, TOS, contracts and their history. Some vendors have great-sounding policies, but in practice have a poor security track record, whereas others are quite competent at it.
Most importantly, I would ensure that my team, staff, developers, etc. are using approved, secure practices. A cloud vendor’s agreements are worthless if your developers leave their databases unsecured (see Mexican voters leak, GOP voter database leak, MongoDB defaults) or if your developers leave their private keys in the code, in configuration files or on GitHub.
At least in the US, regulators hold the data custodian (e.g. you or your firm) and not their backend providers liable for data breaches. And as history has shown, a majority of the time (somewhere between 80-99%), the breach occurs due to internal insecure practices, organizational inertia or bad design.
This is NOT to suggest that cloud vendors are off the hook – I would be leery of jumping on the latest fad, or trusting new, young startups with my most sensitive data. I prefer to work with established vendors who have worked with larger companies, have teams of information security professionals and lawyers who are well versed in compliance.
For more on cloud security, register for (ISC)² Security Congress in Austin, Texas this September. Cloud Security is one of 11 tracks at the annual conference.
[(ISC)² Blog]
Embracing Diversity in Cybersecurity – Key Takeaways From Palo Alto Networks Ignite Diversity Panel
Palo Alto Networks hosted its first-ever diversity panel session at Ignite, our annual end user conference, held this year in Vancouver, Canada. The session, “Embracing Diversity: The Catalyst to Effectively Solve Today’s Toughest Cyber Challenges,” was co-chaired by Carly Chaikin of the popular USA Network cybersecurity TV series “Mr. Robot” and our own Rick Howard, CSO at Palo Alto Networks. The panel was focused on discussing ways to encourage diversity in the field of cybersecurity as a means to protect today’s computing environments, including why different skillsets and cultural perspectives are instrumental in fostering innovation in the space.
Panelists included cybersecurity leaders from different career backgrounds, genders and ethnicities. With speakers from academia, government and industry, the audience heard a range of perspectives on cybersecurity as a career and ways to increase diversity in the field. Our speakers included Suzie Smibert, CISO at Finning International; Christina Ayiotis, co-chair of the advisory board at Georgetown Cybersecurity Law Institute; Teri Takai, former CIO at the U.S. Department of Defense and state of California; Lieutenant General Rhett Hernandez, former Commander of the U.S. Army Cyber Command; and Rinki Sethi, senior director of information security, Palo Alto Networks, U.S.
As a member of the organizing committee for the panel, I had been a little worried that only women would show up to the session, even though men also have an important role to play in increasing diversity in gender, perspectives and backgrounds in the field. However, it was amazing to see the high turnout of male attendees at the session and how much they cared about the diversity challenge in cybersecurity. The event allowed both women and men to share their insights and feelings on the subject. My colleagues and I go to many cybersecurity conferences around the world, and almost always, over 90 percent of the audience and speakers at these events are men. It is rare to see female speakers.
According to the Women’s Society of Cyberjutsu, only 11 percent of the information security workforce is women. About 50 percent of IT users are women, so why not increase the ratio of women in cybersecurity to prevent successful cyberattacks and protect the digital age in which we live? It’s clear we need to bring more women into cybersecurity.
It was a full house in the panel room, and the vibe was electric. I sincerely hope that everyone who participated in the event felt inspired to join or stay in the cybersecurity field, or to encourage their colleagues, mentees, daughters and sons to be part of this exciting area. Every panelist emphasized the importance of having the courage to withstand potential judgment of their background or gender, and to bring their unique perspectives to their workplace. Even if some people may judge your past, not your prospects, you have to be brave enough to break away from that negativity, stay true to yourself and shatter the glass ceiling.
This should not discourage you from having a mentor or mentors who can challenge and help you grow professionally. Cybersecurity covers a wide variety of areas of expertise, such as artificial intelligence, business management and strategy, coding, endpoints, legal, networking, government policy, reverse engineering, and threat intelligence, just to name a few. Nobody knows everything about cybersecurity, and this field requires teamwork and collaboration. For this reason, the flexibility to accept different ideas and perspectives is indispensable.
Toward the end of the session, an attendee asked the speakers for career advice. She shared how she felt intimidated and unsure if she was “good enough” to get a new position she was aspiring to have. She’s not alone: A lot of people relate to her in this competitive market. To this courageous question, one panelist encouraged her to avoid using diminishing descriptions about herself and her skillset, and to stand and speak with confidence. This is just the first step to becoming more confident in the workplace and making changes in her professional life.
Cybersecurity is evolving quickly. Those in the field need to be competitive and open to new perspectives to stay up to date on the latest cyberthreats and technology. As Japanese mathematician Dr. Masahiko Fujiwara pointed out in his essay, “Gakumon wo kokorozasu hito he – Hanna heno tegami [To those who want to be in academia – my letter to Hanna],” those who want to be academics need to develop certain characteristics: be intellectually curious, be ambitious, and stay persistent and optimistic, even when things are difficult and you want to give up your goal. This also applies to cybersecurity professionals. If you can keep pushing the envelope for years, you can be anything – a C-suite executive, a general or a top-notch researcher – and pave the way for the next generation of upcoming cybersecurity talent.
Over the last few months, I’ve had the pleasure of speaking with four young women from different backgrounds and nationalities, from an undergraduate student to a mid-career professional. They are passionate about studying technology and policy and finding a job that bridges the gap between the two communities, which have their own unique cultures and languages. Witnessing their intellectual curiosity and ambition during our phone calls and face-to-face meetings made me smile. Many more women around the world are also enthusiastic about cybersecurity, which provides hope for the field as well as for increasing diversity in cybersecurity globally. They are our future.
The diversity panel occurred at the perfect time: right after the Ignite General Session, when Palo Alto Networks President Mark Anderson announced the new partnership between Palo Alto Networks and the Girl Scouts to deliver the first-ever national Girl Scout Cybersecurity badges for girls in grades K–12. This will allow us to work with girls across the U.S. and teach them about the cyberthreat landscape and best practices, as well as provide mentorship for young girls interested in cybersecurity.
I look forward to staying in touch with the diversity panel speakers and participants, and to working with the Girl Scouts to bring new, diversified talents and insights to cybersecurity.
[Palo Alto Networks Research Center]