Traps “Can Can” Prevent RanRan Ransomware

A recent Unit 42 blog post breaks down the newly identified ransomware “RanRan,” targeting multiple Middle Eastern government organizations. Driven by what appear to be political motives, the RanRan attacker encrypts data until victims make a negative public statement against a particular political leader.

Prevention against ransomware, like RanRan, is possible with Palo Alto Networks Traps advanced endpoint protection. Traps prevents malicious executables with one-of-a-kind multi-method malware prevention, which provides multiple kill points throughout the attack lifecycle.

Reduce the Attack Surface

Traps has a number of features that allow admins to proactively reduce the attack surface, including execution restrictions and admin override policies. Restrictions can be set using rules for folders (such as temp directories), external media (such as USB drives), child processes and others. Admin override policies give admins granular control over which applications should or should not be allowed to execute.

Superior Threat Intelligence and Automated Prevention

In real time, Traps cross-references our WildFire threat intelligence cloud to determine whether the hash of the executable has already been identified as malicious elsewhere within the broader Palo Alto Networks community. If the file has been seen before and identified as safe, it proceeds to execute. If the file is identified as malicious, Traps instantly prevents it from executing.

Better Approach to Preventing Unknown Threats

If an executable is unknown, Traps uses local static analysis to determine whether it contains malicious characteristics. Rather than relying on signatures, this analysis looks for malware characteristics derived through machine learning. Should the executable contain malicious characteristics, Traps prevents it from executing.

Verdicts, benign or malicious, are fed back into the threat intelligence cloud so that any other endpoint that tries to execute this file is informed and protected instantly.
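To make the three stages above concrete, here is an added illustration of a layered execution-control pipeline: attack-surface restrictions first, then a hash reputation lookup, then local static analysis whose verdict is fed back into the reputation store. This is example code written for this page, not Palo Alto Networks' or Traps' code; the policy values (restricted folders, parent-process rule, admin overrides), the in-memory dictionary standing in for the threat-intelligence cloud, the entropy threshold and the two static characteristics checked are all assumptions, and the sample images are constructed, not real malware.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    path: str            # image path of the process being launched
    parent: str          # image name of the parent process
    on_removable: bool   # True when the path is on external media
    image: bytes         # file contents (constructed in the demo below)


# Stage 1: attack-surface restrictions (hypothetical policy values, not product defaults).
RESTRICTED_DIRS = ("/tmp/", "\\AppData\\Local\\Temp\\", "C:\\Users\\Public\\")
BLOCK_REMOVABLE_MEDIA = True
NO_EXEC_CHILDREN_OF = {"winword.exe", "excel.exe", "outlook.exe"}
ADMIN_OVERRIDE = {  # explicit allow/deny entries take precedence over the generic rules
    "C:\\Tools\\approved\\backup.exe": "allow",
    "C:\\Program Files\\LegacyApp\\updater.exe": "deny",
}


def restriction_verdict(ev):
    """Return ("allow"|"deny", reason) if a rule matches, else (None, reason)."""
    decision = ADMIN_OVERRIDE.get(ev.path)
    if decision:
        return decision, "admin override"
    parent = ev.parent.lower()
    if parent in NO_EXEC_CHILDREN_OF:
        return "deny", f"child-process rule ({parent})"
    if BLOCK_REMOVABLE_MEDIA and ev.on_removable:
        return "deny", "external-media rule"
    if any(d.lower() in ev.path.lower() for d in RESTRICTED_DIRS):
        return "deny", "folder rule"
    return None, "no restriction matched"


# Stage 2: hash reputation. A dict stands in for the shared threat-intelligence cloud.
REPUTATION = {}  # sha256 hex digest -> "benign" | "malicious"


# Stage 3: local static analysis. Two simple characteristics stand in for an ML model:
# a missing PE ("MZ") header and near-random byte entropy (typical of packed payloads).
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_verdict(image):
    if image[:2] != b"MZ":
        return "malicious", "not a PE image"
    ent = shannon_entropy(image)
    if ent > ENTROPY_THRESHOLD:
        return "malicious", f"packed/encrypted content (entropy {ent:.2f})"
    return "benign", f"no malicious characteristics (entropy {ent:.2f})"


def evaluate(ev):
    """Run the stages in order; return (outcome, deciding stage, reason)."""
    decision, reason = restriction_verdict(ev)
    if decision == "deny":
        return "blocked", "restriction", reason
    if decision == "allow":
        return "allowed", "restriction", reason
    digest = hashlib.sha256(ev.image).hexdigest()
    known = REPUTATION.get(digest)
    if known == "malicious":
        return "blocked", "reputation", "hash known malicious"
    if known == "benign":
        return "allowed", "reputation", "hash known benign"
    verdict, why = static_verdict(ev.image)
    REPUTATION[digest] = verdict  # feed the verdict back so the next endpoint gets a cached answer
    return ("blocked" if verdict == "malicious" else "allowed"), "static analysis", why


# Constructed samples (not real files): a low-entropy PE-like stub and a uniformly
# distributed byte blob whose entropy is close to the 8-bit maximum.
BENIGN_IMAGE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"This program cannot be run in DOS mode." * 8
PACKED_IMAGE = b"MZ" + bytes(range(256)) * 16


def demo():
    """Five launches showing each stage deciding, including the reputation feedback."""
    REPUTATION.clear()
    events = [
        ExecEvent("C:\\Users\\Public\\dropper.exe", "explorer.exe", False, BENIGN_IMAGE),
        ExecEvent("C:\\Users\\alice\\Downloads\\invoice.exe", "winword.exe", False, BENIGN_IMAGE),
        ExecEvent("C:\\Users\\alice\\Downloads\\tool.exe", "explorer.exe", False, BENIGN_IMAGE),
        ExecEvent("C:\\Users\\alice\\Downloads\\setup.exe", "explorer.exe", False, PACKED_IMAGE),
        ExecEvent("C:\\Users\\bob\\Downloads\\setup.exe", "explorer.exe", False, PACKED_IMAGE),
    ]
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev_result in demo():
        print(ev_result)
```

The order matters: cheap, deterministic policy rules run before any lookup, the reputation cache short-circuits work that another endpoint already did, and the static heuristic only runs on files nobody has seen before. The last two launches in `demo()` show the feedback loop, since the second endpoint to see the packed image is blocked by reputation rather than by re-running analysis.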


The Traps multi-method malware and exploit prevention enables protection against known, unknown and zero-day threats, including new ransomware such as RanRan.

Learn more about Traps advanced endpoint protection.  

Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

[Palo Alto Networks Research Center]

Palo Alto Networks Unit 42 Vulnerability Research March 2017 Disclosures

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered three code execution vulnerabilities affecting Adobe Flash (APSB17-07) that were addressed in Adobe’s monthly security update release:

  1. CVE-2017-2997: Tao Yan
  2. CVE-2017-2998: Tao Yan
  3. CVE-2017-2999: Tao Yan

For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities. Traps, Palo Alto Networks' advanced endpoint solution, can block memory-corruption-based exploits of this nature.

Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Google Android and other ecosystems. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing the information with the security community, we are removing weapons used by attackers to threaten users, and compromise enterprise, government, and service provider networks.


[Palo Alto Networks Research Center]

Connecting Business and IT Goals Through COBIT 5

Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.

This is critical because achieving enterprise goals is increasingly bound up with successfully managing and governing the enterprise's technology. COBIT 5 provides the framework needed to connect business goals with IT goals while using non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework's core principles and enablers, and ways in which enterprises can successfully leverage them.

“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”

The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.

Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:

  1. Evaluate the current and future use of IT;
  2. Direct implementation of plans and policies to ensure the use of IT meets business objectives;
  3. Monitor conformance to policies and performance against the plans.

COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.

“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding of the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”

Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”

Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.

[ISACA Now Blog]

Three Questions with Daymond John

Editor’s note: Daymond John, the FUBU clothing founder, Shark Tank reality TV judge and a self-made multimillionaire, will deliver the closing keynote address at ISACA’s North America CACS 2017 conference, which will take place 1-3 May in Las Vegas, Nevada, USA. John visited with ISACA Now about what innovation means to him, his approach to taking business risks and the Shark Tank experience. The following is an edited transcript:

ISACA Now: The word ‘innovative’ is thrown around a lot. What does that mean to you, and in what ways has that kind of mindset allowed you to achieve such a high level of success with FUBU and your other ventures?
Innovation is the process of creating something new, which oftentimes is just a newer version of something that already existed. For example, to me, Twitter was a note on a pigeon’s leg hundreds of years ago. It’s just a new form of delivery.

There’s a huge misconception about innovation, which is that it starts with some grand idea. The truth is that it typically begins with people collaborating and working together on ordinary ideas that transform into something innovative.

When I started FUBU, I didn’t put three sleeves on my T-shirts. I didn’t start trying to be “innovative.” I just did what I could with what I had, and the brand became more than what even I imagined it could be.

ISACA Now: What advice would you give somebody who has a business idea that he or she is excited about but is nervous about taking that entrepreneurial plunge?
Take affordable steps. You don’t need to take great leaps of faith. Again, start with whatever you can afford to lose.

The idea is not to get over your fear of taking a plunge – it’s not to take a plunge at all. Baby steps; that way, you don’t hurt yourself too much when you run into problems. That way, you can survive your mistakes and live to take another step.

ISACA Now: What has it been like to be involved with Shark Tank, and what aspects of the show do you think resonate most with viewers?
It has been a great learning experience for me. I learn as much from the entrepreneurs as they learn from me sometimes.

What resonates with people? I think the show illustrates that the American Dream is still achievable. It shows that ordinary people can do extraordinary things if they’re willing to act on their ideas.

[ISACA Now Blog]

Security and Compliance – A Relentless Battle

The overall objective for security controls is to support the organization’s services and infrastructure by identifying risks, improving the security level, and enabling rapid detection and response to security attacks.

It is also true that, in practice, no organization can deploy every security control against every cyberattack by itself. Consequently, many organizations now adopt a hybrid model for their security controls: on-site or locally deployed controls in the form of people, process and technology, combined with cloud-based security controls.

At the same time, risk, regulatory and compliance requirements drive the business value of highly regulated industries such as financial services and healthcare, so using a hybrid model for security controls in those industries has compliance implications. For highly regulated industries in particular, the multitude of risk, regulatory and compliance requirements, such as PCI DSS, SOX, HIPAA and many others related to privacy and sensitive data, keeps growing. That growth adds complexity, cost and operational overhead to the infrastructure, which is why cloud-driven security controls are a natural choice for many organizations seeking to address complexity, cost and operational issues. However, this also creates new challenges in remaining compliant with ever-increasing requirements.

Many compliance regulations contain specific requirements on processing personal information and on cloud compliance for sensitive data. Organizations are required to ensure that their security policies, controls and IT systems remain compliant with these requirements. Selecting an adequate cloud-based security control for specific data or applications is a challenge when personally identifiable information (PII) is involved. Organizations must assess whether PII needs to be part of the data processed in third-party cloud locations or data centers.

Furthermore, data may be stored and processed across different jurisdictions. It is important that while sharing data for security purposes, organizations remain compliant with pertinent laws. While choosing any particular cloud-based security control, organizations should be aware of related compliance requirements.

Organizations must also analyze technological aspects of particular compliance requirements – for example, how encryption/decryption will be performed inside or outside a particular jurisdiction, and where and how the data (alerts, logs) will be stored and handled. While decrypting traffic externally, who will have access to that decrypted data? More importantly, in the case of a breach or data leakage, how will accountability be established and how will fines be paid that are imposed by regulatory authorities?

Compliance and security are both critical when protecting sensitive data and infrastructure. However, organizations often have a false sense of security and consider their infrastructure secure simply because it is compliant. Compliance is better understood as a point-in-time snapshot of the overall security controls.

Being compliant does not guarantee a secure infrastructure. Many organizations make security more complex by developing separate programs for compliance and security, which leads to overlapping solutions and adds significant expense to the overall organizational budget. Hence, for stronger security, security initiatives must not be driven by compliance alone and should go beyond any particular set of compliance requirements. Compliance and security initiatives should instead be tightly coupled. This reduces cost, minimizes overlapping solutions and delivers an effective security infrastructure.

Compliance and security complement each other in various aspects. However, being compliant does not necessarily mean that an organization is covering all aspects of security required to protect infrastructure. There have been significant known breaches of many companies that were considered “compliant.” An effective security program integrated with an efficient compliance plan will strengthen overall security infrastructure and ensure compliance.

Muhammad Waheed Qureshi, CISA, CIPP/IT, PCIP-PCIDSS, ITIL V3, Senior IT Security Specialist, MSc (IT Security) – KTH

[ISACA Now Blog]
