EMEA Advisory Council Marks International Data Protection Day with GDPR Warning

Yves Le Roux, co-chair and public policy workgroup lead, (ISC)² EMEA Advisory Council

This Saturday marks the 10th anniversary for Data Protection Day, celebrated each year on 28 January – which is the date the Council of Europe’s data protection convention, known as “Convention 108”, was established. Data Protection Day, known as Privacy Day outside of Europe, is now celebrated globally, raising awareness of people’s rights as they relate to the automatic processing of their data. Each year, events are held around the world to both arm citizens with the information they need to understand and protect their rights, while also helping companies and organizations understand the rules and responsibilities to which they should adhere.

In addition to the 10-year milestone, Data Protection Day is particularly noteworthy this year as organizations around the world grapple with the European Union’s (EU) General Data Protection Regulation (GDPR). The regulation, which passed this time last year, gave everyone two and a half years to come to grips with and put into place the measures needed for compliance. With one of those years now behind us, GDPR is teaching us a lot about company attitudes in this area. There appears to be little progress on the compliance effort to date, as poor acceptance of accountability across organizations suggests a belief that the task ahead is one for the specialists – either legal or technical.

(ISC)²’s EMEA Advisory Council (EAC) has established an international GDPR Task Force of members from around the world who are actively charged with implementing GDPR, to track and curate front-line experience with the compliance effort. The membership and its work are relevant globally, as any company that works with, or processes personal data of, EU citizens must comply. Our aim is to work with the global membership of (ISC)² to share the insights, tools and strategies they are deploying to meet the May 2018 compliance deadline.

First observations from our group reveal that too many projects are falling at the first hurdle, with implementation teams unclear on, or unable to secure, the business support or budgets needed for compliance. Specialist knowledge is going into auditing and determining what is required, but it is being met with a lack of will or acceptance at the business unit level to move forward with the projects that have been outlined. The progress that is being made tends to be linked to the rollout of new initiatives, leaving gaps in addressing existing systems and processes.

If business leaders do not appreciate the requirements placed on them, the effort now must shift to helping them be clearer about their role in the process and the resources (both people and financial) required. This involves us all taking a step back from the expert knowledge we may have about what is required and thinking about how to communicate the scope of the task ahead and why it is so important.

A first measure is to ensure GDPR gains a priority ranking on the corporate and board-level risk register. This is justified by both the impact of failing to comply and the likelihood of a breach in the current threat landscape. The impact goes beyond the now well-cited maximum fine of four percent of worldwide turnover. Individuals have gained new rights to demand action and compensation for damages linked to a breach of their rights, while the definition of what is considered “personal data” now includes many forms of electronic data, IP addresses and the like, that can lead back to them. Data Protection Day will certainly help more people understand this.

The second measure is to emphasize the scope of what is required. This is not a simple “audit and adjust” exercise. The GDPR places greater emphasis on the documentation and existence of processes for the governance of personal data, and demands that companies define how they will deal with user requests related to many new individual rights, the most cited of which is perhaps the right to have their data removed from a company’s systems. The (ISC)² EAC GDPR Task Force has published an overview of the basics that can be used as a tool to help everyone understand and communicate the scope of what is required.

The (ISC)² EAC GDPR Task Force is a grassroots effort. We are all volunteers who come together virtually every month to discuss the challenges and build a repository of experience. We welcome more input. (ISC)² members interested in joining the effort are encouraged to contact me directly at yleroux@eac.isc2.org, or (ISC)² EMEA managing director Adrian Davis at adavis@isc2.org.

PDF (Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)) to be embedded for download.

[(ISC)² Blog]

Member Profile: Johnson’s Interest in AI Has Come ‘Full Circle’

Claudia Johnson always has had a knack for mathematics and statistics.

But even Johnson has trouble calculating the exact impact that artificial intelligence and robotics will make on society. Her background qualifies her well to at least estimate it.

“The opportunities through artificial intelligence and machine learning, particularly for security, are enormous,” Johnson says.

Johnson, an ISACA member and security specialist at Infoblox, spent about six years researching AI early in her career. She has continued to follow the field with great interest, saying she has come “full circle” given AI’s role in the cybersecurity space.

“Today I see machine learning making huge strides in IT security,” Johnson says. “One major advance in the world of today is that this approach is being combined with big data. This is an approach that will take us away from recognized, predictable threats and onto the plane of warding off zero days. The Infoblox Data Exfiltration detection algorithm based on machine learning and big data, for example, detects malicious activities where even next generation firewalls fail.”

After earning master’s and doctoral degrees – but ultimately tiring of academia – Johnson took her first job in the IT field as a knowledge engineer at the Siemens Central Research division for artificial intelligence. Johnson found the material intriguing – especially as it pertained to how brains work and how language is learned – but noted that those involved in research today can leverage big data and other modern tools to accelerate their progress.

Johnson grew up in the United States – in the Seattle area – but has spent most of her adulthood in Germany, where she earned her Ph.D. in meteorology at the Max-Planck-Institut. She briefly relocated to Australia for family reasons, and it was while there that fellow security professionals recommended that she join ISACA. Johnson is glad she did, calling it “a great way for me to further my security knowledge and network with other security colleagues.”

Although enthused about the potential of AI, Johnson shares a common concern that AI and robotics will displace a segment of the workforce.

“Robotics will change a lot of daily tasks,” Johnson says. “Entry level work like working at a cash register will disappear. Cleaning house, washing windows, will go down the same path. There will only be a privileged few who will still have well-paid jobs. What about the rest? How will they make ends meet?”

That sort of empathy is central to Johnson’s worldview. Upon returning to Munich from Australia last year, she found that the flood of refugees who had entered Germany while she was away had made a profound impact on her thoughts and priorities.

“Now that we as a family are back in central Europe, I would like to help with the refugee situation by volunteering,” says Johnson, who also counts hiking, bicycling and swimming among her interests. “A number of our personal friends are helping out – in small ways – and it is the small things that can add up.”

Johnson also is passionate about encouraging more women to enter the IT security realm.

“My current personal goal is to give back to the community, both in terms of social responsibility as well as IT security,” Johnson says.

Editor’s note: ISACA’s family of more than 140,000 members and certification holders consists of truly outstanding individuals who are making significant contributions to the profession and the world. Watch for more stories like Claudia’s coming soon, and contact jschwab@isaca.org if you have a member story you’d like to share. If you are not a member, consider joining our community. View the ISACA Member Advantage here.

[ISACA Now Blog]

New NIST-Based Audit/Assurance Program Validates Cyber Controls

We live and work in a high-tech, interconnected world that is seeing increases in the volume and sophistication of cyberattacks. In order to function safely in this technology-driven, digital world, we must have strong cybersecurity controls. But how do we know if we have the right controls or if our controls are functioning as planned?

Because of the need for audit and assurance programs and processes around cybersecurity, ISACA has developed a new IS audit/assurance program, Cybersecurity: Based on the NIST Cybersecurity Framework. The goal of this program is to provide organizations with a formal, repeatable way to validate cybersecurity controls.

The program is based on the NIST Cybersecurity Framework and is built around the following five critical cybersecurity activities:

  1. Identify – Determine if the systems, assets, data and capabilities critical to cybersecurity have been identified and are understood by the organization. Process sub-areas include asset management, business environment, governance, risk assessment and risk management strategy.
  2. Protect – Review cybersecurity safeguards designed to limit the impact of potential events. Process sub-areas include access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
  3. Detect – Assess activities designed to identify the occurrence of cybersecurity events. Process sub-areas include anomalies and events, security continuous monitoring and detection processes.
  4. Respond – Evaluate action plans to take after learning of a security event. Process sub-areas include response planning, communications, analysis, mitigation and improvements.
  5. Recover – Analyze plans for resilience and the timely repair of compromised capabilities and services. Process sub-areas include recovery planning, improvements and communications.

The program is offered as a Microsoft Excel file with columns in which users can define the controls to be tested (including frequency and results), as well as add references and comments. Testing steps have been identified for each NIST Cybersecurity Framework functional subcategory. These subcategories are labeled “Controls” in the program.

In addition, controls are referenced to COBIT 5 and ISO/IEC 27001:2013, making it easier for professionals to integrate the program into existing frameworks and/or audit programs.

Editor’s note: To download the Cybersecurity: Based on the NIST Cybersecurity Framework audit/assurance program, visit: www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybersecurity-Based-on-the-NIST-Cybersecurity-Framework.aspx.

ISACA also is offering a one-day workshop entitled “Cybersecurity for Auditors” immediately following the 2017 North America CACS conference in Las Vegas, Nevada. For more information and to register, visit: www.isaca.org/Education/Conferences/Pages/North-America-CACS-Presentations-and-Descriptions.aspx#ws7.

Russell Horn, CISA, CRISC, CISSP, President, CoNetrix

[ISACA Now Blog]

Davos Notes: Cybersecurity Must Keep Pace with Fintech Innovation

In today’s digitally connected world, it seems many have an increasingly myopic view, as it’s all too easy to get caught up in what’s important to individuals instead of collective needs. As such, it was very interesting to attend a CNBC debate session at the World Economic Forum Annual Meeting in Davos, entitled “2016: The Year Fintech Dominated Disruption”.

The concept seems an oxymoron: as technology evolution continues exponentially, I wonder what comes after domination? One panelist commented that, whilst many consumers will experiment with new tech that includes financial transactions, the financial investment is typically trivial, and the reality is that consumers will come back to the organisations they have trusted for decades when investing their entire capital wealth.

At the same time, there was acceptance that the retail technology transition had overtaken the financial organisations, so they are now pushing for innovation. This drove much of the broader discussion on where and how such innovation is driven. One bank highlighted that it is today working with over 70 different financial technology companies through the partnerships, joint ventures or acquisitions it has made. Whether these are evolutionary or transformational, I would speculate all of the above.

Financial regulation has always seemed to be a constraining factor to fintech innovation, from my perception, but it was highlighted that more regulators are now starting to support small sandbox environments that allow new fintech concepts to be tested more dynamically. It was very interesting to hear the debate, which effectively pitted innovation against trust, and given this, it was surprising that cybersecurity didn’t enter the discussion further.

On one hand, fintech looks for new methods to deliver old services via such tools as blockchain, which can provide a new architecture to allow greater transaction volumes to be processed and stored, with timestamped and linked data blocks for a permanent verification trail. On the other hand, fintech also creates the opportunity for far more complex transactional processes; indeed there were predictions that machine-to-machine transactions will someday outweigh the number of human-based financial transactions.

There is an old adage that you’re only as strong as your weakest link, so considering what, in finance, looks likely to become a transaction process with greater volume and complexity, the need to transform how we secure platforms, applications and processes is clear. Typically, security is applied at each level in isolation, creating fragmented, high-volume and partial indications that then rely on human analysis in order to validate whether there is a cyber incident.

All too often cybersecurity comes after innovation, and while fintech is undoubtedly disrupting how transactions occur and consumers are pushing banks to evolve, cybersecurity requirements are only going to become more complex. It’s important to start to connect and automate the cybersecurity capabilities across the payment ecosystem, in collaboration with banks and fintech providers, to create security-aware, integrated platforms that are as automated as the transactions being processed. Only then can cybersecurity, and the required trust that goes with it, keep pace in this disruptive space.

[Palo Alto Networks Research Center]

CSA releases Quantum-Safe Security Glossary

The Cloud Security Alliance’s Quantum-Safe Security (QSS) Working Group announces its latest release, the Quantum-Safe Security Glossary. The QSS Working Group was formed to address key generation and transmission methods and to help the industry understand quantum-safe methods for protecting networks and data. The working group is focused on long-term data protection amidst a climate of rising cryptanalysis capabilities. As the working group continues to produce documents that address concerns in a quantum world, this glossary offers a shared set of terms as a starting point for learning more about quantum-safe security.

This glossary is a collective contribution of the QSS Working Group to increase quantum-safe security awareness, and includes a compilation of common terms used in the world of quantum-safe cryptography. The document was created with the working group’s input and went through an open peer review for collaboration and completeness. However, quantum-safe cryptography is a very dynamic issue, prone to unpredictable patterns and instability. In anticipation of these characteristics, the QSS Working Group plans to update this document from time to time going forward. For more information on the Quantum-Safe Security Working Group, please visit https://cloudsecurityalliance.org/group/quantum-safe-security/.

[Cloud Security Alliance Blog]
