Private Information Is Not So Private Anymore

Muzamil Riffat, CISA, CRISC, CISSP, PMP, GWAPT

For most people, the notion and understanding of privacy tends to be fluid. Here is a question then: How much personal information should an individual be willing to sacrifice to reap the perceived benefits of convenience?

Well, if you are not certain about what the boundaries of privacy are, how are you supposed to make an informed decision about how much of it to sacrifice? Further complicating the matter is the rapid advancement in technology that is creating previously unimagined avenues of information collection and analysis with or without our knowledge. Users, organizations and governments have become three corners of a triangle in which the lines of the relationship, as far as privacy of information is concerned, are increasingly blurred.

Information is power, indeed. Therefore, it is not surprising that governments and organizations are employing all resources within their capabilities to utilize data collection and processing technologies for their noble or notorious goals (depending upon from which angle it is being viewed). This, in turn, is adding fuel to already bitter privacy disputes.

As our digital footprint is created at an unprecedented pace, some pundits are predicting that the concept of privacy as we know it, or knew it a few years ago, will quickly become a thing of the past. The drastic social and behavioral shift toward an information economy is due to the fact that the choice of privacy is slowly, but surely, being taken away from users. In response to the promises of technological advancement, users are willing to sacrifice a bit of privacy for each benefit in different areas of their lives. The cumulative effect of all these trade-offs will be the end of privacy.

For auditors, the ever-changing landscape of information protection and utilization requires a systematic and disciplined approach to ensure that all risk associated with privacy and potential information misuse has been mitigated to an acceptable level. Compliance with emerging laws and regulatory requirements should also be monitored to limit an organization's liability and reputational risk.

Read Muzamil Riffat’s recent Journal article:
“Privacy Audit—Methodology and Related Considerations,” ISACA Journal, volume 1, 2014.

[Source: ISACA]

SCADA Security Framework and Critical Infrastructure

Samir Malaviya, CISA, CGEIT, CSSA

Supervisory Control and Data Acquisition (SCADA) systems are the backbone of critical infrastructure. Recent developments, including headlines on cyberwarfare initiated by state and non-state actors, have brought security for industrial control systems, including SCADA systems, to the forefront of cybersecurity discussions.

It must be noted that the challenges of SCADA security are quite different from those faced when implementing cybersecurity frameworks in the traditional IT world. While traditional cybersecurity is more concerned with confidentiality and integrity, for SCADA systems availability is of paramount importance. Imagine a power utility experiencing an outage because a control applied by its cybersecurity team, such as an agent or a scan, crashes the very device it was meant to protect. This may be catastrophic for utilities and might result in loss of life, too. The traditional cybersecurity model for IT needs to be fine-tuned to meet challenges specific to the SCADA world.

The proposed SCADA security framework from my recent Journal article describes a model for owners/operators of critical infrastructure to build a cybersecurity program for their SCADA systems. The proposed framework also covers all of the components of the recently published draft version of the Critical Infrastructure Cybersecurity Framework from the US National Institute of Standards and Technology (NIST). The SCADA security framework also maps to some of the regulatory requirements to be followed by owners and operators of critical infrastructure. In fact, the SCADA security framework can be considered a comprehensive superset that meets all of the regulatory requirements of the concerned industry for owners and operators of critical infrastructure.

The SCADA security framework can be used by owners and operators of critical infrastructure to develop their security program. It is envisioned that the SCADA security framework can help organizations develop a risk profile and a control framework.

Read Samir Malaviya’s recent Journal article:
“SCADA Cybersecurity Framework,” ISACA Journal, volume 1, 2014.

[Source: ISACA]

Restrictive Handling of Sensitive Data With Tokenization

Stefan Beissel, Ph.D., CISA, CISSP

The handling of sensitive data requires compliance with standards and laws that place high demands on data security. But the handling of sensitive data can be restricted with tokenization. Companies that process sensitive data do not always need the specific data content in every processing step; sometimes only the unique identification of a data item is required. Tokenization replaces sensitive data with unique strings that cannot be converted back to the original by an algorithm. Systems that use these strings no longer handle sensitive data.

Tokens can be generated by different techniques, including encryption, hashing and serial or random numbers. A token produced by encryption can be decrypted back to the original value by anyone holding the key, so encryption is less suitable for generating tokens. Hashing produces a digital fingerprint that is generally unique, but depending on the algorithm a risk of collisions remains, and then the uniqueness of the token is no longer ensured. A plain hash also fails the requirement that the token cannot be converted back: the space of valid card numbers is small, and when the issuer prefix and the last four digits are known, an unsalted hash can be reversed simply by hashing every remaining candidate, which is why PCI DSS guidance calls for hashed card numbers to include a salt or a secret key. Other techniques for generating tokens are a serial number or a random number. In principle, any string may be used as a token as long as it uniquely identifies the original, produces practically no collisions and cannot be converted back to the original by an algorithm.

An exemplary use case for a tokenization system is an e-commerce merchant who accepts credit card payments through a web store. It is most advantageous for the merchant to keep payment data out of his or her own network, so that most of the payment card industry's requirements no longer apply to the merchant's systems. In a token-based method, the merchant must ensure that the web session is redirected to the systems of an external payment processor, e.g., by using a plug-in, before the customer enters any payment information. When customers enter their cardholder data, the data are sent directly to the processor, who operates a tokenization system. The processor assigns the cardholder data in the tokenization system to a multiusable token and sends only the token to the merchant. The merchant's systems then reference that token for repeat purchases, refunds or reporting, and only the processor can map it back to the card number.
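The following is an added example, not code from the article or from any payment processor's product. It sketches the processor-side tokenization system described above as a toy vault that mints random, format-preserving tokens and only detokenizes for an authorized caller, and it contrasts this with the hashing approach the previous paragraph warns about: an unsalted hash of a card number is recovered by exhaustive search once the issuer prefix and the last four digits are known. The `TokenVault` class, the `"settlement"` caller name and the sample card numbers (well-known Luhn-valid test numbers) are all constructed for illustration.

```python
"""Toy tokenization vault versus hashed card numbers (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample inputs: Luhn-valid test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The processor-side tokenization system: the only place PANs are stored."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the multi-use token for this PAN, minting one on first sight.

        The token keeps the PAN's length and last four digits (useful on
        receipts); every other digit comes from a CSPRNG, so nothing computable
        from the token leads back to the PAN. Tokens are chosen to *fail* the
        Luhn check so they can never be mistaken for a live card number.
        """
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a syntactically valid card number")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Swap a token back for its PAN; only the (hypothetical) settlement
        service is allowed to, and the web store never is."""
        if caller != "settlement":
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def unsalted_hash_token(pan: str) -> str:
    """The weak alternative the text warns about: a bare hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_token(pan: str, key: bytes) -> str:
    """Keyed hash: reversible only with the key, which then needs protecting
    exactly as the vault does."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_hash(digest: str, bin_prefix: str, last4: str,
                          unknown_digits: int = 6) -> Optional[str]:
    """Reverse an unsalted PAN hash by exhaustive search.

    A receipt reveals the six-digit issuer prefix and the last four digits, so
    for a 16-digit PAN only six digits are unknown: at most 10**6 candidates,
    fewer after the Luhn check. That is trivial to enumerate.
    """
    for n in range(10 ** unknown_digits):
        candidate = f"{bin_prefix}{n:0{unknown_digits}d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        token = vault.tokenize(pan)
        print(f"PAN ...{pan[-4:]} -> token {token}")
        assert vault.detokenize(token, "settlement") == pan
    digest = unsalted_hash_token(SAMPLE_PANS[0])
    print("unsalted hash reversed to", recover_pan_from_hash(digest, "411111", "1111"))
```

Note what the contrast shows: the merchant holding a vault token learns nothing about the card number beyond the last four digits it was given anyway, whereas a merchant holding a bare hash effectively holds the card number, because the attacker needs no key, only patience measured in seconds.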

By using tokenization, the scope of systems that handle sensitive data and, therefore, must meet compliance and audit requirements can be reduced. It facilitates a more restrictive handling of sensitive data without adjusting business processes. Hence, tokenization offers not only a security improvement, but also potential savings.

Read Stefan Beissel’s recent Journal article:
“Meeting Security and Compliance Requirements Efficiently With Tokenization,” ISACA Journal, volume 1, 2014.

[Source: ISACA]

Data at Rest: Missing the Mark

Where are we?

We are all familiar with the concept of classifying data as public or private or strategic. (In certain industries we further break out information as nonpublic personal, or NPI.) For most of the business world, these classifications reside in policy and are subject to broad control strokes.

Amid the complexity of regulations governing financial institutions, health care providers, and defense-department organizations, there are specific instructions to ensure confidentiality and security over NPI, and to disclose when such information is breached or lost.

In 2012, PwC released a survey stating that only 34% of regulated institutions knew what types of data they were holding and where all of their data resided on their networks. In other words, two-thirds of regulated institutions were unable to comply with standards and legislation that have been in place for a decade. This is disastrous. The 2012 Verizon Data Breach Investigations Report revealed that it takes almost seven months for organizations to realize data has been lost or a breach has occurred. The Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse documents 3,964 reported breaches across industries since 2005, for a total of more than 616 million records.

In plain English, while we have long been required to ensure the confidentiality of NPI, two-thirds of us are unaware of our own data. We do not become aware of its loss in a timely manner. And most often we need an outside party to tell us that we lost information in the past.

Why are we here?

With the evergreen oversight of information security, risk management, audit and examination cycles, it would seem illogical to remain in such an uncomfortable place. Our professional responsibility is to protect the private information of our customers (internal and external). Yet we are woefully behind. To be blunt, we are unsuccessful.

I believe that the roots of this trouble are the very advances that technology has provided, the mainstreaming of “access anywhere across devices.” There are simply too many repositories to store and sync information. With enterprises demanding quick scalability and end users demanding ease of access and storage, untrusted devices and repositories are everywhere.

Adding to this problem is the focus of our control efforts. We tend not to look at information, rather we look around it. We focus on data-in-motion. Our attention is focused on policy, risk assessments, audit-examination clearance and control structures around the data. Meanwhile, we are woefully unable to protect the data itself.

What must we do?

Information security professionals, especially those who hold designations such as the CISA, CISSP and CITP, should take a step back from the traditional audit and risk-assessment frameworks that focus on the existence of controls around data-in-motion. COBIT 5 can be used to conduct risk assessments in alignment with stakeholder requirements and enterprise goals. In particular, COBIT 5: Enabling Information addresses quality goals for information in all its states, including data at rest.

We should retarget efforts to include specific activities that identify the information assets at rest. Only when we start with the assets can we satisfy the objective to ensure their security. Only when we start with the assets can we effectively and efficiently establish a proper control environment.

Paul Hugenberg III, CISA, CRISC, CPA, CITP, CISSP
CVP–Chief Information Security Officer
First Place Bank, a subsidiary of Talmer Bancorp

[Source: ISACA]

The new CIO in the new, interconnected world

Everything in this world, it seems, is becoming connected, from household appliances that “speak” to one another to drones that deliver groceries. These are part of the emerging world of disruptive technologies. Since businesses’ survival is more dependent on technology than ever before, today’s CIOs must act as technology leaders in addition to critical business partners who understand the nature and direction of their businesses.

A problem that continues to nag many CIOs, however, is that they are seen as technologists. This is exacerbated by the shrinking useful life cycles of technology and by business units that are increasingly aware of, and empowered to, procure IT-enabled business solutions directly. The result is investment in capital equipment that holds little value for the organization, causing some to question the CIO's business acumen.

In response, many CIOs are transitioning to a new, agile environment where speed is critical. To deliver, they need to integrate at the rate and pace of the business (within the risk appetite, of course). This is not always easy, as too many IT organizations still do not classify their information properly, often applying a single, uniform security approach rather than one driven by the information itself, which frustrates the business because too many controls end up guarding information regardless of its criticality.

The CIOs that make this transition will be best equipped to deal with upcoming trends such as the Internet of Things and Big Data. Information related to these developments, when correctly leveraged, will provide a critical competitive advantage, but many CIOs are still coming to grips with the resources required to drive value.

As such, the role of data scientists is emerging. This role will require sound business knowledge paired with the skills to read these new types of information and make speedy decisions about them.

Robert E. Stroud, CGEIT, CRISC
Vice president of strategy and innovation at CA Technologies
Chair of ISACA’s ISO Liaison Subcommittee
