ISACA International President: COBIT Online Launches Today

I tried my first green drink recently and found that after avoiding them for a long time, I actually did like it. Green drinks have grown to be popular for their health benefits—they are basically smoothies made with a variety of fruits and vegetables—but since the ingredients often include spinach, kale and green apples, they turn green, hence the name.

This comes to mind as the online version of COBIT is officially launched today. Many professionals have already used COBIT and found that it benefits their enterprises. But there are still some folks who hesitate—much like me with the green drink—because they’re not fully aware of just how much value is packed into it.

At its core, the new online platform helps increase the usability of COBIT by bringing together the key resources for the governance and management of enterprise IT. This is especially critical at this moment in time as we see the daily news of businesses worldwide having to address and recover from major incidents that could have been mitigated by appropriate oversight. No business can ever be 100 percent secure, but having solid governance and management in place can help reduce the risk of financial loss and reputation damage.

The good news is that according to a recent ISACA survey of 1,245 professionals from 50 countries who downloaded the COBIT 5 framework, close to 8 in 10 people (78 percent) said they see increased value in IT governance. Making COBIT 5 available in this online format extends the ability of enterprises to protect their information assets and improve business performance. Users can now:

  • Personalize the new Goals & RACI Planner for their enterprise or clients.
  • Quickly view timely content from ISACA and external sources covering top issues.
  • Easily search, filter and export COBIT 5 publications.
  • Comment and ask questions.

I encourage you to take a few minutes and check out the new online version of COBIT 5. Just like the green drink, it provides a big dose of value and benefits in a compact package.

Robert E Stroud, CGEIT, CRISC, international president of ISACA

[Source: ISACA]

International President: Cybersecurity and Professionalization

Lately, it seems like a data breach, hack or cyberattack makes the news daily. I was at the recent ISACA/IIA Governance Risk and Control (GRC) conference when I read that hackers stole data on 4.5 million patients of a health system. With incidents like this occurring more frequently, there is an increasing demand for professionals who have the cybersecurity skills and resources to combat this growing threat. It is clear that bad actors have set their sights on the vulnerabilities of any type of enterprise, including medical, business and critical infrastructure.

Despite this growing need for cybersecurity skills, until recently the field was fragmented with no clear path set for those who want to pursue the cybersecurity profession. Recognizing this gap, ISACA conducted extensive research and planning with global business and cybersecurity experts. As a result, ISACA identified a need for a single, central location where security professionals and their enterprises can find cybersecurity research, guidance, certifications, education, mentoring and community. Subsequently, we launched the Cybersecurity Nexus (CSX) in April 2014.

The drumbeat for professionalizing cybersecurity is only getting stronger. A recent report from Salve Regina University’s Pell Centerfor International Relations and Public Policy also proposes an alternative to the current, ad hoc, decentralized approach to cybersecurity workforce development. The authors call for the creation of a professional association dedicated entirely to cybersecurity.

The Pell report notes that forming a new association focused on cybersecurity will take time—time that enterprises don’t have if they are to keep up with the rapidly expanding expertise of hackers. This is also one of the reasons why ISACA made the investment in creating CSX. ISACA is able to use much of its existing infrastructure and global subject matter experts to hit the ground running. ISACA, which has been serving IT professionals for 45 years, has been a highly respected provider of certifications, training and networking for global professionals for more than 30 years.

So when we established CSX, we made a commitment: We will do for cybersecurity professionals what we have done and continue to do for assurance and governance professionals. Whether you are a seasoned professional or new to the field, we will be your resource for the training, credentials, guidance and community to develop your cybersecurity career. In addition to other activities, we are offering the first Cybersecurity Fundamentals Certificate workshop and exam in October, which is also Cybersecurity Awareness Month—a cause for which we are a champion.

This is an exciting time in our industry and an extraordinary time for ISACA and our members. Organizations around the world are in need of skilled and knowledgeable cybersecurity professionals—and we’ll do everything we can to help you succeed in those roles.

Robert E Stroud, CGEIT, CRISC
International President, ISACA

[Source: ISACA]

Assessing Control Effectiveness — An Essential Part of Every Risk Assessment

Control effectiveness is measured by looking at the maturity of the process. Most people agree that mature processes are documented, but why? Transferring knowledge from the human brain requires conversion from tacit knowledge to explicit knowledge, so that it can be shared, reviewed, updated and tested. Think about it. If we relied on tacit knowledge all the time, there is a good chance that the outcomes would be different every time the process was executed, unless they had a plan to follow, which is where explicit knowledge comes into play. Quality management requires that we integrate feedback loops to push a process even higher in maturity. Continuously monitoring and making adjustments to perfect the process can only be achieved with explicit knowledge.

Building the perfect control to mitigate risk is one thing, but making sure that it gets implemented, monitored and maintained adequately, so that it is functioning 100 percent, is yet another. This requires the assessment of competence for those employees or contractors who have been assigned the responsibility to get the job done! I like to leverage my knowledge as a teacher using Bloom’s Taxonomy. I create at least six basic questions to determine how much the employee knows. For example, I recently created a one-page assessment for CyberSecurity Leader.

We have evaluated the control for maturity and assessed competence of the administrator. Now we need to verify and validate that the control is functioning as planned. There are similar approaches that work, from using quality assurance techniques to penetration testing. This part should be looked at every time changes occur that touch the control in any way. We need a solid baseline for assessment control effectiveness, and to accomplish that, I like to integrate the use of design qualification (DQ), installation qualifications (IQ), operational qualifications (OQ) and performance qualifications (PQ).

Based on my experience, the most secure systems are those that establish and maintain absolute control over the environment. I often joke with senior management about my number-one rule, “No surprises!” Quality management is deep in knowledge about establishing control and assessing process, so it is only logical that we would assimilate this knowledge into information security.

DQ is the architecture, or specifications, used to build a service or product. Any changes must be strictly controlled; so, while DQ sets out the design, IQ defines the specifications, or standard operating procedures, for installing a new piece of software or hardware. Control design is a related topic that would allow you to map where this control applies within the risk universe as it mitigates risk to a specific asset that is used to deliver a service or product. OQ documents the configuration specifications that could be recorded in the configuration management database used by ITIL also ISO 20000. Once everything has been documented and procedures have been followed, the PQs are reviewed. What were the expected response times? How can we optimize them to meet customer expectations?

Whomever gets the job of reviewing control effectiveness should be looking at three key elements—maturity, competence and testing—to verify and validate that what we said we would do we have actually achieved. The importance of assessing control effectiveness during regular audits is obvious. The assessment of control effectiveness during risk assessment as part of the risk management and governance process is absolutely crucial to provide all the facts to management quantified in a meaningful way.

I have seen plenty of external audits that have gone in a direction where hundreds of thousands of dollars and sometimes millions are spent on new controls that may not have been necessary if the current investment in security was better quantified and managed. This is an evidence approach that can easily be shared and reviewed and scrutinized. Too much control could negatively impact the business model, organizational culture, agility or time to market and resilience by creating more complexity that is expensive to maintain and difficult to replicate in emergency situations.

Mark E.S. Bernard, CISA, CISM, CGEIT, CRISC, CISSP, ISO 27001 Lead Auditor

[Source: ISACA]

European Initiatives For a More Secure Cyber World

Europe is poised to tackle cybersecurity headfirst with initiatives that are growing in strength and support. In 2013, the Cybersecurity Strategy for the European Union and the Commission Proposal for a Directive on Network and Information Security presented legal measures and provided incentives aimed at increasing the security of Europe’s online environment. These efforts are supported by theEuropean Network and Information Security Agency (ENISA), as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU).

As part of ISACA’s holistic Cybersecurity Nexus (CSX), ISACA is addressing the need for cybersecurity guidance in Europe by releasing the European Cybersecurity Implementation Series of white papers and an audit program, which includes:

  • European Cybersecurity Implementation: Overview
  • European Cybersecurity Implementation: Risk
  • European Cybersecurity Implementation: Resilience
  • European Cybersecurity Implementation: Assurance
  • European Cybersecurity Audit/Assurance Program

The white papers address cybersecurity in the context of European Union (EU) laws, regulations and best practice, with a focus on using the COBIT 5 framework and related materials. They provide practical implementation guidance that is aligned with ENISA, European requirements and good practices.

The overview outlines how cybersecurity is discussed and directed in the European context, including institutions, organisations and recognized best practices. In some aspects, this is different from what might be expected in a U.S. setting or other geographies, given that there are 28 EU member states and several associated countries. As a result, there are EU level cybersecurity recommendations as well as national strategies, laws and regulations to be taken into account. This overview paper is designed to provide orientation and set the scene for more detailed aspects discussed in the risk, resilience and assurance papers.

Cybersecurity creates a multitude of new risks, many of which are part of the cultural, social and technical context of security. The risk paper in the series therefore addresses typical European perspectives on cybersecurity risk, including those that may be unique to one or more countries within the Union. In line with the COBIT 5 lens concept, the risk paper further provides a drill-down on using the available COBIT 5 cybersecurity materials in a targeted manner.

Resilience is one of the primary, but often neglected, aspects of cybersecurity. In Europe, resilience thinking is an important element of cybersecurity, both in the business and in the technical sense. The resilience paper within the cybersecurity series addresses the European view on creating, maintaining and improving resilience through various steps of a life cycle. It also covers European and national laws, regulations and best practices in creating cybersecurity resilience.

With the advent of a directional and declared EU cybersecurity strategy and digital agenda, many cybersecurity initiatives are beginning to produce results, often set down as legal, regulatory or industry requirements. In terms of cybersecurity governance and management, it is important to provide robust assurance over cybersecurity arrangements, including auditable evidence and processes. The assurance paper within the cybersecurity series offers insights on how to set up, maintain and uphold the requisite level of assurance in the EU and associated countries. The paper makes use of tried and tested COBIT 5 concepts and the underlying control universe and applies these to the EU landscape.

The ISACA European Cybersecurity Implementation Series is a living set of documents. In the near future, additional helpful tools will be released. These include a matching and mapping tabular paper for quick reference purposes throughout the 28 member states, as well as so-called country files providing subject matter expert advice on cybersecurity details in many European countries.

Rolf von Roessing, CISA, CISM, CGEIT
President, Forfa AG
Past International Vice President, ISACA

He will discuss “Responding to Cyberattacks” and “COBIT 5 for Security” at ISACA’s 2014 EuroCACS/ISRM Conference taking place 28 September – 1 October in Barcelona, Spain. For more information about the conference and to register, visitwww.isaca.org/eucacs-isrm2014.

[Source: ISACA]

English
Exit mobile version