ISACA Now: Posts

ISACA’s Past, Future Come Together at North America CACS


David Samuelson

ISACA’s 50th anniversary year is about simultaneously honoring our past while visualizing how our professional community will innovate the future. Last week’s experience at our North America CACS conference in Anaheim provided tremendous inspiration on both fronts.

I will pay homage to ISACA’s remarkable past later in this post, but I want to start by highlighting a member story that underscores why we have such a bright future. I had the privilege of helping to open the conference by sharing the stage with ISACA board chair Rob Clyde and Kelly Lin, an impressive young professional and board member of ISACA's Los Angeles Chapter. Kelly is a rising leader in the IT audit world and an example of how transformative ISACA can be in our members’ lives.

After our time onstage together, I had a 1-on-1 conversation with Kelly that reinforced how fortunate I am to have become CEO last month of such an outstanding organization. Kelly recalled hearing about ISACA from a professor during her time as a college student in Los Angeles, and attending a career night event with ISACA’s Los Angeles Chapter to find out more. She quickly developed connections with members of the chapter, and even took on leadership roles while still a student.


Those ISACA networking connections paid major dividends once she graduated from college as she learned more about career possibilities in IT audit, transitioning from financial audit. Both of Kelly's first two jobs in the IT field, including her current role as AVP IT Audit Lead with East West Bank, came together through her ISACA network. She also continued to gain valuable early leadership opportunities through the Los Angeles Chapter, adding roles as treasurer, programs chair, conference registrar, volunteer chair and her ongoing service on the chapter board of directors.

“This entire journey, ISACA was there to help me put everything together,” Kelly told me. “It shaped who I am today and also my career because if it wasn’t for ISACA being able to provide that networking platform, I would not have had the opportunity to explore and dive into the world of IT.”

David Samuelson and Kelly Lin

True to ISACA’s mission, Kelly is committed to helping the next wave of rising professionals find their professional footing by working with them to provide leadership opportunities, develop their soft skills and – perhaps most importantly – engage them in dialogue about what they want from ISACA to help them grow their careers. That willingness to “pay forward” the benefits Kelly gained through ISACA is the exact mindset that ISACA will need to be even more impactful in the next 50 years.

How did ISACA and its community arrive at this point, so well positioned to meet the challenges of the present and the future? Another component of my experience at North America CACS offered insight. As part of the 50th anniversary celebration, several past board chairs attended the conference, including one of our founding members, Eugene Frank. It was humbling to spend time with these visionary leaders and listen to how meaningful ISACA has been in their lives, both personally and professionally. Each had such genuine passion in their voices as they recounted highlights from their leadership roles, some of which came from the era when ISACA was known as the EDPAA. Hearing these reflections, it is easy to understand how ISACA has blossomed from Eugene and a handful of his associates in the Los Angeles area in 1969 to become the thriving global association of more than 140,000 members today.

Certainly the growing importance of leveraging technology for organizations around the world has aided in ISACA’s ascent. However, it is clear our greatest resources are the women and men who supplied their visionary wisdom and boundless passion to the organization – the true catalysts of ISACA’s first 50 years and continuing into the future. From Eugene Frank to Kelly Lin, and all of our purpose-driven professionals in between, ISACA has provided the learning network to further great individual accomplishments, strengthen our professional fields of interest, and set in motion lifelong relationships with treasured colleagues.

As Kelly, Rob and I concluded our time onstage in Anaheim, we led a record-setting North America CACS crowd in wishing ISACA a happy 50th birthday. In that spirit, my birthday wish for our professional community is for all of us to build upon the passion that our past leaders have poured into this organization, and to join in Kelly’s pledge to mentor and support the technology professionals of the future.

There is no better way to honor our past than by committing to work together toward an even more promising future.

Category: ISACA
Published: 5/23/2019 12:03 PM


Internal Audit Should Take Multifaceted Approach to Robotic Process Automation


David Malcom

In the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.

There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.

  • First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
  • Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity: all are critical operational procedures that should be defined prior to utilizing any bots in production.
  • Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.

As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.

  • At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
  • Any audit testing that internal audit performs involving calculations, variance analysis, and reconciliations are prime candidates to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.

My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.
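The kind of ITGC test described above lends itself to automation because the evidence is structured and the judgment is minimal. The following is an added example, not the author's pilot code, of one such test: a terminated-user access reconciliation that joins an HR termination feed to an application account export and flags accounts that stayed enabled, were disabled late, or carry no disable date to evidence timeliness. The one-business-day removal deadline, the column names and both CSV extracts are assumptions constructed for illustration.

```python
"""Automated test of a common SOX IT general control: removal of terminated users' access.

Added example; it is not the post author's pilot code. It reconciles an HR
termination feed against an application account export and flags terminated
employees whose accounts stayed enabled or were disabled after an assumed
one-business-day removal deadline. Both CSV extracts are constructed samples.
"""
import csv
import io
from datetime import date, datetime, timedelta

REMOVAL_SLA_BUSINESS_DAYS = 1  # assumed policy; adjust to the organization's standard

# Constructed HR feed: employee_id, name, termination_date
HR_TERMINATIONS = """employee_id,name,termination_date
E1001,Alice Ng,2019-05-03
E1002,Bob Reyes,2019-05-06
E1003,Carol Diaz,2019-05-10
E1004,Dan Okafor,2019-05-13
"""

# Constructed account export: user_id, employee_id, status, disabled_date
ACCOUNT_EXPORT = """user_id,employee_id,status,disabled_date
ang,E1001,disabled,2019-05-03
breyes,E1002,disabled,2019-05-14
cdiaz,E1003,enabled,
dokafor,E1004,disabled,2019-05-14
svc_batch,,enabled,
"""


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days after `start`, skipping weekends
    (public holidays are ignored in this example)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            days -= 1
    return current


def _parse_date(text: str):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def reconcile_terminations(hr_csv: str, accounts_csv: str) -> list:
    """Return one exception dict per control failure; an empty list means the test passed.

    Findings: 'still_enabled', 'disabled_late' (disabled after the SLA deadline) and
    'no_disable_evidence' (disabled but no date recorded, so timeliness cannot be shown).
    """
    accounts_by_employee = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["employee_id"]:  # unowned service accounts belong to a separate test
            accounts_by_employee.setdefault(row["employee_id"], []).append(row)

    exceptions = []
    for term in csv.DictReader(io.StringIO(hr_csv)):
        term_date = _parse_date(term["termination_date"])
        deadline = add_business_days(term_date, REMOVAL_SLA_BUSINESS_DAYS)
        for acct in accounts_by_employee.get(term["employee_id"], []):
            finding = None
            if acct["status"] != "disabled":
                finding = "still_enabled"
            elif not acct["disabled_date"]:
                finding = "no_disable_evidence"
            elif _parse_date(acct["disabled_date"]) > deadline:
                finding = "disabled_late"
            if finding:
                exceptions.append({
                    "user_id": acct["user_id"],
                    "employee_id": term["employee_id"],
                    "finding": finding,
                    "deadline": deadline.isoformat(),
                })
    return exceptions


if __name__ == "__main__":
    for ex in reconcile_terminations(HR_TERMINATIONS, ACCOUNT_EXPORT):
        print(ex)
```

On the constructed data the test raises two exceptions: breyes was disabled eight days after a Monday termination, and cdiaz (terminated on a Friday, so the deadline falls on the following Monday) is still enabled. Everything the bot needs to attach as evidence (the source extracts, the deadline it computed, the finding) is in the returned records rather than only printed, which is what makes the output reviewable by a second person.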

RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.

Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.

Category: Audit-Assurance
Published: 5/22/2019 3:02 PM


A Deeper Look Into the WhatsApp Hack and the Complex Cyber Weapons Industry


Phil Zongo and Darren Argyle

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app WhatsApp. The vulnerability, which affected the app on both Apple and Android devices, allowed malicious actors to install commercial spyware on a target's phone simply by placing a call to it through WhatsApp's VoIP calling feature.

The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. The flaw allowed attackers to compromise a phone simply by calling it: the victim did not need to answer, and the missed call often vanished from the call log. Such zero-click exploits, which need no victim participation such as clicking a weaponized hyperlink, cannot be fended off by user awareness alone and dramatically alter the game.

According to the report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defense contractors or niche malware developers.

These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure, influence elections, jam airwaves to silence opposition, and spy on journalists, dissenters, suspected terrorists and a wide array of other targets. According to one market research estimate, the global cyber weapons market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.

When we dig deeper into factors that have spurred the exponential rise in the cyber weapons market, three insightful answers emerge. At the root of this predicament is the rapid shift in defense policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own. As a 2013 article highlighted, “A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.”

Back in 2017, US defense chiefs, via a joint statement to the US Senate Armed Services Committee, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and other high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasized.

Secondly, and perhaps the most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. As one of the co-authors of this blog post wrote in his book, The Five Anchors of Cyber Resilience, international cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system invariably pale.

Granted, there have been sporadic efforts to address this void. In 2018, Antonio Guterres, the United Nations chief, issued a withering assessment, saying, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare; it is not clear how the Geneva Convention or international humanitarian law applies to it.”

History also is a guide. At the 2015 G20 summit held in Belek, Antalya Province, Turkey, G20 leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it represented only form, not substance. It did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.

Third, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into the wrong hands. The NSO Group, for instance, claimed that its program is licensed to authorized government agencies “for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control over how and when that software is used. The 2016 incident in which a group calling itself the Shadow Brokers leaked exploit tools attributed to the Equation Group, a sophisticated hacking operation widely believed to be run by the NSA, provides a chilling example. One of those leaked exploits was repurposed the following year in the WannaCry ransomware outbreak, which crippled NHS hospitals in the UK among many other organizations and caused damage estimated in the billions. Further compounding an already grave situation, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”

What’s at stake here is innovation, peace and human development. Hacker incursions into a platform as widely used as WhatsApp, which connects more than a billion people across more than 180 countries, can erode consumer trust, derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent Time article, “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”

About the authors

Phil Zongo is a director and co-founder of, an enterprise that develops the next generation of cyber leaders. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders. Zongo has won multiple industry awards, including the respected 2017 ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS audit, control and security.

Darren Argyle is a non-executive director and co-founder of, an enterprise that develops the next generation of cyber leaders. He is a former Group Chief Information Security Officer (CISO) at Qantas Airlines. Argyle was named in the top 100 Chief Information Security Officers globally in 2017 and in the top 100 Global IT Security Influencers in 2018 by the SC Magazine. He was recently appointed Ambassador for the Global Cyber Alliance in recognition of his collaborative work advising small businesses on critical measures they can apply to defend against cyberattacks. He has nearly 20 years of experience in international cyber risk and security, with broad expertise in providing hands-on leadership, strategic C-level and board direction, and cybersecurity program execution.

Category: Security
Published: 5/21/2019 10:45 AM


Controls in the Cloud – Moving Over Isn't As Easy As Flipping a Switch


Shane O'Donnell

Lift and shift.

While this phrase is not new, it’s now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, proper care needs to be taken. Assuming everything is the same can be a fatal mistake, one that is happening on a regular basis.

From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures. Organizations do not often have the budget, time, or expertise to build their own on-premises data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks as a control to protect from a leaky roof, anyone?). Even the most advanced on-premises data centers we see do not match those of the large cloud providers.

What hasn’t changed
Requirements and basic control concepts have not changed as the proliferation of cloud infrastructure unfolds. User access, change management, and firewalls are all still there. Control frameworks such as COBIT, ISO 27001, NIST CSF, and the CIS controls still apply and have great value. Sarbanes-Oxley controls are still a driver of security practices for public companies.

What has changed
How the controls of the past are performed has changed upon moving to the cloud. Here are some common examples:

Security administration is more in-depth. Some of the most high-risk access roles in organizations, admin rights, are a main target of malicious actors. Handling admin rights in the cloud is different and needs proper due care. Knowing which roles are administrative in nature can be confusing, so it’s important to implement correctly from the start. Separation of duties in relation to key administration and key usage is essential. Having the proper tools to administer access can be daunting. Don’t assume your cloud provider will guide you through all these intricacies; plan ahead.

Perimeter security has changed. While layered security has always been important, it becomes even more important in the cloud. Recently, several news stories have appeared about breaches caused by things like “containers being exposed to the internet,” with a large cloud provider’s name attached. At first blush, I have heard most people blame the cloud provider, but under the shared responsibility model the configuration of those resources belongs to the customer, and most of these breaches trace back to customer misconfiguration. Some important items to think about are proper DMZs (network segmentation) for critical and/or regulated data, firewall and security group configurations, and proper restriction of admin rights to those resources.

Securing connectivity becomes more important. Servers and other hardware won’t be sitting down the hall when moving infrastructure to the cloud. Access will almost always be remote, thus creating new security challenges. Understanding all ingress and egress points is essential, as is putting proper controls around them.

Encryption. Encrypting data will be a top concern for many organizations, as the data is now “somewhere else.” The good news is the native encryption tools of many large cloud providers are advanced, and most times data at rest can be automatically encrypted using a strong algorithm. This is a huge step up right off the bat for many companies. Because encryption is so important in the cloud, key management becomes a high-risk control. Policies, procedures, and controls around key management need to be well-thought-out.
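Three of the control shifts above (over-broad admin rights, resources exposed to the internet, and separation of duties between key administration and key usage) can be checked mechanically from the policy documents themselves, before any audit interview. The following is an added example, not code from the post or from any cloud provider, that lints AWS-style IAM, bucket and KMS key policies in their standard JSON form without calling a cloud API. The three policies, the account number, the role names and the small action lists used to classify "admin" versus "use" permissions are all assumptions constructed for illustration.

```python
"""Static checks over cloud policy documents for three controls: unrestricted admin,
internet exposure, and separation of key administration from key usage.

Added example, not the post's own code. Works on AWS-style IAM/KMS policy JSON
(the standard Version/Statement format) entirely offline; all policies below are
constructed samples and the account id 123456789012 is a placeholder.
"""
import fnmatch
import json

# Assumed, deliberately small classification sets; not an exhaustive list of KMS actions.
KEY_ADMIN_ACTIONS = ("kms:CreateKey", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                     "kms:DisableKey", "kms:CreateGrant")
KEY_USE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to strings."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _statements(policy):
    """Yield Allow statements with Action/Resource/Principal normalized to lists."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        yield {"Sid": stmt.get("Sid", ""),
               "Action": _as_list(stmt.get("Action")),
               "Resource": _as_list(stmt.get("Resource")),
               "Principal": _principals(stmt.get("Principal")),
               "Condition": stmt.get("Condition")}


def _grants(patterns, action):
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_full_admin(policy):
    """Sids of statements granting every action on every resource."""
    return [s["Sid"] for s in _statements(policy)
            if "*" in s["Action"] and "*" in s["Resource"]]


def find_public_access(policy):
    """Sids of resource-policy statements open to any principal with no Condition."""
    return [s["Sid"] for s in _statements(policy)
            if "*" in s["Principal"] and not s["Condition"]]


def find_key_sod_violations(key_policy):
    """Principals that hold both key-administration and key-usage rights on one key."""
    admin, use = set(), set()
    for s in _statements(key_policy):
        for principal in s["Principal"]:
            if any(_grants(s["Action"], a) for a in KEY_ADMIN_ACTIONS):
                admin.add(principal)
            if any(_grants(s["Action"], a) for a in KEY_USE_ACTIONS):
                use.add(principal)
    return sorted(admin & use)


# Constructed sample policies.
ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"},
  {"Sid": "BreakGlass", "Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}""")

KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "KeyAdmins", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdmin"},
   "Action": ["kms:Create*", "kms:Put*", "kms:ScheduleKeyDeletion", "kms:Disable*"], "Resource": "*"},
  {"Sid": "AppUse", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
  {"Sid": "OpsEverything", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/OpsRole"},
   "Action": "kms:*", "Resource": "*"}]}""")

if __name__ == "__main__":
    print("full admin:", find_full_admin(ROLE_POLICY))
    print("public:", find_public_access(BUCKET_POLICY))
    print("key SoD:", find_key_sod_violations(KEY_POLICY))
```

The unconditioned "PublicRead" statement is flagged while the otherwise identical "VpcOnly" statement is not, which is the difference between an internet-exposed bucket and one reachable only from a private endpoint. On the key policy, KeyAdmin and AppRole pass (one can manage the key but never decrypt with it, the other the reverse) and only OpsRole, granted kms:*, violates separation of duties. One caveat when running this against real key policies: the default statement AWS adds to a new key grants the account root principal kms:*, so it will be flagged too, and whether that is acceptable is a decision to document rather than one this check can make for you.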

Fear not, it’s not all bad!
While some challenges may be present as outlined above, moving to the cloud is most often a great move for an organization. Improved security, improved performance, and cost savings are only a few benefits of a cloud migration. Multiple frameworks exist to provide a secure path to cloud adoption, so organizations are not approaching this “blind.” A cloud security framework can guide you through the process of secure adoption and also provide assurance over cloud adoptions you have already performed. We are helping clients in all industries with these cloud migrations/adoptions and have some great perspective on dos, don’ts, and best practices.

Editor’s note: For more cloud-related insights, download ISACA’s complimentary new white paper, Continuous Oversight in the Cloud.

Category: Risk Management
Published: 5/16/2019 3:00 PM


Last import : 23/05/2019 @ 12:54