ISACA Now: Posts

RSS feed for the Posts list.

GDPR Progress Paves Way for Deeper Look at Role of Data in 2019


Andrew Neal

The European Union’s General Data Protection Regulation (GDPR) commanded the attention of the business community throughout 2018. Thought leadership gatherings such as ISACA conferences and webinars attempted to answer questions like, “What does it take to comply?” and “What will enforcement look like?”

Answers were largely speculative, and the actual enforcement processes associated with the regulation are only now taking shape. We can, however, look back at 2018 and make some observations about what has been accomplished, the drivers of compliance activities, and the work left to be done.

At six months past the implementation deadline, many organizations have harvested the low-hanging GDPR fruit. Privacy policies have been updated, cookie notices added to websites, and mechanisms deployed to support opt-in, opt-out and data subject requests. Those using third parties to process data, and those who are the third party, have defined commitments and expectations regarding personal information. Training programs have been rolled out on GDPR-related issues. Accomplishing these items has allowed organizations to mark a significant part of their GDPR checklist complete and to have a reasonable story to tell in case of an incident.

The desire to comply with GDPR and avoid any potential fines motivated much of this activity. Since GDPR, the regulatory landscape has continued to change and evolve. A proliferation of privacy and data breach regulations (such as the California Consumer Privacy Act, Brazil’s new data privacy regulation, etc.) has refocused the discussion from a single regulation to an overall issue of data privacy and business process. As recently explained by a business executive, “There is no way we can fund a new project to comply with each privacy and security regulation that comes along, so we must address these issues at a higher, more efficient level.” These conversations about compliance costs and efficiencies are driving the next wave of privacy-related projects.

Having addressed the basics, many of our clients now seek to reduce costs and lower their overall compliance risks. This often involves a deeper look at the role of data within business processes. Good information governance requires such things as accurate data and process maps, defined data lifecycles, security protections for data, and incident response plans. The ever-increasing risks related to compliance in a complex regulatory environment, and the standard benefits of good data governance, are causing many organizations to revisit some of these governance program elements. While 2018 saw a heavy focus on GDPR, 2019 may be a year of transformational governance projects as companies seek to reduce costs and compliance complexity by more precisely directing their use, management and protection of data.

The impact of GDPR has been significant, with more official guidance and enforcement decisions on the horizon. But the bigger story may be the pressures exerted on business processes by the combination of multiple data privacy and breach regulations, changing consumer expectations, and related B-to-B obligations. The next year may demonstrate how organizations are choosing to comply with GDPR while addressing these additional pressures.

Category: Privacy
Published: 12/17/2018 3:00 PM


Advocating for a Strong Cybersecurity Workforce, IT Audit Standards and NIST Reauthorization Act on Capitol Hill


Members of ISACA’s US Public Policy Working Group recently gathered on Capitol Hill in Washington, D.C., to listen to inspiring speakers and to advocate for issues important to ISACA constituents, drawing from their personal experiences and professional backgrounds.

Over the course of a productive day, these ISACA volunteers met with Congressional members and senior staff from seven districts across California, Illinois, New York, Texas and Virginia, the states from which the participants hailed. Key topics included the National Institute of Standards and Technology (NIST) Reauthorization Bill (H.R. 6229), the value of authoring and introducing legislation focused on the future of IT audit, and the importance of certifications in preparing the workforce for cybersecurity jobs and closing the skills gap.

The participants expressed the importance of supporting H.R. 6229, as it would not only reauthorize NIST, but also strengthen research and development programs related to cybersecurity, artificial intelligence (AI), internet of things (IoT), and quantum computing and increase opportunities within the cybersecurity profession.

ISACA’s US Public Policy Working Group recently came together from across the country to engage in advocacy efforts on Capitol Hill.

Additionally, because some members of the Public Policy Working Group had worked or currently work within government, they could speak personally to the challenge of managing several audits in any given year on top of their regular workload. They emphasized that improving and streamlining audit standards would not only make the process more efficient and deliver more meaningful results, but also allow audits to account for emerging technologies such as AI that most audits currently do not consider.

“As a member of the ISACA US Public Policy Working Group, I appreciated the opportunity to visit Capitol Hill to discuss legislative initiatives that impact my profession,” said Howard Duck, CISSP, CISM, CISA, PCIP, past president of the ISACA Sacramento chapter. “Joining other ISACA members in these discussions was interesting and informative for me.”

Another ISACA volunteer, Kyle Foley, CISA, CGEIT, CRISC, PMP, agreed. “Meeting with Congressional staff in the House and Senate to discuss ISACA's mission and information security issues, such as the NIST reauthorization legislation and our ‘One-Audit’ initiative, was fun, interesting, and rewarding.”

Joel Creswell, Ph.D., Legislative Assistant to Congressman Daniel Lipinski (IL-03), kicked off the advocacy day by speaking to the group about Rep. Lipinski’s work in research and development and in science and engineering, as well as his initiatives on AI, quantum computing and cybersecurity education. He noted that IT audits had been a focal point of the roundtable discussion with ISACA the day before.

Another issue of common concern to both ISACA members and Congressional staff was the challenge of building a strong cybersecurity workforce and closing existing skills gaps.

Nick Leiserson, Legislative Director for Congressman Jim Langevin (RI-02), spoke to the group mid-day and provided highlights from this year, such as the creation of the Cybersecurity and Infrastructure Security Agency, as well as a preview of what ISACA’s professional community might expect to see come out of the work of the 116th Congress.

During ISACA’s advocacy day, participants discussed key issues such as supporting the NIST Reauthorization Bill, envisioning legislation around the future of IT audit and closing the skills gap with certifications.

The experience was not only an opportunity to raise important issues, but also ended up being a milestone for the ISACA volunteers who participated. It was the first time each of them had been involved in such an advocacy day—and it was an experience they found to be very positive.

"ISACA continues to exceed my expectations, and today’s advocacy event was no exception,” said Angel Contreras, CISA, CDFM, senior manager, technology risk at EY. “Being able to meet with policymakers—having open discussions on the key cyber and audit challenges with the common goal of making progress to secure our enterprises—was a memorable experience that embodies what ISACA is all about." 

Added ISACA volunteer Kevin McDonald, CISSP, CISA, CRISC, CBCP, PMP, senior program manager at Copper River Enterprise Services, “This is a prime example of ISACA’s support for the industry and proactive approach to supporting the next generation challenges in audit and technology.”

Category: ISACA
Published: 12/14/2018 3:02 PM


Tightening Cybersecurity Assurance in Supply Chains: Three Essentials


Phil Zongo and Rohini Kuttysankaran Nair

In October 2018, Bloomberg Businessweek sent shivers through the business and intelligence community when it published a report claiming that Chinese intelligence had compromised the US technology supply chain at the hardware level, infiltrating the computer networks of almost 30 prominent US companies, including Apple, Inc., a major bank and government contractors. (The companies named publicly denied the report, and its specific claims have not been independently confirmed.)

These claims were alarming, but not surprising. Since the 2013 Target breach, in which attackers used network credentials stolen from a little-known HVAC supplier to reach Target’s payment environment and exfiltrate some 40 million payment card records, security practitioners have warned that expanding supplier networks multiply the digital touch points available to threat actors, offering softer avenues into high-value systems.

There is no dearth of high-profile examples. In 2017, threat actors compromised the update infrastructure of the Ukrainian accounting software vendor MeDoc and used it to push NotPetya, a highly destructive wiper disguised as ransomware, to the vendor’s customers as a trusted software update. Like the mythical Trojan Horse, the malware rode the trusted package past layers of perimeter defence; once inside, it spread laterally using the EternalBlue SMB exploit and harvested Windows credentials, crippling critical operations at pharmaceutical giant Merck, shipping firm Maersk and the Ukrainian electric utility Kyivenergo, to name but a few.

It is hard to argue with the benefits of business partnering: decades of studies show that well-chosen alliances let an enterprise focus on its competitive advantages and measurably improve its bottom line. At the same time, the growing exchange of services, goods and data across organizational boundaries, combined with the convergence of cyber espionage and geopolitics, has substantially complicated the cyber risk equation. Attacks that exploit weak links in supply chains are on the rise, and the stakes are higher: they threaten not only individual enterprises but the trust that underpins globalization and open markets.

While tightening cyber risk assurance within complex supply chains is certainly challenging, it is not impossible. Below, we offer three practical recommendations for business leaders to maximize the value of outsourcing relationships while minimizing the associated risks.

Have the right security clauses
Underpinning any robust supplier security assurance program are formally documented, legally enforceable security clauses. During contract negotiation, business leaders must have a clear understanding of the cyber risks associated with each relationship and ensure that appropriate clauses are agreed from the outset and baked into the contract. At a minimum, high-risk suppliers must:

  1. Provide independent assurance that key controls operate effectively, such as a SOC 2 Type 2 report, an ISO/IEC 27001 certificate or a PCI DSS Attestation of Compliance, at least annually. Check the scope as well as the existence of the report: the systems and locations covered, the period tested, any carve-outs for subservice organizations, and the exceptions the auditor noted.
  2. Grant the enterprise a right to audit in the event of a systemic control breakdown or where legally required.
  3. Demonstrably comply with applicable data protection and privacy laws, engage no subcontractors without the enterprise’s express approval, and host data only within approved jurisdictions.
  4. Adhere to applicable data breach notification laws, including notifying the enterprise of any data or privacy breach without unreasonable delay (ideally within a contractually fixed window that leaves the enterprise time to meet its own regulatory clocks, such as the 72-hour notification to the supervisory authority under GDPR Article 33), and share the results of subsequent investigations.
  5. Engage an independent, suitably qualified firm to conduct regular penetration tests of critical applications and remediate material vulnerabilities within agreed SLAs.

The significance of getting this right from the outset is hard to overstate. Requesting security assurance reports later in a relationship is difficult, and without legally enforceable clauses suppliers will likely push back, leaving the enterprise with no recourse in the event of disputes or systemic control breakdowns. Even with the right clauses, leverage matters: a large cloud service provider is unlikely to grant a right-to-audit clause to a medium-sized corporate customer. In such cases the practical substitute is the provider’s own independent attestations (SOC reports and certifications, typically available under NDA), read against the provider’s shared responsibility model to confirm which controls remain the customer’s job. Hence, it is important to set realistic expectations upfront and to ensure that contractual security requirements are reviewed and signed off by the legal team and business owners.

Limit vendor remote access to the network
As the Target breach showed, suppliers with remote access to the enterprise network present soft avenues for threat actors to gain a foothold, escalate privileges and cause substantial harm. To manage this risk, the enterprise must apply the principle of least privilege: grant remote access only when there is no other cost-effective way for the vendor to deliver its services, and then only to what the vendor needs. Such access must be confined to dedicated, segmented zones (a building-management vendor should not be able to reach the payment network), channelled through a secure VPN or equivalent brokered access, and protected by multi-factor authentication. Furthermore, an up-to-date inventory of all vendors with network access, including each vendor’s access rights and contract end date, must be maintained and validated frequently, at least quarterly, so that access is removed when contracts end or scope changes.
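A reconciliation of the kind the paragraph calls for, as an added example that is not part of the original post: it compares an export of third-party remote-access accounts against the contract register and flags accounts with no approved contract, an expired contract, reach beyond the contracted network zones, no MFA, or no recent use. The register, the account export and the field names (allowed_zones, mfa_enforced, last_login) are constructed for the illustration and are not drawn from any real product.

```python
"""Quarterly reconciliation of vendor remote access against the contract register.

Added example (not from the ISACA post). The register and account export below are
constructed samples; field names such as allowed_zones and mfa_enforced are assumptions
standing in for whatever a VPN or identity console actually exports.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    allowed_zones: FrozenSet[str]   # network segments the contract permits
    contract_end: date


@dataclass(frozen=True)
class RemoteAccount:
    username: str
    vendor: str                     # vendor the account was provisioned for
    zones: FrozenSet[str]           # segments the account's VPN/firewall policy can reach
    mfa_enforced: bool
    last_login: Optional[date]      # None = never used


# Constructed sample register: what the signed contracts actually allow.
SAMPLE_REGISTER = [
    VendorContract("HVAC-Co", frozenset({"bms-dmz"}), date(2019, 6, 30)),
    VendorContract("Payroll-Co", frozenset({"hr-app"}), date(2018, 11, 30)),
    VendorContract("Dev-Shop", frozenset({"dev-vlan"}), date(2019, 12, 31)),
]

# Constructed sample export of third-party remote-access accounts.
SAMPLE_ACCOUNTS = [
    RemoteAccount("hvacco-svc", "HVAC-Co", frozenset({"bms-dmz"}), True, date(2018, 12, 20)),
    RemoteAccount("hvacco-tech2", "HVAC-Co", frozenset({"bms-dmz", "pos-network"}), True, date(2018, 12, 1)),
    RemoteAccount("payroll-admin", "Payroll-Co", frozenset({"hr-app"}), False, date(2018, 10, 15)),
    RemoteAccount("legacy-vendor", "OldCo", frozenset({"core-lan"}), True, date(2018, 12, 10)),
    RemoteAccount("devshop-ci", "Dev-Shop", frozenset({"dev-vlan"}), True, None),
]

AS_OF = date(2018, 12, 31)   # review date for the sample run


def review_vendor_access(register, accounts, today, stale_after=timedelta(days=90)):
    """Return {username: [issue, ...]} for every account that fails at least one check.

    Checks, in order: the account maps to an approved contract; that contract is still
    in force; the account reaches only contracted zones; MFA is enforced; the account
    has been used within stale_after (dormant vendor accounts are a classic foothold).
    """
    approved = {c.vendor: c for c in register}
    findings = {}
    for acct in accounts:
        issues = []
        contract = approved.get(acct.vendor)
        if contract is None:
            issues.append("no approved contract")
        else:
            if contract.contract_end < today:
                issues.append("contract expired")
            excess = acct.zones - contract.allowed_zones
            if excess:
                issues.append("reaches zones outside contract: " + ", ".join(sorted(excess)))
        if not acct.mfa_enforced:
            issues.append("MFA not enforced")
        if acct.last_login is None or today - acct.last_login > stale_after:
            issues.append("stale: no login in %d days" % stale_after.days)
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_vendor_access(SAMPLE_REGISTER, SAMPLE_ACCOUNTS, AS_OF).items():
        print(user, "->", "; ".join(issues))
```

In practice the two inputs come from the contract management system and from the VPN or identity provider’s account export. The check is mechanical once the contract register records, per vendor, the zones it may reach and when the contract ends, which is why those two fields are worth capturing at signing rather than reconstructing at review time.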

Segment suppliers based on risk
The basic principles of risk management also apply to supplier cyber risk: the rigor of the assurance process should be commensurate with the criticality of the outsourced business process and the potential impact should it be compromised. For instance, suppliers that handle high-value payment processes, large volumes of customer personally identifiable information, critical infrastructure or the most profitable business lines require tighter governance than those providing ancillary services such as administrative tasks. A risk-based approach maximizes the value of the security assurance budget and reduces needless audits of suppliers. It also reduces noise, allowing limited security resources to focus on the supplier arrangements that present the highest risk instead of being spread thin across all arrangements, each of varying significance.

In conclusion
The benefits of outsourcing are vast, but business leaders can no longer afford to enter into these alliances blindly. Cyber resilience is no longer a nice-to-have, but a top business imperative with far-reaching consequences for brand perception, customer retention, margin, regulatory compliance and, most importantly, business survival.

About the authors
Phil Zongo is the author of The Five Anchors of Cyber Resilience, an Amazon best-selling book that strips away the complexity of cyber security and provides practical guidance to business executives. He is also the 2016-17 winner of ISACA’s Michael Cangemi Best Book/Article Award. Zongo is the Founder and CEO of CISO Advisory, a consultancy firm that helps enterprises build high-impact and cost-effective cyber resilience strategies.

Rohini Kuttysankaran Nair is an experienced project manager with more than a decade of experience helping large enterprises deliver complex digital transformation programs. She now leverages her strong technical background and project governance skills to help enterprises deliver business-aligned cyber resilience uplift programs. She is based in Sydney, Australia.

Category: Audit-Assurance
Published: 12/13/2018 3:05 PM


What is Driving Growth for AR/VR?


Kris Kolo

Gartner’s recent list of top tech trends for 2019 included immersive experiences, which they described as follows:

“Conversational platforms are changing the way in which people interact with the digital world. Virtual reality (VR), augmented reality (AR) and mixed reality (MR) are changing the way in which people perceive the digital world. This combined shift in perception and interaction models leads to the future immersive user experience."

Below, I explore some of the anticipated themes related to VR/AR that will play a role in the coming year and beyond:

• Global AR & VR product revenues are expected to grow from US $3.8 billion in 2017 to US $56.4 billion in 2022, a 71 percent compound annual growth rate. This includes enterprise and consumer segments (ARtillry Intelligence).

  • In VR, consumer revenue will eclipse enterprise revenue by a 3:1 ratio in 2022. Standalone VR like Oculus Go will accelerate consumer adoption.
  • Head-worn AR will find a home with consumers. However, its specs and stylistic realities inhibit several consumer use cases in the near term. Apple’s potential 2021-2022 introduction of smart glasses will shift AR’s momentum and revenue share toward consumer spending.
  • By 2022, enterprise AR’s revenue dominance over consumer AR will decelerate as smart glasses begin to penetrate consumer markets. Until then, mobile will dominate consumer AR, with most revenue derived from software as opposed to hardware (smartphone sales aren't counted).

• The patterns of investment and development across the sectors in which VR/AR are applicable, or potentially applicable, show the technology’s growing reach beyond the games and entertainment fields where it was born in the 1990s; 38 percent of respondents, for example, believe VR growth in the enterprise sector has been “strong” or “very strong”, with an equivalent figure of 43 percent for AR (The XR Industry Survey 2018).

  • Education is the enterprise sector that has been prioritizing VR/AR the most, and is the most competitive, despite the fact that it traditionally has had much less spending power than industry. Of respondents who reported that they are already using XR technologies, 23 percent were in the education sector.
  • Architecture/engineering/construction was a close second at 18 percent. Healthcare is quite low on the list despite the obvious VR/AR potential in diagnosis and therapy, with just 7 percent of those using this technology coming from the healthcare sector.
  • Industry expectations are that AR will blossom in the mainstream before VR does, in part because of the availability of open content development platforms like ARCore and ARKit, which have no VR counterparts.
  • Many industries see benefits in the long term from combining VR and AR. VR’s superior ability to create a fully immersive environment currently gives it the edge in training and educational applications.
  • Sixty-two percent of service organizations say that AR is providing measurable value for service in the following ways: better knowledge transfer among employees, increased employee efficiency onsite, improved first-time fix rates, and fewer truck rolls (IDC / PTC).
Category: Risk Management
Published: 12/12/2018 3:09 PM


COBIT 2019 is Our Framework and a Framework for Us


Graciela Braga

I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.

The What Is COBIT and What Is It Not section from COBIT 2019 Framework: Introduction and Methodology is very clear, and demonstrates how useful and usable the updated version of COBIT will be.

COBIT users know that COBIT in its last two versions utilized the components (formerly enablers) to plan, build and maintain a governance system. They were and are principles, policies and procedures, processes, organizational structures, information flows, culture and behaviors, skills, and infrastructure.

We can find these components in all organizations, and work with them to fix some problems or weaknesses in order to improve the current and future maturity of their governance system and, thus, create value for relevant stakeholders. These “magic resources” that create an appropriate solution are the first element to confirm that COBIT is usable and useful.

New design factors are the second element, and the new Design Guide was published this week. The enterprise should consider them to build a best-fit governance system: not all organizations need the same solution with the same kind and quantity of resources. It is all about the best combination of needed resources to achieve the expected or required benefits at an acceptable level of risk.

Not all organizations have the same strategy, goals, risk profile or I&T-related issues and threats. Compliance requirements, the enterprise’s size and the role of IT, the IT adoption strategy, sourcing model and implementation methods are further design factors that the enterprise must assess as well.

Design factors influence in different ways the tailoring of the governance system of an enterprise. COBIT 2019 distinguishes three different types of impact, illustrated below.

The New COBIT 2019 Framework: Governance and Management Objectives are free for members and non-members. I believe this is a remarkable step to increase the number of COBIT followers and professional community engagement. How many students and professionals will benefit from these complimentary publications? How many of them will be influenced by COBIT 2019 and decide to initiate an IT career or improve it through a certification?

Will these new followers influence COBIT’s future design? I am sure of it.

Editor’s note: For more information about COBIT 2019 guidance, products and training, visit, or view a webinar on the COBIT framework here or the Design Guide and Implementation Guide here.

Category: COBIT-Governance of Enterprise IT
Published: 12/11/2018 9:58 AM


Last import : 18/12/2018 @ 22:13