ISACA Now: Posts

Controls in the Cloud – Moving Over Isn't As Easy As Flipping a Switch


Shane O'Donnell

Lift and shift.

While this phrase is not new, it is now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions, as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, proper care needs to be taken. Assuming everything is the same can be a fatal mistake, and one that is happening on a regular basis.

From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures. Organizations rarely have the budget, time, or expertise to build their own on-premises data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks as a control against a leaky roof, anyone?). Even the most advanced data centers we see on premises do not match those of the large cloud providers.

What hasn’t changed
Requirements and basic control concepts have not changed as the proliferation of cloud infrastructure unfolds. User access, change management, and firewalls are all still there. Control frameworks such as COBIT, ISO 27001, NIST CSF, and the CIS controls still apply and have great value. Sarbanes-Oxley controls are still a driver of security practices for public companies.

What has changed
How the controls of the past are performed has changed upon moving to the cloud. Here are some common examples:

Security administration is more involved. Administrative rights are among the highest-risk access in any organization and a primary target of malicious actors. Handling admin rights in the cloud is different and needs proper due care. Knowing which cloud roles are administrative in nature can be confusing, so it is important to get the role design right from the start. Separation of duties between key administration (who can change a key's policy, rotate it, disable it, or schedule its deletion) and key usage (who can encrypt and decrypt with it) is essential; one identity should not be able to do both. Having the proper tools to administer access can be daunting. Don't assume your cloud provider will guide you through all these intricacies; plan ahead.

Perimeter security has changed. While layered security has always been important, it becomes even more important in the cloud. Recently, several news stories have appeared where breaches occurred due to things like storage "containers being exposed to the internet," with a large cloud provider's name attached. At first blush, I have heard most people blame the cloud provider, but most often these breaches are the cloud customer's fault: under the shared responsibility model the provider secures the platform, while the customer configures who can reach their storage and workloads. Some important items to think about are proper DMZs for critical and/or regulated data, firewall configurations, and proper restriction of admin rights to those resources.

Securing connectivity becomes more important. Servers and other hardware won’t be sitting down the hall when moving infrastructure to the cloud. Access will almost always be remote, thus creating new security challenges. Understanding all ingress and egress points is essential, as is putting proper controls around them.

Encryption. Encrypting data will be a top concern for many organizations, as the data is now "somewhere else." The good news is that the native encryption tools of many large cloud providers are advanced, and most of the time data at rest can be encrypted automatically using a strong algorithm. This is a huge step up right off the bat for many companies. Because encryption is so important in the cloud, key management becomes a high-risk control: who holds the keys (provider-managed versus customer-managed), who can administer them, who can use them, and how rotation and deletion are handled all need to be decided deliberately. Policies, procedures, and controls around key management need to be well thought out.
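The two controls above, separation of key administration from key usage and not leaving storage open to the internet, are both visible in a resource policy before anything is deployed. The following linter is an added example and is not code from the ISACA post; it reads AWS-style policy JSON (a KMS key policy and an S3 bucket policy, both constructed here) and flags a principal that holds both admin and usage actions on a key, and any Allow statement open to "*" with no Condition. The split of KMS actions into "admin" and "usage" sets is our own assumption; the action names are real.

```python
"""Added example, not from the ISACA post: a small linter for AWS-style
resource policies. It flags (1) a principal allowed both key-admin and
key-usage actions, and (2) Allow statements open to everyone with no
Condition. The admin/usage split is an assumption; the sample policies
are constructed for this example."""
import fnmatch
import json

# Assumed classification; the KMS action names themselves are real.
KEY_ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:EnableKey", "kms:DisableKey", "kms:EnableKeyRotation",
    "kms:DisableKeyRotation", "kms:CreateGrant", "kms:RevokeGrant",
}
KEY_USAGE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
}
# Read-only actions, so "kms:*" expands to more than the two sets above.
KNOWN_ACTIONS = KEY_ADMIN_ACTIONS | KEY_USAGE_ACTIONS | {
    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListGrants",
}


def _as_list(value):
    """IAM allows either a string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element to a list of principal strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):  # {"AWS": [...]} or {"Service": ...}
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def expand_actions(patterns, known=KNOWN_ACTIONS):
    """Expand wildcard action patterns; IAM matches actions case-insensitively."""
    matched = set()
    for pattern in _as_list(patterns):
        matched.update(a for a in known
                       if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return matched


def find_sod_violations(policy):
    """Principals that Allow statements grant both admin and usage actions."""
    admin, usage = {}, {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = expand_actions(stmt.get("Action"))
        for p in principals_of(stmt):
            admin.setdefault(p, set()).update(actions & KEY_ADMIN_ACTIONS)
            usage.setdefault(p, set()).update(actions & KEY_USAGE_ACTIONS)
    return sorted(p for p in admin if admin[p] and usage[p])


def find_public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in policy.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and "*" in principals_of(stmt)
            and not stmt.get("Condition")]


# Constructed sample: the "ops" user is both key admin and key user.
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdmin"},
     "Action": ["kms:Create*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                "kms:Revoke*", "kms:ScheduleKeyDeletion", "kms:Describe*"],
     "Resource": "*"},
    {"Sid": "KeyUsers", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppServer"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "*"},
    {"Sid": "OpsDoesEverything", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/ops"},
     "Action": "kms:*", "Resource": "*"}
  ]
}""")

# Constructed sample: one statement is public, the other is VPC-endpoint only.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(KEY_POLICY))
    print("Public statements:", find_public_statements(BUCKET_POLICY))
```

Run against the samples, the linter reports the ops user (granted "kms:*") as a separation-of-duties violation and the PublicRead statement as an exposure, while the KeyAdmin role, the AppServer role and the VPC-restricted statement pass. A real review would also have to pull in identity-based policies and grants, since a key policy alone does not show everything a principal can do.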

Fear not, it’s not all bad!
While some challenges may be present, as outlined above, moving to the cloud is most often a great move for an organization. Improved security, improved performance, and cost savings are only a few benefits of a cloud migration. Multiple frameworks exist to provide a secure path to cloud adoption, so organizations are not approaching this "blind." A cloud security framework can guide you through the process of secure adoption and also provide assurance over cloud adoptions you have already performed. We are helping clients in all industries with these cloud migrations/adoptions and have some great perspective on dos, don'ts, and best practices.

Editor’s note: For more cloud-related insights, download ISACA’s complimentary new white paper, Continuous Oversight in the Cloud.

Category: Risk Management
Published: 5/16/2019 3:00 PM


(15/05/2019 @ 15:53)

Securing Major League Baseball - On and Off the Field


Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The session traced the rise of prominence of security in baseball from when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

MLB works with numerous partners, which is often where the most challenging security considerations come into play. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

"There's just a vast amount of partners we work with to pull this off - 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams," Boland said. "There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe."

Recognizing the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyberattacks, standardizing the security stack and integrations. A vastly increased use of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

"We wanted to raise the bar a lot higher," Boland said. "We wanted to be faster than the next guy running from the bear."

Boland encouraged session attendees to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

"Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect," Boland said.

Unlike the sport’s signature rivals such as the Red Sox and Yankees or Cubs and Cardinals, Boland emphasized that everyone needs to be on the same team when it comes to cybersecurity, and said it is important to share information on cyber threats.

"I ring the bell, and I think that's really important to do, because we're all in this together," Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.

Category: Security
Published: 5/15/2019 2:31 PM


(15/05/2019 @ 19:41)

The Evolution and Power of Disruptive Technology: Insights From an Executive Panel at NA CACS


At ISACA’s North America CACS conference Tuesday morning, an executive panel spoke on the past 50 years of tech disruption—and where technology is taking us in the future.

Technology has truly democratized society, according to the panelists.

“I want to impress on everyone how easy it is to disrupt technology today and how little knowledge you need in order to do it,” panelist Jed Yueh, founder of Avamar and author of Disrupt or Die, told the audience. “You can go from idea to building a company in very little time, and there are so many resources available.”

As an example, consider how long it took college student Mark Zuckerberg to effectively transform the world and how we interact socially. He coded Facebook in one week—and he wasn’t even an engineer.

Joining Yueh on the panel were:

  • Kim Bollin, Vice President of Internal Audit at Workday
  • Ken Venner, Former CIO of SpaceX
  • Jenai Marinkovic, CTO and CISO of Beyond
  • Moderator Thomas Phelps IV, vice president of corporate strategy and CIO of Laserfiche

The panelists looked at industry predictions—both those that came true (the 1980s prediction that “decisions can and will be made by artificial intelligence, by computers grown large or very small like a pocket encyclopedia“) and those that fortunately never materialized—including Ken Olsen’s 1977 statement, “There is no reason anyone would want a computer in their home,” and an ISACA (then the Electronic Data Processing Auditors Association) prediction that said, “Many members will leave the association if the name is changed from the EDPAA to ISACA.”

They also shared what they believe to have been the most disruptive technologies invented in the past decades. Among the responses:

  • The internet—It has democratized information and transformed the ability to transfer data
  • Social—We can take the collective minds of humanity and bring them together on social. The privacy considerations are daunting, but while consumers say they absolutely want privacy, they seldom hold companies accountable when that privacy is breached.
  • Mobile—We are now living in an always-on world.
  • Cloud—We’ve taken the expense away and enabled accessibility for so many organizations, regardless of size and budget.

The executives also looked at future challenges and opportunities, such as:

  • AI—How do you secure it? But even more importantly, what do you do if the data is laden in bias? If data or systems are biased, there are going to be serious social issues. AI is personalized in many ways. If a system has assumptions about certain races, for example, people’s livelihoods could be at risk.
  • Retail disruption—Amazon is considering a model shift from shop and ship to ship and shop—where predictions are made about what you want and need, and you pay after receiving the items.
  • Blockchain—The benefits are a more trusted, online, portable identity you can take with you everywhere—but there are still security issues and risks inherent with blockchain.
  • Quantum computing—The implications and knowledge needed to understand a totally new technology stack are huge.
  • The need to shift to data-centric organizations—Consider Disney, which has long been an entertainment, theme park and merchandise company. They are increasingly creating content and capturing data, and becoming truly data-centric.

Technology has truly changed the way we live and work for the past 50 years in which ISACA has been in existence —and the pace of change is only getting faster.

Where do you think technology will take us over the next decade?

Category: ISACA
Published: 5/14/2019 2:13 PM


(14/05/2019 @ 19:49)

IT Audit: Stay Relevant or Perish


Ravikumar Ramachandran

“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole

The title and the quote above say it all – and fit the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.

An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:

  • IT security and privacy/cybersecurity
  • Data management and governance
  • Emerging technology and infrastructure changes—transformation, innovation, disruption
  • Resource/staffing/skills challenges
  • Third-party/vendor management

Let us discuss in detail every challenge and the ways to get ahead of them:

IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of Things (IoT) devices being connected together, and with more than 56 percent of the global populace – almost 4 billion users – connecting to the internet, the volume of cybercrimes and threats is going to accelerate at an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.

Establishing a strong cybersecurity culture would help IT auditors in tackling this menace, although this alone may not suffice. Business needs to move with the advancements in technologies to remain competitive. IT audit, as often pointed out by ISACA, needs to play an enabling role, meaning rendering its assurance functions in a manner that helps organizations conduct their operations in a seamless and secure way, and also be compliant with various regulations.

To achieve this, IT auditors have to always be on top of new technologies, such as cloud, virtualization, big data analytics, AI and robotics, their associated threats and evolving new threats, as well as being aware of how to remediate them in a timely and cost-effective way. In addition to performing these difficult tasks, they also need strong communication skills so that leaders and business stakeholders are aware of the risk and, in turn, help the IT auditors to perform their task.

Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT auditor it is a twin challenge: first, to assess how the organization uses big data for its decision-making, where it stores the data, and how it maintains confidentiality, integrity and availability (the CIA triad); second, in the case of fraud detection, how to harness big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally it calls for skills in data science and analytics to handle these tasks and, as these are evolving technologies, the skill sets are difficult to find in the market.

Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of whether people support it. In other words, technological advancement is inevitable, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”

Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.

Resource/staffing/skills challenges
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.

Third-party/vendor management
This is necessitated by the digital transformation that enterprises around the world are pursuing. As a result, organizations increasingly resort to cloud and/or third-party service management, which introduces third-party or vendor risk. Auditors need to help businesses mitigate this risk and achieve their strategic objectives in a cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly up to date on the latest threats and to possess the threat intelligence needed to prevent and contain cybercrimes.

IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.

Author’s note: The views expressed in this article are the author’s and do not represent that of the organization or of the professional bodies to which he is associated.

Category: Audit-Assurance
Published: 5/13/2019 3:23 PM


(10/05/2019 @ 22:13)

A Spectrum of Professions: ‘The World Needs Us’


From the days of determining how to secure and derive value from early computers to today’s challenges as organizations enact digital transformation, it has been a remarkable 50 years for ISACA’s professional community. That trajectory came into focus Monday during the 50th anniversary-themed “Spectrum of Professions” panel, part of ISACA’s 2019 North America CACS conference in Anaheim, California, USA.

Moderator Marios Damianides and panelists Kelly Lin, Jenai Marinkovic, Dean Kingsley, Paul Regopoulos and Andrew Tinseth took a decade-by-decade look at the advancement of technology before sizing up the challenges faced by governance, audit, risk and security professionals now and in the future.

“There’s been a lot of change in the past 50 years, and there’s going to be a lot more,” said Damianides, a past ISACA board chair. “The beautiful thing is we’ve been able to remain relevant.”

While much has changed in the realm of computers, information systems and technology – the panelists nostalgically recalled using Commodore 64s, early Apple computers and a range of other outmoded devices – Regopoulos emphasized some of the principles that have endured over the decades.

“There’s always going to be change, whether it’s a new topic, a new tool, a regulation, whatever it may be,” said Regopoulos, senior manager, information security audit, with The Walt Disney Company. “The fundamentals are always going to be what are the risks associated with them, and how do we respond?”

Kingsley, principal with Deloitte & Touche, said today’s professionals are uniquely positioned at the intersection of risk/governance and technology. While pursuing a technical career track in areas such as audit or cybersecurity is a viable option, being mindful of the broader implications of technology on businesses, the economy and society can also make for exciting career options, he said.

“If you think about yourself first and foremost as a risk and governance professional who happens to focus on technology, I think that gives you so many options,” Kingsley said.

On the career progression front, Marinkovic said that those in attendance at the conference are logical candidates to advance into high-impact organizational roles such as chief information security officer and chief technology officer.

“The reason is that no one knows the business – the intersection of business and technology – better than auditors and better than security people,” Marinkovic said.

Citing the proliferation of sensors and the rise of artificial intelligence, Marinkovic finds the growing interplay between technology and biologic systems to be intriguing. She said there could be valuable lessons learned from a renewed focus on science.

“I would say it’s time for us to go back to our high school biology and start studying because there are a lot of things the natural world can teach us about this new world that we’re about to go into,” Marinkovic said.

Lin, AVP IT Audit Lead with East West Bank, said adaptability will be essential to excel amid the shifting technology landscape, providing the example of IT auditors needing to be able to add auditing cybersecurity to their traditional skill sets.

In his closing comment, Kingsley noted some of the major technology-related risks threatening society, and called on attendees to be part of the solution.

“Be brave and have an opinion,” Kingsley said. “It’s our time in the sun. … The world needs us. There’s never been a better time to be in this profession.”

Category: ISACA
Published: 5/13/2019 3:00 PM


(13/05/2019 @ 21:10)

Driving or Driven by Disruption: The AI Maturity Model


Jedidiah Yueh

On 25 April 2019, Microsoft passed the trillion-dollar market cap threshold and passed Apple as the most valuable company in the world.

Almost a year earlier, Satya Nadella, Microsoft’s CEO, talked about a new world vision that has helped propel the organization’s cloud and revenue growth. “It's amazing to think of a world as a computer,” Nadella said, referring to a planet filled with smartphones, Internet of Things devices and cloud computing.

And in a world that is a computer, Nadella has put AI at the heart of Microsoft’s business strategy: “AI is the run-time which is going to shape all of what we do going forward in terms of applications as well as the platform.”

The three dominant cloud vendors—Microsoft, Amazon and Google—are all aggressively selling AI offerings to enterprises today, acting as weapons providers for a technology arms race. And by the looks of Microsoft’s latest earnings report for the second quarter of 2019, the strategy is working, led by phenomenal 76 percent Azure revenue growth.

Today, product teams can quickly take advantage of natural language processing (NLP), image recognition, machine learning, deep learning and a range of other AI services available in all the major clouds. Companies can add these technologies to their web sites, internal operations, applications and products—all imbued with the limitless speed and scalability of modern clouds.

With so much focus and availability of AI technologies, it’s important to understand how companies are positioned when it comes to AI—perhaps the most disruptive technology wave since the internet itself.

Companies embarking on AI projects and opportunities can be classified according to an AI maturity model.

At Level I, companies run AI programs that drive operational efficiency. These are the “dabblers” – companies that drive tens of billions in revenues a year but save only a couple million using AI to automate tasks previously done by human employees. Level I companies generally apply AI to internal opportunities with a clear cost-benefit analysis, like call center automation, and use AI services like NLP along with robotic process automation (RPA) to eliminate manual repetitive work.

At Level II, companies run AI programs to drive significant earnings or revenue impact. These are the “practitioners.” They layer machine learning through their businesses and use it to transform user experience and customer value. They reimagine digital and even physical products with AI services, adding value and improving interactions at every turn.

At Level III, companies run AI programs that drive industry change and transformation. This is often the domain of big tech—the “experts.”

Facebook determines what we see in our feeds with AI. Apple uses AI and AI chips to power marquee iPhone features like Face ID and Siri. Microsoft, Amazon and Google sell their AI services to arm the rest of the world.

But companies in every industry have an opportunity to remake their worlds with AI technologies. Here are some questions to ask when you look at your internal AI initiatives to determine your level of AI maturity:

  • Are you applying AI to a practical, internal project, with a clear target benefit? Then you are operating at Level I.
  • Are you layering AI throughout your business, making a material difference in user experience, growth, revenues, or earnings? Then you are operating at Level II.
  • Are you designing products that will redefine the future of your industry? Then you are operating at Level III.

If you haven’t started AI programs at all, you are at Level 0, and already falling fast behind the rest of the world.

In 10 years, the leading companies in nearly every industry will have taken full advantage of AI technologies to redefine their industry and solidify their positions. Companies need to use AI to drive disruption or will have competitors drive them to disruption.

Editor’s note: Jedidiah Yueh will be part of the “From Disruptive to Daily Dependence: 50 Years and Future Tech” panel on Tuesday, 14 May, at ISACA’s 2019 North America CACS conference in Anaheim, California, USA.

About the author: Jedidiah Yueh is the bestselling author of “Disrupt or Die,” a book that refutes conventional ideas on innovation with proven frameworks from Silicon Valley. Prior to his book, Jed put his frameworks to the test, leading two waves of disruption in data management, first as founding CEO of Avamar (sold to EMC in 2006 for $165M). Avamar pioneered data de-duplication and generated over $4B in cumulative sales. After Avamar, Jed founded Delphix, which accelerates enterprise data delivery for over 30% of the Global 100. In 2013, the San Francisco Business Times named Jed CEO of the Year. Jed has over 30 patents in data management and graduated Phi Beta Kappa, magna cum laude with a degree in English from Harvard.

Category: ISACA
Published: 5/9/2019 10:13 AM


(08/05/2019 @ 19:18)

Last import : 19/05/2019 @ 16:26