ISACA Now: Posts

RSS feed for the Posts list.

NIST Risk Management Framework: What You Should Know

Baan Alsinawi

In late December 2018, NIST published a second revision of SP800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. The revised publication addresses an updated Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to Executive Order 13800 and OMB Circular A-130 regarding the integration of privacy into the RMF process.

Now that the dust has settled, we are taking another look at the update. If achieved as intended, the revision's objectives tie C-level executives more closely to operations and significantly reduce the information technology footprint and attack surface of organizations. They also promote IT modernization objectives, and prioritize security and privacy activities to focus protection strategies on the most critical assets and systems. The revision also incorporates supply chain risk management more closely into the framework.

A Closer Look At The Updates
This version of the publication addresses how organizations can assess and manage risks to their data and systems by focusing on protecting the personal information of individuals. Information security and privacy programs share responsibility for managing risks from unauthorized system activities or behaviors, making their goals complementary and coordination essential. The second revision of the RMF now ties the risk framework more closely to the NIST Cybersecurity Framework (CSF). The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF.

It also introduces an additional preparation step, addressing key organizational and system-level activities. On the organization level, these activities include assigning key roles, establishing a risk management strategy, identifying key stakeholders, and understanding threats to information systems and organizations. System level preparation activities include identifying stakeholders relevant to the system; determining the types of information processed, stored, and transmitted by the system; conducting a system risk assessment; and identifying security and privacy requirements applicable to the system and its environment.

Preparation can achieve efficient and cost-effective execution of risk management processes. The primary objectives of organization level and system level preparation are to:

  • Facilitate better communication between senior leaders and executives in the C-suite, and system owners and operators.
  • Align organizational priorities with resource allocation and prioritization at the system level
  • Convey acceptable limits regarding the selection and implementation of controls within the established organizational risk tolerance
  • Promote organization-wide identification of common controls and the development of tailored control baselines, to reduce the workload on individual system owners and the cost of system development and protection
  • Reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services through the application of enterprise architecture concepts and models
  • Identify, prioritize, and focus resources on high-value assets and high-impact systems that require increased levels of protection
  • Facilitate readiness for system-specific tasks

The incorporation of supply chain risk management (SCRM) is another important theme addressed in the publication. Specifically, organizations must ensure that security and privacy requirements for external providers, including the controls for systems processing, storing, or transmitting federal information, are delineated in contracts or other formal agreements. It is ultimately the responsibility of the organization and its authorizing official to respond to risks resulting from the use of products, systems, and services from external providers.

Finally, SP800-37 Rev. 2 supports security and privacy safeguards from NIST’s Special Publication 800-53 Revision 5. The updated RMF document states that Revision 5 separates the control catalog from the control baselines that have historically been included in that publication. A new companion publication, NIST Special Publication 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations, defines the recommended baselines.

In other changes to the RMF, Appendix F, System and Common Control Authorizations, now includes Authorization to Use (ATU) as an authorization decision applied to cloud and shared systems, services, and applications. It would be employed when an organization chooses to accept the information in an existing authorization package generated by another organization. Page 123 notes, “An authorization to use requires the customer organization to review the authorization package from the provider organization as the fundamental basis for determining risk… An authorization to use provides opportunities for significant cost savings and avoids a potentially costly and time-consuming authorization process by the customer organization.” Additionally, the appendix addresses a facility authorization, allowing systems residing within a defined environment to inherit the common controls and the affected system security and privacy plans.

Summing It Up
SP800-37 promotes the integration of the agency’s privacy program into the RMF, allowing the organization to produce risk-related information on both the security and privacy posture of organizational systems and the mission/business processes supported by those systems. It also connects senior leaders to operations to better prepare for RMF execution, providing closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational levels of the organization. All in all, these are much-welcome changes to the framework, as better integration means tighter and more efficient controls that ensure assets are properly safeguarded by private and public sector organizations.

Author's note: Baan Alsinawi, president and founder of integrated risk management firm TalaTek, has more than two decades of experience in information technology (IT). She is a member of ISC2 and is CISSP and ITIL certified.

Category: Risk Management
Published: 7/19/2019 2:55 PM


(18/07/2019 @ 15:43)

Taking Precautions With Smart Home Gadget Security

Larry Alton

Smart home gadgets have been among the most popular holiday, housewarming and any-occasion gifts for the last few years. Whether it’s an interconnected home security system, a pet camera, or a voice-activated assistant like the Amazon Echo, homeowners and renters alike love having these tech gadgets in their homes.

In fact, research has shown that homes with smart home devices sell faster and for more than those without. Additionally, renters show great interest in living in rentals that have interconnected gadgets and are willing to pay more for these units. Therefore, many landlords have been rushing to turn their properties into smart homes.

Unfortunately, many users of these devices are unaware of the safety implications that come with them. Most smart gadgets are connected to your home’s Wi-Fi, which in turn is connected to the wider internet, where attackers can reach it. With this in mind, many smart gadget owners are wondering just how much their safety is threatened by their tech gadgets – and what can be done about it. Let’s take a closer look.

The Interconnected Worldwide Web
When you set up your home or apartment internet connection, you typically put a password on the connection. That way, neighbors and passers-by can’t steal your internet and slow down your bandwidth.

Many people believe that this simple password is enough to protect them against hacking attempts, but it’s not. It’s certainly better than a public network, but it’s still pretty easy for hackers with any level of experience to crack.

Plus, the worldwide web is aptly named because it’s completely interconnected, providing inviting access points to hackers. Charles Henderson, professional security specialist for IBM, told The NY Times that it just takes one access point to create a catalyst of problems.

“If one device gets compromised, it could be the same as allowing an attacker to plug into the entire network,” he says.

Security Products Aren’t Perfect
Consumers often fall victim to cybersecurity threats simply because they believe they’re impenetrable. Because a reputable business builds and sells these gadgets, they’re trustworthy, right?

While most companies in the smart tech sector do their best to create high-quality products, there’s no such thing as a perfect, impenetrable device. Most devices are released before they’re perfect, and the company will produce patches and updates to repair vulnerabilities along the way.

A recent cybersecurity breach is a great example of this problem. Orvibo, a China-based organization that creates smart home devices and sells them globally, recently experienced a breach compromising billions of smart home devices. Billions of device owners had their records and privacy compromised as a result of a security hole. The breach revealed more than just an invasion of privacy. It indicated a larger issue of personal identity theft.

“Using the information on Orvibo's database, it would be relatively easy to build a complex picture of any given user,” wrote James Gelinas of “The database contains a number of telltale entries like location, username, device ID, and email addresses. So, anyone with basic knowledge of the user would be able to identify them with these bits and pieces.”

Take Precautions
These breaches are disconcerting, but they don’t mean users should have to say goodbye to smart home devices. Instead, they should simply take a few precautions. You wouldn’t leave home without locking all the doors and windows, and the same goes for managing security devices.

Perform research on the best ways to keep your devices safe and locked down from privacy invaders and identity thieves. In the meantime, here are a few recommended measures:

  • Use strong passwords and change them often.
  • Apply all updates sent to your devices.
  • Use a virtual private network (VPN) to connect your smart devices.
  • Consider biometric authentication for smart home devices.
  • Remove personal information from smart home devices.

As you apply these simple steps for securing your home network, you’ll experience greater peace of mind while enjoying the luxuries of your smart gadgets.

Category: Security
Published: 7/17/2019 3:01 PM


(16/07/2019 @ 20:02)

Reimagining the Enterprise Landscape Through Advanced Technology

Stafford Masie

Editor’s note: Stafford Masie, CEO of Google Africa (2006–09) and Non-Executive Board Member at ADvTECH, will be the closing keynote speaker at the 2019 Africa CACS conference, to take place 19-20 August in Johannesburg. Masie, an inventor, mentor and keen observer of how to humanize technology, recently visited with ISACA Now to discuss how enterprises in Africa and beyond can take advantage of the major technological forces of the day, such as artificial intelligence and advances in fintech. The following is a transcript, edited for length and clarity:

ISACA Now: In what ways do organizations need to “wake up” to the realities of today’s change environment?
In each industry vertical we are experiencing incredible disruption, but this isn't due to traditional known competition. Technology now allows organizations to expand beyond their core focus and deliver on services that were previously unimaginable. Additionally, this innovation, incurring this metamorphic competitive atmosphere, is “inorganic” – we are discovering that organizational sustainability is derived from unlocking external latent human capital on the outside of your business versus only focusing on core competences and excellence. The call today is to become a *co-creative* ecosystem and deliver on outcomes derived from combinatorial innovation. Accenture provided the industry with a transversal benchmark: “The benchmark for innovation excellence is being a company for which 75% of current revenue comes from business activities that began in the last three years!” The most important call to action for all leaders today is “Reimagination!”

ISACA Now: From your experience at Google, how has Google made the greatest impact in Africa over the past decade?
It has been almost 10 years since I worked at Google. Establishing their presence in South Africa, with an incredible team, was such a privilege. Every business is challenged with discoverability, and Google is the world’s most powerful platform to achieve this – applicable to any size of business. Since its establishment in South Africa, the mere economic impact from consumers searching for services and being delivered relevant business access in this regard has been significant. The launching of localized maps, search, YouTube, etc., has unlocked massive value and given South Africans an amazing online experience. I will never forget how hard the team worked on delivering all these capabilities leading up to the soccer World Cup; everyone attending the games, local and internationally, primarily utilized Google's services to navigate the country and the events. It is very difficult to measure the actual “impact” because people have utilized Google when they need a plumber, when needing an answer while studying, all the way through to seeking help when your child’s fever spikes. Besides these obvious impacts on the surface, I know that Google has done so much silent work enabling/accelerating Africa's internet infrastructure on the western and eastern seaboards and also all the terrestrial capacity we access today.

ISACA Now: Where do you see the future of fintech headed?
About eight years ago when I founded the mobile point of sale (mPOS) company “Thumbzup,” the term “fintech” wasn't widely used or understood. Today it represents a diverse ecosystem of innovation spanning disparate payments mechanisms through to the modernization of the traditional banking system. This is all great for the consumer – expansive digital and physical methods of settling merchants and doing business electronically. The impact on a merchant’s business is significant because there are now so many options to accept omnichannel payment and generally manage your business electronically. There are two trends I am watching closely: 1) The convergence of the telecommunications, retail, banking and over-the-top tech sectors; each of these sectors believes it owns the last mile and all are attempting to own the “store of value.” 2) The continual emergence of Bitcoin and its redefinition of the exchange of value without the need for a so-called trusted intermediary. Many folks believe that Bitcoin, and the broader cryptocurrency space, will hurt the existing incumbents. I do not. I believe we have the formal economy serviced by electronic mechanisms, the informal economy serviced by cash and then we have an undefined “third economy” that Bitcoin will ultimately unlock. The transaction types and financial use cases for and by Bitcoin in this “third economy” are difficult to envision or predict today but will have immeasurable impact on humanity.

ISACA Now: You have some experience with AI – which applications of AI do you consider most promising in the near future?
Tim O'Reilly said it beautifully: “The fundamental design pattern of technology is to allow us humans to do things that were previously impossible.” I think this is so very much more applicable specifically to artificial intelligence. There are many amazing neural network applications being developed and employed by organizations today; the list is too long to highlight here. But, the most interesting aspect of AI is watching disparate species of artificial intelligences augmenting each of us right now. This results in the emergence of a fascinatingly new organizational archetype; I call it an “algorithmic marketplace.” An example would be Uber, a business that owns an artificial intelligence platform augmented and enabled by big data and real-time feedback loops from its participants, the drivers and the riders – all of it combining to give us a form of transportation that was previously unimaginable. This is a metaphor for future businesses which, because of these AIs, will have to metamorphosize to orchestrate services in this manner. It’s not just a big artificial intelligence engine but rather a symphony of human machine symbioses, within and outside an organization.

ISACA Now: On the other side of the AI equation, what concerns you most about potential misuses of AI going forward, and what should be done to mitigate those concerns?
I tend to be an optimist regarding artificial intelligence but I believe we are already seeing AIs programmed with unfortunate fitness functions. … We need to understand that AI is our superpower but inequality is our kryptonite! A dystopian future has never been more possible and real. But, it doesn’t have to be this way! If we do let machines put us out of work, it will be because of a failure of imagination and a lack of will to make a better future. We do not have to do more with less humans to improve operating margins and increase so-called productivity. We should consider doing what was previously impossible with humans augmented by AIs: deliverable new services that were previously unimaginable!

Category: ISACA
Published: 7/16/2019 2:56 PM


(15/07/2019 @ 18:19)

Getting Creative to Solve Security Challenges in Healthcare

Susan Snedaker

A recent article about information security challenges in healthcare pointed to the lack of resources many security teams report. They face staff shortages, lack of expertise and tight budgets. They find themselves unable to do the work they believe needs to be done.

In thinking about any problem, I always focus on what can be done. The truth is, there’s almost always something that can be done even if you can’t fix the bigger problem. After all, part of risk management is making any risk smaller, so why not approach resource challenges in the same way?

Solving Small Team Concerns
When faced with a small security team, one healthcare organization decided to distribute the security team’s work across the infrastructure teams. Though they had two people dedicated to information security, they also shifted the culture and expectations so that everyone, from the service desk analyst to the desktop analyst to the server and network engineers, knew that security was part of their job. They eventually added the applications leads to the mix to ensure security was truly an IT department focus, not just a security team focus. This had the effect of extending the security team without adding people. And it created numerous added benefits because now managing and monitoring security was not “someone else’s job,” it was everyone’s job.

Update job descriptions, set expectations, and train staff in information security fundamentals, auditing and monitoring (according to their job function). Give them the tools to be effective members of the IT department, knowing that, in today’s environment, security is everyone’s job. When the server team adopts system-hardening processes and audits those results on their own, security is improved far more effectively than if you have some security team person harping on hardening servers. The same holds true for managing application security. When the apps team understands how to assess, deploy and test for secure applications, security is improved at the point of origin rather than by fixing a defect later (and for those of you familiar with Lean, this is a core concept). Building security into the standard work of each team not only teaches them about security in their area of expertise (while adding to their job expertise and often their satisfaction), it enhances the organization overall.

Addressing Lack of Expertise
There is a growing industry of security service providers. Everyone is facing talent shortages, but healthcare can be particularly hard hit because financial margins don’t allow for spending top dollar for talent in a highly competitive field such as information security. Some healthcare organizations manage to recruit and retain top talent by offering excellent working conditions and continuous professional development – but that doesn’t mean you can find, retain or reward those individuals in a tight job market. That’s where professional services can come in. Renting security monitoring, for instance, can be less expensive on an annual basis than adding another person. So, having a 24x7 security monitoring and alerting service may be an excellent approach to improving security without adding additional staff. Look for services you can use on a subscription basis or on an as-needed basis to add to your security program without breaking the bank.

Managing on Tight Budgets
The other major complaint that often arises is lack of budget to purchase and implement new security tools such as network monitoring or user behavior analytics. While these tools provide tremendous benefit when implemented and used correctly, two things are true. First, tools purchased are often only partially implemented because healthcare IT has so many spontaneous projects and needs that teams become overwhelmed or distracted. So, buying the latest tool may not really solve the problem. Second, if you lack the budget to buy new tools, your very first step should be to re-assess the tools you do have. Sometimes you haven’t fully implemented the tool, or haven’t implemented it in the most advantageous manner. Sometimes you have poor processes wrapped around the use of the tool that could be improved. If you’re not fully utilizing what you have, that should be your first effort.

Sometimes you can find add-ons or expansions to your existing tools that may be less expensive than bringing in a whole new software solution. Have your vendors come in and talk with you about what else their solutions can do for you. Sometimes there are no-cost or low-cost solutions you wouldn’t have considered.

Still other times, if you feel strongly that you need a particular tool, have the vendor help you make the business case. They should be able to provide industry data, comparison data and benefits data. If they help you implement a proof of concept implementation, take lots of notes about the before and after state so you can gather data to make your case.

Get Creative with Training
There are a lot of excellent training opportunities available to enhance the security skills of your team. Some are very expensive, but many are not. Try to negotiate for training dollars or training credits with major vendors when you sign a new contract or large purchase. Vendors will often toss these in if asked. If your expense is limited to travel (and not paying for the course), your training dollars will go much further. Look for online or distance learning options to reduce travel expense, and consider free webinars from industry leaders (ISACA, SANS, HIMSS, etc.) as well as vendor webinars, which may be skewed toward their product but may also educate on the broader topic at hand. Keeping staff trained will enhance their job satisfaction and improve your organization’s security. Additionally, certifications in security or auditing areas add credibility to your work and may help you make the case for more people or more funds.

Make the Business Case
Too often, those requesting additional resources fail to make the compelling business case. Make sure you have put together a concise document explaining the current state, the risk of that state, the proposed solution and why the investment is required. It may not always be approved, but you’re unlikely to get anything you need without it. And, as a leader, it’s good practice to present a professional business case in support of your requests.

None of these ideas will solve the problem of being short-staffed or under-budgeted, but they will help mitigate these risks while you work to make the business case to your executive team about why they need to support these kinds of investments. It’s often hard to fight for dollars to prevent the “hypothetical” event (the same problem exists with business continuity planning). Healthcare executives should understand that healthcare data is at the center of the target for attackers and, ultimately, they need to make the investments needed to keep the organization as safe as possible. In the meantime, you can reduce your risks by taking small, meaningful steps toward your goals.

Author’s note: For additional articles and resources focused on IT leadership, visit Susan’s website,

Category: Security
Published: 7/15/2019 10:21 AM


(12/07/2019 @ 16:20)

Last import : 22/07/2019 @ 19:28