ISACA Now: Posts

RSS feed for the Posts list.

Happy ISACA Volunteer Appreciation Week!

Melissa Swartz

Happy ISACA Volunteer Appreciation Week! While my colleagues and I agree that we should celebrate our volunteer partners at the chapter and international levels every day, we are thrilled to participate in a week of highlighting some of the ways volunteer support is essential. After all, ISACA exists to support our members in the IT audit, risk, governance, assurance and security industries, and our local and international volunteers are the ones fulfilling our purpose and promise, and exemplifying our values.

Where would we be without the passionate, dedicated and innovative experts advancing ISACA’s great work? For one, we would miss out on the camaraderie in networking and bonding over accomplishing sometimes-challenging objectives to advance our work. We love working with people like Jack Freund, CRISC Certification Working Group member and 2018 ISACA John W. Lainhart IV Common Body of Knowledge Award recipient, who is a huge proponent of giving back. “You should volunteer and get involved with ISACA because it is important, hard work,” he said. “It’s work that will put you in touch with the best in your industry at the local and international level, and working with the best makes you better as well.”

What makes our volunteers the best? It’s their interest and expertise that makes it possible to accomplish impactful initiatives. Check out these highlights from the first quarter of 2018.

  • The ISACA Foundation Working Group is establishing a mission and purpose for a philanthropic strategy at ISACA with the intent to better serve underrepresented segments of our community.
  • Through local and international events, research initiatives and creating a network of champions, the Women’s Leadership Council and SheLeadsTech Working Groups are advocating to empower female leaders in the tech industry.
  • As part of the new Accredited Training Program, the Chapter Accreditation Assessors are ensuring that certification training offered through our chapters represents ISACA’s highest standards of quality in content and presentation techniques, better preparing future exam-takers to successfully earn their CISA, CISM, CGEIT and/or CRISC designations.
  • Multiple working groups in the Advocacy and Public Affairs space are ensuring that ISACA’s voice is heard in legislative efforts through consultation responses and building relationships with government entities. They are also ensuring our membership has the tools and knowledge to successfully and smoothly ensure GDPR compliance.
  • The ISACA Awards Working Group and reviewers expanded the scope of our peer-recognition program, giving you an opportunity to nominate outstanding professional colleagues, thought leaders and volunteers for the accolades they deserve and to inspire future leaders in our industry.
  • Already this year, Subject Matter Experts (SMEs) have supported more than 10 new research initiatives. SMEs ensure all content issued by ISACA is accurate, timely and relevant in assisting our members with fulfilling their professional roles.

Just think of what we can accomplish for the rest of the year! Why should you join the more than 4,200 people spending their valuable free time giving back each year? Not only are they meeting new people, expanding their professional network, gaining new experiences to advance in their careers, ensuring the security of the future of their profession, and earning CPE hours, but they’re also gaining personal satisfaction by mentoring, teaching, learning leadership skills and much more.

As ISACA Belgium Chapter President and past ISACA board director Marc Vael says, “In return for the time you invest as a volunteer, you meet so many people from different backgrounds, with different experiences and knowledge in an international context. Basically, you get so much more back for the rest of your career. And that is priceless.”

Our volunteers are priceless, and there is no doubt that every day should be ISACA Volunteer Appreciation Day! Without you, our organization would not have existed for nearly 50 years, much less be looking to grow in the next 50. You are the reason ISACA exists and continues to provide valuable resources to our global professional community. Thank you!

Editor’s note: Learn more about volunteering and apply for an open opportunity at

Learn how to recognize outstanding international and chapter volunteer service with an ISACA Award at

Category: ISACA
Published: 4/18/2018 3:03 PM

(17/04/2018 @ 21:09)

An Agile Approach to Internal Auditing

Meredith Yonker

As internal auditors, we’ve seen an uptick in usage of the term “Agile” in reference to how more and more companies are developing software. Agile software development has grown increasingly popular as both software and non-software companies transition from traditional development methodologies, such as the waterfall model, to a value-driven Agile approach. Like any auditable area, this requires internal auditors to understand the key concepts, evaluate the risks and determine how to effectively audit the process based on pre-defined objectives. However, that’s not the purpose of this blog post. What we auditors find even more intriguing is how the values and principles behind Agile software development apply to the field of internal auditing.

The Agile foundation
Agile is an overarching term for various software development methods and tools, such as Scrum and Scaled Agile Framework (SAFe), that share a common value system. Developed in 2001, the Agile Manifesto provides a set of fundamental principles that Agile teams and their leaders embrace to successfully develop software with agility. Companies that have adopted Agile development practices recognize the urgency to adapt quickly to changing technology and deliver enterprise-class software in a short amount of time; otherwise, they run the risk of becoming extinct.

Some of the top benefits of agile development include:

  • Accelerated product delivery
  • Improved project visibility
  • Increased team productivity
  • Better management of changing priorities

Why apply Agile to internal audit?
At The Mako Group, we have found that applying Agile concepts to the internal audit function is not a new concept, but has never been more crucial than in our current environment. Like the companies we aspire to protect through objective assurance and advice, internal audit must be able to address emerging critical risks and provide relevant insight in a timely fashion. Despite our best intentions, many audit departments still develop a long-term plan that cannot be easily changed and often employ antiquated audit methodologies. If we truly want to add significant organizational value and be a trusted partner with management, internal auditing must evolve, and Agile techniques can help us do that.

Agile internal audit tactics
Just as companies are scaling Agile software development based on the size, capabilities and culture of the organization, the extent of an internal audit function’s agility will vary widely for one group versus another. Nonetheless, we have narrowed our focus to three key areas that every internal audit department should consider when becoming more agile:

  • Planning and prioritizing. Agile development teams utilize a backlog as the single authoritative source of work items to be completed, which must be continually prioritized. Items on the backlog are removed if they no longer contribute to the goal of a product or release; whereas, items are added to the backlog if at any time a new essential task or feature becomes known. Similarly, the internal audit function should maintain a backlog of areas to be audited that is regularly evaluated and updated based on risk exposure. Instead of committing to a rigid audit plan, this approach allows for timely inclusion of new risks or auditable areas throughout the year. The importance of collaborating with stakeholders during the planning and prioritization process cannot be overstated. Before beginning work on a task or feature in the backlog, explicit and visible acceptance criteria must be defined based on end user requirements, which is called the definition of ready. This is met for an item on the audit backlog when internal audit has the necessary resources available and agrees with the stakeholders up front on the scope, the goal of the project and the value to be delivered.
  • Streamlining the process. Iterations are one of the basic building blocks of Agile development. Also known as a sprint, each iteration is a standard period of time, usually from one to four weeks, during which an Agile team delivers incremental value in the form of usable and tested software. Ultimately, items that move off the backlog must be divided into a series of sprints, which provide a structure and cadence for the work. In the context of internal auditing, the fieldwork associated with an audit should be broken into fixed-length activities that are appropriately sized to promote the motivation of a tight deadline without stressing the resources in place. As the goal is to be quick and iterative, versus confined to a pre-determined plan, eliminating unnecessary resources and efforts is instrumental to an audit team’s successful completion of the work within a sprint. Whenever possible, gathering evidence independently, which also alleviates the burden on stakeholders, is an excellent way for internal auditors to be more efficient. Moreover, examples of waste in the audit process commonly include:
    • Distributing requests for evidence that are too vague.
    • Sending emails back and forth when a phone call or in-person meeting would be a more productive solution.
    • Exhaustively explaining every step taken without considering that concise documentation could achieve the same effect.
  • Soliciting continuous feedback. One of the most commonly practiced Agile techniques is a daily stand-up meeting, normally lasting no longer than 15 minutes, in which an Agile development team discusses each member’s contributions and any obstacles. To be truly effective, internal audit team members must regularly check in with each other and not hesitate to raise questions or issues as soon as they come up. Rather than waiting until the fieldwork has been completed to start internal reviews, quality assurance should be built into the daily audit activities.

Furthermore, internal auditors must not wait until the end of an audit to provide results. Early and frequent communication with stakeholders means that the final report or presentation should simply reflect a visual summary of the insights already discussed. We should not only identify opportunities to enhance an organization’s operations but also continuously improve our own audit processes. A crucial role on an Agile team to help foster an environment of high performance and relentless improvement is the scrum master. Acting as the coach of an internal audit team, a scrum master would ensure that the agreed Agile process is followed and encourage a good relationship among team members as well as with others outside the team.

Category: Audit-Assurance
Published: 4/17/2018 8:58 AM

(13/04/2018 @ 00:23)

What the Skills Shortage Means for Existing Cybersecurity Practitioners

Ed Moyle

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. Meaning, individuals wishing to position themselves optimally for their future career growth can use this information as part of the “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that organizations (and, in fact, the market at large) are most likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily … but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – is important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that. 

Category: Security
Published: 4/16/2018 8:30 AM

(12/04/2018 @ 15:55)

SQL Databases and Data Privacy

Robin Lyons

If anyone had any doubts, data privacy is still kind of a big deal. Beyond being at the core of regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States to the global, far-reaching General Data Protection Regulation (GDPR), data privacy has its own annual day of recognition – 28 January. As organizations design operational strategies and tactics around data privacy, opportunities to leverage applications with built-in functionality to safeguard sensitive and confidential data are valued. For those using Microsoft SQL Server 2016, there are a couple of areas where built-in functionality can assist with data privacy initiatives.

Where is the data?
Safeguarding of sensitive or confidential data generally begins with data classification. Once data has been identified and appropriately classified, the next effort is establishing internal controls commensurate with the sensitivity/confidentiality level of the data. Depending on the organization, designing and implementing internal controls may be a bit of a hurdle. In its 2017 State of Cybersecurity Metrics Annual Report, IT consulting firm Thycotic reported that 4 in 5 companies don’t know where their sensitive data is. Understandably, unknown data locations make it difficult to identify safeguards to protect the data. As in prior versions of SQL, using SQL Server Management Studio (SSMS) in SQL Server 2016 can provide a list of databases. Also, in addition to a variety of other data querying options, Transact-SQL (T-SQL) queries can be used to locate data and related tables.

Who has the data?
Having identified where the data resides, entities are faced with ensuring that access to the data is limited to those with the appropriate roles in their organizations. Once those access determinations are made (following the Principle of Least Privilege), organizations can then use Microsoft SQL Server 2016’s Dynamic Data Masking (DDM) feature to support their access strategy. With Dynamic Data Masking, sensitive/confidential data remains unchanged in the database while this data is hidden in designated database fields. Organizations can fully or partially mask the sensitive/confidential data depending on how they configure DDM.
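The two steps described above, locating candidate columns with a T-SQL query and then masking them with Dynamic Data Masking, shown as an added example that is not part of the original post. The table dbo.Patients, the users ClinicStaff and PrivacyOfficer, the column-name patterns and the sample row are assumptions constructed for illustration.

```sql
-- Added example for SQL Server 2016 or later. All object names are constructed.

-- 1. Where is the data? Search the current database for columns whose names
--    suggest personal data (the patterns are illustrative; extend them to
--    match your own data classification).
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%ssn%'
   OR COLUMN_NAME LIKE '%email%'
   OR COLUMN_NAME LIKE '%birth%'
ORDER BY TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME;

-- 2. Who has the data? Define masks on the sensitive columns.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    -- Partial mask: keep only the last four characters visible.
    SSN       CHAR(11) MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    -- Built-in e-mail mask.
    Email     NVARCHAR(254) MASKED WITH (FUNCTION = 'email()') NULL,
    -- Full mask using the data type's default masked value.
    BirthDate DATE MASKED WITH (FUNCTION = 'default()') NULL
);

-- A mask can also be added to a column that already exists.
ALTER TABLE dbo.Patients
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"****",0)');

-- Constructed sample row; the stored values are not altered by masking.
INSERT INTO dbo.Patients (FullName, SSN, Email, BirthDate)
VALUES (N'Jane Example', '123-45-6789', N'jane@example.com', '1980-02-29');

-- 3. Least privilege: both users may read the table, only one may unmask.
CREATE USER ClinicStaff WITHOUT LOGIN;
CREATE USER PrivacyOfficer WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO ClinicStaff;
GRANT SELECT ON dbo.Patients TO PrivacyOfficer;
GRANT UNMASK TO PrivacyOfficer;

-- 4. Verify the control from each role's point of view.
EXECUTE AS USER = 'ClinicStaff';
SELECT FullName, SSN, Email, BirthDate FROM dbo.Patients;  -- masked values
REVERT;

EXECUTE AS USER = 'PrivacyOfficer';
SELECT FullName, SSN, Email, BirthDate FROM dbo.Patients;  -- stored values
REVERT;

-- 5. Audit check: list every masked column and its masking function so the
--    result can be compared against the data classification inventory.
SELECT OBJECT_SCHEMA_NAME(object_id) AS schema_name,
       OBJECT_NAME(object_id)        AS table_name,
       name                          AS column_name,
       masking_function
FROM sys.masked_columns
WHERE is_masked = 1
ORDER BY schema_name, table_name, column_name;

-- Masking changes what a query returns, not what is stored, so it
-- complements SELECT permissions and encryption rather than replacing them.
```

Comparing the output of step 1 with the output of step 5 shows which candidate columns still have no mask defined.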

Another option for limiting access to data is to use Always Encrypted. This feature allows encryption of sensitive data (at rest and in transit) within client applications. Since encryption and decryption happen outside of the SQL environment, it facilitates least privilege by limiting data access to those who own the data and need to view it.

As data privacy expectations become more permanent fixtures of entities’ operational landscapes, built-in features such as Dynamic Data Masking will become more commonplace. The newer DDM functionality, coupled with existing functionality through SQL Server Management Studio, can help entities achieve and maintain data privacy goals. Coupled with best practices in data management, this built-in functionality should provide an easier path to meeting the data privacy expectations of customers and compliance regulations.

Category: Privacy
Published: 4/13/2018 3:20 PM

(13/04/2018 @ 00:28)

Data Breach Preparation and Response in Accordance With GDPR

Laszlo Dellei

Many may be familiar with the guidelines on personal data breach notification from the Article 29 Working Party (WP29) prepared in October 2017 under Regulation 2016/679. In addition, the General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.

The basic concept of personal data breaches was not introduced first by the GDPR, and there are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to provide notification of breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands).

GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.

So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What type of personal data breaches exist?

  • Confidentiality breach
  • Availability breach
  • Integrity breach

It is also apparent from the above that the concept of personal data breaches is closely linked to the principle of the integrity and confidentiality of personal data (Article 5 (1) (f) of the GDPR). Therefore, a wide variety of personal data breaches may occur, such as losing a laptop or USB drive that contains personal data, attacking an IT system, or even sending a letter or an email to the wrong recipient.

Four years earlier, WP29, in its Opinion issued in 2014 (Opinion No. 03/2014), presented a number of practical examples of what is considered to be a personal data breach and the consequences it may have.

Why is it so important that the personal data breach is handled as soon as possible?
The Preamble to the GDPR (Point 85) states that "a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as: 

  • Loss of control over their personal data or limitation of their rights
  • Discrimination
  • Identity theft or fraud
  • Financial loss

What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach is noticed:

  1. The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
  2. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  3. The controller shall document any personal data breaches.
  4. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification may be omitted. (For example, if mail sent by a controller to a wrong address is returned without being opened, meaning that no personal data has been accessed by an unauthorized person.)

How can controllers prepare for handling personal data breaches?
Given that personal data breaches can occur at any data controller, and in such cases data controllers need to react quickly, it is important for controllers to be prepared in this respect as well.

First, every actor must prepare a data breach response plan, for which there may be internal rules as well. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

Below is a data breach response plan quick checklist to help with this preparation:

Information to be included (mark Yes/No and add comments for each item):

  • What a data breach is and how staff can identify one
  • Clear escalation procedures and reporting lines for suspected data breaches
  • Members of the data breach response team, including roles, reporting lines and responsibilities
  • Details of any external expertise that should be engaged in particular circumstances
  • How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions
  • An approach for conducting assessments
  • Processes that outline when and how individuals are notified
  • Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted
  • Processes for responding to incidents that involve another entity
  • A record-keeping policy to ensure that breaches are documented
  • Requirements under agreements with third parties such as insurance policies or service agreements
  • A strategy identifying and addressing any weaknesses in data handling that contributed to the breach
  • Regular reviewing and testing of the plan
  • A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan


Recommendations on next steps:

An effective data breach response generally follows a four-step process — contain, assess, notify and review: 

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, take action to remediate any risk of harm.
  3. Notify individuals and the Commissioner if required. If the breach is an "eligible data breach" under the NDB scheme, it may be mandatory for the entity to notify.
  4. Review the incident and consider what actions can be taken to prevent future breaches.

How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within the Hungarian DPA’s organization that addresses receiving and managing the personal data breach notifications. It is also expected that data breach notification must be made on the authority’s website, or there will be an online interface through which the notifications can be sent to the authority.

Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit

Category: Security
Published: 4/11/2018 3:09 PM

(10/04/2018 @ 22:46)

Last import : 19/04/2018 @ 13:48