RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

Lower IT Department Expenses Without Compromising on Security

Anna Johannson

The IT department has risen to prominence as one of the more integral components of successful, modernized organizations. However, in the midst of this growth, IT has also become increasingly expensive for many of these companies. Discovering what it looks like to manage a cost-effective IT department could be the difference between running a profitable business and straining to make ends meet.

Three Highly Effective Ways to Lower IT Expenses
According to an article coauthored by consultant Kevin Coyne in Harvard Business Review, there are two key points to keep in mind whenever you pursue cost savings, regardless of the organization or department.

“First, forget about finding a single idea that would radically change the cost structure of your organization or department, thereby solving your problem in one go,” Coyne writes. “(If such an idea existed, it would most likely entail so much risk that the organization would never be willing to implement it.)”

Instead, Coyne suggests reaching your goal through a combination of at least 10 different actions. Additionally, he notes that the degree of organizational disruption caused by the cost-cutting will typically be proportional to the degree of reduction that’s done. Incremental actions may reduce costs by 5 or 10 percent, whereas serious restructuring may be able to lower costs by 25 percent or more.

Assuming that you aren’t looking to slash your IT expenses by 25 or 50 percent, here are some incremental steps you can take to quickly and effectively lower costs.

  1. Defer non-critical initiatives. You always need to have an idea of which tasks and strategies within your IT department are most timely and important. Having this sort of internal priority list will help you defer non-critical IT initiatives when money is tight and reallocate that money towards the ones that matter.
  2. Shop for deals. In your personal life, you probably give careful thought to the purchases you make. In other words, you don’t just go around investing money into things without first doing a little bit of research. You need to take a similar approach in business. Shop around for the best price on software and tools – which may mean using coupons and deals – to ensure you’re saving money wherever possible.
  3. Virtualize wherever possible. Compared with traditional servers, virtualization software can increase utilization fourfold or more. This means you can reduce the number of servers you need by the same ratio – leading to a steep reduction in hardware and energy costs.

Don’t compromise on security
While there’s a time and place for lowering costs and eliminating superfluous IT expenditures, don’t be shortsighted and compromise on security to save a few dollars. It’s far better to invest in cybersecurity than it is to deal with a costly attack that damages your brand and costs exponentially more to correct.

It’s up to you to find the sweet spot, so to speak. You must discover the optimal amount to spend, without opening your company to risk or falling behind on the innovation curve. This will require constant tweaking and regular optimization – so stay dialed in!

Category: Security
Published: 6/22/2018 2:59 PM


(18/06/2018 @ 23:27)

AI: the Challenge and the Solution

P.W. Singer

Editor’s note: P.W. Singer, strategist and senior fellow at the New America Foundation, will deliver the closing keynote address at ISACA’s 2018 CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA. Singer recently visited with ISACA Now to discuss pressing cybersecurity considerations that governments must grapple with, the multi-faceted impact of artificial intelligence and more. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: What are the primary strategic considerations for governments today when it comes to protecting their people from cyberthreats?
The essential problem is that all the issues we've been dealing with the last 10 years – cybercrime, IP thefts, botnets, etc. – are still with us, but we also now have a series of new challenges to face. Governments, not just national, but state and local governments, have to understand the combination of how the internet is changing, and, in turn, the threat landscape. We are nearing the 50-year mark of internet history, an amazing moment when you consider the change, but it is also shifting. Once it was just an internet of people communicating, but it is also now one of “things” operating.

This, of course, brings enormous gains and efficiencies, but also massively grows the attack surface, as well as raises the consequences of attacks, shifting them to the physical realm. In turn, the internet has become one of web 2.0 via social media, where we all share information but also now spread and fight disinformation (what I call LikeWar). Add in the rise of issues like ransomware, hybrid threats from states and criminals, the blight of mega breaches, and it’s a daunting time. So, the key for governments is to ensure they are keeping pace with these shifts in internet use and threats.

ISACA Now: How do you envision malicious uses of AI reshaping the threat landscape in the coming years?
AI – and by that, I mean everything from machine learning to neural networks – will be used by bad actors in everything from developing malware to scoping out for vulnerabilities. But one area I think we really are not ready for is “deep fakes” created by AI. These hyper-realistic videos, that aren’t actually true, will be weaponized against people, companies and governments. We’ve already seen examples tested in labs, where you can create a video of a speech that someone never gave, to how actresses have been put in adult films they never appeared in. This is just the start, where AI will be used to attack our very perceptions and sense of reality, in a malicious manner.

ISACA Now: Which new or emerging technologies can be most useful to governments in bolstering their security capabilities?
AI! Every technology has both good and bad uses, by good and bad people. For instance, AI is the very means to detect emergent cyber threats, scope out new anomalies before they can cause harm, sift through vast amounts of noise. Indeed, the means to detect AI-created deep fakes is other AI that can hunt for their tells. As I explore in an upcoming book, this creates a strange new world where the AIs battle, with us humans in the middle as the target.

ISACA Now: What appealed to you about joining the New America Foundation?
It is an organization that tackles the questions of what happens when technology and policy come crashing together, so people there are always wrestling with fascinating and important questions. At a recent staff meeting, for instance, we had people who were working on topics as varied as how to help the U.S. Army with cybersecurity to aiding the Rhode Island state government on adoption policy reform.

Category: ISACA
Published: 6/21/2018 3:07 PM


(18/06/2018 @ 16:32)

CISA Payoff: Immediate and Enduring Throughout My Career

Walt Blackwood

The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.

In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.

It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regards to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.

The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.

As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).

Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.

Category: Certification
Published: 6/19/2018 9:01 AM


(14/06/2018 @ 23:06)

IT Audit Co-sourcing Requires a Strategic Touch

Mais Barouqa

The 7th annual IT Audit Benchmarking Survey shed light on several IT challenges that are at the top of the agenda for executive management and will have a direct impact on IT audit plans for many enterprises in 2018.

While the survey highlighted several key challenges, I will be drilling more in-depth into one key aspect, which is the co-sourcing of IT audit. Within the survey, it was noted that IT audit’s role has grown since 2012, in that half of all organizations now have a designated IT audit director. Such growth emphasizes the importance of the IT audit role. Given the current technological advancements, IT audit plans are required to be aligned and inclusive of the risks that accompany them. That not only requires a different set of skills that are needed in order to have value-added audit results, but also requires internal management to reconsider their IT audit plans.

Before applying a co-sourcing practice, management should assess its current internal IT audit skills in order to clearly understand what should be added by the co-sourced team and what can be covered by the internal department. In order to conduct such an assessment, management should have started to identify the technological areas for the upcoming IT audits during the early planning stages. Moreover, the internal audit department holds a better understanding regarding the scoped systems, infrastructure, and processes, whereas such details will require further time for the co-sourced team to grasp. Accordingly, audit deadlines should take this into account while preparing the plan in order to deliver valuable audit results.

Another point that should be taken into consideration prior to co-sourcing is the emphasis of knowledge-sharing by the co-sourced team to ensure that the skills of the internal team members have been elevated and enhanced by the co-sourced practice.

Management applies the co-sourcing practice in order to leverage the business and technical exposure of the co-sourced individuals in the areas where the internal IT auditors lack it. Management should not utilize the co-sourcing practice to enforce a complete transformation of the internal audit to match the co-sourcing company. That said, management should always ensure that the company’s internal practices are applied and taken into consideration throughout the co-sourcing team’s deliverables and work.

Category: Audit-Assurance
Published: 6/18/2018 3:02 PM


(15/06/2018 @ 16:21)

Is the NIST Cybersecurity Framework Enough to Protect Your Organization?

Baan Alsinawi

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity and commonly referred to as CSF, is top of mind for many organizations.

Whether driven by the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the need for a common framework between business partners or as a way to measure best practices, many organizations are considering adopting NIST’s framework as a key component of their cybersecurity strategy.

Initially designed by NIST to protect critical infrastructure, the framework is seeing much wider adoption across industries and organizations of various types and sizes. The CSF provides guidance and was built to be customized by organizations to meet their unique business and mission goals.

If you are embarking on implementing CSF, some areas to consider:

  • CSF does not prescribe control “requirements.” The framework only provides a very high-level requisite. While this allows organizations to perform a security assessment against CSF, the depth of the assessment is open to organizational interpretation and preference. This can lead to an assessment that leaves weaknesses undetected, giving the organization a false sense of security posture and/or risk exposure.
  • CSF does not make NIST SP 800-53 easier. If organizations use the NIST SP 800-53 requirements within the CSF framework, they must address the NIST SP 800-53 requirements per CSF mapping. This is not an easy task and generally requires additional focus.
  • CSF control categories … to what end? Control categories (IRM, RM, and EP) provided with CSF are available, but it is up to the implementing organization to determine the alignment for each control and how it applies to their risks. It is not terribly clear how these categories improve the risk assessment results.
  • CSF control tiers are not a maturity model. The CSF control tiers provided – partial, risk informed, repeatable, and adaptive – can be assigned to assessed controls. When used in aggregate, these tiers can provide an indication of the implementation level of the organization’s controls. However, if you are looking for a prescription, you might find that you are on your own. For example, CSF maintains that these tiers are not to be confused with a maturity model, so it’s up to you to decide if a ‘partial’ rating is (or is not) good enough for a particular risk. 

True to any successful risk management framework, CSF or not, a suitable implementation requires a determination of business impact, risk appetite/tolerance and actual threat vectors, among other key variables. Proper knowledge and true understanding of one’s organizational risks is required when implementing CSF (or any risk management framework for that matter). By going about CSF the wrong way, your end results may belie the true state of your organization’s risk, resulting in false confidence in your current program and potentially misguided investments in resources.

Here are five practical tips for effectively implementing CSF:

  1. Start by understanding your organizational risks.
  2. Define your risk appetite (how much) and risk tolerance (acceptable variance).
  3. Choose the CSF tier that best matches your business and mission (most likely you will end up with several tiers within the same organization).
  4. Map existing frameworks (FISMA, ISO, COBIT) in your environment to CSF based on your business model.
  5. Perform initial gap analysis, then use the findings to decide your CSF strategy.

It is best to plan on integrating CSF into your business as a long-term strategy. CSF is not a one-time, quick checklist, so it is best to allocate the proper resources to ensure a successful implementation for long-term, effective risk management.

Category: Security
Published: 6/15/2018 2:59 PM


(14/06/2018 @ 17:18)

Last updated: 23/06/2018 @ 10:40