RSS - Isaca.org

ISACA Now: Posts

http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx


RSS feed for the Posts list.


Advocating for a Strong Cybersecurity Workforce, IT Audit Standards and NIST Reauthorization Act on Capitol Hill

Members of ISACA’s US Public Policy Working Group recently gathered on Capitol Hill in Washington, D.C., to listen to inspiring speakers and to advocate for issues important to ISACA constituents, drawing from their personal experiences and professional backgrounds.

Over the course of a productive day, these ISACA volunteers met with Congressional members and staff leaders from seven districts from California, Illinois, New York, Texas and Virginia—states from where ISACA’s participants hailed. Key topics discussed included the National Institute of Standards and Technology (NIST) Reauthorization Bill (H.R. 6229), the value of authoring and introducing legislation focused on the future of IT audit, and the importance of certifications in preparing the workforce for cybersecurity jobs and closing the skills gap.

The participants expressed the importance of supporting H.R. 6229, as it would not only reauthorize NIST, but also strengthen research and development programs related to cybersecurity, artificial intelligence (AI), internet of things (IoT), and quantum computing and increase opportunities within the cybersecurity profession.


ISACA’s US Public Policy Working Group recently came together from across the country to engage in advocacy efforts on Capitol Hill.

Additionally, as some of the Public Policy Working Group had worked or currently work within government, they could also personally speak to the challenges of managing several audits throughout any given year in addition to the rest of their workload. They emphasized that improving and streamlining standards for audits would not only help make the process more efficient and deliver more meaningful results, but also incorporate emerging technologies such as AI that are currently not factored into most audits.

“As a member of the ISACA US Public Policy Working Group, I appreciated the opportunity to visit Capitol Hill to discuss legislative initiatives that impact my profession,” said Howard Duck, CISSP, CISM, CISA, PCIP, past president of the ISACA Sacramento chapter. “Joining other ISACA members in these discussions was interesting and informative for me.”

Another ISACA volunteer, Kyle Foley, CISA, CGEIT, CRISC, PMP, agreed. “Meeting with Congressional staff in the House and Senate to discuss ISACA's mission and information security issues, such as the NIST reauthorization legislation and our ‘One-Audit’ initiative, was fun, interesting, and rewarding.”

Joel Creswell, Ph.D., Legislative Assistant to Congressman Daniel Lipinski (IL-03), kicked off the advocacy day by speaking to the group about Rep. Lipinski's work in research and development, science and engineering, and initiatives related to AI, quantum computing and cybersecurity education. He noted that IT audits had been a focal point of the roundtable discussion with ISACA the day before.

Another issue of common concern to both ISACA members and Congressional staff was the challenge of building a strong cybersecurity workforce and addressing existing skills gaps.

Nick Leiserson, Legislative Director for Congressman Jim Langevin (RI-02), spoke to the group mid-day and provided highlights from this year, such as the creation of the Cybersecurity and Infrastructure Security Agency, as well as a preview of what ISACA’s professional community might expect to see come out of the work of the 116th Congress.


During ISACA’s advocacy day, participants discussed key issues such as supporting the NIST Reauthorization Bill, envisioning legislation around the future of IT audit and closing the skills gap with certifications.

The experience was not only an opportunity to raise important issues, but also ended up being a milestone for the ISACA volunteers who participated. It was the first time each of them had been involved in such an advocacy day—and it was an experience they found to be very positive.

"ISACA continues to exceed my expectations, and today’s advocacy event was no exception,” said Angel Contreras, CISA, CDFM, senior manager, technology risk at EY. “Being able to meet with policymakers—having open discussions on the key cyber and audit challenges with the common goal of making progress to secure our enterprises—was a memorable experience that embodies what ISACA is all about." 

Added ISACA volunteer Kevin McDonald, CISSP, CISA, CRISC, CBCP, PMP, senior program manager at Copper River Enterprise Services, “This is a prime example of ISACA’s support for the industry and proactive approach to supporting the next generation challenges in audit and technology.”

Category: ISACA
Published: 12/14/2018 3:02 PM

(13/12/2018 @ 18:48)

Tightening Cybersecurity Assurance in Supply Chains: Three Essentials

Phil Zongo and Rohini Kuttysankaran Nair

In October 2018, Bloomberg Businessweek sent shivers through the business and intelligence community when it published an astonishing report that claimed that Chinese spies had exploited vulnerabilities in the US technology supply chain, infiltrating computer networks of almost 30 prominent US companies, including Apple, Amazon.com Inc., a major bank, and government contractors.

These claims were indeed alarming, but not surprising. Since the infamous 2013 Target hack, in which hackers exploited security weaknesses at one of its little-known suppliers and exfiltrated millions of payment card details, cybersecurity experts have been warning that expanding supplier networks would exponentially increase digital touch points, providing several softer avenues for threat actors to exploit and access high-value systems.

There is no dearth of high-profile examples. For instance, back in 2017, cyber threat actors compromised the Ukrainian software firm MeDoc and implanted NotPetya, a highly destructive piece of malware, deep within its software update. Like the mythical Trojan Horse, NotPetya easily exploited the trusted software package, circumvented layers of security defences and crippled critical operations of high-profile enterprises, such as pharmaceutical giant Merck, shipping firm Maersk and the Ukrainian electric utility Kyivenergo, to name but a few.

It’s certainly hard to argue with the benefits of business partnering, given the decades of studies demonstrating that well-thought-out alliances can enable an enterprise to focus on its competitive advantages, as well as measurably boost its bottom line. But at the same time, the raging demand for transfer of utilities, goods and data, combined with the rapid intersection of cyber espionage and geopolitics, has also substantially complicated the cyber risk equation. Cyber threats exploiting weak supply chains are on the rise, like sea levels. The stakes are also invariably higher, threatening global peace and undermining the benefits of globalization and open markets.

While tightening cyber risk assurance within complex supply chains is certainly challenging, it’s not impossible. In the sections below, we provide three practical recommendations for business leaders to maximize the value of outsourcing relationships while minimizing the associated risks.

Have the right security clauses
Underpinning any robust supplier security assurance program is formally documented and legally enforceable security contractual clauses. During the contract negotiation phase, business leaders must have a clear understanding of cyber risks associated with each relationship, and ensure appropriate clauses are agreed upon from the outset and baked into contracts. At a minimum, high-risk suppliers must:

  1. Provide independent assurance reports that attest to the operating effectiveness of key controls, such as a SOC 2 Type 2 report, ISO 27001 certification or Payment Card Industry Data Security Standard (PCI DSS) compliance. These should be provided at least annually.
  2. Provide the enterprise with the right to audit in the event of a systemic control breakdown or legal requirements.
  3. Demonstrably comply with applicable data protection and privacy laws, not engage subcontractors without express approval from the enterprise and only host data within approved jurisdictions.
  4. Adhere to applicable data breach notification laws, including notifying the enterprise, without unreasonable delay, of any data or privacy breach, as well as of the results of subsequent investigations.
  5. Engage an independent, suitably qualified firm to regularly conduct penetration tests on critical applications and fix material vulnerabilities within agreed SLAs.

The significance of getting this right from the outset is hard to overstate. Requesting security assurance reports later in a relationship is complex, and without legally enforceable clauses, suppliers will likely push back, leaving an enterprise with no recourse in the event of disputes or systemic control breakdowns. This too, however, has its challenges. For instance, large cloud service providers are unlikely to agree to a “right to audit” clause with a medium-sized corporate customer. This comes down to leverage. Hence, it’s important to set realistic expectations upfront, as well as to ensure that security contractual requirements are reviewed and signed off by the legal team and business owners.

Limit vendor remote access to the network
As we learned from the Target breach, suppliers with remote access to the enterprise network can present soft avenues for threat actors to exploit and gain access to the enterprise network, escalate privileges and cause substantial harm. To manage this risk, the enterprise must adopt the least privilege principle, only giving remote access when there is no other cost-effective way for the vendor to deliver their services. Such access must be restricted to specifically segmented zones, channelled via secure virtual private networks and protected via multi-factor authentication. Furthermore, an up-to-date list of all vendors with access to the network, including their respective access rights, must be maintained and validated frequently, at least quarterly.
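One way to turn the controls above (segmented zones, VPN, MFA, least privilege, a vendor register validated at least quarterly) into a repeatable check. This is an added illustration, not code from the post or from ISACA; the register fields, zone names, rights labels and sample records are all constructed assumptions.

```python
"""Vendor remote-access register audit (illustrative; fields and data are assumed)."""
from dataclasses import dataclass
from datetime import date, timedelta

VALIDATION_PERIOD = timedelta(days=91)          # "at least quarterly"
VENDOR_ZONES = {"vendor-dmz", "vendor-mgmt"}    # assumed segmented zones for vendors
BROAD_RIGHTS = {"domain-admin", "all-subnets"}  # assumed rights beyond least privilege


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    account: str
    zone: str              # network zone the account can reach
    via_vpn: bool          # channelled through the enterprise VPN
    mfa: bool              # multi-factor authentication enforced
    rights: frozenset      # access rights granted to the account
    last_validated: date   # last time the business owner confirmed the access
    justification: str     # why no cheaper delivery method exists


def findings_for(rec: VendorAccess, today: date) -> list:
    """Return every way a single register entry deviates from the policy."""
    findings = []
    if rec.zone not in VENDOR_ZONES:
        findings.append("access outside a segmented vendor zone")
    if not rec.via_vpn:
        findings.append("not channelled via VPN")
    if not rec.mfa:
        findings.append("no multi-factor authentication")
    excess = rec.rights & BROAD_RIGHTS
    if excess:
        findings.append("rights exceed least privilege: " + ", ".join(sorted(excess)))
    if today - rec.last_validated > VALIDATION_PERIOD:
        findings.append("quarterly validation overdue")
    if not rec.justification.strip():
        findings.append("no documented justification for remote access")
    return findings


def audit_register(register: list, today: date) -> dict:
    """Map 'vendor/account' to its findings, omitting compliant entries."""
    result = {}
    for rec in register:
        findings = findings_for(rec, today)
        if findings:
            result[f"{rec.vendor}/{rec.account}"] = findings
    return result


# Constructed sample register: one compliant entry, one badly out of policy,
# one with a single gap.
TODAY = date(2018, 12, 13)
SAMPLE_REGISTER = [
    VendorAccess("hvac-co", "svc-hvac", "vendor-dmz", True, True,
                 frozenset({"bms-read"}), date(2018, 11, 1),
                 "on-site BMS support is not cost-effective"),
    VendorAccess("pos-vendor", "pos-admin", "corp-lan", True, False,
                 frozenset({"domain-admin"}), date(2018, 6, 30), ""),
    VendorAccess("backup-co", "svc-backup", "vendor-mgmt", False, True,
                 frozenset({"backup-operator"}), date(2018, 9, 20),
                 "remote restore testing"),
]

if __name__ == "__main__":
    for key, findings in audit_register(SAMPLE_REGISTER, TODAY).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Running the audit against a register exported from the VPN or IAM system each quarter gives the "up-to-date list" the post asks for, with the entries that need the business owner's attention already singled out.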

Segment suppliers based on risk
The basic risk management principles also apply to managing supplier-related cyber risk: the rigor of the assurance process should be commensurate with the criticality of the business process and the potential impact should the outsourced business process be compromised. For instance, suppliers that handle high-value payment processes, handle large volumes of customer personally identifiable data, manage critical infrastructure or underpin the most profitable business lines require tighter governance than those that handle ancillary services, such as administrative tasks. Taking a risk-based approach maximizes the value of the security assurance budget and reduces needless audits of suppliers. It also reduces noise, enabling limited security resources to focus on the supplier arrangements that present the highest level of risk instead of being spread thin across all supplier arrangements, each of varying significance.

In conclusion
The benefits of outsourcing are vast, but business leaders can no longer afford to enter into these alliances blindly. Cyber resilience is no longer a nice-to-have, but a top business imperative with far-reaching consequences on brand perception, customer retention, margin, regulatory compliance, and more importantly, business survival.

About the authors
Phil Zongo is the author of The Five Anchors of Cyber Resilience, an Amazon best-selling book that strips away the complexity of cyber security and provides practical guidance to business executives. He is also the 2016–17 winner of ISACA’s Michael Cangemi Best Book/Article Award. Zongo is the Founder and CEO of CISO Advisory, a consultancy firm that helps enterprises build high-impact and cost-effective cyber resilience strategies.

Rohini Kuttysankaran Nair is an experienced project manager with more than a decade of experience helping large enterprises deliver complex digital transformation programs. She is now leveraging her strong technical background and project governance skills to help enterprises deliver business-aligned cyber resilience uplift programs. She is based in Sydney, Australia.

 
Category: Audit-Assurance
Published: 12/13/2018 3:05 PM

(12/12/2018 @ 18:21)

What is Driving Growth for AR/VR?

Kris Kolo

Gartner’s recent list of top tech trends for 2019 included immersive experiences, which they described as follows:

“Conversational platforms are changing the way in which people interact with the digital world. Virtual reality (VR), augmented reality (AR) and mixed reality (MR) are changing the way in which people perceive the digital world. This combined shift in perception and interaction models leads to the future immersive user experience."

Below, I explore some of the anticipated themes related to VR/AR that will play a role in the coming year and beyond:

• Global AR & VR product revenues are expected to grow from US $3.8 billion in 2017 to US $56.4 billion in 2022, a 71 percent compound annual growth rate. This includes enterprise and consumer segments (ARtillry Intelligence).

  • In VR, consumer revenue will eclipse enterprise revenue by a 3:1 ratio in 2022. Standalone VR like Oculus Go will accelerate consumer adoption.
  • Head-worn AR will find a home with consumers. However, its specs and stylistic realities inhibit several consumer use cases in the near term. Apple’s potential 2021-2022 introduction of smart glasses will shift AR’s momentum and revenue share toward consumer spending.
  • By 2022, enterprise AR’s revenue dominance over consumer AR will decelerate as smart glasses begin to penetrate consumer markets. Until then, mobile will dominate consumer AR, with most revenue derived from software as opposed to hardware (smartphone sales aren't counted).

• The patterns of investment and development in the different sectors in which VR/AR are applicable, or potentially applicable, show the increasing applicability of this technology beyond the games and entertainment fields that saw its birth in the 1990s; 38 percent of respondents, for example, believe VR growth in the enterprise sector has been “strong” or “very strong,” with an equivalent figure of 43 percent for AR (The XR Industry Survey 2018).

  • Education is the enterprise sector that has been prioritizing VR/AR the most, and is the most competitive, despite the fact that it traditionally has had much less spending power than industry. Of respondents who reported that they are already using XR technologies, 23 percent were in the education sector.
  • Architecture/engineering/construction was a close second at 18 percent. Healthcare is quite low on the list despite the obvious VR/AR potential in diagnosis and therapy, with just 7 percent of those using this technology coming from the healthcare sector.
  • Industry expectations are that AR will blossom in the mainstream before VR does, in part because of the availability of open content development platforms like ARCore and ARKit, which have no VR counterparts.
  • Many industries see benefits in the long term from combining VR and AR. VR’s superior ability to create a fully immersive environment currently gives it the edge in training and educational applications.
  • Sixty-two percent of service organizations say that AR is providing measurable value for service in the following ways: better knowledge transfer among employees, increased employee efficiency onsite, improved first-time fix rates, and fewer truck rolls (IDC / PTC).
Category: Risk Management
Published: 12/12/2018 3:09 PM

(11/12/2018 @ 18:52)

COBIT 2019 is Our Framework and a Framework for Us

Graciela Braga

I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.

The What Is COBIT and What Is It Not section from COBIT 2019 Framework: Introduction and Methodology is very clear, and demonstrates how useful and usable the updated version of COBIT will be.

COBIT users know that COBIT in its last two versions utilized the components (formerly enablers) to plan, build and maintain a governance system. They were and are principles, policies and procedures, processes, organizational structures, information flows, culture and behaviors, skills, and infrastructure.

We can find these components in all organizations, and work with them to fix some problems or weaknesses in order to improve the current and future maturity of their governance system and, thus, create value for relevant stakeholders. These “magic resources” that create an appropriate solution are the first element to confirm that COBIT is usable and useful.

New design factors are the second element, and the new Design Guide was published this week. They should be considered by the enterprise to build a best-fit governance system. Not all organizations need the same solution with the same kind and quantity of resources. It is all about the best combination of needed resources to achieve the expected or required benefits with a good balance, or an acceptable level, of risk.

Not all organizations have the same strategy, goals, risk profile, I&T-related issues and threats. Compliance requirements, size and role, adoption strategy, sourcing model and implementation methods of IT are factors that we must complete soon.

Design factors influence in different ways the tailoring of the governance system of an enterprise. COBIT 2019 distinguishes three different types of impact, illustrated below.

The new COBIT 2019 Framework: Governance and Management Objectives is free for members and non-members. I believe this is a remarkable step to increase the number of COBIT followers and professional community engagement. How many students and professionals will benefit from these complimentary publications? How many of them will be influenced by COBIT 2019 and decide to initiate an IT career or improve it through a certification?

Will these new followers influence COBIT’s future design? I am sure of it.

Editor’s note: For more information about COBIT 2019 guidance, products and training, visit www.isaca.org/cobit, or view a webinar on the COBIT framework here or the Design Guide and Implementation Guide here.

Category: COBIT-Governance of Enterprise IT
Published: 12/11/2018 9:58 AM

(10/12/2018 @ 22:53)

Ryan Envisions ‘Very Positive’ Future for Women in Cybersecurity

Editor’s note: Pat Ryan’s wide-ranging career included serving as an analyst in the British intelligence community, partnering with her husband on an oil exploration consultancy specializing in underwater seismic operations and satellite imaging, setting up and running a non-profit that installed IT equipment and educational software into UK hospitals where children were being treated, and founding Cyber Girls First, which encourages girls in the UK to take up coding and cybersecurity. Ryan, who spoke last month at ISACA’s UK Chapters conference, recently visited with ISACA Now to share about her past experiences and current efforts to inspire girls in cybersecurity. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: You have a unique and varied professional background. Which aspects of your career are you most proud of, and at what point did you become focused on cybersecurity?
I am most proud of my children and what they have achieved. I stayed at home until they went off to their chosen careers before returning to the workplace. This was extremely difficult, even though I had partnered with my husband to set up and run an oil exploration consultancy. That’s when I realized how impossible it was for women to return to work after a time away raising children or caring for elderly parents. It’s even more difficult these days.

ISACA Now: Given your background, what is your perspective on cybersecurity as a national security issue – what needs to occur in the UK and around the world for governments to better protect their citizens from cyberthreats?
We have not woken up to the intense threats we face as a nation from cyberattacks on our hospitals, banks, government, schools, companies and infrastructure. During 2018, at least two attempts were made to hack into our power grid and transport systems.

Women represent 51 percent of the population of the UK, yet only 12 percent of coding and cyber positions are taken by women. We are losing a large portion of the potential workforce. In school, girls have a preconceived notion about taking computer science (mostly derived from boys whose comments are under the general terminology that “Computers aren’t for girls.”). I have seen this when mixed classes come into the National Museum of Computing at Bletchley Park. In the UK, our National Curriculum is an advantage, where all schools use the same software packages. I noticed that the boys push the girls off the machines or take the iPads away from them. That was when I decided to set up a program across the UK where girls were on their own for a whole day.

ISACA Now: How and why did Cyber Girls First come about?
As mentioned earlier, I saw first-hand how girls were taking second-place in classes, when in fact they were extremely adept at coding and in using various pieces of equipment. Starting Cyber Girls First would have been almost impossible without the support of universities and companies such as J.P. Morgan, Field Fisher, pi-top Computing, SEARCH (IT Recruitment) and ISACA.

J.P. Morgan and pi-top helped from the start, and a year after starting the program, I no longer had to go out to sell it – companies, schools and universities are asking to be included, and after four years, it has moved into a new dimension.

ISACA Now: What were the main points you were looking to convey during your remarks at the ISACA UK and Ireland chapters event?
I wanted to explain to the mostly male audience exactly what problems are faced by girls and women in the workplace. It starts at school, continues into employment, and becomes even worse if a woman chooses to care for her children until they go to school. That could mean maybe seven or eight years out of employment. The way that technology is moving, even a year can be difficult for a return-worker, so seven or eight years could be daunting.

I pointed out that each time a woman takes time out to care for children or elderly parents, she returns to work in a lower position with no attention paid to her level of experience in previous careers. They need to be given the confidence to take up re-training, and companies should re-think their employment rules relating to job-sharing and part-time working. Women who are given this support tend to remain in those companies, so employers would benefit from a stable workforce.

ISACA Now: What impression have your interactions with school-aged girls left you with about the future of women in the cybersecurity workforce?
Very positive. We concentrate on direct communication with the girls, finishing the day with a session of round-table talks with six girls to each table. They have a 15-minute session and move to another table. Throughout those two hours, the girls will have heard from banks, IT companies, lawyers, the local police on-line security people and Government employees. We have someone from GCHQ/NCSC who tells them about the work they do to keep Britain safe.

After an event at Cardiff University, I heard from a teacher that all 10 girls who had attended our event had signed up to take computer science as one of their chosen subjects. At our Field Fisher event in London, attended by (past board director) Michael Hughes from ISACA, I had an email from a parent who said that her daughter had run into the house and said: “I know now what I want to do.” This program is not a “Wouldn’t it be nice if…” It is essential to our future security.

ISACA Now: How can enterprises do a better job of appealing to prospective female technology practitioners?
The government has set aside millions for schools and organizations to come to grips with the lack of trained people, particularly women. They have also put further millions into teacher training on computer science. Businesses should invest in apprenticeships and re-training programs to attract graduates and women “returners” into these roles.

One girl told me that her parents had said that everything would be done by robots. I suggested she should think about who would design the robots; who would design the software to run them; who would repair them (until that’s done by robots as well). She hadn’t thought of that and decided to do computer science.

Category: ISACA
Published: 12/7/2018 3:02 PM

(05/12/2018 @ 16:52)

Last updated: 15/12/2018 @ 06:42