RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

ISACA’s Future Brimming With Opportunity


Brennan P. Baybeck

As my relationship with ISACA unfolded through various volunteer roles for the past 25 years, I have had the privilege of seeing the organization evolve – through good times and challenging times – just as many of us have experienced in our personal lives and careers.

I’ve stayed with ISACA for the long haul because regardless of the hot technology or top-of-mind regulation of the day, I have consistently been proud to serve a global organization that provides the resources needed to advance business technology professionals’ careers and strengthen the technology workforce, while addressing some of the biggest challenges in our industry.

Now that ISACA is celebrating its 50th anniversary, the math is not lost on me that I have been part of this organization for half of its illustrious history. It is an honor to begin my term as chair of the ISACA board of directors at such a consequential time for our professional community and the organizations that they serve. Whether it is helping to shape the future of IT audit, evangelizing an executive-sponsored approach to data governance, navigating the rise of automation or promoting the need for our professional community to be lifelong learners, ISACA is well-equipped to make a profound impact in the years to come. Best of all, we have so many avenues through which our professional community can set that impact in motion.

From chapter leadership roles, which I have experienced first-hand through ISACA’s Denver Chapter, to hands-on advocacy opportunities, to championing our SheLeadsTech program, and so much more – ISACA’s breadth of experiences provides a terrific complement to the organization’s core credentialing, learning and professional development resources.

One of ISACA’s greatest strengths is its diversity. Diversity will be the key to solving many of the current and future challenges in our fields, especially security. ISACA will be taking more concrete actions in this area and will serve a central role in this space. Having diverse teams – including gender, race and ethnicity – and diverse perspectives is critically important, and you will see more from me on this in the coming year.

As I begin this new role as board chair, I want to extend deep appreciation to my predecessor, Rob Clyde, whose wisdom and passion for this organization will remain tremendous assets going forward. Fortunately for all of us, Rob will remain part of the board of directors. I look forward to teaming with a talented and purpose-driven mix of board members (as listed below) in the year ahead:

2019-2020 ISACA Board of Directors

  • Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, chair; Vice President - Customer Support Services Security Risk Management for Oracle Corporation
  • Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, vice chair; Partner and CEO, Forfa Consulting AG
  • Tracey Dedrick, director; former Chief Risk Officer, Hudson City Bancorp
  • Pam Nigro, CRMA, CISA, CGEIT, CRISC, director; Senior Director, Information Security, GRC Practice, Health Care Service Corporation (HCSC)
  • R.V. Raghu, CISA, CRISC, director; Director of Versatilist Consulting India Pvt. Ltd.
  • Gabriela Reynaga, CRISC, CISA, GRCP, director; Founder and CEO of Holistics GRC Consultancy
  • Greg Touhill, CISM, CISSP, Brigadier General (ret), director; President of Cyxtera Federal Group, Cyxtera Technologies
  • Asaf Weisberg, CISA, CRISC, CISM, CGEIT, director; Founder and CEO, IntroSight
  • Tichaona Zororo, CISA, CISM, CGEIT, CRISC, COBIT 5 Certified Assessor, CIA, CRMA, director; Director, IT Advisory Executive with EGIT | Enterprise Governance of IT (Pty) Ltd.
  • Chris Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director and 2015-17 board chair; Group Chief Services and Delivery Officer at INTRALOT
  • Rob Clyde, CISM, NACD Board Leadership Fellow, director and 2018-2019 board chair; Managing Director, Clyde Consulting LLC
  • David Samuelson, ISACA Chief Executive Officer

Working together with nearly a half-million engaged professionals around the world and ISACA’s professional staff, the board is committed to driving toward an ambitious and promising future. The work that ISACA’s professional community performs in audit, governance, risk and security not only is essential to the success of the organizations that we serve, but also is becoming central to the health of our broader society as artificial intelligence and other high-impact technologies become pervasive.

ISACA has experienced remarkable growth during the 25 years in which I have been an active volunteer. During that time, the technology environment has become much more complex as we have ushered in the era of digital transformation and growing cyber threats. This change environment, and the corresponding challenges that have been created, provides a healthy sense of urgency to ensure that ISACA delivers even greater value to our professional community. In a world increasingly reliant on securely and effectively leveraging technology, the need to help professionals and their enterprises around the world realize the positive potential of technology provides a shared sense of purpose, and I am proud to play a part in this important work.

Category: ISACA
Published: 6/17/2019 9:57 AM


(14/06/2019 @ 17:09)

Drive Your Own Destiny in Achieving Goals


Adam Kohnke

An individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career. To that end, the ability to visualize, establish and pursue goals is a useful tool to realizing our personal desires, both personally and professionally. This blog post will provide some insight on basic, but useful, practices that individuals may adopt to help them start setting and achieving relevant goals, as well as explore common problems individuals run into with setting goals, with examples of how to overcome those problems and achieve what they desire.

As individuals, we typically find ourselves strictly focusing on the end result we’d like without really assessing the actions, outcomes, time and effort necessary to achieve the desired result. This leads us to having eyes bigger than our stomachs and is likely to result in failure to achieve our goals. Whether the goal involves obtaining a new security certification, a desired job promotion or paying the mortgage off early, these goals require adequate thought and planning on the challenges to be faced. As Abraham Lincoln is quoted as having said, “Give me six hours to chop down a tree, and I’ll spend the first four sharpening the axe.” Focusing on the journey and preparation necessary to achieve our goals and not the final destination puts us on a track to action and allows us to shed wasted energy on wishful thinking.

My own approach to setting personal and professional goals always uses the SMART method. Goals should be Specific, Measurable, Achievable, Relevant and Time bound. Most organizations adopt the SMART goal method for employee goal-setting, but they are useful for setting personal goals, as well. For example, a SMART personal goal related to achieving the CISA certification could be as follows (assuming a 30 June start date):

  1. Schedule the CISA exam for 1 October
  2. Finish reading the CISA exam preparation guide by 31 July
  3. Complete all CISA practice exam questions with a passing score of 85 percent by 31 August

Each element is specific to CISA exam preparation, is measurable with dates on each item included, is achievable (as three months of preparation are provided), is relevant to passing the certification exam and is time-bound because the first step of scheduling the exam is driving completion of the following steps. This example shows how achieving small steps can lead us to our larger desired end result. Obviously, there is no guarantee of a pass on the exam, but by setting necessary preparatory goals, there is an increased likelihood of success.

A useful tool for ensuring the continued pursuit of goals is a printed list, either written or typed and printed. The list should be hung somewhere where it serves as constant reminder to fulfill the actions written on it. The medium is not too important as long as the list stares you in the face every day and burns a hole in your brain to get it done! I personally aim to write down and achieve approximately 12 goals every quarter that fulfill a mix of professional and personal accomplishments. Some are easy, such as attend a volunteer event, and some are more difficult goals, such as finish my first Cybrary course.

Revisit your overall personal goals at least quarterly and set new goals on a non-stressful schedule. Make it fun and enjoyable, but ensure goals are meaningful to move you in the direction you desire. Slowly, you’ll start seeing the results and stronger habits will be formed to achieve loftier goals. By leveraging this mindset in my professional life, I have found that I start setting and achieving mini-goals at work when conducting audit engagements. I often use lists to drive my daily work activities and sometimes rework the daily list several times. I usually keep no more than six items on my list, then as I achieve 50 percent or more, I create a new list starting with what’s left over from the previous list.

Our goals will not achieve themselves. Getting what we want typically will require some patience, grit, experimentation and the desire to see things through to the bitter (or hopefully pleasant) end. We are the drivers of our destiny, so again, let’s focus on the journey, and soon enough we will arrive at our intended destination.

Category: Audit-Assurance
Published: 6/14/2019 3:23 PM


(06/06/2019 @ 21:24)

Rethinking Cost Analysis in the Era of Cloud Computing and Emerging Tech


Katsumi Sakagawa

Have you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.

The entire cost element must be taken into account: from where the cost occurs to what the cost consumes. An enterprise not only has to consider emerging technologies, but also has to consider the current legacy system. An inevitable, necessary cost exists in the file service required to produce what an enterprise needs.

You have the groupware function relating to the workplace and project activities, and the firewall function to avoid malicious access and protect data, and their updated plans.

On the other side, a for-profit enterprise has to earn a profit. A company may have to restructure its home pages and address new systems, possibly with newly emerging technologies like RPA, AI and so on.

The whole cost consists of three categories:

  • The first category involves the fixed costs to maintain the current computer system. There are costs for the hardware and software, middleware, network facility and applications to communicate with employees and outside partners (using, for example, Office 365® and its automatic updating systems), and maintenance of a cloud subscription.
  • The second category includes the inevitable costs to earn profit, such as restructuring a new site where customers access and select goods to purchase in order to gain an advantage against competitors. Here, a cost will vary depending on how much development and re-structuring is needed. A certain company may decide to invest huge amounts in RPA to reduce future cost. Another company may migrate the current on-premise environment to the cloud to pursue reduced costs. These are neither fixed costs nor variable costs, but the costs should be planned for in the budget. It is crucial to analyze the gap between the planned budget and costs consumed.
  • The third category deals with contingency and risk response costs. I have seen many companies and projects budget for contingencies. For example, 10 percent of the fixed costs often is planned as a contingency cost or the risk response cost. In a sense, this is a semi-fixed cost, not a true fixed cost.

Category: Audit-Assurance
Published: 6/12/2019 3:01 PM


(06/06/2019 @ 20:31)

A Look at CIS Controls Version 7.1


K. Harisaiprasad

CIS Controls Version 7.1, released in April 2019, was developed by the Center for Internet Security (CIS), which consists of a community of IT experts. CIS Controls is a set of 20 prioritized controls divided into three categories, basic, foundational and organizational, which also map onto the Implementation Groups (IGs): IG1 is the basic controls, IG2 adds the foundational controls to IG1, and IG3 adds the organizational controls to IG2.

The basic category consists of controls for the inventory and control of hardware assets, inventory and control of software assets, continuous vulnerability management, controlled use of admin rights, and the secure configuration for hardware and software on mobile devices, laptops, workstations and servers.

The foundational category has 10 controls: email and web browser protection, malware defenses, limitation and control of network ports protocols and services, data recovery capabilities, secure configuration for network devices, boundary defenses, data protection, controlled access based on the need to know, wireless access control, and account monitoring and control.

The organizational category includes controls for implementing a security awareness and training program, application software security, incident response and management, penetration tests and red team exercises. These controls together form a net that provides best practices for mitigating common attacks against systems and networks.

Organizations should implement basic controls first, followed by foundational and organizational. Basic controls also are referred to as “cyber hygiene,” as these are the essential protections that must be in place to defend against common attacks. IG1 is recommended for small businesses, IG2 is suitable for regional organizations and IG3 is implemented for large corporations. Each control has sub-controls with descriptions for each, and each control has the following elements:

  • Description mentioning criticality of control
  • Actions that the organization should take to implement the control
  • Procedure and tools to enable implementation
  • Entity relationship diagrams that show components of implementation

For example, control 5 is described below as given in the CIS V7.1 document.

CIS control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why is the control critical?
As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared toward ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unneeded software can be exploitable in their default state.

Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the procedures and tools section below provides resources for secure configurations). Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or to support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.

Actions the organization should take to implement the control

Table columns: Asset Type*, Security Function Δ, Control Title, Control Description. Each sub-control is listed below by its control title, with the security function where the source gives it:

  • Establish Secure Configurations – Maintain documented security configuration standards for all authorized operating systems and software.
  • Maintain Secure Images (security function: Protect Δ) – Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
  • Securely Store Master Images – Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
  • Deploy System Configuration Management Tools – Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
  • Implement Automated Configuration Monitoring Systems – Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalogue approved exceptions, and alert when unauthorized changes occur.

* Asset type includes assets such as applications, devices, users, network, data, etc.
Δ Security function includes Identify, Protect, Detect, Respond and Recover.

Procedures and tools
Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:

Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits.

For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes impractical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment – for example, a web server in the demilitarized zone (DMZ) versus an email or other application server in the internal network. The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.

Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging in to each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed.
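The sub-controls above call for integrity-monitored master images, configuration management tools that look for deviations from the standard image, and a monitoring system that catalogues approved exceptions and alerts only on unauthorized changes. The Python script below is an added example written for this page, not code from CIS, ISACA or the post's author: the baseline, hostnames, exception catalogue, observed settings and image bytes are all constructed, and the setting names are illustrative rather than CIS benchmark or SCAP identifiers.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One unauthorized deviation from the documented configuration standard."""
    host: str
    setting: str
    expected: str
    observed: str


# Constructed baseline: the organization's documented configuration standard
# for one image class. Setting names are illustrative, not CIS or SCAP ids.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "telnet.enabled": "false",
    "audit.enabled": "true",
    "password.min_length": "14",
}

# Constructed catalogue of approved exceptions: host -> {setting: allowed value}.
# A deviation listed here is documented and therefore not alerted on.
APPROVED_EXCEPTIONS = {
    "ws-042": {"ssh.PasswordAuthentication": "yes"},
}


def check_drift(host, observed, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Compare observed settings against the baseline and return a Finding for
    every setting that deviates and is not covered by an approved exception.
    A setting absent from the observation is reported as '<missing>'."""
    findings = []
    host_exceptions = exceptions.get(host, {})
    for setting, expected in baseline.items():
        actual = observed.get(setting, "<missing>")
        if actual == expected:
            continue
        if host_exceptions.get(setting) == actual:
            continue  # catalogued exception, not an unauthorized change
        findings.append(Finding(host, setting, expected, actual))
    return findings


def image_digest(image_bytes):
    """SHA-256 hex digest of a master image, recorded when the image is approved."""
    return hashlib.sha256(image_bytes).hexdigest()


def verify_master_image(image_bytes, recorded_digest):
    """Integrity check for a stored master image: True only if the current
    digest matches the one recorded at approval time."""
    return image_digest(image_bytes) == recorded_digest


# Constructed observations, shaped like what an agent or agentless scan returns.
OBSERVED = {
    "ws-041": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "telnet.enabled": "false",
        "audit.enabled": "true",
        "password.min_length": "14",
    },
    "ws-042": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",  # approved exception
        "telnet.enabled": "true",             # unauthorized change
        "password.min_length": "14",          # note: audit.enabled is missing
    },
}


def scan_fleet(observed_by_host=OBSERVED):
    """Run the drift check over every host and return findings keyed by host."""
    return {host: check_drift(host, obs) for host, obs in observed_by_host.items()}


if __name__ == "__main__":
    for host, findings in scan_fleet().items():
        for f in findings:
            print(f"ALERT {f.host}: {f.setting} expected {f.expected!r}, observed {f.observed!r}")
    approved = b"constructed master image bytes"
    digest = image_digest(approved)
    print("image intact:", verify_master_image(approved, digest))
    print("image tampered:", verify_master_image(approved + b"x", digest))
```

Run as-is, the script alerts on ws-042 for the enabled telnet service and the missing audit setting, stays silent on the catalogued password-authentication exception, and shows the image check failing after a single appended byte. Treating a missing setting as a deviation rather than as compliant is the deliberate choice here, since an unreadable or absent control is exactly the kind of "decay" the control text warns about.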

Category: Security
Published: 6/10/2019 2:58 PM


(06/06/2019 @ 21:02)

Last updated: 18/06/2019 @ 16:34