RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

The Beginnings of a New Privacy Framework Through NIST


NIST conducted a workshop on 16 October in Austin, Texas, USA, to discuss plans for a voluntary privacy framework, and attendees had the opportunity to have a robust discussion about what such a framework should entail. The workshop was attended by individuals from industry, academia, and government.

According to NIST, a framework is needed because we live in an “increasingly connected and complex environment with cutting-edge technologies such as the Internet of Things and artificial intelligence raising further concerns about an individual’s privacy. A framework that could be used across industries would be valuable in helping organizations identify and manage their privacy risks.” It would also assist an organization in preparing and maintaining a comprehensive privacy plan.

“I think being able to have guidance at a federal level that takes into consideration key other privacy legislation and regulations as well as standards will be important,” said Paula deWitte, computer scientist, author, and privacy attorney. “The comment at the workshop about relentless interoperability of standards and the framework will be key to its usability.”

NIST discussed how the process for creating the privacy framework was largely aligned with how its Cybersecurity Framework was created, with collaboration from the public, and iteratively. NIST envisions the privacy framework as being “developed through an open, transparent process, using common and accessible language, being adaptable to many different organizations, technologies, lifecycle phases, sectors and uses and to serve as a living document.”

“The Cybersecurity Framework is more about critical infrastructure. Privacy is a different beast, and frankly, a bigger lift. We don’t even have a clear definition for privacy. On top of that, privacy is multi-dimensional. One must look at privacy from its impact on the individual, groups, and society,” said deWitte.

“The major elephant in the room identified at the hearing is that we don’t have a grip on what data needs to be protected and where the company’s data is. By that I mean, we don’t fully understand what data must be kept private and we must consider that organizations must be in complete control of data throughout its entire lifecycle including from procuring it, to storing it, to sharing it (as appropriate) to disposing of it,” said Harvey Nusz, Manager, GDPR, and ISACA Houston Chapter President.

With more work to do on the general strategic front, the group determined the overall approach for the framework would be enterprise risk management, a focus both Nusz and deWitte applaud, while offering words of caution.

“I agree that we need to fit the framework into an enterprise risk management approach, but how do we actually define and conduct risk management? Risk management encompasses all types of enterprise risk, so there is the issue of how one defines risk. Is anyone using a good methodology for risk management we can all get behind?” said deWitte.

“Every organization should at a minimum create a risk register,” said Nusz. “That needs to be part of privacy planning.”

The workshop attendees discussed that the risk-based approach represents the reality that privacy has moved beyond a compliance, checklist mentality. It is now a viable business model with data considered an asset. The key is identifying the acceptable level of risk and owning responsibility if something goes wrong.

“This creates legal questions because our laws are written for the physical world, but if my identity is stolen, it can encompass legal issues including jurisdiction, standing and damages. Who has jurisdiction in the cyber world? Law always lags technology, so all of this has yet to be determined,” said deWitte.

“We have an opportunity to build trust with consumers through the way we handle their privacy,” said Nusz. “I look forward to this challenge and working with NIST to see it recognized.”

Some of the ideas for how to put the framework in practice to improve trust with consumers included: incorporating human-centered research in work done to protect privacy, attempts to de-identify information and be as transparent as possible with the process, as well as leveraging privacy enhancing techniques.

NIST will take the feedback from the hearing and build an initial outline, which it will present at a workshop in early 2019. To stay current on the privacy initiative, please visit the NIST Privacy Framework website.

Category: Privacy
Published: 10/19/2018 3:01 PM


(18/10/2018 @ 21:23)

My Organization’s HIPAA Data Got Hacked: Now What?


Brian Gill

You’ve been hacked, and electronic protected health information (ePHI) has been exposed. You have certain compliance requirements, and there are also (intertwined with the needs of compliance) reasonable steps to take to halt the compromise and protect your patients. You may be working with managed service partners who want you to think that everything is fine, but due diligence demands you trust no one and assume the worst (even if you are not yet convinced that ePHI was actually exposed). You must start moving – but what are your first steps? You need to stop the immediate breach, recover your data, follow the law, bolster your security, and consider hiring an incident response company.

Plug the leak.
The highest priority when you get hacked is to make sure that you have successfully blocked access to the intruders. To better understand what has happened (e.g., how broadly data was accessed, the specific methods used by the attackers, their location, etc.), perform a risk assessment. You want to know the time the hack took place and its duration; whether the attack was due to insiders or outsiders; whether someone on your staff is at fault (whether intentionally or not); and whether electronic protected health data was accessed and/or stolen. Incident response firms can potentially help you through this process, as described below.

Get help with data recovery.
HIPAA compliance requires data backup, as indicated by the US Department of Health & Human Services. Being able to rapidly restore your ePHI via RAID data recovery and other means is important, though, especially given the proliferation of ransomware within healthcare. A strong and credible data recovery company will help you know how well you can restore your information, as well as your data backup integrity, through testing. Data backup stipulations should be within your contingency plan. Responding to a security event relies on well-constructed contingency and data restoration plans, the steps of which can be implemented most effectively through partnership with a data recovery service.

Follow state and federal law.
You must be aware which agencies must be contacted in your state and within the federal government. Since the passing of the Health Information for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) and was first enforced in 2013, you are responsible for protecting ePHI whether you are a healthcare covered entity (CE) or a business associate (BA) handling health records for a CE. (See more on that law and the HHS’s Breach Notification Rule below.) You need to contact the Office for Civil Rights (OCR) within the HHS no more than 60 days following the hack. As advised by Mahmood Sher-Jan of ID Experts, be aware that regulators may want to see the individual notification messages you send to patients or users – so ensure that those are compliant, too.

The parameters for notifying agencies and people of this incident are outlined in the Breach Notification Rule. First, make sure that the rule applies. The HHS specifically states that the only relevant data for notifications is unsecured protected health information (so you are safe if the data is encrypted and the hacker does not have a key). Once you determine that the data accessed was not properly secured, you want to start preparing notifications for individuals, the HHS, and – under certain circumstances – the media. If a business associate is breached, it only must worry about notifying the relevant covered entity:

HHS – Whenever you experience a hack, you must report it to the Secretary of the HHS through this portal. It is important to contact the agency right away when there is ePHI of more than 500 people involved – within 60 days and “without unreasonable delay,” per the agency. When the number of impacted individuals is lower than 500, you can report annually for the previous year – as long as you do so no more than 60 days into the next year (i.e., February 29 or March 1).

Individuals – A healthcare organization has to send a notice to anyone who was affected by the hack by email (if you have a signed authorization to send these notifications to the person electronically) or first-class mail. When a firm does not have the current contact details for 10 or more people, they need to take alternative means to get the word out by either sending an announcement to the local media (broadcast or print) in areas where the patients or consumers live, or by posting information about the hack on their website homepage within 90 days. A toll-free number should be available and live for at least 90 days, so that affected people can learn basic information about the compromise. If the number of people for which contact information is outdated is lower than 10, the healthcare company can use a different means of alternative contact, such as telephone or another written format.

Media – Finally, you must contact “prominent” media organizations within areas that are home to 500 or more people whose data was exposed. Just the same as the deadline for contacting the HHS for a larger (500+) hack, you have 60 days maximum to make this contact – and it should happen “without unreasonable delay.”

Covered entity – Business associates do not need to be concerned with the above contact parameters since that aspect is handled by the healthcare firm. However, they do need to notify the covered entity that is involved. Regardless of the number of people whose ePHI is exposed, the BA must get official notice of breach discovery to the covered entity within 60 days.

Improve your security to mitigate risks.
When you get hacked, you want to fix whatever the most immediate vulnerability is right away. However, some steps to address risk can wait until you have thwarted the invasion and have sent out notifications as required by law. Having assessed the risk of the applicable environment (above), a comprehensive assessment should be performed, revealing any other risks that exist and what security steps you can take to keep the hack from occurring again.

Consider working with an incident response (IR) firm.
When you experience a hack, it is critical to move quickly, and having help is fundamental. So that you take the right steps in the first two hours and the first 24 hours, contract with a company that specializes in incident response – one aspect of which is data recovery. Through that function, IR specialists can help determine the exact data that was accessed and vulnerable to the attacker, which limits the scope and reduces the set of notifications that must be sent. With an IR firm, you do not need to handle any of the above steps on your own, grappling to determine if a bad actor remains within your network or how to reestablish your defenses. You will not have to think about contacting the attorneys that need to be involved, or which staff members can shut down hacked email accounts. You simply put their details in your incident response plan. They can then get to work immediately.

Responding rapidly to a healthcare hack
If your HIPAA data is hacked, you want to be able to move quickly and confidently. Whether you recover from the attack yourself or work with an outside organization, the process involves mitigating the immediate issue, recovering the data, sending notifications, improving security long-term, and considering an IR partnership. One way or another, it is key that you are prepared for these events and ready for fast movement in response so that the attack does not turn into a string of violations and lawsuits.

Category: Security
Published: 10/17/2018 3:00 PM


(16/10/2018 @ 20:53)

Three Keys to a Cybersecurity Culture That Will Stick


Heather Wilde

Everyone doing business today shares an unfortunate truth: no matter how strong your cybersecurity program, your employees are your biggest potential source of failure.

It’s not that you’ve hired bad people, but there simply isn’t enough understanding around the issues that are important to keep the company safe. This leads to increased vulnerability to social engineering and phishing attacks at a minimum, which can cause the potential for a greater incursion.

When it comes to cybersecurity, though, businesses are faced with a classic conundrum: How much money and resources should be spent on something that hasn’t – and may never have – happened? It’s easy to blame your employees for being susceptible to spear phishing attempts, but if they weren’t given proper training to spot them, then the fault lies elsewhere.

And that’s just the tip of the iceberg. According to a recent ISACA/CMMI survey on cybersecurity culture, more than 70 percent of companies have specific policies in place for password management, automated device updates and device security, as well as employee training and proper communication workflows in place. However, only 40 percent of respondents say that their organizations’ efforts to create a culture of cybersecurity with substantial employee buy-in have been more than moderately successful.

Interestingly, while 66 percent of respondents said their organization experienced a reduction in cyber incidents, several of the most common benefits were customer-facing: increased customer trust, better brand reputation, increased profitability and strong customer engagement. It appears that while employees may not care about cybersecurity, customers certainly do.

At my former company, Evernote, we suffered a security breach that affected 50 million users. The breach was contained quickly due to the training and procedures we had in place. More importantly, the damage to the brand was minimal due to the communication we had with the customers throughout the investigation. Interestingly, what we learned was that our customers were more annoyed with us at the heightened security measures we put into their accounts – now by default.

The most common support request at that time was for us to allow people to use their old passwords again – because people didn’t want to have to come up with a new one for each site they log into. (Rather than grant that request, we created training on the benefits of unique passwords.)

How, then, can you ensure you have a cyber culture that sticks? Here are three key components:

1. Find a “driving why”
There’s no surer way to demotivate someone to do something than to be told corporate wants them to do it. Likewise, employees are not usually swayed by talk of how much money the company will potentially lose, especially if it means they have to spend an extra 20 minutes every day on a new security process.

Instead, find a way to motivate employees to complete the process; for example, providing subsidized telecommunications plans for employees who install auto-provisioning software on their personal mobile phones rather than using a guest internet (or none).

2. Train, then train some more
The cybersecurity threat landscape is changing rapidly. Every month there are new issues to tackle that didn’t even exist before.

Whether your company is established or just starting out, frequent communication and hands-on training is crucial to maintaining a safe and secure environment.

3. Lead from the top down
No matter how much training you provide, and what incentives you provide your team, if they don’t see leadership following the process, then everything will fall apart. In order to have a strong culture, you need strong leadership to model it.

With those points in mind, the cybersecurity culture of your organization can only grow stronger.

Editor's note: Heather Wilde will participate in a panel discussion on cybersecurity culture this week at ISACA's CSX North America conference.

Category: Security
Published: 10/15/2018 8:25 AM


(25/09/2018 @ 22:32)

The Business Benefits of a Strong Cybersecurity Culture


Doug Grindstaff

I recently discovered a fascinating C-suite report that used an apt metaphor to capture why culture is so challenging for businesses: Organizational culture is like an iceberg. That was Deloitte’s take, and it resonates with me. The relatively small portion you see above the waves represents isolated, highly visible problems—like the employee who opens the door to an attacker by clicking on a link in a phishing email. But the bulk of the culture iceberg is submerged: the shared, but often hidden, beliefs and assumptions that ultimately allow those major security problems to occur.

That’s why creating a healthy cybersecurity culture is such a high priority—and also such a significant challenge. Employees are on the front line of a company’s cyber defense, and their involvement is critical not only in preventing compromise but also in helping the organization respond quickly to the few inevitably successful attacks. For this reason, I consider a security-aware workforce to be one of the three essential elements of a cyber-resilient organization, along with mature cybersecurity capabilities and security-focused technology operations.

The challenge is that building a cyber-resilient organization involves instilling a security-aware culture that involves all employees—including executives, managers and line workers, as well as IT and security experts. And changing the beliefs and assumptions of an entire workforce is not easy.

Yet meeting that challenge can deliver business benefits that extend far beyond a reduction in cyber-incidents, according to a landmark CMMI and ISACA study of the cybersecurity culture at more than 4,800 organizations worldwide. Yes, two thirds of organizations that successfully implemented a cybersecurity culture with substantial employee buy-in said they reduced cyber incidents as a result. That’s a huge benefit in itself.

But more than half of those companies also built strong customer trust and improved their brand reputation, and a substantial number increased profitability and speed to market. In fact, 87 percent of all surveyed organizations believe that strengthening their cybersecurity culture would increase profitability or viability. The financial implications are perhaps not so surprising, since other studies have found that more than half of corporate data breaches result in significant costs, sometimes including lost revenue, not to mention the long-term impact of a tarnished reputation.

Editor’s note: Click here to read the rest of this blog post. For information on the CMMI Cybermaturity Platform, visit the CMMI website.

Category: Security
Published: 10/15/2018 8:26 AM


(26/09/2018 @ 21:02)

Deployment of Emerging Technology in FinTech


Mahmoud Abouelhassan

Fighting poverty and achieving a high economic growth rate are two key priorities for developing countries.

Achieving both of these goals is reliant on financial inclusion. Developing a national digital transformation strategy that focuses on transforming the traditional economy to a digitized economy is the best way to accelerate the run rate in achieving this end goal. 

The journey to financial inclusion is reliant on fintechs: disruptors in the financial sector that are driving innovative transformation and changing the way financial services are delivered, the medium of transactions and the approach to business analysis.

Unlike traditional financial services firms, fintechs are not tied by legacy systems which can delay progress: they can move faster toward new and innovative services by adopting new technologies and redefining standards and expectations within the industry. Fintechs can quickly deploy emerging technologies like blockchain, artificial intelligence and machine learning – technologies that will fundamentally change the world of financial services. PWC UK notes that already “Some large financial institutions are also relying on blockchain for internal transactions between territories, effectively reducing the internal cost of moving money.”

Rapid development in consumer technologies also means customers’ expectations have grown and they now expect a level of personalization and customization which can only be addressed through automation and keeping up with the pace of emerging technologies. Further, these technologies can be used to streamline customer service through the use of chatbots and automated tools. Electronic payments, biometric-enabled authentication and blockchain for digital transactions will all improve security and reduce fraud while increasing customer satisfaction – making them core to new financial services solutions.

Artificial intelligence and machine learning in particular have the ability to improve fraud detection and reduce the need for human oversight by up to 50%. Financial Fraud Action UK (FFA UK) stated this year that fraud costs the UK £2 million every day (according to 2016 figures), and experts expect to see costs reaching $32 billion yearly on online credit card fraud alone by 2020. Artificial intelligence can play a key part in detecting this, automating the process and reducing occurrences by following different approaches like oversampling, undersampling, and combined class methods.

Governments and banks are already seeing the benefits of these emerging technologies. There are two particular examples where their deployment is lowering the cost of financial transactions. In April 2018, the National Bank of Egypt announced that it has joined a large initiative focusing on the research and application of blockchain, with R3. More than 200 banks and international companies have joined this initiative.

By 2021, Dubai will be using blockchain technology for more than 50% of financial transactions, expecting to save 11 billion AED by doing so. When announcing its blockchain strategy, Dubai predicted a 300 million dollar blockchain market across the financial sector, healthcare, transportation, urban planning, smart energy, digital commerce, and tourism.

Emerging technologies readiness
The Emerging Technologies Readiness Survey, published in Egypt during August 2018 by my team, collected the responses of 91 executives from different sectors across technology, banking and fintech. The results show that almost 74% are already using emerging technologies, with almost 29% using big data, 18% machine learning, 17% artificial intelligence, and almost 8% using blockchain.

Figure 1: Emerging Technologies Readiness Survey

The main driver behind adopting emerging technologies was business improvements, with 62% of respondents using emerging technologies citing this.

Figure 2: Emerging Technologies Readiness Survey

Half of respondents said their companies measured the ROI after using these technologies, but a surprising 32% do not measure the ROI and almost 18% were unsure whether their company does or does not.

Figure 3: Emerging Technologies Readiness Survey

Almost 70% of respondents whose companies were yet to adopt emerging technologies in their business stated that they have plans to deploy one or more within the next five years.

Figure 4: Emerging Technologies Readiness Survey

When asked which emerging technologies they were most interested in deploying, almost 34% of respondents said they would consider blockchain, nearly 35% said artificial intelligence, 41% said big data, and nearly 30% said machine learning.

Figure 5: Emerging Technologies Readiness Survey

Embracing emerging technologies for financial inclusion in developing countries
It is clear that emerging technologies will be essential to accelerate the goals of developing countries in achieving high economic growth rates and in driving financial inclusion and a thriving digital economy. Yet traditional financial services firms can’t adapt themselves easily to these emerging technologies because of their legacy systems. They can, however, partner with fintechs to get the benefit of emerging technologies deployment and achieve great mutual success.

Fintechs, traditional financial services firms, technology companies and governments need to develop and build digital transformation strategies together – strategies that include a plan of secure emerging technologies deployment and that have a clear vision of how they will maximize the benefits and minimize the risks of these technologies.

Security readiness for emerging technologies
Using emerging technologies is not only beneficial in terms of innovative new financial services, but also improves the security of information systems.

At the same time, emerging technologies such as machine learning and artificial intelligence will increasingly be used for cyber-attacks and many are not yet equipped to withstand these attacks. Two-thirds of respondents to the survey see potential risks from emerging technologies, with almost 59% saying their companies also realize these potential risks. A somewhat smaller 44% said their companies have a risk mitigation plan for emerging technologies.

Figure 6: Emerging Technologies Readiness Survey

Figure 7: Emerging Technologies Readiness Survey

Figure 8: Emerging Technologies Readiness Survey

Despite the concerns around risks, most respondents could see a great opportunity for using emerging technologies to improve the level of information security at their companies, with almost 81% saying they will use emerging technologies for that purpose.

Figure 9: Emerging Technologies Readiness Survey

Editor’s note: Mahmoud Abouelhassan will provide further insights on this topic on 30 October at ISACA’s CSX Europe 2018 conference in London.

Category: Risk Management
Published: 10/12/2018 3:05 PM


(09/10/2018 @ 18:58)

Last updated: 20/10/2018 @ 09:22