RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

Develop Your Information Security/Privacy Career

Rebecca Herold, Jaret Pfluger

Information security and privacy careers are expanding. There is more need for such professionals than ever before, as more technologies emerge and are used by businesses, government, healthcare and other types of organizations; as more personal data is constantly being collected through the technologies; and as more laws and legal requirements are enacted to protect that exponentially growing digital ocean of personal data. Certainly, the number of entities that see this endless tsunami of generated personal data as profit opportunities, through malicious or surreptitious use, also is increasing.

Information security and privacy opportunities will continue to become more numerous. Despite this, many trying to break into the fields, or trying to advance, lament that they don't know how to find these job openings or are not getting the opportunities they had hoped for.

One way to resolve these frustrations and career bottlenecks is to join professional associations, such as (of course) ISACA. These can help you leverage your abilities and experiences to get the positions that you want the most and have helped us throughout our careers.

Here are a few ways we have experienced career development benefits with ISACA throughout the years, as well as how you can expand your skillset and knowledge in the areas of information security and privacy.

Local ISACA Chapters
There are many benefits to being active in your local ISACA chapter. For example, consider the ILLOWA ISACA chapter in the US (where Jaret Pfluger is chapter president), which serves eastern Iowa and western Illinois.
The ILLOWA ISACA Chapter exemplifies many of the ways that a local ISACA chapter can provide career development and networking opportunities for its members. Here are some of its activities that might provide ideas to energize your members:

  • Monthly Cyber-Chats. ISACA Cyber-Chats, which debuted in January of 2018, provide a spicy, modern, online interactive learning format. The format was recently discussed on the international radio show, “Data Security & Privacy with the Privacy Professor.” The connection to radio was coincidentally apropos since the ILLOWA chapter members discussed the ISACA Cyber-Chats as a 21st-century “fireside chat,” reminiscent of those addresses that former President Franklin D. Roosevelt delivered via radio to Americans in the 1930s. The ISACA Cyber-Chat conversations focus on addressing important cyber events from the prior month, in addition to covering predefined mini-presentations. Everyone, whether or not they are an ISACA member, is welcome to listen to the monthly broadcasts and register online for free. Those attending will get 1 CPE. See our events page for updated Cyber-Chats links each month.

What other online offerings might other chapters offer in your area?

    • Online events are relatively common but not necessarily consistent. Moreover, these events typically are a deep-dive into a single topic as opposed to a smorgasbord of current events. The event may or may not have a cost associated with it. Check which events are offered by your local chapter – your mileage may vary.
    • ILLOWA welcomes members from other chapters to join our Cyber-Chats. Our website is updated monthly with new event information.
  • 1-Day Seminars. ILLOWA offers two full-day seminars per year. The Spring Seminar will be 25 April, focused on “Building a Privacy Management Program & Performing Privacy Impact Assessments,” taught by Rebecca Herold. The class participants will receive 8 CPEs, and four people will have the opportunity to win two copies of the ISACA Privacy Principles and Program Management Guide and two copies of Implementing a Privacy Protection Program: Using COBIT 5 Enablers with the ISACA Privacy Principles as door prizes. These books will also support the privacy impact assessment case studies that will be provided during the class.

What may chapters offer in your locale?

    • Full or half-day events are common at larger chapters. For example, the Detroit chapter offers a multi-day, multi-track format each spring.
    • If you are a smaller chapter spread out over a large territory that makes it difficult to get together often, consider offering a 1-Day Seminar once or twice a year and supplementing with monthly online learning opportunities.
    • If a large city is nearby or if you happen to be visiting a large city, check out that local chapter’s website to see what is being offered.
  • Monthly (or Weekly) Meetings/Socials. The ILLOWA ISACA chapter board meets monthly for planning purposes but squeezes in full-member meetings during the end of its spring and fall seminars. Because of its large territory coverage, ILLOWA encourages volunteers in their immediate vicinity to provide local meetups at cafes or micro-breweries. Small chapters may not have enough interest to maintain a crowd from month-to-month. Reach out to other groups in the area and invite them to participate.

What are other chapters doing for monthly meetings/socials?

    • In large chapters, monthly or even weekly meetups are quite common.
    • For example, the Atlanta chapter’s event page has a Twitter feed where it advertises monthly meetings.
    • The Minnesota chapter offers social events that may include a presentation once a week. These events are offered in the Twin Cities area and will hop from location to location to make them more accessible to members throughout the month.
    • If you are in a chapter that lacks monthly meetings or social events, contact your chapter’s leadership. Who knows? If nothing is going on, maybe an opportunity awaits you to spearhead a meetup – and don’t worry if initial turnout is small. Over time, persistence will yield more participation.

While these are just a few examples, we are providing them with the goal of giving you a good boost to your own brainstorming for what you can do within your own local ISACA chapters. We view them all as great opportunities for networking, as well as professional development.

Connect with ISACA International
ISACA has been working for the past several years on building its privacy management resources and expertise. So, if you want to move into a privacy career, or are interested in learning or beefing up your privacy management knowledge, and getting more privacy management tools, using the ISACA privacy research and tools will provide you with a great amount of practical resources.

In 2017, ISACA published two privacy books to provide information assurance professionals with information about the key privacy and data protection concepts they need to establish their own privacy management programs and to support privacy audits. ISACA has also provided several privacy management webinars and tools to members as well. Some of these publications and tools include:

Then, of course, there are the many ISACA education offerings. These include opportunities such as conferences, held globally throughout the year, along with a large number of online events. All of these can help ISACA members obtain the information necessary to support their career development goals, including in the areas of security and privacy.

Bottom Line
There are many opportunities for advancing your information security, privacy and/or compliance careers. One effective pathway is through a very wide range of existing professional and career associations, and by actively participating in your local association chapters and networking with members. You can also advance your career by learning about information security and privacy news, pivotal events, and careers, such as on Data Security & Privacy and other radio shows that give such advice.
If you want to take your career forward, proactively take advantage of the opportunities that are waiting for you to seize them.

Category: Security
Published: 4/20/2018 2:57 PM


(19/04/2018 @ 18:57)

Happy ISACA Volunteer Appreciation Week!

Melissa Swartz

Happy ISACA Volunteer Appreciation Week! While my colleagues and I agree that we should celebrate our volunteer partners at the chapter and international levels every day, we are thrilled to participate in a week of highlighting some of the ways volunteer support is essential. After all, ISACA exists to support our members in the IT audit, risk, governance, assurance and security industries, and our local and international volunteers are the ones fulfilling our purpose and promise, and exemplifying our values.

Where would we be without the passionate, dedicated and innovative experts advancing ISACA’s great work? For one, we would miss out on the camaraderie in networking and bonding over accomplishing sometimes-challenging objectives to advance our work. We love working with people like Jack Freund, CRISC Certification Working Group member and 2018 ISACA John W. Lainhart IV Common Body of Knowledge Award recipient, who is a huge proponent of giving back. “You should volunteer and get involved with ISACA because it is important, hard work,” he said. “It’s work that will put you in touch with the best in your industry at the local and international level, and working with the best makes you better as well.”

What makes our volunteers the best? It’s their interest and expertise that makes it possible to accomplish impactful initiatives. Check out these highlights from the first quarter of 2018.

  • The ISACA Foundation Working Group is establishing a mission and purpose for a philanthropic strategy at ISACA with the intent to better serve underrepresented segments of our community.
  • Through local and international events, research initiatives and creating a network of champions, the Women’s Leadership Council and SheLeadsTech Working Groups are advocating to empower female leaders in the tech industry.
  • As part of the new Accredited Training Program, the Chapter Accreditation Assessors are ensuring that certification training offered through our chapters represents ISACA’s highest standards of quality in content and presentation techniques, better preparing future exam-takers to successfully earn their CISA, CISM, CGEIT and/or CRISC designations.
  • Multiple working groups in the Advocacy and Public Affairs space are ensuring that ISACA’s voice is heard in legislative efforts through consultation responses and building relationships with government entities. They are also ensuring our membership has the tools and knowledge to successfully and smoothly ensure GDPR compliance.
  • The ISACA Awards Working Group and reviewers expanded the scope of our peer-recognition program, giving you an opportunity to nominate outstanding professional colleagues, thought leaders and volunteers for the accolades they deserve and to inspire future leaders in our industry.
  • Already this year, Subject Matter Experts (SMEs) have supported more than 10 new research initiatives. SMEs ensure all content issued by ISACA is accurate, timely and relevant in assisting our members with fulfilling their professional roles.

Just think of what we can accomplish for the rest of the year! Why should you join the more than 4,200 people spending their valuable free time giving back each year? Not only are they meeting new people, expanding their professional network, gaining new experiences to advance in their careers, ensuring the security of the future of their profession, and earning CPE hours, but they’re also gaining personal satisfaction by mentoring, teaching, learning leadership skills and much more.

As ISACA Belgium Chapter President and past ISACA board director Marc Vael says, “In return for the time you invest as a volunteer, you meet so many people from different backgrounds, with different experiences and knowledge in an international context. Basically, you get so much more back for the rest of your career. And that is priceless.”

Our volunteers are priceless, and there is no doubt that every day should be ISACA Volunteer Appreciation Day! Without you, our organization would not have existed for nearly 50 years, much less be looking to grow in the next 50. You are the reason ISACA exists and continues to provide valuable resources to our global professional community. Thank you!

Editor’s note: Learn more about volunteering and apply for an open opportunity at www.isaca.org/volunteer.

Learn how to recognize outstanding international and chapter volunteer service with an ISACA Award at www.isaca.org/awards.

Category: ISACA
Published: 4/18/2018 3:03 PM


(17/04/2018 @ 21:09)

An Agile Approach to Internal Auditing

Meredith Yonker

As internal auditors, we’ve seen an uptick in usage of the term “Agile” in reference to how more and more companies are developing software. Agile software development has grown increasingly popular as both software and non-software companies transition from traditional development methodologies, such as the waterfall model, to a value-driven Agile approach. Like any auditable area, this requires internal auditors to understand the key concepts, evaluate the risks and determine how to effectively audit the process based on pre-defined objectives. However, that’s not the purpose of this blog post. What we auditors find even more intriguing is how the values and principles behind Agile software development apply to the field of internal auditing.

The Agile foundation
Agile is an overarching term for various software development methods and tools, such as Scrum and Scaled Agile Framework (SAFe), that share a common value system. Developed in 2001, the Agile Manifesto provides a set of fundamental principles that Agile teams and their leaders embrace to successfully develop software with agility. Companies that have adopted Agile development practices recognize the urgency to adapt quickly to changing technology and deliver enterprise-class software in a short amount of time; otherwise, they run the risk of becoming extinct.

Some of the top benefits of agile development include:

  • Accelerated product delivery
  • Improved project visibility
  • Increased team productivity
  • Better management of changing priorities

Why apply Agile to internal audit?
At The Mako Group, we have found that applying Agile concepts to the internal audit function is not a new concept, but has never been more crucial than in our current environment. Like the companies we aspire to protect through objective assurance and advice, internal audit must be able to address emerging critical risks and provide relevant insight in a timely fashion. Despite our best intentions, many audit departments still develop a long-term plan that cannot be easily changed and often employ antiquated audit methodologies. If we truly want to add significant organizational value and be a trusted partner with management, internal auditing must evolve, and Agile techniques can help us do that.

Agile internal audit tactics
Just as companies are scaling Agile software development based on the size, capabilities and culture of the organization, the extent of an internal audit function’s agility will vary widely for one group versus another. Nonetheless, we have narrowed our focus to three key areas that every internal audit department should consider when becoming more agile:

  • Planning and prioritizing. Agile development teams utilize a backlog as the single authoritative source of work items to be completed, which must be continually prioritized. Items on the backlog are removed if they no longer contribute to the goal of a product or release; whereas, items are added to the backlog if at any time a new essential task or feature becomes known. Similarly, the internal audit function should maintain a backlog of areas to be audited that is regularly evaluated and updated based on risk exposure. Instead of committing to a rigid audit plan, this approach allows for timely inclusion of new risks or auditable areas throughout the year. The importance of collaborating with stakeholders during the planning and prioritization process cannot be overstated. Before beginning work on a task or feature in the backlog, explicit and visible acceptance criteria must be defined based on end user requirements, which is called the definition of ready. This is met for an item on the audit backlog when internal audit has the necessary resources available and agrees with the stakeholders up front on the scope, the goal of the project and the value to be delivered.
  • Streamlining the process. Iterations are one of the basic building blocks of Agile development. Also known as a sprint, each iteration is a standard period of time, usually from one to four weeks, during which an Agile team delivers incremental value in the form of usable and tested software. Ultimately, items that move off the backlog must be divided into a series of sprints, which provide a structure and cadence for the work. In the context of internal auditing, the fieldwork associated with an audit should be broken into fixed-length activities that are appropriately sized to promote the motivation of a tight deadline without stressing the resources in place. As the goal is to be quick and iterative, versus confined to a pre-determined plan, eliminating unnecessary resources and efforts is instrumental to an audit team’s successful completion of the work within a sprint. Whenever possible, gathering evidence independently, which also alleviates the burden on stakeholders, is an excellent way for internal auditors to be more efficient. Moreover, examples of waste in the audit process commonly include:
    • Distributing requests for evidence that are too vague.
    • Sending emails back and forth when a phone call or in-person meeting would be a more productive solution.
    • Exhaustively explaining every step taken without considering that concise documentation could achieve the same effect.
  • Soliciting continuous feedback. One of the most commonly practiced Agile techniques is a daily stand-up meeting, normally lasting no longer than 15 minutes, in which an Agile development team discusses each member’s contributions and any obstacles. To be truly effective, internal audit team members must regularly check in with each other and not hesitate to raise questions or issues as soon as they come up. Rather than waiting until the fieldwork has been completed to start internal reviews, quality assurance should be built into the daily audit activities.

Furthermore, internal auditors must not wait until the end of an audit to provide results. Early and frequent communication with stakeholders means that the final report or presentation should simply reflect a visual summary of the insights already discussed. We should not only identify opportunities to enhance an organization’s operations but also continuously improve our own audit processes. A crucial role on an Agile team to help foster an environment of high performance and relentless improvement is the scrum master. Acting as the coach of an internal audit team, a scrum master would ensure that the agreed Agile process is followed and encourage a good relationship among team members as well as with others outside the team.

Category: Audit-Assurance
Published: 4/17/2018 8:58 AM


(13/04/2018 @ 00:23)

What the Skills Shortage Means for Existing Cybersecurity Practitioners

Ed Moyle

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. Meaning, individuals wishing to position themselves optimally for their future career growth can use this information as part of the “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily … but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills and building a strong professional network are important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that. 

Category: Security
Published: 4/16/2018 8:30 AM


(12/04/2018 @ 15:55)

SQL Databases and Data Privacy

Robin Lyons

If anyone had any doubts, data privacy is still kind of a big deal. Beyond being at the core of regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States to the global, far-reaching General Data Protection Regulation (GDPR), data privacy has its own annual day of recognition – 28 January. As organizations design operational strategies and tactics around data privacy, opportunities to leverage applications with built-in functionality to safeguard sensitive and confidential data are valued. For those using Microsoft SQL Server 2016, there are a couple of areas where built-in functionality can assist with data privacy initiatives.

Where is the data?
Safeguarding of sensitive or confidential data generally begins with data classification. Once data has been identified and appropriately classified, the next effort is establishing internal controls commensurate with the sensitivity/confidentiality level of the data. Depending on the organization, designing and implementing internal controls may be a bit of a hurdle. In its 2017 State of Cybersecurity Metrics Annual Report, IT consulting firm Thycotic reported that 4 in 5 companies don’t know where their sensitive data is. Understandably, unknown data locations make it difficult to identify safeguards to protect the data. As in prior versions of SQL, using SQL Server Management Studio (SSMS) in SQL Server 2016 can provide a list of databases. Also, in addition to a variety of other data querying options, Transact-SQL (T-SQL) queries can be used to locate data and related tables.

Who has the data?
Having identified where the data resides, entities are faced with ensuring that access to the data is limited to those with the appropriate roles in their organizations. Once those access determinations are made (following the Principle of Least Privilege), organizations can then use Microsoft SQL Server 2016’s Dynamic Data Masking (DDM) feature to support their access strategy. With Dynamic Data Masking, sensitive/confidential data remains unchanged in the database while this data is hidden in designated database fields. Organizations can fully or partially mask the sensitive/confidential data depending on how they configure DDM.
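The two steps described above (locating candidate columns with T-SQL, then masking them with DDM), as an added example that is not part of the original post or Microsoft's own sample code. The table `dbo.Patients`, the users `ReportReader` and `BillingClerk`, the column-name patterns and all rows are constructed for illustration.

```sql
-- Added example: every object name and data row below is constructed.

-- 1. "Where is the data?" Search column metadata for names that suggest
--    personal data. The name patterns are assumptions; tune them to your schema.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%ssn%'
   OR COLUMN_NAME LIKE '%email%'
   OR COLUMN_NAME LIKE '%birth%'
ORDER BY TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME;
GO

-- 2. A constructed table with masks declared at creation time:
--    email() and default() mask the whole value, partial() keeps a suffix.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    Email     NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL,
    SSN       CHAR(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NULL,
    Balance   MONEY         MASKED WITH (FUNCTION = 'default()') NULL
);
INSERT INTO dbo.Patients (FullName, Email, SSN, Balance)
VALUES (N'Alex Example', N'alex@example.com', '000-12-3456', 1520.00),
       (N'Sam Sample',   N'sam@example.org',  '000-65-4321',   80.50);
GO

-- A mask can also be added to a column that already exists.
-- The stored data is not rewritten; only query results change.
ALTER TABLE dbo.Patients
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"****",0)');
GO

-- 3. "Who has the data?" A reader with SELECT only sees masked values.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO ReportReader;
GO
EXECUTE AS USER = 'ReportReader';
SELECT PatientId, FullName, Email, SSN, Balance FROM dbo.Patients;
REVERT;
GO

-- 4. Only principals that need the real values receive UNMASK.
CREATE USER BillingClerk WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO BillingClerk;
GRANT UNMASK TO BillingClerk;
GO
EXECUTE AS USER = 'BillingClerk';
SELECT PatientId, FullName, Email, SSN, Balance FROM dbo.Patients;
REVERT;
GO

-- 5. Review: which columns are masked, and who has been granted UNMASK.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS SchemaName,
       OBJECT_NAME(mc.object_id)        AS TableName,
       mc.name                          AS ColumnName,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

SELECT dp.name AS Principal, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';
GO
```

Masking is applied to query results only, so it works alongside object permissions and auditing rather than replacing them; the two review queries in step 5 are the ones to rerun when access roles change.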

Another option for limiting access to data is to use Always Encrypted. This feature allows encryption of sensitive data (at rest and in transit) within client applications. Since encryption and decryption happen outside of the SQL environment, it facilitates least privilege by limiting data access to those who own the data and need to view it.

As data privacy expectations become more permanent fixtures of entities’ operational landscapes, built-in features such as Dynamic Data Masking will become more commonplace. The newer DDM functionality, coupled with existing functionality through SQL Server Management Studio, can help entities achieve and maintain data privacy goals. Coupled with best practices in data management, this built-in functionality should provide an easier path to meeting the data privacy expectations of customers and compliance regulations.

Category: Privacy
Published: 4/13/2018 3:20 PM


(13/04/2018 @ 00:28)

Last updated: 21/04/2018 @ 20:33