RSS - Isaca.org

ISACA Now: Posts

http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/AllPosts.aspx

RSS feed for the Posts list.

The Impact of GDPR on Cybersecurity Managers

Anna Vladimirova Kryukova

Around six months have passed since the General Data Protection Regulation (GDPR) took effect. Among the many unclear implications of GDPR, the vaguest might be how to ensure compliance with the security requirements, including data protection by design and by default. It has been a tough task for cybersecurity professionals to understand how to interpret the GDPR requirements, and it will probably be a continuous struggle over the next several years.

However, the interpretation of these GDPR provisions should not be the only aspect to command our attention. The increased penalties (up to 20 million Euros or 4 percent of the total annual turnover) made many companies think not only about how to ensure compliance, but also about what happens if the required measures are not implemented. Thus, the question for many companies is who will be liable for compliance failures regarding GDPR security rules: the company or cybersecurity manager?

There is no single answer and many aspects depend on the laws, regulations and case-law in each country. For example, there are cases in the UK that prove that the issue of employees’ responsibility for data protection should be addressed, but the scope of the liability may vary. For instance, in one case an employee was sentenced to eight years in prison, and the company is still in court trying to prove that it should not be liable. In another case, a six-month sentence was imposed only on the employee for unauthorized access to personal data.

Moreover, the scope of responsibility might be a concern for companies that have offices all around the globe, which entails differing application of laws regarding the liability of employees. Taking into consideration the high stakes and the new, broad security requirements introduced by the GDPR, it is time for companies and their cybersecurity managers to make their relationship as transparent as possible for both parties. This can be done in the following way:

  1. Define the scope of responsibility. Cybersecurity managers should have a clear understanding of their specific role regarding the GDPR implementation, the systems that are covered, and their access rights.
  2. Define the territory. It is necessary to understand the territorial scope of the GDPR compliance that a specific person is responsible for. Is it the place where the manager is physically located or is it broader? This question should be answered especially in cases of international group companies where one person can be in charge of several organizations.
  3. Agree on communication. If the scope of the responsibility overlaps with other managers or employees, it is crucial to agree on how you work together and how common tasks are distributed.
  4. Prove it. All of the agreements reached on the scope of responsibility and distribution of tasks should be provable. If it is possible and reasonable to put them on paper, it should be done. Other options (such as communicating the main terms over email) are also relevant if the company and the cybersecurity manager will be able to prove, should a conflict take place, that a certain arrangement was accepted by all stakeholders.

It might seem that it is sometimes more beneficial to avoid agreeing on specific things and engaging in unpleasant talk about what happens in case of a non-compliance penalty. However, a clear framework addressing the scope of responsibility and liability can be considered a personal incident response plan for cybersecurity managers that will help them to perform their work under transparent and clear conditions.

Category: Security
Published: 11/19/2018 3:04 PM

(16/11/2018 @ 22:48)

Is HIPAA Compliance Enough to Keep Your Organization Safe?

Anna Johannson

The Health Insurance Portability and Accountability Act (HIPAA) has evolved considerably to keep up with the demands of our modern society. Now that protected health information (PHI) is kept via electronic records, healthcare organizations need to comply with the HIPAA Security Rule if they want to keep their patients’ data private (and avoid a hefty fine).

What’s Required for HIPAA Compliance?
HIPAA compliance requirements can be complicated, but at a minimum, you’ll need to do the following:

  • Only access PHI information when you need to and/or when you have permission. First, you’ll need to comply with all former iterations of HIPAA by not accessing PHI data unless you have the patient’s explicit, written permission to do so, or if it’s required to treat your patient adequately.
  • Have an emergency plan to access PHI. In some cases, you may not be able to get your patient’s permission, and you may not have the account access necessary to retrieve it. What happens then? To be HIPAA-compliant, you’ll need to have an emergency plan in place.
  • Limit and secure email transmissions of PHI. At times, you may need to transmit patient information via email. Avoid these situations when possible, and make sure you’ve upgraded your email platform to be HIPAA-compliant when transmitting via email becomes necessary.
  • Back up all patient data. This should be common sense, but have a backup in place for all patient data, preferably, a HIPAA-compliant source of cloud storage. Don’t risk the damage or destruction of patient data.
  • Give role-based permissions to staff. Your staff members shouldn’t have universal access to patient records. Establish multiple roles, with varying types of permissions, so staff members can access only the data they need.
  • Take precautions against malware. Malware can bring your entire system down, so make sure you have a strong antivirus platform in place, and keep all your apps updated.
  • Maintain different passwords, and change them routinely. Every staff member should have a unique password, and be prompted to change those passwords regularly.
  • Maintain activity logs and audit controls. Your digital systems should keep track of activity, noting when records are accessed or changed. That way, you can audit them in the event of a breach or other suspicious activity.
  • Never leave PHI out in the open. Avoid leaving PHI open on a computer. Always log out before leaving a room.
  • Enable automatic logouts. Computers should log out automatically if left unattended for a few minutes.
  • Don’t share PHI information. Staff members shouldn’t share PHI with anyone unless they have explicit permission from the patient and/or orders from a physician to do so.
  • Dispose of PHI information properly and completely. If and when you need to delete patient records, do so completely and securely. That means shredding all documents and wiping all hard drives.
  • Keep an updated training program. Your staff should always be up-to-date on the latest HIPAA security practices. Make sure your training program dedicates enough time to learning these fundamentals, and introduces new information as it becomes available.
  • Have and test a disaster recovery program. What happens if your system’s integrity is compromised? Have a plan in place and test it to ensure it’s working and that staff understand it.
  • Ensure all partners and vendors are following proper procedures. A breach from outside your organization can compromise your PHI; make sure your partners and vendors are HIPAA-compliant as well.
  • Report any security incidents. If you do encounter a security breach, report it, and update your policies to guard against similar events in the future.

Are these standards enough?
Meeting HIPAA standards will ensure your organization remains HIPAA-compliant, avoiding legal trouble that could arise if you slip up. But is it truly enough to keep patient data safe?

HIPAA doesn’t have set requirements for specific types of security; for example, it doesn’t mandate that you use a certain encryption standard, or set your passwords in a specific format. Instead, it’s up to your discretion how to set those standards for your own organization. Competent security isn’t just about checking items off a list; it’s about creating an environment that’s actively searching for and guarding against potential new threats, and evolving to face those threats more efficiently.

In short, HIPAA standards are a great start to any organization’s data security, but they aren’t enough to have a truly comprehensive security program.

Learning to keep up
Even if you believe all your current practices keep your organization HIPAA-compliant, and even if that level of compliance is enough to keep your patients’ data safe, it may not stay that way for long. HIPAA is constantly being updated to respond to new threats and add newer, better layers of protection for patients in the United States. If you want to stay ahead of cybercriminals, and remain in compliance with these regulatory requirements indefinitely, you’ll need to stay plugged into the latest news—and be willing to adapt your security protocols at a moment’s notice.

Category: Government-Regulatory
Published: 11/15/2018 3:01 PM

(14/11/2018 @ 21:36)

Before You Commit to a Vendor, Consider Your Exit Strategy

Baan Alsinawi

Vendor lock-in. What is it? Vendor lock-in occurs when you adopt a product or service for your business, and then find yourself locked in, unable to easily transition to a competitor's product or service. Vendor lock-in is becoming more prevalent as we migrate from legacy IT models to the plethora of sophisticated cloud services offering rapid scalability and elasticity, while fueling creativity and minimizing costs.

However, as we rush to take advantage of what the cloud has to offer, we should plan strategically for vendor lock-in. What happens if you find another cloud provider that you prefer? How will you migrate your services? What are the costs, how disruptive will it be, and will you have the professional talent to transition successfully?

As a vendor, locking in customers by ensuring that they cannot easily transition elsewhere is smart business. However, as a buyer looking for innovative solutions and a better value for services, you require flexibility if your business needs change, or if a vendor is no longer available due to bankruptcy or restructuring.

As you adopt a growing array of cloud-based anything-as-a-service (XaaS) to outsource your business support functions—from Salesforce to AWS services, Google docs to Microsoft Office 365—consider your exit strategy if your business needs change, or your vendor is no longer available.

Take a step back and consider vendor lock-in as part of your overall risk management strategy. A single cloud provider can offer great options for redundancy, risk management and design innovation. But what happens when you consider redundancy across multiple providers? How easy is it to have a primary service on AWS and a secondary/backup on Google? Not so easy.

Best practices suggest that you shouldn’t put all your eggs in one basket. However, developing a SaaS solution designed to work on two disparate cloud services is a complex undertaking. If you are simply using the cloud for storage/raw data backup, you may be able to transfer data between providers. Even then, you need to pay attention to data structures and standards across platforms. When developing complex solutions that rely on outsourced technologies such as AWS continuous development/continuous integration (CD/CI), Splunk Cloud for auditing, or Qualys Cloud for vulnerability scanning, how much redundancy and portability are you baking into your risk management strategy?

Also, what happens if AWS is no longer available? This seems highly unlikely today, with their stocks hovering at around US $2K a share. But what if your new CIO decides Azure offers better widgets? Or your CISO wants a primary platform on AWS and a backup on Oracle? There are vast differences in these platforms, and one development effort will not be easily portable to the other.

For example, TalaTek is developing its own next-generation cloud-based solution for its current platform. We must consider the additional time, multiple developers and increased complexity required to operate on two different cloud platforms to manage this risk. The question we ask is: can we afford not to plan for an exit strategy if our strategic business goals were to change?

Acknowledging the risk, and in some cases accepting it, is a key aspect of risk management. TalaTek has accepted the risk in adopting a single cloud platform, since it makes business sense to do so.

What should you consider when adopting cloud-based services? Here are our top five considerations:

  • Have a resilient risk management strategy that requires you to continuously re-evaluate your risk assumptions and diligently monitor market changes.
  • Negotiate strong service-level agreements, vetted by legal experts, in the design of your cloud strategy.
  • Align your business and IT/cloud strategies to protect your investments and ensure continuity of operations.
  • Where possible, use open source stacks and standard API structure to provide portability and interoperability.
  • Consider whether your risk tolerance allows you to accept some risk. If you are offering a SaaS solution to manage your client’s CRM, your risk tolerance is different from that of a hospital using the cloud to manage all of its client health data.

The cloud is here to stay. Assess your options, be smart about your strategy, and consider your exit options as you embark on the exciting journey into the cloud.

Category: Cloud Computing
Published: 11/14/2018 3:01 PM

(13/11/2018 @ 17:56)

COBIT 2019 Makes Framework Easier to Understand, Customize

Mark Thomas

Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.

I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.

1. Sharper clarity. Past iterations of COBIT, most recently COBIT 5, helped practitioners across the world solve countless business challenges and help their enterprises better manage and govern enterprise IT. There was a lot to like, but that doesn’t mean they were perfect. In COBIT 2019, we have identified areas for improvement to ensure that COBIT users are able to extract even more value from the framework while making the content more accessible and straightforward.

For example, I often was asked to describe the COBIT 5 enablers, and it was difficult for me to succinctly explain, so I started calling them ingredients. We now have transitioned to referring to them as components of a governance system, a much clearer characterization. Throughout the COBIT 2019 publications, the terminology is less academic and more applicable, allowing users to streamline the adoption timeline.

2. New focus areas. I’m enthused about the new focus areas that are set up to organize certain hot governance topics, such as small/medium sized businesses, cybersecurity, digital transformation, cloud computing, privacy and DevOps.

While the COBIT framework has thrived for 20-plus years because it addresses core business principles that are every bit as true now as they were in the 1990s, it nonetheless was important to provide updated guidance pertinent to key drivers of the current technology landscape, and COBIT 2019 takes a big step forward in that regard.

3. New design factors. COBIT 2019 highlights new factors that can influence the design of an enterprise’s governance system and position organizations for success in the use of information and technology. These include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • Enterprise size
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy

These design factors take into account enterprise strategy and allow users to better customize COBIT to a specific organizational structure.

4. Updated goals cascade. The new goals cascade supports the prioritization of governance and management objectives based on enterprise goals. Starting with stakeholder drivers and needs, this model seeks to avoid the frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise. The alignment goals have also been consolidated, reduced, updated and clarified where necessary. These goals are organized using the Balanced Scorecard view and include example metrics to measure the achievement of each goal.

5. Integration between the CMMI maturity model and our current capability model. Performance management is an essential part of a governance and management system. It expresses how well the system and all components of an enterprise work, and how they can be improved up to the required level. As such, it includes concepts and methods such as capability and maturity levels. COBIT 2019 performance management leverages both the current capability model and the CMMI maturity model using the following principles:

  • Simple to understand and use
  • Consistent with and supports the COBIT conceptual model
  • Provides reliable, repeatable and relevant results
  • Flexible
  • Supports different types of assessments

Editor’s note: For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit www.isaca.org/cobit.

Category: COBIT-Governance of Enterprise IT
Published: 11/13/2018 7:56 AM

(08/11/2018 @ 17:41)

Last updated: 20/11/2018 @ 20:24