ISACA Journal Blog

Simplifying Enterprise Risk Analysis

Luigi Sbriz, CISM, CRISC, ISO/IEC 27001:2013 LA, ITIL v3, UNI 11697:2017 DPO | Posted: 4/8/2019 3:12:00 PM | Category: Risk Management

How many enterprise risk analysis reports must an organization release? A few years ago, I faced this question in light of cost, time and complexity of the solution. My conclusion is that 1 is fine.

Cost is a consequence of the details I need, the number of people involved and their time. Complexity can come from the need for training sessions (and the costs that come with them). When refreshing basic information takes a lot of time, it is updated less frequently, and stale data lowers the quality of the results.

I want to propose a methodology that assesses risk on 2 levels of evaluation. The aim is to cover any need for detail, cut redundancy in data collection, keep the assessment simple and quick to update, and make it cheap to add and maintain any new control framework.


Proactively Embracing Innovation

K. Brian Kelley, CISA, CSPO, MCSE, Security+ | Posted: 4/1/2019 2:58:00 PM | Category: Audit-Assurance

When looking at innovation, it may seem daunting to involve audit properly to protect the organization. Any new effort carries a lot of unknowns. In traditional project processes, there should be enough time to discover major issues and handle the risk they reveal. Innovation, though, moves faster, and that speed can mean risk is not properly identified and reviewed. Therefore, it is important for audit to become proactively involved in innovation efforts as the organization attempts to improve its ability to compete.

Be Engaged With the Effort
Innovation is proactive and, in some respect, aggressive. Therefore, audit cannot take a passive approach to innovation. Rather, it needs to be an active participant, whether we are talking about an innovation team or an overall, organizationwide effort. Let us look at 2 ways audit can engage proactively.


Defining the Role of the CISO

Robert Putrus, CISM, CFE, CMC, PE, PMP | Posted: 3/28/2019 2:59:00 PM | Category: Security

Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted. CISO positions and responsibilities remain greatly unsettled because digital security crosses many aspects of enterprise transactions, which raises the question of whether it is even possible to place boundaries on the responsibilities of the role.

Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the IT group?


Cybersecurity Auditing Skills

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt | Posted: 3/25/2019 3:00:00 PM | Category: Security

According to the Ponemon Institute/Accenture Ninth Annual Cost of Cybercrime Study, the number of cyberattacks each enterprise sees has increased, these incidents take more time to resolve, and the cost of cybercrime continues to rise. In the last year, the report notes, there have been many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the average number of security breaches per organization, from 130 in 2017 to 145 in 2018. Indeed, the report puts the increase in the number of security breaches over the last 5 years at 67%.


How to Ensure Data Privacy and Protection Through Ecosystem Integration

Dave Brunswick | Posted: 2/25/2019 2:46:00 PM | Category: Privacy

My recent ISACA Journal article, “Data Privacy, Data Protection and the Importance of Integration for GDPR Compliance,” describes how the movement and processing of personal data, along with the procedures around those workflows, are central to General Data Protection Regulation (GDPR) compliance. Here are actionable steps enterprises can take to implement a modern integration strategy that ensures both data protection and data privacy.

Ensure Data Protection
The keys to ensuring enterprise data protection through a combination of tools and policy include:
