ISACA Journal Blog

Skills You Will Not Find on a Resume

Kevin Alvero, CFE, Randy Pierson, CISA, and Wade Cassels, CISA, CIA, CFE, CRMA Posted: 6/25/2018 3:08:00 PM | Category: Audit-Assurance

In our recent Journal article about merging internal audit departments, we discussed a practical approach to taking a skills inventory and then using that skills inventory as one of the primary inputs in making staffing decisions following a merger or acquisition.

In taking a skills inventory, however, it is important for audit management to not overlook critical skills that do not often show up on an auditor’s resume. Many of these can be just as important to the overall success of the department as subject matter expertise and technical skills.

The audit manager should understand which people on his or her team fill these vital, often unofficial roles. For example, who is comfortable talking with external stakeholders? Who can deliver bad news? Who is good at writing and editing and making reports look good? Who loves teaching and coaching? Who has a knack for networking and connecting people? Who champions team building, employee morale and recognition?


The Assessment Will Help Your Organization Tackle Any Security Obstacle

Tyler Hardison, CISSP, PCI-QSA Posted: 6/18/2018 3:03:00 PM | Category: Security

When faced with an obstacle, how do you take the first step? I have found it helps to follow the steps outlined in Lisa Avellan’s article “Five Simple Steps When You Don’t Know Where to Start”:

  1. Breathe and relax
  2. Prioritize
  3. Make the best decision
  4. Act immediately
  5. Evaluate

Today’s obstacles in business are typically around managing information security and the growing cyberthreats. As you are faced with security obstacles, these 5 steps can help:

  1. Breathe and relax—The scope and complexity of an assessment can seem stressful and overwhelming at first. Take a breath, relax and begin to tackle it step by step. You will find the actual process to be less agonizing than at first assumed.
  2. Prioritize—I recommend that you start by conducting an assessment. Assessing the risk and gaps in your information security structure will help you identify what type of information is stored, how it is transmitted and accessed, and which risk factors pose threats to that information. The risk assessment enables you to identify hazards and risk factors that could cause harm, analyze and evaluate those hazards, and determine the best course of action to mitigate the harm and risk.
  3. Make the best decision for your organization—As I outline in my recent Journal article, every organization has different needs—some may need a complete overhaul, while others just need a tune-up. There are a number of different approaches to assessing the security needs of your organization. A risk assessment helps you to determine your security needs to mitigate risk. A gap analysis helps you to find the holes. A security audit is an extensive overview of an organization’s security systems and processes and helps you determine specific security needs.
  4. Act immediately—No need to panic! Because the assessment precedes your proactive security efforts, start by taking inventory. An effective risk assessment, repeated regularly, is the foundation of an effective IT risk management program. If you are looking to improve your security posture and boost your compliance, risk assessments and gap assessments are the key to continuous improvement and well-informed leadership decisions.
  5. Evaluate—Think of an assessment as a way to evaluate where you are. For example, a risk assessment is about gathering data, determining threats, analyzing risk factors and prioritizing to determine mitigation.

When it comes to managing information security, I would add a sixth step to Avellan’s list: breathe and repeat. Repeated assessments and tests allow for continuous, targeted improvements that allow for optimal risk mitigation over the long term.


Formalizing the Cybersecurity Role in MDM

Sonja Hammond, CISSP, ITIL Foundation, PCI-ISA, and Chip Jarnagin, CISSP, CSM, PMP Posted: 6/11/2018 3:08:00 PM | Category: Security

While some cybersecurity teams may be anxious to get involved with master data management (MDM), there are prerequisites that we strongly recommend be in place prior to starting down the implementation path. Having a well-defined software development life cycle (SDLC) in place is important. Even more important is that adherence to the SDLC be institutionalized. Tied into this is the architecture review board, which should be reviewing all significant changes or new implementations of data, systems, technology, etc. These 2 processes should be addressed in the information security policy and, where applicable, the data governance policy.

With these building blocks in place, the following steps will get you started mapping a data protection plan that can be outlined in a governance standard document and referenced in your company’s information security policy and data governance policy:


Understanding the Threat Landscape

Yuri Bobbert, CISM, CISA, SCF, and Talitha Papelard-Agteres, CISM Posted: 6/4/2018 3:06:00 PM | Category: Security

Privacy and security are issues society struggles with on a daily basis, both in our private lives and in our work. We all strive to be happy, and safety is an important but an uncertain factor in our lives. When I was younger, I worked in prison, where I felt safer than I do these days on the Internet. In prison, there was insight into the threat landscape and the measures you had to take when threats occur. It was clear and visible. You simply had to press a red button and a guard or fence was there to protect you. The Internet, on the other hand, is complex, invisible and difficult to handle. There is a sense of urgency to have information security in place, but often one has no idea how to do this.


Establishing a Triumvirate—Understanding the Interests for Enhancing Collaboration Between the CISO, the CIO and the CRO

Ofir Eitan, CISM, CCSK, CTI Posted: 5/21/2018 4:00:00 PM | Category: Security

In one of my recently published ISACA Journal articles, “Clash of the Titans: How to Win the ‘Battle’ Between Information Security and IT Without Losing Anyone,” I pointed out some of the challenges the chief information security officer (CISO) faces when it comes to prioritizing information security interests over IT interests. Although my insights refer mainly to finding common ground with the IT and infrastructure departments, at times the CISO needs to find other resources and common interests with other units to either “finance” the CISO’s solutions or implement the CISO’s policies.
