MOBILE WORKFORCE 04
www.isaca.org
The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal's noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

3 Information Security Matters: André Maginot's Line
Steven J. Ross, CISA, CISSP, MBCP

6 IS Audit Basics: Audit Programs
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt

10 The Network
Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA

FEATURES

13 Social Media Rewards and Risk
Mohammed J. Khan, CISA, CRISC, CIPM
(Disponible également en français)

18 Mobile Workforce Security Considerations and Privacy
Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3, PMP
(Disponible également en français)

24 Exploring How Corporate Governance Codes Address IT Governance
Steven De Haes, Ph.D., Anant Joshi, Ph.D., Tim Huygh and Salvi Jansen

31 A Guide to Auditing Attachment Fields in Access Databases
Joshua J. Filzen, Ph.D., CPA and Mark G. Simkin, Ph.D.

39 Key Ingredients to Information Privacy Planning
Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP

46 Challenges and Lessons Learned Implementing ITIL, Part 1
Mathew Nicho, Ph.D., CEH, CIS, ITIL Foundation, RWSP, SAP, Shafaq Khan, Ph.D., CIS, PMBOK, PMP, SAP, and Ram Mohan, CRISC, CISM, CGEIT, ISO 27001, ITIL Foundation

PLUS

52 Tools: Mobile Security Tools on A Budget
Ed Moyle

54 Help Source Q&A
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

56 Crossword Puzzle
Myles Mellor

57 CPE Quiz
Prepared by Sally Chan, CGEIT, ACIS, CMA, CPA

59 Standards, Guidelines, Tools and Techniques

S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically Speaking, to gain practical knowledge from colleagues and to participate in the growing ISACA® community.

Online Features

Do not miss out on the Journal's online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal. The following is a sample of the upcoming features planned for July and August 2017.
Some time ago in this space, I used an obscure statement by a nearly forgotten British Prime Minister to make some points about cyber security.1 As it happens, I studied the history of the period between the World Wars in my university days, so I often use some of the insights I gained in looking at then-current affairs when thinking about information security. I would like to turn now to a somewhat more famous artifact of the interwar years, the Maginot Line.

Here is what most people know: The Maginot Line was a series of fortifications near the French-German border intended to prevent German forces from invading France through Alsace and Lorraine, as Germany had done in two previous wars. Once those two nations entered into war again in 1939, the German forces went around the Maginot Line and invaded France once again. Thus, the term "Maginot Line" is today a catch-phrase for an expensive, foolhardy security failure.

The infamous line was named for André Maginot, a French politician who served in many cabinets in the 1920s and '30s, three times as the Minister for War.2 Having spent much of his life in Lorraine, he was primarily concerned with protecting that part of France. He was not the visionary of the line; the idea came from the World War I French generals, particularly Marshal Henri Petain, the "hero of Verdun."3 Neither was Maginot the leader who built the line; that was Paul Painlevé, his successor as War Minister.

So, what did André Maginot do? And what are the lessons of André Maginot and his line regarding information security generally (this is, after all, the Information Security Matters column), and cyber security specifically?

Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts. http://bit.ly/2shfuWv

invaded in 1940 through Belgium instead. In cyber security terms, a strategy of protecting critical data resources, with less consideration given to so-called "Tier 2," simply exposes everything via the easiest route for an attacker to traverse. In other words, cyber security needs to treat the security of the IT environment holistically.

Moreover, it must be recognized that the methods of the cyberattackers are not monolithic and invariable. As an organization implements certain preventive measures, so those attackers intent on violating the integrity of information systems adjust their tactics. Effective antivirus filters once forced hackers to develop other forms of malware. Then, organizations became better at countering these new forms of hostile software. Now, it seems that the attackers are focusing instead on stolen credentials taken from authorized data users. This approach favors the antagonist in many ways: There is no need to find a zero-day or unpatched vulnerability, it is harder to detect, and it is more flexible once the credentials are used.4
and present the subject matter and against which an IS auditor evaluates the subject matter.8 Many of these will be defined by the entity that is being audited (e.g., contracts, service level agreements, policies, standards); however, there will be instances, for example, when an organization has not defined its own standards when other criteria should be applied (figure 3). One such instance might be when you are auditing an Oracle database. Where an organization has defined its own Oracle database standard, then you audit to that standard. However, if no standard exists, it is good practice to use an external benchmark if it is objective, complete, relevant, measurable, understandable, widely recognized, authoritative and understood by, or available to, all readers and users of the report.9 Further, IS audit and assurance professionals should consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.23 I would also disclose the criteria used and why. In this case, auditors were required to give an opinion on the security of an Oracle database, but management had no standard defining what "secure" means. A further finding from such an audit may be that management should define such a standard. Selecting the right criteria is vital for the success of the audit.

Collaborate

We live in a world where it is very much a viable option to run a business using open-source software. I, therefore, pose a simple question: Why cannot we, as an ISACA community, develop open-source audit/assurance programs?

The Documents and Publications section of Audit Tools and Techniques24 allows every member to contribute user-created documents and publications. Members could, therefore (with their organization's permission), upload completed audit/assurance programs, making them available (with the right terms and conditions) for other members to adopt for their own enterprise's risk and criteria. Further, other members could contribute to and enhance these documents. Over time, we, as a community, could build up many audit/assurance programs that are continuously enhanced and kept up to date.

Conclusion

An audit/assurance program is defined by ISACA as a step-by-step set of audit procedures and instructions that should be performed to complete an audit.25 Many of these steps are common to most enterprises; however, each also has its own culture, ethics and behavior. We can utilize and share existing audit/assurance programs and even

Editor's Note

ISACA is currently exploring several methods for community-driven audit program sharing and development models.

Figure 2—Creating an Audit Program

Creating an Audit Program: The first step in creating an audit program is to develop an audit plan. An audit plan should comprise all five steps shown here. Once you have researched and completed a properly executed audit plan, the result is an audit program ready for implementation.

1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).

2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.

3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application, system or a limited period of time.

4. Perform preaudit planning.
• Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team to justify the engagement and further refine the scope and preplanning focus.
• Interview the auditee to inquire about activities or area of concern that should be included in the scope of the engagement.
• Identify regulatory compliance requirements.
• Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work.

Figure 3 (sources of criteria)

ISACA
• White papers11
• Cloud computing guidance12
• Cyber security resources13
US Department of Defense
• Security Technical Implementation Guides (STIGs)14
CIS Center for Internet Security
• Benchmarks15
ISO International Organization for Standardization
• ISO/IEC 27000 family—Information security management systems16
CSA Cloud Security Alliance17
NIST US National Institute of Standards and Technology
• Framework for Improving Critical Infrastructure Cybersecurity18
• Security and Privacy Controls for Federal Information Systems and Organizations19
• NIST publications20
PCI DSS Payment Card Industry Data Security Standard21*
ITIL Information Technology Infrastructure Library22

*ISO and PCI DSS can also be used as sources of best practice even where compliance is not required.
Source: Ian Cooke. Reprinted with permission.
Endnotes
1 ISACA® Knowledge Center, Audit Tools and Techniques, www.isaca.org/it-audit-tools-and-techniques
2 ISACA Knowledge Center, Oracle Databases, www.isaca.org/topic-oracle-database
3 ISACA Knowledge Center, SQL Server Databases, www.isaca.org/topic-oracle-database
4 ISACA, Audit/Assurance Programs, www.isaca.org/auditprograms
5 Institute of Internal Auditors, Global Technology Audit Guides, https://na.theiia.org/standards-guidance/topics/Pages/Information-Technology.aspx
6 AuditNet, Audit Programs, www.auditnet.org/audit_programs
7 ISACA, Information Systems Auditing: Tools and Techniques: Creating Audit Programs, USA, 2016, www.isaca.org/Knowledge-Center/Research/Documents/IS-auditing-creating-audit-programs_whp_eng_0316.PDF
8 ISACA, ITAF: Information Technology Assurance Framework, USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
9 Op cit, ITAF, p. 20
10 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit/pages/default.aspx
11 ISACA, White Papers, www.isaca.org/Knowledge-Center/Research/Pages/White-Papers.aspx
12 ISACA, Cloud Computing Guidance, www.isaca.org/Knowledge-Center/Research/Pages/Cloud.aspx
13 ISACA, Cyber Security Resources, www.isaca.org/KNOWLEDGE-CENTER/RESEARCH/Pages/Cybersecurity.aspx
14 Department of Defense, Security Technical Implementation Guides, USA, http://iase.disa.mil/stigs/Pages/index.aspx
15 Center for Internet Security Benchmarks and Controls, https://benchmarks.cisecurity.org/downloads/
16 International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 27000 Family—Information Security Management Systems, https://www.iso.org/isoiec-27001-information-security.html
17 Cloud Security Alliance, https://cloudsecurityalliance.org/group/security-guidance/#_downloads
18 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, USA, https://www.nist.gov/cyberframework
19 Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
20 National Institute of Standards and Technology, NIST publications, https://www.nist.gov/publications
21 Payment Card Industry Data Security Standard, https://www.pcisecuritystandards.org/
22 Information Technology Infrastructure Library, https://www.itil.org.uk/all.htm
23 Op cit, ITAF, p. 20
24 Op cit, ISACA Knowledge Center
25 ISACA Glossary, https://www.isaca.org/Pages/Glossary.aspx
She Leads IT

broader professional community and helps you grow as an industry leader. When hiring staff at the House, I look for diverse certifications and higher degrees to help address the broad range of problems we face. Even as a senior executive, I like to show my commitment to the profession and prove my capability to my staff (and to myself!) by sometimes sitting for the same training and exams they are pursuing—which is the reason why I have so many certifications!

Q: What has been your biggest workplace or career challenge and how did you face it?

A: I think an ongoing challenge for any professional is the rapid pace of change. How do we keep up with it? How do I find and retain staff who can meet the changing demands? This is even more so in the congressional environment. Every member of the House of Representatives is up for reelection every two years. In addition to the changes brought about by elections, leadership positions change as well. In my seven years as IG, I have served under three different Speakers of the House and four different congressional oversight committee chairmen. With all of these changes in leadership come changes in priorities, focus and direction. It teaches you to be nimble in adjusting the audit plan. You also need to be able to quickly acquire new or different skills to adjust to the changing priorities. That agility has made me a better auditor and a better leader because it forces me to constantly think on my feet and help others, who may struggle with change, to adapt.

Q: What do you think are the most effective ways to address the lack of women in the information security workspace?

A: Diversity goes beyond a feel-good social initiative; it impacts the bottom line. It is a powerful resource that, if properly leveraged, increases an organization's ability to connect with a broader base of people, deepens an organization's knowledge base and, ultimately, reduces enterprise risk. When there is a pipeline shortage of women to fill senior leadership roles or in science, technology, engineering and mathematics (STEM) career fields in general, this puts organizations at risk. Women leaders bear a special responsibility to help fill this pipeline by serving as role models and mentors to our next generation of leaders. We need to connect with girls and young women to show them what a Woman in Technology leader looks like. If we wait until they have already made career decisions, it may be too late. I think it is important to volunteer at local schools as speakers on career day. I think it is especially important to reach out to schools in at-risk communities to show students that IT security is an amazing career option. If they have never heard of it, they cannot choose it. We can not only address some of the pipeline issues, but we can literally change the trajectory of young people's lives.

1. What is the biggest security challenge that will be faced in 2017? How should it be addressed?
The biggest challenge is the human element. Lack of employee cyberawareness, weak passwords, failure to implement patches, falling for phishing scams and insider threat will do more cumulative damage than complex emerging issues.

2. What are your three goals for 2017?
• Developing a leadership pipeline
• Continuing and strengthening ISACA's Women in Technology initiative
• Exploring charitable options through ISACA's ITGI foundation to give opportunities to people in developing nations or underrepresented demographics to obtain leadership skills, relevant training and certifications.

3. What is your favorite blog?
ISACA International does a great ISACA Now blog. CyberScoop and NextGov do a great job of reporting on important issues.

4. What is your number-one piece of advice for other audit professionals?
Do not rest on the fact that you are a regulatory requirement. Provide value to your organization every day.

5. What is your favorite benefit of your ISACA membership?
The fantastic people—the members, the volunteer leaders and the staff. ISACA has benefited my career in monumental ways, but the biggest benefit has been the friendships.

6. What do you do when you are not at work?
When I am not at work and I am not doing ISACA work, I am at my son's ice hockey game, helping my daughter find the right college or walking the dogs with my husband.
ISACA JOURNAL VOL 4
feature

Social Media Rewards and Risk

Disponible également en français
www.isaca.org/currentissue

Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts. http://bit.ly/2sUGrw7

Social media is a powerful tool that gives organizations the ability to expand their brand value; it can also tarnish a brand overnight. There are more than 18 social media platforms globally that have started to grow and have an enterprise-level following, and this is only the beginning. Given the visibility, risk, and real-time monitoring and response required to effectively manage social media channels, companies must establish extensive protocols for use by their organization in order to engage with external channels. Companies representing themselves externally should engage the appropriate and authorized spokespersons and executives designated by their communications department in order to speak to, initiate, provide and/or post information within the social media space. While there are several key risk factors to be addressed relative to social media, there are many rewards as well. Some of the most advanced topics and benefits include (figure 1):

• Connecting with customers—The ability to engage with customers is the most critical aspect of social media. Developing a brand and promoting it through various channels of social media can create further brand value and awareness.

• Marketing intelligence—Social media marketing gives the organization the ability to monitor the brand and listen to what the public is saying in the social media space. The insight is the reward the organization reaps by playing a larger role in social media, which can be invaluable. The organization can enhance its marketing, business development efforts and other valuable venues to further its ability to be competitive.

• Pulse on brand reputation—Keeping the pulse of the organization's social media reputation and metrics is critical to staying ahead of the brand's recognition and signs of reputational risk.

As for the risk (figure 2), some of the most common ones include:

• Reputational risk—Damage to an organization's reputation stemming from a social media mishap can bring the organization to its knees, whether it is the chief executive officer (CEO) stating something controversial on his/her Twitter account or an organization-bashing employee video that goes viral. According to a leading publisher, "A reputational crisis can wipe tens of millions of pounds from a company's value, and this risk has increased because the rise of online and social media means crises are now less predictable and can happen faster."1

• Data security breach—According to research from Forrester:

From reconnaissance to brand hijacking and threat coordination, cyber criminals have been using social media to boost the effectiveness of their attacks for years. It's clear that social media risk isn't solely about brand and reputation damage but is a sinister cybersecurity threat that can lead to major data breaches, numerous compliance issues, and large amounts of lost revenue due to fraud and counterfeit sales, along with a slew of other risks.2

• Social engineering—Employees in almost all organizations are savvy, and many have a social media presence on major sites such as Facebook, LinkedIn, Quora and Twitter. Each platform has

Mohammed J. Khan, CISA, CRISC, CIPM, is a global audit manager at Baxter International, a global medical device and health care company. He has more than 12 years of experience focused on providing privacy, security and information governance. Most recently, he has focused specifically on medical device cyber security, global privacy frameworks, and helping his organization with strategic, cost-effective initiatives in the audit and compliance space. Khan previously worked for a leading consultancy firm as an assurance and advisory professional, and prior to that, he worked as a global enterprise resource planning and business intelligence professional at a leading technology firm. Khan has helped develop and author several publications and has presented at industry conference events focusing on privacy and cyber security.

Figure 1 (diagram labels): Reward 1, Connect: Engage with customers; Develop promotional material with industry consortium; Build brand awareness. Reward 2, Intelligence: Insight into competitors' market; Relevance in the marketplace. Reward 3, Reputation: Pulse on brands' integrity in the social media space. Reward 5: Return on Investment / Get Rewarded. Reward 6: Virus and Malware. Employees who access social media websites can act as brand ambassadors; on ... leave an open door for viruses and malware to enter into the network.
Source: M. Khan. Reprinted with permission.

Some industries may shy away from this situation in light of audits that occur due to being in the social media space so frequently.

• Return on investment—The benefit the organization gains from being present in the social media space is hard to calculate and very subjective. The risk over reward, therefore, cannot be calculated without proper assurance, which leaves the decision to enter the social media space questionable for some industries.

• Compliance to changing the regulatory climate3—These regulatory changes require the organization to adapt its strategy if it wishes to comply on a global basis. This approach, while necessary for an organization that uses social

• Phishing—One of the popular techniques used by criminals is to get unknowing individuals to disclose personal information while posing
regulatory requirements redefine the responsibilities of the BoD for IT governance.8

behavior of the board toward IT governance and digital leadership can be influenced by external factors, such as corporate governance codes,12 and

describes the study that answers the questions:

underpin the study and to define the main concepts that were used in the research project.

level involvement in IT governance, it appears that this is more the exception than the rule in

Next, a sample of international corporate governance codes was analyzed. The selection of national corporate governance codes was based on two dimensions—geography (i.e., continent) and economy (i.e., income groups). Using an index of all of the

Table (columns: Country, Year, Code Info Pages). Countries sampled: Brazil (BR), Belgium (BE), Lebanon (LB), Guyana (GY), Mexico (MX), Australia (AU), Armenia (AM), Seychelles (SC), South Africa (ZA), Macedonia (MK), United States (US, 2013, 27 pages). Code years shown range from 2006 to 2015.

To analyze each corporate governance code for IT-governance-related content, an IT governance transparency framework was used.14 This IT governance disclosure framework contains 39

Figure 2—Item-level Analysis of Corporate Governance Codes for IT Governance-related Guidance

IT Governance Disclosure Items (per-country check marks not recoverable from the extraction):

IT Strategic Alignment (ITSA): IT expert on the board; IT expert with experience on the board; A chief information officer (CIO) or an equivalent position in the firm; IT committee; IT risk is part of audit committee or risk committee; IT is part of audit committee; IT steering committee; IT planning committee; Technology committee; IT committee at an executive level; IT governance framework standard: ITIL/COBIT®/ISO, etc.; IT as an issue in the board meeting; Suggestion/decision/advice by the board on IT.

IT Value Delivery (ITVD): Special report/section on IT/IT projects in annual report; IT mentioned as a strategic business issue; IT projected as strength; IT projected as opportunity; Comments/updates on IT performance; IT training; Green IT; Direction and status about IT outsourcing and insourcing.

IT Risk Management (ITRM): IT is referred under the operational risk; Special ITRM program; Use of IT for regulation and compliance; IT/electronic data processing (EDP) audit; Information and security policy/plan (IT security); Operations continuity plan.

IT Performance: Explicit information on IT expenditure; IT budget; IT hardware cost; IT software cost.

remaining IT governance focus areas.16 Using the
• Video files such as recordings of interviews with clients and job applicants

• Specialized files such as PowerPoint files of presentations and PDF files of legal documents

Because of the popularity of attachment fields, an auditor may encounter client data that include attached files or may be asked how best to store such information in database records. Some

Microsoft Access is one of several databases that support attachment fields. Other popular systems include Oracle, Informix and most alternate Microsoft products, such as Microsoft SQL Server. Many database systems also allow users to download smaller data sets into Access (sometimes using third-party tools), which is a convenient

Exact-match Queries

Queries enable database users to identify the records of a database table that satisfy specific search criteria. One of the easiest ways to search for specific attachment files is by filename—for example, to verify the presence of a particular

Source: Microsoft Corporation. Reprinted with permission.

Finally, it is also a simple matter to search for nonblank data fields using the NOT operator. In effect, the expression "Not Is Null" creates a query that displays all records that contain something in the data field of interest. Figure 13 illustrates the query for job applicants with résumés. The results are a datasheet listing all records that have files in their Résumé attachment field. For a certification application that stores PDF files of test results, for example, using the "Not Is Null" expression in a query allows an auditor to identify those employees who have taken a required test.
• Performing impact assessments/audits. A privacy impact assessment (PIA) questionnaire should be used to inform the PO of possible concerns and potential problems when a computer system is developed or changed. The PIA should identify the types of data, the scope of people affected, the type of information, any new information obtained and the other concerns described previously.

Privacy Controls

There are four types of privacy controls: management, computer operations, business operations and technical. Implementing the controls is critical to a successful privacy program. If time permits, they should be implemented in the following order: identify areas of concern, implement protective measures, install detection mechanisms and employ response management techniques.

The four types of privacy controls are described as follows.6
4. Technical controls
Figure: IT Structure and Leadership (organization chart labels). Director—GIT; Administrative Assistant; IT Manager (STP); IT Manager (Retail); IT Security Manager (Process and Compliance); IT Customer Relationships Manager; IT Project Development and Delivery Manager; Systems Development and Integration Architect; BI and DW Manager; IT Projects Coordinator (2); IT Services Manager; QA Manager; EI Analyst; Corporate Solutions Manager; IT Products Manager; IT Operations Manager; Solutions Manager (Smart Services); Solutions Manager (Oil and Gas); Solutions Manager (EBS); Solutions Manager (Retail); Service Delivery Manager; Team Leads for DBA, Unix/Storage/Backup and Facilities Admins, Security Admins, Network and Telecom, System Admins, Application Support (Branches) and Application Support (HQ); Help Desk Analysts; Desktop Support Analysts; Application Consultants (Legacy, Microsoft, Oracle (EBS) and Others); Oracle (EBS) DBAs; SQL DBAs.

Figure: ITIL implementation timeline, Q3 2009 to Q2 2016 (ongoing). Milestones shown: Change; Identifying Constraints; Product Selection; Implementation Phase 1; Implementation Phase 2; Going Live; Implementation Phase 3; Stabilization and Generation of Analytics; CMDB Live; Implementation Phase 4; ITSM Tool Upgrade; Objectives.
Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.
For each of the 14 value drivers (F1 to LG4), the organization drafted value driver statements for the four quadrants.
Financial
IT will:
• Maintain the ratio of IT operational expenditure (OPEX) to the company’s OPEX. (F1)
• Adhere to the approved budget. (F1)
• Ensure IT cost recovery based on the approved budget. (F2)
[Figure: goals cascade. 17 Business Goals (3 financial, 6 customer, 6 internal and 2 learning of the BSC) mapped to 28 IT Goals; IT risk assessed to align and select IT goals with IT controls and processes (COBIT, ITIL).]
[Figure: IT strategy map. Vision: Providing ENOC with innovative and cost-effective IT solutions, and services optimally combined with world-class standards of services, quality and operational effectiveness. Financial: Value Creation, Services, Stakeholders. Customers: C1. Deliver quality and reliable IT services; C2. Meet or exceed customer’s expectation; C3. Achieves “reliable business partner” image; C4. Support customers’ key strategic objectives. Internal Processes. Organizational Capabilities/Culture (L and G).]
Internal Processes
IT will:
Ed Moyle
Is director of thought leadership and research at ISACA®. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.
Endnotes
1 Weidman, G.; “Using Dagah GUI,” YouTube video, 30 March 2017, https://www.youtube.com/watch?v=dqBOs4YT36M
or the business applications they commonly run. Insofar as testing of applications goes, web proxying tools such as Burp Suite (https://portswigger.net/burp/) and Open Web Application Security Project’s (OWASP) ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) are excellent choices. These tools allow users to “snoop” on traffic between the mobile device (or, really, any device) and web applications with which they interact. A web testing proxy such as this intercepts messages between the mobile device and the application and allows the manipulation of various parameters (e.g., HTTP headers, response parameters) in between the mobile device and the web application. Note that these tools are useful outside of the mobile device world as well; they can be used to test any web application regardless of the platform on which it is employed. However, because mobile device use is tied so closely to the applications they run, they are addressed here.
[Figure: four areas of mobile security tooling: 1 Testing Tools, 2 Device OS Management, 3 Mobile Forensics Tools, 4 Repurposing Mobile Devices.]
Mobile Forensics Tools
Of course, situations arise whereby one may need to investigate a device to determine if the device has been attacked—or to otherwise evaluate a potential incident impacting a mobile device. If one is investigating a specific device from an investigation standpoint, a fantastic resource to have in any arsenal is the Santoku Linux distribution (https://santoku-linux.com/). Santoku is an entire Linux distribution dedicated specifically to mobile device forensic examination. Other testing and incident response platforms do contain mobile tools; for example, both Kali (https://www.kali.org/) and CAINE (www.caine-live.net/) contain mobile analysis tools. However, Santoku has the advantage of being entirely designed specifically from a mobile analysis perspective.
Repurposing Mobile Devices
One area of opportunity—particularly for an SMB or severely budget-strapped organization—is the repurposing of mobile devices to accomplish other security tasks. Anybody who works in IT will tell you that one thing they tend to have quite a bit of is old, out-of-date or otherwise unused mobile devices such as decommissioned employee smartphones. Under the right circumstances, these devices can actually still provide some value to a security team. For example, there are applications that allow an Android or Apple smartphone to operate as a remote security camera. The specific app to do this varies by platform, but almost any smartphone with a camera (even if no longer connected to the cellular network) can provide video or still image data via a WiFi connection. Is this a replacement for an “enterprise-grade” monitoring capability? Of course not.
appropriately monitored on a short-term basis in certain situations—for example, in the interim period between when a gap in coverage is identified and new equipment
CPE quiz
Prepared by Sally Chan, CGEIT, ACIS, CMA, CPA
Take the quiz online: http://bit.ly/2r3cj5c
Answers on page 58

TRUE OR FALSE

RAVAL AND SHAH ARTICLE
1. To address risk exposures in third-party risk management environments, host companies consider the vendor as the target of evaluation at the time of onboarding and on an ongoing basis as well. For this, the host company should implement and use both traditional and innovative monitoring approaches for continuous monitoring of the identified risk factors.
2. Agile and effective trust relationships do not rely on governance practices. Most organizations working with third parties do have a coherent plan for ongoing management of the relationship and the services that are provided. The contract and the various service agreements will be self-managing.
3. Given the complex cyber-based relationships with third parties, the new direction used to track the relevant engagement risk is dynamic risk profiling.

KRESS AND HILDEBRAND ARTICLE
4. Without a consolidated data set to analyze, the process of gathering and managing data is inherently inefficient. The absence of a coordinated, functionwide strategy led to the analytics enthusiasts having a hard time getting started and a harder time getting access to the right data.
5. Maximizing the power of analytics during the execution of the audit includes creating automated dashboards for department risk assessments and review of effectiveness of testing procedures in governance, risk and control (GRC) (control tested vs. issues noted).
6. Tomorrow’s use of analytics in the execution of an audit includes increasing horizontal review across all teams and encouraging disruption using an innovative analytical approach through custom analytics.

SMITH ARTICLE
7. Most blockchain proofs of concept are designed to achieve benefits that fall loosely into one of the three categories: reduce costs and create process efficiencies, create an ecosystem with higher-than-standard levels of trust, or facilitate digital currency exchange.
8. Ongoing review to ensure the sustainability of the assurance solution in blockchain will not be necessary, but the nature, timing and extent of the review work cannot be determined by the technology used, the business-use case and the evolving ecosystem in which the instance is deployed.

ALEXIOU ARTICLE
9. Agile audit is primarily about increasing the efficiency mainly of complex audits by parallelizing tasks, eliminating or mitigating bottlenecks, and assigning time to various tasks that is proportional to each task’s importance.
10. With regard to the audit aspect of leadership, Agile audit is more democratic, as all team members participate more or less equally (in principle) to planning.
11. Some of the Agile audit guidelines include striving to gain an early understanding of the key audit issues and disseminate this information within the audit team, discussing findings as they are gathered, and shifting resources if necessary.

PAREEK ARTICLE
12. Efforts at quantification of either black-box logic, such as modeling loss distributions based on extreme-value theory, or the combination of various security metrics (often using weighted averages) as a composite metric have been successful enough to win widespread adoption.
13. In situations where thresholds have been established, an alternative and simpler approach that relies on z-scores can be adopted. This approach is just as sensitive and precise as the standardized scores.

Answers: Crossword by Myles Mellor. See page 56 for the puzzle. [Answer grid not recoverable from extraction.]

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address. You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.
Please note that the guidelines are effective 1 September 2014. An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.
Comments may also be submitted to the attention of the Director, Thought Leadership and Research via email (standards@isaca.org); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of the Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2017 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
ISSN 1944-1967
Subscription Rates: US: one year (6 issues) $75.00. All international orders: one year (6 issues) $90.00. Remittance must be made in US funds.

Editor: Jennifer Hajigeorgiou, publication@isaca.org
Managing Editor: Maurita Jasper
Contributing Editors: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Sally Chan, CGEIT, CPA, CMA; Ian Cooke, CISA, CRISC, CGEIT, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt; Kamal Khan, CISA, CISSP, CITP, MBCS; Vasant Raval, DBA, CISA; Steven J. Ross, CISA, CBCP, CISSP; Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT
Advertising: media@isaca.org
Media Relations: news@isaca.org

Reviewers: Matt Altman, CISA, CRISC, CISM, CGEIT; Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, ITIL, MBCI; Vikrant Arora, CISM, CISSP; Cheolin Bae, CISA, CCIE; Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Brian Barnier, CRISC, CGEIT; Pascal A. Bizarro, CISA; Jerome Capirossi, CISA; Anand Choksi, CISA, CCSK, CISSP, PMP; Joyce Chua, CISA, CISM, PMP, ITILv3; Ashwin K. Chaudary, CISA, CRISC, CISM, CGEIT; Burhan Cimen, CISA, COBIT Foundation, ISO 27001 LA, ITIL, PRINCE2; Ken Doughty, CISA, CRISC, CBCP; Nikesh L. Dubey, CISA, CRISC, CISM, CISSP; Ross Dworman, CISM, GSLC; Robert Findlay; John Flowers; Jack Freund, CISA, CRISC, CISM, CIPP, CISSP, PMP; Sailesh Gadia, CISA; Amgad Gamal, CISA, COBIT Foundation, CEH, CHFI, CISSP, ECSA, ISO 2000 LA/LP, ISO 27000 LA, MCDBA, MCITP, MCP, MCSE, MCT, PRINCE2; Robin Generous, CISA, CPA; Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA; Tanja Grivicic; Manish Gupta, Ph.D., CISA, CRISC, CISM, CISSP; Mike Hansen, CISA, CFE; Jeffrey Hare, CISA, CPA, CIA; Sherry G. Holland; Jocelyn Howard, CISA, CISMP, CISSP; Francisco Igual, CISA, CGEIT, CISSP; Jennifer Inserro, CISA, CISSP; Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA; Mohammed Khan, CISA, CRISC, CIPM; Farzan Kolini, GIAC; Abbas Kudrati, CISA, CISM, CGEIT, CEH, CHFI, EDRP, ISMS; Shruti Kulkarni, CISA, CRISC, CCSK, ITIL; Bhanu Kumar; Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP; Edward A. Lane, CISA, CCP, PMP; Romulo Lomparte, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation, CRMA, IATCA, IRCA, ISO 27002, PMP; Larry Marks, CISA, CRISC, CGEIT; Tamer Marzouk, CISA, ABCP, CBAP; Krysten McCabe, CISA; Brian McLaughlin, CISA, CRISC, CISM, CIA, CISSP, CPA; Brian McSweeney; Irina Medvinskaya, CISM, FINRA, Series 99; David Earl Mills, CISA, CRISC, CGEIT, MCSE; Robert Moeller, CISA, CISSP, CPA, CSQE; David Moffatt, CISA, PCI-P; Ramu Muthiah, CISM, CRVPM, GSLC, ITIL, PMP; Ezekiel Demetrio J. Navarro, CPA; Jonathan Neel, CISA; Nnamdi Nwosu, CISA, CRISC, CISM, CGEIT, PfMP, PMP; Anas Olateju Oyewole, CISA, CRISC, CISM, CISSP, CSOE, ITIL; David Paula, CISA, CRISC, CISSP, PMP; Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE; John Pouey, CISA, CRISC, CISM, CIA; Steve Primost, CISM; Parvathi Ramesh, CISA, CA; Antonio Ramos Garcia, CISA, CRISC, CISM, CDPP, ITIL; Michael Ratemo, CISA, CRISC, CISM, CSXF, ACDA, CIA, CISSP, CRMA; Ron Roy, CISA, CRP; Louisa Saunier, CISSP, PMP, Six Sigma Green Belt; Daniel Schindler, CISA, CIA; Sandeep Sharma; Catherine Stevens, ITIL; Johannes Tekle, CISA, CFSA, CIA; Robert W. Theriot Jr., CISA, CRISC; Nancy Thompson, CISA, CISM, CGEIT, PMP; Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT; Jose Urbaez, CISA, CISM, CSXF, ITIL; Ilija Vadjon, CISA; Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA; Varun Vohra, CISA, CISM; Manoj Wadhwa, CISA, CISM, CISSP, ISO 27000, SABSA; Anthony Wallis, CISA, CRISC, CBCP, CIA; Kevin Wegryn, PMP, Security+, PfMP; Tashi Williamson; Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2017-2018)
Chair: Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA
Vice-chair: Rob Clyde, CISM
Director: Brennan Baybeck, CISA, CRISC, CISM, CISSP
Director: Zubin Chagpar, CISA, CISM, PMP
Director: Peter Christiaans, CISA, CRISC, CISM, PMP
Director: Hironori Goto, CISA, CRISC, CISM, CGEIT
Director: Michael Hughes, CISA, CRISC, CGEIT
Director: Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CFP, CGFA, CIPM, CIPT, CISSP, ISSMP-ISSAA, CITBCM, CPP, CSSLP, GCIA, GCIH, GSNA, PMP
Director: R. V. Raghu, CISA, CRISC
Director: Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT
Director: Ted Wolff, CISA
Director: Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT Assessor and Trainer, CIA, CRMA
Director and Chief Executive Officer: Matthew S. Loeb, CGEIT, CAE, FASAE
Director and Past Chair: Christos Dimitriadis, Ph.D., CISA, CRISC, CISM, ISO 20000 LA
Director and Past Chair: Robert E Stroud, CRISC, CGEIT
Director and Past Chair: Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
ISACA BOOKSTORE
RESOURCES FOR YOUR PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore
Enter JOURNAL20 at checkout and receive a 20% discount off your order

ISACA Privacy Principles and Program Management Guide
The main purpose of ISACA Privacy Principles and Program Management Guide is to provide readers with a harmonized privacy framework. The book offers a set of privacy principles that align with the most commonly used privacy standards, frameworks and good practices, as well as fill in the gaps that exist among these different standards. This practical guide can support or be used in conjunction with other privacy frameworks, good practices, and standards to create, improve and evaluate a privacy program specific to the practitioner’s enterprise. Special guidance on how to use the COBIT 5 framework to implement a more robust privacy program is included in this publication.
PRINT: Product Code: IPP; Member / Nonmember: $45.00 / $90.00
WEB DOWNLOAD: Product Code: WIPP; Member / Nonmember: $35.00 / $70.00

Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT by ISACA
How do organizations know they are effectively utilizing enterprise technology resources to best realize business goals? Do organizations know the extent to which their business goals are dependent on technology? How do they know the technology they have in place is providing value and realizing the expected return on investment? Governance of enterprise IT (GEIT) is the systematic process of answering these and other related questions. Implementing a GEIT system can bring many benefits to an organization, including lower costs, greater control, more efficient and effective use of resources, and overall better strategic alignment and risk management. The primary purpose of adopting and using a GEIT system is to deliver value to stakeholders. This guide provides the necessary steps to implement GEIT to help the enterprise achieve its goals and demonstrate value delivery.
This guide is intended for people who are new to GEIT or have recently been tasked with implementing a GEIT structure. Whether the enterprise is already familiar with GEIT concepts and practices or is exploring the possibilities, this guide will help provide an understanding of the steps to implement GEIT and examples of the benefits of GEIT, so that buy-in from senior leadership can be obtained and a framework to guide implementation efforts can be used.
WEB DOWNLOAD: Product Code: WCGEIT; Member / Nonmember: FREE / $15
Browse a variety of publications featuring the latest research and expert thinking on standards, best practices, emerging trends and more at https://support.isaca.org
FEATURED BOOKS

Privacy Means Profit: Prevent Identity Theft and Secure You and Your Bottom Line
by John Sileo
Product Code: 1WPMP; Member / Nonmember: $15.00 / $25.00
Bulletproof your organization against data breach, identity theft, and corporate espionage.
In this updated and revised edition of Privacy Means Profit, John Sileo demonstrates how to keep data theft from destroying your bottom line, both personally and professionally. In addition to sharing his gripping tale of losing $300,000 and his business to data breach, John writes about the risks posed by social media, travel theft, workplace identity theft, and how to keep it from happening to you and your business.
By interlacing his personal experience with cutting-edge research and unforgettable stories, John not only inspires change inside of your organization, but outlines a simple framework with which to build a Culture of Privacy. This book is a must-read for any individual with a Social Security Number and any business leader who doesn't want the negative publicity, customer flight, legal battles and stock depreciation resulting from data breach.
Protect your net worth and bottom line using the 7 Mindsets of a Spy:
• Accumulate Layers of Privacy
• Eliminate the Source
• Destroy Data Risk
• Lock Your Assets
• Evaluate the Offer
• Interrogate the Enemy
• Monitor the Signs
In this revised edition, John includes an 8th Mindset, Adaptation, which serves as an additional bridge between personal protection and bulletproofing your organization. Privacy Means Profit offers a one-stop guide to protecting what's most important and most at risk-your essential business and personal data.
Please note that COBIT 5 Implementation Guide is also available as a complimentary web download to both ISACA members and nonmembers.

Cyber Threat! How to Manage the Growing Risk of Cyber Attacks
by MacDonnell Ulsch
Product Code: 108WCT; Member / Nonmember: $33.00 / $43.00
Cyber Threat! How to Manage the Growing Risk of Cyber Attacks is an in-depth examination of the very real cyber security risks facing all facets of government and industry, and the various factors that must align to maintain information integrity. Written by one of the nation's most highly respected cyber risk analysts, the book describes how businesses and government agencies must protect their most valuable assets to avoid potentially catastrophic consequences. Much more than just cyber security, the necessary solutions require government and industry to work cooperatively and intelligently. This resource reveals the extent of the problem, and provides a plan to change course and better manage and protect critical information.
Recent news surrounding cyber hacking operations show how intellectual property theft is now a matter of national security, as well as economic and commercial security. Consequences are far-reaching, and can have enormous effects on national economies and international relations. Aggressive cyber forces in China, Russia, Eastern Europe and elsewhere, the rise of global organized criminal networks, and inattention to vulnerabilities throughout critical infrastructures converge to represent an abundantly clear threat. Managing the threat and keeping information safe is now a top priority for global businesses and government agencies. Cyber Threat! breaks the issue down into real terms, and proposes an approach to effective defense. Topics include:
• The information at risk
• The true extent of the threat
• The potential consequences across sectors
• The multifaceted approach to defense
The growing cyber threat is fundamentally changing the nation's economic, diplomatic, military, and intelligence operations, and will extend into future technological, scientific, and geopolitical influence. The only effective solution will be expansive and complex, encompassing every facet of government and industry. Cyber Threat! details the situation at hand, and provides the information that can help keep the nation safe.

Advanced Persistent Threats: How to Manage the Risk to your Business
by ISACA
Product Code: APT; Member / Nonmember: $35.00 / $60.00
Advanced Persistent Threats: How to Manage the Risk to your Business explains the nature of the security phenomenon known as the advanced persistent threat (APT). It also provides helpful advice on how to assess the risk of an APT to the organization and recommends practical measures that can be taken to prevent, detect and respond to such an attack. In addition, it highlights key differences between the controls needed to counter the risk of an APT attack and those commonly used to mitigate everyday information security risk.
This book is designed primarily for security managers, IT managers, IT auditors and students studying for computer science or information security qualifications. It is written in clear, nontechnical language so it will also be of value to business managers and government officials responsible for valuable intellectual assets or critical services that might be the target of an APT attack.
CRISC Review Manual 6th Edition
by ISACA
Print Product Code: CRR6ED; EBook Product Code: EPUB_CRR6ED; Member / Nonmember: $85.00 / $115.00
The CRISC Review Manual 6th Edition is a comprehensive reference guide designed to help individuals prepare for the CRISC exam and understand IT-related business risk management roles and responsibilities. The manual has been enhanced over the past editions and represents the most current, comprehensive, peer-reviewed IT-related business risk management resource available worldwide.
The 6th edition manual is organized to assist candidates in understanding essential concepts and studying the following job practice areas:
• IT Risk Identification
• IT Risk Assessment
• Risk Response and Mitigation
• Risk and Control Monitoring and Reporting
The CRISC Review Manual 6th Edition offers an easy-to-navigate format. Each of the book’s four chapters has been divided into two sections for focused study. Section one of each chapter contains:
• Definitions and objectives for the four areas
• Task and knowledge statements
• Self-assessment questions, answers and explanations
• Suggested resources for further study
Section two of each chapter consists of reference material and content that support the knowledge statements. The material enhances CRISC candidates’ knowledge and/or understanding when preparing for the CRISC certification exam. Also included are definitions of terms most commonly found on the exam.

CRISC Review Questions, Answers & Explanations, 4th Edition
by ISACA
Product Code: CRQ4ED; Member / Nonmember: $72.00 / $96.00
The CRISC™ Review Questions, Answers & Explanations Manual, 4th Edition is designed to familiarize candidates with the question types and topics featured in the CRISC exam. The 500 questions in this manual have been consolidated from the CRISC™ Review Questions, Answers & Explanations Manual 2015 and the CRISC™ Review Questions, Answers & Explanations Manual 2015 Supplement. Many questions have been revised or completely rewritten to be more representative of the CRISC exam question format, and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items, but are intended to provide CRISC candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

CRISC Review Questions, Answers & Explanations Database - 12 Month Subscription
by ISACA
Product Code: XMXCR14-12M; Member / Nonmember: $185.00 / $225.00
The CRISC™ Practice Question Database is a comprehensive 500-question pool of items that contains the questions from the CRISC™ Review Questions, Answers & Explanations Manual, 4th Edition. The database is available via the web, allowing CRISC candidates to log in at home, at work or anywhere they have Internet connectivity. The database is MAC and Windows compatible. Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CRISC candidates to identify their strengths and weaknesses and focus their study efforts accordingly.