TRANSFORMING DATA 06
www.isaca.org

Digital Identity—Will the New Oil Create Fuel or Fire in Today’s Economy?
Governance, Risk, Compliance and a Big Data Case Study
Auditing Big Data in Enterprises
Journal

The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal’s noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

3 Information Security Matters: Information Security in Context
Steven J. Ross, CISA, CISSP, MBCP

6 IS Audit Basics: Auditing Mobile Devices
Ian Cooke, CISA, CGEIT, CRISC, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt

12 The Network
Sarah Orton, CISA

14 The Practical Aspect: Challenges of Security Log Management
Vasant Raval, DBA, CISA, ACMA, and Saloni Verma, CISA, CEH

FEATURES

19 Digital Identity—Will the New Oil Create Fuel or Fire in Today’s Economy? ( 亦有中文简体译本 )
Dan Blum, CISSP

22 Governance, Risk, Compliance and a Big Data Case Study
Guy Pearce

29 Auditing Big Data in Enterprises ( 亦有中文简体译本 )
Abdullah Al-Mansour, Security+

33 A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance
Robert Putrus, CISM, CFE, CMC, PE, PMP

42 Making the SoA an Information Security Governance Tool
Daniel Gnana, CISA, ISO/IEC 27001:2013 LA, PRINCE2

48 Evasive Malware Tricks
Clemens Kolbitsch

52 The AICPA’s New Cybersecurity Attestation Reporting Framework Will Benefit a Variety of Key Stakeholders
Sandra Herrygers, Gaurav Kumar and Jeff Schaeffer

PLUS

54 Help Source
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

56 Crossword Puzzle
Myles Mellor

57 CPE Quiz
Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS

59 Standards, Guidelines, Tools and Techniques

S1-S4 ISACA Bookstore Supplement

Online-Exclusive

Assurance Across the Three Lines
Ability Takuva, CISA

Creating and Defining a Culture of Security
Pedro Alexandre de Freitas Pereira, CCNA

An IoT Control Audit Methodology
Marcin Jekot, CISSO, ISO 27001 LA, SSP and Yiannis Pavlosoglou, Ph.D., CISSP

Read more from these Journal authors... Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically

3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA
Telephone +1.847.660.5505
Fax +1.847.253.1755
www.isaca.org

Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter
Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA
Follow ISACA on LinkedIn: www.linkedin.com/company/isaca
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISACA®, ISACA Cybersecurity Nexus™ (CSX) Mark, and ISACA’s Cybersecurity Nexus™ (CSX) products, certifications, and services are not affiliated with CSX Corporation or its subsidiaries, including CSX Transportation, Inc.
Auditing Mobile Devices

By the time this article is published, it will have been about 20 months since the US Federal Bureau of Investigation (FBI) unlocked the iPhone of the San Bernardino, California, gunman who killed 14 people.1 The request by the FBI for Apple to build new software to unlock the mobile device resulted in strongly held opinions on encryption and backdoors on both sides2 that have yet to be resolved. I have sympathy for all involved, but, as a technologist, I passionately believe that backdoors should not be developed. This conviction has been strengthened by the recent WannaCry3 and Petya4 attacks, which were developed using the leaked Shadow Brokers exploit, EternalBlue, which is generally believed to have been developed by the US National Security Agency (NSA).

Although a critical issue, this is not the focus of this column, nor is it something that we, as IT auditors, can influence on a day-to-day basis. However, an aspect of this case that received little or no coverage was the fact that San Bernardino County owned mobile device management (MDM) software that was not installed on the device.5 This would have allowed its IT department to remotely unlock the phone and, in my opinion, save the reputation of the organization in question. This is a risk that IT auditors can and should influence. So how can practitioners audit to help mitigate this and other mobile device risk scenarios?

In a previous column,6 I advocated the use of an ISACA® paper on creating audit programs.7 This process can be applied to build an audit program for mobile devices for an organization.

Determine Audit Subject

The first thing to establish is the audit subject. What does a mobile device mean in the enterprise? If there are distinct types of mobile devices in use, they should probably be recorded as separate audit universe items. ISACA categorized mobile devices (figure 1) in a 2012 white paper8 while an earlier white paper9 listed the types of mobile devices:
• Full-featured mobile phones with personal computer-like functionality, or smartphones
• Laptops and netbooks
• Tablet computers
• Portable digital assistants (PDAs)
When the objectives of the audit have been defined, the scoping process should identify the actual mobile devices that need to be audited.

• Define objectives for each category or type of selected device; refer to information value and information risk. This is key.
• Focus on a limited number of audit objectives for a reasonable scope.

It is worth noting that although ISACA’s Securing Mobile Devices white paper considered the vulnerability of the enterprise not managing the device, it did not consider a San Bernardino County scenario. The lesson? Spend some time considering emerging risk scenarios.
She Leads IT

As mentioned earlier, ISACA provides a perfect, safe forum for you to start to build your confidence in networking. As part of my SheLeadsTech role, I encourage women to engage with the local ISACA chapter, offering myself as a contact point for them initially until they build their confidence to engage more broadly with the group. A recent new female member attended the local ISACA chapter Annual General Meeting with the aim of building her profile by increasing her contacts in the local market. When she arrived, she was surprised to already know so many people in the room and was very comfortable networking with new people. Her confidence has grown so much that this month she is going to be a panelist for the inaugural meeting of SheLeadsTech in Manchester, UK, as a cyber security specialist in her field. I am absolutely delighted for her.

Q: What do you think are the most effective ways to address the lack of women in the technology workspace?

A: Women who are already successful in the technology workspace need to sponsor and support qualified women coming through and be role models for them. Where the environment is predominantly male, male advocates can act as mentors and support women in leadership roles to address the underrepresentation of women in the technology workspace.

Q: What do you see as the biggest risk factors being addressed by IS audit, risk and governance professionals? How can businesses protect themselves?

A: Currently, cyberrisk is a key strategic risk for organizations and allows the IS auditor to broaden their role more into the business area due to it being an issue that is broader than IS. Businesses need a cross-organizational response, i.e., an organizationwide security culture and awareness campaign supported by security monitoring and reporting tailored to the business with cyber risk being reported at the highest levels within the organization.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: On numerous occasions, I have worked with others in internal audit departments who have tended to have very different personality types and styles than mine. Over time this has required a “chameleon-style” approach to ensure that my opinions are received in a way that is valued and allows me to influence others to deliver the right outcomes for the business. It is important as a leader to recognize the value of learning lessons from any mistakes made and adapt behavior, and understand that “one size does not fit all.”

1. What is the biggest security challenge that will be faced in 2018?
The EU General Data Protection Regulation (GDPR).

2. What are your three goals for 2018?
Build my profile, explore the next opportunity and be happy.

3. What is on your desk right now?
A5 pads with different information relating to the different subject matter I work on throughout the day, in addition to two mobile phones, a Costa cup, a small handbag and, of course, the laptop on which I am typing this.

4. What are your favorite benefits of your ISACA® membership?
The ability to keep up to date with IS audit hot topics and current and relevant methodologies, the opportunity to network with great people globally, and being able to give back to the profession that has served me so well over the years.

5. What is your number-one piece of advice for other information security professionals, especially women?
Be bold and strong and use your network to support any gaps you feel you have.

6. What do you do when you are not at work?
I am a mother, a yogini and a traveler.
Some businesses, such as Fitbit, thrive on events in the life of their customers. The Fitbit wearer generates continuous data in very large measure. Of course, the Fitbit user is not interested in individual event data, but rather the aggregate information, such as the number of steps walked in a day, or trends. For this, Fitbit logs each event—literally each step walked by the user—and processes data into information useful to the user.

As businesses capture and store high volumes of data in their operational logs every day, they also create a challenge for themselves: ensuring that the data are accurate, the common data types are standardized across all logs and the logs are protected. For Fitbit, this becomes a question of protecting the privacy of users by securing personally identifiable information (PII) in the best

Most businesses have both operational data and security-related data, sometimes integrated into the same database. To manage security-related data within the operational logs and data in dedicated security logs, a sophisticated technology called security information and event management (SIEM) has emerged. SIEM attempts to fulfill two separate needs: real-time monitoring, correlation and processing of security events (called security event management [SEM]) and the historical analysis of log file information (called security information management [SIM]), for example, to support forensic investigations. SEM is closely related to incident response management when the incident may concern information security. SEM represents a continuous, ongoing effort while SIM is undertaken only as needed.1 A high-level overview of a log management scenario is presented in figure 1.

[Figure 1—Log management scenario: events flow into logs of events, which feed operational monitoring, security incident response, security event management and security information management]
It is important to recognize that logs of operational events, while only incidentally involved in information security initiatives, may be of value to the organization. For example, a real-time monitoring of disk space utilization may be programmed to send an alert once the disk space is 80 percent full. Operational event logs should also be filtered for security-relevant data. An audit of operational logs to identify any deviations from the compliance of security log management policy should prove helpful in proactively addressing any emerging issues. An example can be seen in Uber’s experience.

Organizations that do not value the importance of logging and monitoring may have to face issues in case of a breach or incident due to absence of records and evidence, or lax data management practices. This may also lead to legal, contractual or regulatory noncompliance. For example, Uber used a program called “God View,” which allowed employees to monitor the locations of riders. The US Federal Trade Commission (FTC) alleged that this was an improper business practice. In a settlement with the FTC, Uber declared that, for a similar application now in use at Uber, it has limited access only to those with a critical need to access such data. As part of the settlement, Uber agreed that it will undergo third-party audits every two years for the next 20 years to seek assurance that it meets or exceeds the FTC requirements for privacy protections.2
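The column's two points about operational logs (the 80 percent disk-space alert and filtering operational events for security-relevant data) can be shown in one small triage step. The following is an added example and not code from the article or its authors; the log line format, the set of security-relevant patterns and the sample lines are constructed assumptions, and only the 80 percent threshold comes from the column.

```python
# Added example, not from the column: split operational log lines into
# operational alerts and security-relevant events for a SIEM feed.
# The log format, the pattern set and the sample lines are constructed
# assumptions; the 80 percent disk threshold is the column's own example.
import re
from typing import Dict, List

DISK_ALERT_PERCENT = 80  # "send an alert once the disk space is 80 percent full"

# Patterns that make an operational line security-relevant (assumed set).
SECURITY_PATTERNS = [
    (re.compile(r"\bauth(entication)? fail", re.I), "authentication failure"),
    (re.compile(r"\bsudo\b|\bprivilege", re.I), "privilege use"),
    (re.compile(r"\buser\b.*\b(added|deleted|created)\b", re.I), "account change"),
    (re.compile(r"\blog(ging)? (stopped|cleared|disabled)\b", re.I), "logging tampered"),
]

DISK_RE = re.compile(r"disk (?P<mount>\S+) usage (?P<pct>\d{1,3})%")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")


def triage_line(line: str) -> Dict[str, object]:
    """Return a routing decision for one log line.

    route is one of "security_event", "operational_alert" or "other".
    Security relevance is checked first so that a line that is both (for
    example a privileged disk cleanup) still reaches the security pipeline.
    """
    m = LINE_RE.match(line)
    if not m:
        return {"route": "other", "reason": "unparsed", "raw": line}
    rec: Dict[str, object] = m.groupdict()
    rec["raw"] = line
    for pattern, label in SECURITY_PATTERNS:
        if pattern.search(str(rec["msg"])):
            rec.update(route="security_event", reason=label)
            return rec
    d = DISK_RE.search(str(rec["msg"]))
    if d:
        pct = int(d.group("pct"))
        rec.update(mount=d.group("mount"), percent=pct)
        if pct >= DISK_ALERT_PERCENT:
            rec.update(route="operational_alert", reason="disk usage threshold")
            return rec
    rec.update(route="other", reason="routine")
    return rec


def triage(lines: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group every line by its route so each bucket can be forwarded separately."""
    buckets: Dict[str, List[Dict[str, object]]] = {
        "security_events": [], "operational_alerts": [], "other": []}
    for line in lines:
        rec = triage_line(line)
        key = {"security_event": "security_events",
               "operational_alert": "operational_alerts"}.get(str(rec["route"]), "other")
        buckets[key].append(rec)
    return buckets


# Constructed sample lines (not real log data).
SAMPLE_LOGS = [
    "2017-11-02T08:00:01 host1 monitor: disk /var usage 81%",
    "2017-11-02T08:00:05 host1 monitor: disk / usage 42%",
    "2017-11-02T08:01:10 host1 sshd: authentication failure for admin from 10.0.0.7",
    "2017-11-02T08:02:00 host1 useradd: user backup-svc added to group wheel",
    "2017-11-02T08:03:30 host1 auditd: logging stopped by pid 4412",
    "2017-11-02T08:04:00 host1 cron: nightly backup finished ok",
]

if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_LOGS).items():
        print(bucket, [r["reason"] for r in records])
```

The "logging stopped" line is the kind of policy deviation the column says an audit of operational logs should surface: it is an operational event, yet it belongs in the security pipeline because it undermines the evidence trail.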
Strategic theme: Data-driven customercentricity

Figure 3—What Was Achieved and What Bank Staff Said to the Project Team
[Chart: Outcomes—utilization (0 to 60) by month, May through Nov, for Payments, Transactions and Credit; legend: Audited Value Enabled]

What they said:
“We will use your work to boost sales scorecard performance,” AVP sales
“Come and help us meet our scorecard targets,” AVP New Business
“Where have you been all our lives?,” Provincial sales manager
“When are you coming to help us?,” Provincial sales manager
“The great thing is that it is not rocket science,” EVP
“We need to entrench your work,” VP
“This is big,” VP
“Go big,” EVP
• High-variety data—Structured and unstructured data, both internally and externally sourced from across multiple divisions of the bank and from specialist data vendors. They included government gazettes and national, provincial and regional economic forecasts. The potential of these disparate data sources was unlocked by data fusion for data enrichment.
• Innovative processing—New database technology was needed to accelerate the daily data processing required to produce up-to-date customer insights to the field in a timely manner.
• Enhanced insight and decision making—Better customer insights mean significantly higher

Consider what the impact of today’s corporate governance and data governance disciplines would have been if the big data project was taken on now, starting with corporate governance.

For data governance, note that the impact is partially reflected by the integrity pillar in figure 4 and partially by privacy principle two in figure 5.

The overall governance implications of the big data project are clearly significant. Three of the six pillars of corporate governance would demand at least some change to the project’s approach, with data governance possibly having the most governance implications for implementation.
Figure 6—The Drivers of the Biggest Impact to an Enterprise-Scale Big Data Project

Category | Governance | Impact Summary
Governance | Corporate | Given the scope and duration of the project, succession planning is needed to ensure the appropriate level of continuity for long-term projects.
Risk | Corporate and data | There is a clear need to establish the relevant data controls and oversight and to understand the risk and impact of a breach of sensitive personal and financial information both before and during deployment.
Compliance | Data | There is a need to ensure the requisite level of data quality. Ensure that the privacy regulations around these data in the relevant jurisdictions are adhered to if any data are purposefully collected (i.e., not already existing in a database). Check the applicability of the limited use principle (principle three in figure 5).
[Figure: the risk register axes—process area, frequency and RACI (stakeholder roles)]

1. Process area—This represents the degree of risk and compliance against which third parties are measured. It represents the development steps of the risk register, which is the critical and final outcome of the methodology presented in this article. The development and conclusion of the risk register is a successive approach represented by five tiers.
2. Frequency—This is the repeatable period or schedule of the examination/reporting required from the third parties by the enterprise receiving the services. The frequency is an integral part of the risk register since it relies on the third-party levels of risk and types of substantiated required evidence.
3. Responsible, accountable, consulted, informed (RACI)—This is the roles and responsibilities model for any activity that the stakeholders of the enterprise manage and oversee. The RACI cross-functional stakeholders could be drawn from various departments such as compliance, information technology, supply chain, legal and human resources. The basic elements of the RACI model are:
• Responsible—The stakeholders who perform the work
• Accountable—The stakeholders who are accountable for the work and decision making

The Proposed Process Approach

The following are the recommended procedural steps of the risk-based management approach:

• Prepare inventory list of third-party vendors—One size does not fit all. When compiling the list of third parties and developing the criteria to assess the third parties’ security risk to the enterprise, the list must be within the context of the industry, types of rendered services and the degree of impact of service dependencies on the enterprise. The enterprise’s expectations of third-party data security compliance will vary and depend on:
– The business relationship and what is rendered (products or services) by the third party—e.g., if the nature of the rendered services is transactional data, the Statements on Standards for Attestation Engagements (SSAE) 18 is effective for Service Organization Control (SOC) report opinions.
– The criticality to the core processes of what is rendered to the enterprise—e.g., when the relationship between the enterprise and the third party is governed through information technology outsourcing (ITO) services.
– The entity type of the third party (e.g., public, private, government)—e.g., if the entity is a US government agency, it will require compliance with the US Federal Information Security Management Act (FISMA). This act requires each federal agency to develop, document and implement an agencywide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor or other source.
– Information management and security risk—This is a combination of information technology services, information technology security and regulatory compliance risk. For example, a from-and-to transfer of information will pose a number of security challenges, such as data security during the transmission. Additional risk factors include confidentiality, user access, media location, physical security, device security and fourth-party risk, if any.
– Resiliency risk—This is related to the enterprise’s mission-critical activities and how resilient the third party is to ensure information availability, disaster recovery, business continuity, incident management, recovery time objective (RTO), recovery point objective (RPO) and single point of failure (SPOF).

There could be regulatory compliance expectations or key controls in place that are exclusive to the third-party industry type, nature of rendered services or market capitalization. For example, the third party may require complying with the US Sarbanes-Oxley (SOX) Act, HIPAA, the US Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard

• Triage the risk and map the third parties (risk register)—When dealing with a third party, the enterprise must examine the types of risk that are posed. Depending on the services rendered,

...exert multiple risk factors on the enterprise, which will increase the due diligence and compliance assurance required from the third party.

[Figure: risk register distribution—Critical Risk = 20, Moderate Risk = 44, Low Risk = 16]
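The inventory and triage steps above, together with the point that the review frequency depends on a third party's level of risk and the evidence it must substantiate, can be turned into a minimal risk register. The following is an added example and not the article's or the author's own method: the scoring weights, tier thresholds, review cadences and sample vendors are constructed assumptions; only the SSAE 18/SOC and FISMA evidence references follow the article's text.

```python
# Added example, not from the article: a small third-party risk register that
# triages vendors into Critical/Moderate/Low tiers and derives the review
# frequency and the evidence to request for each tier. Weights, tier floors,
# cadences and the sample vendors are constructed assumptions; the SSAE 18 / SOC
# and FISMA references follow the article.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ThirdParty:
    name: str
    service: str                   # e.g. "transactional data", "ITO", "facilities"
    criticality: int               # 1 = peripheral ... 3 = supports a core process
    data_sensitivity: int          # 1 = public ... 3 = personal/financial data
    resiliency_gap: int            # 1 = RTO/RPO met ... 3 = single point of failure
    entity_type: str = "private"   # "private", "public" or "government"
    fourth_parties: bool = False   # vendor itself depends on subcontractors


# Tier floors on the weighted score and review cadence per tier (assumed).
TIER_FLOORS = [("Critical", 11), ("Moderate", 7), ("Low", 0)]
REVIEW_MONTHS = {"Critical": 3, "Moderate": 6, "Low": 12}


def risk_score(tp: ThirdParty) -> int:
    """Weighted score: criticality and data sensitivity count double (assumed)."""
    score = 2 * tp.criticality + 2 * tp.data_sensitivity + tp.resiliency_gap
    if tp.fourth_parties:
        score += 1  # fourth-party risk is one of the article's listed factors
    return score


def tier_for(score: int) -> str:
    for name, floor in TIER_FLOORS:
        if score >= floor:
            return name
    return "Low"


def required_evidence(tp: ThirdParty) -> List[str]:
    """Evidence the register asks the vendor to substantiate (assumed mapping)."""
    evidence: List[str] = []
    if tp.service == "transactional data":
        evidence.append("SSAE 18 SOC report")
    if tp.entity_type == "government":
        evidence.append("FISMA program documentation")
    if tp.data_sensitivity >= 3:
        evidence.append("privacy/data-protection control attestation")
    if tp.resiliency_gap >= 2:
        evidence.append("BC/DR test results with RTO and RPO")
    return evidence


def build_register(parties: List[ThirdParty]) -> List[Dict[str, object]]:
    """Map every vendor to tier, cadence and evidence; highest score first."""
    rows: List[Dict[str, object]] = []
    for tp in parties:
        score = risk_score(tp)
        tier = tier_for(score)
        rows.append({"name": tp.name, "score": score, "tier": tier,
                     "review_every_months": REVIEW_MONTHS[tier],
                     "evidence": required_evidence(tp)})
    return sorted(rows, key=lambda r: int(r["score"]), reverse=True)


def tier_counts(register: List[Dict[str, object]]) -> Dict[str, int]:
    """Headcount per tier, the figure a register summary chart would plot."""
    counts = {"Critical": 0, "Moderate": 0, "Low": 0}
    for row in register:
        counts[str(row["tier"])] += 1
    return counts


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    ThirdParty("PayProc", "transactional data", 3, 3, 2),
    ThirdParty("CloudOps", "ITO", 3, 2, 1, fourth_parties=True),
    ThirdParty("HRPortal", "SaaS HR", 2, 2, 2),
    ThirdParty("StatAgency", "reporting", 1, 2, 1, entity_type="government"),
    ThirdParty("Landscaper", "facilities", 1, 1, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VENDORS):
        print(row)
```

The frequency column falls out of the tier rather than being set per vendor, which is what keeps the cadence defensible when the register is audited: changing a vendor's score changes its review schedule without a separate decision.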
Advantages of the Outlined Process Approach

One of the challenges facing the enterprise in forming a team to manage third-party data security risk and compliance is the cost justification of such an investment. Using traditional accounting methods, such as discounted cash flow, to determine the return on investment (ROI) for cyber security initiatives may not be very suitable in this case.

...objective, critical success factors (CSFs) and business challenges are all linked and supported by cyber security initiatives.4

Using a risk-based management approach to third-party data security risk and compliance can yield numerous benefits, including:

1. Establishing a single repository of third-party suppliers
• CO 8 (Asset Management)

A careful reading of the ISO/IEC 27001:2013 standard helps clarify that the previously mentioned control objectives are compulsory. Indeed, any organization targeting such a standard has to fix at least one high-level information security policy and one set of responsibilities to control its application throughout the organization. Any organization has to manage the assets and the stakeholders; therefore, it is necessary to identify them.

2. With the help of the risk assessment results, shed light on the priorities relating to every set of measures—To be able to determine the minimum responses that correlate to each set of measures of the SoA, it is worth analyzing the organization-level risk assessment and ranking the corresponding priorities (e.g., 1 = low risk, low priority; 2 = medium risk, medium priority; 3 = high risk, high priority) to weigh every measure.

Avoid waiting until the perfect risk assessment is complete. Perfection is a lure and a hurdle against a successful quick scan of the SoA. Rather, develop a first version by considering which control objective the organization considers a major risk. Should the enterprise take up the exercise again, the second version can widen the scope of the risk assessment.

• Scope of responsibilities. In this subsidiary context, two types of responsibilities are considered:
– The HR department is responsible for hiring personnel for fixed or long-term contracts; candidate background screening is the HR department’s responsibility.
– Any department, including HR, that is willing to hire subcontractors is responsible for verifying a candidate’s background.
• Declining the ISO/IEC 27001:2013 requirement in the organizational context given the scope; declining one or more items to come later:
– Requirement 1 (responsibility of HR department)—Before hiring personnel, the following verifications are to be performed for considered candidates: identity control, criminal record, education, professional credentials and contact of former employers.
– Requirement 2 (responsibility of all departments)—Before hiring subcontractors, the same verifications previously mentioned should be performed.
• Examining how much the concerned organization is complying with previous requirements:
– Compliance with requirement 1: 1 (Full compliance)
– Compliance with requirement 2: 0, 2 The organization has handled the personal
VM-Based Evasion Examples

In addition to looking for user activity, criminals program their malware to detect when it is running in a virtual machine and, therefore, likely is a sandbox. As with user activity, there is a long list of techniques criminals use, the most recently detected examples of which are described here.

Look for Zone:Identifier

When a file is downloaded from the Internet onto a computer running Microsoft Windows, the operating system adds an alternate data stream (ADS) to the file to store Zone:Identifier metadata. This metadata includes information about the file, such as information about the URL from which the file was downloaded, and Windows uses it to show appropriate warning messages to the user before opening potentially untrusted content.

On the other hand, when a file is copied into a sandbox for analysis, this Zone:Identifier metadata is usually not present, as the sandbox cannot know where the file originated. Malware will check for this discrepancy. The presence of the Zone:Identifier

At the very least, sandboxes have to monitor the primary subject, i.e., the program that is to be executed, and the processes with which it interacts. Interactions can be as simple as one program starting another or injecting new code into a target process. WMI is simply another type of inter-process communication (IPC), but it uses a more complicated client-server model. More precisely, it uses advanced local procedure calls (ALPC) to send queries to be executed in the context of system server processes.

If a sandbox is not able to intercept this type of communication, it will miss the activities performed by malware using WMI. Examples of malware using WMI to evade sandboxes include:

• Checking cores count—Due to resource constraints, sandboxes attribute the minimum required central processing unit (CPU) cores to a VM, typically just one, so they can run in parallel on as many VMs on a server as possible. However, most modern computers have multiple CPU cores. Malware will execute a WMI query to fetch the cores count, and if the value is one, it concludes that it is running inside a sandbox.

Without the ability to see this type of IPC, a sandbox is unable to intercept (and manipulate) the data returned by the server process. Thus, malware finds the limited hardware resources and detects the sandbox.

BIOS Info

Basic Input/Output System (BIOS) information for VMs and emulators is different from BIOS information for a real system, and it often contains strings indicative of VMs. Malware can create a list of strings found in BIOS information for VMs and can check if the current system BIOS information contains those strings. If so, malware can be fairly certain that it is running in a VM.

Using Specific Instructions

Modern virtualization technologies support instructions that will unconditionally provoke a “VM Exit” into the hypervisor (a system that creates and runs VMs). This allows a VM to modify how the instruction triggering the VM Exit behaves, similar to an interrupt handler. However, this interrupt introduces a discrepancy in the execution time: When executed on a real machine, such instructions are faster than when they are executed inside the hypervisor managing VMs. Malware can use this discrepancy to detect the hypervisor, thereby tipping it off that it is running inside a VM. For example, it can measure the execution time of the CPUID instruction and compare it to the expected execution time of this instruction on a real machine.
A: Data or information is a primary enabler for any organization, as established in COBIT® 5. Organizations today generate, process, use and store volumes of data/information. Many organizations face similar problems when classifying data/information. Although there is no panacea to this problem, it can be addressed based on the approaches used by various organizations.

ISACA’s Data Leak Prevention1 white paper identifies three key objectives for a DLP solution:
• Locate and catalog sensitive information stored throughout the enterprise. (Data classification)
• Monitor and control the movement of sensitive information across enterprise networks. (Network-level controls)
• Monitor and control the movement of sensitive information on end-user systems. (End-user controls)

The white paper provides guidelines for implementing DLP. These guidelines are:
• Data classification should be the first step of the program.
• Define and implement data classification and protection policies.
• Implement and configure DLP solutions per policy.

...are not possible without identifying and classifying the organization’s data and information.

One more point also needs to be considered: implementing only DLP solutions may not provide the required level of assurance on the protection of data. It may have to be supplemented with implementing and integrating digital rights management (DRM) and access management solutions.

Other aspects to consider while implementing a DLP solution include:
• Generally, regulatory requirements mean data leaks can be catastrophic for organizations, and the possibility of liability and litigation are main drivers for organizations to consider DLP technologies.
• Many times, DLP is deployed by organizations with a focus on protecting intellectual property rights and trade secrets only.
• DLP and digital rights management (DRM) implementation should be considered as an organizational program rather than as an IT initiative.
• Such programs may have multiple projects/phases and may require one to three years to fully implement depending on the size of the organization.
• DLP can protect data/information within the organization’s perimeter, but cannot be extended beyond boundaries such as DRM.
• Data classification forms the foundation for DLP to be successful.
• DLP is not an adequate protection in cases where the organization uses cloud technologies.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant and visiting faculty member at the National Institute of Bank Management, India.
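The white paper's first objective, locating and cataloging sensitive information, and the guideline that classification comes before configuring DLP controls, are easier to reason about with a concrete classification pass. The following is an added example and not the white paper's or any DLP product's logic: the detection patterns, the Restricted/Confidential/Internal labels, the mapping of labels to network-level and end-user controls, and the sample documents are all constructed assumptions. The Luhn check is included so that a random 16-digit test string, a common source of DLP false positives, is not cataloged as card data.

```python
# Added example, not from the column: a data classification pass of the kind
# the white paper's first objective ("locate and catalog sensitive
# information") calls for. Patterns, labels, the control mapping and the
# sample documents are constructed assumptions, not any product's rules.
import re
from typing import Dict, List

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# What the policy does with each label (assumed mapping onto the white paper's
# network-level and end-user control objectives).
CONTROLS = {
    "Restricted": ["block network egress", "block removable media", "alert"],
    "Confidential": ["encrypt in transit", "log transfers"],
    "Internal": [],
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used so random 16-digit strings are not flagged as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, int]:
    """Count each kind of sensitive item; card candidates must pass Luhn."""
    cards = [m for m in CARD_RE.findall(text) if luhn_valid(m)]
    return {
        "card": len(cards),
        "ssn": len(SSN_RE.findall(text)),
        "email": len(EMAIL_RE.findall(text)),
    }


def classify_text(text: str) -> Dict[str, object]:
    """Assign a classification label and the DLP controls it triggers."""
    findings = find_sensitive(text)
    if findings["card"] or findings["ssn"]:
        label = "Restricted"
    elif findings["email"]:
        label = "Confidential"
    else:
        label = "Internal"
    return {"label": label, "findings": findings, "controls": CONTROLS[label]}


def catalog_documents(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group document names by label: the catalog the first objective asks for."""
    catalog: Dict[str, List[str]] = {"Restricted": [], "Confidential": [], "Internal": []}
    for name, text in docs.items():
        catalog[str(classify_text(text)["label"])].append(name)
    return catalog


# Constructed sample documents (fabricated content; 4111... is a well-known
# test card number that passes Luhn, 1234... is a random string that does not).
SAMPLE_DOCS = {
    "invoice.txt": "Customer card 4111 1111 1111 1111 charged; ship to warehouse B.",
    "memo.txt": "Project timeline attached; questions to alice@example.com.",
    "notes.txt": "Lunch menu for Friday and parking reminders.",
    "test-data.txt": "QA fixture uses fake card 1234 5678 9012 3456 only.",
}

if __name__ == "__main__":
    for label, names in catalog_documents(SAMPLE_DOCS).items():
        print(label, names)
```

The control list attached to each label is what a network-level or end-user DLP agent would enforce; the point of running classification first is that those agents act on the label, not on their own guess about the content.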
CPE Quiz
Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS
Take the quiz online: http://bit.ly/2fXWWGR

TRUE OR FALSE

KHAN ARTICLE

1. There are less than 18 social media platforms globally that have started to grow and have an enterprise-level following.
2. Brand value and awareness can be created by engaging with customers on social media.
3. The four key areas of concern due to the growth in global privacy regulations are privacy, content ownership, intellectual property (IP) infringement and unauthorized activities.
4. A social media crisis and communication plan is unnecessary and any member of staff can deal with whatever crisis arises.
6. It is forecasted that by 2020, 82.4 percent of the US workforce will be remote.
7. In recent years, many technology companies such as Google, Amazon and IBM have started to invest massively to offer cloud-based services to respond to businesses’ expectations.
8. The biggest risk associated with a mobile workforce is loss or damage to assets such as laptops, tablets and customer data when they are in possession of remote employees.

WLOSINSKI ARTICLE

9. In 2016, 554,454,942 records were breached from 974 reported incidents.
10. Of the 554,454,942 breaches reported in 2016, 49 percent of the incidents were for personally identifiable information (PII), 28 percent were for credit and debit card data, and 23 percent were for physical health information (PHI).
11. Governance of privacy-related information requires that a custom strategy be developed for any organization and should include activities such as identifying the stakeholders and developing vision, mission and value statements with goals and objectives.
12. A privacy impact assessment (PIA) questionnaire should be used to inform the privacy officer of possible concerns and potential problems when a computer system is developed or changed.
14. A key issue often cited by information systems (IS) executives in the last three decades is aligning IT with business.
15. Research indicates that alignment of IT with the business was the top IT management concern for four consecutive years since 2012.
16. IT is considered to be very important to the delivery of the overall business strategy and vision.
17. The value driver for financial IT includes maintaining the ratio of IT operational expenditure (OPEX) to the company’s OPEX, adherence to the approved budget and ensuring IT cost recovery based on the approved budget.
TRUE OR FALSE
KHAN ARTICLE WLOSINSKI ARTICLE Name
PLEASE PRINT OR TYPE
1. 9.
2. 10. Address
3. 11.
4. 12.
CISA, CRISC, CISM or CGEIT #
13.
NGAMBEKET ARTICLE
NICHO, KHAN, MOHAN
ARTICLE
5. Answers: Crossword by Myles Mellor
See page 56 for the puzzle.
6. 14.
1 2 3 4 5 6 7 8
P R O S E L Y T I Z E G I G
7. 15. R N N O M R O P
9 10 11 12
I D S T H U M B D R I V E S
8. 16. V E I
13
U N O N
14 15 16 17 18
A T T A C K S E A R B U D S
17. T E P N E
19 20 21 22 23
E X P E D I E N T D E S C
24
U A E R A Q U
25 26 27
A N T I V I R U S T R U E R
C E T A I E
Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. 28 29 30 31
Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is C A P T C H A S U B V I
32
available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit E E T A O B
using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information 33 34 35
by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE S E T S O N W A N N A C R Y
36
Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., S Y R P C K A O
#1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You 37 38
need only to include an envelope with your address. You will be responsible for submitting your credit hours at year- R A N S O M S S O L I D
end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.
Get Noticed! Advertise in the ISACA® Journal
For more information, contact media@isaca.org
Please note that the guidelines are effective 1 September 2014. An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director, Thought Leadership and Research via email (standards@isaca.org); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of the Journal. ISACA Journal does not attest to the originality of authors' content.

© 2017 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

ISSN 1944-1967

Subscription Rates: US: one year (6 issues) $75.00. All international orders: one year (6 issues) $90.00. Remittance must be made in US funds.

Editor
Jennifer Hajigeorgiou, publication@isaca.org

Managing Editor
Maurita Jasper

Contributing Editors
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Sally Chan, CGEIT, CPA, CMA
Ian Cooke, CISA, CRISC, CGEIT, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt
Kamal Khan, CISA, CISSP, CITP, MBCS
Vasant Raval, DBA, CISA
Steven J. Ross, CISA, CBCP, CISSP
Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT

Advertising
media@isaca.org

Media Relations
news@isaca.org

Reviewers
Matt Altman, CISA, CRISC, CISM, CGEIT
Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, ITIL, MBCI
Vikrant Arora, CISM, CISSP
Cheolin Bae, CISA, CCIE
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Brian Barnier, CRISC, CGEIT
Pascal A. Bizarro, CISA
Jerome Capirossi, CISA
Anand Choksi, CISA, CCSK, CISSP, PMP
Joyce Chua, CISA, CISM, PMP, ITILv3
Ashwin K. Chaudary, CISA, CRISC, CISM, CGEIT
Burhan Cimen, CISA, COBIT Foundation, ISO 27001 LA, ITIL, PRINCE2
Ken Doughty, CISA, CRISC, CBCP
Nikesh L. Dubey, CISA, CRISC, CISM, CISSP
Ross Dworman, CISM, GSLC
Robert Findlay
John Flowers, CISA, CRISC
Jack Freund, CISA, CRISC, CISM, CIPP, CISSP, PMP
Sailesh Gadia, CISA
Amgad Gamal, CISA, COBIT Foundation, CEH, CHFI, CISSP, ECSA, ISO 2000 LA/LP, ISO 27000 LA, MCDBA, MCITP, MCP, MCSE, MCT, PRINCE2
Robin Generous, CISA, CPA
Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA
Tanja Grivicic
Manish Gupta, Ph.D., CISA, CRISC, CISM, CISSP
Mike Hansen, CISA, CFE
Jeffrey Hare, CISA, CPA, CIA
Sherry G. Holland
Jocelyn Howard, CISA, CISMP, CISSP
Francisco Igual, CISA, CGEIT, CISSP
Jennifer Inserro, CISA, CISSP
Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA
Mohammed J. Khan, CISA, CRISC, CIPM
Farzan Kolini, GIAC
Abbas Kudrati, CISA, CISM, CGEIT, CEH, CHFI, EDRP, ISMS
Shruti Kulkarni, CISA, CRISC, CCSK, ITIL
Bhanu Kumar
Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP
Edward A. Lane, CISA, CCP, PMP
Romulo Lomparte, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation, CRMA, IATCA, IRCA, ISO 27002, PMP
Larry Marks, CISA, CRISC, CGEIT
Tamer Marzouk, CISA, ABCP, CBAP
Krysten McCabe, CISA
Brian McLaughlin, CISA, CRISC, CISM, CIA, CISSP, CPA
Brian McSweeney
Irina Medvinskaya, CISM, FINRA, Series 99
David Earl Mills, CISA, CRISC, CGEIT, MCSE
Robert Moeller, CISA, CISSP, CPA, CSQE
David Moffatt, CISA, PCI-P
Ramu Muthiah, CISM, CRVPM, GSLC, ITIL, PMP
Ezekiel Demetrio J. Navarro, CPA
Jonathan Neel, CISA
Nnamdi Nwosu, CISA, CRISC, CISM, CGEIT, PfMP, PMP
Anas Olateju Oyewole, CISA, CRISC, CISM, CISSP, CSOE, ITIL
David Paula, CISA, CRISC, CISSP, PMP
Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE
John Pouey, CISA, CRISC, CISM, CIA
Steve Primost, CISM
Parvathi Ramesh, CISA, CA
Antonio Ramos Garcia, CISA, CRISC, CISM, CDPP, ITIL
Michael Ratemo, CISA, CRISC, CISM, CSXF, ACDA, CIA, CISSP, CRMA
Ron Roy, CISA, CRP
Louisa Saunier, CISSP, PMP, Six Sigma Green Belt
Daniel Schindler, CISA, CIA
Sandeep Sharma
Catherine Stevens, ITIL
Johannes Tekle, CISA, CFSA, CIA
Robert W. Theriot Jr., CISA, CRISC
Nancy Thompson, CISA, CISM, CGEIT, PMP
Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT
Jose Urbaez, CISA, CRISC, CISM, CGEIT, CSXF, ITIL
Ilija Vadjon, CISA
Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA
Varun Vohra, CISA, CISM
Manoj Wadhwa, CISA, CISM, CISSP, ISO 27000, SABSA
Anthony Wallis, CISA, CRISC, CBCP, CIA
Kevin Wegryn, PMP, Security+, PfMP
Tashi Williamson
Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2017-2018)
Chair: Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA
Vice-chair: Rob Clyde, CISM
Director: Brennan Baybeck, CISA, CRISC, CISM, CISSP
Director: Zubin Chagpar, CISA, CISM, PMP
Director: Peter Christiaans, CISA, CRISC, CISM, PMP
Director: Hironori Goto, CISA, CRISC, CISM, CGEIT
Director: Michael Hughes, CISA, CRISC, CGEIT
Director: Leonard Ong, CISA, CRISC, CISM, CGEIT, CFE, CIPM, CIPT, CPP, CISSP, ISSMP-ISSAP, CITBCM, CSSLP, GCFA, GCIA, GCIH, GSNA, PMP
Director: R. V. Raghu, CISA, CRISC
Director: Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT
Director: Ted Wolff, CISA
Director: Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT Assessor and Trainer, CIA, CRMA
Director and Chief Executive Officer: Matthew S. Loeb, CGEIT, CAE, FASAE
Director and Past Chair: Christos Dimitriadis, Ph.D., CISA, CRISC, CISM, ISO 20000 LA
Director and Past Chair: Robert E Stroud, CRISC, CGEIT
Director and Past Chair: Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
ISACA BOOKSTORE
RESOURCES FOR YOUR PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore

Browse a variety of publications featuring the latest research and expert thinking on standards, best practices, emerging trends and more at isaca.org/bookstore

Featured Exam Prep Materials

CISA® Review Manual, 26th Edition
The CISA® Review Manual, 26th Edition is a comprehensive reference guide designed to help individuals prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor. The manual has been revised according to the 2016 CISA Job Practice and represents the most current, comprehensive, peer-reviewed IS audit, assurance, security and control resource available.

The 26th edition is organized to assist candidates in understanding essential concepts and studying the following job practice areas: The Process of Auditing Information Systems; Governance and Management of IT; Information Systems Acquisition, Development and Implementation; Information Systems Operations, Maintenance and Service Management; Protection of Information Assets.

The manual also serves as an effective desk reference for IS auditors.

Member: US $105.00
Non-member: US $135.00
Print Product Code: CRM26ED
eBook Product Code: EPUB_CRM26ED

CISA® Review Questions, Answers & Explanations Manual, 11th Edition
Designed to familiarize candidates with the question types and topics featured in the CISA exam, the CISA® Review Questions, Answers & Explanations Manual, 11th Edition consists of 1,000 multiple-choice study questions that have previously appeared in the CISA® Review Questions, Answers & Explanations Manual 2015 and the CISA® Review Questions, Answers & Explanations Manual 2015 Supplement. The manual has been updated according to the newly revised 2016 Job Practice.

Many questions have been revised or completely rewritten to be more representative of the CISA exam question format and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items but are intended to provide CISA candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

This publication is ideal to use in conjunction with the:
• CISA® Review Manual, 26th Edition
• CISA® Review Questions, Answers & Explanations Database – 12 Month Subscription

Member: US $120.00
Non-member: US $156.00
Product Code: QAE11ED

NEW!
CRISC™ Review Questions, Answers & Explanations Manual, 4th Edition
The CRISC™ Review Questions, Answers & Explanations Manual, 4th Edition is designed to familiarize candidates with the question types and topics featured in the CRISC exam.

The 500 questions in this manual have been consolidated from the CRISC™ Review Questions, Answers & Explanations Manual 2015 and the CRISC™ Review Questions, Answers & Explanations Manual 2015 Supplement.

Many questions have been revised or completely rewritten to be more representative of the CRISC exam question format, and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items, but are intended to provide CRISC candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

Member: US $72.00
Non-member: US $96.00
Product Code: CRQ4ED
Available in Spanish: Product Code: CRQ4EDS

CISM® Review Manual, 15th Edition
The CISM® Review Manual, 15th Edition is designed to help you prepare for the CISM® exam. This comprehensive, easy-to-navigate manual is organized into chapters that correspond to the four job practice areas covered in the CISM exam. The Manual is primarily designed as a tool for exam prep, but can also be useful as a reference manual for information security managers.

New to the 15th Edition:
• In Practice Questions help you explore the concepts in the CISM Review Manual in your own practice.
• Knowledge Checks are designed to help reinforce important concepts from the Review Manual to further enhance your learning.
• Case Studies provide real-world scenarios to help you gain a practical perspective on the Review Manual content and how it relates to the CISM's practice.
• Comprehensive Index has been updated to make navigating the Review Manual easier and more intuitive.

Member: US $105.00
Non-member: US $135.00
Print Product Code: CM15ED
eBook Product Code: EPUB_CM15ED

CISM Review Questions, Answers & Explanations Manual, 9th Edition
Member: US $120.00
Non-member: US $156.00
Product Code: CQA9ED

ISACA
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA
P: +1.847.253.1545
F: +1.847.253.1443
E: info@isaca.org
isaca.org

NEW!
The database is available via the web, allowing our CISM candidates to log in at home, at work or anywhere they have Internet connectivity. The database is MAC and Windows compatible.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CISM candidates to identify their strengths and weaknesses and focus their study efforts accordingly.

Member: US $185.00
Non-member: US $225.00
Product Code: XMXCM15-12M

CGEIT® Review Manual, 7th Edition
The CGEIT® Review Manual, 7th Edition is designed to help individuals prepare for the CGEIT exam and understand the responsibilities of those who implement or manage the governance of enterprise IT (GEIT) or have significant advisory or assurance responsibilities in regard to GEIT. It is a detailed reference guide that has been developed and reviewed by subject matter experts actively involved in governance of enterprise IT worldwide.

The manual is organized to assist candidates in understanding essential concepts and studying the following updated job practice areas:
• Framework for the governance of enterprise IT
• Strategic management
• Benefits realization
• Risk optimization
• Resource optimization

CGEIT® Review Questions, Answers & Explanations Manual, 4th Edition
The CGEIT® Review Questions, Answers & Explanations Manual, 4th Edition is designed to familiarize candidates with the question types and topics featured in the CGEIT exam.

The 250 questions in this manual have been consolidated from the CGEIT® Review Questions, Answers & Explanations Manual, 2015 and the CGEIT® Review Questions, Answers & Explanations Manual, 2015 Supplement.

Many questions have been revised or completely rewritten to be more representative of the CGEIT exam question format and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items but are intended to provide CGEIT candidates with an understanding of the type and structure of questions and content that has previously appeared on the exam. This publication is ideal to use in conjunction with the:

Train Your Employees. Prep for Enterprise Success.
R-CAP™ brings Audit Universe & KPIs to your fingertips.