
www.isaca.org January/February 2016


STAY AHEAD OF THREATS.
MOVE AHEAD IN YOUR CAREER.
Cybersecurity Nexus™ (CSX) is your premier resource for knowledge, tools, guidance and professional development in the critical areas of cybersecurity. And now, you can test your abilities with our new skills-based training programs and prove them with our performance-based certifications. Because it’s not about showing you have the knowledge — it’s about getting the job done.

Visit www.isaca.org/cybercertcsx for more information.


CREATE VALUE FOR YOURSELF AND YOUR ENTERPRISE—START BY REGISTERING FOR AN ISACA® CERTIFICATION EXAM TODAY!

“EMPLOYERS SEE MY
ISACA CERTIFICATIONS.
THEY KNOW I WILL BE A
VALUABLE RESOURCE.”
— MARCUS CHAMBERS, CISM, CGEIT
CONSULTANT
LONDON, UNITED KINGDOM
ISACA MEMBER SINCE 2012

Becoming ISACA-certified showcases your knowledge and expertise. Give yourself an edge and gain the recognition you deserve with ISACA certifications—register for an upcoming exam soon!
Register at www.isaca.org/2016exams-Jv1

UPCOMING CERTIFICATION EXAM

11 June 2016
Early registration deadline: 10 February 2016
Final registration deadline: 8 April 2016
Take the first step towards gaining the recognition you deserve—register for a June exam today!

Register early to save US $50! www.isaca.org/2016exams-Jv1


VOLUME 1, 2016

ISACA Journal®

The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal’s noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

Columns

4 Information Security Matters: Cyber/Privacy
Steven J. Ross, CISA, CISSP, MBCP

7 Guest Editorial: Why Everyone Dislikes the IT Auditor and How To Change It
Tommie Singleton, CISA, CGEIT

10 The Network
Urmilla Persad, CISA, CISM, CRISC, ITIL V3 Foundation

12 IS Audit Basics: Trust, but Verify
Ed Gelbstein, Ph.D.

Features

14 How COBIT 5 Improves the Work Process Capability of Auditors, Assurance Professionals and Assessors (Disponible también en español)
Graciela Braga, CGEIT, COBIT Foundation, CPA

18 Transforming the IT Audit Function—Taking the Digital Journey (Disponible también en español)
Robert (Bob) E. Kress

22 Comparison of PCI DSS and ISO/IEC 27001 Standards
Tolga Mataracioglu, CISA, CISM, COBIT Foundation, CCNA, CEH, ISO 27001 LA, BS 25999 LA, MCP, MCTS, VCP

27 The Art of Data Visualization, Part I
Karina Korpela, CISA, CISM, CISSP, PMP

32 How to Be the Most Wanted IS Auditor
Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI

35 Seven Software-related Incidents and How to Avoid or Remediate Them
Frederick G. Mackaden, CISA, CMA, PMP

41 Managing Data Protection and Cybersecurity—Audit’s Role
Mohammed J. Khan, CISA, CRISC, CIPM

44 Actionable Security Intelligence From Big, Midsize and Small Data
C. Warren Axelrod, Ph.D., CISM, CISSP

51 Auditing Cybersecurity
Martin Coe, DBA, CISA, CISM, CPA

Plus

56 Crossword Puzzle
Myles Mellor

57 CPE Quiz #164
Based on Volume 5, 2015—Cybersecurity
Prepared by Sally Chan, CGEIT, CMA, CPA

59 Standards, Guidelines, Tools and Techniques

S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors… Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal Author Blog to gain more insight from colleagues and to participate in the growing ISACA community.

Online-exclusive Features
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features
The following is a sample of the upcoming features planned for January and February.

A Framework for Automated Compliance Monitoring in Oracle/SAP Environment
Balraj Thuppalay, CISM, CISSP

IS Audit Basics: Is There Such a Thing as a Bad IS Auditor?, Part 1
Ed Gelbstein, Ph.D.

Using Color to Enhance Spreadsheet Accuracy and Usefulness
Joshua J. Filzen, Ph.D., CPA, and Mark G. Simkin, Ph.D.

Discuss topics in the ISACA Knowledge Center: www.isaca.org/knowledgecenter

Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial

Like ISACA on Facebook: www.facebook.com/ISACAHQ

3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA
Telephone +1.847.253.1545
Fax +1.847.253.1443
www.isaca.org
THERE’S NO SHORTAGE OF
CYBER SECURITY THREATS
BUT THERE IS A SHORTAGE OF IT SECURITY PROFESSIONALS

DO YOU HAVE WHAT IT TAKES TO BE PART OF THE SOLUTION?

Cyber attacks are on the rise. Information security professionals are in high demand.
Get up-to-date security skills with Capella University’s master’s or graduate certificate in Digital
Forensics or Network Defense, aligned to the latest NSA focus areas.

The new graduate certificates can be completed in as little as 9 months, then applied toward
your Master’s in Information Assurance and Security (MS-IAS) to make an even bigger impact.

Plus, the knowledge you gained for your CISSP®, CEH®, or CNDA® certifications can help you
earn credit toward your MS-IAS, saving you time and money.

ANSWER THE CALL. START TODAY TO LEARN MORE AND EARN MORE.
CAPELLA.EDU/ISACA OR 1.866.933.5836

See graduation rates, median student debt, and other information at www.capellaresults.com/outcomes.asp.
ACCREDITATION: Capella University is accredited by the Higher Learning Commission.
CAPELLA UNIVERSITY: Capella Tower, 225 South Sixth Street, Ninth Floor, Minneapolis, MN 55402, 1.888.CAPELLA (227.3552), www.capella.edu. ©Copyright 2015. Capella University. 15-8066
Information Security Matters

Cyber/Privacy

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.

Do you have something to say about this article? Visit the Journal pages of the ISACA® web site (www.isaca.org/journal), find the article and choose the Comments tab to share your thoughts.

Twice in the past year or so I have received replacement credit cards because the numbers and expiration dates had been disclosed by merchants that I frequented. Each time, this resulted in about an hour of researching my credit card records, visiting the web sites of companies that I regularly pay via the card and updating my records. Surely, I am not the only one who has been affected. Multiply my lost hour by 70 million here, 40 million there, and sooner or later it adds up to some real inconvenience.

The merchants in question had not simply lost control of their customer records, nor did they publish my credit card information in the newspapers. They had been victimized by criminals who had penetrated their systems specifically to steal my data and that of millions of others; in other words, they had suffered a cybercrime. All the attention has focused on the crime; I am concerned here about the information.

INTRINSIC AND CONSEQUENTIAL IMPACTS
When information is stolen, it may have either intrinsic or consequential impact. In the former category, some lost information has value unto itself. Books and movies, for example, have intrinsic value. (When Sony was attacked last year, it was reported that in addition to crashing vital systems and publicizing embarrassing emails, the perpetrators stole several films. I am amused by the thought of the attackers—widely attributed to be North Koreans—sitting around and watching Annie.[1])

Indeed, stolen credit card numbers are said to have intrinsic value, since thieves sell them to yet other criminals, who then use the numbers and expiration dates to buy stuff.[2] In the case of stolen debit cards, the information is used to withdraw money from people’s accounts. That is the consequential impact: what perpetrators can do with the information to create value for themselves once they have it. From my personal perspective, the net effect was inconvenience, but at a deeper level, it was a violation of my financial privacy. I have not seen much in the public discussion of cyberattacks to indicate an understanding that privacy violations have been the focal point of the most widely publicized attacks.[3]

GENERALLY ACCEPTED PRIVACY PRINCIPLES
The Generally Accepted Privacy Principles (GAPP)[4] is the definitive statement on data privacy. It defines privacy as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.” Considering the cybercrimes that have affected cardholders’ financial privacy, perhaps GAPP can offer some insight into how privacy can be protected from cyberattackers. There are 10 principles.

Principle 1: Management
There must be an enterprisewide policy regarding privacy that must be communicated within the organization. Thus, privacy and, by extension, prevention of the breach of privacy are explicitly assigned to a designated person,[5] such as a chief privacy officer (CPO). I am not aware of any CPOs who are taking a leading role in cybersecurity and I would welcome communications to the contrary. That being the case, perhaps GAPP might be extended to require a chief cyber officer, part of whose mandate would be developing methods to protect data privacy against cyberthieves.

Principle 2: Notice
Organizations are supposed to notify data subjects about the purposes for which personal information is collected, used, retained and disclosed. No one is going to say, “We collect your credit card information in order to turn it over to criminals.” But it would be nice to learn that my card had potentially been compromised at the time the merchant or the bank knew about it. My new credit cards just showed up in the mail.

4 ISACA JOURNAL VOLUME 1, 2016


Principle 3: Choice and Consent
Of course, I had no choice in the matter of whether my credit card information would be stolen, but I do have a choice as to whether or not to shop with merchants who do not protect me. Evidently, after the announcement of several major data thefts, customers have voted with their wallets to take their business elsewhere.[6]

Principle 4: Collection
My credit card information was used by criminals for purposes other than that for which it was collected by the merchants. But were the merchants’ systems designed and used in a manner cognizant of the risk? Systems containing personal information should be subject to especially tight security.

Principle 5: Use, Retention and Disposal
My credit card is supposed to be used to buy things. If the information associated with the card was stolen one card at a time from a point-of-sale (POS) device, then this principle was not violated. But if it was taken wholesale from unencrypted files, then the merchants’ systems did not retain and dispose of the information in a proper fashion. Unfortunately, technical details on how some of the major retail cybercrimes occurred are sketchy at best. From press reports, it would seem that both POS terminals and central servers have been the source of the stolen information.

Principles 6 and 7: Access and Disclosure to Third Parties
My ability to access, review and update information about myself has nothing to do with cybercrime. Neither does the disclosure provision. While giving my personal information to crooks fits under this principle, I doubt that it was what was meant by the authors.

Principle 8: Security for Privacy
This principle, as applied to cybercrime, is exactly what the authors had in mind. Prevention of unauthorized access, either physical or logical, is what current IT practices evidently fail to do. In light of all the cyberattacks that have happened, it seems that access control systems are being used to keep the honest honest. Keeping out well-funded, dedicated cyberthieves has proven as effective as the Maginot Line (more on this in a future article).

Principle 9: Quality
The authors of GAPP defined quality as the maintenance of “accurate, complete and relevant personal information.” That is not what I mean by the term and it is not how I would apply this principle to privacy protection in the age of cyberattacks. As I have written previously, I believe that the underlying vulnerability of information systems is not inferior security, but inadequate software.[7]

Principle 10: Monitoring and Enforcement
One of the most maddening aspects of major thefts of personal information, according to media reports, is that in many cases the losses occurred for lengthy periods of time before the organization under attack even realized it. For just one example, the US Office of Personnel Management (OPM) notified its personnel in July 2014 that a breach of personnel records had occurred in March of that year.[8] Then, in June of 2015, OPM announced that 4 million records were taken, which by July had been raised to 21.5 million.[9] I do not know precisely how the breach occurred, but I do believe that someone should have noticed it was going on the moment it happened. The technology is there for that purpose and evidently it was not used, because the computer systems were too old.[10]

• Read Keeping a Lock on Privacy: How Enterprises Are Managing Their Privacy Function. www.isaca.org/2015-privacy-survey-report
• Learn more about, discuss and collaborate on cybersecurity and privacy/data protection in the Knowledge Center. www.isaca.org/Knowledgecenter



CONCLUSION
There is a lot to be learned by considering certain cyberattacks as privacy violations. GAPP offers some guidance, but the principles are not a tight fit with the cybertheft of personal information. Will organizations apply those lessons? That remains to be seen.

ENDNOTES
1. Sakoui, Anousha; “Sony Films ‘Fury’ and ‘Annie’ Said Stolen in Cyberattack,” Bloomberg Business, 29 November 2014, www.bloomberg.com/news/articles/2014-11-30/sony-films-fury-and-annie-said-stolen-in-cyberattack
2. Hackett, Robert; “Online, a Bazaar Bursting With Stolen Credit Card Information,” Fortune, 21 September 2014, http://fortune.com/2014/09/21/home-depot-stolen-card-information-market/
3. Interestingly, the Preliminary Cybersecurity Framework issued by the US National Institute of Standards and Technology contained a section on a “Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program” that was eliminated in the final version issued in February 2014.
4. American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), Generally Accepted Privacy Principles, August 2009. ISACA® and the Institute of Internal Auditors were also contributors to this document.
5. Ibid., p. 13. The document referenced here is the version for business people, not the one for accounting practitioners.
6. For example, see Target, “Target Provides Update on Data Breach and Financial Performance,” press release, http://pressroom.target.com/news/target-provides-update-on-data-breach-and-financial-performance.
7. Ross, Steven J.; “Microwave Software,” ISACA® Journal, USA, vol. 1, 2015
8. Email reproduced in the Washington Post, “E-mail to OPM Staff on Security Breach,” 10 July 2014.
9. Bisson, David; “The OPM Breach: Timeline of a Hack,” Tripwire, 29 June 2015, www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack/
10. C-SPAN, Testimony by the Office of Personnel Director Katherine Archuleta, www.c-span.org/video/?326767-1/opm-director-katherine-archuleta-testimony-data-security-breach

Go directly to the article: www.isaca.org/Journal2016-Jv1



Guest Editorial: INDUSTRY LEADERS EXAMINE THE LATEST BUSINESS ISSUES

Why Everyone Dislikes the IT Auditor and How to Change It

Tommie Singleton, CISA, CGEIT, is the director of consulting for Carr Riggs & Ingram, a large regional public accounting firm. His duties involve forensic accounting, business valuation, IT assurance and service organization control engagements. Singleton is responsible for recruiting, training, research, support and quality control for those services and the staff who perform them. He is also a former academic, having taught at several universities from 1991-2012. Singleton has published numerous articles, coauthored books, and presented many sessions on IT auditing and fraud. He authored the ISACA® Journal’s IS Audit Basics column from 2005-2014.

Well, to be truthful, not everyone dislikes the IT auditor. But there have been a lot of remarks made over the years, and some personal observations, that indicate some dissonance between the IT auditor and management or users of IT audit services. Some of them are beyond our ability to effect a change. But some can be remediated with an appropriate effort on our part. This article will address some of the more common criticisms made about IT auditors and what we, as professionals, can do to address them.

CRITICISM 1—IT AUDITORS ARE DIFFICULT TO UNDERSTAND
There are some who rely on or use IT auditors yet have a difficult time understanding what they are trying to say when recommendations or reports come back. Some individuals are not familiar with IT and will be unable to fully understand much about the results in technical jargon. Some, if not many, of those people will simply rely on the IT auditor with blind faith. IT auditors can address this issue.

It is important to recognize that our profession is a highly technical field (with a limited number of professionals who understand it well) and we have our own language. To complicate our language, we use many acronyms. And to complicate the knowledge base, it is constantly changing. Combine those factors, and there is a probability, at some level, that our communications will be a challenge to many who use IT auditors.

Therefore, IT auditors should make a concerted effort to tailor their communication to the audience. Take time to know where the audience is in its understanding of IT and in its ability to understand our language, concepts and technologies. When the hearers are not literate in IT and do not understand our words, concepts, terms and acronyms, we need to become the interpreters of our own communications for them. When communicating with management, take the time to understand their perspective and needs and strategically formulate communications with those needs in mind. If it is a general user, keep in mind that they are less likely to understand our information, so convert it to a more simplified level for the more general reader. I know of one person who talked to his eight-year-old daughter while preparing a major report and kept revising his information until she understood it. He later claimed that it was his most successful presentation ever.

We should strive to present our reports and recommendations in “plain English.” Some suggestions to consider:
• Do not use acronyms (except within our own profession).
• Use relatable anecdotes or stories to demonstrate your point.
• Compare your results or recommendations with things the audience already understands—such as current events or stories in the news.
Also, we should take opportunities to improve our communication craft.[1]

CRITICISM 2—IT AUDITORS WASTE RESOURCES (OVER AUDIT)
I have heard this comment several times, usually from professionals who do not have a positive relationship with IT. It is said in different ways, but the point being made by this group appears to be related to their perception that IT auditors spend a lot of time providing services, but with a disproportionate benefit to the firm, user or client in the end. There are several points we should keep in mind and, when appropriate, gently remind others of these circumstances.

First, for public accounting, our technical literature requires the use of an IT auditor (or auditor trained in IT assurance) in the financial audit, except where internal controls are assessed at the maximum weakness (i.e., controls cannot be relied upon at all). The truth is that very few clients have systems where controls cannot be relied upon at all in financial audits. Certified public accountants (CPAs) cannot simply


ignore the technical literature because it makes sense to do so for some reason (e.g., from a budget or perceived benefit perspective). It is a requirement.

Second, the risk related to IT in a financial audit is real and growing. These risk factors have an impact on the risk of material misstatement (RMM). It may be true that most of the time IT risk does not materially affect financials, but one does not know that without going through a diligent process with integrity and professional care. For example, how many companies use a spreadsheet to do some part of the financial reporting process? Does the fact that a spreadsheet is used in financial reporting cause the associated risk (i.e., RMM) with the technology and not the accounting transactions or processes per se? Yes! In addition, IT auditors can add value to an audit even when the conclusion is that IT risk has a nominal or limited effect on RMM (e.g., client relations).

Third, one thing the IT assurance profession can do to diminish this criticism is to be sure to properly scope engagements related to IT. There is a temptation for IT assurance professionals to get involved in assessing all of the “broken” things in the IT space and to lose track of their proper scope. For instance, in a financial audit, the IT auditor will be tempted (due to natural tendencies) to identify all of the things that are “broken” in the IT space and report on all of them, without considering the RMM for each one. There is a temptation to spend time evaluating IT that is, in reality, out of scope and, thus, results in “over auditing” IT. Thus, if IT auditors are not careful, they can inadvertently create an atmosphere to justify the criticism of wasting resources. The truth is that all IT spaces will have several things that are “broken,” but IT auditors need to filter through them with the audit objectives of the service being provided and not include something just because it is “broken.” That being said, broken things need to be fixed.[2]

Lastly, IT auditors should be careful to add value to each audit, either through client relations or internally to the entity. Referring back to IT things that are broken and need fixing, those items that are excluded for scope purposes are still prospective items to be communicated to the client or entity, even if it is “off the record.” Most of the time, management is interested in learning about IT deficiencies or security holes, whether they are in scope or not.

There are a lot of other ways IT auditors can add value to the service beyond the testing and formal reporting processes. IT auditors can explain IT risk by using easy-to-understand illustrations to help make the point. Adding value to the team, such as using IT to facilitate the team processes or even to gain efficiencies, is another way.

CRITICISM 3—IT AUDITORS LIVE IN A DIFFERENT WORLD
IT auditors live in the world of IT; it is full of things most people do not understand and we do use a language that is foreign to most people. But it does not have to lead to this criticism. We can speak in “plain English,” relate findings to our audience and generally make an effort to relate to those involved in our services.

That relating can start with considering existing business risk, goals, strategies, etc., not only in performing our services, but in communicating with others during and after completion of those services. IT auditors can also avoid this criticism by being realistic about IT risk. For instance, a firewall that is ineffective, broken and needs to be fixed is definitely a security breach waiting to happen. But that broken firewall needs to be considered in light of the scope of the service. If it is a financial audit and logical access controls at the server and application layers are good, then the firewall becomes irrelevant in light of the RMM. That is, if someone does break through the firewall, what are they going to do to financial data? It is true the intruder can go around the application by accessing the data, but if that happens, will other controls (manual or automated) be able to recognize a material misstatement and make a timely correction? If so, then the broken firewall is irrelevant to the RMM. However, it is relevant to client relations, and the IT auditor would want to mention it to management, probably off the record, so it can be fixed.

Another point using the same scenario is that IT auditors should always use a realistic assessment about risk. Specifically, that assessment should include the magnitude of the risk (should the risk lead to a deleterious fruition) and the likelihood that the risk will lead to a “bad” event. Sometimes IT auditors focus solely on the magnitude without a realistic appraisal of the likelihood. That approach leads to this criticism of living in a different world. For small businesses



with a low public profile, the likelihood that a hacker will break through that firewall and do something bad is quite low. In fact, it may be so low as to be reasonably ignored. It is true that if someone breaks through the firewall, they can do something bad, but specifically, what will the hacker do, and, specifically, how would that be a violation in light of the service being provided? If the service is internal audit evaluating security, it is in scope and is an exception that should be reported and remediated; however, realistically, there is a low probability of a breach. If the service is external audit, the firewall risk can be reasonably ignored in most cases.

Lastly, it is a valuable exercise to practice good social skills when working with clients and management. Being nice to people always leads to benefits for both parties.

CRITICISM 4—IT AUDITORS ARE TOO RESTRICTIVE AND PROTECTIVE
Sometimes people in our profession are quick to respond to certain requests with a curt remark. When management asks about doing X, IT auditors need to avoid using the phrase “X cannot be done.” IT auditors need to think through the request and seek alternative solutions. In some rare cases, X does not need to be done, but even then, we should seek an alternative response such as, “I wish we could do X, but here are some concerns I have….” Then try to work through the responses to come up with a reasonable, secure, appropriate, alternative solution.

Another frequent response some IT auditors use is “That is a security risk,” and then they resist doing anything related to the request. It may be a security risk, but we need to first use the magnitude × likelihood approach mentioned above to determine if it is necessary to seek an alternative solution that has an acceptable level of (residual) risk, as opposed to just saying, “No, it is a security risk.”

For instance, in a recent scenario, an IT auditor was told that management planned to have its customers access their proprietary data in the entity’s database remotely, whereupon the IT auditor said, “No way. The customer could potentially access anyone’s data and that is a privacy issue.” While that is theoretically true, the response was totally focused on the magnitude without consideration of likelihood. In addition, the response came without discussing some reasonable compensating controls that could be employed to remediate the privacy risk.

IT auditors need to avoid any response or actions that appear to be those of a control freak. We do not need to sacrifice our responsibilities in our role as IT audit professionals, but we also do not need to alienate management or clients when a different, responsible and reasonable response or alternative solution is possible.

A basic principle that can be used to avoid this criticism is to stop and think about cost-effective solutions that take into consideration magnitude and likelihood instead of seeking absolute perfection in solutions. After all, no solution is truly perfect in the IT space. A suitable response goes back to a principle above: Make sure to understand the needs and purposes users/management have for their request before dismissing it unilaterally without due diligence in seeking reasonable alternatives.

CONCLUSION
Some criticisms that are aimed at IT auditors can sometimes make us feel like everyone dislikes the IT auditor. Some of those criticisms cannot be avoided because of attitudes that are not susceptible to efforts to the contrary. But often we can mitigate those criticisms, make people appreciate us and even cause users/management to like the IT auditor.

ENDNOTES
1. Singleton, T.; “IT Audit Basics: Beyond the IT in IT Audit (Part 2),” ISACA Journal, vol. 4, 2014, www.isaca.org/archives
2. Singleton, T.; “IT Audit Basics: What Every IT Auditor Should Know About Scoping an IT Audit,” ISACA Journal, vol. 4, 2009, www.isaca.org/archives



Urmilla Persad

Urmilla Persad, CISA, CISM, CRISC, ITIL V3 Foundation, has more than 18 years of experience in the IT field. Her career started (with PricewaterhouseCoopers) in IT administration. From there, she moved to external auditing and IT advisory services. She is now an IT audit manager with First Citizens Bank Ltd., Trinidad and Tobago and has strategic responsibility for the IT audit needs of the bank with a focus on IT systems and IT initiatives, as well as system-related development and implementation activities and oversight of the execution of IT audit programs. Persad has held various roles in the ISACA Trinidad and Tobago Chapter over the past six years and is currently the chapter’s president.

Q: How do you think the role of the IS auditor is changing or has changed? What would be your best advice for IS auditors as they plan their career path and look at the future of IS auditing?

A: While the core objectives of the IS auditor have remained the same and auditors continue to be assurance providers and advisors within their organisations, the fast pace of technology, its uptake and the resulting changing business environments have driven the changing role of IS auditors.

In response to the changing environment and the increasing expectations of management and the board, the IS auditor’s role is evolving into a more business-like one, where developing more efficient and effective audit plans aligned with strategic objectives is imperative. This requires IT auditors to be professionally qualified, multiskilled, knowledgeable, and have a high level of understanding of not just technology elements and controls, but the business that the controls are designed to secure.

This all makes for an exciting time for IS auditors as the opportunity exists to contribute to an organization’s overall success more than ever before. My advice for IS auditors as they plan their career in these new times:
• Get certified—ensure that you have the necessary foundation knowledge (e.g., Certified Information Systems Auditor® [CISA®], Certified Internal Auditor [CIA]).
• Commit to continuous learning, invest in yourself. Once certified, consider enhancements with credentials such as those related to COBIT®, ITIL, CAPM/PMP and Cybersecurity Nexus (CSX).
• Pay attention to nontechnical skills development—critical thinking, relationship building, partnering, communication and openness to diverse viewpoints.

supporting routine back-end processes to complex e-banking interfaces. As IT is increasingly relied on to enable business strategy, the role of GEIT has to be increasingly focused on keeping business and IT initiatives on track by understanding how much value IT is creating, how its day-to-day operations are performing, and how IT risk and IT resources are managed.

As GEIT continues to improve, the involvement of all the stakeholders within the organisation is imperative in ensuring that IT strategy is linked to business strategy and drives balance between investments and efficient use of IT resources.

Q: What do you see as the biggest risk factors being addressed by IS audit, risk and governance professionals? How can businesses protect themselves?

A: The biggest risk factors being faced by IS audit, risk and governance professionals are preserving the business (i.e., systems, data, reputation) amidst increasing technology change as digital strategies are rolled out. With the pace of change, it is a challenge ensuring that the controls environment (including internal policies and procedures) can be maintained at an equal pace to mitigate the risk.

Businesses can protect themselves from the risk associated with technology investment and change by ensuring that adequate discussions, collaboration and due diligence in decision making occurs with the right people (across the business and including assurance providers) from inception to execution and implementation.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: Successful internal auditing today requires a deep understanding of the business and the
• Understand the business/industry you work
web site (www.isaca. in as this will support your ability to articulate strategic direction of the organisation. That
org/journal), find the business insights, better assess existing and new understanding requires continuous collaboration
article and choose technology, and provide recommendations that and partnering with management and key
the Comments tab to can add value to the business. stakeholders across the organisation. Maintaining
independence and objectivity has proven
share your thoughts.
Q: How do you see the role of governance of challenging as closer collaboration can easily lead
enterprise IT (GEIT) changing in the long term? to the rationalising of risk factors being assessed.
Go directly to the article:
Being self-aware of this has proven useful in
A: The role of GEIT has changed with the role of addressing it because it requires strong adherence
IT within organisations. The days where IT was to auditing standards; getting input from other
merely a support function are long gone as the auditing peers and the chief audit executive (CAE)
pace of technology advancement and its adoption has also helped in safeguarding from any potential
in enabling strategic initiatives has ingrained IT compromise of independence and/or objectivity.
in almost every part of the business. The banking (Another growing career challenge is balancing a
sector is a good example as it is impossible to successful career with successful parenting!)
think of a bank that runs without IT applications,
10 ISACA JOURNAL VOLUME 1, 2016
WHAT DO YOU ANTICIPATE BEING THE BIGGEST
COMPLIANCE CHALLENGE IN 2016? HOW WILL
YOU FACE IT?
Cybersecurity. The increase in connected devices
and how businesses harness the benefits of the
Internet of Things to support their digital business
strategy will only add to the cybersecurity challenge.

WHAT ARE YOUR THREE GOALS FOR 2016 AS YOU ENTER THE NEW YEAR?
1. Execute an IS audit strategy that meets the
assurance needs of my organization as well as
the career development needs of my team.
2. Work with my peers on the board of our
local ISACA® chapter to find and execute
new and innovative ways to deliver value to
our members.
3. Spend more time with my son, with his
schoolwork and new adventures.

WHAT IS ON YOUR DESK RIGHT NOW?


Laptop, water, art calendar, family photo,
bamboo plant

HOW HAS SOCIAL MEDIA IMPACTED YOU PROFESSIONALLY?
Social networking—staying connected with peers
and professional groups

WHAT IS YOUR NUMBER ONE PIECE OF ADVICE FOR OTHER RISK PROFESSIONALS?
Understand the business and collaborate with
stakeholders across the organisation.

WHAT ARE YOUR FAVORITE BENEFITS OF YOUR ISACA MEMBERSHIP?
1. The knowledge resources (white papers, work
programs, webinars)
2. The networking and professional development
opportunities that come with volunteering

WHAT DO YOU DO WHEN YOU ARE NOT AT WORK?
Read, spend time with my family, watch Netflix.

Trust, but Verify

Ed Gelbstein, Ph.D., worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi) retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column will continue to be published in the ISACA® Journal posthumously.

“Trust, but verify” is a Russian proverb that became more widely known when then-US President Ronald Reagan used it in the 1980s ( ). The fact that proverbs are passed unchanged through generations implies that they are seen as the truth.

TO RE-AUDIT OR NOT TO RE-AUDIT
The auditors arrive, do their work, write a report that includes critical recommendations that could be seen as an instruction: “...the auditee shall....” Should the audit strategy and planning call for a review (e.g., one year after issuing the final report) to see if they have been implemented and, if so, whether the implementation has been completed in a way that significantly reduces business risk?
While this makes good sense, the challenge is that the audit universe has become so large that re-auditing issues are bound to conflict with the overall audit plan.

THAT UNWELCOME FEELING
Many auditees mistrust the auditors: Their findings are the equivalent of calling the auditee’s baby “ugly.” No parent would ever do this, but then, there are ugly babies. Therefore, unless a good working relationship has been established over the years, the auditor cannot expect a warm welcome or for the auditees to share their problems and concerns.
A poor welcome could include finding that the auditors have been assigned poor accommodations, possibly in an inconvenient location, limited support facilities (e.g., printers, photocopiers, locked doors and cabinets, shredders), an unhelpful contact point or discovering on short notice that a critical person is not available for discussions.
There will be many plausible excuses. It is never a good time to conduct an audit and accommodation is an issue almost everywhere. If the arrangements are really poor, it may be good to have the chief audit executive (CAE) speak with a senior manager who can act to resolve the issue and understand the root cause of the situation.

THINGS AUDITEES MAY “FORGET” TO DISCLOSE
A competent and experienced information systems (IS) manager would be expected to anticipate what the auditors may find by conducting a brutally honest assessment of the many aspects of IS and IT. Guidelines and frameworks such as COBIT® 5 can facilitate this task. In practice, this does not happen often as other activities, deemed more urgent, displace these and before you know it, it is audit time again.
If the auditee can demonstrate to the auditor that they care about the audit process; that they understand how it is conducted; and then come up with a list of findings, observations and corrective actions by themselves, the relationship would be strengthened and it would make better use of the auditor’s knowledge and experience.
The downside of keeping information from the auditors is that they will find out by chance or by process.
In one example, there was a wiring cabinet in an office environment for a critical network that the “owner” had known for years consisted of spaghetti cabling, equipment on the floor and a tree of extension leads. This was not mentioned at the start of the audit, but as the auditors were passing by, someone opened the cupboard door. A photograph of the scene was included in the draft and final audit reports, despite requests for its removal.

LOOK AND LISTEN
The examples in the previous section show carelessness and incompetence, but not malice. Unfortunately there are many more things that the auditees know that their management does

not. This becomes an explosive issue when it involves the means to work around sound policies (e.g., need to know, least privilege, segregation of duties, change management). Here are some examples collected over many years.
A homemade, old (e.g., COBOL) financial application was made Y2K-compliant and fully met the needs of the organization. It was robust, reasonably well documented and maintained by a small team that had done so since the initial design. During an audit that did not involve this application, it was discovered that the lead developer had embedded undocumented hidden accounts and backdoors, not to be abused, but to “help” the organization toward bypassing the usual controls. And, there was no record of who had what access controls and privileges or if any were kept by individuals as their careers progressed. Furthermore, weak change control supported these changes.
The lead designer was due to retire, and once the auditors became unofficially aware of this, the question arose as to whether a colleague months or years away from retirement should hold the “secret” of these unofficial features. The management view was a clear no, and the system was retired and replaced by a commercial application with role-based access controls and more manageable superuser features.
Superuser privileges can be a problem. In another case at a different organization, the design of an enterprise resource planning (ERP) system had a project manager who assigned himself extensive superuser rights. After the project was completed, nobody thought to verify what rights were retained by the implementation team.
An even more extraordinary situation happened when a senior executive at an organization instructed that all security policies be withdrawn and the organization’s data be declassified in order to be fully transparent. Neither internal audit, risk management or legal counsel were consulted and nobody was willing to say, “The emperor has no clothes.”

SERENDIPITY
Sometimes one has the good fortune of coming across something interesting without looking for it. Here are some examples.
• The invisible single point of failure—A law enforcement unit (in the 1980s) was implementing a new secure network of leased lines. The service provider designed it to ensure that different cable routes provided resilience. Surprise! The two leased lines entered the building through a single point accessible through a manhole in the street just outside the main entrance.
• External audit of a large and complex information systems and technology department—During an audit, the systems architecture, i.e., how applications exchanged data with other applications—with or without format conversion, dynamically, by file transfer—was requested. Lo and behold, it had not been documented. There was no comprehensive systems architecture listing, for example, the name of the system, its custodian, purpose, high-level functionality and interfaces. Moreover, there was no statement about the system’s condition (e.g., robust, well documented, frozen) and planned activities. This led the auditors to an unplanned question about the data architecture, as the audit team tried to understand how many data entities were duplicated across systems (in incompatible formats, of course), and this was received with a “not in my job description” response.
• Hidden or forgotten opportunities—In fact, there is plenty out there neatly hidden or forgotten, including software licenses that are paid for, but not used; large, over-optimistic and underresourced projects; renewals and upgrades postponed until the service deteriorates, bypassing procurement rules; critical activities for which there are no backups for the responsible individuals; and unqualified individuals (e.g., interns or trainees) doing things beyond their capabilities. Some are due to weak management or political posturing (e.g., “It is my budget and I will do it despite what you say.”); others are caused by SMRC (saving money regardless of cost), also referred to as “shareholder value.”

CONCLUSION
There is much to be gained from an open, collaborative relationship between auditors and auditees in which both parties focus on understanding and managing business risk. Rationally, we all know this is the case, but human factors such as lack of trust and organizational politics often get in the way.

Feature

How COBIT 5 Improves the Work Process Capability of Auditors, Assurance Professionals and Assessors

Also available in Spanish (Disponible también en español)

Graciela Braga, CGEIT, COBIT Foundation, CPA, is vice president of the Commission for the Study of Record Systems of the Buenos Aires Institute of CPAs in the city of Buenos Aires, Argentina. She is also a researcher at the Instituto Autónomo de Derecho Contable (Autonomous Accountancy Law Institute), Argentina. She has worked on audits and internal control reviews for public and private entities using international frameworks such as COBIT®, COSO and the ISO 27000 series. She has participated in the preparation and review of ISACA® products and research related to COBIT, privacy and big data.

IS and IT auditors, assurance professionals and assessors undertake audits, assurance work or assessments of IT processes (the assignment) and, in addition to the final objective, have common tasks to complete such as planning and performing activities and reporting results.
The work entails evaluating processes owned by others. But, who is looking at the work processes of the auditor, assurance professional or assessor? How capable are the work processes with regard to meeting the assignment objective defined by the employer, executive manager, board of directors (BoD), client, sponsor or external reviewer?
The COBIT® 5 Assessment Programme can help. It incorporates the COBIT® 5 Process Reference Model and ISO/IEC 15504 as the basis for the measurement framework and assessment process. This means that:
• The specifications of the process used in the assessment are based on COBIT® 5.
• The capability of each process assessed is expressed in terms of a rating scale from 0 to 5, based on international standards from the International Organization for Standardization (ISO).1
Because ISACA’s COBIT® Self-assessment Guide: Using COBIT® 5 [2] and COBIT® Process Assessment Model (PAM): Using COBIT® 5 [3] explain in detail how to perform the assessment, this article does not discuss the performance of this task. Instead, it provides an example of how to determine whether a work process is at a level 1 capability and a reflection on why and how auditors, assurance professionals and assessors have to think about and improve their own capability levels.

THE MEASUREMENT FRAMEWORK
As the COBIT® Self-assessment Guide: Using COBIT® 5 mentions, the assessment process involves establishing a capability rating for a process, which involves:4
• Defined capability levels (from ISO/IEC 15504) (figure 1)
• Process attributes used to rate each process (from ISO/IEC 15504) (figure 2)

Figure 1—Process Capability Levels
Process level | Capability
0 (Incomplete) | The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
1 (Performed) | The implemented process achieves its process purpose.
2 (Managed) | The performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 (Established) | The managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 (Predictable) | The established process now operates within defined limits to achieve its process outcomes.
5 (Optimizing) | The predictable process is continuously improved to meet relevant current and projected business goals.
Source: ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013

Figure 2—Process Attributes (6 process capability levels, 9 process attributes)
Level 5: Optimising
  PA 5.1 Process Innovation
  PA 5.2 Process Optimisation
Level 4: Predictable
  PA 4.1 Process Measurement
  PA 4.2 Process Control
Level 3: Established
  PA 3.1 Process Definition
  PA 3.2 Process Deployment
Level 2: Managed
  PA 2.1 Performance Management
  PA 2.2 Work Product Management
Level 1: Performed
  PA 1.1 Process Performance
Level 0: Incomplete
Source: ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013

• Indicators on which to base the assessment achievement of each process attribute (based on and aligned with ISO/IEC 15504):
  – Capability level 1—Indicators are specific for each process and assess whether the following attribute has been achieved: The implemented process achieves its process purpose. Level 1 deals with the detailed content of COBIT 5 processes, so one needs to define his/her work in COBIT 5 terms.
  – Capability levels 2 to 5—Assessment of capability is based on generic process indicators of performance. These are called generic because they apply across all processes, but they are different from one capability level to another.

CAPABILITY LEVEL 1: DEFINING WORK PROCESS SPECIFICATIONS
There are well-recognized and useful audit frameworks, such as ISACA’s ITAF: A Professional Practices Framework for IS Audit/Assurance5 or the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing (Standards),6 but, in general, key aspects are the same. Following COBIT 5, one must define the process itself, including purpose, outcomes, base practices and work products. For example, work may be defined using the words in figure 3.

DEFINING THE RIGHT OR REQUIRED CAPABILITY LEVEL
As part of the assessment, professionals should choose which level of capability their work requires, depending on some considerations:7
• Professional environment—The required level can be set by regulations or standards if the assignment is under revision of a third party or controller (i.e., Protecting Investors Through Audit Oversight [PCAOB] or government agencies), or it shall comply with certain standards (i.e., ISACA frameworks).
• Expected goals, benefits and resourcing considerations—For example, if the professional wants to position his/her work or fees as “first class” or improve his/her work process; if the professional staff is very large; or if the structure is complex with a lot of levels.

PROCESS CAPABILITY INDICATORS LEVELS 2 TO 5
Assessment of capability levels 2 to 5 is based on generic process indicators of performance.8 There are six capability levels and nine process attributes (PAs) associated. Each PA has indicators called “generic practices,” or a means of achieving the capabilities addressed by them, and “work products” required to support the management of a process.
At level 2, process performance is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. At first glance, professionals could think that these requirements are included in the audit process and they are met at level 1, but the difference is the documentation requirement. Perhaps the assignment activities and, of course, the report are documented at level 1, but the process itself has to be documented.

Figure 3—Assignment Process Definition
Process name: Assignment process (audit, engagement, assessment)
Process description: Perform specific procedures to provide an appropriate level of assurance about the subject matter in compliance with the applicable professional practices framework, including professional’s ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
Process purpose statement: Plan, perform and report on the results of the assignment (audit, engagement, assessment) while meeting applicable professional standards, assuring organizational and professional independence, exercising due professional care, and possessing an adequate level of skills around and knowledge of the subject matter.

Outcomes (Os)
O1: Report to communicate the results upon completion of the assignment

Base Practices (BPs)
BP1 Assignment Planning: Professionals shall plan the assignment to address objective(s), scope, timeline and deliverables, compliance with applicable laws and professional standards, assignment-specific issues, and documentation and reporting requirements.
BP2 Assignment Performance and Supervision: Conduct the work in accordance with the plan, obtain sufficient and appropriate evidence to achieve the assignment objective, and provide supervision and professional education to staff, if required.
BP3 Assignment Reporting: Provide a report to communicate the results upon completion of the assignment and include in the report findings, assessments, conclusions and recommendations.

Work Products (WPs)
Inputs
Outside process (supports ALL): Terms of the assignment defined by the overall IS audit plan, engagement letter or agreement on the purpose and scope of the assessment
Outputs
WP1 Assignment Project Plan (supports BP1): A document that describes the assignment nature, objectives, timeline and resource requirements, and timing and extent of procedures to complete the assignment.
WP2 Assignment Program (supports BP2): A step-by-step set of procedures and instructions that should be performed to complete the assignment and the evidence that supports findings, assessments and conclusions.
WP3 Continuing Professional Education (CPE) Requirements (supports BP2): A set of basic and new knowledge and skills needed to perform current or future works.
WP4 Assignment Report (supports BP3): A document that communicates the results upon completion of the assignment, including findings, assessments, conclusions and recommendations.
Based in part on: ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014, www.isaca.org/research. ISACA, Glossary of Terms, USA, 2015, www.isaca.org/glossary

At level 2, process documentation has to specify who is responsible for its design (process owner) and its scope; roles; Responsible, Accountable, Consulted and Informed (RACI) chart; and internal control matrix. At level 3, a document outlining the activities required to achieve the required process outcomes (“process procedures”) and a process map are required and, thus, the process documentation is completed.
The same considerations apply to the rest of level 2’s work product, process plan, quality plan and quality record. At this level, very important aspects of the assignment report are established, including content, quality criteria (against which it will be reviewed and approved), documentation and control, including identification, traceability and approvals, and procedures for versioning and change control to be applied.
At level 3, the established process completes level 2 and adds two work products: policies and standards and process performance records. At this level, a managed process is now implemented using a defined process that is capable of achieving its process outcomes. Its indicators include the following products:
• A defined standard process, including appropriate tailoring guidelines, and the sequence and interaction with other processes
• Required competencies and roles and infrastructure for performing the defined process
• Suitable methods for monitoring the effectiveness and suitability of the defined process
At this point, questions arise, including: Which is the appropriate level to comply with professional standards—level 3 or level 1? Indicators suggest the answer. It is, at least, level 3: A defined process is capable of achieving the process outcomes, including analyze process and product measurement results, identify and implement corrective actions, and reestablish control.
At level 4, the established process now operates within defined limits to achieve its process outcomes by measuring results and controlling the process.
Of course, level 5, Optimizing Process, is a great objective and resources and efforts should be assigned to reach it.

Learn more about, discuss and collaborate on COBIT 5 assessment and COBIT 5 Use It Effectively in the Knowledge Center: www.isaca.org/knowledgecenter

CONCLUSIONS
IS and IT auditors, assurance professionals and assessors must comply with different professional standards and maintain and improve their own process work at the appropriate capability level to meet the assignment objective defined by employers, executive managers, BoDs, clients, sponsors or external reviewers. This can be achieved by transforming the auditors’, assurance professionals’ and assessors’ own processes by applying the COBIT® 5 Assessment Programme.

ENDNOTES
1 ISACA, COBIT® Assessor Guide: Using COBIT® 5, USA, 2013, www.isaca.org/COBIT/Pages/Assessor-Guide.aspx
2 ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013, www.isaca.org/COBIT/Pages/Self-Assessment-Guide.aspx
3 ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013, www.isaca.org/COBIT/Pages/COBIT-5-PAM.aspx
4 Op cit, ISACA, COBIT Self-assessment Guide
5 ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ITAF-3rd-Edition.aspx
6 The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Standards), USA, 2012, https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
7 Op cit, COBIT Assessor Guide: Using COBIT 5
8 Op cit, ISACA, COBIT Process Assessment Model (PAM)

Feature

Transforming the IT Audit Function—Taking the Digital Journey

Also available in Spanish (Disponible también en español)

Robert (Bob) E. Kress is the managing director of global IT audit in Accenture’s internal audit organization, which supports the US $31 billion company and its 358,000 employees working in more than 120 countries. He has overall responsibility for identifying, evaluating and reporting on the full range of client-facing and internal technology risk.

Today’s digital revolution is disrupting every corner of the business world and every function across the business enterprise, including IT audit. Where does IT audit need to go when the mantra is “better, faster, cheaper?” The relentless transformational impact of IT is redefining the IT audit function itself, forcing auditors to question long-established practices, rethink fundamental processes and recalibrate their function for the digital era.

DEFINING THE DIGITAL DESTINATION
As with so many enterprises, particularly well-established global players, digital disruption was the major challenge facing Accenture two years ago. At that time, work was largely siloed by risk category and retrospective. Digital disruption was sweeping aside established companies and reshaping markets and industries, and these pressures were felt acutely. So the organization pondered what implications all this digital change held for IT audit. The internal audit (IA) function knew that it needed to be better integrated across the entire risk spectrum, so that a holistic approach could be taken. With markets, the business environment, competition and client needs changing so rapidly, there was also a sense that purely retrospective audits would be increasingly inadequate going forward. Lastly, while the digital revolution was driving much of this change, it was also understood that digital technologies provided the tools needed to respond and adapt to the disruptive forces buffeting the organization, assuming the knowledge of how to use them effectively.
So the team began by reexamining the fundamental mission and strategy, asking: What is the digital destination, and what kind of capabilities are needed to audit the IT of tomorrow? For Accenture, a global giant in technology services with more than 358,000 professionals, this question went to the very core of the business. But the same issues of mission, strategy and long-term goals are relevant for every IT audit group embarking on this transformational journey. While IT will have different capabilities and maturities from one company to the next, envisioning the future state of an organization’s IT operation is the first and surest prerequisite for setting off on a transformational journey with the confidence of knowing that successfully arriving at that destination can be achieved.
Accenture knew that IT audit had to support the high-performance business strategy by identifying, evaluating and reporting the fullest possible range of client-facing and internal risk factors in the digital age. Accenture’s audit team also aimed to be a value-add partner to the business by providing objective and relevant IT assurance and contributing to the effectiveness and efficiency of governance, risk management and control processes.
Less obvious were two strategic conclusions to which the group came. Given the speed with which business changes today, the IT audit team felt that it would be necessary to shed the traditional stance of IT audit as an “outsider” coming in to measure after the fact. Rather, continuous alignment with the business and its evolving strategy would be essential to measure whether IT audit was advancing the company’s business strategy. Similarly, the audit team believed that it could be more effective if it shed IT audit’s historic cost-center mentality in favor of running IT audit “like a business,” which meant using a managed services approach and treating the organizations it served as customers.

LEVERAGING DIGITAL TECHNOLOGY
The audit team’s strategy depended on value, flexibility and efficiency—qualities not always associated with audit functions in the past—and

18 ISACA JOURNAL VOLUME 1, 2016


it sensed that leveraging new and powerful technologies would be essential for executing that strategy effectively. Accenture’s audit team set about evaluating, selecting and integrating new technologies that were aligned with the strategy and would allow a step-function improvement in the capability.

The group began by looking at how to enhance audit management through the use of end-to-end audit life cycle management tools. There are several powerful platforms available in the marketplace. The team systematically assessed the capabilities and costs of each before selecting the solution that best matched Accenture’s requirements. Implementing a robust governance, risk and compliance (GRC) capability is critical for IA. GRC would provide the platform to automate the audit work and improve productivity, ensure consistency across global teams, enhance risk coverage and assessment, and improve the ability to manage the audit process.

The group then sought to leverage analytics to support continuous audit, continuous monitoring and value identification. Once again, the digital revolution has made sophisticated analytics software available for this purpose. Analytics software enables auditors to increase risk coverage across an entire universe of data (versus using sampling) and focus on outliers in higher-risk areas. Analytics also allow auditors to identify trends and predict areas of higher risk, while creating a clear line of sight on cost-saving opportunities for the business.

The third item on the digital shopping list was a tool for enabling a continuous risk assessment approach. Previously, the group had focused on an annual risk assessment, but the pace of change in the business and the associated risk is accelerating, rendering strictly annual assessments potentially anachronistic. By moving to a continuous risk assessment approach, the audit group was able to stay current with the business, anticipate risk and proactively offer services to help manage risk, and implement appropriate controls before issues occur.

The challenge was in deciding how to automate and manage a risk assessment effort that interviews more than 400 top leaders to identify risk themes and then sharing this information across a global IA group. The team decided to take an innovative approach and leverage customer relationship management (CRM) technology to manage the interview process, capturing risk notes and themes and making this information available on a real-time basis to the global team.

The audit group knew, from innovations in other parts of Accenture, that collaboration and communication tools had become immense force multipliers capable of increasing the productivity of a relatively small audit staff. So the group set out to leverage these new technologies, using videoconferencing to eliminate travel wherever possible and using internal social media channels to accelerate IT audit collaboration throughout the enterprise. Leveraging collaboration technology enhanced the auditors’ ability to share knowledge across global teams, improved their ability to work virtually, and strengthened the relationships between the enterprise’s people, teams and customers.

RESULTS
What results was the team able to achieve with these moves? In Accenture’s case, the team increased the number of IT audits provided by more than 250 percent (from 16 to 45 annually) between 2012 and 2015 (see figure 1).

Accenture’s digitization of IT audit has helped it manage risk better, faster and more cost effectively. By moving into the digital realm, Accenture has been able to increase productivity, add new services and be far more proactive in monitoring the changing risk profiles of the enterprise’s rapidly growing global businesses. Leadership can now reach out to the audit team to assess risk before making strategic decisions, rather than calculating costs afterward. The group’s experience can be instructive for every IT audit leader who is evaluating how and where digital technologies fit into their scope of work.

The success of the team’s transformation also established a model for the broader evolution of the entire IA function at Accenture (figure 2). Having brought the IT audit team into the digital era, the group followed the same road map for the rest of IA.



Figure 1—IT and Internal Audit Transformation, Before and After

| Area | 2012 | Today |
|---|---|---|
| Coverage Focus | Back office | Client delivery and back office |
| Risk Assessment | Once/year, based on experience, unstructured | Continuous; risk framework by organization/function/COBIT |
| Audits Completed | Baseline | 250+% |
| Internal Auditors | 50 | 80 |
| IT Auditors | 6 | 17 |
| Auditors in low-cost locations | 18% | 35% |
| Services Offered | Financial, operational, IT audits | PLUS; integrated, horizontal, continuous audits; advisory services; analytics |
| Advisory Services | NA | 20+ |
| IT Audits | 16 | 45 |
| Integrated Audits | NA | >20 |
| Technology | Limited audit automation; desktop analytics | Global, web-based eGRC; enterprisewide server analytics; web portal; CRM; collaboration suite |

Source: Robert Kress. Reprinted with permission

Figure 2—Accenture’s IT Audit Journey

Phase 1—Assessment
• Stakeholder input
• Benchmarking
• Focus on IT audit

Phase 2—Foundation
• Establish internal audit strategy and governance.
• Align with the business.
• Implement comprehensive risk model.
• Run internal audit like a business.
• Upgrade skills.
• Ensure low-cost locations.
• Focus on coverage.

Phase 3—Effectiveness
• Extend focus to all of internal audit.
• Service offerings—integrated audits, continuous auditing.
• Technology upgrade.
• People programs.
• Metrics and reporting.

Phase 4—Value
• Advisory services
• Continuous risk discussions
• Analytics and continuous monitoring
• CRM to support risk assessment

Source: Robert Kress. Reprinted with permission



LESSONS LEARNED
It is important to note that while digital technology enabled many of the performance improvements that were realized at Accenture, these tools alone do not get the job done. Just as critical are the changes in mind-set that were made throughout the process.

Here are the most important lessons learned during Accenture’s IT audit transformation:
• Align IT audit strategy with business strategy—In today’s business environment, corporate strategies can change frequently in response to market pressures, competitive challenges or emerging technologies. IT capabilities and the IT audit function need to be just as nimble in adjusting to the changing needs of the business and new technologies.
• Clarify governance—It is critical to have senior business leadership input on new and changing risk factors resulting from changes in business strategy, IT audit’s assessment of risk, and high-level IA plans. This demands a more robust governance regimen in which input is solicited from business leads on a near-continuous basis, rather than once a year.
• Run IT audit like a business—Operate the IT audit function like a business, and treat the people and organizations served as true customers. Provide these customers with a set of defined service offerings in a ‘managed service’ approach, so they can request the services they want based on the changing needs of the business. Focus relentlessly on value-add to the business, and measure customer satisfaction.
• Manage performance metrics—Measure critical success factors, benchmark progress, and use the overall metrics to drive change. The role of IT audit leadership is critical here, intervening where necessary to rectify deficiencies and capitalize on achievements.
• Transform people—An integral part of transforming the function may involve transforming the people and the internal culture in which they are working. An audit function that historically has been retrospective needs to undergo a radical shift when moving to a proactive stance. Strong leadership is required to drive culture and process change, so be sure to have the right people in senior management positions. Work to instill new ways of thinking and working throughout the function.
• Go big—Make bold decisions to drive step-function increases in the enterprise’s capabilities, and apply rigor and discipline in executing the changes. Be just as tough on the internal business processes of IT audit as on the business areas it is tasked with auditing.
• Communicate success—This, along with benchmarking, is helpful to demonstrate the value IT audit adds and the progress being made to senior leadership as well as the IA team. Do not be embarrassed to speak highly of the IT audit function when meaningful and measurable progress is achieved.

How applicable are these lessons to IT audit teams at other organizations? After all, one could argue that the circumstances at Accenture were not representative, since internal audit is part of a company that lives and breathes IT every minute of every business day.

CONCLUSION
Looking back over the digital journey at Accenture, it is likely that, if anything, this transformation stands as a hyper-example of what IT audit transformation can achieve for all IA organizations. Stakeholders are viewed as true customers, and the IT audit role is focused on providing a variety of valuable services to meet the needs of the audit committee and the company. These transformation results demonstrate the potential prize that every IT audit team committed to digital transformation can pursue and win.



Feature

Auditing Cybersecurity

Martin Coe, DBA, CISA, CISM, CPA, is an accounting professor at Western Illinois University (USA). His research has been published in professional and academic journals and he is regarded as an expert in the fields of accounting, accounting information systems and information systems auditing. He is also the president of Vistabon, an IT auditing firm. Coe has managed information technology vulnerability assessments since 1998.

Information security risk has dramatically evolved; however, security strategies that are typically compliance-based and perimeter-oriented have not kept pace. Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate attacks that are highly targeted and difficult to detect. This article discusses an approach to assess the adequacy of a firm’s cybersecurity posture.

The results of the Global State of Information Security Survey published by PricewaterhouseCoopers (PwC) in September of 2013 show that while information security risk factors have dramatically evolved, security strategies that are typically compliance-based and perimeter-oriented have not kept pace.1 Consequently, sophisticated intruders can bypass perimeter defenses to perpetrate dynamic attacks that are highly targeted and difficult to detect. The results of the PwC survey suggest that today’s elevated risk landscape demands a new approach to security—one that is driven by knowledge of threats, assets and adversaries.

Given the need for a strong cybersecurity posture, there have been various efforts to create cybersecurity standards. One such standard is ISO 27001, Information security management systems,2 which provides a set of specifications against which an organization can have its information security management system independently certified. ISO 27001 is tied to ISO 27002, Information technology—Security techniques—Code of practice for information security controls,3 which contains 39 control objectives for protecting information assets from threats to their confidentiality, integrity and availability. Each of the 39 objectives is then broken down into many specific controls. The standard does not require any specific controls to be implemented, but rather leaves it to the user to select those controls appropriate for their specific requirements.

Another standard is the US National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.4 NIST SP 800-53 identifies 198 security practices that are divided into 18 families and three classes. Each of these security practices has been mapped to ISO 27001. SP 800-53 defines three security baselines that provide a starting point for determining the security controls that should be implemented for low-impact, moderate-impact and high-impact IT systems. These baselines could serve as the basis for a risk-based security standard for various categories and subcategories of assets.

In February 2013, recognizing that the national and economic security of the US depends on the reliable functioning of critical infrastructure, US President Barack Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.5 The order directed NIST to work with stakeholders to develop a voluntary framework (based on existing standards, guidelines and practices) for reducing cyberrisk to critical infrastructure. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on 12 February 2014.6 The framework, created through collaboration between industry and government, consists of standards, guidelines and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable and cost-effective approach of the framework was designed to help owners and operators of critical infrastructure to manage cybersecurity-related risk.

While the certified public accountant’s (CPA’s) external audit responsibilities do include the responsibility to assess security as part of certain engagements, such as audits of controls at service organizations, the CPA’s financial statement audits do not usually include the responsibility to assess cybersecurity. However, the internal IT audit function frequently does include the responsibility to assess cybersecurity. Indeed, assessing security is a key component of the Certified Information Systems Auditor® (CISA®) job practice analysis, which reflects the responsibilities of IT auditors.7 Regarding cybersecurity assessment approaches,



IT audit standards include a procedure related to cybersecurity assessment. ISACA’s IS Auditing Procedure P8 Security Assessment—Penetration Testing and Vulnerability Analysis, (P8)8 provides scope and procedure guidance related to cybersecurity assessments.

CYBERVULNERABILITY ASSESSMENT APPROACH
Managing many cybervulnerability projects has revealed valuable insights into approaches used to assess a firm’s cybersecurity posture. Utilizing ISACA’s IS Auditing P8 offers an approach that focuses on attack vectors and has assessment phases for the relevant attack vectors (i.e., the Internet and the internal network).

The assessment phases are typically conducted utilizing the Tenable Network Security Nessus vulnerability scanning tool (Nessus)9 combined with other assessment procedures. Nessus utilizes the Common Vulnerability Scoring System (CVSS) to facilitate risk assessment. A risk assessment requires a qualitative analysis of vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST)10 created CVSS to normalize the methodology of analyzing risk. CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three metric groups: base, temporal and environmental.11 The base metric represents the intrinsic qualities of a vulnerability. The temporal metric reflects the characteristics of a vulnerability that change over time. The environmental metric represents the characteristics of a vulnerability that are unique to any user’s environment. When the base metrics are assigned values by an analyst, the base equation computes a score ranging from 0.0 to 10.0 as illustrated in figure 1.

The Nessus reports use the base metric group to aid in the performance of qualitative risk analysis.12 Vulnerabilities with a CVSS base score in the 7.0-10.0 range are critical, those in the 4.0-6.9 range are major, and those in the 0.0-3.9 range are minor. The CVSS scores correspond to the Tenable severity levels, which are:
• 10.0 = Critical
• 7.0-9.9 = High
• 4.0-6.9 = Medium
• 0.0-3.9 = Low
At each severity level, the number of vulnerabilities is displayed along with the percentages of those vulnerabilities in each CVSS score grouping.

The assessment team uses the Nessus results to identify hosts that warrant interrogation. In general, the team focuses on hosts that have vulnerabilities rated as medium, high or critical. The team then performs procedures to confirm the validity of the findings and rule out false positives. The team uses a variety of tools to assist in the interrogation of vulnerabilities. Another term for this aspect of the assessment is exploitation.

Often the goal of exploitation is to gain control over a system. More specifically, an exploit is a way to leverage a

Figure 1—CVSS Metrics and Equations
[Diagram: the Base Metrics (Exploitability: AV, AC, PR, UI; Impact: C, I, A; Scope: S) feed the base equation; the optional Temporal Metrics (E, RL, RC) and Environmental Metrics (CR, IR, AR, …) adjust it; the output is a CVSS Score from 0 to 10 plus a Vector String.]
Source: FIRST.Org, Inc., https://www.first.org/cvss/specification-document#i1.1. Reprinted with permission.



security flaw or circumvent security controls. The process can take many forms; however, the goal is usually to gain administrative access to a computer or device. The wide range of activities, tools and options related to exploitation make this step more of an art than a science. Indeed, exploitation is one of the most ambiguous phases of the cybersecurity assessment process. The reason for this is simple; each system is different and each target is unique. Depending on a multitude of factors, the attack vectors will vary from target to target, so skilled attackers have to understand the nuances of each system they are attempting to exploit.13

While the assessment approach discussed here is an effective way to assess cybersecurity, there are several propositions to improve the cybervulnerability assessment process.

SKILLS AND TOOLS
The assessment team needs to include skilled attackers who understand the nuances of each system they are attempting to exploit. For example, assessors should have a current and thorough understanding of security related to operating systems, firewalls, routers and other network devices. The team should also utilize a mix of tools to perform the assessment. For example, assessors should utilize a variety of programs to discover potential vulnerabilities and determine if the vulnerability can be exploited.
• Proposition 1a—Cybersecurity assessments should require a step to ensure that assessors understand the nuances of each system they are attempting to exploit.
• Proposition 1b—Cybersecurity assessments should require a step to ensure that assessors have a variety of tools at their disposal.

RISK FOCUS
It is important to eliminate false positives. Given the large number of vulnerabilities identified by Nessus, the task to eliminate false positives can be significant. The assessment team should utilize a risk-based approach to focus audit energy on areas of greatest risk. Such an approach is consistent with the NIST framework.
• Proposition 2a—Cybersecurity assessments should be risk-based.
• Proposition 2b—Cybersecurity assessments should require a step to ensure that false positives are eliminated.

PATCH MANAGEMENT
IT change and patch management can be defined as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include application code revisions, system upgrades and infrastructure changes.14 Patch management tasks include:
• Maintaining current knowledge of available patches
• Deciding what patches are appropriate for particular systems
• Ensuring that patches are installed properly
• Testing systems after installation
• Documenting all associated procedures, such as specific configurations required

Patches often are designed to fix security vulnerabilities. Indeed, many of the recommendations to address vulnerabilities identified in a cybersecurity assessment include the installation of a specific patch. Accordingly, implementing patch management practices such as a tactical, integrated and automated approach to handling vulnerabilities can boost a company’s cybersecurity posture. Likewise, successful patch management policies can also help with security audits and compliance audits. For example, continuous auditing routines could be developed to ensure that patches are applied on a timely basis.

In response to increased cyberattacks, there is a need for models to focus limited administrator attention and build cases for additional resources. One proposed method is based on Markov-decision processes for the generation and graphical evaluation of relevant maintenance policies for cases with limited data availability.15 Since cybersecurity assessments provide security information by host, steps should be taken to categorize hosts (i.e., ordinary host with no sensitive data, critical host with sensitive data) to ensure that maintenance policies are directed toward the most critical hosts.
• Proposition 3a—Cybersecurity assessments should include an assessment of patch management policies.



• Proposition 3b—Cybersecurity assessments should leverage continuous auditing procedures to ensure that patches are applied on a timely basis.
• Proposition 3c—Cybersecurity assessments should categorize hosts to ensure that maintenance recommendations can be directed toward the most critical hosts.
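The triage the article describes (Tenable severity levels derived from the CVSS base score, hosts selected for interrogation once false positives are ruled out, and a continuous-audit check that patches on categorized hosts are applied on time), as an added Python example that is not part of the article or of Nessus; the findings, host categories, field names and SLA values are constructed for the example.

```python
"""Risk-based triage of vulnerability scan findings by host.

Added example, not code from the article or from Tenable. It applies the
CVSS-to-severity mapping the article quotes (10.0 Critical, 7.0-9.9 High,
4.0-6.9 Medium, 0.0-3.9 Low), selects the hosts that warrant interrogation
(Medium or above), keeps findings already ruled out as false positives off
the prioritised list, and checks patch timeliness per host category
(critical hosts with sensitive data vs. ordinary hosts). The findings and
field names below are constructed and only loosely resemble a Nessus export.
"""
from collections import Counter
from datetime import date

# Tenable severity levels quoted in the article, checked from highest down.
SEVERITY_LEVELS = (
    ("Critical", 10.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.0),
)

# Assumed patch SLA in days per host category (constructed values).
PATCH_SLA_DAYS = {"critical": 14, "ordinary": 30}

# Constructed host inventory: categorisation per Proposition 3c.
HOST_CATEGORY = {
    "10.0.0.5": "critical",   # e.g. a database server holding sensitive data
    "10.0.0.9": "ordinary",
    "10.0.0.12": "ordinary",
}

# Constructed scan date and findings, loosely shaped like Nessus plugin rows.
SCAN_DATE = date(2016, 1, 15)
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "plugin_id": 100001, "cvss_base_score": 10.0,
     "patch_publication_date": date(2015, 10, 1), "false_positive": False},
    {"host": "10.0.0.5", "plugin_id": 100002, "cvss_base_score": 5.0,
     "patch_publication_date": date(2015, 12, 20), "false_positive": False},
    {"host": "10.0.0.9", "plugin_id": 100003, "cvss_base_score": 7.5,
     "patch_publication_date": date(2015, 11, 15), "false_positive": True},
    {"host": "10.0.0.9", "plugin_id": 100004, "cvss_base_score": 2.6,
     "patch_publication_date": None, "false_positive": False},
    {"host": "10.0.0.12", "plugin_id": 100005, "cvss_base_score": 6.8,
     "patch_publication_date": date(2015, 12, 28), "false_positive": False},
]


def tenable_severity(score):
    """Map a CVSS base score to the Tenable severity level named in the article."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for level, floor in SEVERITY_LEVELS:
        if score >= floor:
            return level


def severity_summary(findings):
    """Count findings per severity level and give each level's share of the
    total, as the Nessus report displays it (false positives not yet removed)."""
    counts = Counter(tenable_severity(f["cvss_base_score"]) for f in findings)
    total = sum(counts.values())
    summary = {}
    for level, _ in SEVERITY_LEVELS:
        share = round(100.0 * counts[level] / total, 1) if total else 0.0
        summary[level] = (counts[level], share)
    return summary


def hosts_for_interrogation(findings, min_level="Medium"):
    """Hosts with at least one confirmed (non-false-positive) finding at or
    above min_level, ordered so critical hosts and higher scores come first."""
    rank = [level for level, _ in SEVERITY_LEVELS]
    worst = {}
    for f in findings:
        if f["false_positive"]:
            continue  # Proposition 2b: ruled out during confirmation
        level = tenable_severity(f["cvss_base_score"])
        if rank.index(level) <= rank.index(min_level):
            worst[f["host"]] = max(worst.get(f["host"], 0.0), f["cvss_base_score"])
    return sorted(worst, key=lambda h: (HOST_CATEGORY.get(h) != "critical", -worst[h]))


def overdue_patches(findings, scan_date):
    """Confirmed findings whose patch has been available longer than the SLA
    for the host's category: the continuous-audit check for timely patching."""
    overdue = []
    for f in findings:
        published = f["patch_publication_date"]
        if f["false_positive"] or published is None:
            continue  # nothing to patch, or not a real finding
        category = HOST_CATEGORY.get(f["host"], "ordinary")
        age_days = (scan_date - published).days
        if age_days > PATCH_SLA_DAYS[category]:
            overdue.append((f["host"], f["plugin_id"], age_days))
    return overdue


if __name__ == "__main__":
    print(severity_summary(SAMPLE_FINDINGS))
    print(hosts_for_interrogation(SAMPLE_FINDINGS))
    print(overdue_patches(SAMPLE_FINDINGS, SCAN_DATE))
```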
ATTACK VECTORS AND DEFENSE-IN-DEPTH
Given that adversaries can attack a target from multiple points using either insiders or outsiders, an organization needs to deploy protection mechanisms at multiple locations to resist all classes of attacks. Defense-in-depth is a practical strategy for achieving information assurance in today’s highly networked environments.16 Accordingly, some information security postures utilize a defense-in-depth model. Such a model refers to the way hardware and software is configured to provide different levels of security. A defense-in-depth model recognizes that not all resources require the same level of security. In addition, this model can mitigate exposures that might otherwise exist. For example, if a server is vulnerable to an exploit because it is not able to be updated, a defense-in-depth layer can be added to mitigate the exposure. Accordingly, cybersecurity assessments should include a review of defense-in-depth security layers. Likewise, since a company may accept a risk related to one attack vector by relying on defense-in-depth, the assessment should include various exploitation paths to test defense-in-depth.
• Proposition 4—Cybersecurity assessments should include a review of defense-in-depth security layers.
• Proposition 4b—Cybersecurity assessments should include various exploitation paths to test defense-in-depth.

STANDARDS
Given the fact that a cybersecurity assessment should test an actual state against a desired state, it is necessary to have a standard against which to audit. At this point in time, NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations,17 which has been mapped to ISO 27001, is a logical standard to utilize. In addition, specific regulatory security standards that must be met for categories of assets or specific assets (e.g., ports/services and default account requirements related to critical infrastructure protection assets) should be utilized.
• Proposition 5a—Cybersecurity assessments should utilize standards such as NIST SP 800-53.
• Proposition 5b—Cybersecurity assessments should utilize specific regulatory security standards that must be met for applicable categories of assets or specific assets.

CONCLUSION
Cybersecurity assessments should be conducted in phases and focus on attack vectors, as indicated in IS Auditing P8. In addition, cybersecurity assessments should include steps to ensure that the assessment team has adequate skills and tools to perform the assessment. The assessment should focus on the greatest risk and include steps to reduce false positives. Given the importance of patch management, assessments should include steps to assess the adequacy of patch management. Since attacks can come from multiple points, assessments should include a review of defense-in-depth security layers. Since cybersecurity assessments should test an actual state against a desired state, assessments should utilize standards.

ENDNOTES
1 PricewaterhouseCoopers, The Global State of Information Security Survey 2013, USA, www.pwc.ru/en/riskassurance/publications/information-security-survey.html
2 International Organization for Standardization, ISO/IEC 27001, Information security management, www.iso.org/iso/home/standards/management-standards/iso27001.htm
3 International Organization for Standardization, ISO 27002, Information technology—Security techniques—Code of practice for information security controls, www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533
4 National Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53, Revision 4, USA, 30 April 2013, http://csrc.nist.gov/publications/PubsSPs.html#800-53
5 National Archives and Records Administration, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, USA, 19 February 2013, www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
6 National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, www.nist.gov/cyberframework/



7 ISACA®, Certified Information Systems Auditor Job Practice, USA, June 2011, www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Job-Practice-Areas/Pages/CISA-Job-Practice-Areas.aspx
8 ISACA, IS Auditing Procedure P8, Security Assessment-Penetration Testing and Vulnerability Analysis, IS Standards, Guidelines and Procedures for Auditing and Control Professionals, USA, 15 March 2008
9 Tenable Network Security, Nessus, www.tenable.com/products/nessus-vulnerability-scanner
10 Forum of Incident Response and Security Teams, www.first.org/
11 Mell, P.; K. Scarfone; “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” First.org, June 2007, www.first.org/cvss/cvss-v2-guide.pdf
12 Dumont, Cody; “Understanding Risk,” Tenable Network Security, 14 October 2014, www.tenable.com/sc-dashboards/understanding-risk
13 Engebretson, Patrick; The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier, USA, 2013
14 Institute of Internal Auditors, Global Technology Audit Guide Change and Patch Management Controls: Critical for Organizational Success, 2012
15 Afful-Dadzie, A.; T. Allen; “Data-driven Cyber-vulnerability Maintenance Policies,” Journal of Quality Technology, vol. 46, no. 3, 2014, p. 234-250
16 National Security Agency, “Defense in Depth,” USA, www.nsa.gov/ia/_files/support/defenseindepth.pdf
17 Op cit, National Institute for Standards and Technology 2013




Feature

The Art of Data Visualization
A Gift or a Skill?, Part 1

Karina Korpela, CISA, CISM, CISSP, PMP, is the IT audit manager at AltaLink, a Berkshire Hathaway Energy Company and Alberta’s largest transmission provider. She has more than 13 years of experience with IT risk and controls, performing data analytics and developing continuous controls monitoring applications for many different business processes. She began her career at Coopers & Lybrand as a system administrator and she was later invited to join its Computer Audit Assistance Group (CAAG) as an IT auditor. Korpela later became a manager in PricewaterhouseCooper’s Global Risk Management Solution practice. She can be reached at karina.korpela@altalink.ca.

The ability to create eye-catching visuals is not an inherited skill. The skills required for most effectively displaying information are not intuitive and rely largely on principles that can be learned. There are, indeed, some visualization techniques that are best left to designers, but there are others, e.g., audit findings, key performance indicators (KPIs) and cybermonitoring indicators, that do not need the designer’s touch.

Scientific evidence supports the importance of data visualization. As Neil DeGrasse Tyson once said, “The good thing about science is that it’s true whether or not you believe in it.” And there is as much science behind data visualization as there is behind analytics.

The brain receives 8.96 megabits of data from the eye every second. The average person comprehends 120 words per minute when reading, which is equivalent to 81.6 bits of data per second.1

Humans are not wired to read quickly; they are wired to visualize quickly. Brains perform more efficiently and more information is retained when the learning comes from visuals.

A well-designed dashboard allows the viewer to analyze massive data sets at a glance. Learning how to represent data in a way that immediately tells a story, sparks an insight or provokes discussion is as important as being able to run data analytics.

Data visualization is comprised of a set of tools and techniques to create graphs (also called charts or diagrams) that, when used the right way, are extremely powerful. It is not about flashy 3-dimensional rainbow graphs. Data visualization is about being simple and representing data effectively.

Before considering design principles, there are important layers to be covered in preparation for the design layer.

KNOW THE DATA
What data types are in the data set? Are the variables mostly categorical, e.g., regions and departments? Do the data have geospatial variables, such as country, city, address or postal codes? What about dates? What are the quantitative variables? Is the categorical data nominal, ordinal, hierarchical or interval (≥70 points, <70 and ≥50 points, and <50) in nature? Understanding the data types can aid in selecting the best graph to visualize the data.

After identifying the data types, it is necessary to understand the relationships among all variables, because one variable by itself is not very interesting. The first question to ask about a number is “Compared to what?”2

Relationships are data’s way to tell their story. It is important to identify whether one or more of these relationships exist in the data set: nominal comparison, time-series, correlation, ranking, deviation, distribution, part-to-whole relationships and geospatial.

KNOW THE MESSAGE
What is being conveyed? Is the purpose to find the story the data are telling or simply to provide an explanation of a known issue?

Visualization for exploring is useful when what the data have to tell is unknown and it is still necessary to get a sense of the relationships and patterns contained within it for the first time. It allows for imprecision.

Certain graphs are better at enabling exploration, while others, such as pie charts, provide only a simple explanation. Interactive dashboards allow internal auditors to find their own stories in the data. Some graphs are more forgiving, allowing for the use of many categories and colors since users will be able to apply filters.

Visualization for explaining is best when it is cleanest.3 Here, the ability to pare down the information to its simplest form—to strip away the noise entirely—will increase the efficiency with which a decision maker can understand it. This is the approach to take once it is understood what the data are saying and when that message is ready to be communicated to the audience.

ISACA JOURNAL VOLUME 1, 2016 27


KNOW THE AUDIENCE
Knowing the audience goes a long way toward making a connection and maximizing the chances that management will understand and retain the information being conveyed. What experience, skill and understanding of the subject will the audience members have? What is their ability to focus? How interested are they?

Organize, group or prioritize the information in order to emphasize what should be conveyed to the audience, and do not bury the key messages in a mass of detail and graphs.

Most audiences are used to plain bar, line and pie charts. Bar charts can be useful to convey information, but it may help to provide the audience with some initial attention-grabbing visuals to “wow” them and, as a result, draw their attention to the story that follows. Consider compelling visuals to include everything that calls the reader’s attention without sacrificing or obfuscating the message. Do not be afraid of trying different chart types. As Steve Jobs said, “A lot of times, people don’t know what they want until you show it to them.”

And finally, color blindness and cultural differences must be taken into consideration as well. Both need to be factored in when selecting a color palette for graphs.

KNOW THE OPTIONS
This is one of the most interesting parts of data visualization—choosing the correct graph for the data type and relationships in the data set. This is when the relationships identified earlier come to life.

When putting together a graph, one of four things with the data should be shown: a relationship between/among data points, a comparison of data points, a composition of data, a distribution of data or the geospatial location of data points.4

To help determine which graph to use, see figure 1, created by Andrew Abela, author of the book Advanced Presentations by Design.5

Figure 1—Chart Suggestions

What would you like to show?

Comparison
  Among Items
    Two Variables per Item: Variable Width Column Chart
    One Variable per Item
      Many Categories: Table or Table With Embedded Charts
      Few Categories
        Many Items: Bar Chart
        Few Items: Column Chart
  Over Time
    Many Periods
      Cyclical Data: Circular Area Chart
      Noncyclical Data: Line Chart
    Few Periods
      Single or Few Categories: Column Chart
      Many Categories: Line Chart

Relationship
  Two Variables: Scatter Chart
  Three Variables: Bubble Chart

Distribution
  Single Variable
    Few Data Points: Column Histogram
    Many Data Points: Line Histogram
  Two Variables: Scatter Chart
  Three Variables: 3D Area Chart

Composition
  Changing Over Time
    Few Periods
      Only Relative Differences Matter: Stacked 100% Column Chart
      Relative and Absolute Differences Matter: Stacked Column Chart
    Many Periods
      Only Relative Differences Matter: Stacked 100% Area Chart
      Relative and Absolute Differences Matter: Stacked Area Chart
  Static
    Simple Share of Total: Pie Chart
    Accumulation or Subtraction to Total: Waterfall Chart
    Components of Components: Stacked 100% Column Chart With Subcomponents

Source: Andrew Abela. Reprinted with permission.



Some other graphs not featured in figure 1 are shown in figure 2:
• Bubble chart—This is a variation of the scatter plot. This is one of the charts that should be used only as eye-candy or when getting to know the data set. This chart looks fun, but is ineffective in communicating meaningful data, and it is often troublesome to get the scaling right.
• Tree map—This is a way to compare data types so that categorical data are represented by the colors and numerical variables by their size. Tree maps display large numbers of values that exceed the number that could be displayed simply and effectively with a bar graph.
• Heat map—This is a representation of data in which the individual values contained in a matrix are represented as colors. There are many types of heat maps, but they all have one thing in common—they use color to communicate the relationship between categorical and numerical variables.
• Trellis chart—This is not a grouping of line charts copied and pasted together. It is one graph using the same scale and axes as line charts, but it is divided into categories. Trellis charts are useful for finding the structure and patterns in complex data.
• Word cloud—This is an engaging way to visualize the frequency distribution of words with textual data; however, it should be used sparingly as word clouds cannot show how a word is used. It is best used to highlight categorical data types, e.g., departments with most sales. A word cloud can display the filter being applied if using an interactive tool.
• Bullet graph—This graph was developed by Stephen Few6 to replace the meters and gauges that are often used on

Figure 2—Additional Graph Suggestions
[Image grid of example graphs: Word cloud, Tree map, Box plot; Heat map, Bullet graph, Map; Doughnut, Trellis chart, Bubble chart]
Source: Tableau Public. Reprinted with permission.



dashboards. Its linear, no-frills design provides a rich display of data in a small space, which is essential on a dashboard. Like most meters and gauges, bullet graphs feature a single quantitative measure (i.e., year-to-date revenue) along with complementary measures to enrich the meaning of the featured measure. Its design not only gives it a small footprint, but it also supports more efficient readings than radial meters.
• Box plot—This represents data by showing the lowest value, highest value, median value, and the size of the first and third quartile. The box plot is useful in analyzing small data sets that do not lend themselves easily to histograms.
• Doughnut chart—This is basically a pie chart with a hole in the middle. The beauty of it is that the blank space in the middle gives room to add text or even one more variable, e.g., total percentage complete. A doughnut chart can be combined with a pie chart to represent more than one categorical variable or data set (assuming those relate somehow). Each variable in a doughnut chart adds a ring to the chart. The first variable is displayed in the center of the chart.
• Map—This is the perfect graph to use if there are geospatial data types in the data set. It is not necessary to have street addresses; just the city is sufficient to map, for example, where most of the transactions are occurring.

For the purpose of awareness, figure 3 has examples of other graphs that may be useful. Many data visualization

Figure 3—Combining Data Visualization Methods
[Image grid of combined graphs: Doughnut and pie; Stacked bars and line; Map and bubble; Bar and dot (aka lollipop chart); Bar and area (aka funnel chart); Bars and tree map]
Source: Tableau Public. Reprinted with permission.



gurus make strong cases against using some of these for very valid reasons. These graphs combine two types of graphs in order to best convey the information.

As part 1 of this series, this article is meant to provide the basics in data visualization, but it also establishes the importance of data science. Knowledge is not power. Power is what is done with this knowledge and the decisions and actions taken as a result of understanding the information. And data visualization is key in making sense of it. Part 2 of this article will discuss how to make appropriate and effective use of colors, fonts and gestalt principles, and how to avoid chartjunk.

ENDNOTES
1 Koch, K.; “How Much the Eye Tells the Brain,” Current Biology, 25 July 2006; 16(14): p. 1428–1434, www.ncbi.nlm.nih.gov/pmc/articles/PMC1564115/
2 Few, Stephen; “Effectively Communicating Numbers,” Perceptual Edge, November 2005
3 Steele, Julie; “Why Data Visualization Matters,” Radar, 15 February 2012, http://radar.oreilly.com/2012/02/why-data-visualization-matters.html
4 Op cit, Few
5 Abela, Andrew; “Choosing a Good Chart,” The Extreme Presentation Method, 6 September 2006, http://extremepresentation.typepad.com/blog/2006/09/choosing_a_good.html
6 Stephen Few is an innovator, consultant and educator in the fields of business intelligence and information design. http://perceptualedge.com/about.php



Feature

How to Be the Most Wanted IS Auditor


Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI, is currently director and principal consultant at Oxygen Consulting Services Pvt. Ltd. Agarwala has more than 17 years of experience across multiple industry domains in various information security roles and has expertise in areas such as information security management systems, risk management, cybersecurity, systems audit, IT governance and business continuity management.

The audit profession is known to businesses of all kinds, especially those that are governed by regulation. While businesses understand the importance of audits, some people perceive audits as a postmortem exercise directed at finding faults and reporting to regulators, management and other interested parties. IS audit is a stream of the broader audit profession. It involves the audit of the business with respect to the usage of IT. While it is true and obvious that the IS auditor has the additional role of understanding the technology and its associated risk, the question persists as to whether the perception of the auditee is any different.

Most organizations have an audit function, whether it be a part-time internal auditor or full-fledged audit teams and independent audit committees. The role of auditors, in most cases, is to independently report on significant risk factors in the current environment. From the viewpoint of the auditee, the same auditor would identify risk in the auditee’s environment. After sharing this risk with management, management may conclude that auditees are not managing their area well, so during the audit, the auditees may be reluctant to share weaknesses with the auditor.

Technology advancements are occurring quickly, businesses are adopting new and dynamic business models, and there is an emerging trend of increasing cybercrimes and fraud. Because of these challenges, it is time that IS auditors play a more significant role. This article provides strategies for how the IS auditor can become the most wanted by auditees, meet expectations of the business, and gain true respect from one and all.

BE PASSIONATE ABOUT THE PROFESSION
Auditors should be passionate about audits. When auditors are passionate, it creates a positive environment. Even the auditees can feel when the auditor is there in full heart and mind to do the assignment. Auditors with passion send positive signals, and auditees will potentially demonstrate more interest in the audit. Even if auditors are working in a familiar environment, they should look at it with fresh eyes every time they audit. The auditor knows there are changes in the environment, so there are definite areas for improvement. When auditors are passionate, they are able to continuously learn and contribute.

RESPECT THE PEOPLE AND CULTURE AND USE SOFT SKILLS
Auditors need to recognize the fact that they are dealing with people. Auditees are the people who will provide the information and evidence needed to conduct a smooth audit. Auditors need to respect auditees’ time and what they do in their daily organizational activities. In addition, every organization has its own culture and way of doing things.1 Auditors need to understand and respect the company culture, or auditors may not be received with true respect.

Auditors should not create an environment of fear in the enterprise. When auditors better connect with people, properly explain the audit observations to the auditee in terms of risk and value, and obtain acceptance, a level of trust is created between the auditor and auditee. Communication throughout the audit engagement is important. Soft skills such as observation, listening, presenting, communicating, documenting and negotiating are important skills for an IS auditor. Soft skills are difficult to learn and apply in real-life audits2 when compared to technical skills.

UNDERSTAND THE CLIENT’S BUSINESS DOMAIN
Auditors need to understand the business processes of the client’s business domain. Though IS auditors are evaluating the IS controls, no IS controls work in isolation from business controls. Technology is important but is primarily an enabler. Without proper understanding of the business process, auditors may not be positioned to understand the real risk to the business process. In addition, the auditee may not share important information with the auditor if the auditor does not talk in terms of business processes.



STAY UP-TO-DATE ON TECHNOLOGY TRENDS AND INDUSTRY ISSUES
Auditors need to be up-to-date on current technologies and upcoming technologies, how these technologies can be used for business advantage, the risk inherent in these technologies, and how various industry issues are related to information systems. The IS auditor should subscribe to audit journals, knowledge resources and industry newsletters to stay aware of the latest trends. When IS auditors explain real-time and current issues with examples, auditees may be more open to discussing the issues that may be present in their environment.

Auditors frequently face challenges while auditing the IT department in terms of the complexity of the IT systems they need to audit. When IS auditors are unable to speak the IT language, they may not get the respect they desire. Keeping up to date on technology concepts and asking the right technical questions will help in such scenarios.

KEEP THE OBJECTIVES IN FOCUS AND PROVIDE REALISTIC VALUE
In the context of COBIT® 5,3 any business would expect that if benefits are delivered and risk and resources are optimized, value would be created for stakeholders. While there would be specific audit objectives depending on the audit in question, audits generally tie back to value delivery, risk management and resource optimization.

The COBIT 5 framework is based on a holistic set of seven enablers. The seven enablers are Principles, Policies and Frameworks; Processes; Organizational Structures; Culture, Ethics and Behavior; Information; Services, Infrastructure and Applications; and People, Skills and Competencies. When IS auditors take all of these enablers into consideration, they provide realistic value added to the organization. When auditors are able to explain the larger picture of the audit to the auditees, e.g., what is in it for them and possible improvement actions, auditees are able to relate more. Keeping the audit objectives in focus, considering these important enablers, and recommending a practical and relevant assessment of the audit areas brings forth greater respect for the auditor and greater buy-in from all.

FOLLOW THE AGREED-UPON AUDIT PROCESS
The IS audit should be conducted by following the standard and well-known approach that is endorsed by recognized industry leaders. ISACA® provides a number of IS audit-related standards and references.4 The Institute of Internal Auditors (IIA) is another useful source for such audit practices. There are auditing guidelines for the popular standard ISO 27001 for information security management systems.5 In some scenarios, auditors and client audit management can agree upon the audit process of their choice. Once the process is decided upon, it is best to follow the process as it helps in the smooth conduct of the IS audit.

Typically, drawing up the audit schedule, conducting the audit and drafting the final audit report are essential components of any audit assignment. A risk-based audit approach is a popular IS audit approach in the banking and financial industry; auditors need to follow the approach best suited as per the audit engagement. Auditor knowledge of all of these audit standards and best practices increases the confidence of the auditee and client audit management.

BE INNOVATIVE WHEN STUCK WITH CHALLENGES
It is not uncommon that during the course of audits, auditors will face various challenges, such as the auditee not being available due to emergencies in the operational environment, the auditee not understanding the question being asked, the auditee being defensive about providing more details and other similar situations.

Sometimes the audit schedule agreed upon previously may be difficult to implement, and auditors are tasked with the challenge of doing proper audits and producing a report. While the audit schedule is important, there are moments when the auditor needs to be dynamic to make changes in the schedule to accommodate unforeseen challenges in the business environment. Auditors need to come up with innovative approaches to gather audit-related information, restrategize on how to audit an area in limited time, collect relevant evidence and reach an opinion.

CREATE A PROPER IS AUDIT REPORT
The IS audit report is an important component of the IS audit process. When possible, IS auditors should explain the audit findings to the auditee in terms of risk, value and benefits to the organization. Doing so during the audit and
benefits to the organization. Doing so during the audit and



obtaining an agreement with the auditee ensures that the audit observations will be taken seriously and the auditee will not be caught by surprise.

When the findings are properly communicated, it creates a good impression and corrective actions can be initiated. Audit reports should be drafted with proper recognition of the accomplishments in each of the audit areas; otherwise, the report looks like a fault-finding mission and gives a bad reputation to the IS auditor.

Considering the importance of the IS audit report, auditors should spend 40-50 percent of their time on the audit report preparation and finalization. IS audit reports can be sent to many interested parties, including some that the auditor may not have even met during the engagement, so the report has to properly communicate the results of the audit.

EMBED THE LESSONS LEARNED INTO THE AUDIT PROCESS
Audit management may be tasked with the important job of independently identifying risk factors and areas of concern that need improvement. Auditors verify if the process owners have a lessons learned process to improve on the issues reported. But there is a high likelihood they may not properly follow the lessons learned process for the IS audit process. Auditors may not achieve the intended objectives for various reasons, or there can be some formal and informal feedback from auditees and the audit client.

Postaudit, it is good practice for an auditor to perform a root-cause exploration for the feedback obtained, if any, and also perform a self-assessment of how the overall audit process went and areas for improvement, e.g., the need for better planning, improving soft skills or training in upcoming technologies. Doing this will help auditors improve their audit skills.

ACQUIRE POPULAR AUDIT CERTIFICATIONS
Many organizations have a minimum requirement for IS auditor qualifications. Popular IS audit certifications test the candidate on recognized audit practices, and acquiring certifications demonstrates the minimum level of understanding of IS audit practices. Acquiring a popular, industry-recognized IS audit certification, such as the Certified Information Systems Auditor® (CISA®),6 Certified Internal Auditor (CIA),7 GIAC Systems and Network Auditor (GSNA)8 and other similar certifications, boosts auditee confidence and increases recognition. When the IS auditor systematically applies lessons learned from obtaining these certifications in real-life audits, it helps the auditor to gain more respect.

CONCLUSION
Organizations are increasingly adopting technology to fuel their business growth engine. Data security threats, fraud and advanced attacks are on the rise. Boards of directors are increasingly concerned with whether the system on which the business is dependent is secure enough, optimized and contributes value to the entire enterprise.

Auditors play a critical role by being an independent entity and being the eyes and ears for the organization. It is time that IS auditors understand the expectations of various stakeholders. Auditors need to effectively fight the negative perceptions that are in the minds of many auditees to become the most wanted IS auditor.

ENDNOTES
1 White, S.; “How Internal Audit Can Assess and Support Culture,” CGMA Magazine, 12 August 2015, www.cgma.org/Magazine/News/Pages/how-internal-audit-can-assess-and-support-culture-201512818.aspx
2 Chambers, R.; “Five Things Internal Auditing Has Taught Me About Human Nature,” Internal Auditor Online, 11 February 2013, https://iaonline.theiia.org/five-things-internal-auditing-has-taught-me-about-human-nature
3 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit
4 ISACA, ITAF, www.isaca.org/itaf
5 ISO/IEC 27007:2011, Information technology—Security techniques—Guidelines for information security management systems auditing, www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42506
6 ISACA, Certified Information Systems Auditor (CISA), www.isaca.org/cisa
7 The Institute of Internal Auditors, Certified Internal Auditor (CIA), https://na.theiia.org/certification/CIA-Certification/Pages/CIA-Certification.aspx
8 Global Information Assurance Certification, GIAC Systems and Network Auditor (GSNA), www.giac.org/certifications/audit



Feature

Seven Software-related Incidents and How to Avoid or Remediate Them

Frederick G. Mackaden, CISA, CMA, PMP, is currently with Crowe Horwath, a leading consulting network in the global top 10. He recently implemented management controls for a leading hospital group in the Middle East through Horwath MAK, the consulting arm of Crowe Horwath in the Middle East. His previous employers include a Fortune 500 multinational, where he worked as an enterprise resource planning (ERP) specialist supporting finance, sales, purchasing and manufacturing modules. He has more than a decade of experience in the ERP consulting environment and more than 25 years of experience overall. He is one of the contributors and reviewers of A Guide to the Project Management Body of Knowledge, 5th Edition.

Verizon’s 2015 Data Breach Investigations Report,1 which addresses industry verticals such as education, entertainment and manufacturing, points to key incidents related to data breaches to watch for, primarily:
• Education: Crimeware (represents “Malware infections within Organizations not associated with specialized patterns”2), miscellaneous errors, cyberespionage
• Manufacturing: Cyberespionage, crimeware, insider misuse

This article focuses on miscellaneous errors and insider misuse as these are not as closely monitored, perhaps because they are not perceived as an external threat. The potential incident is created by errors of insiders (employees) and approved suppliers who function as trustworthy insiders. In these cases, a malicious intent may not be present, yet the errors can become catastrophic.

It goes without saying that risk relating to incidents such as those mentioned needs to be planned for, and potential disaster recovery options should be in place. Otherwise, the organization will be caught off guard and suffer real business losses in terms of delays in cash flow, which could seriously impact the stability of the business, especially in markets where customers delay payments.

This article will focus on seven software incidents that caused a great deal of panic and heartache.3 Nearly 60 percent of the incidents resulted from incorrect or accidental deletions. The others were caused by faulty customized code and lack of comprehensive testing prior to promotion to the live environment. The whole point is that such errors often slip by unnoticed by the IT department until operations actually grind to a halt.

Any multinational organization should have incident management and disaster recovery measures in place so that such events can be prevented, at best, or recovered from, at worst, with minimal impact to the business as a whole.

Lessons learned from incidents when they occur are very important. Effective communication is key in all of this, especially when programmers are offshore in another country and only telephonic or other electronic communication methods are possible (figure 1, incident 1). Of course, everyone knows that face-to-face communication is best, but that is not possible when one team is located in one country and another team is located in the headquarters in a different country. If weekly project calls are not held and interactions with the offshore programmers and the onshore functional consultants are minimal, it can lead to problems down the line.

Effective change management acts as a preventive step, especially with respect to programming code movement across environments. When customized code is moved across software environments, it needs to follow a gate review process in which the senior management representatives (who look at the business in its entirety) along with concerned independent specialists (who focus on the technical angle) open the gate or door into the next environment or request the programmers to review the code due to a critical testing failure. This process enables the team to revisit the work and check whether all is well before launching the (software) vessel on the high seas. Figure 2 gives a graphic design of this process. Change management can be done for hardware as well as software changes. Unfortunately, this was not the case in the examples in figure 1, incidents 1 and 2.

Figure 1 details seven incidents which caused significant turmoil and distress.



In one instance (figure 1, incident 3), the functional consultant had forgotten the program number of the functional route to the problem and resorted to the technical route to solve the issue. The technician concerned also did not know the English language well and further complicated the situation as he also was not sure of what needed to be done.

Once an incident has happened, it should be logged into the incident reporting system. The incident reporting system alerts key personnel to an emergency and analysts and programmers relevant to the task can be deployed. The recovery project needs to be monitored closely. In one instance (figure 1, incident 7), the recovery was possible within a few

Figure 1—Seven Incidents to Be Avoided and/or Remediated

Columns: Incident Number | Industry Vertical | Broad Category | Threat Actor | Impact Type | Incident | Incident Details | Rating | Remedial Measures Initiated | Suggested Preventive Measures

Incident 1
Industry Vertical: Education
Broad Category: Miscellaneous errors/insider misuse
Threat Actor: External supplier
Impact Type: Inadequate test scenarios
Incident: Failure to test for foreign currencies
Incident Details: A program was conducted by the offshore team and the functional tester assumed that foreign currencies were tested. With this assumption, he tested all scenarios for the Great Britain pound (GBP) currency, as the client was in the UK. When the code went into the live environment, a transaction for the Euro currency failed and the program had to be stopped and redone.
Rating: Low
Remedial Measures Initiated: The code in the live environment was suspended and the code was redone in the development environment; comprehensive testing for domestic and foreign currencies was conducted and the code was then promoted to the live environment.
Suggested Preventive Measures: Comprehensive testing is key. It requires quiet reflection and discussion with client stakeholders to ensure that testers have not missed a scenario. A list of client transactions across a quarter would have revealed what needed to be tested. Use of comprehensive use case diagrams for the proposed system may help to prevent missing any live scenarios being tested in the test environment prior to the software going live.

Incident 2
Industry Vertical: Education
Threat Actor: External supplier
Impact Type: Inadequate testing
Incident: Automatic reconciliation program with recursive code, which reconciled unreconciled transactions in the live environment
Incident Details: The customized program was to cater to the bank receipt and payment types of the client. A senior programmer inserted a code she thought would be perfect at the last minute. Testing had previously worked in the final acceptance test (FAT) environment. The code was moved to the live environment. In the live environment, the code added the reconciled code “R” to transactions that should not have been reconciled otherwise.
Rating: High
Remedial Measures Initiated: The program was suspended in the live environment and reconciliations had to be done manually from the previous reconciled period.
Suggested Preventive Measures: Prior to promotion of code, regression testing needs to be done and better coordination measures should be initiated between the programmers working offshore and the functional consultant working on the client’s sites across the globe.
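The preventive measure for incident 1 (a list of client transactions across a quarter would have revealed what needed to be tested) can be turned into a mechanical gate check before code is promoted. The Python below is an added example, not the author's or the client's code: the transaction list, the currencies and the receipt/payment types are constructed sample data, and the function names, including the release_gate decision, are assumptions about how such a check would be wired into a change-management gate.

```python
"""Scenario-coverage gate for customized code (added example, not the article's code).

Incident 1 in figure 1 shipped after only GBP scenarios were tested. The check
below follows the table's preventive measure: enumerate the (currency, type)
scenarios that actually occur in a quarter of live transactions and refuse
promotion while any of them is missing from the executed test set.
"""
from collections import Counter

# Constructed sample: one quarter of client transactions (not real client data).
QUARTER_TRANSACTIONS = [
    {"id": "T001", "currency": "GBP", "type": "receipt"},
    {"id": "T002", "currency": "GBP", "type": "receipt"},
    {"id": "T003", "currency": "GBP", "type": "payment"},
    {"id": "T004", "currency": "EUR", "type": "receipt"},
    {"id": "T005", "currency": "GBP", "type": "receipt"},
    {"id": "T006", "currency": "USD", "type": "payment"},
    {"id": "T007", "currency": "GBP", "type": "receipt"},
    {"id": "T008", "currency": "EUR", "type": "receipt"},
    {"id": "T009", "currency": "GBP", "type": "payment"},
    {"id": "T010", "currency": "GBP", "type": "receipt"},
]

# Constructed: what the functional tester actually executed (domestic currency only).
TESTED_SCENARIOS = {("GBP", "receipt"), ("GBP", "payment")}


def required_scenarios(transactions):
    """Count each (currency, type) scenario seen in live transactions."""
    return Counter((t["currency"], t["type"]) for t in transactions)


def coverage_gaps(transactions, tested):
    """Live scenarios absent from the executed tests, most frequent first."""
    seen = required_scenarios(transactions)
    gaps = [(scenario, n) for scenario, n in seen.items() if scenario not in tested]
    return sorted(gaps, key=lambda gap: (-gap[1], gap[0]))


def transaction_coverage(transactions, tested):
    """Share of live transactions whose scenario was tested (1.0 when nothing to cover)."""
    seen = required_scenarios(transactions)
    total = sum(seen.values())
    covered = sum(n for scenario, n in seen.items() if scenario in tested)
    return covered / total if total else 1.0


def release_gate(transactions, tested):
    """Gate decision for the change board: promote only when no live scenario is untested."""
    gaps = coverage_gaps(transactions, tested)
    return {
        "promote": not gaps,
        "gaps": gaps,
        "transaction_coverage": round(transaction_coverage(transactions, tested), 3),
    }


if __name__ == "__main__":
    decision = release_gate(QUARTER_TRANSACTIONS, TESTED_SCENARIOS)
    print("promote:", decision["promote"])
    for (currency, kind), count in decision["gaps"]:
        print(f"untested: {currency} {kind} ({count} live transactions last quarter)")
```

With the sample data the gate refuses promotion and lists EUR receipts and USD payments as untested, which is exactly the Euro transaction that failed in live in incident 1. Feeding the gate the real transaction export rather than the tester's memory of what exists is the point: the scenario list is derived from data, not assumed.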



Figure 1—Seven Incidents to Be Avoided and/or Remediated (cont.)

Incident 3
Industry Vertical: Professional
Threat Actor: External supplier
Incident: Database administrator who was asked to delete record locks instead deleted log files, making the database suspect
Incident Details: The functional consultant and project lead had to do a repost of the ledger since there was trial balance imbalance between debits and credits. During the process of reposting, all users should have been out of the system. The functional consultant checked with the network administrator who confirmed all users were out in that location. When the repost was done, several users were on the system at a remote branch and this caused record locks. The functional consultant could not remember the functional program to delete record locks and sought the help of a database administrator (DBA). The inexperienced DBA deleted log files instead and the database became suspect.
Rating: Emergency
Remedial Measures Initiated: The database had to be restored using the last available backup.
Suggested Preventive Measures: Key files should be mirrored on a real-time basis so that recovery is complete down to the minute.

Incident 4
Industry Vertical: Manufacturing
Incident: Accidental deletion of receipt header records
Incident Details: In the process of correcting a cash receipt record, the finance functional consultant accidentally deleted all the receipt header table records by hitting the Enter key without a where clause in the delete Structured Query Language (SQL).
Rating: Medium
Remedial Measures Initiated: The standard program to recreate header records was used to re-create all the missing headers.
Suggested Preventive Measures: All SQLs should be checked separately in the FAT environment before being run in the live environment.

ISACA JOURNAL VOLUME 1, 2016 37


Figure 1—Seven Incidents to Be Avoided and/or Remediated (cont.)
Remedial Suggested
Incident Industry Broad Threat Impact Measures Preventive
Number Vertical Category Actor Type Incident Incident Details Rating Initiated Measures
5 Manufacturing Employee Accidental The functional High After the investigating Refreshing of the FAT
deletion of the consultant was team inspected environment with
manufacturing replicating setups for journals (a customized live setups enabled a
warehouse a new manufacturing program detailing reference state when
in the live facility. user actions on the the correction of the
environment applications database damage done was
Instead of copying, generating attempted.
he accidentally cut user-friendly reports,
and pasted deleting but referring to
the manufacturing database logs of
warehouse setup in insert, delete and
the live environment. update actions) and
discovered who was
When the interfaces responsible, the
ran in the live functional consultant
environment for the was notified and
manufacturing facility, asked to remedy
it showed errors of the the damage done.
missing setup. He was then able to
replicate the setup
The order while referring to the
administrator was FAT environment for
puzzled by this error reference.
as all was well the
previous morning.
6 Manufacturing Employee Accidental The financial controller Medium The FAT environment Weekly refreshing of
deletion of was having some had just been the FAT environment
records of the trouble with a trial refreshed with live with live data can
trial balance balance report and data, so the functional help when correcting
file sought the help of the consultant replicated accidents.
functional consultant. the file structure in the
In the process of FAT environment and
investigating, the then used the printout
consultant accidentally of the financial
deleted a few records controller to get the
in the trial balance file. figures in order using
SQL updates.
7 Manufacturing External Sudden An order administrator Emergency The interface was Mirroring key files on
supplier appearance reported that the sales immediately stopped a real-time basis was
of corrupt orders were showing and the mirror images key to an effective
records in incorrect figures; of the file prior to recovery in a few
sales detail file investigation revealed running the interface hours’ time with
that an interface had restored. minimal impact to the
corrupted sales order business.
detail records. The faulty code
in the sales order Interface programs
interface to the with new code should
compliance software be regression tested to
was then fixed and ensure that there are
the interfaces ran no new errors.
successfully the
following day.
Source: Frederick G. Mackaden. Reprinted with permission.

38 ISACA JOURNAL VOLUME 1, 2016


Figure 2—Environment-gate Review for Effective Change Management

Environment- Environment- Environment-


gate gate gate
Review Review Review

User Acceptance
Development Conference Test (UAT)/Final Production or
Room Pilot Acceptance Test Live
(FAT)

Source: Frederick G. Mackaden. Reprinted with permission.
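As an added illustration of the environment-gate review in figure 2 and of the preventive measures listed for incidents 1 and 2 in figure 1 (deriving the scenarios to test from a quarter of real client transactions, regression testing before promotion, and coordination between the offshore programmer and the onsite functional consultant), the following Python script is example code written for this edition; it is not from the article or its author. The `Transaction` record, the `gate_review` function, the sign-off roles and the sample transaction list are constructed assumptions.

```python
"""Environment-gate check before code is promoted to the next environment.

Added example; the Transaction record, gate_review() and the sample data
are constructed for illustration and are not from the article.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str        # "receipt" or "payment"
    currency: str    # ISO 4217 code, e.g. "GBP"


# Constructed sample: a quarter of a UK client's live transactions. Most are
# GBP, but a few foreign-currency items exist, as in figure 1, incident 1.
QUARTER_TRANSACTIONS = [
    Transaction("T0001", "receipt", "GBP"),
    Transaction("T0002", "payment", "GBP"),
    Transaction("T0003", "receipt", "EUR"),
    Transaction("T0004", "payment", "USD"),
    Transaction("T0005", "receipt", "GBP"),
    Transaction("T0006", "payment", "GBP"),
]

# Scenarios the developer actually exercised in the FAT environment.
TESTED_IN_FAT = {("receipt", "GBP"), ("payment", "GBP")}

# Every gate needs both the offshore programmer and the onsite consultant
# to sign off (the coordination gap behind incident 2).
REQUIRED_SIGNOFFS = {"programmer", "functional_consultant"}


def live_scenarios(transactions):
    """Count each (kind, currency) combination that live data really contains."""
    return Counter((t.kind, t.currency) for t in transactions)


def untested_scenarios(transactions, tested):
    """Live scenarios with no covering test, with how many transactions hit them."""
    return {s: n for s, n in live_scenarios(transactions).items() if s not in tested}


def gate_review(transactions, tested, regression_passed, signoffs):
    """Decide whether code may pass the environment gate.

    Returns (approved, reasons). Approval requires full scenario coverage,
    a passing regression run and all required sign-offs.
    """
    reasons = []
    missing = untested_scenarios(transactions, tested)
    if missing:
        detail = ", ".join(f"{kind}/{cur} ({n} txns)"
                           for (kind, cur), n in sorted(missing.items()))
        reasons.append("untested live scenarios: " + detail)
    if not regression_passed:
        reasons.append("regression suite has not passed")
    lacking = REQUIRED_SIGNOFFS - set(signoffs)
    if lacking:
        reasons.append("missing sign-off: " + ", ".join(sorted(lacking)))
    return (not reasons, reasons)


if __name__ == "__main__":
    approved, why = gate_review(QUARTER_TRANSACTIONS, TESTED_IN_FAT,
                                regression_passed=True, signoffs={"programmer"})
    print("promote to live:", approved)
    for reason in why:
        print(" -", reason)
```

Run as written, the gate refuses promotion because the EUR receipt and USD payment present in the live data were never tested and the functional consultant has not signed off; the same check applied before incident 1 would have surfaced the Euro transaction before go-live.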

hours as it was one of the best practices of that organization to mirror key files of the enterprise resource planning (ERP) system on a real-time basis. This, coupled with the fact that the organization had extremely skilled technicians who set to work immediately and were successful in their endeavor, enabled the organization to recover within the same business day. The disaster recovery measures in place thus enabled the organization to recover from the emergency and ensured correction of the issue in an extraordinarily swift manner. It is notable that in this case, an incident report from one country’s user who noticed the anomaly triggered the response. This underscores the need, even in the midst of a crisis, to issue the appropriate communication to all users of the software and the senior management concerned. A matrix of who needs to be informed and when (e.g., hourly or at the end of the business day) would also be helpful.

Maintenance of journal files (which tracked database activity such as Update, Delete and Insert back to the concerned users) ensured tracing the root cause of the incident in at least one of the instances (figure 1, incident 5).

IT heads also need to focus inward as the actors responsible for incidents may be within the same building. An organization with effective internal control systems needs to have an effective backup regime. Mirroring of key files on a real-time basis nightly, along with regular weekly and monthly backups, ensures that data are protected. Occasional restore runs from the available backup help ensure that staff are prepared for such incidents and also support confirming the veracity of the backup tapes, even when things are going pretty well. In fact, the recovery in just a few hours demonstrated in one of the scenarios (figure 1, incident 7) was possible due to the mirroring of the key files and the backup that resulted from this.

CONCLUSION
IT stakeholders need to look inward to ensure that their data are safe at all times. Confidentiality, integrity and availability are priorities that are always present in the increasingly complex world of enterprise software, among others. IT professionals must watch for miscellaneous errors and insider misuse especially.

Five processes, when performed effectively, can help prevent dire and distressing situations:
• Effective communication
• Change management
• Backup and restore


• Incident reporting
• Crisis management

That “integrity rings like fine glass, true, clear and reassuring”3 is true for data and the software environments that create and sustain it. Indeed, this needs to be assured not just for the data within an organization, but for all of the hardware, software, and people responsible and accountable for them.
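The following Python script is an added example, not code from the article or its author, illustrating two of the controls above: the journal of insert, update and delete actions that traced incident 5 back to a user, and a guard against the where-less DELETE that wiped the receipt header table in incident 4. The `receipt_header`, `journal` and `session` tables, the `guarded_execute` and `who_changed` functions and the three sample rows are constructed assumptions; the script uses Python’s built-in sqlite3 so it runs offline.

```python
"""Change journal and guarded DML for an application database.

Added example, not from the ISACA Journal article or its author. Table and
function names (receipt_header, journal, session, guarded_execute,
who_changed) and the sample rows are assumptions constructed for illustration.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE receipt_header (receipt_no INTEGER PRIMARY KEY, customer TEXT, amount REAL);
-- The journal records who did what to which row, as the custom program in
-- figure 1, incident 5 did from the database logs.
CREATE TABLE journal (
    id INTEGER PRIMARY KEY, actor TEXT, action TEXT, tbl TEXT, row_key INTEGER,
    at TEXT DEFAULT CURRENT_TIMESTAMP);
-- One-row table holding the application user on whose behalf statements run.
CREATE TABLE session (actor TEXT);
INSERT INTO session VALUES ('unknown');
CREATE TRIGGER rh_ins AFTER INSERT ON receipt_header BEGIN
    INSERT INTO journal (actor, action, tbl, row_key)
    SELECT actor, 'INSERT', 'receipt_header', NEW.receipt_no FROM session; END;
CREATE TRIGGER rh_upd AFTER UPDATE ON receipt_header BEGIN
    INSERT INTO journal (actor, action, tbl, row_key)
    SELECT actor, 'UPDATE', 'receipt_header', NEW.receipt_no FROM session; END;
CREATE TRIGGER rh_del AFTER DELETE ON receipt_header BEGIN
    INSERT INTO journal (actor, action, tbl, row_key)
    SELECT actor, 'DELETE', 'receipt_header', OLD.receipt_no FROM session; END;
"""


def open_db():
    """In-memory database with the schema, triggers and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("UPDATE session SET actor = 'loader'")
    conn.executemany("INSERT INTO receipt_header VALUES (?, ?, ?)",
                     [(1, "Acme", 120.0), (2, "Globex", 75.5), (3, "Initech", 9.99)])
    return conn


def lacks_where(sql):
    """True for a DELETE or UPDATE statement that has no WHERE clause at all."""
    body = sql.strip().rstrip(";").lower()
    return body.startswith(("delete", "update")) and re.search(r"\bwhere\b", body) is None


def guarded_execute(conn, sql, params=(), actor="unknown", allow_bulk=False):
    """Run a statement as `actor`; refuse whole-table DELETE/UPDATE unless allowed.

    allow_bulk is the explicit acknowledgement that the statement was checked in
    the FAT environment first, as the preventive measure for incident 4 asks.
    """
    if lacks_where(sql) and not allow_bulk:
        raise PermissionError("DELETE/UPDATE without WHERE refused; verify it in "
                              "FAT and pass allow_bulk=True")
    conn.execute("UPDATE session SET actor = ?", (actor,))
    return conn.execute(sql, params).rowcount


def refuses(conn, sql, actor="unknown"):
    """Does the guard refuse this statement? (Convenience for checks.)"""
    try:
        guarded_execute(conn, sql, actor=actor)
        return False
    except PermissionError:
        return True


def who_changed(conn, action, tbl):
    """Root-cause query: which actor performed `action` on `tbl`, and on which rows."""
    return conn.execute(
        "SELECT actor, row_key FROM journal WHERE action = ? AND tbl = ? ORDER BY id",
        (action, tbl)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("whole-table delete refused:", refuses(db, "DELETE FROM receipt_header",
                                                 actor="fin_consultant"))
    n = guarded_execute(db, "DELETE FROM receipt_header WHERE receipt_no = ?", (2,),
                        actor="fin_consultant")
    print("rows deleted:", n)
    print("who deleted what:", who_changed(db, "DELETE", "receipt_header"))
```

The journal answers the question the investigating team had in incident 5 (which actor deleted which row, and when), while the guard turns the Enter key slip of incident 4 into a refused statement rather than an empty table.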

ENDNOTES
1 Verizon, 2015 Data Breach Investigations Report, www.verizonenterprise.com/DBIR/2015/
2 Ibid., page 39
3 This article highlights software incidents that caused great distress in the author’s personal experience or led to a project failure, but the focus is on a preventive, rather than a corrective, approach.
4 Brown, P.; Helen Exley Giftbook, Watford, UK, 2002



Feature

Managing Data Protection and Cybersecurity—Audit’s Role

Mohammed J. Khan, CISA, CRISC, CIPM, is a global audit, security and privacy manager serving the teams of the chief information security officer, chief privacy officer and chief audit executive at Baxter International. He has spearheaded multinational global audits in several areas, including enterprise resource planning systems, global data centers, third-party reviews, process reengineering and improvement, global privacy assessments (EMEA, APAC, UCAN), and cybersecurity readiness in several major countries over the past five years. Khan has worked previously as a senior assurance and advisory consultant for Ernst & Young and as a business systems analyst for Motorola.

Data protection and cybersecurity go hand-in-hand due to the nature of the risk involved. The underlying assumption is that all data, whether they are stationary or in motion, are threatened to be compromised.

A prime example of this can be seen in the medical device industry. Due to the explosion of medical device innovation, resulting in both economic and consumer/patient health advancement, the industry has seen a growing number of threats from a cybersecurity risk landscape. The US is the largest medical device market in the world with a market size of approximately US $110 billion, and it is expected to reach US $133 billion by 2016.1 The industry has seen a rise in innovation since the early 2000s, primarily due to the advent of technological advancement and the demand from consumers and health care practitioners to further the quality of the patient care provided. A few of the relevant, more commonly known medical devices are pacemakers, infusion pumps, operating room monitors and dialysis machines—all of which retain and potentially transmit vital patient and equipment data to medical professionals and other sources gathering data.

Security experts say cybercriminals are increasingly targeting the US $3 trillion US health care industry, in which many companies remain reliant on aging computer systems that do not use the latest security features.2 As a result, the percentage of health care organizations that have reported a criminal cyberattack rose to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute think tank on data protection policy. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was US $3.5 million, 15 percent more than what it cost the previous year.3

The role of IT security professionals, especially in the audit function, is to be the front line in identifying and helping to address the risk that enterprises face in the growing threat landscape operating at a global level. As a result, every audit function should consider spending time on identifying opportunities to perform a review around data protection and cybersecurity within its respective enterprise to help identify gaps and work with key departments in the enterprise to help reduce and/or eliminate the gaps as best as possible.

RISK ASSESSMENT
To begin, enterprises should consider performing a risk assessment of the threat landscape; making this happen starts with the tone at the top. The risk assessment normally should be owned by the enterprise-level functions, and it can be a joint effort between the audit function and the business functions in an effort to ensure that there is synergy between the two. Risk assessments are meant to help identify and address the gaps that may be exacerbated in the event of a cyberrisk due to a lack of key controls. One of the primary resources for creating an internal risk assessment analysis of an organization is the framework provided by the American Institute of Certified Public Accountants (AICPA).4 The AICPA has drafted a white paper that attempts to simplify the practitioner’s understanding of the risk assessment standards and process by focusing on the end game and how that objective can be achieved in an effective, yet efficient, manner.5

An effective way to simplify the risk assessment is by dividing the areas of the assessment into the following categories (figure 1):
• Understand the business. It is vital to include the fundamentals of the organization from the top. This includes knowing who the customers are and what the key products are that drive the very engine of the enterprise. One of the best resources for US companies to utilize to further the organizational knowledge is to review Form 10-K, an annual report required by the US Securities and Exchange


Commission (SEC). This gives a comprehensive summary of a company’s financial performance. It can help further an understanding of the enterprise based on the knowledge already amassed and enable a view of the risk from a business and financial perspective.
• Know the organization’s internal control environment. Elements of a strong internal control environment include the right combination of IT and transactional-level controls that are backed by a process to manage the reporting of any breakdown of controls and actionable plans stemming from such a breakdown. The DNA of the internal controls of an organization is composed of the philosophy, adaptation, integrity and stance of the organization’s resources toward the control environment.
• Collaborate among departments. The audit function has one of the best positions in the company when it comes to bringing together various departments to collaborate on all aspects of key business, financial and regulatory risk—both internal and external. Collaboration among the chief privacy officer (CPO), chief information security officer (CISO), chief audit executive (CAE) and chief risk officer (CRO) is vital to have a robust risk assessment program in place.6
• Summarize and communicate the risk assessment. Risk communication is commonly defined as the “process of exchanging information among interested parties about the nature, magnitude, significance, or control of a risk.”7 It is important to include all the key stakeholders of the organization as part of the risk assessment summary of recipients, which should be ideally communicated for each key business and function, as well as at the enterprisewide level. This helps with the delivery and the overall execution of the proposed audits that are planned for the year and in paving the way for having a robust audit plan clearly defining the audit and the risk that correlates to why the audit is being conducted.

Figure 1—Steps Required to Perform a Robust Risk Assessment
(Diagram: four steps arranged in a cycle around “Risk Assessment”: Understand the Business; Know the Organization’s Internal Control Environment; Summarize and Communicate the Risk Assessment; Collaborate Among Departments)

Source: Mohammed J. Khan. Reprinted with permission.

DATA PROTECTION AND CYBERSECURITY AUDIT SCOPE
To have a meaningful scope for an audit around data protection and cybersecurity, one must consider all relevant areas of the organization that require inclusion in the scope of the audit. The functional entities that ought to be considered in scope should include customer operations, finance, human resources (HR), IT systems and applications, legal, pharmacovigilance, purchasing, regulatory affairs, environmental/physical security, and all applicable vendors or third parties in any of these areas. Specifically, for each of the areas, the auditor should consider the following areas as part of the audit:
• Key IT systems and applications located in the local data centers:
– Verification of the security management of the systems and applications, including the logging and monitoring of systems containing sensitive data
• HR (full-time and temporary labor):
– Recruitment and vetting of candidates for key roles within the organization that have access to highly confidential data
– Management of the on-boarding process and proper training and compliance monitoring as needed for specific roles, while paying attention to company and country laws around employee rights and privacy
– Off-boarding process of employees and agreements of noncompete and confidentiality of organizational and product intellectual property
• Internal collaboration tools management:
– Enterprise content and document management (ECDM) system usage and data handling:


. Verification of the overall management of data within the organization that are shared among peers on collaboration tools and platforms
– File share management:
. File management and permissions on massive file shares utilized by the organization’s departments, the protection of the file shares via proper system administrative authorities, and monitoring of key file shares
• Third-party interaction and data sharing:
– Contract management end-to-end life cycle, including standard language of key vendors that would have access to highly confidential data, including patient health information and intellectual property
• Personal computer device physical protection and encryption:
– Internal and external technological controls necessary to deter flight of data from employees and/or contractors
• Records storage and management:
– Onsite and off-site physical security of confidential paper data, including electronic tapes if off-site storage is utilized for backup purposes
• Incident response and handling:
– Electronic asset management of key devices, including laptops, desktops, servers and mobile devices:
. End-to-end life cycle of asset loss and disposal process

CONCLUSION
Data protection and cybersecurity management is a key area that all organizations have to manage well. A CIO Network event held by The Wall Street Journal included a panel of CIOs who prioritized a set of recommendations to drive business and policy in the coming years. Cybersecurity was one of the key themes that came out of the event and corresponding special report.

A primary responsibility for a CIO or CISO when talking to the chief executive officer (CEO) or board of directors (BoD) is to articulate how cybersecurity translates into revenue. Putting monetary value on security events and tying security to real-life business cases can show senior executives the potential impact of a cyberevent in terms that make sense to them.8

The role of audit is to embrace the function it plays as a key member of the organization that has to independently assess the organization’s management of risk around data loss and prevention by performing robust risk assessments at the organization level and delivering meaningful data protection and cybersecurity-related audits. This will help further the chance of an organization’s maturity level to increase when it comes to fighting the ever-growing threat of cyberespionage and internal malicious data loss through organizational employee resources and temporary labor workforces.

ENDNOTES
1 SelectUSA, “The Medical Device Industry in the USA,” http://selectusa.commerce.gov/industry-snapshots/medical-device-industry-united-states
2 Humer, C.; J. Finkle; “Your Medical Record Is Worth More to Hackers Than Your Credit Card,” Reuters, 24 September 2014, www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
3 Ponemon Institute, 2014 Cost of Data Breach: Global Analysis, www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
4 While the AICPA framework is generally used for financial statements, it has proven to be a valuable framework for the general management and creation of guidance that embodies a generic model for other risk assessments—those that are not necessarily related to financial statements.
5 American Institute of Certified Public Accountants, “Risk Assessment,” USA, www.aicpa.org/InterestAreas/FRC/AuditAttest/Pages/RiskAssessment.aspx
6 Tsikoudakis, M.; “Collaboration Between Risk Management, Internal Audit Valuable: Report,” Business Insurance, 11 April 2012, www.businessinsurance.com/article/20120411/NEWS06/120419970
7 Covello, V. T.; “Risk Communication: An Emerging Area of Health Communication Research,” Communication Yearbook 15, Sage, USA, 1992, p. 359-373
8 Norton, S.; “CIOs Name Their Top 5 Strategic Priorities,” The Wall Street Journal CIO Journal, 3 February 2015, http://blogs.wsj.com/cio/2015/02/03/cios-name-their-top-5-strategic-priorities/
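The file share item in the audit scope above (permissions on large departmental shares and monitoring of key shares) is the one scope area that lends itself to an automated evidence-gathering step. The following Python script is an added example written for this edition, not code from the article or its author: it sweeps a share and flags world-writable or group-writable entries and secret-bearing files readable by everyone. The checks, the `Finding` record and the sample share built in a temporary directory are constructed assumptions, and it assumes POSIX mode bits rather than Windows ACLs.

```python
"""Permission sweep of a file share, as an auditor's evidence-gathering step.

Added example, not from the article: the checks, the sample share laid out
in a temporary directory and the Finding record are constructed assumptions.
Assumes a POSIX file system (mode bits), not Windows ACLs.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# File names that usually hold secrets and should never be readable by "others".
SENSITIVE_SUFFIXES = (".key", ".pem", ".p12", ".pfx")


@dataclass(frozen=True)
class Finding:
    path: str     # relative to the share root
    mode: str     # permission bits in octal
    issue: str


def check_entry(rel_path, mode_bits, is_dir):
    """Return the issues for one entry given its permission bits."""
    issues = []
    if mode_bits & stat.S_IWOTH:
        issues.append("world-writable")
    elif mode_bits & stat.S_IWGRP:
        issues.append("group-writable")
    if (not is_dir and rel_path.lower().endswith(SENSITIVE_SUFFIXES)
            and mode_bits & stat.S_IROTH):
        issues.append("sensitive file readable by others")
    return issues


def audit_share(root):
    """Walk the share and collect findings, sorted by path for stable reports."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own entry
            bits = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            for issue in check_entry(rel, bits, stat.S_ISDIR(st.st_mode)):
                findings.append(Finding(rel, oct(bits), issue))
    return sorted(findings, key=lambda f: (f.path, f.issue))


def summarize(findings):
    """Count findings per issue type for the audit report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def build_sample_share():
    """Constructed share: a few departmental folders with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    layout = {  # relative path -> mode
        "finance/ledger.xlsx": 0o640,
        "finance/export.csv": 0o666,   # anyone on the host can modify it
        "hr/roster.csv": 0o664,        # the whole group can modify it
        "public/readme.txt": 0o644,
        "public/backup.key": 0o644,    # private key readable by everyone
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "public"), 0o777)  # world-writable directory
    for d in ("finance", "hr"):
        os.chmod(os.path.join(root, d), 0o750)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    results = audit_share(share)
    for f in results:
        print(f"{f.mode:>6}  {f.issue:<35} {f.path}")
    print(summarize(results))
```

Pointing `audit_share` at a real share root (run with an account that can traverse it) yields a sorted list an auditor can attach as evidence; the summary counts are the figures to track between audits to show whether the share is getting tighter or looser.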


Feature

Actionable Security Intelligence From Big, Midsize and Small Data

C. Warren Axelrod, Ph.D., CISM, CISSP, is a senior consultant with Delta Risk LLC, specializing in cybersecurity, risk management and business resiliency. Previously, he was the business information security officer and chief privacy officer for US Trust. He was a founding member of the Financial Services Information Sharing and Analysis Center and represented financial services cybersecurity interests in the US National Information Center during the Y2K date rollover. He testified before the US Congress in 2001 on cybersecurity. His most recent book is Engineering Safe and Secure Software Systems. Previously he published Outsourcing Information Security and was coordinating editor of Enterprise Information Security and Privacy.

Information security professionals continue to struggle with acquiring and understanding the most relevant and useful data in order to anticipate threats, guard against attacks and determine forensically what happened after a hack occurs. However, despite such efforts, data breaches, such as those recently perpetrated against Target and the US Government’s Office of Personnel Management (OPM), are getting much bigger in scope; more damaging as to consequences; more difficult to monitor, analyze and address; and more costly to resolve.1 Is there anything on the horizon that might make security metrics more effective? The answer: Quite possibly.

WHAT HAS CHANGED?
Over the past five or so years, big data has burst onto the scene along with highly efficient tools for big data storage and analysis. The sources of big data are many, ranging from search data captured by the likes of Google and reported to advertisers to enable targeted marketing, to transaction data from Amazon and other major online retailers and auction sites that identify products that might interest customers, and network traffic monitored by telecommunications companies and used for billing, analysis and other applications.2

This mother lode of data, the development of high-efficiency tools, including open-source products such as the software framework Apache Hadoop, and the dramatic drops in the costs of processing and storage, have led to an environment that can be exploited for many purposes—in this case, cybersecurity. Never before has so much information been available to security and risk professionals. In addition, the rapidly evolving creative and innovative benefits from this data and analysis bonanza are being realized.

Nevertheless, results from the cloud, while clearly adding considerably to resources already available to fend off cyberattacks, are by no means the whole story. There is a growing realization by big data analysts of a need for so-called “small data,” which derive from surveys and interviews of subject matter experts, alerts, reports, internal and external audits and assessments, and the like.3

Furthermore, the myriad of traditional security metrics, which this article calls “midsize data” and which are obtained from logs of network and host intrusion detection systems (IDSs) and intrusion protection systems (IPSs), applications, network and systems firewalls, and the like, must not be forgotten. Data from these sources are aggregated, correlated and analyzed by increasingly sophisticated security information and event management (SIEM) systems. Midsize data can bring further meaning to big data and may also be put into context by small data.

This article shows the synergistic effects of combining big, midsize and small data. It further suggests how one might aggregate, correlate and analyze data to fully understand the business and operational environment that an organization’s computer systems and networks support. From such an understanding emanates focused actions that should be taken to ensure a higher degree of information security.

It should be noted, however, that the collective power of big, midsize and small data does not preclude the need for incorporating value and uncertainty into the mix.4 These characteristics are obtained via small data processes, such as the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach to handling risk.5

BIG, MIDSIZE AND SMALL DATA
The differentiation among big, midsize and small data appears, at first look, to be fairly straightforward. Nevertheless, complexities are introduced when combining analyses of various data sources since they frequently are not in compatible formats. Some tools operate on both structured and unstructured data and others do not. Some unstructured information can add to


the analyses of structured data, such as providing business context for network traffic, whereas in other situations, unstructured data yield few benefits because they are not in formats that are mutually compatible.

There are some groundbreaking efforts being made to standardize data structures across certain big and midsize data collection programs to provide consistency and improve ease of use. A notable example is the Soltra approach created by the US financial services industry. Soltra uses open standards, including Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII),6 to be able to interoperate with established security tools using the same standards.7

Big Data
Data in this category are usually collected in real time in enormous volumes from web traffic and internal traffic.8 The data are then often analyzed rigorously using increasingly sophisticated tools. It is common in today’s world to run massive amounts of data through analytic engines and announce interesting relationships, often regardless of whether or not there is any predictable cause and effect. Judging from the claims of some security product and service vendors, one might think that if only one were to gather enough data, then one should be able to anticipate all applicable threats, exploits and attacks sufficiently well in advance so as to take preventive or defensive action as the analysis of the data would suggest. Clearly this utopian view is not reality. Some considerable expertise is still needed to interpret results and put them in context. Notwithstanding their limitations, however, big data analyses contribute significantly to better understanding of security posture and environments and may well provide an edge that information security professionals have been seeking for decades, as supported by a number of publications and articles.9

Another important aspect of the big data revolution has been the proliferation of highly efficient analytical tools designed to rapidly sift through huge volumes of structured and unstructured data. These tools can run against data obtained from external sources and internally generated data or a combination of both. Whether or not predictive analysis can derive patterns to enable forecasting future events remains to be seen, but the prospect is encouraging for a profession that usually deals with attacks after the fact rather than proactively.

Midsize Data
Data collected by network and host IDSs and IPSs, network and application firewalls, and application instrumentation can run typically gigabytes, but even terabytes, per day. Yet, such data are still considered to be significantly smaller than the terabytes and petabytes typical of big data, which is why the term “midsize” is used when referring to data relating specifically to the organization and collected by internally deployed security products or third-party services. These data are typically aggregated, correlated, analyzed and displayed by SIEM systems, which also issue alerts when suspicious, unusual or unexpected activities occur.

Even though SIEM data can result in very large databases, which can be analyzed in real time, they provide only part of the picture. There is a strong, largely unmet need to generate and analyze data about activities within applications and system software. This area is, unfortunately, underserved in many organizations, as suggested by so many reports of companies, government agencies, academic institutions and others not knowing exactly who and what was affected by a data breach and when the breach might have occurred. The key here is to incorporate security data collection capabilities into software early in the development life cycle. This will largely avoid the expensive reworking of applications that postdevelopment instrumentation incurs.10

Small Data
Big and midsize data need to be supplemented with small data to better understand their meaning and context. The information value of small data is derived mainly from analysts being able to put other data analyses into perspective. By surveying or interviewing business managers, users, customers, business partners, suppliers, and other internal areas, such as legal, compliance, and marketing, one can get a better sense of what is important to each area and how its activities vary with new business, seasonal factors and the like.

As an example, network- and host-based IDSs and IPSs monitor message volumes and traffic characteristics. In the case of IPSs, the systems also respond to unusual activities and block specific messages. Often the IT and information security areas are not fully aware of business changes and might, as a result, interpret a sudden surge in traffic volume as a cyberattack or nefarious insider activities, for example, when in fact the increase might be due solely to taking on a


large new customer. Similarly, a big drop in volume might be due to the loss of a major customer. The prospect of any such major business shifts needs to be conveyed to the security staff, who, in turn, need to pass on the information in advance to those responsible for IDSs, IPSs and other monitoring systems. No amount of analysis of historical data would anticipate such changes, so it makes sense to regularly communicate such changes in the form of small data inquiries and reports.

It is important to have accurate and timely reporting systems in place that inform security staff of events and potential changes that might affect any and all aspects of business operations, IT and information security. Such advisories might include system failures, lost data media, unusual activities and system upgrades.

Another example of small data collection is implementing a method for determining information security risk, such as OCTAVE.11 In this approach, all involved departments, which often means the entire enterprise, are asked very specific questions about their assessment of security risk relating to information systems. The responses are evaluated and an overall security risk posture is established.

PUTTING IT ALL TOGETHER
As shown in figure 1, big, midsize and small data are collected and preliminary analyses are performed using a variety of tools relevant to each source of data. The results can then be pooled to provide an overall view of information security threats, attacks and vulnerabilities potentially affecting an organization’s networks, systems and applications, leading to situational awareness. The organization then must respond to the possibility of attacks by patching vulnerabilities and updating security tools to protect against known attacks.

When data collection, analysis and reporting are performed in real time, systems will likely issue instantaneous alerts. Immediate responses are then usually required. However, many analyses are done in batch mode, taking weeks or even months before results are issued. Responses to these reports are tactical and strategic rather than operational, as are reactions to real-time incident reports.

It is important that analysts have a holistic view of an organization’s business functions and IT systems so that their responses do not result in unintended consequences. For example, a sudden increase in transaction volume might be due to a denial-of-service (DoS) attack or may result from taking on a big new customer. In such a case, the incident response team needs to know in advance about significant changes in the business so that they interpret changes appropriately.

Figure 2 shows the various sources of data and the corresponding analyses for both batch and real-time (stream) processing, and illustrates how results might be consolidated and actions taken.
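The point this section makes, that a midsize-data signal such as a traffic surge has to be read against small-data context (a business change advisory, an asset criticality profile) before anyone acts on it, is the same point the Supplementary Information section later makes about 80 percent patch coverage and the criticality of the remaining 20 percent. The following Python is an added illustration written for this edit, not code from the article or its author. The advisory feed, the asset inventory, the dates, the hourly counts and the 3-sigma threshold are all constructed; the detector is a plain mean-and-standard-deviation baseline, not any particular IPS product's algorithm.

```python
"""Context-enriched security metrics (constructed example, not from the article).

Two midsize-data numbers that look alarming on their own, a traffic surge and a
patch-coverage percentage, are re-read against small-data context: business
change advisories and asset criticality profiles. All names, thresholds and
sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Advisory:
    """A business change notice passed from the business to security staff (small data)."""
    effective: date
    reason: str
    expected_factor: float  # largest traffic multiple the change is expected to cause


def build_baseline(samples):
    """Mean and population standard deviation of an hourly-count window."""
    return mean(samples), pstdev(samples)


def assess_hour(when, count, baseline_samples, advisories, z_threshold=3.0):
    """Classify one hour's connection count against a learned baseline.

    Returns (label, z_score). A statistically anomalous hour is reported as an
    alert only when no in-force advisory accounts for the volume; otherwise it
    is labelled as an expected business change.
    """
    mu, sigma = build_baseline(baseline_samples)
    sigma = max(sigma, 1.0)  # a flat baseline must not produce infinite z-scores
    z = (count - mu) / sigma
    if z <= z_threshold:
        return "normal", z
    for adv in advisories:
        # An advisory only explains traffic on or after its effective date,
        # and only up to the volume the business said to expect.
        if adv.effective <= when.date() and count <= adv.expected_factor * mu:
            return f"expected: {adv.reason}", z
    return "alert: unexplained surge", z


# Constructed weekend baseline: 48 hourly counts between 100 and 139 connections.
# A baseline learned on weekend traffic alone is exactly what made Monday look
# like an attack in the IPS case the article describes.
WEEKEND_COUNTS = [100 + (h * 7) % 40 for h in range(48)]
WEEKEND_START = datetime(2016, 1, 9, 0, 0)  # a Saturday (constructed date)

# Constructed small-data feed: the business onboards a large customer on Monday
# and has told security to expect up to six times the usual volume.
ADVISORIES = [Advisory(date(2016, 1, 11), "new customer onboarding", 6.0)]


def monday_demo():
    """Run four readings through the detector and return their labels."""
    monday_9am = WEEKEND_START + timedelta(days=2, hours=9)
    sunday_9am = monday_9am - timedelta(days=1)  # before the advisory is in force
    return {
        "quiet_hour": assess_hour(monday_9am, 130, WEEKEND_COUNTS, ADVISORIES)[0],
        "onboarding_surge": assess_hour(monday_9am, 600, WEEKEND_COUNTS, ADVISORIES)[0],
        "beyond_expected": assess_hour(monday_9am, 2000, WEEKEND_COUNTS, ADVISORIES)[0],
        "surge_before_advisory": assess_hour(sunday_9am, 600, WEEKEND_COUNTS, ADVISORIES)[0],
    }


@dataclass
class Asset:
    """One inventory entry; criticality comes from asset-based threat profiles (small data)."""
    name: str
    criticality: str  # "high", "medium" or "low"
    patched: bool


def coverage_report(assets):
    """Patch coverage overall and per criticality tier, plus the unpatched critical assets."""
    report = {"overall": sum(a.patched for a in assets) / len(assets)}
    for tier in ("high", "medium", "low"):
        group = [a for a in assets if a.criticality == tier]
        if group:
            report[tier] = sum(a.patched for a in group) / len(group)
    report["unpatched_high"] = sorted(
        a.name for a in assets if a.criticality == "high" and not a.patched
    )
    return report


# Constructed inventory: 8 of 10 installations patched, but both stragglers are critical.
INVENTORY = [
    Asset("trading-gateway", "high", False),
    Asset("core-db", "high", False),
    Asset("hr-portal", "medium", True),
    Asset("crm", "medium", True),
    Asset("intranet-wiki", "low", True),
    Asset("build-server", "low", True),
    Asset("print-server", "low", True),
    Asset("test-vm-1", "low", True),
    Asset("test-vm-2", "low", True),
    Asset("kiosk", "low", True),
]

if __name__ == "__main__":
    print(monday_demo())
    print(coverage_report(INVENTORY))
```

Running the module prints the classification of the four readings and the coverage report. The quiet Monday hour stays normal, the onboarding surge is explained by the advisory rather than escalated, and two cases are still escalated: a surge larger than the multiple the business named, and a surge that arrives before the advisory is in force. The coverage report shows why the headline 80 percent is not enough on its own: coverage of the high-criticality tier is zero, and the two unpatched names are the ones a decision maker needs to see.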

Figure 1—Processes for Acquiring and Analyzing Security Data From Various Sources
[Figure: three parallel pipelines, one per data type.]
Big Data: structured and unstructured data from internal and external sources → structuring of data (e.g., Hadoop) → analytics engines and analysis → threats, attacks, exploits, incidents
Midsize Data: event data from system and network collectors → aggregation of data (e.g., SIEM) → correlation and analysis → unusual behavior
Small Data: data from surveys, interviews and published reports → summarization of data (e.g., via Survey Monkey) → analysis of results → context, value, uncertainty, criticality
Source: C. Warren Axelrod. Reprinted with permission.

Figure 2—Real-time and Batch Data Collection and Processing
[Figure: internal and external event data from applications and data collectors feed big, midsize and small data into two paths: stream (real-time) processing via aggregation, correlation and analysis (SIEMs), and batch processing via batch data aggregation, mining and analysis. Both paths feed enterprisewide analysis, reporting and decision making, which lead to real-time actions and batch actions. Key: real-time processing; batch processing.]
Source: C. Warren Axelrod. Reprinted with permission.



In general, big data are collected in real time, typically running into the millions of transactions per second for large organizations.12 Big data are usually analyzed in batch mode, but increasingly, tools are becoming available for real-time analysis.13 Midsize data are typically collected, analyzed, reported and acted upon in real time. Small data are usually collected and analyzed over longer periods, such as days, weeks or months.

CHARACTERISTICS OF DATA TYPES
Each category of data, whether big, midsize or small, has its own particular characteristics and capabilities and produces different results. It should be noted that the field of security intelligence is very dynamic and new tools and methods are continually being introduced. In general, but clearly not in all cases, innovative big data capabilities are appearing at the fastest rate, with moderate evolution for midsize data methods and procedures, and small data showing relatively little change. While small data methods and procedures are generally well established, their rate of adoption is slower than hoped. Similarly, the adoption of approaches for midsize data is not as rapid as needed, particularly when it comes to providing security information from within applications.

Figure 3 summarizes the characteristics, capabilities and information produced by data type. It is provided as guidance and is by no means comprehensive, particularly with respect to capabilities, since new uses of these data types for developing better security intelligence are being created daily.

Figure 3—Characteristics, Capabilities and Information From Big, Midsize and Small Data

Data Type: Big
Size of Data: Terabytes to petabytes
Characteristics:
• Volume (huge amounts of data)
• Velocity (very high speed of data in and out)
• Variety (broad range of data types and sources)
• Veracity (trustworthiness of data and analytics)
Capabilities:
• Data capture
• Analysis
• Database curation (healing, manual updating)
• Search
• Sharing
• Storage
• Transfer
• Security
• Visualization
Information Produced:
• Threat advisories
• Exploits “in the wild”
• Incidents/events/attacks
• Unusual activities
• Predictive analytics
• Supply-chain events
• Geopolitical events

Data Type: Midsize
Size of Data: Gigabytes to terabytes
Characteristics:
• Continuous real-time monitoring and logging from IDS/IPS systems, firewalls, etc.
• Real-time logging of user activities within applications and databases
• Real-time analysis and reporting (visualization) for network, host and applications analyses
• Report generation for auditors, management, regulators, shareholders, corporate customers
Capabilities:
• Data logging
• Data aggregation
• Correlation
• Alerting
• Dashboards
• Compliance
• Retention
• Forensic analysis
Information Produced:
• Attempted attacks
• Successful attacks
• Details of attackers
• Unusual activities
• Relationships among events

Data Type: Small
Size of Data: Kilobytes to gigabytes
Characteristics:
• Surveys/interviews tailored to specific departments
• Internal operational reports
• External public and private reports
• Internal and external alerts and notifications
• Internal and external audit reports
• Internal and third-party assessments
• Vendor/supply chain risk management
Capabilities:
• Building of asset-based threat profiles
• Identification of infrastructure vulnerabilities
• Vulnerability assessments
• Development of security strategy and plans
Information Produced:
• Context
• Business value
• Uncertainty/risk
• Different perspectives on criticality of systems and data
• Investment in security, privacy and secrecy

Source: C. Warren Axelrod. Reprinted with permission.



REAL-WORLD CASES
The following is a series of example cases.14

Big Data
Long before big data as such were on the radar, telecommunications companies and ISPs had been gathering and analyzing huge amounts of data regarding activities on their networks. Shortly after the structured query language (SQL) Slammer computer worm struck in January 2003, one ISP was able to show retrospectively how the implementer of the worm had made several trial runs against a particular port before launching the main attack. In this case, the analysis was after the fact, but the goal has been to develop predictive capabilities for teasing out questionable activities from the huge amounts of collected traffic data.

A current example of using big data to provide organizations with immediate notifications of threats is the Soltra Edge initiative sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust and Clearing Corporation (DTCC). The goal of Soltra is to “deliver software automation and services that collect, distill and speed the transfer of threat intelligence from a myriad of sources to help safeguard against cyber attacks.”15

Midsize Data
As one company began to implement security information management (SIM) technology (SIM was later superseded, at least in name, by SIEM), its operation of, and support for, firewalls was moving from information security to network operations since the technology had become mainstream. IDSs and SIM systems were still managed by information security staff, but soon thereafter IDSs transitioned to operations. Then, when IPSs were introduced, the technology was considered too dangerous to move into day-to-day operations, since a single misstep in supporting IPSs could rapidly lead to major business catastrophes. An IPS vendor illustrated the point by giving the example of a company that implemented an IPS on a Friday evening. The system, which monitored traffic patterns in order to set up prevention rules, observed and established its baseline volume pattern on typical low-volume weekend traffic. On Monday morning, when everyone came to work, the IPS saw a sharp jump in volume and proceeded to close down new traffic, which meant all employees and connected customers.

Furthermore, early SIM systems did not have user-friendly interfaces, and interpreting events required significant effort by subject matter experts. However, it was found that it was helpful to obtain information from business units regularly so that teams expected and were prepared for major anticipated changes.

Small Data
The types of data that comprise small data and the means of collecting them are many and diverse. While some measure of automation can be invoked to assist in collecting and analyzing survey data, the quantity of data collected and the number of persons surveyed are usually small and few, respectively. While periodic reporting of security metrics may, at some level, also be automated, there is often a need for manual data entry. Consequently, there are limits to what one might ask for and the quality and quantity of the data received in response. Such data are often unstructured, although some are designated specific formats ahead of time as dictated by the products being used.

OCTAVE Method
One such approach is the OCTAVE method, which was developed by Carnegie Mellon University’s (Pittsburgh, Pennsylvania, USA) Software Engineering Institute. One definition of OCTAVE is “a security framework for determining risk level and planning defenses against cyber assaults.”16 Since its initial development in 2001 for the US Department of Defense (DoD), OCTAVE has broadened its scope to include the private sector and has undergone a number of changes and enhancements. It has been published in several versions, including the most recent version, OCTAVE Allegro, which is based on OCTAVE Original and OCTAVE-S. Today, OCTAVE-S is used for smaller organizations, while OCTAVE Allegro is used for large organizations with multilevel structures.



OCTAVE defines three phases:17
1. Build asset-based threat profiles.
2. Identify infrastructure vulnerabilities.
3. Develop security strategy and plans.

Clearly, being able to develop a security strategy requires more than the responses to OCTAVE questions, which is why an overall program requires additional analyses of data from other sources.

The management of an OCTAVE project for a smaller financial organization found significant benefits in being able to approach all areas of the company with a prepared set of questions. In some organizations, it may be more effective to have outside parties conduct the surveys, since internal department staff are often more responsive to outside consultants.

Supplementary Information
Many organizations report security metrics, such as threats from big data sources and numbers of attempted and successful intrusions from network and system monitoring products (firewalls, IDSs, etc.). In some cases, third-party services will match threats against a company’s particular infrastructure and the software and hardware products in use so that organizations are provided with information relevant to their environment. In other situations, one has to perform the matching oneself. In either case, a full, accurate and up-to-date inventory is needed. While there are automated systems that run through an organization’s systems and networks and pick up details of software installed, including version numbers to determine whether patching is current, there is usually a considerable ongoing manual effort involved in making sure that all resources have been covered.

Even when the above “scoreboards” are presented to management, auditors and regulators, they often require supplementary information without which the numbers have little meaning. For example, if a report shows that 80 percent of installations of a particular software product have been updated with the latest patch, it is still necessary to know whether the remaining 20 percent includes systems that are critical to the functioning of the organization.18 If so, there may be considerable risk exposure until all systems are patched or otherwise fixed.

If the reported security metrics do not include descriptions of their criticality and their purpose within the organization, then decision makers will not have sufficient information with respect to the value of the systems involved and the importance of making sure that the applications and the data are adequately protected.

Recommendations
Here is a summary of actions to be taken in order to fully benefit from the rich inventory of security-related data that is increasing rapidly as new sources and tools are discovered:
• Determine appropriate information security metrics for decision making and action.
• Determine the sources from which data supporting decision making and action might be extracted.
• Socialize the benefits of collecting and analyzing data and of reporting and reacting to metrics.
• Introduce policies and procedures that formalize data collection, analysis and reporting.
• Obtain senior-level management commitment to apply sufficient resources to build the necessary capabilities for data collection, analysis, reporting and response.
• Formalize the interactions within and among the various constituencies (i.e., information security, risk management, application development, quality assurance, operations, vendor management, internal audit, business continuity).

CONCLUSIONS
The proliferation of enormous data sources and advanced analytical tools has led the world to the brink of major breakthroughs for determining threats, predicting and avoiding attacks, and detecting and responding to breaches. The full benefits of these innovations will not automatically accrue in the cybersecurity world. They require work in selecting and integrating known data and expressing results in terms that are understandable and actionable for decision makers.

This article examines the potential and suggests approaches that will help realize synergies among big, midsize and small data analyses and result in capabilities that will, for the first time, give defenders a chance to overtake the rapidly rising abilities of attackers.

ENDNOTES
1 For an authoritative account of the characteristics of recent data breaches, see Verizon, 2015 Data Breach Investigations Report, www.verizonenterprise.com/DBIR/2015/.



2 According to IBM, 2.5 x 10^15 bytes of data are being created daily. This number is increasing rapidly in that 90 percent of all data were created in the prior two years, as described in Bringing Big Data to the Enterprise, www-01.ibm.com/software/data/bigdata/what-is-big-data.html.
3 Peysakhovich, Alex; Seth Stevens-Davidowitz; “How Not to Drown in Numbers,” Sunday Review, The New York Times, 2 May 2015, www.nytimes.com/2015/05/03/opinion/sunday/how-not-to-drown-in-numbers.html?_r=0
4 Axelrod, C. Warren; “Accounting for Value and Uncertainty in Security Metrics,” ISACA Journal, vol. 6, 2008
5 Caralli, Richard A.; James F. Stevens; Lisa R. Young; William R. Wilson; Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Technical Report CMU/SEI-2007-TR-012 ESC-TR-2007-012, Software Engineering Institute, May 2007, http://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
6 Depository Trust and Clearing Corporation, “FS-ISAC and DTCC Announce Soltra, a Strategic Partnership to Improve Cyber Security Capabilities and Resilience of Critical Infrastructure Organizations Worldwide,” press release, 24 September 2014, www.dtcc.com/news/2014/september/24/fs-isac-and-dtcc-announce-soltra.aspx
7 Tripwire, “Soltra Edge and Tripwire Enterprise,” https://www.tripwire.com/solutions/integrations/soltra/.
8 In the case of Hewlett-Packard, for example, the enterprise reportedly generated one trillion events per day, or about 12 million events per second in 2013, as noted in section 4.2 in CSA Big Data Working Group; Big Data Analytics for Security Intelligence, Cloud Security Alliance, September 2013, https://cloudsecurityalliance.org/download/big-data-analytics-for-security-intelligence/.
9 CSA Big Data Working Group, Big Data Taxonomy, Cloud Security Alliance, September 2014, https://cloudsecurityalliance.org/download/big-data-taxonomy/. IBM, Extending Security Intelligence with Big Data Solutions: Leveraging Big Data Technologies to Uncover Actionable Insights into Modern, Advanced Data Threats, Thought Leadership white paper, IBM Software, January 2013, www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&htmlfid=WGW03020USEN. Marko, Kurt; “Big Data: Cyber Security’s Silver Bullet? Intel Makes the Case,” Forbes.com, 9 November 2014, www.forbes.com/sites/kurtmarko/2014/11/09/big-data-cyber-security/. Ponemon Institute, Big Data Analytics in Cyber Defense, Ponemon Institute Research Report, Sponsored by Teradata, February 2013, www.ponemon.org/library/big-data-analytics-in-cyber-defense. Teradata, Big Data Analytics: A New Way Forward for Optimizing Cyber Defense, November 2013, www.teradata.com/Resources/Brochures/Big-Data-Analytics-A-New-Way-Forward-for-Optimizing-Cyber-Defense-Government-Version/?LangType=1033&LangSelect=true
10 Axelrod, C. Warren; “Creating Data from Applications for Detecting Stealth Attacks,” STSC CrossTalk: The Journal of Defense Software Engineering, September/October 2011
11 Op cit, Caralli
12 Op cit, CSA, 2011
13 Ibid.
14 These cases are examples from the author’s personal experiences.
15 Op cit, Depository Trust and Clearing Corporation
16 TechTarget, “Definition: OCTAVE,” WhatIs.com, http://whatis.techtarget.com/definition/OCTAVE
17 Ibid.
18 “Criticality” has several definitions with respect to computer systems. In regulated industries, such as financial services, systems that are needed to comply with legal and regulatory requirements are highly critical, as are those systems that are needed to maintain the continuous operation of the organization in both normal circumstances and contingency mode. Real-time systems (such as trading systems) are time-critical, since even a short outage can incur significant monetary and reputation costs and bring on the wrath of regulators. Batch systems may not be as time critical as online systems, but their compromise (failure, malfunction, loss of data integrity) may affect timely and accurate processing of data and can hugely impact the continued survival of the organization from financial and operational perspectives.



Feature

Comparison of PCI DSS and ISO/IEC 27001 Standards

Tolga Mataracioglu, CISA, CISM, COBIT Foundation, CCNA, CEH, ISO 27001 LA, BS 25999 LA, MCP, MCTS, VCP, is chief researcher at TUBITAK BILGEM Cyber Security Institute in Turkey. He is the author of many papers about information security published nationally and internationally. His areas of specialization are system design and security, operating systems security, information security management systems, business continuity, COBIT®, and social engineering.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card companies, including Visa, MasterCard, American Express, Discover and JCB. PCI DSS “was created to increase controls around cardholder data to reduce credit card fraud via its exposure.”1 “[The] ISO/IEC 27001 standard is a specification for an information security management system (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.”2 While both standards focus on information security, ISO/IEC 27001 is suitable for every type of organization and PCI DSS focuses on organizations dealing with e-commerce.

What if those two standards were to be combined? Is that feasible? What are the differences between the standards? This article discusses and examines the interoperability of PCI DSS 3.1 and ISO/IEC 27001:2013. Further, the pros and cons of the PCI DSS and ISO/IEC 27001 standards are compared and contrasted.

PCI DSS
PCI DSS is a standard developed by a council consisting of Visa, MasterCard, American Express, Discover and JCB in order to preserve payment card and cardholders’ sensitive information.3 There are six goals and 12 requirements in the standard (figure 1). These 12 requirements have been addressed at a high level in the ISO/IEC 27001:2013 standard

Figure 1—Overview: 12 Requirements of PCI DSS
PCI Data Security Standard: High-level Overview
Build and maintain a secure network and systems.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
Implement strong access control measures.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy.
12. Maintain a policy that addresses information security for all personnel.
Source: Tolga Mataracioglu. Reprinted with permission. Based on PCI Security Standards Council, PCI DSS Quick Reference Guide, October 2010, https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf



Figure 2—High-level Mapping of PCI DSS Requirements to ISO/IEC 27001
PCI DSS Requirement → ISO/IEC 27001 Clause
1. Install and maintain a firewall configuration to protect cardholder data. → A.12 Operations security; A.13 Communications security
2. Do not use vendor-supplied defaults for system passwords and other security parameters. → A.12 Operations security; A.13 Communications security
3. Protect stored cardholder data. → A.12 Operations security; A.13 Communications security
4. Encrypt transmission of cardholder data across open, public networks. → A.14 System acquisition, development and maintenance
5. Protect all systems against malware and regularly update antivirus software or programs. → A.14 System acquisition, development and maintenance
6. Develop and maintain secure systems and applications. → A.14 System acquisition, development and maintenance
7. Restrict access to cardholder data by business need to know. → A.12 Operations security; A.13 Communications security
8. Identify and authenticate access to system components. → A.12 Operations security; A.13 Communications security
9. Restrict physical access to cardholder data. → A.11 Physical and environmental security
10. Track and monitor all access to network resources and cardholder data. → A.12 Operations security; A.13 Communications security
11. Regularly test security systems and processes. → A.14 System acquisition, development and maintenance; A.6 Organization of information security; A.18 Compliance
12. Maintain a policy that addresses information security for all personnel. → A.5 Information security policies
Source: Tolga Mataracioglu. Reprinted with permission.

developed by the ISO and the IEC. Figure 2 shows a high-level mapping of these 12 PCI DSS requirements to ISO/IEC 27001:2013 clauses.

Companies must be audited by a qualified security assessor (QSA) and an approved scanning vendor (ASV) in predetermined periods that have been authorized by the PCI Council.4 Further, the International Society of Automation (ISA) can perform assessments using self-assessment questionnaires (SAQs), depending on the size and the level of the merchants.

Figure 3 illustrates the compliance of PCI DSS at four different levels based on the number and type of transactions. Figure 4 depicts the compliance of JCB. Figure 5 portrays the compliance of American Express. These three figures help organizations by providing information on how to audit information security within the context of the number of transactions performed annually. By using the information in the following figures, chief information security officers (CISOs) can easily decide in what circumstances to perform a self-assessment, a security scan or an on-site review for auditing information security.

Figure 3—Compliance of PCI DSS
Merchant Level | Merchant Definition | Compliance
Level 1 | More than 6 million V/MC transactions annually across all channels, including e-commerce | Annual onsite PCI data security assessment and quarterly network scans
Level 2 | 1,000,000-5,999,999 V/MC transactions annually | Annual self-assessment and quarterly network scans
Level 3 | 20,000-1,000,000 V/MC e-commerce transactions annually | Annual self-assessment and quarterly network scans
Level 4 | Less than 20,000 V/MC e-commerce transactions annually and all merchants across channel up to 1,000,000 VISA transactions annually | Annual self-assessment and annual network scans
Source: Tolga Mataracioglu. Reprinted with permission. Based on Compliance Resource Kit, What Is PCI DSS, complianceresourcekit.com/index.php?option=com_content&task=view&id=67


Figure 4—Compliance of JCB
If cardholder data and transaction data are handled via the Internet or Internet-accessible network:
Requirement | Merchants: one million JCB transactions or more per year | Merchants: less than 1 million JCB transactions per year | Payment processors: regardless of the number of JCB transactions
Self-assessment | N/A | ✓ | N/A
Security scan | Quarterly | Quarterly | Quarterly
Onsite review | Yearly | N/A | Yearly

If cardholder data and transaction data are not handled via the Internet or Internet-accessible network:
Requirement | Merchants: one million JCB transactions or more per year | Merchants: less than 1 million JCB transactions per year | Payment processors: regardless of the number of JCB transactions
Self-assessment | N/A | ✓ | N/A
Security scan | N/A | N/A | N/A
Onsite review | Yearly | N/A | Yearly
Source: Tolga Mataracioglu. Reprinted with permission. Based on JCB, JCB Data Security Program, partner.jcbcard.com/security/jcbprogram/index.html

Figure 5—Compliance of American Express
Levels | Explanation
Level 1 | 2.5 million or more American Express card transactions per year
Level 2 | 50,000 to 2.5 million American Express card transactions per year (Service providers: fewer than 2.5 million transactions)
Level 3 designated | Fewer than 50,000 American Express card transactions per year and have been designated by American Express as being required to submit validation documents
Level 3 | Fewer than 50,000 American Express card transactions per year (merchants only)
Level EMV | 50,000 or more American Express chip-enabled card transactions per year with at least 75 percent made on an EMV-enabled (chip-enabled) terminal capable of processing contact and contactless American Express transactions
Source: Tolga Mataracioglu. Reprinted with permission. Based on American Express, The Data Security Operating Policy, https://www209.americanexpress.com/merchant/services/en_US/data-security

ISO/IEC 27001 STANDARD
This standard includes seven main titles within the scope of annex SL: organization, leadership, planning, support, operation, performance evaluation and improvement.5 Annex SL is a new management system format that helps streamline the creation of new standards and makes implementing multiple standards within one organization easier. It was created by the ISO Technical Management Board’s (TMB) Joint Technical Coordination Group (JTCG).6 Using the same titles defined in annex SL is useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards. Although ISO/IEC 27001 does not suggest a Plan-Do-Check-Act (PDCA) cycle, the seven titles can be mapped into the cycle as shown in figure 6.



Figure 6—Mapping of ISO/IEC 27001 Titles Into PDCA Cycle
[Figure: a PDCA cycle that takes Requirements as input and produces Managed Risks as output. Plan: 4. Context of the Organization, 5. Leadership, 6. Planning. Do: 7. Support, 8. Operation. Check: 9. Performance Evaluation. Act: 10. Improvement.]
Source: Tolga Mataracioglu. Reprinted with permission.

ISO/IEC 27001 contains 14 control domains, shown in figure 7, and 114 controls.

Figure 7—The 14 Control Domains of ISO/IEC 27001
Control Domains | Number of Controls
A.5: Information security policies | 2
A.6: Organization of information security | 7
A.7: Human resources security | 6
A.8: Asset management | 10
A.9: Access control | 14
A.10: Cryptography | 2
A.11: Physical and environmental security | 15
A.12: Operations security | 14
A.13: Communications security | 7
A.14: System acquisition, development and maintenance | 13
A.15: Supplier relationships | 5
A.16: Information security incident management | 7
A.17: Information security aspects of business continuity management | 4
A.18: Compliance | 8
TOTAL: 114
Source: Tolga Mataracioglu. Reprinted with permission. Based on International Organization for Standardization, ISO/IEC 27002, Information technology—Security techniques—Code of practice for information security controls, www.iso.org/iso/catalogue_detail?csnumber=54533

COMPARISON OF THE STANDARDS
InformationShield has developed a table that provides a high-level mapping between the security requirements of PCI DSS and ISO/IEC 27001.7

It is suggested that combining PCI DSS and ISO/IEC 27001 provides organizations with better information security solutions. The flexibility of ISO/IEC 27001 is higher than that of PCI DSS, since all of its controls have been written at a high level.

“The organizations have to determine the boundaries and applicability of the information security management system to establish its scope.”8 When comparing the scope of the two standards, scope selection in ISO/IEC 27001 depends on the company; however, in PCI DSS the scope is exactly the credit cardholder information.

Although the controls in ISO/IEC 27001 are recommendations, it is important to note that the controls in PCI DSS are compulsory.

Since ISO/IEC 27001 is more flexible than PCI DSS, it is easier to conform to the ISO/IEC 27001 standard.

When comparing the costs, establishing a typical information security management system (ISMS) and completing the PDCA cycle costs approximately US $150,000 in a typical organization. The cost of a typical PDCA cycle includes:9
• The costs that are caused by information security incidents
• The costs for managing information security
• The costs that are related to information security measures
• The costs of capital that are induced by information security risk



However, the cost of compliance with PCI DSS is approximately US $120,000 to US $700,000, depending on which of the four merchant levels applies.

And what about auditing? ISO/IEC 27001 certification runs on a three-year cycle: a full recertification audit every three years, with smaller-scope surveillance audits by the certification body at least once a year in between. In contrast, PCI DSS requires four (quarterly) external network vulnerability scans by an Approved Scanning Vendor and, for level 1 merchants, an annual onsite assessment.

PCI DSS defines compliance (merchant) levels, assigned by annual transaction volume, that determine how compliance must be validated; no such levels exist in ISO/IEC 27001.

Mapping of PCI DSS and ISO/IEC 27001 is shown in figure 8.

Figure 8—Mapping of PCI DSS and ISO/IEC 27001:2013

Parameter            ISO/IEC 27001:2013 Standard                      PCI DSS
Creator              ISO                                              PCI Council
Flexibility          High                                             Low
Scope                Depends on the company                           Credit cardholders’ information
Controls applied     Flexible                                         Tight
Controls             High-level                                       Low-level
Control types        “Should”                                         “Must”
Compliance           Easy                                             Hard
Number of controls   114                                              224
Auditing             Three-year cycles and a small-scope audit        Four network scanning audits and an onsite
                     performed every year                             audit for level 1
Certification        May be given to all companies                    Any company that stores, processes or
                                                                      transmits cardholder data
Compliance level     Does not exist                                   Exists

Source: Tolga Mataracioglu. Reprinted with permission.

CONCLUSION
PCI DSS is a standard covering the security of credit cardholders’ information, whereas ISO/IEC 27001 is a specification for an information security management system. A mapping of PCI DSS to ISO/IEC 27001 is vital information for managers who are tasked with conforming to either standard in their organizations. It is recommended that PCI DSS and ISO/IEC 27001 be combined to give organizations better information security solutions.

ENDNOTES
1 CDS, PCI Security Standards Council, cdsus.com/default/PCICompliance.php?url=PCICompliance&PHPSESSID=bdd07f210c2e5109832eee383d0b1656
2 International Organization for Standardization, Technical Committees, www.iso.org/iso/home/standards_development/list_of_iso_technical_committees.htm
3 PCI Security Standards Council, What Is the PCI Security Standards Council?, www.pcisecuritystandards.org/security_standards/role_of_pci_council.php
4 PCI Security Standards Council, Payment Card Industry Data Security Standard Approved Scanning Vendors, May 2013, https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf
5 Tangen, S.; A. Warris; “Management Makeover - New Format for Future ISO Management System Standards,” International Organization for Standardization, 18 July 2012, www.iso.org/iso/news.htm?refid=Ref1621
6 The 9000 Store, ISO 9001:2015 in Detail: What is the New Annex SL Platform?, the9000store.com/iso-9001-2015-annex-sl.aspx
7 InformationShield, PCI-DSS Policy Mapping Table, www.informationshield.com/papers/ISO27002%20PCI-DSS%20V3%20Policy%20Map.pdf
8 International Organization for Standardization, ISO/IEC 27001 Information Technology—Security Techniques—Information Security Management Systems—Requirements, www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
9 Brecht, M.; T. Nowey; A Closer Look at Information Security Costs, working paper, The Workshop on the Economics of Information Security, www.econinfosec.org/archive/weis2012/papers/Brecht_WEIS2012.pdf



Crossword Puzzle
By Myles Mellor
www.themecrosswords.com

ACROSS
1. Definitive statement on data privacy, abbr.
3. Open to attack
10. Verifying identity
11. Open conflict
12. The best kind of security relating to storage of personal information
13. “This __ test,” 2 words
14. Prove deficient
15. Be determined by, 2 words
18. Very cold
20. Secret prefix
21. Check, track and observe
23. Exclude
25. Type of device that has been susceptible to cyberattack, abbr.
28. Computerese, e.g., language that can cause IT auditors to be unappreciated
29. Popular rental
30. Organization to improve the quality of the environment
31. Family of operating systems
32. What an IT auditor should come up with rather than “cannot be done”
36. COBIT-related credential
37. End weakly
38. Morning time
41. File sorting aid
43. It can affect the reliable operation of computer equipment
44. Money paid out
45. Like a room that has not been used for a long time

DOWN
1. Its role has to be focused on keeping business and IT initiatives on track, abbr.
2. Rights and obligations relating to personal information
4. Incautious
5. One of the Poles
6. Holding, storing
7. Defect in a computer system
8. Magnitude
9. Nimbleness, ability to adapt
16. It may stand in the way of changing viewpoint
17. Key factor to establish and stick to during an IT audit
19. Firm, for short
21. Blemish
22. Formed into a structured and coherent whole
23. Established standard by which things are measured
24. “____, but verify” old Russian proverb made popular by Ronald Reagan
26. Decide
27. Continent (abbr)
28. Scribble
29. Warnings that might be delivered by an IT auditor
31. Short for dealer
33. General direction
34. IS auditor certification, abbr.
35. Like some predictions
39. Bathroom need
40. High grades
42. Word indicating authorship

(Answers on page 58)



CPE Quiz
Prepared by Sally Chan, CGEIT, CMA, CPA

Take the quiz online: www.isaca.org/cpequiz

QUIZ #164
Based on Volume 5, 2015—Cybersecurity
Value—1 hour of CISA/CISM/CGEIT/CRISC continuing professional education (CPE) credit

TRUE OR FALSE

MOSCA ARTICLE
1. What organizations need to begin thinking about quantum computers now is not an immediate drastic overhaul of their security infrastructure, but rather an “ounce of prevention” as quantum technologies begin to take shape on the horizon.
2. Quantum cryptography is based on the law of quantum mechanics that says that observing quantum data necessarily disturbs them; this means that any eavesdropping on a quantum transmission used for key establishment can be instantly detected before any data can possibly be compromised.

SHARKASI ARTICLE
3. For a long time, service providers, government organizations and private enterprises have been able to benefit from the cost savings and flexibility of choosing the right security tools to mitigate the risk of deliberately intercepted, stolen or corrupted sensitive data.
4. Without a coordinated risk management strategy, organizations will continue to struggle with repeated policy iterations before risk-handling procedures and controls are efficiently aligned.
5. All cloud application providers offer basic transport layer security, such as Secure Sockets Layer (SSL), to protect data while in transit to their servers. Employees uploading sensitive documents on unencrypted connections is not an issue that must be addressed.
6. Optimal cloud security practices should include encryption of sensitive data used by cloud-based virtual machines, centralized key management that allows the user (and not the cloud provider) to control cloud data, and an assurance that cloud data are accessible according to established enterprise policies.
7. End-point protection should be focused on tools that deliver a centrally managed, web-based, easy-to-use, fully integrated management interface that delivers a full suite of protection to end points. End-point security tools should also be supported by a management dashboard that provides real-time security posture reporting over all managed end points.
8. Security tools cannot keep Internet users from becoming Internet abusers or guard against network-draining viruses, spam and chain email, or mitigate legal, compliance and reputational risk.

WLOSINSKI ARTICLE
9. The annual cost of cybercrime to consumers in the US is more than US $38 billion; in China, it is more than US $37 billion; and in Europe, more than US $13 billion.
10. The problem with the underground threat is not at the organization’s enterprise or system level; rather, it is a world threat. Stopping all sources is a monumental task that requires the cooperation of many countries and organizations.
11. Some of the countermeasures that can be implemented at the global level include developing an inventory system that would document what it discovers and having those who use encryption employ something that cannot be broken, such as developing an internal proprietary encryption formula that works for a single organization only.

SULLIVAN ARTICLE
12. Microcertifications periodically validate access privileges against business policies when they are triggered by questionable activities and events. If violations are found, notifications are batched to the relevant managers for remedial action. Managers constantly rectify compliant user accounts.
13. Implementing microcertifications requires two elements: a unified IT security infrastructure and big data analysis tools. The COBIT® 5 governance map, developed by ISACA®, addresses the current patchwork nature of most identity and access management systems.

LIEBERMAN ARTICLE
14. In any well-designed business continuity/disaster recovery (BC/DR) program, there are three roles that provide leadership: sponsorship, ownership and custodianship. Traditionally, a successful program starts with sponsorship that flows from the C-suite and the board of directors (BoD) to the rest of the firm.
15. As part of the development and implementation of the BC/DR cyberbreach program, and prior to any cyberbreach actually happening, the chief executive officer (CEO) should locate an experienced outside cyberbreach expert—one who understands the technical, legal and regulatory implications of particular types of cyberbreaches.



ISACA® Journal CPE Quiz
Based on Volume 5, 2015—Cybersecurity

Quiz #164 Answer Form
(Please print or type)

Name ______________________________________________
__________________________________________________
Address ____________________________________________
__________________________________________________
__________________________________________________
CISA, CISM, CGEIT or CRISC # ______________________

Quiz #164
True or False

MOSCA ARTICLE
1. ___________
2. ___________

SHARKASI ARTICLE
3. ___________
4. ___________
5. ___________
6. ___________
7. ___________
8. ___________

WLOSINSKI ARTICLE
9. ___________
10. __________
11. __________

SULLIVAN ARTICLE
12. __________
13. __________

LIEBERMAN ARTICLE
14. __________
15. __________

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to info@isaca.org or by fax to +1.847.253.1443. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address.

You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CISM, CGEIT or CRISC CPE credit.

Get noticed… Advertise in the ISACA® Journal. For more information, contact media@isaca.org.

Answers—Crossword by Myles Mellor
See page 56 for the puzzle.

G A P P V U L N E R A B L E
E R A N O E U X
I D I N G W A R T I G H T
T V I S A T E E
F A I L R H I N G E O N
S C I C Y T G T
C R Y P T O M O N I T O R
O Y B A R O T
P O S J A R G O N C A R
E P A D O S A A U
T A L T E R N A T I V E S
C D R L I R E T
I T I L F I Z Z L E A M
S R A N E N T A B
A G E S P E N D D U S T Y



Standards, Guidelines, Tools and Techniques
ISACA MEMBER AND CERTIFICATION HOLDER COMPLIANCE

The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:
• IS Audit and Assurance Standards
  The standards are divided into three categories:
  – General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
  – Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
  – Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.
• IS Audit and Assurance Guidelines
  The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorisation as the standards (also divided into three categories):
  – General guidelines (2000 series)
  – Performance guidelines (2200 series)
  – Reporting guidelines (2400 series)
• IS Audit and Assurance Tools and Techniques
  – These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programmes, reference books, and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.

IS Audit and Assurance Standards
The titles of issued standards documents are listed as follows:

General
1001 Audit Charter
1002 Organisational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

IS Audit and Assurance Guidelines
Please note that the new guidelines became effective 1 September 2014.

General
2001 Audit Charter
2002 Organisational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-up Activities

The ISACA Professional Standards and Career Management Committee (PSCMC) is dedicated to ensuring wide consultation in the preparation of
ITAF standards and guidelines. Prior to issuing any document, an exposure draft is issued internationally for general public comment.
Comments may also be submitted to the attention of the Director of Professional Standards Development via email (standards@isaca.org); fax
(+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.



Advertisers/Web Sites
Capella capella.edu/ISACA 3
Chiron chirontech.com Back Cover

Leaders and Supporters

Editor
Jennifer Hajigeorgiou
publication@isaca.org

Assistant Editorial Manager
Maurita Jasper

Contributing Editors
Sally Chan, CGEIT, CPA, CMA
Ed Gelbstein, Ph.D.
Kamal Khan, CISA, CISSP, CITP, MBCS
Vasant Raval, DBA, CISA
Steven J. Ross, CISA, CBCP, CISSP
B. Ganapathi Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA
Smita Totade, Ph.D., CISA, CISM, CGEIT, CRISC

Advertising
media@isaca.org

Media Relations
news@isaca.org

Editorial Reviewers
Matt Altman, CISA, CISM, CGEIT, CRISC
Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, ITIL, MBCI
Cheolin Bae, CISA, CCIE
Brian Barnier, CGEIT, CRISC
Pascal A. Bizarro, CISA
Jerome Capirossi, CISA
Joyce Chua, CISA, CISM, PMP, ITILv3
Ashwin K. Chaudary, CISA, CISM, CGEIT, CRISC
Ken Doughty, CISA, CRISC, CBCP
Nikesh L. Dubey, CISA, CISM, CRISC, CISSP
Ross Dworman, CISM, GSLC
Robert Findlay
John Flowers
Jack Freund, CISA, CISM, CRISC, CIPP, CISSP, PMP
Sailesh Gadia, CISA
Robin Generous, CISA, CPA
Anuj Goel, Ph.D., CISA, CGEIT, CRISC, CISSP
Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA
Tanja Grivicic
Manish Gupta, Ph.D., CISA, CISM, CRISC, CISSP
Mike Hansen, CISA, CFE
Jeffrey Hare, CISA, CPA, CIA
Jocelyn Howard, CISA, CISMP, CISSP
Francisco Igual, CISA, CGEIT, CISSP
Jennifer Inserro, CISA, CISSP
Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA
Farzan Kolini, GIAC
Abbas Kudrati, CISA, CISM, CGEIT, CEH, CHFI, EDRP, ISMS ISO 20000 LA
Shruti Kulkarni, CISA, CRISC, CCSK, ITIL V3
Bhanu Kumar
Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP
Edward A. Lane, CISA, CCP, PMP
Romulo Lomparte, CISA, CISM, CGEIT, CRISC, CRMA, ISO 27002, IRCA
Juan Macias, CISA, CRISC
Larry Marks, CISA, CGEIT, CRISC
Norman Marks
Tamer Marzouk, CISA
Krysten McCabe, CISA
Brian McLaughlin, CISA, CISM, CRISC, CIA, CISSP, CPA
Brian McSweeney
Irina Medvinskaya, CISM, FINRA, Series 99
David Earl Mills, CISA, CGEIT, CRISC, MCSE
Robert Moeller, CISA, CISSP, CPA, CSQE
Ramu Muthiah, CISM, GSLC, ITIL, PMP
Gretchen Myers, CISSP
Ezekiel Demetrio J. Navarro, CPA
Jonathan Neel, CISA
Anas Olateju Oyewole, CISA, CISM, CRISC, CISSP, CSOE, ITIL
Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE
John Pouey, CISA, CISM, CRISC, CIA
Steve Primost, CISM
Parvathi Ramesh, CISA, CA
Antonio Ramos Garcia, CISA, CISM, CRISC, CDPP, ITIL
Ron Roy, CISA, CRP
Louisa Saunier, CISSP, PMP, Six Sigma Green Belt
Nrupak D. Shah, CISM, CCSK, CEH, ECSA, ITIL
Shaharyak Shaikh
Sandeep Sharma
Catherine Stevens, ITIL
Johannes Tekle, CISA, CFSA, CIA
Robert W. Theriot Jr., CISA, CRISC
Nancy Thompson, CISA, CISM, CGEIT, PMP
Smita Totade, Ph.D., CISA, CISM, CGEIT, CRISC
Ilija Vadjon, CISA
Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA
Anthony Wallis, CISA, CRISC, CBCP, CIA
Kevin Wegryn, PMP, Security+, PFMP
Tashi Williamson
Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2015–16)

International President
Christos Dimitriadis, Ph.D., CISA, CISM, CRISC

Vice President
Rosemary Amato, CISA, CMA, CPA

Vice President
Garry Barnes, CISA, CISM, CGEIT, CRISC

Vice President
Rob Clyde, CISM

Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA

Vice President
Leonard Ong, CISA, CISM, CGEIT, CRISC, CFE, CFP, CIPM, CIPT, CISSP, CISSLP, PMP

Vice President
Andre Pitkowski, CGEIT, CRISC, CRMA, OCTAVE

Vice President
Edward Schwartz, CISA, CISM, CAP, CISSP, ISSEP, NSA-IAM, PMP, SSCP

Past International President, 2014–2015
Robert E Stroud, CGEIT, CRISC

Past International President, 2013–2014
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA

Past International President, 2012–2013
Greg Grocholski, CISA

Director
Zubin Chagpar, CISA, CISM

Director
Raghu Iyer, CISA, CRISC

Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC

Chief Executive Officer and Secretary
Matthew S. Loeb, CAE

ISACA® Journal, formerly Information Systems Control Journal, is published by the Information Systems Audit and Control Association® (ISACA®), a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2016 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

Subscription Rates:
US: one year (6 issues) $80.00
All international orders: one year (6 issues) $95.00. Remittance must be made in US funds.

ISSN 1944-1967
ISACA BOOKSTORE
RESOURCES FOR YOUR PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore

NOW AVAILABLE!
NEW! UPDATED CERTIFICATION EXAM PREPARATION MATERIALS
GET PREPPED FOR EXAM AND CAREER SUCCESS

Browse over 450 publications featuring the latest research and expert thinking on standards, best practices, emerging trends and more at www.isaca.org/bookstore
ISACA® Certification Exam Prep Materials

BESTSELLING PRODUCT
CISA® Review Questions, Answers & Explanations Database—12-Month Subscription
The CISA Review Questions, Answers & Explanations Database is a comprehensive 1,000-question pool of items that contains the questions from the CISA Review Questions, Answers & Explanations Manual, 11th Edition. The database has been revised according to the recently updated 2016 CISA Job Practice.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CISA candidates to identify their strengths and weaknesses and focus their study efforts accordingly.

The information contained in the 12-month subscription is the same information that is contained in the CISA Review Questions, Answers & Explanations Manual, 11th Edition. The database is available via the web, allowing candidates to log in anywhere they have Internet connectivity. This database is MAC and Windows compatible.

Member: US $185.00
Non-member: US $225.00
Product Code: XMXCA15-12M

The CISA® Review Questions, Answers & Explanations Database is also available on CD-Rom in Spanish.

CISA® Review Questions, Answers & Explanations Database—6-Month Extension
The CISA® Questions, Answers & Explanations Database—6-Month Extension can be purchased only as an extension to the CISA Questions, Answers & Explanations Database—12-Month Subscription. The database is available via the web, allowing CISA candidates to log in at home, at work or anywhere they have Internet connectivity.

Member: US $45.00
Non-member: US $65.00
Product Code: XMXCA15-EXT180

CISA® Review Manual, 26th Edition
The CISA® Review Manual, 26th Edition is a comprehensive reference guide designed to help individuals prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor. The manual has been revised according to the 2016 CISA Job Practice and represents the most current, comprehensive, peer-reviewed IS audit, assurance, security and control resource available.

The 26th edition is organized to assist candidates in understanding essential concepts and studying the following job practice areas: The Process of Auditing Information Systems; Governance and Management of IT; Information Systems Acquisition, Development and Implementation; Information Systems Operations, Maintenance and Service Management; Protection of Information Assets.

Member: US $105.00
Non-member: US $135.00
Product Code: CRM26ED
Available in: Chinese Simplified, French, Italian, Japanese, and Spanish.

CISA® Review Questions, Answers & Explanations Manual, 11th Edition
Designed to familiarize candidates with the question types and topics featured in the CISA exam, the CISA® Review Questions, Answers & Explanations Manual, 11th Edition consists of 1,000 multiple-choice study questions. The information contained in the CISA Review Questions, Answers & Explanations is the same information that is contained in the 12-Month Subscription.

Many questions have been revised or completely rewritten to be more representative of the CISA exam question format and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items but are intended to provide CISA candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

Member: US $100.00
Non-member: US $130.00
Product Code: QAE11ED
Available in: Chinese Simplified, Italian, Japanese, and Spanish
NEWLY UPDATED!

BESTSELLING PRODUCT
CISM® Review Questions, Answers & Explanations Database—12-Month Subscription
The CISM® Review Questions, Answers & Explanations Database is a comprehensive 950-question pool of items that contains the questions from the CISM® Review Questions, Answers & Explanations Manual, 8th Edition.

The database is available via the web, allowing CISM candidates to log in at home, at work or anywhere they have Internet connectivity. The database is MAC and Windows compatible.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CISM candidates to identify their strengths and weaknesses and focus their study efforts accordingly.

The information contained in the 12-Month Subscription is the same information that is contained in the CISM Review Questions, Answers & Explanations Manual, 8th Edition.

Member: US $185.00
Non-member: US $225.00
Product Code: XMXCM15-12M

CISM® Review Questions, Answers & Explanations Database—6-Month Extension
The CISM® Questions, Answers & Explanations Database—6-Month Extension can be purchased only as an extension to the CISM Questions, Answers & Explanations Database—12-Month Subscription. The database is available via the web, allowing CISM candidates to log in at home, at work or anywhere they have Internet connectivity.

Member: US $45.00
Non-member: US $65.00
Product Code: XMXCM15-EXT180

CISM® Review Manual, 14th Edition
The CISM® Review Manual, 14th Edition assists candidates to study and understand essential concepts in the following job practice areas: Information Security Governance; Information Risk Management and Compliance; Information Security Program Development and Management; Information Security Incident Management.

Each of the book’s four chapters has been divided into two sections for focused study. Section one of each chapter contains the definitions and objectives for the four areas, as well as the corresponding tasks performed by information security managers and knowledge statements that are tested on the exam. Section two of each chapter consists of reference material and content that support the knowledge statements. The material enhances CISM candidates’ knowledge and/or understanding when preparing for the CISM certification exam. Also included are definitions of terms most commonly found on the exam.

Member: US $105.00
Non-member: US $135.00
Product Code: CM14ED
Also available in Spanish. Product Code: CM14EDS

CISM® Review Questions, Answers & Explanations Manual, 8th Edition
The CISM® Review Questions, Answers & Explanations Manual, 8th Edition consists of 950 multiple-choice study questions, answers and explanations, which are organized according to the CISM job practice domains.

The questions, answers and explanations are intended to introduce the CISM candidate to the types of questions that appear on the CISM exam. They are not actual questions from the exam. Questions are sorted by CISM job practice domains and a sample exam of 200 questions is also provided. The information contained in the CISM Review Questions, Answers & Explanations is the same information that is contained in the 12-Month Subscription.

Member: US $100.00
Non-member: US $130.00
Product Code: CQA8ED
ISACA® Certification Exam Prep Materials

CGEIT® Review Manual, 7th Edition
The CGEIT® Review Manual is designed to help individuals prepare for the CGEIT exam and understand the responsibilities of those who implement or manage the governance of enterprise IT (GEIT). It is a detailed reference guide that has been developed and reviewed by subject matter experts actively involved in governance of enterprise IT worldwide.

The CGEIT® Review Manual features an easy-to-use format. Each of the book’s five chapters has been divided into two sections for focused study. Section one contains the definitions and objectives for each of the five CGEIT practice areas, as well as the corresponding tasks performed by GEIT professionals and knowledge statements necessary to perform these tasks. Section two of each chapter consists of content and reference material that supports the knowledge statements.
Member: US $85.00
Non-member: US $115.00
Product Code: CGM7ED
Available in Japanese. Product Code: CGM7EDJ

CRISC™ Review Questions, Answers & Explanations Database—12-Month Subscription
The CRISC™ Practice Question Database is a comprehensive 500-question pool of items that contains the questions from the CRISC™ Review Questions, Answers & Explanations Manual, 4th Edition. The database is available via the web, allowing CRISC candidates to log in at home, at work or anywhere they have Internet connectivity. The database is MAC and Windows compatible.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CRISC candidates to identify their strengths and weaknesses and focus their study efforts accordingly.
Member: US $185.00
Non-member: US $225.00
Product Code: XMXCR14-12M

CRISC Review Questions, Answers & Explanations Manual, 4th Edition is available in print.
Member: US $60.00
Non-member: US $80.00
Product Code: CRQ4ED
Available in Spanish. Product Code: CRQ4EDS

CGEIT® Review Questions, Answers & Explanations Manual, 4th Edition
The CGEIT® Review Questions, Answers & Explanations Manual is designed to familiarize candidates with the question types and topics featured in the CGEIT exam. The questions are not actual exam items but are intended to provide CGEIT candidates with an understanding of the type and structure of questions and content that has previously appeared on the exam. To help candidates maximize—and customize—study efforts, questions are presented in the following two ways:
• Sorted by job practice area
• Scrambled as a sample 75-question exam
Member: US $60.00
Non-member: US $75.00
Product Code: CGQ4ED

CRISC™ Review Manual, 6th Edition
The CRISC™ Review Manual is a comprehensive reference guide designed to help individuals prepare for the CRISC exam and understand IT-related business risk management roles and responsibilities. The manual has been enhanced over the past editions and represents the most current, comprehensive, peer-reviewed IT-related business risk management resource available worldwide. The CRISC™ Review Manual, 6th Edition offers an easy-to-navigate format. Each of the book’s four chapters has been divided into two sections for focused study.
Member: US $85.00
Non-member: US $115.00
Product Code: CRR6ED
Available in Spanish. Product Code: CRR6EDS

3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA
P: +1.847.253.1545
F: +1.847.253.1443
E: info@isaca.org
isaca.org

2 EASY WAYS TO ORDER:
1. Online — Access ISACA’s bookstore online anytime 24/7 at www.isaca.org/bookstore
2. Phone — Contact us by phone M – F between 8:00AM – 5:00PM Central Time (CT) at 847.660.5650

DEVELOP YOUR EDGE AS A CYBER SECURITY FIRST RESPONDER.
Build and hone your abilities to be an in-demand professional in the growing global cyber workforce.
CSX Practitioner Labs enable you to develop your technical skills in an adaptive, performance-based cyber
laboratory environment. You’ll practice applying essential concepts and industry-leading methods, using an
array of open-source tools, within real-world scenarios. Gain critical skills to help you advance your career –
and prove you have what it takes to get the job done, by preparing for the CSX Practitioner certification.

Visit www.isaca.org/csxplabs for more information.


TRAIN LIKE YOU FIGHT

CHIRON’S TEAM OF EXPERT INSTRUCTORS BRING YEARS OF RELEVANT, REAL-WORLD EXPERIENCE INTO THE CLASSROOM.

Chiron’s cyber protection program trainees are challenged and tested with real-world scenarios based on today’s dynamic, agile and constantly evolving threat environment. Unlike simulated training, Chiron’s classes are held in a laboratory setting unrestricted by rigid network security constraints that hamper the hands-on learning experience. Our customized training approach creates qualified Information Operations professionals that are tested and equipped to handle the real-life cyber threats of today.

• OFFENSIVE AND DEFENSIVE CYBER OPERATIONS
• ADVANCED THREAT SIMULATION
• NETWORK FORENSICS AND THREAT ANALYSIS
• MALWARE REVERSE ENGINEERING
• SIMULATED TRAINING ENVIRONMENT

LEARN MORE ABOUT OUR TRAINING:
410-672-1522, ext. 113 | training@chirontech.com
or visit chirontech.com