You are on page 1of 68

Volume 4, 2017

MOBILE
WORKFORCE 04
www.isaca.org

Social Media Rewards and Risk


Mobile Workforce Security Considerations and Privacy
Exploring How Corporate Governance Codes Address IT Governance
RECOGNIZED
GLOBALLY.
IN-DEMAND
LOCALLY.
REGISTER FOR AN UPCOMING ISACA CERTIFICATION EXAM TODAY!
®

Secure your seat and your future—take the first step today!
1 August – 30 September 2017 | Register today at www.isaca.org/exams2017-Jv4

What are the advantages of Take the first step towards obtaining a globally
computer-based testing? respected ISACA certification and becoming
recognized as one of the most-qualified
> More opportunities to take an exam professionals in your field of information systems.
> Larger test center network—over 880 locations
> Faster exam results Want to see how ISACA members save?

> Test centers designed specifically for testing www.isaca.org/JustASK


> Increased flexibility for changing exam times
Register today at www.isaca.org/exams2017-Jv4.
SAVE
THE DATE… or
— REGISTER —
6th Annual
NOW
European
Compliance & Ethics Institute
25–28 March 2018 | Frankfurt, Germany
• Hear from top compliance & ethics professionals from Europe and
around the world

• earn the latest and best solutions for compliance & ethics challenges,
L
including anti-corruption, data protection, and risk management

• Build your professional network

• arn the continuing education units you need, and take the Certified
E
Compliance & Ethics Professional - International (CCEP-I)® exam

europeancomplianceethicsinstitute.org | lizza.catalano@corporatecompliance.org
The ISACA® Journal

Journal
seeks to enhance
the proficiency and
competitive advantage of
its international readership
3 39 by providing managerial
Information Security Matters: André Maginot’s Line Key Ingredients to Information Privacy Planning
Steven J. Ross, CISA, CISSP, MBCP Larry G. Wlosinski, CISA, CRISC, CISM, CAP,
and technical guidance
CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP from experienced global
6
IS Audit Basics: Audit Programs 46 authors. The Journal’s
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor Challenges and Lessons Learned Implementing
and Implementer, CFE, CPTE, DipFM, ITIL ITIL, Part 1 noncommercial,
Foundation, Six Sigma Green Belt Mathew Nicho, Ph.D., CEH, CIS, ITIL Foundation,
RWSP, SAP, Shafaq Khan, Ph.D., CIS, PMBOK, peer-reviewed articles
10 PMP, SAP, and Ram Mohan, CRISC, CISM, CGEIT, focus on topics critical to
The Network ISO 27001, ITIL Foundation
Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, professionals involved
CGMA, CIA, CISSP, CPA
PLUS in IT audit, governance,
FEATURES 52 security and assurance.
Tools: Mobile Security Tools on A Budget
13 Ed Moyle
Social Media Rewards and Risk
Mohammed J. Khan, CISA, CRISC, CIPM 54
(Disponible également en français) Help Source Q&A
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI,
18 AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA,
Mobile Workforce Security Considerations MCA, PMP
and Privacy
Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3 , PMP 56
(Disponible également en français) Crossword Puzzle
Myles Mellor
24
Exploring How Corporate Governance Codes 57
Address IT Governance CPE Quiz
Steven De Haes, Ph.D., Anant Joshi, Ph.D., Prepared by Sally Chan, CGEIT, ACIS, CMA, CPA
Tim Huygh and Salvi Jansen
59
31 Standards, Guidelines, Tools and Techniques
A Guide to Auditing Attachment Fields
in Access Databases S1-S4 Read more from
Joshua J. Filzen, Ph.D., CPA and Mark G. Simkin, ISACA Bookstore Supplement these Journal
Ph.D. authors...

Journal authors are

Online-exclusive now blogging at

Features
www.isaca.org/journal/
blog. Visit the ISACA
Journal blog, Practically
Speaking, to gain
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles
and blogs, the Journal is more than a static print publication. Use your unique member login credentials to
practical knowledge
access these articles at www.isaca.org/journal. from colleagues and to
participate in the growing
Online Features
The following is a sample of the upcoming features planned for July and August 2017. ISACA® community.

Challenges and Lessons Demystifying Cyber Security Enterprise Security


Learned Implementing ITIL, in Industrial Control Systems Architecture—A Top-down
Part 2 Sri Mallur Approach
Mathew Nicho, Ph.D., CEH, by Rassoul Ghaznavi-Zadeh,
CIS, ITIL Foundation, RWSP, CISM, COBIT, SABSA, TOGAF
SAP, Shafaq Khan, Ph.D., CIS,
PMBOK, PMP, SAP, and Ram
Mohan, CRISC, CISM, CGEIT, 3701 Algonquin Road,
ISO 27001 Suite 1010
Rolling Meadows, Illinois
60008 USA
Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter
Telephone
Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA +1.847.660.5505
Follow ISACA on LinkedIn: www.linkedin.com/company/isaca
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Fax +1.847.253.1755
www.isaca.org
André Maginot’s Line information
security
matters

Some time ago in this space, I used an obscure invaded in 1940 through Belgium instead. In cyber
statement by a nearly forgotten British Prime security terms, a strategy of protecting critical data Do you have
Minister to make some points about cyber security.1 resources, with less consideration given to so-called something
As it happens, I studied the history of the period “Tier 2,” simply exposes everything via the easiest to say about
between the World Wars in my university days, so I route for an attacker to traverse. In other words, this article?
often use some of the insights I gained in looking at cyber security needs to treat the security of the IT Visit the Journal
pages of the ISACA®
then-current affairs when thinking about information environment holistically.
website (www.isaca.
security. I would like to turn now to a somewhat
org/journal), find the
more famous artifact of the interwar years, the Moreover, it must be recognized that the methods article and click on
Maginot Line. of the cyberattackers are not monolithic and the Comments link to
invariable. As an organization implements certain share your thoughts.
Here is what most people know: The Maginot preventive measures, so those attackers intent
Line was a series of fortifications near the French- on violating the integrity of information systems http://bit.ly/2shfuWv
German border intended to prevent German forces adjust their tactics. Effective antivirus filters once
from invading France through Alsace and Lorraine, forced hackers to develop other forms of malware.
as Germany had done in two previous wars. Once Then, organizations became better at countering
those two nations entered into war again in 1939, these new forms of hostile software. Now, it seems
the German forces went around the Maginot Line that the attackers are focusing instead on stolen
and invaded France once again. Thus, the term credentials taken from authorized data users. This
“Maginot Line” is today a catch-phrase for an approach favors the antagonist in many ways:
expensive, foolhardy security failure. There is no need to find a zero-day or unpatched
vulnerability, it is harder to detect, and it is more
The infamous line was named for André Maginot, flexible once the credentials are used.4
a French politician who served in many cabinets in
the 1920s and ‘30s, three times as the Minister for
War.2 Having spent much of his life in Lorraine, he
was primarily concerned with protecting that part
of France. He was not the visionary of the line; the
idea came from the World War I French generals,
particularly Marshal Henri Petain, the “hero of
Verdun.”3 Neither was Maginot the leader who built
the line; that was Paul Painlevé, his successor as
War Minister.

So, what did André Maginot do? And what are the
lessons of André Maginot and his line regarding
information security generally (this is, after all, the
Information Security Matters column), and cyber
security specifically?

The Fallacy of Protecting


Critical Resources
With the wisdom of hindsight, we know that the
Maginot Line failed to protect France, but that was Steven J. Ross, CISA, CISSP, MBCP
not André Maginot’s primary objective at the time. Is executive principal of Risk Masters International LLC. Ross has been
He and the generals before him wanted to make writing one of the Journal’s most popular columns since 1998. He can be
invasion through Alsace and Lorraine impractical, reached at stross@riskmastersintl.com.
if not impossible. And it worked! France was

ISACA JOURNAL VOL 4 3


Winning the Budget Battle Wins Cyber Security Must Align
Enjoying the Cyberwar With the Culture
this article? Maginot’s great achievement was to recognize the Even as the Maginot Line was being built, French
spirit of his times, the zeitgeist, and take advantage generals realized that it might prove ineffective
• Read Transforming of it. In an era marked equally by fear, pacifism if it did not extend to the sea. But the Belgian
Cybersecurity. and unemployment, he found it easy to appeal for government could not be convinced to build its
www.isaca.org/ funding of a line of battlements, a passive measure own line nor would the French build one along
cybersecurity-cobit to strengthen defenses and create jobs at the same its Belgian frontier. The political and economic
time. In fact, Maginot did not attempt to sell the environment would not permit more to be spent on
line of fortifications as the sole or even the primary preventing invasion.
means of preventing invasion. He stated, “We could
hardly dream of building a kind of Great Wall of There are political and economic environments
France, which would in any case be far too costly. within companies and government agencies that
Instead we have foreseen a powerful but flexible we often term the “corporate culture,” within which
means of organizing defense, based on the dual there is a security culture.6 Organizations will not,
principle of taking full advantage of the terrain and or cannot, do more for information security than
establishing a continuous line of fire everywhere.”5 that culture allows. Maginot understood that.
Paraphrasing him in today’s terms, the security
culture within all organizations is the best safeguard
against overspending (or underspending) on cyber
If we can gain security. “It controls not only the purse, but the
man-power of the organization.”7
the budget to make
this war easier to Moreover, it appears that Maginot recognized
that no one protective measure could win a war,
fight and the risk although it could provide an essential edge in

easier to manage, a battle, just as no one security tool is going to


solve the problem of cyberattacks. Preventive
that may be victory software and hardware must fit within a technology
environment that includes alarms and responsive
enough. triggers, analytics and recoverability. In addition,
and closer to the context of culture, these tools
must be incorporated into an organizational
structure of monitoring and preparedness.
Is any organization today prepared to build a Great
Wall of IT? Even contemporary militaries do not In one contemporary perspective, only slightly
have infinite budgets for cyberdefense (or attack, adapted, the Maginot Line was a dream, a hopeful
for that matter). What we are seeking is to take full dream full of security, warmth and promises. How
advantage of organizing the preventive, detective many tons of cement? How many tons of steel?
and recoverability techniques we have in as And how much money? Cyber security preventions,
economical a manner as possible and to establish like the infamous line, may serve as a temporary
a comprehensive program of cyber security. Budget measure to seal a potential breach. They can heal
monies are available with these wide-ranging, but and even cure. But these protections can also die or
nonetheless finite, goals. We may never “win” the become ragged.8 It is for us security professionals
war against cyberattacks, whatever winning means to carry on this war, using the weapons available
in this case. If we can gain the budget to make this to us, constantly vigilant, with the strengths and
war easier to fight and the risk easier to manage, limitations of our culture to guide us.
that may be victory enough.

4 ISACA JOURNAL VOL 4


Endnotes 7 Philip, P. J.; “Death of Maginot a Loss to France,”
The New York Times, 8 January 1932. What
1 Ross, S.; “Stanley Baldwin’s Bomber,” ISACA® Maginot actually said, as translated by the The
Journal, vol. 5, 2015, www.isaca.org/Journal/ New York Times, was, “Public opinion in all
archives/Pages/default.aspx free democracies is the best safeguard against
2 Charles River Editors, The Maginot Line: The overarmaments. It controls not only the purse
History of the Fortifications that Failed to Protect but the man-power of the nation. It is only in
France from Nazi Germany During World War autocratic countries in which the people [sic] are
II, USA, 2015. The historical material on André not their own masters that armies and military
Maginot and the Maginot Line comes from caste become a menace. That is what happened
several sources. This publication is a good in Germany in 1914. If we are still unconvinced
general discussion. that it will happen again we must be excused. Give
3 And the traitor of Vichy. us, and let us give Germany, time.” In finding this
4 Schneier, B.; “Credential Stealing as an Attack quotation, I was amazed at how much Maginot’s
Vector,” Schneier on Security blog, 4 May 2016, views from the early 1930s resound today.
https://www.schneier.com/blog/archives/2016/05/ 8 Greilsamer, L.; “De l’autre côté du mur,” (from the
credential_stea.html Other Side of the Wall as translated by myself),
5 WebCite, “André Maginot: A History,” Le Monde, 28 January 2008, www.lemonde.fr/
www.webcitation.org/5kn33HV01 idees/article/2008/01/28/de-l-autre-cote-du-
6 Ross, S.; Creating a Culture of Security, ISACA®, mur-par-laurent-greilsamer_1004472_3232.
USA, 2011, p. 21. Will this shameless self- html?xtmc=andre_maginot&xtcr=19
promotion never stop?

MEMBER GET A MEMBER

Get Members.
Get Rewarded.
REACH OUT AND HELP FRIENDS, COLLEAGUES AND OTHER PROFESSIONALS BECOME ISACA® MEMBERS.
THEY GET THE BENEFITS OF ISACA MEMBERSHIP. YOU GET REWARDED.
MEMBER GET A MEMBER 2017 PROGRAM STARTS ON 1 AUGUST.
THE MORE MEMBERS YOU RECRUIT, THE MORE VALUABLE THE REWARDS.
When ISACA grows, members benefit. More recruits mean more connections,
more opportunities to network—and now, more valuable rewards!
Be sure to go to www.isaca.org/GetMembers after 1 August to learn full details
of this year's program.

* Rules and restrictions apply. Full rules will be available after 1 August 2017.
© 2017 ISACA. All Rights Reserved.

ISACA JOURNAL VOL 4 5


Audit Programs
It was a great compliment, if somewhat daunting, not applicable to the organization. This, in turn,
Do you have to be invited to follow in the footsteps of Tommie can damage your reputation with the auditee and,
something Singleton and the late Ed Gelbstein to contribute to ultimately, with senior management.
to say about this column. I can only hope to match their insights
this article? by bringing my own experiences to bear. Figure 1—Existing Audit/Assurance
Visit the Journal
Programs
pages of the ISACA® Speaking of which, one of the most common
website (www.isaca. Source Description
requests I get as a community leader on the ISACA®
org/journal), find the ISACA Audit/assurance programs4
Knowledge Center1, 2, 3 is for audit/assurance
article and click on
programs or sources of assurance. So, what are our IIA Global Technology Audit Guides (GTAGs)5
the Comments link to
share your thoughts. options and where should we look? AuditNet Audit Programs6
Source: Ian Cooke. Reprinted with permission.
http://bit.ly/2rWOyL8 Utilize Existing Audit/Assurance
Programs Build Your Own
ISACA, the Institute of Internal Auditors (IIA) and other During your career as an IS auditor, there will be
organizations have developed programs a requirement to build your own audit/assurance
(figure 1) that address commonly audited areas such programs. These would typically be required when
as cyber security, commonly utilized applications the audit subject is a custom-built application or
such as SAP and common requirements for when the organization being audited is implementing
compliance such as the Payment Card Industry Data tools or processes that are on the cutting edge. How
Security Standard (PCI DSS). These are excellent do you approach such assignments?
resources and can save a lot of time. My only word
of warning is that they are not one size fits all. They In March 2016, ISACA released an excellent white
should be considered a starting point and adjusted paper titled Information Systems Auditing: Tools and
based upon risk factors and criteria that are relevant Techniques Creating Audit Programs.7 The paper
to the organization you are auditing. Failure to do describes the five steps in developing your own audit
so can result in a checklist approach that can lead program (figure 2). Essentially, these steps are:
to the auditor recommending controls that are
1. Determine audit subject—What are you
auditing? This is often set as part of the overall
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and audit plan.
Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma 2. Define audit objective—Why are you auditing
Green Belt it? Again, this may have been set as part of the
Is the group IT audit manager with An Post (the Irish Post Office based in overall audit plan.
Dublin, Ireland) and has 30 years of experience in all aspects of information
systems. Cooke has served on several ISACA® committees and is a current 3. Set audit scope—What are the limits to
member of ISACA’s CGEIT® Exam Item Development Working Group. He your audit?
is the community leader for the Oracle Databases, SQL Server Databases,
and Audit Tools and Techniques discussions in the ISACA Knowledge 4. Perform preaudit planning—What are the
Center. Cooke assisted in the updates of the CISA® Review Manual for the specific risk factors?
2016 job practices and was a subject matter expert for ISACA’s CISA Online
Review Course. He is the recipient of the 2017 John W. Lainhart IV Common 5. Determine audit procedures and steps for
Body of Knowledge Award for contributions to the development and data gathering—How will you test the controls
enhancement of ISACA publications and certification training modules. He for these risk?
welcomes comments or suggestions for articles via email at Ian_J_Cooke@
hotmail.com, Twitter (@COOKEI) or on the Audit Tools and Techniques topic A crucial component of step 5 is developing the
in the ISACA Knowledge Center. Opinions expressed in this column are his criteria for evaluating tests. “Criteria” is defined as
own and do not necessarily represent the views of An Post. the standards and benchmarks used to measure

6 ISACA JOURNAL VOL 4


IS audit
basics

and present the subject matter and against which One such instance might be when you are auditing
an IS auditor evaluates the subject matter.8 Many an Oracle database. Where an organization has Enjoying
of these will be defined by the entity that is being defined its own Oracle database standard, then
this article?
audited (e.g., contracts, service level agreements, you audit to that standard. However, if no standard
policies, standards); however, there will be exists, it is good practice to use an external
• Read Information
instances, for example, when an organization has benchmark if it is objective, complete, relevant,
Systems Auditing:
not defined its own standards when other criteria measurable, understandable, widely recognized,
Tools and
should be applied (figure 3). authoritative and understood by, or available to, all
Techniques—IS
readers and users of the report.9 Further, IS audit
Audit Reporting.
www.isaca.org/
Figure 2—Creating an Audit Program creating-audit-
programs
Determine audit subject.
Identify the area to be audited (e.g., business function, system, physical location).
• Learn more about,
1 Define audit objective.
discuss and
Identify the purpose of the audit. For example, an objective might be to
collaborate on
audit tools and
2 determine whether program source code changes occur in a well-defined
and controlled environment. techniques in the
Knowledge Center.
Set audit scope. www.isaca.org/
Identify the specific systems, function or unit of the organization it-audit-tools-and-
3 to be included in the review. For example, in the previous example
(program changes), the scope statement might limit the review to techniques
a single application, system or a limited period of time.
Creating an Perform preaudit planning.
Audit Program • Conduct a risk assessment, which is critical in setting the final
The first steop in creating an scope of a risk-based audit. For other types of audits
audit program is to develop
as audit plan. An audit plan
4 (e.g., compliance), conducting a risk assessment is a good
practice because the results can help the IS audit team to
justify the engagement and further refine the scope and
should comprise all five steps preplanning focus.
shown here. Once you have • Interview the auditee to inquire about activities or area of
researched and completed a concern that should be included in the scope of the engagement.
properly executed audit plan, • Identify regulatory compliance requirements.
the result is an audit program • Once the subject, objective and scope are defined, the audit
ready for implementation. team can identify the resources that will be needed to perform
the audit work.

Determine steps for data gathering.


At this stage of the audit process, the audit team shold have enough information
to identify and select the audit approach or strategy and start developing the audit
5 program. Some of the specific activities in this step are:
• Identify and obtain departmental policies • Develop audit tools and methodology
standards and guidelines for review. to test and verify controls.
• Identify any regulatory compliance • Develop test scripts.
requirements. • Identify criteria for evaluating the test.
• Identify a list of individuals to interview. • Define a methodology to evaluate that
• Identify methods (including tools) to the test and its results are accurate
perform the evaluation. (and repeatable if necessary).

Source: ISACA®, Audit Plan Activities: Step-By-Step, 2016

ISACA JOURNAL VOL 4 7


Figure 3—Sources of Assurance/Good Practice
Source Description
ISACA COBIT 5 10

White papers11
Cloud computing guidance12
Cyber security resources13
US Department of Defense Security Technical Implementation Guides (STIGs)14
CIS Center for Internet Security Benchmarks15
ISO International Organization for Standardization, ISO/IEC 27000 family—Information security
management systems16
CSA Cloud Security Alliance17
NIST US National Institute of Standards and Technology
Framework for Improving Critical Infrastructure Cybersecurity18
Security and Privacy Controls for Federal Information Systems and Organizations19
NIST publications20
PCI DSS Payment Card Industry Data Security Standard21*
ITIL Information Technology Infrastructure Library22
*ISO and PCI DSS can also be used as sources of best practice even where compliance is not required.
Source: Ian Cooke. Reprinted with permission.

and assurance professionals should consider the risk and criteria. Further, other members could
source of the criteria and focus on those issued contribute to and enhance these documents. Over
by relevant authoritative bodies before accepting time, we, as a community, could build up many
lesser-known criteria.23 I would also disclose the audit/assurance programs that are continuously
criteria used and why—in this case, auditors were enhanced and kept up to date.
required to give an opinion on the security of an
Oracle database, but management had no standard Conclusion
defining what “secure” means. A further finding An audit/assurance program is defined by ISACA
from such an audit may be that management as a step-by-step set of audit procedures and
should define such a standard. Selecting the right instructions that should be performed to complete
criteria is vital for the success of the audit. an audit.25 Many of these steps are common to
most enterprises; however, each also has its own
Collaborate culture, ethics and behavior. We can utilize and
share existing audit/assurance programs and even
We live in a world where it is very much a viable
option to run a business using open-source
software. I, therefore, pose a simple question:
Why cannot we, as an ISACA community, develop
open-source audit/assurance programs?
Why cannot
we, as an ISACA
The Documents and Publications section of Audit
Tools and Techniques24 allows every member
community, develop
to contribute user-created documents and open-source
publications. Members could, therefore (with their
organization’s permission), upload completed audit/assurance
audit/assurance programs, making them available
(with the right terms and conditions) for other
programs?
members to adopt for their own enterprise’s

8 ISACA JOURNAL VOL 4


collaborate on the building of same if we remember
that we have an obligation to consider the risk to
our own organizations.

Editor’s Note
ISACA is currently exploring several methods for
community-driven audit program sharing and
development models.

Endnotes
1 ISACA® Knowledge Center, Audit Tools and
Techniques, www.isaca.org/it-audit-tools-and-
techniques
2 ISACA Knowledge Center, Oracle Databases,
www.isaca.org/topic-oracle-database 14 Department of Defense, Security Technical
3 ISACA Knowledge Center, SQL Server Implementation Guides, USA, http://iase.disa.
Databases, www.isaca.org/topic-oracle- mil/stigs/Pages/index.aspx
database 15 Center for Internet Security Benchmarks and
4 ISACA, Audit/Assurance Programs, Controls, https://benchmarks.cisecurity.org/
www.isaca.org/auditprograms downloads/
5 Institute of Internal Auditors, Global Technology 16 International Organization for Standardization/
Audit Guides, https://na.theiia.org/standards- International Electrotechnical Commission,
guidance/topics/Pages/Information-Technology. ISO/IEC 27000 Family—Information Security
aspx Management Systems, https://www.iso.org/
6 AuditNet, Audit Programs, www.auditnet.org/ isoiec-27001-information-security.html
audit_programs 17 Cloud Security Alliance, https://cloudsecurity
7 ISACA, Information Systems Auditing: Tools alliance.org/group/security-guidance/#_
and Techniques: Creating Audit Programs, downloads
USA, 2016, www.isaca.org/Knowledge-Center/ 18 National Institute of Standards and Technology,
Research/Documents/IS-auditing-creating- Framework for Improving Critical Infrastructure
audit-programs_whp_eng_0316.PDF Cybersecurity, USA, https://www.nist.gov/
8 ISACA, ITAF: Information Technology cyberframework
Assurance Framework, USA, 2014, www.isaca. 19 Security and Privacy Controls for Federal
org/Knowledge-Center/ITAF-IS-Assurance- Information Systems and Organizations,
Audit-/IS-Audit-and-Assurance/Pages/ http://nvlpubs.nist.gov/nistpubs/
ObjectivesScopeandAuthorityofITAudit.aspx SpecialPublications/NIST.SP.800-53r4.pdf
9 Op cit, ITAF, p. 20 20 National Institute of Standards and Technology,
10 ISACA COBIT 5, USA, 2012, www.isaca.org/ NIST publications, https://www.nist.gov/
cobit/pages/default.aspx publications
11 ISACA, White Papers, www.isaca.org/ 21 Payment Card Industry Data Security Standard,
Knowledge-Center/Research/Pages/White- https://www.pcisecuritystandards.org/
Papers.aspx 22 Information Technology Infrastructure Library,
12 ISACA, Cloud Computing Guidance, https://www.itil.org.uk/all.htm
www.isaca.org/Knowledge-Center/Research/ 23 Op cit, ITAF, p. 20
Pages/Cloud.aspx 24  Op cit, ISACA Knowledge Center
13 ISACA, Cyber Security Resources, www.isaca. 25 ISACA Glossary, https://www.isaca.org/Pages/
org/KNOWLEDGE-CENTER/RESEARCH/ Glossary.aspx
Pages/Cybersecurity.aspx

ISACA JOURNAL VOL 4 9


Q: As ISACA’s to tackle changes in believe in, you need to
incoming chair of the technology, threats and understand a problem
Board of Directors, future trends. from all sides—and
how do you see be able to argue with
ISACA® growing Q: Can you briefly equal strength from all
and adapting to the describe your role sides. As a person who
constantly changing as inspector general needs to get bipartisan
marketplace (IG) of the US House approval on everything
and needs of its of Representatives? I do, understanding
constituents over the What in your past how people think, how
next year? experience has best they solve problems
prepared you for this and how they prioritize
A: New technologies— position? things has been critical
and threats—are in tackling important
introduced almost daily. A: As IG of the issues, bridging divides
ISACA represents an US House of and, ultimately, making
interrelated, yet diverse, Representatives, I am a difference.
set of constituents. As a nonpartisan, senior
risk, audit, security, House official who is Q: How do you believe
Theresa Grafenstine, CISA, CRISC, cyber and governance jointly appointed by the the certifications
CGEIT, CGAP, CGMA, CIA, CISSP, CPA professionals, we speaker, majority leader you have attained
Is chair of ISACA®’s Board of Directors and need to be agile and and minority leader have advanced or
the inspector general (IG) of the US House of prepared. Whether it of the House. I am enhanced your career?
Representatives (House). Over the past 25 years, is through partnering responsible for planning What certifications
Grafenstine has served in the IG community in both with other professional and leading independent do you look for
the legislative and executive branches of the US associations on audits, advisories when recruiting new
federal government. As the IG, she is responsible content development and investigations members to your
for planning and leading independent, nonpartisan or training, or the way of the financial and professional team?
audits, advisories, and investigations of the financial
in which it structures its administrative functions
and administrative functions of the House. Prior to
joining the US House Office of Inspector General volunteer committees, of the House. Aside A: I believe getting
(OIG), Grafenstine served at the US Department of ISACA is looking at from having the certifications has proven
Defense OIG where she led acquisition audits of ways to become more necessary technical my commitment to
major weapon systems and was selected to respond agile to better serve skills, I believe the my profession and
to high-profile US Congress audit requests. She is its members and experience that most to life-long learning.
a past chair of ISACA’s Audit Committee, Finance their professions. For prepared me for this Certifications are an
Committee, Communities Committee, and Relations example, ISACA was position is, oddly, outward representation
Board and a past president of the ISACA National once tied to a volunteer a moral philosophy and assurance of
Capital Area Chapter. Grafenstine also serves on the structure that allowed class that I took as an your skills, but they
board of directors of the Association of International
appointments and undergraduate at St. represent only one
Certified Professional Accountants (AICPA) and as
the audit committee chair of the Pentagon Federal changes on only an Joseph’s University aspect of professional
Credit Union. She has received numerous awards annual basis. By moving (Philadelphia, commitment. Getting
and accolades, including the Golden Gov: Federal to a more agile model, Pennsylvania, USA). involved and participating
Executive of the Year and, most recently, the Greater ISACA is now able to Father Lombardi in a professional
Washington Society of CPAs 2016 Women to Watch move from a reactive stressed that to really association demonstrates
and 2016 Outstanding CPA in Government awards. to a proactive posture understand what you your connection to the

10 ISACA JOURNAL VOL 4


the
network www.sheleadsit.org

She Leads IT
1

What is the biggest security
challenge that will be faced
in 2017? How should it be
addressed?
The biggest challenge, is the human element. Lack of
employee cyberawareness, weak passwords, failure
to implement patches, falling for phishing scams and
insider threat will do more cumulative damage than
complex emerging issues.
broader professional In my seven years as IG, reduces enterprise risk.
community and helps
you grow as an industry
I have served under three
different Speakers of the
When there is a pipeline
shortage of women to 2
What are your three goals
for 2017?
• Developing a leadership pipeline
leader. When hiring staff House and four different fill senior leadership
at the House, I look for congressional oversight roles or in science, • Continuing and strengthening ISACAs Women in
diverse certifications committee chairmen. technology, engineering Technology initiative
and higher degrees to With all of these changes and mathematics (STEM) • Exploring charitable options through ISACA’s
help address the broad in leadership come career fields in general, ITGI foundation to give opportunities to people in
range of problems we changes in priorities, this puts organizations at developing nations or underrepresented demographics
face. Even as a senior focus and direction. It risk. Women leaders bear to obtain leadership skills, relevant training and
executive, I like to show teaches you to be nimble a special responsibility certifications.
my commitment to the in adjusting the audit to help fill this pipeline
profession and prove
my capability to my
plan. You also need to be
able to quickly acquire
by serving as role
models and mentors 3
What is your favorite blog?
ISACA International does a great ISACA Now blog.
staff (and to myself!) by new or different skills to to our next generation CyberScoop and NextGov do a great job of reporting on
sometimes sitting for the adjust to the changing of leaders. We need to important issues.
same training and exams priorities. That agility connect with girls and
they are pursuing—which
is the reason why I have
has made me a better
auditor and a better
young women to show
them what a Woman 4
What is your number-one
piece of advice for other audit
professionals?
so many certifications! leader because it forces in Technology leader
me to constantly think on looks like. If we wait until Do not rest on the fact that you are a regulatory
Q: What has my feet and help others, they have already made requirement. Provide value to your organization every day.
been your biggest who may struggle with career decisions, it may
workplace or career change, to adapt. be too late. I think it is
challenge and how did
you face it? Q: What do you think
important to volunteer
at local schools as
5
What is your favorite benefit of
your ISACA membership?
The fantastic people—the members, the volunteer
are the most effective speakers on career day. leaders and the staff. ISACA has benefited my career in
A: I think an ongoing ways to address the I think it is especially monumental ways, but the biggest benefit has been the
challenge for any lack of women in the important to reach out friendships.
professional is the rapid information security to schools in at-risk
pace of change. How workspace? communities to show
do we keep up with it?
How do I find and retain A: Diversity goes
beyond a feel-good
students that IT security
is an amazing career 6
What do you do when you are
not at work?
When I am not at work and I am not doing ISACA work,
staff who can meet the option. If they have never
changing demands? social initiative; it heard of it, they cannot I am at my son’s ice hockey game, helping my daughter
This is even more so impacts the bottom choose it. We can not find the right college or walking the dogs with my
husband.
in the congressional line. It is a powerful only address some of
environment. Every resource that, if properly the pipeline issues, but
member of the House leveraged, increases we can literally change
of Representatives is up an organization’s the trajectory of young
for reelection every two ability to connect with people’s lives.
years. In addition to the a broader base of
changes brought about people, deepens an
by elections, leadership organization’s knowledge
positions change as well. base and, ultimately,

ISACA JOURNAL VOL 4 11


CSX
ACCELERATED
CYBERSECURITY
SKILLS TRAINING
DEEPEN YOUR TECHNICAL SKILLSET IN JUST 5 DAYS
Enterprises worldwide need qualified cyber professionals to fill the gap in their cyber security capabilities.
Eight in ten organizations would be more likely to hire a candidate with a performance-based certification.*

The intensive, 5-day CSX Accelerated Cybersecurity Skills Training from ISACA®’s Cybersecurity Nexus™
(CSX) will elevate your skills to the level of an experienced, in-demand cyber security first responder — and
prep you for the SC Magazine award-winning† CSX Practitioner Certification — at the pace you need for
success.

Join us for our next course:


• Chicago, Illinois: 31 July – 4 August 2017
Seats are limited. Act now to secure this invaluable training.
Visit CSXPTraining.com to learn more.

P
Certified Cybersecurity Practitioner

12 *ISACA’s January
ISACA JOURNAL VOL 42016 Cybersecurity Snapshot survey. ISACA JOURNAL VOL 4 12

CSX Practitioner is the 2016 SC Magazine Award Winner for Best Professional Certification Program.
feature
feature
Social Media Rewards
and Risk
As for the risk (figure 2), some of the most common
Disponible également en français ones include:
Do you have
www.isaca.org/currentissue • Reputational risk—Damage to an organization’s something
reputation stemming from a social media mishap to say about
can bring the organization to its knees, whether this article?
Social media is a powerful tool that gives Visit the Journal
organizations the ability to expand their brand it is the chief executive officer (CEO) stating
pages of the ISACA®
something controversial on his/her Twitter account
value; it can also tarnish a brand overnight. There website (www.isaca.
are more than 18 social media platforms globally or an organization-bashing employee video that org/journal), find the
that have started to grow and have an enterprise- goes viral. According to a leading publisher, “A article and click on
level following, and this is only the beginning. reputational crisis can wipe tens of millions of the Comments link to
Given the visibility, risk, and real-time monitoring pounds from a company’s value, and this risk has share your thoughts.
and response required to effectively manage increased because the rise of online and social
social media channels, companies must establish media means crises are now less predictable and http://bit.ly/2sUGrw7
extensive protocols for use by their organization in can happen faster.”1
order to engage with external channels. Companies • Data security breach—According to research
representing themselves externally should engage from Forrester:
the appropriate and authorized spokespersons and
executives designated by their communications From reconnaissance to brand hijacking
department in order to speak to, initiate, provide and threat coordination, cyber criminals
and/or post information within the social media have been using social media to boost the
space. While there are several key risk factors to be effectiveness of their attacks for years. It’s
addressed relative to social media, there are many clear that social media risk isn’t solely about
rewards as well. Some of the most advanced topics brand and reputation damage but is a sinister
and benefits include (figure 1): cybersecurity threat that can lead to major
data breaches, numerous compliance issues,
• Connecting with customers—The ability to and large amounts of lost revenue due to
engage with customers is the most critical aspect of fraud and counterfeit sales, along with a slew
social media. Developing a brand and promoting it of other risks.2
through various channels of social media can create
further brand value and awareness. • Social engineering—Employees in almost all
organizations are savvy, and many have a social
• Marketing intelligence—Social media marketing media presence on major sites such as Facebook,
gives the organization the ability to monitor the LinkedIn, Quora and Twitter. Each platform has
brand and listen to what the public is saying in the
social media space. The insight is the reward the
Mohammed J. Khan, CISA, CRISC, CIPM
organization reaps by playing a larger role in social Is a global audit manager at Baxter International, a global medical device
media, which can be invaluable. The organization and health care company. He has more than 12 years of experience focused
can enhance its marketing, business development on providing privacy, security and information governance. Most recently,
efforts and other valuable venues to further its he has focused specifically on medical device cyber security, global privacy
ability to be competitive. frameworks, and helping his organization with strategic, cost-effective
initiatives in the audit and compliance space. Khan previously worked for
• Pulse on brand reputation—Keeping the pulse a leading consultancy firm as an assurance and advisory professional,
of the organization’s social media reputation and and prior to that, he worked as a global enterprise resource planning and
metrics is critical to staying ahead of the brand’s business intelligence professional at a leading technology firm. Khan has
recognition and signs of reputational risk. helped develop and author several publications and has presented at
industry conference events focusing on privacy and cyber security.

ISACA JOURNAL VOL 4 13


Figure 1—Organizational Benefits of Social Media

Reward 1

Reward 2

Connect Reward 3
Engage with
customers
Intelligence
Develop promotional Reputation Get Rewarded
material with industry Insight into
consortium competitors’ market Pulse on brands’
integrity in the
social media space
Build brand Relevance in the
awareness marketplace

Source: M. Khan. Reprinted with permission.

14 ISACA JOURNAL VOL 4


the potential to provide a hacker several key
Figure 2—Risk Factors for Social Media
data points about employees, which can enable Enjoying
use of the data to hack the employee account at
this article?
the enterprise layer by spoofing and launching a
social engineering attack on the company. Due to
1
• Learn more about,
the multitude of options of going through social Reputation
discuss and
media accounts with exposed data, attackers
collaborate on risk
can gather these data to further their advances in
management in the
terms of hacking into accounts.
2 Security
Knowledge Center.
• Compliance or regulatory violations—The Breach www.isaca.org/risk-
growing number of privacy changes and management
regulations globally is impacting how customer
data are utilized in the social media space. There Social 3
are four key areas with which to be concerned: Engineering
– Privacy
– Content ownership
– Intellectual property (IP) infringement Regulatory
4 and
– Unauthorized activities Compliance

Return on 5
Employees who Investment/
Reward
access social
media websites 6 Virus and
Malware
can act as brand
ambassadors; on Source: M. Khan. Reprinted with permission.

the other hand, media regularly, may result in the organization’s


their activity may increased visibility with authorities.

leave an open door Some industries may shy away from this situation
for viruses and in light of audits that occur due to being in the
social media space so frequently.
malware to enter • Return on investment—The benefit the
into the network. organization gains from being present in the
social media space is hard to calculate and very
subjective. The risk over reward, therefore, cannot
be calculated without proper assurance, which
leaves the decision to enter the social media
• Compliance to changing the regulatory
space questionable for some industries.
climate3—These regulatory changes require the
organization to adapt its strategy if it wishes to • Phishing—One of the popular techniques used
comply on a global basis. This approach, while by criminals is to get unknowing individuals
necessary for an organization that uses social to disclose personal information while posing

ISACA JOURNAL VOL 4 15


department, whether it is IT, finance, marketing
or human resources (HR), has a different
perspective of how social media can or will
be utilized by the department on behalf of the
organization. There is no prescribed rulebook
for eliminating social media risk to an enterprise;
however, some key areas to consider for preventing
social media risk are:

• Guidelines—As general best practice, a high-


level overall policy should be rolled out to guide
the use of social media by all employees of
the organization and any third party acting on
behalf of the organization. The guidelines should
highlight key components including:
– Scope—Defining the overall scope of the policy
as a fictitious representative of a legitimate guidelines that is set forth by the enterprise for
professional or company. This, primarily, is the its employees
key driver for collecting personal data for financial – Purpose—Definition of the purpose of the
gain to individuals or organizations. Due to the guidelines for the organization, specifically,
lack of awareness about the phishing techniques how social media activity on behalf of the
used by hackers, employees fall victim to email, organization will take place and what sort of
phone call and website phishing schemes, information is relevant to share via that activity
resulting in exposure to enterprise-level risk.

• Viruses and malware—Hackers’ ability to


penetrate the organization’s network via unsafe
social media websites and accounts opens a
A robust social
new threat vector. On one hand, employees who media crisis and
access social media websites can act as brand
ambassadors; on the other hand, their activity communication
may leave an open door for viruses and malware plan must be
to enter into the network. According to security
experts, “A majority of current attacks simply use developed in the
the social platforms as a delivery mechanism,
and have been modeled after the older Koobface
event that a crisis
malware.”4 occurs.
Preventing Social Media Risk
Some organizations struggle to develop the best – Goals—Clear definition of the overall outcome
solution to manage risk around social media. The that is to be achieved from the social media
first question to ask is who, in fact, owns the presence for the organization and how the social
social media platforms for the organization and, media platform will get the organization there
more importantly, the overall governance of the – Ownership guidelines—General guidelines for
social media of employees. Social media impacts the creation and maintenance of all social media
all departments of the organization, and each sites for the organization

16 ISACA JOURNAL VOL 4


– Contributor guidelines—General guidelines Conclusion
and principles directing contributors to the
social media sites Organizations that plan to increase or decrease their
– Approved social media platforms— presence on social media would be well advised
Expectation for departments assessing social to exercise awareness and vigilance. Different
media solutions outside of the company to industries may experience various benefits and
demonstrate how the social media presence will disadvantages to jumping on the social media
contribute to achievement of the overall goal bandwagon. Organizations planning to engage
and, more importantly, the platform’s degree of on social media platforms must have a clearly
utilization and security defined policy and communication plan in place.
Proper considerations should be made for good
• Training and awareness—It is key for the governance, a communication plan in the event of a
organization to embody the proper use of social breach, a social media policy and monitoring tools,
media etiquette as part of the onboarding training which are all important for enterprise-level social
of all employees, especially in roles such as media risk mitigation.
marketing, HR and IT—departments that will
most likely be representing the organization as Deciding which social media channels to use
part of their ongoing job functions. Embedding and performing due diligence and evolutionary
the behaviors and instilling the right concepts management of the social media space the
of social media norms that align with the organization enters are critical. The first step is to
organizational policies and processes will help understand the benefits and the disadvantages
in the long run as more and more employees while keeping in mind the basic steps that can be
participate on social media and represent their taken to mitigate risk.
organization and its products and interests.

• Social media crisis and communication Endnotes


plan—A robust social media crisis and
1 Spanier, G.; “Reputational Risk in the Social
communication plan must be developed in the
Media Age,” Raconteur, 11 June 2015, https://
event that a crisis occurs. There has to be a single
www.raconteur.net/business/reputational-risk-in-
point of contact, usually the communications
the-social-media-age
team, for all communication with the media and
2 Hayes, N.; “Why Social Media Sites Are the New
stakeholders. Key department personnel have
Cyber Weapons of Choice,” DarkReading,
to be involved, especially if there is a matter that
6 September 2016, www.darkreading.com/
applies to that specific department.
attacks-breaches/why-social-media-sites-are-the-
new-cyber-weapons-of-choice/a/d-id/1326802
It is critical to practice the plan in terms of
3 McNickle, M.; “5 Keys to the Legal Issues of
performing the scripted tasks required for
Social Media in Healthcare,” Healthcare IT News,
smooth control of the social media crisis that
2 July 2012, www.healthcareitnews.com/news/5-
is bound to happen to any organization as its
keys-legal-issues-social-media
social media presence increases over time. This
4 McAfee, “How Cybercriminals Target Social
requires significant amounts of collaboration and
Media Accounts,” https://www.mcafee.com/us/
communication across key departments and
security-awareness/articles/how-cybercriminals-
personnel at all times.
target-social-media-accounts.aspx

ISACA JOURNAL VOL 4 17


Mobile Workforce Security
Considerations and Privacy
as expected it is because working remotely is
Do you have Disponible également en français holding them back; therefore, they will work even
something www.isaca.org/currentissue more than the contractual hours to deliver. It also
to say about helps companies cut costs, especially in rent and
this article? utilities, and find skilled employees regardless of
Visit the Journal In 2012, a software developer who mainly worked their location. With the progress of technology, the
pages of the ISACA® remotely for a US firm had the idea of fully mobile workforce is a trend that is not going to stop
website (www.isaca. outsourcing his work to China.1 He was finally and will even expand. It is forecasted that by 2020,
org/journal), find the caught after a few months because of suspicions 72.3 percent of the US workforce will be remote.3
article and click on about the origination of his virtual private network
the Comments link to
(VPN) connections. Indeed, he literally sent his It is also clear that this modern workforce comes
share your thoughts.
physical VPN key access to his remote “employee” with risk, which can be substantial if not properly
to allow him to access the company’s systems. addressed.
http://bit.ly/2rCJ9IP
Although this story might appear to some extent
anecdotal, it raises some serious issues about Mobile Workforce and Technology
security considerations and even privacy around
remote working and what it entails. How is it Technology enables the mobile workforce. In recent
possible that an employee gave unauthorized years, many technology companies such as Google,
access to his company information to an outsider Amazon and IBM have started to invest massively to
for so long without it being noticed? What are offer cloud-based services to respond to businesses’
the legal and reputational consequences for the expectations. Beyond being willing to promote
company? Are the connections of employees workforce mobility, an investment should be made in
always monitored, and what are the employer’s technology to effectively implement it.
intentions when monitoring them?
With the development and continuous improvement
Remote working has a lot of advantages, both for of cloud technologies, it is now very easy to
the company and the employees. In the past years, bring almost all the tools used at the physical
it has become increasingly used by companies workplace to employees’ homes and even to their
as a perk. In some countries such as the UK, it is smartphones. In many companies, employees are
even an employee right to request mobile working.2 even allowed to use their own devices and install
The desire for mobility comes from the sense of security systems to secure information.
flexibility, liberty and self-management it entails,
especially for those who need to watch over their There are also many companies providing various
children and/or have a long commuting time to tools for videoconferencing, conference calls
reach their physical office location. It also gives a and document sharing such as Skype, Webex
sense of job ownership to the employees, although and Google Hangout, that enable connection
it often adds a “hidden” pressure on them. For and collaboration among employees and
example, remote employees do not want their with customers. One recent major example
management to think that if they are not delivering of investment in cloud-based technology is
PricewaterhouseCoopers’s (PwC’s) partnership
Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3 , PMP with Google to switch to collaborative tools in
Is a risk assurance professional with eight years of experience. He has order to stay at the forefront of the technology
worked at PricewaterhouseCoopers Cameroon, France and the United and use the full opportunity that mobile workforce
Kingdom. He is currently enrolled at London Business School, where he offers.4 According to a survey conducted by PwC,
is studying for a Master in Business Administration (MBA). He can be 77 percent of chief executive officers (CEOs)
reached at guy.hnd@gmail.com. believe that technologies are a top value driver for

18 ISACA JOURNAL VOL 4


feature
feature

secured, or they could choose to work in public area


like cafes, parks or bus stops. Of course, this causes
While the serious threats, not only to data integrity, but also to
the physical security of employees. These threats
negligence of are more easily mitigated when working in a physical
remote employees office because there are plenty of countermeasures
companies have been implementing for decades.
can be one major While the negligence of remote employees can be
source of risk one major source of risk related to the company’s
assets, there is also risk related to cloud technology.
related to the The key areas of risk to consider when it comes to a
mobile workforce follow.
company’s assets,
there is also risk Company Assets
The biggest risk in this area is loss or damage to the
related to cloud assets when they are in possession of the remote
technology. employees. These assets can be physical (laptops,
mobile phones, tablets) or logical (customers’ data,
employees’ data, other critical information). Threats
can range from a child pouring water on a laptop
collaboration.5 This is another indication that the to a device shared within the employee’s family
trend of workforce mobility is likely to continue. New without appropriate safeguards to a computer
related solutions and concepts are still to come. screen inadvertently left unlocked while displaying
sensitive information. There are many situations that
Other major beneficiaries of these cloud services
are entrepreneurs and start-ups, who have not
only seen a dramatic decrease in IT cost and skills
dependency from where they were years ago, but
also have been able to find the right people around
the world to support their business without having
to worry about immigration. This is particularly
important as the world is currently experiencing a
surge of start-ups, challenging existing business
models by introducing digitalization and big data.
In response to that, companies are transforming
their businesses to survive by following the trends.
Increasingly, customers’ data are collected, stored
and analyzed to predict customers’ needs.

Key Risks Associated With the


Mobile Workforce
As pointed out earlier, the goal of workforce mobility
is to enable employees to work wherever they want.
They could be working at home, which is relatively

ISACA JOURNAL VOL 4 19


can lead to the impairment of assets. In a simple activities and, therefore, increase their likelihood
example, Kendi, who is an employee of ABC, has of succeeding.
an important call to discuss confidential information.
She decides to make the call from her garden and Cloud Technologies
her neighbor and even one of her guests is listening Whether a company partially or totally outsources
to the conversation. In the worst-case scenario, its systems and infrastructures, typical IT risk
Kendi’s part of the conversation is recorded and related to confidentiality, integrity and availability
that information disclosed to the general public. The around IT governance and management, access
consequences could be catastrophic for her firm, its to programs and data, change management,
clients and even herself. and operations still holds. In addition to the risk
that usually exists in an office environment, the
risk arising from Internet use and all that entails
increases significantly. Indeed, because cloud
Companies need to be providers have many customers, the information
extremely careful about they store and manage has great value for hackers,
who will try to take advantage of Internet use to
regulations with which all the find breaches into the information system and gain

stakeholders involved in mobile access to the data.

working must abide. It is critical for companies to be aware that cloud


providers have their own employees who can
access companies’ data (thereby customers’ data)
and steal that data for various purposes.
Also, hackers or other individuals or organizations
willing to steal data from a company can take Regulation and Compliance
advantage of remote workers to accomplish their Depending on their activities, companies are
tasks knowing they are more likely to succeed by required to comply with various laws and regulations
attacking one isolated employee than breaking the regarding their information systems and the data they
security layers of an entire organization. manipulate. These regulations differ from one country
to another. In the US, health care data security
Personal Security is chiefly governed by the US Health Insurance
Employees who are carrying or storing important Portability and Accountability Act (HIPAA), while in the
assets of companies at home are at increased risk UK there are the National Health Service (NHS) Act of
of being attacked to take control of the asset. It can 2006, the Health and Social Care Act of 2012, and the
be a single robber who is willing to steal a mobile Data Protection Act.
phone and resell it without any knowledge of the
contents, or it can be a more organized criminal Companies need to be extremely careful about
group that is fully aware of the value of the data in regulations with which all the stakeholders
the employee’s possession. involved in mobile working must abide. In general,
companies are liable for the security of their
This is particularly true for workers who consistently information systems, regardless of whether or
work at home because the level of home security not they outsource their IT. It is the company’s
is unlikely to be as rigorous as at an office building, responsibility to ensure that customers’ data remain
and criminals realize, from the worker’s regular, confidential and accurate. If the cloud vendor or
daily routine, that they can take time to plan their a remote worker is located in a region or country

20 ISACA JOURNAL VOL 4


where data protection is not stringent, the data assets and resources should be used remotely to
could potentially be at risk. guarantee their security. The acceptable use policy
should clearly state what remote employees can or
Enjoying
Privacy Concerns cannot do with the assets of the company, placing
this article?
particular emphasis on personal use.
When setting up policies relating to the mobile • Read ISACA
workforce, companies may take actions that can Human resources policies have to be clear on Privacy Principles
be viewed as privacy breaches for employees. privacy issues, so those policies should clearly and Program
Some companies monitor all activities (including define the boundaries within which monitoring and Management Guide.
communication) and files on devices given to the (potentially) tracking will be performed and how www.isaca.org/
employees and even track their location. Of course, employees’ privacy is protected by the company. privacy-principles
if there is no mandatory regulation that protects Companies should make sure that their employees
employees’ privacy, there can be abuses that can are aware of those policies and have given their • Learn more about,
have tragic consequences. consent. These policies should be enforced discuss and
and monitored by an independent function, and collaborate on
Companies will always promote the benefits of employees should have a dedicated person or team security policies
monitoring their devices for security or business to speak to if they feel that their privacy is and procedures
reasons, but employees need to be aware of not respected. in the Knowledge
privacy concerns and ensure that their personal life Center.
and information will not be impacted. According to www.isaca.org/
a survey conducted by MobileIron, 30 percent of information-security-
mobile employees are ready to quit their company if policies-and-
their devices are monitored.6
Actively involving procedures
employees in defining
Working remotely can often affect or expose your
family. Recently, the children of Professor Robert and monitoring the
Kelly walked into his office during his television
interview with the BBC, followed by his wife, who
security of company
was trying to pull them out of sight. That video was assets gives them
viewed millions of time on social media networks,
and his family became public.
a better sense of
ownership and
Recommendations
increases compliance
There are several measures companies can take
to protect their assets and resources. The first is to the security
to clearly identify and document all potential policies.
security and privacy risk areas that relate to mobile
working. It will help the company to structure its
response to those risk areas and find appropriate
measures. Some typical responses that can be
Training and Awareness Programs
implemented follow.
One of the most effective ways to secure company
assets is to offer regular training and awareness
Security and Privacy Policies
campaigns. These events should describe the
Appropriate policies and related procedures
risk associated with information systems used
should be defined to give clear directions on how

ISACA JOURNAL VOL 4 21


by employees who are working remotely and the In relation to the last item, the vendor should be
potential consequences of a privacy breach for able to produce a third-party assurance report,
the employee, the company, its customers and signed by an independent auditor, which shows the
staff. The awareness communications should status of its internal security control. Of course, the
discuss topics ranging from avoiding domestic provider’s system of internal control should always
accidents that can damage assets to not plugging be in addition to the controls managed and operated
an unknown universal serial bus (USB) drive into a by the company itself. It is worth noting that just
company laptop to using public devices to access receiving the report is not sufficient; companies need
business applications. Ultimately, employees have to analyze it in detail and ensure that the level of
to commit to information security; otherwise, many security is appropriate to their business.
other measures could be useless.
Secure Remote Communications
Actively involving employees in defining and Remote communication is definitely one of the
monitoring the security of company assets key areas to look at carefully with regard to mobile
gives them a better sense of ownership and working. The company’s systems are not only
increases compliance to the security policies. accessed from its offices, but also from unknown
Also, remote workers have to be consistently made locations that can present their own risk and
aware that their personal security could be at risk weaknesses. To avoid, or at least to significantly
and they should do their best to avoid being in decrease, the risk of intrusion into company
threatening situations. systems, continuous network monitoring should be
performed using the most advanced and up-to-date
technology the company can afford.

Critical data should be In addition, critical communications between


encrypted, and strong password devices and the company’s servers should
be encrypted. Employees should regularly
and session security configuration be made aware to avoid using public Wi-Fi,
should be enforced. unless appropriate security measures (e.g., VPN
connection) have been implemented.

Secure Devices and Their Content


Insurance If a device is lost, intruders can easily get access if
If customers’ data are disclosed, financial damage it has not been properly secured. Therefore, critical
can be significant. By taking out an insurance policy data should be encrypted, and strong password
against loss or damage of assets, companies can and session security configuration should be
protect themselves against such costs. Of course, enforced. The screen lockdown after a period of
the insurance premium can potentially rise due to inactivity should be set to a low value. Antivirus
the increased risk arising from remote working. software should be regularly updated using a
“push” method, and devices whose antivirus
Monitoring Cloud Providers software is not up to date must be restricted from
The choice of cloud provider is the key decision connecting remotely to critical systems.
companies must make once they commit to using
cloud services. The provider must be appropriate From a physical perspective, computer locks can
not only in terms of cost, but also with regard to be given to employees so they can physically lock
reputation, compliance with regulations and evidence their computer when they are away from it. On
of a strong control culture. mobile phones or tablets, device management

22 ISACA JOURNAL VOL 4


applications and suites such as Good or MobileIron 4 Archer, T.; M. Daigle; “PwC and Google for Work,”
can help secure business data. https://gsuite.google.co.uk/intl/en_uk/learn-more/
pwc_and_google_bringing_transformation_to_
Endnotes work.html
5 PricewaterhouseCoopers, “Redefining Business
1 BBC, “US Employee ‘Outsourced Job to Success in a Changing World—CEO Survey,”
China’,” 16 January 2013, www.bbc.co.uk/news/ January 2016, https://www.pwc.com/gx/en/
technology-21043693 ceo-survey/2016/landing-page/pwc-19th-annual-
2 Gov.UK, “Flexible Working,” https://www.gov.uk/ global-ceo-survey.pdf
flexible-working/overview 6 Cook, D.; “Employees Expect Mobile Device
3 The Telegraph, “Today’s Mobile Workforce: Privacy at Work,” BenefitsPro, 22 July 2015,
Any Time, Any Place,” 5 September 2016, www.benefitspro.com/2015/07/22/employees-
www.telegraph.co.uk/business/ready-and- expect-mobile-device-privacy-at-work
enabled/todays-mobile-workforce-any-time- 7 BBC, “BBC Interview With Robert Kelly
any-place/ Interrupted by Children Live on Air,” 10 March
2017, www.bbc.co.uk/news/world-39232538

ASK
how you can make more
connections locally and globally
with ISACA’s Member Advantage.

Members know that community ACCESS includes special opportunities that only
counts! ISACA’s Member members can receive:
Advantage helps connect you with • Insights from Global Conferences with thought leaders
over 150,000 professionals in more • Invitations to online career fairs—connect with hiring
than 180 countries. Network locally managers at top companies
through your chapter and meet • Professional networking through local and global
like-minded people who can enhance events—be sure to get your member discount!
your skills, connections, business • NEW Volunteer opportunities on the 2017 horizon
development efforts and future • Professional and Industry Advocacy
prospects for employment. And members have access to 72 FREE CPEs in 2017!

ASK to see all of the access you will gain as


a member at www.isaca.org/justask

ISACA JOURNAL VOL 4 23


Exploring How Corporate
Governance Codes Address
IT Governance
IT governance, also referred to as governance of • Strategic alignment—Focuses on aligning
Do you have enterprise IT (GEIT) or corporate governance of IT, is business and IT strategies and operations
something a subset of corporate governance that is concerned
• Value delivery—Concentrates on optimizing
to say about with enterprise IT assets. In an analogy to corporate
this article? expenses and proving the value of IT
governance, IT governance is concerned with the
Visit the Journal oversight of IT assets, their contribution to business • Risk management—Addresses the IT-related
pages of the ISACA® value and the mitigation of IT-related risk.1 A business risk
website (www.isaca.
commonly referenced definition states:
org/journal), find the • Resource management—Optimizes IT-related
article and click on knowledge and resources
the Comments link to Enterprise governance of IT is an integral
share your thoughts. part of corporate governance exercised by • Performance measurement—Monitors IT-
the board and addresses the definition and enabled investment and service delivery
http://bit.ly/2sh4jNu implementation of processes, structures and
relational mechanisms in the organization Emerging research calls for more board-level
that enable both business and IT people to engagement in IT governance and identifies
execute their responsibilities in support of serious consequences for enterprises if the
business/IT alignment and the creation of board is not involved. For example, high levels of
business value from IT-enabled business board engagement in IT governance, regardless
investments.2 of existing IT needs, increases enterprise
performance.7 From the board perspective, there is
Prior studies identify five domains that warrant also a growing need to comply with an increasing
oversight of the board of directors (BoD) and amount of regulatory and legal requirements (e.g.,
executive management in governing IT assets:3, 4, 5, 6 privacy), of which many also impact IT. These

Steven De Haes, Ph.D. Tim Huygh


Is a full professor of information systems Is a Ph.D. candidate in information technology
management at the University of Antwerp— governance at the department of management
Faculty of Applied Economics and at the Antwerp information systems of the Faculty of Applied
Management School (Belgium). He is actively Economics at the University of Antwerp. His
engaged in teaching and applied research in the research interests include IT governance and
domains of digital strategies; IT governance and management, and business/IT alignment.
management; IT strategy and alignment; IT value
and performance management; IT assurance Salvi Jansen
and audit; and information risk and security. He Is a business engineer in management
acts as the academic director for this research information systems and a consultant at
program. KPMG Advisory in Belgium. Working in the IT
governance and strategic alignment field, he
Anant Joshi, Ph.D. aims to provide the business with fact-based
Is a researcher at the University of Antwerp and insights and enjoys delivering audit and advisory
Antwerp Management School (Belgium) and engagements in a variety of sectors. His research
an assistant professor at Maastricht University interest is IT governance and focuses on the
(The Netherlands). His research interests include processes, controls and capabilities that are
corporate governance of IT, business value of IT needed at the executive level to direct and
and corporate governance. control IT management.

24 ISACA JOURNAL VOL 4


feature
feature

regulatory requirements redefine the responsibilities behavior of the board toward IT governance and
of the BoD for IT governance.8 digital leadership can be influenced by external
factors, such as corporate governance codes,12 and
describes the study that answers the questions:

• What IT governance-related guidelines are


Despite the contained in national corporate governance codes?
agreement between • What differences can be observed between
researchers and various corporate governance codes?

practitioners on Research Design


the need for board- The research began with a literature review to

level involvement underpin the study and to define the main concepts
that were used in the research project.
in IT governance, it
Next, a sample of international corporate governance
appears that this is codes was analyzed. The selection of national
more the exception corporate governance codes was based on two
dimensions—geography (i.e., continent) and economy
than the rule in (i.e., income groups). Using an index of all of the

practice. corporate governance codes around the world,13 a


national corporate governance code was selected to
populate as many cells as possible (figure 1). When a
country had multiple corporate governance codes, the
Despite the agreement between researchers most recent code for listed companies was selected.
and practitioners on the need for board-level An additional requirement was that the corporate
involvement in IT governance, it appears that this is governance code should be available in English. The
more the exception than the rule in practice.9, 10, 11 final sample of national corporate governance codes
This article builds on the assumption that the (N=15) is presented in figure 1.

Figure 1—Final Sample of National Corporate Governance


Codes by Continent and Income Group (N=15)
Continent
North South
Africa Asia Europe Australia America America
Income High Seychelles Japan (JP) Belgium (BE) Australia (AU) United States –
group (SC) (US)
Middle South Africa Lebanon (LB) Macedonia Fiji (FJ) Mexico (MX) Brazil (BR)
(ZA) (MK)
Low Ghana (GH) India (IN) Armenia (AM) – – Guyana (GY)
Source: S. De Haes, A. Joshi, T. Huygh, and S. Jansen. Reprinted with permission.

ISACA JOURNAL VOL 4 25


26
Fiji (FJ)
India (IN)
Japan (JP)
Ghana (GH)

Brazil (BR)
Belgium (BE)
Lebanon (LB)

Guyana (GY)
Mexico (MX)
Country

Australia (AU)
Armenia (AM)
Seychelles (SC)
South Africa (ZA)

Macedonia (MK)
Year

2011
2009
2010
2008
2014
2010
2006
2009
2009
2010
2015
2010
2009
2010

ISACA JOURNAL VOL 4


42
24
28
44
27
66
44

16
74
42
United States (US) 2013 27
16
44
18
26
Code Info
Pages

X
IT expert on the board

X
IT expert with experience on the board

X
A chief information officer (CIO) or an equivalent position in the firm

X
IT committee

X
IT risk is part of audit committee or risk committee

X
IT is part of audit committee

(ITSA)

X
IT steering committee
IT planning committee
Technology committee

IT Strategic Alignment

X
IT committee at an executive level

Source: S. De Haes, A. Joshi, T. Huygh, and S. Jansen. Reprinted with permission.


CIO or equivalent is on the board

X
IT governance framework standard: ITIL/COBIT®/ISO, etc.

X
IT as an issue in the board meeting

X
Suggestion/decision/advice by the board on IT
Special report/section on IT/IT projects in annual report

X
IT mentioned as a strategic business issue
transparency framework was used.14 This IT

following domains (focus areas): IT strategic


disclosure items that are distributed over the

IT projected as strength
governance disclosure framework contains 39
To analyze each corporate governance code for
IT-governance-related content, an IT governance

IT projected as opportunity
(ITVD)

Project updates or comments


IT is explicitly mentioned for achieving specific business objectives
IT Value Delivery

Comments/updates on IT performance
IT training
Green IT
Direction and status about IT outsourcing and insourcing
IT Governance Disclosure Items

X
IT is referred under the operational risk

X
Special ITRM program

X
X
X
X
X
X

X
X
X
X
X
Use of IT for regulation and compliance
IT/electronic data processing (EDP) audit
(ITRM)
IT Risk

X
Information and security policy/plan (IT security)
Management

The role of IT in accounting and the reporting standards (IAS)

X
Operations continuity plan
Explicit information on IT expenditure
IT budget
IT hardware cost
IT software cost
Figure 2—Item-level Analysis of Corporate Governance Codes for IT Governance-related Guidance

Explicit IT manpower cost is mentioned


and IT performance measurement (figure 2).

overlays all other focus areas,15 the framework


Because the IT resource management domain

IT expenses are mentioned under administrative cost


alignment, IT value delivery, IT risk management

IT Performance
remaining IT governance focus areas.16 Using the

IT-related assets are mentioned under intangible assets


Measurement (ITPM)
incorporates IT resource items across all of the four

Direct cost on IT is mentioned in currency or percentage


IT governance transparency framework as a coding compliance. Finally, the IT is part of audit committee
frame, a binary classification approach was used to item, belonging to the IT strategic alignment Enjoying
analyze the national corporate governance codes, domain, is also found in the Macedonia corporate
i.e., an item is scored 1 if the item is present as a
this article?
governance code. These are the only two disclosure
guideline or practice in the corporate governance items that were found in corporate governance
• Learn more
code and scored 0 otherwise. codes other than South Africa.
about, discuss
and collaborate
Corporate Governance Codes Make Indeed, the South Africa corporate governance
on governance of
Little Reference to IT Governance code, King III,19 contains a significant amount of
enterprise IT (GEIT)
or Digital Leadership IT-governance-related guidance. King III came into
in the Knowledge
effect for South African entities beginning 1 March
Figure 2 presents the item-level analysis of the 15 Center.
2010 and is applicable to all entities (regardless of
corporate governance codes for IT governance- www.isaca.org/
their size and whether or not they are listed). King
related content. A first general observation is that, governance-of-
III contains an IT-governance chapter consisting of
aside from the South African code, the corporate enterprise-it
seven IT-governance principles and some additional
governance codes score very low overall for and more detailed recommended practices for each
including IT-governance-related practices or of these principles (figure 3).20
guidelines. A reasonable explanation is that many
national corporate governance codes are based Conclusions and Implications
on the Organization for Economic Cooperation
and Development (OECD) principles of corporate In this research project, a selection of national
governance.17 Eight of the 15 national corporate corporate governance codes was analyzed for
governance codes explicitly state that they are IT governance-related content. The findings
based on the OECD principles. The remaining showed that only the contemporary South African
seven corporate governance codes show a lot corporate governance code, King III, contains
of similarities with the OECD principles, but do a significant amount of IT governance-related
not explicitly refer to OECD. Because the G20/ guidance.
OECD principles do not include specific directives
regarding IT governance or IT-governance As IT becomes more pervasive in firms all over
disclosure (aside from using the company the world, it makes sense for boards to take on
website as a disclosure channel for material accountability for IT-related matters. This view is
company information), it is not an unreasonable shared by researchers and practitioners alike. In
assumption that this might lead to a low attention transitioning from COBIT® 4.1 to COBIT® 5, ISACA®
to IT-governance-related matters in the national clearly emphasized the need for board involvement
corporate governance codes that use these in enterprise governance and management of
principles as a blueprint. IT. It did so by explicitly including board-level
accountabilities and responsibilities in the EDM
An interesting observation at the item level is that domain, thereby further emphasizing the separation
use of IT for regulation and compliance in the IT between the governance and management of
risk management domain is found in 11 of the 15 IT. Because boards around the world are directly
selected corporate governance codes. Again, a influenced by corporate governance codes, it
reasonable explanation can be found in the G20/ makes sense for the committees that are drafting
OECD principles on corporate governance. As part national corporate governance codes to include
of disclosure and transparency, it states that the guidance for board members, to enable them for
organization website provides an excellent means their accountabilities and responsibilities in the
to disclose material company information.18 This realm of IT governance.
is, indeed, a way of using IT for regulation and

ISACA JOURNAL VOL 4 27


Figure 3—King III IT Governance Principles and Recommended Practices
Principle Description Recommended Practices
5.1 The board should be responsible for • 5.1.1. The board should assume the responsibility for the
information technology governance. governance of IT and place it on the board agenda.
• 5.1.2. The board should ensure that an IT charter and policies are
established and implemented.
• 5.1.3. The board should ensure promotion of an ethical IT
governance culture and awareness of a common IT language.
• 5.1.4. The board should ensure that an IT internal control
framework is adopted and implemented.
• 5.1.5. The board should receive independent assurance on the
effectiveness of the IT internal controls.
5.2 IT should be aligned with the • 5.2.1. The board should ensure that the IT strategy is integrated
performance and sustainability with the company’s strategic and business processes.
objectives of the entity. • 5.2.2. The board should ensure that there is a process in place to
identify and exploit opportunities to improve the performance and
sustainability of the company through the use of IT.
5.3 The board should delegate the • 5.3.1. Management should be responsible for the implementation
responsibility for the implementation of the structures, processes and mechanisms for the IT governance
of an IT governance framework to framework.
management. • 5.3.2. The board may appoint an IT steering committee or similar
function to assist with its governance of IT.
• 5.3.3. The chief executive officer (CEO) should appoint a CIO
responsible for the management of IT.
• 5.3.4. The CIO should be a suitably qualified and experienced
person who should have access and interact regularly on strategic
IT matters with the board and/or appropriate board committee and
executive management.
5.4 The board should monitor and • 5.4.1. The board should oversee the value delivery of IT and
evaluate significant IT investments and monitor the return on investment from significant IT projects.
expenditure. • 5.4.2. The board should ensure that intellectual property contained
in information systems is protected.
• 5.4.3. The board should obtain independent assurance on the IT
governance and controls supporting outsourced IT services.
5.5 IT should form an integral part of the • 5 .5.1. Management should regularly demonstrate to the board that
entity’s risk management process. the company has adequate business resilience arrangements in
place for disaster recovery.
• 5 .5.2. The board should ensure that the company complies with IT
laws and that IT-related rules, codes and standards are considered.
5.6 The board should ensure that • 5 .6.1. The board should ensure that there are systems in place for
information assets are managed the management of information, which should include information
effectively. security, information management and information privacy.
• 5 .6.2. The board should ensure that all personal information is
treated by the company as an important business asset and is
identified.
• 5 .6.3. The board should ensure that an information security
management system (ISMS) is developed and implemented.
• 5 .6.4. The board should approve the information security strategy
and delegate and empower management to implement the
strategy.

28 ISACA JOURNAL VOL 4


Figure 3—King III IT Governance Principles and Recommended Practices (cont.)
Principle Description Recommended Practices
5.7 A risk committee and audit committee • 5.7.1. The risk committee should ensure that IT risk is adequately
should assist the board in carrying out addressed.
its IT responsibilities. • 5.7.2. The risk committee should obtain appropriate assurance that
controls are in place and effective in addressing IT risk.
• 5.7.3. The audit committee should consider IT as it relates to
financial reporting and the going concern of the company.
• 5.7.4. The audit committee should consider the use of technology
to improve audit coverage and efficiency.
Source: Institute of Directors in South Africa; King III Code of Corporate Governance for South Africa, 2009, https://c.ymcdn.com/sites/www.iodsa.co.za/
resource/collection/94445006-4F18-4335-B7FB-7F5A8B23FB3F/King_III_Code_for_Governance_Principles_.pdf

Acknowledgment 5 Posthumus, S.; R. Von Solms; “The Board


and IT Governance: Towards Practical
This research is part of a co-created research project Implementation Guidelines,” Journal of
by KPMG Belgium, CEGEKA Belgium, Samsung Contemporary Management, vol. 7, 2010,
Belgium, the Antwerp Management School and the p. 574-596
University of Antwerp (Belgium). The leadership role 6 Valentine, E.; G. Stewart; “Enterprise Business
of the industry partners in supporting this research Technology Governance: Three Competencies
is focused on better understanding the crucial to Build Board Digital Leadership Capability,”
accountability of the BoD in governing digital assets 48th Hawaii International Conference on System
and providing solutions and tools for these board Sciences, IEEE, 2015, p. 4513-4522,
members to assume their accountability. http://ieeexplore.ieee.org/document/7070359/
7 Turel, O.; C. Bart; “Board-level IT Governance
Endnotes and Organizational Performance,” European
Journal of Information Systems, vol. 23, iss.
1 Weill, P.; J. Ross; IT Governance: How Top
2, 2014, p. 223-239, http://link.springer.com/
Performers Manage IT Decision Rights for
article/10.1057%2Fejis.2012.61
Superior Results, Harvard Business School
8 Trites, G.; “Director Responsibility for IT
Press, USA, 2004, www.abebooks.com/book-
Governance,” International Journal of
search/isbn/1591392535/
Accounting Information Systems, vol. 5.,
2 De Haes, S.; W. Van Grembergen; Enterprise
iss. 2, 2004, p. 89-99, www.sciencedirect.com/
Governance of Information Technology,
science/article/pii/S1467089504000089
Springer, Germany, 2015, www.springer.com/
9 Bart, C.; O. Turel; “IT and the Board of Directors:
gp/book/9781441946621
An Empirical Investigation Into the Governance
3 Butler, R.; M. J. Butler; “Beyond King III:
Questions Canadian Board Members Ask
Assigning Accountability for IT Governance
About IT,” Journal of Information Systems:
in South African Enterprises,” South African
Fall 2010, vol. 24, iss. 2, 2010, p. 147-172,
Journal of Business Management, vol. 41,
http://aaajournals.org/doi/abs/10.2308/
iss. 3, 2010, p. 33-35
jis.2010.24.2.147
4 IT Governance Institute, Board Briefing on IT
10 Andriole, S.; “Boards of Directors and
Governance, 2nd Edition, 2003,
Technology Governance: The Surprising
www.isaca.org/knowledge-center/research/
State of the Practice,” Communications of the
researchdeliverables/pages/board-briefing-on-
Association for Information Systems,
it-governance-2nd-edition.aspx
vol. 24, article 22, 2009, http://aisel.aisnet.org/
cgi/viewcontent.cgi?article=3418&context=cais

ISACA JOURNAL VOL 4 29


11 Coertze, J.; R. Von Solms; “The Board and CIO: 5 
1 Op cit, IT Governance Institute
The IT Alignment Challenge,” 47th Hawaii 16  Op cit, Joshi
International Conference on System Sciences, 17 Organisation for Economic Co-operation
IEEE, 2014, http://ieeexplore.ieee.org/ and Development, G20/OECD Principles of
document/6759147/ Corporate Governance, 30 November 2015,
12 Parent, M.; B. H. Reich; “Governing Information www.oecd-ilibrary.org/governance/g20-
Technology Risk,” California Management oecd-principles-of-corporate-governance-
Review, vol. 51, iss. 3, 2009, p. 134 2015_9789264236882-en
13 European Corporate Governance Institute, 18  Op cit, OECD
“Index of Codes,” www.ecgi.org/codes/all_ 19 The next version of the Corporate Governance
codes.php Code, King IV, will be released in 2017.
14 Joshi, A.; L. Bollen; H. Hassink; “An Empirical 20 Institute of Directors in South Africa; King III
Assessment of IT Governance Transparency: Code of Corporate Governance for South Africa,
Evidence from Commercial Banking,” 2009, https://c.ymcdn.com/sites/www.iodsa.
Information Systems Management, 2013, co.za/resource/collection/94445006-4F18-
www.tandfonline.com/doi/abs/10.1080/ 4335-B7FB-7F5A8B23FB3F/King_III_Code_for_
10580530.2013.773805 Governance_Principles_.pdf

Pinpoint your next job opportunity


with ISACA’s CareerLaser
ISACA’s CareerLaser newsletter offers monthly updates on the latest jobs, top-of-mind industry news,
events and employment trends to help you navigate a successful career the information systems industry.
Let CareerLaser become your top resource for quality jobs matched specifically to your talents in audit,
assurance, security, governance, risk management and more.

Subscribe today by visiting www.isaca.org/careerlaser

Visit the ISACA Career Centre at www.isaca.org/careercentre to


find additional career tools, including access to top job candidates.

30 ISACA JOURNAL VOL 4


feature
feature

A Guide to Auditing Attachment


Fields in Access Databases
Attachments are popular in several accounting examples include contracts attached to customer
contexts. Many of the same file types that can or supplier records, employment records, various Do you have
be attached to emails can also be attached to types of inspection reports and patient records. something
the records in databases. For example, a user Clients may not give much thought to attachment to say about
could store PDF files of professional certifications fields, including why they should name or store this article?
in attachment fields, thereby helping to maintain them systematically. However, if attachment files Visit the Journal
complete records of employee accreditations. require further inspection, auditors need to know pages of the ISACA®
website (www.isaca.
Examples of database attachment files include: how to create attachment fields in databases, how
org/journal), find the
to advise clients why some naming or storage
• Microsoft Word documents such as contracts, job article and click on
approaches are better than others, and how to the Comments link to
applications, work orders and tax returns
query attachment fields effectively. These queries share your thoughts.
• Photographs such as pictures of clients, assets include the ability to automate tests for the:
and professional events http://bit.ly/2sF0hfa
• Existence of attachment files
• Spreadsheets such as budgets and forecast
• Absence of attachment files
projections
• Ability to find specific types of attachments using
• Audio files such as WAV files of phone
various query tools
conversations

• Video files such as recordings of interviews with Microsoft Access is one of several databases that
clients and job applicants support attachment fields. Other popular systems
include Oracle, Informix and most alternate
• Specialized files such as PowerPoint files of
Microsoft products, such as Microsoft SQL Server.
presentations and PDF files of legal documents
Many database systems also allow users to
download smaller data sets into Access (sometimes
Because of the popularity of attachment fields,
using third-party tools), which is a convenient
an auditor may encounter client data that include
attached files or may be asked how best to store
such information in database records. Some

Joshua J. Filzen, Ph.D., CPA


Is assistant professor of accounting in the
College of Business and Economics at Boise
State University (Idaho, USA).

Mark G. Simkin, Ph.D.


Is professor of information systems in the
College of Business at the University of Nevada
(USA). He is the author or coauthor of more
than 100 journal articles. His new book, Core
Concepts of Accounting Information Systems,
published by John Wiley and Sons, will be
available in November of 2017.

ISACA JOURNAL VOL 4 31


feature for auditors who are more familiar with The examples illustrate the tasks using Access
Microsoft tools than tools requiring SQL logic. 2016, but most of the discussions and figures also
apply to Access 2013.
This article describes how to create and view
attachment fields and how to audit attachment Creating and Viewing Attachments
fields in Access databases. It further explains how
to perform some useful audit tasks if an auditor Creating and viewing attachments in databases like
encounters databases that include attachment Access is relatively straightforward. The discussions
fields. This article discusses this functionality using that follow briefly review these tasks
the example of organizing hiring documents that for those unfamiliar with them.
are associated with a job candidate search. This
example is used because of its broad applicability. Creating Attachment Fields
It assumes that readers have a working knowledge If a business owner wants to store electronic
of Access, but not necessarily attachment fields. information about job applicants—for example,
Word or PDF documents—one way to do this is
Figure 1—Defining an Attachment Data Field in Access to store them as attachments to each applicant’s
record in an applicant database table. Figure 1
illustrates the design for this table, which lists some
exemplary data fields and their data types. To
create an attachment field:

1. Add a field for attachments to the main record list


of fields.

2. Name the field (it does not have to be called


“ApplicantAttachments” as shown in figure 1).

3. Select the “attachment” data type for the new


attachments field from the drop-down list, as
shown in figure 1.
Source: Microsoft Corporation. Reprinted with permission.
4. To attach specific files to the attachments field,
switch to the datasheet view (shown in figure 2)
Figure 2—How to Add a File to an Attachment Field and double-click on the attachment field of a
particular applicant’s record. This launches the
Attachments dialog box (see the open dialog box
in figure 2).

Note: Access replaces the field name


(“ApplicantAttachments”) of an attachment data-
type field with a paper clip symbol. To display
The number in the desired field name instead of the paper clip
parentheses is
the number of symbol, specify the desired field name (e.g.,
attachments for “Applicant Letters”) in the “Caption” setting of
this record.
the Field Properties for this field.

Figure 2 illustrates that the content of attachment


data-type fields (for example, in the first record)
also contains the paper clip symbol. A “(0)” in the
applicant-record Attachments field indicates that
there are no attachments.
Source: Microsoft Corporation. Reprinted with permission.

32 ISACA JOURNAL VOL 4


5. To add attachments, click on the Add button in the Open button on the right, or double-click the
the Attachments dialog box. The Choose File filename itself.
dialog box (not shown) will be displayed.
An attachment opens in its parent software,
6. In the Choose File dialog box, select the particular
which Access launches when a user selects
file to attach to the record and then click OK in the
the attachment for viewing. For example, if
Attachments dialog box. The system returns to the
the attached file is an Excel spreadsheet, then
data sheet view of records (figure 2). The paper
Access launches the Excel parent software.
clip (attachments) field for the applicant record
Opening attachments allows auditors to view
contains (1), indicating that the attachments field
now contains one attachment.
Figure 3—An Attachment Data Field With Two Attachments
Attaching Multiple Files to a Record
Normally, each field of a database record can only
contain one piece of information. The exception is
the attachment data-type field of a record, which
can contain multiple files.

To add another attachment to an attachment data-


type field, repeat steps 5 and 6 in the previous
section. Figure 3 illustrates the example applicant
record with a picture file attachment and a résumé
file attachment.

The ability to store multiple attachments in the


same data field can be a disadvantage if the field
contains many files. For example, if an Access table
of car accidents contains picture files of accidents
and written report files about them, then a single Source: Microsoft Corporation. Reprinted with permission.

attachment data-type field may not be the best way


to store them. In these instances, auditors can advise Figure 4—Viewing an Attachment Field in Datasheet View
clients to create two attachment data-type fields per
record—one to store pictures and a second field to A paper clip
symbol
store written reports. This approach can also improve replaces the
the auditability of the database records. field name.

Viewing Attachment Fields The


An auditor can inspect the contents of attachment number in
parentheses
fields in two ways—in the datasheet view and in a is the
database form. number of
attachments
for this
Datasheet View record.
To view attachments in the datasheet view:

1. Go to the datasheet view (shown in figure 4),


and double-click on the attachment field of an
applicant’s record. This launches the Attachments
dialog box (see the open dialog box in figure 4).

2. In the Attachments dialog box, either click the


attachment name once to select it and then click Source: Microsoft Corporation. Reprinted with permission.

ISACA JOURNAL VOL 4 33


photographs, Word documents and spreadsheet filenames of other file types that are stored in
attachments; listen to an audio attachment; play the attachment field—a convenient way to view
a video attachment; or use other parent software several attachment photographs quickly and
to view an attachment in the same way that email speed up the audit process.
software opens email attachments.
3. To open and view an attachment that is not a
photograph (e.g., a Word document, PDF file,
In the dialog box of figure 4, be careful not to
audio file or video file) and for which only a
click the Remove button. Clicking the Remove
filename displays, double-click the filename in
button permanently deletes the selected file as an
the attachment area of the form. Access will
attachment, and the action cannot be undone. If
launch the appropriate parent software and open
an attachment is accidentally removed, it must be
the file for viewing.
added as an attachment to the record again, using
the instructions in the “Creating Attachment Fields”
Attachment Field Rules
section, beginning with step 4.
Figure 6 lists some important Access guidelines
that auditors should know.
Database Form View
A database form is a convenient way to view
photograph attachments. To view attachments in a Figure 6—Rules Governing the Creation
database form: and Use of Attachment Fields
1. The size of an attached file must be no larger than
1. Create a database form for a database record 256 Mb.
(figure 5). When a form becomes active, Access
2. There is a maximum of 500 files per attachment field,
displays the first photograph (or the filename of
but a record design can contain several attachment
another file type, if photographs are not the only file fields.
type attached) of the attachment field in the record.
3. The attachments stored in a database are static and
2. To quickly review additional files (photographs will not automatically update if new underlying data
and other file types) in an attachment field, click (e.g., a new applicant photograph) become available.
the displayed photograph or filename in the 4. The maximum size limit for an Access database
attachment. A navigation bar displays above the is 2 GB, which limits the total size or number of
attachments that are stored in the database.
field, as shown in figure 5.
5. The contents of an attached file, e.g., the name of a
Click the navigation bar arrows to scroll through company contained in a Word document attachment,
are not searchable. Therefore, queries are constrained
and view additional photographs and the to the attachment field itself.
Figure 5—Viewing an Attachment Field in a Database Form 6. It is only possible to edit an attachment if the local
computer has the necessary software, e.g., Microsoft
Navigation bar Word if the attachment is a Word file. Edited files
for viewing
multiple must be removed, modified and then reattached.
attachments. 7. Users can only add or delete attached files through
the Attachments dialog box.
8. If needed, Access compresses files that are
uncompressed in attachments before storing them.
9. Generally, users can attach files from any location on
their disk drives or networks.
10. Users can work with attachments programmatically,
using Visual Basic for Applications (VBA) and the new
Attachment object. This object supports a number of
properties, methods and events.
Source: J. Filzen and M. Simkin. Reprinted with permission.

Source: Microsoft Corporation. Reprinted with permission.

34 ISACA JOURNAL VOL 4


Creating Audit Queries of attachment document for a specific record. In
Attachment Fields Access parlance, this is an example of an exact-
match query.
One of the advantages of using databases such as
Access to store various types of data is the ability to Access can search all record attachment files in
create queries to find information quickly—a way of a table of records and display only the record(s)
automating the audit process. This advantage also containing the desired file(s). For example, to verify
applies to attachment fields. For example, it could the presence of a photograph file named JoshPicture.
be used to identify all employees who do not have a jpg, create a query to search for this filename directly.
current picture on file. If all of the picture files were Enter the full filename, including the file extension
organized in system file folders, the search might (.jpg) in the Criteria cell for the Attachments field
require a lengthy manual inspection, even though (figure 7). The query finds the record containing the
the storage medium is electronic. Alternatively, if the photograph file, even if the record contains several
pictures were stored in the attachment fields of an files in addition to the queried file.
Access database, a simple query can immediately
identify all records that are missing photographs. Figure 7 shows quotation marks around the
filename. Access adds these marks automatically to
This section presents different ways that auditors signify that this is an exact-match query. Thus, it is
can examine attachment fields in the context of not necessary to type them separately.
a database table of job applicants. The methods
discussed in this section are valuable in a variety Parameter Queries
of additional auditing contexts, such as examining To view numerous pictures with known filenames, it
lending documents, supplier contracts or other may be helpful to use a parameter query to search
important business records that are stored as for and display records containing photograph files,
record attachments. or view them in a database form (see the “Database
Form View” section).

To create a parameter query (such as the one


Access can shown in figure 8):
search all record 1. Create the criterion “[What is the file name?].” Be
attachment files in sure to include square brackets around the term.
At run time, Access displays the Enter Parameter
a table of records Value dialog box for the “What is the file name?”
criterion.
and display only
2. Enter the full filename, with its file extension, in
the record(s) the Enter Parameter Value dialog box, and click
containing the
Figure 7—An Access Query to Select a Specific File From an
desired file(s). Attachment Field

Exact-match Queries
Queries enable database users to identify the
records of a database table that satisfy specific
search criteria. One of the easiest ways to search
for specific attachment files is by filename—for
example, to verify the presence of a particular Source: Microsoft Corporation. Reprinted with permission.

ISACA JOURNAL VOL 4 35


“OK.” Access will display the record containing queries based on partial information. For example,
the photograph file. suppose several audio filenames begin with the term
“PhoneInterview,” such as PhoneInterviewFilzen.
3. To search for and display another photograph
wav and PhoneInterviewSimkin.mp4, in a job-
attachment, rerun the parameter query in
applicant table. To find all attachments that begin
figure 8 with the different filename.
with PhoneInterview, add an asterisk (wildcard) after
the known part of the filename (e.g., PhoneInterview*)
The advantage of using parameter queries is that the
in the Attachment field Criteria cell portion of
auditor does not have to create new queries to find
the query. Access will find all records whose
every desired file attachment. Instead, the auditor can
attachment files begin with “PhoneInterview,”
rerun the same parameter query as many times as
including PhoneInterviewSimkin.mp4 and
needed, thus speeding up the audit process.
PhoneInterviewFilzen.wav.
Wildcard Searches
Multiple wildcards can be used in the same query.
If the full name of a desired attachment file is
For example, suppose an attachment field contains
unknown, a wildcard search can be used to create
the files “2016PhoneInterviewSimkin.mp4” and
“2017PhoneInterview.wav.” An Access query using
Figure 8—Example Parameter Query and Enter Parameter
the criteria *PhoneInterview* (with wildcards at both
Value Dialog Box
the beginning and end of the search criteria) finds
the records for both of the files, plus all records in
the table that contain this criteria—not just the phone
interview files for a desired client. This problem can
be overcome by including the client name as an
additional search element in a separate criteria field of
the query (see the “Too Many Record Hits?” section).
Source: Microsoft Corporation. Reprinted with permission.

Knowing how to use wildcards enables auditors


Figure 9—Access Wildcard Query to Find all to find, for example, all picture files ending in .jpg
Attachment Files Ending in .jpg (using *.jpg as the search criteria) or .gif (using *.gif
as the search criteria). These are searches that look
for file types instead of filenames. In each case,
Access automatically embeds the LIKE operator
with the wildcard criteria, as illustrated in figure 9
for the first example. When the query in figure 9
runs, the displayed result shows all records with
attachment filenames that end in .jpg.
Source: Microsoft Corporation. Reprinted with permission.

The OR operator can be used in wildcard queries


to find filenames satisfying two (or more) alternate
Figure 10—Wildcard Search Using the OR Operator
endings (or beginnings). For example, to find .jpg or
.gif files, use the compound criteria shown in
figure 10. This query identifies all files with
filenames ending in “.jpg” or “.gif.” An alternate
way to express an OR condition is to enter each file
type query on separate lines under the Attachments
field, which might be easier if there are more than
Source: Microsoft Corporation. Reprinted with permission. two or three conditions.

36 ISACA JOURNAL VOL 4


The availability of wildcard searches provides
Figure 11—Access Query to List all JPEG or GIF Files
motivation for naming files systematically to for Thomas Trenton
facilitate the ability to audit them later. An example
is using the naming convention PhoneInterview
Name for the name of all files that are recordings of
phone interviews.

Too Many Record Hits?


The query examples in this article are generic and
may result in thousands of returned records in large
Source: Microsoft Corporation. Reprinted with permission.
database tables. One way to narrow the search is to
use additional fields in a record to specify additional
search requirements. For example, to see a list of
all photograph files for the client Thomas Trenton,
Figure 12—Query to Identify Records With Blank Résumé Fields
simply include the first and last name in the search
criteria. Additional field criteria (figure 11) narrow
the list considerably, because all search criteria
listed on the same criteria line in an Access query
specify an AND condition. The search criteria in
figure 11 instructs Access to display all records
containing .jpg or .gif files only for Thomas Trenton.

Testing for the Absence or Presence


of Attachments
An auditor may want to confirm that the Attachment Source: Microsoft Corporation. Reprinted with permission.

field in each record is not empty. This task can be


automated in Access. For example, to confirm that
all job-application records include résumés, use Figure 13—A Query to Identify Records Containing Résumés
“Is Null” in the query to identify missing résumé
attachments. Be sure to include a space in this
term. Figure 12 illustrates the appropriate query.

When the auditor runs this query, the results are a


datasheet that displays all job applicant records that
are missing résumés in the Résumé Attachment
field. This approach does not work for attachment
fields that store résumés and other files, e.g.,
photographs, in the same attachment field. The
query in figure 12 only lists records that contain Source: Microsoft Corporation. Reprinted with permission.
nothing in their attachment fields.

Finally, it is also a simple matter to search for are a datasheet listing all records that have files in
nonblank data fields using the NOT operator. In their Résumé attachment field. For a certification
effect, the expression “Not Is Null” creates a query application that stores PDF files of test results, for
that displays all records that contain something in example, using the “Not Is Null” expression in a
the data field of interest. Figure 13 illustrates the query allows an auditor to identify those employees
query for job applicants with résumés. The results who have taken a required test.

ISACA JOURNAL VOL 4 37


Conclusion • Encouraging clients to name files consistently,
using embedded generic terms such as interview
The advantages of using attachment fields in or photo, helps users to organize attachments
databases are considerable, enabling users to logically and helps auditors to identify them more
store multiple photographs, Word documents, easily, as needs require.
spreadsheets, PowerPoint presentations and similar
files in electronic formats; consolidate information • Auditors can test for the presence or absence
from several locations; and perhaps come closer of attachment files and identify types of file
to the ideal of a paperless office. Because of attachments using wildcard file extensions.
these advantages, auditors may find themselves However, Access does not allow auditors to test
in a situation where they need to retrieve or verify the contents of attached files.
information stored in attachment fields. Some key • The information that is typically stored in a
items for auditors to keep in mind regarding the use database is sensitive and attachments typically
of attachments in Access include: contain information that increases this sensitivity.
• Modern database software enables users to For this reason, auditors should encourage clients
attach, and auditors to query, attachment files to protect database information with passwords
conveniently—for example, to create queries and create backup copies of their databases.
by filename, by file format, by client name or by
some combination of these criteria.

The Africa CACS Conference is the premier


conference for Audit/Assurance, Compliance, Risk,
Security and Strategy/Governance professionals.
This year’s programme will include sessions on:
• IS Audit & Assurance
11 – 12 SEPTEMBER | ACCRA, GHANA • Security & Cybersecurity
• Governance, Risk & Controls
• Compliance/Privacy
Embrace new knowledge and inspiration you can
apply immediately to any role in information systems,
or IT roles in business and government.
Register today! www.isaca.org/africacacs-jv4

38 ISACA JOURNAL VOL 4


feature
feature

Key Ingredients to Information


Privacy Planning
The metrics associated with privacy data breaches and techniques that need to be employed include
are astounding. In 2016, 554,454,942 records were data identification, protective measures, intrusion Do you have
breached from 974 reported incidents.1 To break detection monitoring and reporting, responding to something
down the type of data affected, 48 percent of data privacy events and incidents, and recovery of the to say about
breach incidents were for personally identifiable organization to normalcy (when possible). this article?
information (PII), 27 percent were for credit and Visit the Journal
debit card data, and 11 percent were for physical Governance Activities pages of the ISACA®
website (www.isaca.
health information (PHI).2
Governance of privacy-related information requires org/journal), find the
that a custom strategy be developed for any article and click on
The root causes of privacy incidents include the the Comments link to
outsourcing of data, malicious insiders, system organization. Governance activities should include:
share your thoughts.
glitches, cyberattacks, and the failure to shred or • Identifying the stakeholders and internal
dispose of privacy data properly. The human element partnerships. http://bit.ly/2sUOfhc
of data breaches is the result of social engineering,
financial pretexting (the practice of obtaining personal • Developing vision, mission and value statements
information under false pretenses), digital extortion, with goals and objectives. This information would
insider threat and partner misuse.3 Conduit devices be a reference and resource for a privacy charter
used include Universal Serial Bus (USB) infection, that can be used throughout the course of the
rogue network connections, manipulation of privacy policy development effort.
account balances and backdoor access accounts. • Establishing connections within the organization Larry G.
Configuration exploitation and malicious software are to ensure cooperation and efficiency. Wlosinski, CISA,
also causes of data compromises. CRISC, CISM,
• Writing a privacy policy (described in a following
section) to address warning banners; system
CAP, CBCP, CCSP,
This article will review many aspects of privacy CDP, CIPM, CISSP,
and is intended as a primer for information privacy. compromise alerts; key persons to contact; and
response, containment, and recovery processes
ITIL v3, PMP
Topics to be reviewed are categories of privacy, Is a senior associate
privacy officer (PO) concerns, governance strategy, and procedures.
at Coalfire Systems
privacy controls and the privacy plan. • Developing a data governance strategy that Inc./Veris Group
includes data collection, authorized use, access LLC. He has more
Categories of Privacy than 18 years of
controls, information security and destruction of
experience in IT
the data/information. The key functional aspects
ISACA® has identified seven categories of privacy security and privacy.
are assessment, protection, sustaining privacy Wlosinski has been
that every enterprise must address, as shown in
operations and responding to compromises. a speaker on a
figure 1.4
variety of IT security
• Establishing a privacy budget that includes outreach
and privacy topics
Privacy Information Concerns activities and a contingency reserve for recovery
at US government
and emergency expenditures. The expenditures and professional
To address the personal and organizational would include forensic investigations, victim conferences and
concerns of data privacy, the position of PO was notification, call center support, outside counsel meetings, and
created. Figure 2 shows data concerns, areas of (e.g., litigation costs), security enhancements, lost he has written
risk and questions the PO must ask. revenue and stock value, insurance, remediation numerous articles
actions, punitive costs (e.g., civil penalties and for professional
All of these concerns help to identify the scope and fines), customer retention, card replacement, victim magazines and
complexity of the work. Data governance methods newspapers.
damages, and opportunity costs.

ISACA JOURNAL VOL 4 39


Figure 1—The Seven Privacy Categories
Category Area of Concern Examples
Data and image Rules that govern the collection and handling of • Financial information
(Information) personal information • Medical information
• Government records
• Records of personal activity
Person/bodily Person’s physical being and invasion thereof • Genetic testing
• Drug testing
• Body cavity searches
• Birth control
• Abortion
• Adoption
Communications Protection of the means of communication • Postal mail
• Telephone conversations
• Email
• Hidden microphones
• Other forms of communicative behavior and
apparatus
• Not informing citizens when surveillance occurs
Thoughts and Protection of individuals to ensure that their thoughts • Being forced to provide social media passwords
feelings and feelings are not shared inappropriately with when applying for a job
others, or they are not forced to share and have • Being forced to reveal religious beliefs or political
negative impacts against them in some way views when applying for a job
Association Addresses the right people have to associate •D  NA testing that demonstrates ethnicity or
with anybody they wish to, without unauthorized ancestry
monitoring or marginalization, and addresses •D  enying membership of any kind after
the types of groups that individuals belong to, DNA testing revealed predisposition to an
for which they have no control, e.g., ethnicity or “undesirable” condition
ancestry • E mployers using DNA testing to make
termination decisions
• Any type of segregation based on religion,
behavior, assembly or membership
Location and space Concerned with placing limits on the ability to • Home
(Territorial) intrude into an individual’s location, space and • Workplace
general environment. The environment is not • Public space
limited to the home; it also includes the workplace • Video surveillance
and public spaces. Invasion into an individual’s • ID checks
territorial privacy typically takes the form of •O ther technology, e.g., flying a drone over an
monitoring, such as video surveillance, the use of individual’s property to take photos
drones, identification checks and use of similar •R ecording individuals behind their property fence
technology and procedures.
Behavior and action This is an extension of a person’s privacy. It is • Sexual preferences
focused on thoughts and emotions before they are • Political views
expressed to somebody, activities in public and • Religious beliefs and activities
private, and targeted monitoring. • Use of traffic signal cameras to catch those who
commit traffic violations
• Use of police body cameras
Source: L. Wlosinski. Reprinted with permission.

40 ISACA JOURNAL VOL 4


Figure 2—Data Privacy Concerns and Risk
Concern Area of Risk Description/Questions Enjoying
Laws and regulatory Compliance, penalties, fines, public • Each country has its own version of what
this article?
landscape embarrassment, and loss of business and revenue privacy means and has laws for the types of
privacy data. The PO should be familiar with • Read A Privacy
the laws, directives, standards, guidelines Principles
and policies that can be developed by the and Program
government, professional associations and the
organization itself.
Management Guide.
www.isaca.org/
Type of data Exposure of personal information; exposure of There are many questions associated with privacy-principles
business sensitive, confidential or classified data type:
information trade secrets; inability to control or • Are the data considered PII?
manage data securely • Are the personal data medical in nature (e.g., • Learn more about,
person’s current health, medical history, DNA discuss and
information)? collaborate on
• Are the data personal financial data, such as information security
salary, loans, amount of debt or credit history?
• Are the data about records of personal activity policies and
or history (e.g., level of clearance, citizenship, procedures in the
arrest record, association membership, web Knowledge Center.
activity)? www.isaca.org/
• What is the information medium (e.g., text, information-security-
audio, video, email, screen captures, photo or
paper format)? policies-and-
procedures
Amount of data Not knowing where the data exist and, • How many systems have privacy data?
consequently, not being able to control the data • How many records are in the system?
• How many devices store and process the data?
•H ow many data are accumulated daily, weekly
and monthly?
•H ow long does the government and/or the
business require the data to be stored and
protected?
Location of data Unauthorized access, use or disclosure of • How many locations are affected (e.g., primary
data; unable to investigate or litigate if offshore facility, mirrored facility, off-site backup files,
offender; unable to protect data cloud service providers, contractor-managed
facilities)?
• Are the data on social media or on a website (by
accident or by malicious intent)?
• Do the data reside in retired systems and data
stores?
Source of data Not acquiring accurate information; obtaining the • How is the information gathered?
data illegally •D  o the data exist in an internal system or in
hard copy?
•D  o the data come from an external business
partner?
• Are the data from a major application or
a general support system (GSS) in the
organization?
• Were the data obtained by internal and/or
external surveillance devices (e.g., cameras,
drones)?
• Are cookies used by company web applications?

ISACA JOURNAL VOL 4 41


Figure 2—Data Privacy Concerns and Risk (cont.)
Concern Area of Risk Description/Questions
Availability of data Production; not having the data when needed; • Are the data available publicly via the Internet,
other party involvement internally on the intranet or remotely via a virtual
private network (VPN) connection?
• Will the data be available via a new system?
• Are production data of a private nature and used
by the developers when testing the system?
• Are the data shared with other organizations/
partners?
• Has the organization employed data
minimization techniques for privacy-related
data?
• Who has access to the data?
• Are the data accessible by mobile devices (e.g.,
smartphones, tablets, laptops)?
• How will the data be shared/exchanged?
Protective measures Poor or inadequate device configuration protection • Does the organization employ technical
protective measures such as account
authentication (e.g., account with a password),
user access cards, multifactor authentication,
data encryption in transit and at rest, network
protective devices and software, software
updates and patches?
• What data integrity controls are in place, and are
they effective?
• Are the system access control lists checked on
a regular basis for leftover accounts (that could
be used as backdoors into the system)?
• Are physical access controls in place?
Internal policy, Accidental or malicious activity; possibility of • What kind of record keeping is required?
processes and insider threat; not adhering to government laws or • A re the operational hard-copy data protected at
procedures company requirements; exposure of personal data work and in the field?
of employees and hiring candidates • Are the soft-copy and/or hard-copy data saved
and protected for extended periods when
required for investigations?
• How is the information controlled?
• Are administrative safeguards sufficient?
• Are there privacy procedures for email and
texting?
• Are the data sanitized and destroyed in
compliance with government regulations?
• Are the processes and procedures periodically
audited for suitability and confidentiality?
• What are everyone’s privacy roles and
responsibilities?
Source: L. Wlosinski. Reprinted with permission.

•P
 erforming impact assessments/audits. A privacy is developed or changed. The PIA should identify
impact assessment (PIA) questionnaire should the types of data, the scope of people affected, the
be used to inform the PO of possible concerns type of information, any new information obtained
and potential problems when a computer system and the other concerns described previously.

42 ISACA JOURNAL VOL 4


Privacy audits can measure effectiveness, points of contact information (e.g., security,
demonstrate compliance, increase awareness, management, legal, public relations, governing
reveal gaps, and provide a basis for remediation organizations), and communication procedures.
and improvement plans. PIAs can be at all levels,
• Providing an information privacy awareness and
e.g., department, system and process.
training program. This could include developing
•E
 stablishing a continuous monitoring program. Does awareness brochures and flyers for internal staff
the PO receive system monitoring and network and contractors. All employees, business partners
access tracking information? Is the PO informed of and contractors need to be trained on the privacy
the results of independent and/or internal systems policy and procedures.
assessments? Does the assessment cover all of the
• Developing a public privacy website to explain
necessary privacy controls (which are mentioned
the program and display whom to contact with
in the following section)? Have all remedial actions
questions. It could also include frequently
been performed to limit the possibility of a privacy
asked questions.
incident? Noncompliance reports should answer the
questions what, where, when, why, who and how. • Ensure that the contingency and disaster recovery
plans can recover the data.

Privacy Controls
There are four types There are four types of privacy controls:
of privacy controls: management, computer operations, business
operations and technical. Implementing the controls
management, is critical to a successful privacy program. If time
permits, they should be implemented in the following
computer operations, order: identify areas of concern, implement protective
business operations measures, install detection mechanisms and employ
response management techniques.
and technical.
The four types of privacy controls are described
as follows.6

• Instituting metrics. Metrics should be specific/ 1. Management controls


simple, manageable, actionable, relevant/results- • Identification—Responsibilities include
oriented and timely (SMART). Examples of privacy documenting legal authority, scrutinizing the
metrics include number of privacy data systems, new uses of PII, and having an inventory of PII
percentage of data lost, number of privacy programs and systems.
incidents, number of systems affected, average
time between incidents and average time to • Protective measures—Management must
recover. Privacy events may not always be large or monitor laws for changes; appoint the PO; provide
computer-oriented in nature, but might occur on a funding; update procedures and tools; explain the
small scale, e.g., identity theft. privacy program; assign roles and responsibilities;
define privacy statements on contracts,
• Implementing a privacy incident response plan acquisition documents and websites; issue
(PIRP). To quickly respond to data breaches, privacy notices, policies and procedures; develop
the PO must be informed of all breaches and a strategic privacy plan; identify and explain why
have information about the data and systems PII is collected; limit the collection and retention of
compromised. The breach plan should include PII; design systems to support privacy (e.g., data
a questionnaire/form, roles and responsibilities, minimization); issue data integrity guidance; have

ISACA JOURNAL VOL 4 43


external sharing agreements; and appoint a data 3. Business operations controls
integrity board and retain PII.
• Identification—Identify what business
• Detection—This activity includes conducting operations are affected.
PIAs, assessing risk and tracking incidents.
• Protective measures—Measures include
• Response management—This activity approving website content, explaining the
includes reporting incidents to management consent and information usage program,
and governing bodies according to the law. and obtaining consent of the affected party
when applicable.

• Detection—This activity includes monitoring


business practices for fraud, identity theft and
A privacy plan must include data misuse.
information for management, data • Response management—This area covers
handling operations (e.g., the data spillage-handling activities, tracking and
retaining records of disclosure, notifying those
data center or service provider), affected, supplying information to requestors,
correcting erroneous PII, explaining individual
business operations and technical rights, managing complaints, and responding to
controls. privacy spillage incidents.

4. Technical controls

• Identification—This activity includes reviewing


and assessing security tools and determining if
2. Computer operations controls
other tools need to be acquired and implemented.
• Identification—Identify systems and files
• Protective measures—Measures include
affected.
account authentication (e.g., account with a
• Protective measures—Responsibilities include password); providing user access cards; using
implementing and maintaining data protection and multifactor authentication, automatic time-out and
spillage prevention systems; protect PII in testing, external/remote access controls; data encryption
training and research; developing and maintaining in transit and at rest, network protective devices
a PIRP; and training and monitoring staff. and software; software updates and patches; data
integrity controls; technical control testing; and
• Detection—Operations needs to write incident
sanitizing and destroying data in compliance with
and activity reports for management.
government regulations.
• Response management—Responsibilities
• Detection—This category includes the use
include training for and providing forensic
of data mining software and cyberdetection
support; issuing spillage and data breach alerts;
techniques. It could also include the use of
and using approved methods to delete or
surveillance software in the systems infrastructure
destroy PII as prescribed by management.
and devices in the building, as well as system
and application transaction audit controls.

44 ISACA JOURNAL VOL 4


• R
 esponse management—Computer forensic Conclusion
analysis techniques and software are needed.
The PO must identify the data, understand the
Privacy Plan business use of the data, protect the data, detect
when the data are in jeopardy or have been
A privacy plan must include information for exposed, and know how and what to do about
management, data handling operations (e.g., it. Joining privacy associations, subscribing
the data center or service provider), business to privacy-related journals, following best
operations and technical controls. The plan content practices from privacy organizations and having a
should include the following: comprehensive privacy plan will help to protect the
data and everyone involved.
• List of authorities—This list identifies who
is dictating the compliance and reporting
requirements and could also include the source of
Endnotes
guidance and standards. 1 Gemalto, 2016 It’s All About Identity Theft, 2016,
• Definitions—The types of privacy data must be www6.gemalto.com/breach-level-index-report-
defined to support the information contained in 1H-2016-press-release
the plan. 2 Verizon, 2016 Data Breach Investigations Report,
2016, www.verizonenterprise.com/verizon-
• Scope and purpose—The plan should state who insights-lab/dbir/2016
is affected by the plan, a general description of 3 Verizon, Verizon Data Breach Digest: Perspective
the plan and why it was written. Is Reality, 2017, www.verizonenterprise.com/
• Roles and responsibilities—The roles of various resources/reports/rp_data-breach-digest_xg_
enterprise areas, including the PO, the office of en.pdfwww.verizonenterprise.com/resources/
information security, legal department, human reports/rp_data-breach-digest_xg_en.pdf
resources, public relations, marketing, business 4 ISACA®, “The Seven Categories of Privacy That
development, finance and customer care need to Every Enterprise Must Address,” www.isaca.org/
be listed in the privacy plan. It is important for each knowledge-center/research/researchdeliverables/
area to know what needs to be communicated pages/isaca-privacy-principles-and-program-
and what needs to be done, in what order and in management-guide.aspx
what time frame. This should be supplemented by 5 International Association of Privacy Professionals
training and periodic tabletop exercises. (IAPP), Privacy Program Management: Tools for
Managing Privacy Within Your Organization, USA,
• Privacy controls—The plan should describe the 2013
requirements of the four categories of controls 6 National Institute of Standards and Technology
(previously described) and how the controls are to (NIST), Security and Privacy Controls for Federal
be implemented. Information Systems and Organizations, Special
• Other considerations—This part of the plan Publication (SP) 800-53 Rev. 4, USA, 2013,
would address areas of the governance strategy http://nvlpubs.nist.gov/nistpubs/
not covered and could be oriented to the industry SpecialPublications/NIST.SP.800-53r4.pdf
or area of personal concern (e.g., financial,
medical). A list of acronyms may also be needed.

ISACA JOURNAL VOL 4 45


Challenges and Lessons Learned
Implementing ITIL, Part 1
Realizing Value Through Business IT Alignment
A key issue often cited by information systems (IS) important to the delivery of the overall business
Do you have executives in the last three decades is aligning IT strategy and vision, where the contribution of IT
something with business, which assists in realizing value from to the business is widely recognized, with value
to say about IT investments. This article demonstrates how a creation of IT investments being one of the most
this article? multinational oil company deployed an automated important dimensions.3 Subsequently, getting
Visit the Journal implementation of the Information Technology value from IT investments has been a top priority
pages of the ISACA® Infrastructure Library (ITIL) integrated with COBIT® in for organizations. Moreover, one of the four major
website (www.isaca.
an effort to achieve alignment between IT goals and activities of chief information officers (CIOs) is
org/journal), find the
business goals. The article, based on a longitudinal IT services, which encompass managing the IT
article and click on
the Comments link to study conducted over a period of three-and-a- organization, its people and its external partners
share your thoughts. half years (2012 to 2017), presents the challenges, to ensure delivery of IT infrastructure, applications,
value realized and lessons learned in moving from projects and related services across the enterprise
http://bit.ly/2r3sjEj the planning stage of implementing an IT service at the desired cost, risk and service levels.4
management (ITSM) strategy to the dynamic phase of
managing and distilling business value from IT. Profile of Case Study Company

Research indicates that alignment of IT and/with The company is a 24-year-old government-


the business has been the top IT management owned multinational oil company, registered
concern for three consecutive years since 2013, and headquartered in the United Arab Emirates
and has remained within the top three since (UAE). Its annual revenue was US $14.7 billion
2005.1 “Alignment” has been defined as the in 2015. As of 2014, it had 39 companies in its
degree of fit and integration between business portfolio, with more than 250 remote locations and
strategy, IT strategy, business infrastructure and IT diversified operations. The company has more than
infrastructure.2 Hence, IT is considered to be very 6,500 employees. It directly or indirectly owns 39

Mathew Nicho, Ph.D., CEH, CIS, ITIL Foundation, RWSP, SAP


Is a faculty member at the School of Computing and Digital Media at Robert Gordon University,
Scotland. He has given talks on IT governance and cyber security at ISACA® chapters in Auckland
(New Zealand) and Dubai (United Arab Emirates). He has published numerous papers in journals and
presented at international conferences.

Shafaq Khan, Ph.D., CIS, PMBOK, PMP, SAP


Is an assistant professor in the College of Engineering and Information Technology (CEIT) at the
University of Dubai. She has more than 18 years of teaching experience, both at undergraduate and
graduate levels, and she has presented at ISACA events in Dubai.

Ram Mohan, CRISC, CISM, CGEIT, ISO 27001, ITIL Foundation


Is manager of IT service management with Emirates National Oil Company Limited (ENOC)
LLC, Dubai. During this time, he has led several transformation projects, including the IT service
management automation project, IT service catalog for the shared services center and setting up
the project management office in ENOC. His experience within ENOC also includes IT strategy and
business alignment, budget and performance management, and audit/risk management.

46 ISACA JOURNAL VOL 4


feature
feature
companies which operate through four business in four departments covering policy and planning, IT
segments: service, infrastructure, and business solutions.
As part of a continuous improvement program, the
• Supply, trading and processing—Condensate
IT service department was restructured in May 2016
and gas processing and oil trading
(figure 2).
• Terminals—Storage for various petroleum and
chemical products The IT architecture, which consists of five
mainframes, 165 physical servers, 200 virtual
• Marketing—Marketing of aviation fuel, lubricants,
servers, 650 network devices and 2,200 desktops,
chemicals and industrial products
presents a challenging environment for the
• Retail—Retail fuel and nonfuel services at company in its operations. Interviews were
retail stations conducted with the following personnel:

• Director of IT services—For overall strategy


IT Department Profile
• IT service manager—For customer satisfaction
The IT department at the company head office and service catalog
manages the IT services of the entire group of
companies using its own resources and outsourcing • IT infrastructure manager—For availability
several IT services (figure 1). The IT department management, change management, release
consists of 89 full-time equivalent (FTE) employees management

Figure 1—IT Organizational Structure

Director—GIT

Administrative
Assistant
IT Manager IT Manager
(STP) (Retail)

Manager Manager (Planning Manager Manager Solutions Manager IT Manager


and Performance IT Manager
(IT Services) (Infrastructure and (Business
(BI and DW) (Terminal and
Management) Information Security) Solutions) (Marketing)
Corp. Affairs)

IT Security
IT Customer Manager (Process Operations Systems Development
Manager IT Project and Integration BI and DW
Relationships Development and Architect
Manager Compliance) Delivery Manager
Manager
Solutions
IT Projects Manager
IT Services Manager EI Analyst
Coordinator (2) QA Manager Corporate
IT Products
Manager
Solutions Manager
IT Operations (Smart Services)
Manager

Solutions Manager
(Oil and Gas)

Solutions Manager
(EBS)

Solutions Manager
(Retail)

Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.

ISACA JOURNAL VOL 4 47


Figure 2—IT Service Structure as of 2017 (Service Level Agreement Team)

Service Delivery
Manager

Manager Team Lead Team Lead


(Infrastructure Manager
(Help Desk Analysts) (Desktop Support) (Business Applications
Support)
Support)

Team
Team Team Team Lead Lead
Team Lead Infra
Lead Lead (Network (System
(Unix, (Security Application Application
(DBA) Admins Admins) Admins) Support
Storage, Admin) Branches Application
Help Desk HQ Desktop Consultant Support
Backup Support Desktop
Analysts Support Application (Legacy) Consultant
and Analyst Support
Facilities Analysts (Microsoft
Consultant and
Admins) Oracle (EBS) Others)
DBAs
Network System
and Admins
Telecom
Security Admins
Unix, Admins
Storage, SQL
Backup DBAs
and
Facilities
Admins

Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.

• Service delivery manager—For incident experience in establishing processes and procedures


management over a period of 36 months in his previous organization. He was entrusted with
the major responsibility of managing in-house IT with
IT Governance Process and four clear priorities to realize value from IT:
Leadership
1. Setting up a world-class shared services center
The company started to plan for ITSM 2. Implementing best practices in ITSM for high-
implementation in September 2009. During that quality service delivery
time, it underwent major restructuring and brought
in a new CIO to lead the ITSM implementation. To 3. Developing an efficient cost-recovery model with
restructure the IT service management function, the a well-defined IT service catalog for recharge
company appointed a new director of IT to oversee transparency
the IT functions of the entire group of companies. The 4. Bringing in process automation and innovation
newly appointed director of IT had a lot of vision and for faster time-to-market services and products

His first jobs were to invest judiciously in IT and


evaluate the current application to add value. He
In its ITSM implementation decided to scrap the current help-desk application
and invest in what was needed to achieve the
journey, the company proved that organization’s vision of what an ideal IT service
IT/business strategic alignment organization should be and how these challenges
should be addressed.
can be facilitated through the
organization’s appropriate Therefore, he continued augmenting the initial cost of
operation with a long-term view. He gave the
management practices and go-ahead to invest in IT in contrast to maintaining an
attitude of containing cost and working with limited
strategic IT choices. resources. His position was not to cut costs, but that
the organization should benchmark itself with the

48 ISACA JOURNAL VOL 4


industry leader. Therefore, there were industry class Phase 4 started with the implementation of release
systems that were needed and implemented. and quality management, which involved a full-
fledged quality management system incorporating
ITIL Phases the entire software development life cycle (SDLC) as
part of release management. The automated ITSL
In its ITSM implementation journey (figure 3), tool (product) upgrade that started in quarter 2 of
the company proved that IT/business strategic 2016 was still ongoing as of March 2017. This task
alignment can be facilitated through the entails upgradation of the automated ITSM tool to
organization’s appropriate management practices enable IT service mobility for support personnel
and strategic IT choices. In line with the principle and end users.
of starting with relevant and simple processes, in
phase 1 the organization implemented a 24/7 call Alignment of Business and IT Goals
center with an interactive voice response (IVR) With IT Service Processes
integrated to the help desk, incident management,
problem management, change management, Midway through the ITSM journey, one of the exercises
and the creation of foundation data for service was to align 17 business goals (based on the four
management and service level management. quadrants of the balanced scorecard [BSC]) to 28 IT
goals. This was aligned subsequently to key ITIL and
Based on the lessons learned from this phase, governance processes, and then further mapped to
the second phase saw the introduction of outage ISO 20000 and COBIT® controls (figure 4) using a
management, setting up of the customer care proprietary IT governance tool (based on COBIT© 4.1)
systems with a toll-free number and establishment developed by an external consultant.
of incident handling in another division. These
accumulated experiences enabled the organization Within the tool, an analysis of the business and IT
to move to phase 3, which consisted of release goals and an overview of the impact of certain IT
management (initial phase: user acceptance test risk factors on the organization were used to assess
only), upgrade of outage management, creation of and select the COBIT processes relevant to the
IT work order billing information, the automation of organization. Once this was completed, the tool
service operating procedure (SOP) and creation of allowed for a maturity assessment to be performed
a configuration management database (CMDB). on these processes. In 2013, the organization created

Figure 3—Timeline of the Ongoing ITSM Journey as of March 2017

IT Structure and
Leadership
Change
Product Implementation Implementation
Selection Phase 2 Phase 4
Identifying
Constraints Going Live CMDB Live

)
Q3 Q4 Q1 Q2 Q3 1 Q1 Q2 Q4 Q3 4 Q1 Q2 oing
9 9 0 0 0 1 2 3 5
200 00 01
2 01 201 201 201 2 01 201 201 201 (ong
2 2 2
Objectives Stabilization and
1 6Q
Generation of 20 ITSM Tool
Analytics
Implementation Implementation Upgrade
Phase 1 Phase 3
Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.

ISACA JOURNAL VOL 4 49


a strategy map with value drivers (figure 5) for
Figure 4—Alignment of Business and IT
guidance in measuring the four quadrants of the BSC. Goals to IT Service Processes

For each of the 14 value drivers (F1 to LG4), the 17 Business Goals
organization drafted value driver statements for the (3 financial, 6 customer,
6 internal and 2 learning of the BSC)
four quadrants.

Financial
IT will: 28 IT Goals
IT Risk
• Maintain the ratio of IT operational expenditure Assessed to
(OPEX) to the company’s OPEX. (F1) Align Select
IT Goals With
• Adhere to the approved budget. (F1) IT Controls and
Processes
• Ensure IT cost recovery based on the approved COBIT ITIL
budget. (F2)

• Achieve benefits on identified projects and


initiatives by effective resource utilization. (F2)
Mapped to ISO 20000

Customers Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.


IT will:

• Deliver quality and reliable services that meet or


exceed agreed service-level targets. (C1)

Figure 5—Alignment of Business and IT Goals to IT Service Processes

Providing ENOC with innovative and cost-effective IT solutions, and services optimally combined
with world-class standards of services, quality and operational effectiveness

Maintain an infrastructure and Promote an IT security


architecture that are reliable, program that proactively assures Provide cost-effective and
adaptable, sealable and driven confidentiality, integrity innovative solutions to Empower business to
by changing business and and availability of enable ENOC to achieve its leverage information
technological requirements corporate information strategic objectives

Value Creation
Financial

F1. Optimize resource


utilization

Services Stakeholders
Customers

C1. Deliver quality and C2. Meet or exceed C3. Achieves “reliable C4. Support customers’ key
reliable IT services customer’s expectation business partner” image strategic objectives

Operational Excellence Customer Management Strategic Support


IP3. Develop and provide
IP

IP1. Streamline key IP2. Improve customer strategic and innovative


operational processes partnership business solutions

Organizational Capabilities/Culture
L and G

LG1. Create positive LG2. Develop key LG3. Leverage technology


work environment competencies and knowledge assets

Source: M. Nicho, S. Khan and R. Mohan. Reprinted with permission.

50 ISACA JOURNAL VOL 4


• Strive to meet customer demands and improve
the standard of its services through regular
customer feedback. (C2)

• Enhance its partnership with business units


through continued engagement and business
alignment. (C3)
• Actively engage with its customers to understand
their business strategies and growth aspirations,
then use its functional expertise to develop and
deliver solutions that contribute to its customers’
success. (C4)

Internal Processes
IT will:

• Streamline and automate key operational


processes to enable efficient service delivery. (IP1)

• Execute the customer relationship strategy


plan to ensure ongoing customer and business
alignment. The strategy will focus on effective
Conclusion
customer engagements, value proposition Transitioning from a cost-centered IT service
promotions and customer feedback. (IP2) approach to creating value out of IT investments
• Develop a plan to identify prospective customers requires strong leadership, restructuring of IT and
for rolling out various services and solutions. (IP3) organizational hierarchy, alignment of IT goals
with business goals, and deploying the balanced
• Provide project support services that are driven by scorecard to assess their maturity level. These three
the customers’ dynamic business requirements activities enable the enterprise to clearly envision the
and aligned with their strategic goals. (IP4) IT service-specific challenges that are ahead and
learn from the incremental implementation of ITIL
Learning and Growth processes for continuous improvement of IT services.
IT will:

• Focus on selecting the competent; developing


and rewarding top talent; encouraging open
Endnotes
communication, teamwork and collaboration; and 1 Kappelman, L.; E. McLean; V. Johnson; R. Torres;
maintaining a supportive work environment that “The 2015 SIM IT Issues and Trends Study,” MIS
empowers employees, encourages innovation Quarterly Executive, vol. 15, 2016
and rewards service excellence. These activities 2 Henderson, J. C.; N. Venkatraman; “Strategic
recognize the importance of the human capital Alignment: Leveraging Information Technology
resource. (LG1) for Transforming Organizations,” IBM Systems
• Develop key competencies in areas of IT Journal, vol. 32, 1993, p. 4-16
functions, customer management and business 3 ISACA® and the IT Governance Institute, Global
alignment. (LG2) Status Report on the Governance of Enterprise
IT (GEIT), USA, 2011
• Leverage and utilize technology with knowledge 4 Weill, P.; S. L. Woerner; “The Future of the CIO in
assets to improve shared services center (SSC) a Digital Economy,” MIS Quarterly Executive,
business process efficiencies. (LG3) vol. 12, 2013
• Foster a customer-centric culture to bring greater
focus on customer requirements in order to
meet/exceed their service expectations and
continuously improve processes. (LG4)

ISACA JOURNAL VOL 4 51


Do you have
something
Mobile Security Tools
to say about
this article?
Visit the Journal
on A Budget
pages of the ISACA®
website (www.isaca. Mobile has arisen as one of the most flexible—and of both mobile devices and the applications (apps)
org/journal), find the most prevalent—business tools available. From that reside on those devices means a wider array
article and click on email to calendaring to business applications, of security and assurance challenges than has ever
the Comments link to before been the case. Granted, it is true that both
employees are, quite literally, doing business from
share your thoughts.
any device, any time of the day or night, from organizations and practitioners are becoming more
anywhere and everywhere on the planet. Mobile sophisticated in their approaches to mobile and,
http://bit.ly/2rCnBMg
functionality has evolved from a convenience to a thereby, are becoming better able to anticipate
necessity, from a luxury to a necessary and critical and respond to challenges in the mobile space.
component of the business environment. However, it is still very much an area of focus for
organizations as it continues to represent one of
As mobile has increased its business utility, it has the leading attack vectors and a large chunk of the
also become one of the more challenging areas overall enterprise attack surface.
to safeguard. Not only is bring your own device
(BYOD) becoming the norm in many enterprises, Because of this, savvy practitioners are always on
bringing with it an array of disparate devices into the hunt for tools and techniques they can apply
the workplace, but the increase in sophistication and adapt to help them ensure that devices are
protected appropriately. Fortunately, there are quite
a few good tools and resources out there that are
available for relatively little (or no) cost.

Note that the tools described in this article are not


the only tools out there—nor is this list intended
to be an exhaustive one. This article’s focus is
specifically on tools that are freely available—
open source, community-supported editions of
commercial tools, free resources, etc. These tools,
indexed by category, might help solve specific
security and assurance challenges relative to the
mobile environment. Some of them pertain to
testing scenarios on the mobile devices themselves,
others relate to ensuring known-good configuration,
and still others relate to leveraging older mobile
devices (always easy to come by) to accomplish
other security and assurance tasks.

Ed Moyle Endnotes
Is director of thought leadership and research at ISACA®. Prior to joining
ISACA, Moyle was senior security strategist with Savvis and a founding 1W
 eidman, G.; “Using Dagah GUI,”
partner of the analyst firm Security Curve. In his nearly 20 years in
YouTube video, 30 March 2017,
information security, he has held numerous positions including senior
https://www.youtube.com/
manager with CTG’s global security practice, vice president and information
security officer for Merrill Lynch Investment Managers, and senior security watch?v=dqBOs4YT36M
analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for
Developers and a frequent contributor to the information security industry as
an author, public speaker and analyst.

52 ISACA JOURNAL VOL 4


tools
1 tools
Mobile
Application
Testing Tools
For those organizations that have the skill
set internally to perform hands-on testing,
there are a number of tools that can assist
in the testing of mobile devices themselves

3 5
or the business applications they commonly
run. Insofar as testing of applications goes,
web proxying tools such as Burp Suite
Mobile Repurposing
(https://portswigger.net/burp/) and Open Forensics Mobile
Web Application Security Project’s (OWASP)
ZAP (https://www.owasp.org/index.php/ Tools Devices
OWASP_Zed_Attack_Proxy_Project) are
excellent choices. These tools allow users
to “snoop” on traffic between the mobile Of course, situations arise whereby one may One area of opportunity—particularly for
device (or, really, any device) and web need to investigate a device to determine an SMB or severely budget-strapped
applications with which they interact. A if the device has been attacked—or to organization—is the repurposing of mobile
web testing proxy such as this intercepts otherwise evaluate a potential incident devices to accomplish other security tasks.
messages between the mobile device and impacting a mobile device. If one is Anybody who works in IT will tell you that
the application and allows the manipulation investigating a specific device from an one thing they tend to have quite a bit of
of various parameters (e.g., HTTP headers, investigation standpoint, a fantastic resource is old, out-of-date or otherwise unused
response parameters) in between the to have in any arsenal is the Santoku Linux mobile devices such as decommissioned
mobile device and the web application. distribution (https://santoku-linux.com/). employee smartphones. Under the right
Note that these tools are useful outside of Santoku is an entire Linux distribution circumstances, these devices can actually
the mobile device world as well; they can be dedicated specifically to mobile device still provide some value to a security team.
used to test any web application regardless forensic examination. Other testing and For example, there are applications that
of the platform on which it is employed. incident response platforms do contain allow an Android or Apple smartphone to
However, because mobile device use is tied mobile tools; for example, both Kali operate as a remote security camera. The
so closely to the applications they run, they (https://www.kali.org/) and CAINE specific app to do this varies by platform,
are addressed here. (www.caine-live.net/) contain mobile analysis but almost any smartphone with a camera
tools. However, Santoku has the advantage (even if no longer connected to the
of being entirely designed specifically from a cellular network) can provide video or still
mobile analysis perspective. image data via a WiFi connection. Is this
a replacement for an “enterprise-grade”

2
monitoring capability? Of course not.

Mobile But it can provide a stopgap mechanism


to ensure that locations are being

4
Device OS
appropriately monitored on a short-term
basis in certain situations—for example, in
Testing Tools Management the interim period between when a gap in
coverage is identified and new equipment

In terms of specific testing of the mobile


Tools is fielded or in the case of a short-term
extension in coverage.
devices themselves—including malicious
applications and testing of user behavior From a device management standpoint, Likewise, older (typically Android) devices
such as responding to phishing or SMishing there are a few options as well. Not only are can be used as remote wireless access
(phishing via short message service there tools that are built into the ecosystems point detection mechanisms in certain
[SMS])—there are some fantastic options as of both Android and iOS, for example, the situations, for example, an organization
well. The first one is the community Apple Configurator (https://support.apple. with a large physical area to cover (e.g.,
version of Shevirah’s Dagah tool com/apple-configurator) and the Android numerous remote field offices or retail
(https://www.shevirah.com/dagah/). Those Device Manager (https://www.google.com/ locations). There are literally dozens of free
in the penetration testing space may recall android/devicemanager), but there are also WiFi analyzers in the Android marketplace
the Smartphone Pentest Framework tools that provide privacy tools (e.g., The that will provide information about wireless
(www.bulbsecurity.com/products/ Guardian Project [https://guardianproject. networks in range. When used at a
smartphone-pentest-framework/), info/]) and hardened OS configurations location where rogue access points are
developed by Georgia Weidman in (e.g., CopperheadOS [https://copperhead. an issue and monitored remotely, these
response to the Defense Advanced co/android/]). Depending on an tools can alert to new, unexpected access
Research Projects Agency’s (DARPA) organization’s needs and usage context, points. Again, is this the ideal solution for
now-defunct Fast Track grant. The these tools could potentially have a role all wireless intrusion prevention needs?
community edition does have some to play. A small/medium business (SMB), Probably not. But can it make for a low-
limitations (in terms of number of targets for example, might find that the Apple cost stopgap to help accomplish very
per campaign), but it does provide the Configurator fits the bill for initial hardening targeted tasks such as rogue access point
tester with the ability to target mobile or that Android device manager’s basic detection in the short term? Yes, it can—
devices and customize attack scenarios device protection services, such as remote and under the right circumstances, that can
and delivery of those attacks to a mobile wipe in the event of a lost or stolen device, be valuable.
device. There are even video instructions1 are sufficient for its needs without employing
that explain common usage scenarios. a heftier (read “more expensive”) solution.

ISACA JOURNAL VOL 4 53


help
source
Do you have Q
Our organization has employees who work
mostly in the field. Previously, they had
3. What assurance does the organization have that
the employees comply with the compliance- and
something been provided laptops and mobile phones by the privacy-related policies when accessing and
to say about organization. Now, the organization has adopted a using the organization’s data?
this article? bring your own device (BYOD) policy. The security
4. What assurance does the organization have that
Visit the Journal team has implemented policies to secure these
pages of the ISACA® employees back up organization-related data
devices. The question I have is what are the privacy
website (www.isaca. from personal devices?
issues associated with these mobile teams using
org/journal), find the their own devices for the organization’s work? 5. What assurance does the organization have
article and click on
that employees will not install any unauthorized
the Comments link to
share your thoughts.
A
There are multiple aspects in this one
question. Let us break down the question into
small questions:
software that will compromise the organization’s
proprietary data?
http://bit.ly/2rN5Hon 6. What assurance does the organization have
1. While allowing users to use their mobile devices that employees will hand over their devices for
for the organization’s purposes, which security investigation in case of any suspected/actual
settings are likely to affect their privacy? privacy breach?

2. What assurance does the device owner have


Many organizations today have implemented
that the organization does not monitor privacy-
technology to monitor employee communications
related information while monitoring the device
to ensure that employee behavior is compliant
for security?
with privacy laws, regulations and policies.
These measures might particularly be required
for organizations such as banks, utility providers,
finance companies and listed companies that are
highly regulated, especially to ensure the security
of information, track insider breaches, and prevent
crimes such as collusion and insider trading. The
main challenge is to draw a line between
organizational privacy, compliance and the personal
privacy of employees.

This issue must be addressed by the policies of


the organization so as to strike a balance between
compliance and employee privacy.

Many organizations implement security monitoring


processes using technology such as mobile device
management (MDM) and security information and
event management (SIEM). The features of MDM
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS allow organizations to:
25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP • Protect devices from unauthorized access
Has worked in IT, IT governance, IS audit, information security and IT
risk management. He has 40 years of experience in various positions in • Restrict the installation of applications (apps) to
different industries. Currently, he is a freelance consultant and visiting safeguard devices against malware
faculty member at the National Institute of Bank Management, India.
• Track the physical location of a device

54 ISACA JOURNAL VOL 4


• Wipe data on a device if it is lost or stolen, or if the • Consent—Employees must consent to such
employee leaves the company monitoring. Some employees may refuse to
comply, in which case the organization cannot
In other words, organizations can remotely access monitor their devices. Of course, the organization
an employee’s devices and track the employee’s has every right then to not allow BYOD for those
activities. Therefore, the answer to the first question employees. Employee consent should also
is, “Yes, organizations can remotely access devices include the handing over of their devices for
and privacy-related information.” investigation in case of an incident.

• Security—The organization is accountable for


Monitoring of devices also answers the third,
securing privacy-related information, including
fourth and fifth questions. The organization can
backup information.
monitor mobile staff activities to ensure privacy-
related compliance. Now, with regard to the second • Disclosure—The processes of data collection,
question, the prima facie answer is “none.” When storage and disposal may be explained to the
the organization monitors devices, the organization employees within the limits of the security policy.
can access the privacy-related information of the
• Access—Employees should be kept informed
employee/device owner. As for the sixth question,
about the status of privacy-related data.
the answer is none.
• Accountability—The organization is accountable
To overcome this situation, an organization’s for the breach of privacy-related data collected
BYOD and privacy policies must address it. The in any manner, including monitoring of mobile
compliance related to privacy can be addressed devices. This may be considered an extension
by adopting the Organisation for Economic Co- of the principle of security. Organizations need to
operation and Development (OECD) principles for implement reasonable security to protect privacy-
protecting privacy-related data: related information collected. In cases where there
is a security breach resulting in leakage of privacy-
• Notice—The organization needs to provide
related information, the organization is accountable.
notice to the mobile staff that their devices
are monitored for security and there is the • Acceptance—Mobile staff must be made aware
possibility that privacy-related information of the policy and consent must be obtained
may be collected by the organization. This before configuring the device and allowing it to be
notice should also include remote access to used by the employee for official business.
the device and the backup of device data that
may include privacy-related information. The monitoring of devices may be active (when a
device such as a smartphone is in use) or passive
• Purpose—The organization should also inform the
(when a device is connected to the network). In
employees as to the objectives of remote access
either case, following privacy-related principles helps
and monitoring, which are focused primarily on
organizations monitor data usage by mobile staff.
ensuring security over the organizational information
contained in the device.

ISACA JOURNAL VOL 4 55


crossword
puzzle by Myles Mellor
www.themecrosswords.com

ACROSS 1 2 3 4 5 6 7

1 Catchphrase for a foolhardy, expensive,


security failure, 2 words
6 Many megs 8 9 10
8 Respond reciprocally
9 One of the steps in considering an audit
program
11 Misrepresent 11 12 13
12 Inserted clandestinely
13 They are needed to gain access
14 Speculates
16 You can get a green belt and a black belt in 14 15 16 17 18 19
these business management techniques,
2 words 20 21
20 Word used with supply and command
22 Took into account 22 23 24
23 New ISACA publication, Transforming ___
Security
25 Regret
26 Standards 25 26 27
30 Hackers now focus more on stealing these
from authorized users of a system 28 29
34 Sign, as in a contract
35 It records all the activities in a system
30 31 32 33 34
36 Deception, often carried out in cyberspace
37 ___ it is fine, but will it work in practice?,
35
2 words
36 37
DOWN
1 Word used before compass or hazard 16 Scientists’ metric system, abbr.
2 Chair of ISACA’s Board of Directors and 17 Whistleblower
Inspector General of the US House of 18 Top US school category
Representatives, Theresa 19 Broadcast
3 World wide web 21 Explain further
4 Deceptive type of software 23 Sources, as in a paper
5 Converts into a particular form technically 24 Obstruction
6 Channeling 27 Questions
7 Techies, in slang 28 Data storer
10 Forceful stream 29 ISACA’s charitable foundation
12 Failing to implement these is one of the major 30 Firms, for short
causes of security failures 31 Sense of self
14 Kind of surge 32 Little toymaker
15 That ship 33 Reject word

Answers on page 58

56 ISACA JOURNAL VOL 4


quiz#173
Based on Volume 2, 2017—The Evolution of Audit
Value—1 Hour of CISA/CISM/CGEIT Continuing Professional Education (CPE) Credit

TRUE OR FALSE

CPE
RAVAL AND SHAH ARTICLE SMITH ARTICLE

quiz
1. To address risk exposures in third-party 7. Most blockchain proofs of concept are
risk management environments, host designed to achieve benefits that fall loosely
companies consider the vendor as the target into one of the three categories: reduce costs
of evaluation at the time of onboarding and and create process efficiencies, create an
on an ongoing basis as well. For this, the ecosystem with higher-than-standard levels of
host company should implement and use trust, or facilitate digital currency exchange.
both traditional and innovative monitoring Prepared by
8. Ongoing review to ensure the sustainability
approaches for continuous monitoring of the Sally Chan,
of the assurance solution in blockchain will
identified risk factors. not be necessary, but the nature, timing
CGEIT, ACIS,
2. Agile and effective trust relationships do and extent of the review work cannot CMA, CPA
not rely on governance practices. Most be determined by the technology used,
organizations working with third parties the business-use case and the evolving Take the quiz online
do have a coherent plan for ongoing ecosystem in which the instance is deployed.
management of the relationship and the http://bit.ly/2r3cj5c
services that are provided. The contract and
ALEXIOU ARTICLE
the various service agreements will be self-
managing. 9. Agile audit is primarily about increasing
3. Given the complex cyber-based the efficiency mainly of complex audits by
relationships with third parties, the new parallelizing tasks, eliminating or mitigating
direction used to track the relevant bottlenecks, and assigning time to various
engagement risk is dynamic risk profiling. tasks that is proportional to each task’s
importance.
KRESS AND HILDEBRAND ARTICLE 10. With regard to the audit aspect of leadership,
Agile audit is more democratic, as all team
4. Without a consolidated data set to analyze, members participate more or less equally (in
the process of gathering and managing data principle) to planning.
is inherently inefficient. The absence of a 11. Some of the Agile audit guidelines include
coordinated, functionwide strategy led to striving to gain an early understanding of
the analytics enthusiasts having a hard time the key audit issues and disseminate this
getting started and a harder time getting information within the audit team, discussing
access to the right data. findings as they are gathered, and shifting
5. Maximizing the power of analytics during resources if necessary.
the execution of the audit includes creating
automated dashboards for department risk
PAREEK ARTICLE
assessments and review of effectiveness
of testing procedures in governance, risk 12. Efforts at quantification of either black-box
and control (GRC) (control tested vs. issues logic, such as modeling loss distributions
noted). based on extreme-value theory, or the
6. Tomorrow’s use of analytics in the execution combination of various security metrics (often
of an audit includes increasing horizontal using weighted averages) as a composite
review across all teams and encouraging metric have been successful enough to win
disruption using an innovative analytical widespread adoption.
approach through custom analytics. 13. In situations where thresholds have been
established, an alternative and simpler
approach that relies on z-scores can be
adopted. This approach is just as sensitive
and precise as the standardized scores.

ISACA JOURNAL VOL 4 57


CPE
quiz#173 THE ANSWER FORM
Based on Volume 2, 2017

TRUE OR FALSE
RAVAL AND SHAH ARTICLE ALEXIOU ARTICLE Name
PLEASE PRINT OR TYPE
1.
9.
2.

3. 10. Address

11.
KRESS AND HILDEBRAND
ARTICLE PAREEK ARTICLE CISA, CRISC, CISM or CGEIT #
4. 12.
5. 13.
6. Answers: Crossword by Myles Mellor
See page 56 for the puzzle.
1 2 3 4 5 6 7
M A G I N O T L I N E G I G
SMITH ARTICLE
O R E R N U E
8 9 10
7. R E A C T O B J E C T I V E
A F J E O D K

8.
11 12 13
L I E P L A N T E D I D S
N A N E N
14 15 16 17 18 19
P O S I T S S I X S I G M A
20 21
O T C H A I N V I
22 23 24
W E I G H E D F C Y B E R
E N E D O I A
Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. 25 26 27
Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is R U E S C R I T E R I A
available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit 28
C
29
I M E R S
using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information 30 31 32 33 34
by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE C R E D E N T I A L S I N K
35
Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., O G L O G N E S
#1010, Rolling Meadows, IL 60008 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You 36 37
need only to include an envelope with your address. You will be responsible for submitting your credit hours at year- S P O O F I N T H E O R Y
end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.

Get Noticed!
Advertise in the ISACA® Journal

Journal
For more information, contact media@isaca.org

58 ISACA JOURNAL VOL 4


standards guidelines
tools and techniques
ISACA Member and Certification Holder IS Audit and Assurance Guidelines
 he guidelines are designed to directly support the standards and help
T
Compliance practitioners achieve alignment with the standards. They follow the same
categorization as the standards (also divided into three categories):
The specialized nature of information systems (IS) audit and assurance and
the skills necessary to perform such engagements require standards that apply • General guidelines (2000 series)
specifically to IS audit and assurance. The development and dissemination of the
IS audit and assurance standards are a cornerstone of the ISACA® professional • Performance guidelines (2200 series)
contribution to the audit community. • Reporting guidelines (2400 series)
IS audit and assurance standards define mandatory requirements for IS auditing.
They report and inform:
General
• IS audit and assurance professionals of the minimum level of acceptable 2001 Audit Charter
performance required to meet the professional responsibilities set out in the 2002 Organizational Independence
ISACA Code of Professional Ethics 2003 Professional Independence
2004 Reasonable Expectation
• Management and other interested parties of the profession’s expectations
2005 Due Professional Care
concerning the work of practitioners
2006 Proficiency
• Holders of the Certified Information Systems Auditor® (CISA®) designation 2007 Assertions
of requirements. Failure to comply with these standards may result in an 2008 Criteria
investigation into the CISA holder’s conduct by the ISACA Board of Directors or
appropriate committee and, ultimately, in disciplinary action. Performance
2201 Engagement Planning
ITAF , 3 Edition
TM rd
2202 Risk Assessment in Planning
2203 Performance and Supervision
(www.isaca.org/itaf) provides a framework for multiple levels of guidance: 2204 Materiality
2205 Evidence
IS Audit and Assurance Standards 2206 Using the Work of Other Experts
The standards are divided into three categories: 2207 Irregularity and Illegal Acts
2208 Sampling
• General standards (1000 series)—Are the guiding principles under which the
IS assurance profession operates. They apply to the conduct of all assignments
and deal with the IS audit and assurance professional’s ethics, independence,
Reporting
2401 Reporting
objectivity and due care as well as knowledge, competency and skill.
2402 Follow-up Activities
• Performance standards (1200 series)—Deal with the conduct of the
assignment, such as planning and supervision, scoping, risk and materiality,
resource mobilization, supervision and assignment management, audit and IS Audit and Assurance Tools and Techniques
assurance evidence, and the exercising of professional judgment and due care. These documents provide additional guidance for IS audit and assurance
professionals and consist, among other things, of white papers, IS audit/assurance
• Reporting standards (1400 series)—Address the types of reports, means of programs, reference books and the COBIT® 5 family of products. Tools and
communication and the information communicated. techniques are listed under www.isaca.org/itaf.

Please note that the guidelines are effective 1 September 2014. An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

General
1001 Audit Charter Prior to issuing any new standard or guideline, an exposure draft is
1002 Organizational Independence issued internationally for general public comment.
1003 Professional Independence
Comments may also be submitted to the attention of the Director,
1004 Reasonable Expectation
Thought Leadership and Research via email (standards@isaca.org);
1005 Due Professional Care fax (+1.847.253.1755) or postal mail (ISACA International Headquarters,
1006 Proficiency 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105,
1007 Assertions USA).
1008 Criteria
Links to current and exposed ISACA Standards, Guidelines, and Tools
and Techniques are posted at www.isaca.org/standards.
Performance
1201 Engagement Planning Disclaimer: ISACA has designed this guidance as the minimum
1202 Risk Assessment in Planning level of acceptable performance required to meet the professional
1203 Performance and Supervision responsibilities set out in the ISACA Code of Professional Ethics.
1204 Materiality ISACA makes no claim that use of these products will assure a
1205 Evidence successful outcome. The guidance should not be considered inclusive
1206 Using the Work of Other Experts of any proper procedures and tests or exclusive of other procedures
1207 Irregularity and Illegal Acts and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific procedure or test, the control
professionals should apply their own professional judgment to the
Reporting specific control circumstances presented by the particular systems or IS
1401 Reporting environment.
1402 Follow-up Activities

ISACA JOURNAL VOL 4 59


websites
advertisers/
ISACA® Journal, formerly
Information Systems Control
Journal, is published by the
Information Systems Audit and
Control Association® (ISACA®),
a nonprofit organization
created for the public in 1969.
Membership in the association, Tronixss www.rcap.online Back Cover
a voluntary organization
serving IT governance SCCE europeancomplianceethicsinstitute.org 1
professionals, entitles one to
receive an annual subscription
to the ISACA Journal.

Opinions expressed in the


ISACA Journal represent
the views of the authors and
advertisers. They may differ

supporters
from policies and official
statements of ISACA and/or
the IT Governance Institute
and their committees, and from
leaders and
opinions endorsed by authors,
employers or the editors of the
Journal. ISACA Journal does
not attest to the originality of
Editor Tushar Gokhale, CISA, CISM, CISSP, Smita Totade, Ph.D., CISA, CRISC,
authors’ content. ISO 27001 LA CISM, CGEIT
Jennifer Hajigeorgiou Tanja Grivicic Jose Urbaez, CISA, CISM, CSXF, ITIL
© 2017 ISACA. All rights publication@isaca.org Manish Gupta, Ph.D., CISA, CRISC, Ilija Vadjon, CISA
reserved. CISM, CISSP Sadir Vanderloot Sr., CISA, CISM, CCNA,
Managing Editor Mike Hansen, CISA, CFE CCSA, NCSA
Instructors are permitted to Maurita Jasper Jeffrey Hare, CISA, CPA, CIA Varun Vohra, CISA, CISM
photocopy isolated articles for
Sherry G. Holland Manoj Wadhwa, CISA, CISM, CISSP,
Jocelyn Howard, CISA, CISMP, CISSP ISO 27000, SABSA
noncommercial classroom use Contributing Editors Francisco Igual, CISA, CGEIT, CISSP Anthony Wallis, CISA, CRISC, CBCP, CIA
without fee. For other copying, Jennifer Inserro, CISA, CISSP Kevin Wegryn, PMP, Security+, PfMP
Sunil Bakshi, CISA, CRISC, CISM, CGEIT,
reprint or republication, ABCI, AMIIB, BS 25999 LI, CEH, Khawaja Faisal Javed, CISA, CRISC, CBCP, Tashi Williamson
permission must be obtained CISSP, ISO 27001 LA, MCA, PMP ISMS LA Ellis Wong, CISA, CRISC, CFE, CISSP
in writing from the association. Sally Chan, CGEIT, CPA, CMA Mohammed Khan, CISA, CRISC, CIPM
Where necessary, permission Ian Cooke, CISA, CRISC, CGEIT, COBIT Farzan Kolini, GIAC ISACA Board of Directors
is granted by the copyright Foundation, CFE, CPTS, DipFM, ITIL Abbas Kudrati, CISA, CISM, CGEIT, CEH, (2017-2018)
Foundation, Six Sigma Green Belt CHFI, EDRP, ISMS
owners for those registered Chair
Kamal Khan, CISA, CISSP, CITP, MBCS Shruti Kulkarni, CISA, CRISC, CCSK, ITIL
with the Copyright Clearance Bhanu Kumar Theresa Grafenstine, CISA, CRISC, CGEIT,
Vasant Raval, DBA, CISA
Center (CCC) (www.copyright. Steven J. Ross, CISA, CBCP, CISSP Hiu Sing (Vincent) Lam, CISA, CPIT(BA), CGAP, CGMA, CIA, CPA
com), 27 Congress St., Salem, Smita Totade, Ph.D., CISA, CRISC, CISM, ITIL, PMP Vice-chair
MA 01970, to photocopy CGEIT Edward A. Lane, CISA, CCP, PMP Rob Clyde, CISM
articles owned by ISACA, Romulo Lomparte, CISA, CRISC, CISM,
CGEIT, COBIT 5 Foundation, CRMA, Director
for a flat fee of US $2.50 per Advertising Brennan Baybeck, CISA, CRISC,
article plus 25¢ per page. IATCA, IRCA, ISO 27002, PMP
media@isaca.org Larry Marks, CISA, CRISC, CGEIT CISM, CISSP
Send payment to the CCC Director
Tamer Marzouk, CISA, ABCP, CBAP
stating the ISSN (1944-1967), Media Relations Krysten McCabe, CISA Zubin Chagpar, CISA, CISM, PMP
date, volume, and first and Brian McLaughlin, CISA, CRISC, CISM,
news@isaca.org Director
last page number of each CIA, CISSP, CPA Peter Christiaans, CISA, CRISC, CISM, PMP
article. Copying for other Brian McSweeney
than personal use or internal
Reviewers Irina Medvinskaya, CISM, FINRA, Series 99 Director
David Earl Mills, CISA, CRISC, CGEIT, Hironori Goto, CISA, CRISC, CISM, CGEIT
reference, or of articles or Matt Altman, CISA, CRISC, CISM, CGEIT
Sanjiv Agarwala, CISA, CISM, CGEIT, MCSE Director
columns not owned by the
CISSP, ITIL, MBCI Robert Moeller, CISA, CISSP, CPA, CSQE Michael Hughes, CISA, CRISC, CGEIT
association without express David Moffatt, CISA, PCI-P
Vikrant Arora, CISM, CISSP Director
permission of the association Ramu Muthiah, CISM, CRVPM, GSLC,
Cheolin Bae, CISA, CCIE Leonard Ong, CISA, CRISC, CISM, CGEIT,
or the copyright owner is Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ITIL, PMP
COBIT 5 Implementer and Assessor,
expressly prohibited. ABCI, AMIIB, BS 25999 LI, CEH, Ezekiel Demetrio J. Navarro, CPA
CFE, CFP, CGFA, CIPM, CIPT, CISSP
CISSP, ISO 27001 LA, MCA, PMP Jonathan Neel, CISA
ISSMP-ISSAA, CITBCM, CPP, CSSLP,
ISSN 1944-1967 Brian Barnier, CRISC, CGEIT Nnamdi Nwosu, CISA, CRISC, CISM,
GCIA, GCIH, GSNA, PMP
Pascal A. Bizarro, CISA CGEIT, PfMP, PMP
Jerome Capirossi, CISA Anas Olateju Oyewole, CISA, CRISC, CISM, Director
Anand Choksi, CISA, CCSK, CISSP, PMP CISSP, CSOE, ITIL R. V. Raghu, CISA, CRISC
Joyce Chua, CISA, CISM, PMP, ITILv3 David Paula, CISA, CRISC, CISSP, PMP Director
Ashwin K. Chaudary, CISA, CRISC, CISM, Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE Jo Stewart-Rattray, CISA, CRISC,
CGEIT John Pouey, CISA, CRISC, CISM, CIA CISM, CGEIT
Burhan Cimen, CISA, COBIT Foundation, Steve Primost, CISM
Parvathi Ramesh, CISA, CA Director
ISO 27001 LA, ITIL, PRINCE2
Antonio Ramos Garcia, CISA, CRISC, CISM, Ted Wolff, CISA
Ken Doughty, CISA, CRISC, CBCP
Nikesh L. Dubey, CISA, CRISC, CDPP, ITIL Director
CISM, CISSP Michael Ratemo, CISA, CRISC, CISM, Tichaona Zororo, CISA, CRISC, CISM,
Subscription Rates: CSXF, ACDA, CIA, CISSP, CRMA
Ross Dworman, CISM, GSLC CGEIT, COOBIT Assessor and Trainer,
Robert Findlay Ron Roy, CISA, CRP CIA, CRMA
US: John Flowers Louisa Saunier, CISSP, PMP, Six Sigma Director and Chief Executive Officer
one year (6 issues) $75.00 Jack Freund, CISA, CRISC, CISM, Green Belt Matthew S. Loeb, CGEIT, CAE, FASAE
CIPP, CISSP, PMP Daniel Schindler, CISA, CIA
All international orders: Sailesh Gadia, CISA Sandeep Sharma Director and Past Chair
Amgad Gamal, CISA, COBIT Foundation, Catherine Stevens, ITIL Christos Dimitriadis, Ph.D., CISA, CRISC,
one year (6 issues) $90.00.
CEH, CHFI, CISSP, ECSA, ISO 2000 Johannes Tekle, CISA, CFSA, CIA CISM, ISO 20000 LA
Remittance must be made LA/LP, ISO 27000 LA, MCDBA, MCITP, Robert W. Theriot Jr., CISA, CRISC Director and Past Chair
MCP, MCSE, MCT, PRINCE2 Nancy Thompson, CISA, CISM, Robert E Stroud, CRISC, CGEIT
in US funds. CGEIT, PMP
Robin Generous, CISA, CPA Director and Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS,
FCPA, FIIA
ISACA BOOKSTORE
RESOURCES FOR YOUR
PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore

Enter JOURNAL20 at checkout and receive a 20% discount off your order

ISACA Privacy Principles and Program Management Guide by ISACA

The main purpose of ISACA Privacy Principles and Program Management Guide is to
provide readers with a harmonized privacy framework. The book offers a set of privacy
principles that align with the most commonly used privacy standards, frameworks and
PRINT good practices, as well as fill in the gaps that exist among these different standards.
Product Code: IPP This practical guide can support or be used in conjunction with other privacy frameworks,
Member / Nonmember: good practices, and standards to create, improve and evaluate a privacy program
$45.00 / $90.00 specific to the practitioner’s enterprise. Special guidance on how to use the COBIT 5
WEB DOWNLOAD framework to implement a more robust privacy program is included in this publication.
Product Code: WIPP
Member / Nonmember:
$35.00 / $70.00

Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT by ISACA

How do organizations know they are effectively utilizing enterprise technology resources to best realize business
goals? Do organizations know the extent to which their business goals are dependent on technology? How do
they know the technology they have in place is providing value and realizing the expected return on investment?

Governance of enterprise IT (GEIT) is the systematic process of answering these and other related questions.
Implementing a GEIT system can bring many benefits to an organization, including lower costs, greater control,
more efficient and effective use of resources, and overall better strategic alignment and risk management. The
primary purpose of adopting and using a GEIT system is to deliver value to stakeholders. This guide provides
the necessary steps to implement GEIT to help the enterprise achieve its goals and demonstrate value delivery.

This guide is intended for people who are new to GEIT or have recently been tasked with implementing a
GEIT structure. Whether the enterprise is already familiar with GEIT concepts and practices or is exploring
the possibilities, this guide will help provide an understanding of the steps to implement GEIT and examples
WEB DOWNLOAD
Product Code: WCGEIT of the benefits of GEIT, so that buy-in from senior leadership can be obtained and a framework to guide
Member / Nonmember: implementation efforts can be used.
FREE / $15

Browse a variety of publications featuring the latest research and expert thinking on standards,
S-1
best practices, emerging trends and more at https://support.isaca.org
FEATURED BOOKS
Privacy Means Profit: Prevent Identity Theft and Secure You and the Your Bottom Line

Bulletproof your organization against data breach, identity theft, and corporate espionage.

In this updated and revised edition of Privacy Means Profit, John Sileo demonstrates how to keep data theft from
destroying your bottom line, both personally and professionally. In addition to sharing his gripping tale of losing
$300,000 and his business to data breach, John writes about the risks posed by social media, travel theft, workplace
identity theft, and how to keep it from happening to you and your business.

By interlacing his personal experience with cutting-edge research and unforgettable stories, John not only inspires
change inside of your organization, but outlines a simple framework with which to build a Culture of Privacy. This
book is a must-read for any individual with a Social Security Number and any business leader who doesn't want the
negative publicity, customer flight, legal battles and stock depreciation resulting from data breach.

Protect your net worth and bottom line using the 7 Mindsets of a Spy
by John Sileo • Accumulate Layers of Privacy • Eliminate the Source
Product Code: • Destroy Data Risk • Lock Your Assets
1WPMP
• Evaluate the Offer • Interrogate the Enemy
Member / Nonmember:
$15.00 / $25.00 • Monitor the Signs

In this revised edition, John includes an 8th Mindset, Adaptation, which serves as an additional bridge between
personal protection and bulletproofing your organization. Privacy Means Profit offers a one-stop guide to protecting
what's most important and most at risk-your essential business and personal data. Please note that COBIT 5
Implementation Guide is also available as a complimentary web download to both ISACA members and nonmembers.

Securing Mobile Devices Security Strategies in Windows Platforms


and Applications, 2nd Edition
This publication is intended for several
audiences who use mobile devises directly Revised and updated to keep pace with
or indirectly. These include end users, IT this ever changing field, Security Strategies
administrators, information security in Windows Platforms and Applications,
managers, service providers for mobile Second Edition focuses on new risks,
devices and IT auditors. The main purpose threats, and vulnerabilities associated with
of applying COBIT 5 to mobile device the Microsoft Windows operating system.
security is to establish a uniform Particular emphasis is placed on Windows
management framework and to give XP, Vista, and 7 on the desktop, and
guidance on planning, implementing and Windows Server 2003 and 2008 versions.
maintaining comprehensive security for It highlights how to use tools and
mobile devices in the context of enterpris- techniques to decrease risks arising from
by ISACA es. The secondary purpose is to provide by Michael G Solomon vulnerabilities in Microsoft Windows
Product Code: guidance on how to embed security for Product Code: operating systems and applications. The
CB5SMD1 mobile devices in a corporate governance, 3JBSS2 book also includes a resource for readers
Member / Nonmember: risk management and compliance (GRC) Member / Nonmember: desiring more information on Microsoft
$35.00 / $75.00 strategy using COBIT 5 as the overarching $102.00 / $112.00 Windows OS hardening, application
framework for GRC. security, and incident management. With
its accessible writing style, and
step-by-step examples, this must-have
resource will ensure readers are educated
on the latest Windows security.

2 EASY WAYS TO ORDER:


1. Online—Access ISACA’s bookstore online anytime 24/7 at https://support.isaca.org
S-2
2. Phone—Contact us M–F between 8:00AM – 5:00PM Central Time (CT) at +1.847.660.5505
Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks

Cyber Threat! How to Manage the Growing Risk of Cyber Attacks is an in-depth examination of the very real cyber
security risks facing all facets of government and industry, and the various factors that must align to maintain
information integrity. Written by one of the nation's most highly respected cyber risk analysts, the book describes how
businesses and government agencies must protect their most valuable assets to avoid potentially catastrophic
consequences. Much more than just cyber security, the necessary solutions require government and industry to work
cooperatively and intelligently. This resource reveals the extent of the problem, and provides a plan to change course
and better manage and protect critical information.

Recent news surrounding cyber hacking operations show how intellectual property theft is now a matter of national
security, as well as economic and commercial security. Consequences are far-reaching, and can have enormous
effects on national economies and international relations. Aggressive cyber forces in China, Russia, Eastern Europe
and elsewhere, the rise of global organized criminal networks, and inattention to vulnerabilities throughout critical
by MacDonnell Ulsch
infrastructures converge to represent an abundantly clear threat. Managing the threat and keeping information safe is
Product Code: now a top priority for global businesses and government agencies. Cyber Threat! breaks the issue down into real
108WCT
terms, and proposes an approach to effective defense. Topics include:
Member / Nonmember:
$33.00 / $43.00
• The information at risk
• The true extent of the threat
• The potential consequences across sectors
• The multifaceted approach to defense

The growing cyber threat is fundamentally changing the nation's economic, diplomatic, military, and intelligence
operations, and will extend into future technological, scientific, and geopolitical influence. The only effective solution
will be expansive and complex, encompassing every facet of government and industry. Cyber Threat! details the
situation at hand, and provides the information that can help keep the nation safe.

Advanced Persistent Threats: How to Manage the Risk to Your Business

Advanced Persistent Threats: How to Manage the Risk to your Business explains the nature of the security
phenomenon known as the advanced persistent threat (APT). It also provides helpful advice on how to assess
the risk of an APT to the organization and recommends practical measures that can be taken to prevent, detect
and respond to such an attack. In addition, it highlights key differences between the controls needed to counter
the risk of an APT attack and those commonly used to mitigate everyday information security risk.

This book is designed primarily for security managers, IT managers, IT auditors and students studying for
computer science or information security qualifications. It is written in clear, nontechnical language so it will
also be of value to business managers and government officials responsible for valuable intellectual assets
or critical services that might be the target of an APT attack.

by ISACA
Product Code:
APT
Member / Nonmember:
$35.00 / $60.00

Enter JOURNAL20 at checkout and receive a 20% discount off your order S-3
Enter JOURNAL20 at checkout and receive a 20% discount off your order

CRISC Review Manual, 6th Edition

The CRISC Review Manual 6th Edition is a comprehensive reference guide designed to help individuals prepare for
the CRISC exam and understand IT-related business risk management roles and responsibilities. The manual has
been enhanced over the past editions and represents the most current, comprehensive, peer-reviewed IT-related
business risk management resource available worldwide.

The 6th edition manual is organized to assist candidates in understanding essential concepts and studying the
following job practice areas:
• IT Risk Identification • IT Risk Assessment
• Risk Response and Mitigation • Risk and Control Monitoring and Reporting

The CRISC Review Manual 6th Edition offers an easy-to-navigate format. Each of the book’s four chapters has been
by ISACA divided into two sections for focused study. Section one of each chapter contains:
Print Product Code: • Definitions and objectives for the four areas
CRR6ED
• Task and knowledge statements
EBook Product Code:
EPUB_CRR6ED • Self-assessment questions, answers and explanations
Member / Nonmember: • Suggested resources for further study
$85.00 / $115.00
Section two of each chapter consists of reference material and content that support the knowledge statements. The
material enhances CRISC candidates’ knowledge and/or understanding when preparing for the CRISC certification
exam. Also included are definitions of terms most commonly found on the exam.

CRISC Review Questions, Answers & CRISC Review Questions, Answers &
Explanations, 4th Edition Explanations Database - 12 Month Subscription

The CRISC™ Review Questions, Answers & The CRISC™ Practice Question Database
Explanations Manual, 4th Edition is is a comprehensive 500-question pool of
designed to familiarize candidates with the items that contains the questions from the
question types and topics featured in the CRISC™ Review Questions, Answers &
CRISC exam. The 500 questions in this Explanations Manual, 4th Edition. The
manual have been consolidated from the database is available via the web, allowing
CRISC™ Review Questions, Answers & CRISC candidates to log in at home, at
Explanations Manual 2015 and the CRISC work or anywhere they have Internet
™ Review Questions, Answers & connectivity. The database is MAC and
Explanations Manual 2015 Supplement. Windows compatible.
by ISACA by ISACA
Many questions have been revised or Exam candidates can take sample exams
Product Code: completely rewritten to be more represen- Product Code: with randomly selected questions and view
CRQ4ED XMXCR14-12M
tative of the CRISC exam question format, the results by job practice domain, allowing
Member / Nonmember: and/or to provide further clarity or Member / Nonmember: for concentrated study in particular areas.
$72.00 / $96.00 $185.00 / $225.00
explanation of the correct answer. These Additionally, questions generated during a
questions are not actual exam items, but study session are sorted based on previous
are intended to provide CRISC candidates scoring history, allowing CRISC candidates
with an understanding of the type and to identify their strengths and weaknesses
structure of questions and content that and focus their study efforts accordingly.
have previously appeared on the exam.

2 EASY WAYS TO ORDER:


1. Online—Access ISACA’s bookstore online anytime 24/7 at https://support.isaca.org
S-4 2. Phone—Contact us M–F between 8:00AM – 5:00PM Central Time (CT) at +1.847.660.5505
Train Your
Employees.
Prep for
Enterprise
Success.

Competition, regulation, evolving technology—change is constant. As a global leader


in training, education and certification for information systems and business professionals,
ISACA® can provide enterprise employees with the knowledge and skills to take on the
challenges and build on the opportunities of an ever-changing world. Our Enterprise Training
and Continuing Professional Education (CPE) programs are:
• Customizable to your specific needs.
• Available at or near your location, reducing downtime and travel.
• Taught by expert trainers with real-world experience.

Learn more about ISACA Enterprise Training at: www.isaca.org/enterprisetraining

IS/IT AUDIT | RISK MANAGEMENT | COBIT/GOVERNANCE | CYBER SECURITY | I N F O R M AT I O N S E C U R I T Y


Does your audit software allow you to carry key facts
and insights to senior management meetings?

TM
R-CAP brings Audit Universe & KPIs to your fingertips.

Audit Life‐Cycle and Risk Management �olu�on


Observations Tracking

Risk and Controls Matrix

Regular Business Monitoring

Audit Timesheet Management

Efficient Work-Paper Documentation

Insightful Dashboards & Reports


Built by Auditors,
For Auditors. Resource Scheduling

For your free 30 day trial email at


contactus@rcap.online www.rcap.online
Copyright 2017, Tronix Software Solutions LTD, All Rights Reserved.