www.isaca.org Volume 6, 2017 Auditing Big DatainEnterprises Risk,Complianceanda BigDataCaseStudy Governance, Digital Identity—Willthe NewOilCreate FuelorFire inToday’s Economy? DATA TRANSFORMING 06 SEE WHAT’S NEXT, NOW GET CERTIFIED. GET AHEAD.
FAST-TRACK YOUR FUTURE WITH ISACA’S GLOBALLY RECOGNIZED CERTIFICATIONS.
No matter your role in IS/IT—audit, security, cyber security, risk, privacy or governance, these credentials are designed for forward-thinking professionals across a variety of industries. ISACA® certifications are not just any certification, they are the ones that can get you ahead!
Obtain certifications that bring value to your career now, and in the future. Choose your certification and get started today to secure your spot for the 1 November – 31 December exams!
Registration for the certification exams in 2018 opens in December! Once open, you may register for the upcoming exam period that starts 1 February 2018.
Register now for a 2017 exam at www.isaca.org/GetCertified-Jv6. SAVE THE DATE… or — REGISTER — th European6 Annual NOW Compliance & Ethics Institute 25–28 March 2018 | Frankfurt, Germany
• Hear from top compliance & ethics professionals from Europe and around the world • Learn the latest and best solutions for compliance & ethics challenges, including anti-corruption, data protection, and risk management • Build your professional network • Earn the continuing education units you need, and take the Certified Compliance & Ethics Professional - International (CCEP-I)® exam
europeancomplianceethicsinstitute.org | [email protected]
scce-2018-ecei-insert-cep-jul.indd 1 5/31/17 10:32 AM The ISACA® Journal seeks to enhance Journal the proficiency and competitive advantage of its international readership 3 42 by providing managerial Information Security Matters: Information Security Making the SoA an Information in Context Security Governance Tool and technical guidance Steven J. Ross, CISA, CISSP, MBCP Daniel Gnana, CISA, ISO/IEC 27001:2013 LA, PRINCE2 from experienced global 6 IS Audit Basics: Auditing Mobile Devices 48 authors. The Journal’s Ian Cooke, CISA, CGEIT, CRISC, COBIT Assessor Evasive Malware Tricks noncommercial, and Implementer, CFE, CPTE, DipFM, ITIL Clemens Kolbitsch Foundation, Six Sigma Green Belt peer-reviewed articles 52 12 The AICPA’s New Cybersecurity Attestation focus on topics critical to The Network Reporting Framework Will Benefit a Variety of Sarah Orton, CISA Key Stakeholders professionals involved Sandra Herrygers, Gaurav Kumar and Jeff Schaeffer 14 in IT audit, governance, The Practical Aspect: Challenges of Security security and assurance. Log Management PLUS Vasant Raval, DBA, CISA, ACMA, and Saloni Verma, CISA, CEH 54 Help Source Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, FEATURES AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP 19 Digital Identity—Will the New Oil Create Fuel or 56 Fire in Today’s Economy? Crossword Puzzle ( 亦 有 中 文 简体译 本 ) Myles Mellor Dan Blum, CISSP 57 22 CPE Quiz Governance, Risk, Compliance and a Big Data Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS Case Study Guy Pearce 59 Standards, Guidelines, Tools and Techniques 29 Auditing Big Data in Enterprises S1-S4 ( 亦 有 中 文 简体译 本 ) ISACA Bookstore Supplement Read more from Abdullah Al-Mansour, Security+ these Journal 33 authors... A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance Robert Putrus, CISM, CFE, CMC, PE, PMP Journal authors are now blogging at www.isaca.org/journal/ blog. Visit the ISACA Journal blog, Practically Online-Exclusive Speaking, to gain Features practical knowledge from colleagues and to participate in the growing Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles ® and blogs, the Journal is more than a static print publication. Use your unique member login credentials to ISACA community. access these articles at www.isaca.org/journal. Online Features The following is a sample of the upcoming features planned for November and December 2017.
Assurance Across the Creating and Defining a An IoT Control Audit Methodology Three Lines Culture of Security Marcin Jekot, CISSO, ISO 27001 LA, SSP Ability Takuva, CISA Pedro Alexandre de Freitas and Yiannis Pavlosoglou, Ph.D., CISSP Pereira, CCNA 3701 Algonquin Road, Suite 1010 Rolling Meadows, Illinois 60008 USA
Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter Telephone Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA +1.847.660.5505 Follow ISACA on LinkedIn: www.linkedin.com/company/isaca Like ISACA on Facebook: www.facebook.com/ISACAHQ Fax +1.847.253.1755 www.isaca.org informationsecurity matters Information Security in Context
I do not believe in information security. Context Do you have I support information security. I exhort organizations This is not an argument in favor of compromise of something to implement and maintain information security. I have the basic principles of information security. I prefer to say about built my career around information security. But I do to think that it is recognition that security must be this article? not believe in it. Belief is black or white. It admits no placed in context. The requirements for security Visit the Journal shades of grey. Security is not an absolute. differ in all sorts of organizations based on size, risk, pages of the ISACA® resources and mission. So, for example, a company website (www.isaca. Beliefs and Causes that makes household products simply does not org/journal), find the have security needs as stringent as those of, for article and click on I do have beliefs—religious, moral and political— example, a large bank with billions that might be the Comments link to which I have absolutely no intention of addressing in lost or a hospital where lives are at stake. share your thoughts. this Journal or any other public forum. In fact, they http://bit.ly/2xmXwoM are not suited to discussion because, as beliefs, Moreover, information security is not a monolith. they are not subject to argument. One set of beliefs Data privacy is a major concern for those in health can only be confronted by another, not proven care or insurance, but less so for manufacturers, for right or wrong. In the past, and even in the present, whom trade secrets are a paramount issue. Fraud people have died for what they believe. I would like prevention is a focus of financial institutions, but to think that I have the strength of character to die less so for restauranteurs. So, someone pressing for my beliefs, but I am surely not prepared to die for across-the-board security can only be seen as for the sake of secure information in any corporation foolish if he or she presses too hard. or government agency. This applies even in this age of cyberattacks. Much I bring this up because I encounter many security as I disdain those who dismiss this threat as not professionals who act as though securing information applying to their organizations,1 it is true that some is, for them, a holy endeavor. Unlike typical belief industries are more tempting targets than others. A systems, security has no contradictory beliefs. No small company that makes, say, plastic toys2 is less one is against security. (Of course, that is not literally likely to be attacked than a giant global brokerage true. There are some really bad people who are firm. Once again, it is all a matter of context. against security or, more precisely, they are against your security, but not their own.) In the absence of a counterargument, some security professionals I have met treat information security as a Cause, not as an attribute of information systems.
So what? Why is this bad? What is wrong with a little professional fervor? My concern is that such zeal leads to intransigence. It not only isolates the person, but also creates an atmosphere that runs counter to the establishment of an effective security culture within organizations. If security is portrayed as the One True Way, its proponents lose sight of the fact that others have different incentives, such as cost reduction, mission achievement and profit. It is not that security is inimical to these, but close- mindedness crowds out the ability to understand what drives other people. Thus, security receives Steven J. Ross, CISA, CISSP, MBCP resistance rather than an understanding that could Is executive principal of Risk Masters International LLC. Ross has been lead people to accommodate security along with writing one of the Journal’s most popular columns since 1998. He can be their own motivators. reached at [email protected].
ISACA JOURNAL VOL 6 3 Persuasion, Not Proselytizing do all day long. They should make sales securely, Enjoying balance the books securely, hire and fire securely. In all organizations, information security needs At best, we want them to influence others to work this article? advocates, not fanatics. No one in any information securely as well. But we will not get them to be security department is going to achieve his/her fellow members of a campaign because it is not • Learn more about, goals acting alone. Security must be achieved their fight. discuss and through all the technicians and users in an collaborate on organization. This calls for persuasion, not information security proselytizing. Security must be conveyed as a management in the way of doing business that is beneficial for the Our objective is, Knowledge Center. organization, to be sure, but also for the individual. www.isaca.org/ The inherent goodness of secure information or should be, not to information-security- resources must be demonstrated, not just get other people to management presented as revealed truth. Information security professionals must be salespeople, teachers, do what we do, but leaders and exponents. I do not think the role of clergy fits very well. rather to incorporate appropriate security I have heard too many security professionals complain that their management just does not “get into what they do all it.” Rarely have I heard someone say, “I did not do a good enough job explaining to them the benefits day long. security would bring to them.” I suggest that the cause of management recalcitrance is not opposition to security, but an ability to see a certain degree of security as acceptable. A belief in information security I have discussed the matter of security as a belief does not allow degrees; less than 100 percent means with colleagues and have drawn two reactions. Some that there is a hole, which means that security is treat me as an apostate for even raising the question. incomplete, which means that there is no security How could I abandon “the faith”? Others say that at all. Effectiveness arises from comprehension that I am raising a straw man, that no one approaches security is a variable, not an absolute. information security as a religion or cause. In either case, I evidently have not explained my position Conferences and seminars are wonderful for well enough. By all means, be an advocate for learning, but they are not ideal venues for listening information security. Be creative and influential in the to different perspectives about security. If everyone communities of which you are a part. But temper the in the room is a fellow professional, there are not message so that information security is perceived as likely to be some more strongly in favor of secure beneficial to the individual and the enterprise, not an information resources and others less so. There are unalloyed virtue unto itself. shared assumptions and a common vocabulary that reinforce existing parochialisms. The presentations Endnotes made are about how to make security better, not good enough. It is easy to see how context could 1 Ross, S.; “Bear Acceptance,” ISACA® Journal, be lost and zeal could take over. If that mind-set vol. 4, 2014, www.isaca.org/Journal/Pages/ is carried back to the office, those not similarly default.aspx passionate are more likely to be turned off than to 2 Gurtke, C.; “No Business Too Small to Be be swept up in the resulting enthusiasm. Hacked,” The New York Times, 3 January 2016, www.nytimes.com/2016/01/14/business/ We who are in this profession “do” security all day. smallbusiness/no-business-too-small-to- It is the reason why we come to work and many be-hacked.html?_r=0. The example was not of us also take it home with us, in our heads if not chosen idly. In 2015, Rokenbok Education, a our briefcases. Our objective is, or should be, not toymaker with seven employees, was the victim to get other people to do what we do, but rather of not one, but two cyberattacks. to incorporate appropriate security into what they
4 ISACA JOURNAL VOL 6 CYBER SECURITY TRAINING JUST GOT REAL NOW YOUR STAFF CAN COMBAT REAL THREATS IN REAL TIME TO BUILD REAL TECHNICAL SKILLS.
Yesterday’s lecture-based cyber security training won’t protect your organization against tomorrow’s advanced cyberthreats. That’s why ISACA’s new Cybersecurity Nexus™ (CSX) Enterprise Training Platform offers your security team:
On-demand access to 200+ hours of training for less than the cost of one typical course
Practical, hands-on training labs performed in a live, dynamic network environment
Continually updated content based on the latest real-world threats and scenarios
Performance-based assessment of current and prospective employees’ technical skills
SCHEDULE A DEMO OF THE CSX TRAINING PLATFORM AT WWW.ISACA.ORG/CSXCYBERTRAINING
IS5ACA®, tISACAhe Cyb JOURNALersecurity N VOLexus ™6 (CSX) Mark, and ISACA's Cybersecurity Nexus™ (CSX) products, certifications, ISACA JOURNAL VOL 6 5 and services are not affiliated with CSX Corporation or its subsidiaries, including CSX Transportation, Inc. Auditing Mobile Devices
By the time this article is published, it will have been of the organization in question. This is a risk that Do you have about 20 months since the US Federal Bureau IT auditors can and should influence. So how can something of Investigation (FBI) unlocked the iPhone of the practitioners audit to help mitigate this and other to say about San Bernardino, California, gunman who killed 14 mobile device risk scenarios? this article? people.1 The request by the FBI for Apple to build Visit the Journal new software to unlock the mobile device resulted in In a previous column,6 I advocated the use of an ® pages of the ISACA strongly held opinions on encryption and backdoors ISACA® paper on creating audit programs.7 This website (www.isaca. on both sides2 that have yet to be resolved. I have process can be applied to build an audit program org/journal), find the sympathy for all involved, but, as a technologist, I for mobile devices for an organization. article and click on passionately believe that backdoors should not be the Comments link to developed. This conviction has been strengthened by share your thoughts. Determine Audit Subject the recent WannaCry3 and Petya4 attacks, which were The first thing to establish is the audit subject. What http://bit.ly/2gimJq5 developed using the leaked Shadow Brokers exploit, EternalBlue, which is generally believed to have been does a mobile device mean in the enterprise? If developed by the US National Security Agency (NSA). there are distinct types of mobiles devices in use, they should probably be recorded as separate audit Although a critical issue, this is not the focus of this universe items. ISACA categorized mobile devices 8 column, nor is it something that we, as IT auditors, (figure 1) in a 2012 white paper while an earlier 9 can influence on a day-to-day basis. However, white paper listed the type of mobile devices: an aspect of this case that received little or no • Full-featured mobile phones with personal coverage was the fact that San Bernardino County computer-like functionality, or smartphones owned mobile device management (MDM) software that was not installed on the device.5 This would • Laptops and netbooks have allowed its IT department to remotely unlock • Tablet computers the phone and, in my opinion, save the reputation • Portable digital assistants (PDAs) • Portable Universal Serial Bus (USB) devices for Ian Cooke, CISA, CGEIT, CRISC, COBIT Assessor and storage (such as thumb drives and MP3 devices) Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma • Connectivity (such as Wi-Fi, Bluetooth and Green Belt HSDPA/UMTS/EDGE/GPRS modem cards) Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of • Digital cameras information systems. Cooke has served on several ISACA committees ® • Radio frequency identification (RFID) and and is a current member of ISACA’s CGEIT Exam Item Development mobile RFID (M-RFID) devices for data storage, Working Group. He is the community leader for the Oracle Databases, identification and asset management SQL Server Databases, and Audit Tools and Techniques discussions in the ISACA Knowledge Center. Cooke supported the update of the CISA • Infrared-enabled (IrDA) devices such as printers Review Manual for the 2016 job practices and was a subject matter and smart cards expert for ISACA’s CISA and CRISC Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge In 2017, wearables, including smart watches, can Award for contributions to the development and enhancement of ISACA certainly be added to that list. The key is to use the publications and certification training modules. He welcomes comments or suggestions for articles via email ([email protected]), guidance to consider mobile devices in use at an Twitter (@COOKEI), or on the Audit Tools and Techniques topic in the enterprise and determine the audit subject(s). One ISACA Knowledge Center. Opinions expressed are his own and do not needs to answer the key question: What is being necessarily represent the views of An Post. audited?
6 ISACA JOURNAL VOL 6 ISbasics audit
Define Audit Objective perspective, it is advisable to adopt a risk-based view and define the objectives accordingly.10 Once what is being audited has been determined, the objective of the audit needs to be established. • Identify the risk associated with the devices Why is it being audited? From an auditor’s (figure 2).
Figure 1—Mobile Device Categories Category Devices Examples 1 Data storage (limited), basic telephony and messaging services, proprietary • Traditional cell phones operating system (OS) (limited), no data processing capability 2 Data storage (including external) and data processing capabilities, • Smartphones standardized OS (configurable), extended services • Early pocket PC devices 3 Data storage, processing and transmission capabilities via alternative • Advanced smartphones channels, broadband Internet connectivity, standardized OS (configurable), • Tablet PCs PC-like capabilities
Source: ISACA, Securing Mobile Devices, USA, 2012
Figure 2—Mobile Device Vulnerabilities, Threats and Risk Vulnerability Threat Risk Information travels across wireless Malicious outsiders can do harm to Information interception resulting in a networks, which are often less secure the enterprise. breach of sensitive data, damage to than wired networks. enterprise reputation, nonadherence to regulation, legal action Mobility provides users with the Mobile devices cross boundaries and Malware propagation, which may result opportunity to leave enterprise network perimeters, carrying malware, in data leakage, data corruption and boundaries and, thereby, eliminates and can bring this malware into the unavailability of necessary data many security controls. enterprise network. Bluetooth technology is convenient Hackers can discover the device and Device corruption, lost data, call for many users to have hands-free launch an attack. interception, possible exposure of conversations; however, it is often left on sensitive information and then is discoverable. Unencrypted information is stored on In the event that a malicious outsider Exposure of sensitive data, resulting in the device. intercepts data in transit or steals a device, damage to the enterprise, customers or if the employee loses the device, the or employees data are readable and usable. Lost data may affect employee Mobile devices may be lost or stolen due Workers dependent on mobile devices productivity. to their portability. Data on these devices unable to work in the event of broken, are not always backed up. lost or stolen devices and data that are not backed up The device has no authentication In the event that the device is lost or Data exposure, resulting in damage to requirements applied. stolen, outsiders can access the device the enterprise and liability and regulation and all of its data. issues The enterprise is not managing If no mobile device strategy exists, Data leakage, malware propagation, the device. employees may choose to bring in their unknown data loss in the case of device own, unsecured devices. While these loss or theft devices may not connect to the virtual private network (VPN), they may interact with email or store sensitive documents. The device allows for installation of Applications may carry malware that Malware propagation, data leakage, unsigned third-party applications. propagates Trojans or viruses; the intrusion on the enterprise network applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network.
Source: ISACA, Securing Mobile Devices, USA, 2012
ISACA JOURNAL VOL 6 7 Set Audit Scope
When the objectives of the audit have been defined, the scoping process should identify the actual mobile devices that need to be audited. In other words, what are the limits to the audit? This could include devices in a specific country, region or division; devices that are used for a specific purpose; or devices that contain especially sensitive data. Again, this should be risk based. Also, consider if personally owned devices (bring your own device [BYOD]) should be included.
When the objectives of • Define objectives for each category or type of the audit have selected device; refer to information value and information risk. This is key. been defined, the • Focus on a limited number of audit objectives for scoping process a reasonable scope. should identify It is worth noting that although ISACA’s Securing the actual mobile Mobile Devices white paper considered the vulnerability of the enterprise not managing the devices that need device, it did not consider a San Bernardino to be audited. County scenario. The lesson? Spend some time considering emerging risk scenarios.
Audit objectives should also correspond to security Perform Pre-Audit Planning and protection goals as defined by the enterprise (figure 3).11 Now that the risk has been identified figure( 2), it should be evaluated to determine its significance.
Figure 3—Organizational Security Goals and Audit Objectives Security Goal Audit Objective Mobile device security policies and procedures are adequate Obtain assurance over mobile device security policies and and effective. related controls at the entity level, general level and detailed control level. Access control and encryption for mobile devices are adequate Review mobile device access controls and encryption controls and comprehensive. in line with data and information risk as well as information classification. Data and information segregation in brought-in devices is Review concepts, methods and implementation of data and complete and effective. information segregation for all devices owned by and brought in by end users. Mobile device security incident management is fully Review mobile device incident management processes and implemented and effective. controls, and obtain assurance over the effective functioning of incident management.
Source: ISACA, Securing Mobile Devices, USA, 2012
8 ISACA JOURNAL VOL 6 Conducting a risk assessment is critical in setting The use of any mobile device encompasses several the final scope of a risk-based audit.12 The more legal relationships and obligations that must be significant the risk, the greater the need for considered when auditing or reviewing devices. In assurance. Assurance considerations for mobile partial or full BYOD scenarios, further legal obligations devices include:13 may arise from the fact that parts of the mobile device (and information) are considered beyond the • Policy—Does a security policy exist for mobile control of the enterprise.14 Furthermore, when the devices? Does it include rules for appropriate device is used for private purposes—even to a very physical and logical handling? The enterprise small extent—questions of personal data protection should have a policy addressing mobile device and privacy will inevitably arise. In most jurisdictions, use and specifying the type of information and privacy is protected by law and additional kinds of devices and information services that regulations.15 If any doubt exists, it is prudent to seek may be accessible through the devices. legal advice in the relevant jurisdiction. • Antivirus updates—Auditors should verify that the enterprise updates the mobile device antivirus software to prevent perpetuation of malware. Audit programs should be • Encryption—Auditors should verify that any data labeled as sensitive are properly secured while in considered a starting point and transit or at rest. adjusted based upon risk and • Secure transmission—Auditors should determine whether mobile device users are connecting to the criteria that are relevant to enterprise network via a secure connection. VPN, IP the organization that is being Security (IPsec) or Secure Sockets Layer (SSL) can offer some levels of assurance. audited.
• Device management—Auditors should determine whether there is an asset management process in place for tracking mobile devices. This Finally, the auditee should be interviewed to inquire asset management program should also detail about activities or areas of concern that should be procedures for lost and stolen devices as well included in the scope of the engagement. Once the as procedures for employees who have been subject, objective and scope are defined, the audit terminated or have resigned from the enterprise. team can identify the resources needed to perform • Access control—Auditors should verify that data the audit work.16 synchronization of mobile devices is not set to receive access to shared files or network drives Determine Audit Procedures and that contain data that are prohibited for mobile Steps for Data Gathering use by the policy. At this stage of the audit process, the audit team • Awareness training—The auditor should verify should have enough information to identify and select that the enterprise has an awareness program in the audit approach or strategy and start developing place that addresses the importance of securing the audit program.17 There is enough information to the mobile devices physically and logically. The decide what documents are expected to be seen, training should also make clear the types of what laws and regulations apply, the criteria and information that can and cannot be stored on whom the audit team is going to interview. However, such devices. the testing steps do need to be defined. • Risk—Mobile devices have the capability to store large amounts of data and present a high risk of In August 2017, ISACA released an updated data leakage and loss. As such, mobile device version of its Mobile Computing Audit/Assurance 18 policies should be created and enforced to ensure Program, which defines testing steps for mobile that information assets are not exposed. devices. Some readers may have just thought,
ISACA JOURNAL VOL 6 9 “Why did he not just state this at the beginning an audit/assurance program that is tailored to the of the article?” I refer those readers back to this individual enterprise. Failure to do so can result in Enjoying 19 this article? author’s first column. Audit programs should be a checklist approach, which can lead to a failure to considered a starting point and adjusted based mitigate key and emerging risk. upon risk and criteria that are relevant to the • Read Mobile organization that is being audited. Failure to do so Computing Audit/ can result in a checklist approach, which can lead Assurance Program. to the auditor recommending controls that are not As the uses, www.isaca.org/ applicable to the organization. This, in turn, can auditprograms damage the auditor’s reputation with the auditee storage capabilities, and, ultimately, with senior management.20 It is • Learn more about, worth spending the time considering the risk and power and discuss and the resulting need for assurance (figure 4). collaborate on proliferation of mobile computing mobile devices have in the Knowledge Figure 4—Assurance Consideration to Audit Program Mapping Center. increased, so has www.isaca.org/ Assurance the risk they pose to mobile-computing Consideration Audit Program Process Sub-Area Policy Mobile computing policy an enterprise. Antivirus updates Anti-malware protection Encryption Device protections Secure transmission Wireless access points Endnotes Device management Removable media/remote storage solutions/data recovery/asset 1 Burgess, M.; “FBI Unlocks Shooter’s iPhone management Without Apple’s Help,” Wired, 29 March 2016, Access control Secure access/identification and www.wired.co.uk/article/apple-fbi-unlock- authentication iphone-5c-court-order-dropped Awareness training User training 2 Elmer-DeWitt, P.; “Apple vs. FBI: What the Polls Risk Risk management Are Saying—Updated,” Fortune, 23 February 2016, http://fortune.com/2016/02/23/apple-fbi- Key testing steps in the audit program include poll-pew/ password controls and the configuration of the 3 Symantec Security Response, “What You Need selected MDM solution (if one is in place). Excellent to Know About the WannaCry Ransomware,” guidance is provided on these and other aspects 12 May 2017, https://www.symantec.com/ of mobility by the US Department of Defense connect/blogs/what-you-need-know-about- (DoD) information systems Security Technical wannacry-ransomware Implementation Guides (STIGs).21 4 Symantec Security Response, “Petya Ransomware Outbreak: Here’s What You Need Conclusion to Know,” 27 June 2017, https://www.symantec. com/connect/blogs/petya-ransomware- As the uses, storage capabilities, power and outbreak-here-s-what-you-need-know proliferation of mobile devices have increased, 5 Finkel, J.; “Exclusive: Common Mobile so has the risk they pose to an enterprise. As a Software Could Have Opened San Bernardino leading advocate for managing this risk, ISACA has Shooter’s iPhone,” Reuters, 19 February 2016, produced several white papers in this area. Each www.reuters.com/article/us-apple-encryption- of these documents is worth consulting to develop software-exclusive-idUSKCN0VS2QK
10 ISACA JOURNAL VOL 6 6 Cooke, I.; “Audit Programs,” ISACA® Journal, 12 ISACA, Audit Plan Activities: Step-By-Step, vol. 4, 2017, www.isaca.org/Journal/archives/ USA, 2016, www.isaca.org/Knowledge-Center/ Pages/default.aspx Research/Documents/Audit-Plan-Activities_res_ 7 ISACA, “Information Systems Auditing: Tools eng_0316.pdf and Techniques, Creating Audit Programs,” 13 Op cit, ISACA, 2010, p. 9 USA, 2016, www.isaca.org/Knowledge-Center/ 14 Ibid ., p. 91 Research/Documents/IS-auditing-creating- 15 Ibid ., p. 94 audit-programs_whp_eng_0316.PDF 16 Op cit, ISACA, 2016 8 ISACA, Securing Mobile Devices, USA, 2012, 17 Ibid . www.isaca.org/Knowledge-Center/Research/ 18 ISACA, Mobile Computing Audit/Assurance ResearchDeliverables/Pages/Securing-Mobile- Program, USA, 2017, www.isaca.org/ Devices-Using-COBIT-5-for-Information- Knowledge-Center/Research/ Security.aspx ResearchDeliverables/Pages/Mobile- 9 ISACA, Securing Mobile Devices, USA, 2010, Computing-Audit-Assurance-Program.aspx www.isaca.org/Knowledge-Center/Research/ 19 Op cit, Cooke Documents/SecureMobileDevices_whp_ 20 Ibid . Eng_0710.pdf 21 Department of Defense, Security Technical 10 Op cit, ISACA, 2012, p. 89 Implementation Guides (STIGs), USA, 11 Ibid . http://iase.disa.mil/stigs/mobility/Pages/ index.aspx
2017 MEMBER GET A MEMBER RECRUIT NEW MEMBERS TODAY— SHAPE THE FUTURE OF TECHNOLOGY The more members you recruit, the better reward you enjoy.
THE MORE MEMBERS YOU RECRUIT, THE MORE WE CAN HELP THE BUSINESS AND IS/IT COMMUNITIES IMPACT TECHNOLOGY’S FUTURE. When ISACA grows, members benefit. More recruits mean more connections, more opportunities to network—and now, more rewards you can use for work or fun! Get recruiting today. It’s easy. Learn more at www.isaca.org/GetMembers-Jv6
* Rules and restrictions apply and can be found at www.isaca.org/rules. Please be sure to read and understand these rules. If your friends or colleagues do not reference your ISACA member ID at the time they become ISACA members, you will not receive credit for recruiting them. Please remember to have them enter your ISACA member ID on the application form at the time they sign up. © 2017 ISACA. All Rights Reserved.
ISACA JOURNAL VOL 6 11 Q: How do you think idea! ISACA chapters good knowledge of the the role of IS auditor provide a forum for business. The ability is changing or has updating your technical to be able to translate changed? knowledge, but also for technical risk issues networking and meeting into a relevant business A: The role is changing some great people who context is highly valued from that of technical are experiencing similar by organizations. One IS auditor to that of challenges. cannot underestimate IS controls advisory the value of emotional consultant, and for that, Since joining intelligence as a the IS auditor needs AstraZeneca, I managed leadership tool, too. to both consolidate to connect with a great Being able to “read technical skills, but mentor. She is a woman between the lines” also develop their who is outside of my line of what is going on interpersonal skills of business who I meet and sense the mood and broader business with on a bimonthly is vital to creating Sarah Orton, CISA knowledge to be able basis. We discuss and sustaining an to provide value-added actions I have taken in environment where Is IT audit director at AstraZeneca. She has more than insights. With the advent the previous month to people do their best 20 years of IT assurance and advisory experience of data analytics and develop my career and work. Also, irrespective spanning financial services, utilities, professional continuous monitoring, she offers real gems of of gender, a vital services, central government and pharmaceuticals. the IS controls advisory She has worked in leadership roles during her time information for me to leadership trait is to in professional services and, more recently, in central consultant needs to either transform the level be authentic and true. government and pharmaceuticals. Her expertise is in recognize the value of my engagement or to These are critical to building strong relationships with key stakeholders both of leveraging the confront issues that may establishing the key from a business development context and in building messaging that is be perceived barriers to relationships to support credibility when engaging with senior stakeholders contained in the data. my progression. I really women in developing in a business context. Orton also has the knowledge value my bimonthly themselves as credible and experience to challenge businesses on complex discussions with her. leaders of technology. technical issues as well as explain technology in simple Q: What would be terms that can be understood by all. She is a member your best advice for IS of the ISACA Northern England Chapter board and she auditors as they plan Q: What leadership Q: What is the best leads the ISACA UK and Ireland chapterwide initiative their career paths and skills do you feel are way for someone to for SheLeadsTech. She also serves on the ISACA global look at the future of IS critical for a woman develop those skills? Women’s Leadership Advisory Council. auditing? to be successful in technology fields? A: Network, network A: Look for a good and network. If you mentor as you start out A: Key differentiators do not feel this is Do you have something on your journey and, for a woman to be something that comes to say about this article? while acquiring and successful in technology naturally to you, then ® Visit the Journal pages of the ISACA website (www. developing technical fields are to be both engage a mentor isaca.org/journal), find the article and click on the skills, ensure that you credible in her subject or support who can Comments link to share your thoughts. also start to build a matter (have the both coach you and network to support you credentials needed introduce you to others http://bit.ly/2gimWcR through your career. to be recognized as so the environment Joining ISACA is a great competent) and to have does not feel so alien.
12 ISACA JOURNAL VOL 6 the network www.sheleadsit.org She Leads IT What is the biggest security 1 challenge that will be faced in 2018? The EU General Data Protection Regulation (GDPR).
What are your three goals 2 for 2018? As mentioned earlier, Q: What do you think response, i.e., an Build my profile, explore the next opportunity ISACA provides a are the most effective organizationwide and be happy. perfect, safe forum for ways to address security culture and you to start to build the lack of women awareness campaign What is on your desk your confidence in in the technology supported by security 3 right now? networking. workspace? monitoring and reporting A5 pads with different information relating to the tailored to the business different subject matter I work on throughout the As part of my A: Women who are with cyber risk being day, in addition to two mobile phones, a Costa SheLeadsTech role, I already successful reported at the highest cup, a small handbag and, of course, the laptop encourage women to in the technology levels within the on which I am typing this. engage with the local workspace need to organization. ISACA chapter, offering sponsor and support What are your favorite myself as a contact qualified women coming benefits of your ISACA® point for them initially through and be role Q: What has 4 membership? until they build their models for them. Where been your biggest The ability to keep up to date with IS audit hot confidence to engage the environment is workplace or career topics and current and relevant methodologies, more broadly with predominantly male, challenge and how did the group. A recent male advocates can act you face it? the opportunity to network with great people new female member as mentors and support globally, and being able to give back to the attended the local women in leadership A: On numerous profession that has served me so well over ISACA chapter Annual roles to address the occasions, I have the years. General Meeting with underrepresentation worked with others the aim of building her of women in the in internal audit What is your number-one profile by increasing technology workspace. departments who have 5 piece of advice for other her contacts in the tended to have very information security local market. When different personality professionals, especially she arrived, she was Q: What do you types and styles than women? surprised to already see as the biggest mine. Over time this has Be bold and strong and use your network to know so many people risk factors being required a “chameleon- support any gaps you feel you have. in the room and was addressed by IS audit, style” approach to very comfortable risk and governance ensure that my opinions What do you do when you networking with new professionals? How are received in a way 6 are not at work? people. Her confidence can businesses that is valued and I am a mother, a yogini and a traveler. has grown so much that protect themselves? allows me to influence this month she is going others to deliver the to be a panelist for A: Currently, cyberrisk right outcomes for the the inaugural meeting is a key strategic risk business. of SheLeadsTech for organizations and in Manchester, UK, allows the IS auditor to It is important as a as a cyber security broaden their role more leader to recognize the specialist in her field. I into the business area value of learning lessons am absolutely delighted due to it being an issue from any mistakes made for her. that is broader than and adapt behavior, and IS. Businesses need to understand that “one a cross-organizational size does not fit all.”
ISACA JOURNAL VOL 6 13 Challenges of Security Log Management
In the world of information systems, data have possible manner. Thus, the operations and resulting Do you have gained the most influential position. Data are about operational data create the need for filtering data something entities—resource, agent or event—and among that warrant information security measures. to say about these, event data are probably the most pervasive this article? group. Even in a short period of time, a business It is important to differentiate between operational Visit the Journal may generate millions of data points about events, data and security-related data. Fitbit creates value ® pages of the ISACA for the business thrives on creating value through through operational data and, in the process, website (www.isaca. events such as marketing, sales, services and client has to have information protection measures, for , find the org/journal) support. Interestingly, wherever events occur, there example, to guard the privacy of its customers. In article and click on contrast to value creation using operational data, the Comments link to is room for logging the events. Logs are the lifeline share your thoughts. of the information systems value chain. Financial businesses could create value by protecting clients and managerial accounting, for example, depend from various information-related risk. LifeLock is an http://bit.ly/2xYShsK on logging all economic events of the entity and, example of such a business where the company in the process, creating audit trails to provide scans and monitors sensitive client identification support for assurance of such events and their data, provides alerts and, where necessary, helps consequences. restore the client’s compromised identity.
Some businesses, such as Fitbit, thrive on events Most businesses have both operational data and in the life of their customers. The Fitbit wearer security-related data, sometimes integrated into the generates continuous data in very large measure. Of same database. To manage security-related data course, the Fitbit user is not interested in individual within the operational logs and data in dedicated event data, but rather the aggregate information, security logs, a sophisticated technology called such as the number of steps walked in a day, or security information and event management (SIEM) trends. For this, Fitbit logs each event—literally has emerged. SIEM attempts to fulfill two separate each step walked by the user—and processes data needs: real-time monitoring, correlation and into information useful to the user. processing of security events (called security event management [SEM]) and the historical analysis As businesses capture and store high volumes of of log file information (called security information data in their operational logs every day, they also management [SIM]), for example, to support forensic create a challenge for themselves: ensuring that investigations. SEM is closely related to incident the data are accurate, the common data types response management when the incident may are standardized across all logs and the logs are concern information security. SEM represents a protected. For Fitbit, this becomes a question continuous, ongoing effort while SIM is undertaken of protecting the privacy of users by securing only as needed.1 A high-level overview of a log personally identifiable information (PII) in the best management scenario is presented in figure 1.
Vasant Raval, DBA, CISA, ACMA Saloni Verma, CISA, CEH Is a professor of accountancy at Creighton Has experience in cyber security strategies, University (Omaha, Nebraska, USA). The information security implementations, audits and coauthor of two books on information systems compliance. She has worked in India for advisory and security, his areas of teaching and research services at EY, PricewaterhouseCoopers, BDO interest include information security and and for multinational banks. She can be reached corporate governance. He can be reached at at [email protected]. [email protected].
14 ISACA JOURNAL VOL 6 practicalthe aspect
Figure 1—Overview of Log Management
Events
Logs of events
Operational events Security events
Filter/correlate security-relevant data
Operations and SIEM information resource management
Security Security Operational incident event information response and management management monitoring
It is important to recognize that logs of operational the FTC, Uber declared that, for a similar application events, while only incidentally involved in information now in use at Uber, it has limited access only to those security initiatives, may be of value to the with a critical need to access such data. As part of organization. For example, a real-time monitoring the settlement, Uber agreed that it will undergo third- of disk space utilization may be programmed to party audits every two years for the next 20 years send an alert once the disk space is 80 percent full. to seek assurance that it meets or exceeds the FTC Operational event logs should also be filtered for requirements for privacy protections.2 security-relevant data. An audit of operational logs to identify any deviations from the compliance of security log management policy should prove helpful in proactively addressing any emerging issues. An Organizations that do not example can be seen in Uber’s experience. value the importance of logging Organizations that do not value the importance of and monitoring may have to logging and monitoring may have to face issues in case of a breach or incident due to absence of face issues in case of a breach records and evidence, or lax data management practices. This may also lead to legal, contractual or incident due to absence of or regulatory noncompliance. For example, Uber records and evidence, or lax data used a program called “God View,” which allowed employees to monitor the locations of riders. The US management practices. Federal Trade Commission (FTC) alleged that this was an improper business practice. In a settlement with
ISACA JOURNAL VOL 6 15 1. Understand the drivers. • Prepare for log analysis. • Analyze business drivers and compliance requirements.
2. Develop policy and process. • Scope the solution and logging strategy. • Develop log analysis policy.
3. Select and implement a solution. • Develop solution evaluation criteria. • Evaluate the options. • Develop a proof of concept. • Deploy log analysis.
4. Maintain and utilize the logging solution. • Review and refine log solution deployment.
From Technology to Solution For security log SIEM is a technology, not a solution. A technology can provide the backbone, or infrastructure, to management to develop a solution, but by itself, it will not create an work effectively, optimal security log management for the business. So, the success of security log management in the staff should be a large, complex enterprise depends on two related decisions: experienced in the
1. Policy and strategy should drive the security business processes log management program. Top-down risk of the company and analysis should guide decisions regarding what data to collect, how to correlate them, be cognizant of the and how to produce and distribute information intelligence created from such logs. Staff should nature and sources be competent and motivated, and challenged of risk. to continuously innovate in an area that may be perceived as static and docile. 2. Invest the appropriate amount of resources to Challenges develop an SIEM infrastructure that meets the needs of the organization. Proper selection There are several challenges in creating value from of the SIEM technology and its customized, log management initiatives. Whether value creation risk-relevant implementation within the involves minimizing risk, improving efficiency of organization is important to achieve security log operations or increasing the information supply management objectives. chain effectiveness, significant challenges remain along the way. First, the task of log management may not be considered by tech-savvy staff as Visa Europe, within the context of Payment Card exciting or helpful in career building. This perception Industry Data Security Standard (PCI DSS) data, may hinder the cause of attracting talent to the task. has suggested the following steps for designing For security log management to work effectively, and deploying a logging solution:3
16 ISACA JOURNAL VOL 6 the staff should be experienced in the business business where technology-induced changes are processes of the company and be cognizant frequent and impactful. The log management team of the nature and sources of risk. Insights from should be aware of the business processes of the this experience could lead to major risk-related organization to effectively understand the technology decisions impacting what to log, how to correlate and business risk. With proper business knowledge, logged data, what to aggregate and how often to the team will be able to identify the type of necessary review the intelligence produced. This has a direct logs to be collected, determine the log aggregation bearing on the effectiveness of the security log criteria with respect to the business process, management policy. determine the threats related to the business, and efficiently store and analyze logs organizationwide. Because SIEM includes SEM, it is particularly important that the incident response staff embrace SIEM and work within its scope to leverage the incident reporting activities. Without the buy-in A security log of the incident response teams, SIEM may fail to yield the best possible results from an SIEM management infrastructure. The support of an established incident response program is a necessary element program, by its of an effective SIEM solution.4 nature, depends
A second challenge rests in “balancing a limited on filtering and quantity of log management resources with a correlating log continuous supply of log data.”5 Clearly, the volume, variety and complexity of data sources have data. increased. With limited resources, what logs to select and how to optimize the security log management function can prove to be difficult, especially at a time when there are more and more significant In 2016, hackers stole US $81 million from a changes that impact data sources. Examples of such Bangladesh bank by hacking into SWIFT. The changes include the Internet of Things (IoT), device incident remained undetected for months as proliferation (bring your own device [BYOD]) and the logs of the fraudulent activities were being cloud sourcing. Sure enough, the eyes should be cleared by the malware.7 Recently, hackers leaked set on where the risk is; however, this itself remains upcoming episodes of the popular US television a moving target in a dynamic, technology-leveraged series Games of Thrones and hacked the show’s organization. Under these circumstances, proving network, HBO. The breach included employees’ value received from security log management could personal data and emails. Hackers have demanded be a formidable challenge. US $6 million as ransomware.8 If such attacks had been identified at the right time, HBO would not A security log management program, by its nature, have to face these reputational and financial loss depends on filtering and correlating log data. Log issues. Visa Europe9 suggests that in many cases data sources must support business use cases; organizations are operating completely unaware of otherwise, they will be of little value. “Sending too a compromise because of: much data to a SIEM system will burden it with • Disabled logging correlating and processing data unnecessarily, thus leading to poor performance.”6 Inasmuch as there • Loss of trigger events due to overwritten logs is the risk of collecting too much log data, there is • Failure to monitor logs also the risk of not collecting enough risk-relevant data. This may be particularly critical in the life of a • Lack of awareness of events being logged
ISACA JOURNAL VOL 6 17 In the current state of information technology 4 Op cit, ISACA, p. 8 Enjoying deployment, it is even more crucial to return the 5 Kent, K.; M. Souppaya; Guide to Computer this article? priority to security logging. However, it must be Security Log Management, National Institute of done correctly to yield benefits from the significant Standards and Technology Special Publication effort involved and the other resources it would take SP 800-92, USA, 2006 • Learn more about, to implement and maintain an effective security log 6 Frye, D.; Effective Use Case Modeling for discuss and management program. Security Information and Event Management, collaborate on SANS Institute Reading Room, 21 September information security Endnotes 2009, p. 7, www.sans.org/reading-room/ management in the whitepapers/bestprac/effective-case-modeling- Knowledge Center. 1 ISACA ®, Security Information and Event security-information-event-management-33319 www.isaca.org/ Management: Business Benefits and Security, 7 Smith, M.; “Bangladesh Bank Cyber-Heist information-security- Governance and Assurance Perspectives, Hackers Used Custom Malware to Steal $81 management USA, 2010, www.isaca.org/Knowledge-Center/ Million,” CSO, 25 April 2016, www.csoonline. Research/ResearchDeliverables/Pages/Security- com/article/3060798/security/bangladesh-bank- Information-and-Event-Management-Business- cyber-heist-hackers-used-custom-malware-to- Benefits-and-Security-Governance-and- steal-81-million.html Assurance-Perspective.aspx 8 Associated Press, “Hackers Leak More Game 2 Bensinger, G.; “Uber Agrees to Decades of of Thrones Scripts and HBO Emails in Demand Audits to End FTC Probe,” The Wall Street for Millions in Ransom Money,” The Telegraph, Journal, 16 August 2017 8 August 2017, www.telegraph.co.uk/ 3 Visa Europe, “Planning for and Implementing technology/2017/08/08/hackers-leak-game- Security Logging,” fact sheet, www.visaeurope. thrones-scripts-hbo-emails-demand-millions/ com/media/images/security_logging_ 9 Op cit, Visa Europe factsheet-73-18417.pdf
NEW! STUDY ON YOUR SCHEDULE
CRISC™ ONLINE REVIEW COURSE www.isaca.org/crisconlinereview
CISM® ONLINE REVIEW COURSE www.isaca.org/cismonlinereview
18 ISACA JOURNAL VOL 6 feature Digital Identity—Will the feature New Oil Create Fuel or Fire in Today’s Economy?
practices evolve more slowly than technology. Citizen and consumer angst are behind the privacy- Do you have www.isaca.org/currentissue related risk. Human error is often the root cause of something data spills. to say about this article? Digital identity has the power to propel your IAM Innovation Is About Visit the Journal enterprise forward…or it can cause you to crash Relationship Management pages of the ISACA® and burn. How you govern and manage it will make website (www.isaca. all the difference. Organizations use IAM for internal control, to org/journal), find the achieve operational efficiencies and to launch new article and click on Think about your current state. Most in-place identity customer-facing products. Over the years, they the Comments link to share your thoughts. and access management (IAM) deployments are have extended IAM to business-to-business (B2B) outdated and do not scale to current volumes of partners and suppliers as well as individuals http://bit.ly/2yvidiN people, data and things—much less what is coming. or consumers. Few organizations have yet adapted to emerging regulatory risk and privacy issues in the global environment. However, those that optimize their IAM architectures now can improve operational effectiveness and reduce risk. They can leverage Like oil, personal transformative mobile, cloud, Internet of Things data can be toxic (IoT) and machine learning trends into innovative, identity-enabled capabilities for competitive advantage. when spilled.
The New Oil Today, IAM must cover relationships of people, To repurpose an old quote,1 personal data is the mobile devices, consumer devices, cloud services, new oil. Historically, companies have harvested that service providers and manufacturers. Privacy value by launching new online customer offerings compliance and consent management must and marketing campaigns with few constraints. operate across all domains. Handled safely, a But tightening privacy regulations are forcing business may claim a success story like one global companies to obtain and document consent in a manner compliant with jurisdiction-specific standards when leveraging personal data. Dan Blum, CISSP Is a principal consultant with Security Architects Partners. As an Like oil, personal data can be toxic when spilled. internationally-recognized expert in security, privacy, cloud computing Studies based on industry data show the costs of and identity management, he leads and delivers consulting projects spanning multiple industries. Formerly a Golden Quill award-winning vice a breach in the US can easily run into the 10s of president and distinguished analyst at Gartner, he has led or contributed millions of US dollars.2 Even higher consequences to projects such as cloud security and privacy assessments, security will arrive for companies storing European Union program assessments, risk management framework reviews, and (EU) citizens’ data once the General Data Protection identity management architectures. He has provided technical security Regulation (GDPR)3 comes into effect in May 2018. consulting engagements in all areas of data protection domains including encryption/key management, data loss prevention, privileged access Why so much friction in the brave new world management and enterprise authorization. Blum has participated in of digital identity? Facing disruptive change to industry groups such as ISACA, the CSA, Kantara Initiative, OASIS business practices and technologies, people and and others.
ISACA JOURNAL VOL 6 19 international airport that has leveraged identity in analytics. Externally, they should be building cloud delivery models to scale operations for more consistent customer relationship management than 40 million passengers annually amidst exacting processes across their various business units. security requirements.4 Identity as a Service (IDaaS) solutions are gaining favor by making it easier to integrate identity across Call to Action diverse IT ecosystems including Software as a Service (SaaS) environments. Handled unsafely, personal data breaches can put a company on a wall of shame.5 On the flip side, even Adopt Privacy Principles Into the avoiding breaches and complying with regulations Business Process does not guarantee profits. According to Ctrl-Shift’s Liz Brandt, a purely compliance-driven approach Australia, Canada, the European Union and to GDPR could deliver a Pyrrhic victory, resulting many other jurisdictions mandate strong privacy in compliance with 20 percent fewer customers rights that consider individuals to be the owners and loss of permission to market to a further 60 of personal data. In addition to compliance, percecnt.6 To avoid this: companies have other incentives to get privacy right. Adopting privacy-friendly principles and • Modernize the architecture communicating them clearly may encourage • Adopt privacy principles customers to share information they would otherwise hold back. • Take an identity and privacy engineering approach What principles? We can summarize GDPR Modernize the Architecture principles8 as an example: (Federate, Do Not Aggregate) • Provide fair, lawful and transparent processing of The rise of local area networks (LANs) and the personal data. commercial Internet in the ‘90s spawned waves of innovation that brought us Lightweight • Limit use to declared purposes. Directory Access Protocol (LDAP) and enterprise • Limit collection. identity-provisioning products designed to consolidate identity information into services • Ensure data quality. such as Microsoft’s Active Directory. Centralized • Limit retention periods. directories became a mainstay of internal control. Now, with data sovereignty regulations spreading • Allow persons to delete or remove records where globally, centralized directories are going away. possible or legally required. • Provide data security. Without them, what is next? In the second golden age of identity,7 directories will move into the cloud • Demonstrate compliance. and become much more distributed, virtualized and abstracted. OAuth, Open ID Connect and other Take an Identity and Privacy standards provide a “federated identity” capability Engineering Approach that supersedes LDAP by enabling cross-domain Companies that successfully “talk the talk” with single sign-on, attribute management, and privacy principles should also “walk the walk” access control. by giving customers easy-to-use tools to control their own data in ways appropriate to the service Successful businesses are integrating IAM with provided. Winning hearts and minds on privacy may applications via application programming interfaces win share amidst the coming GDPR churn. (APIs) leveraging OAuth and related standards. Internally, organizations should be integrating IAM The next challenge is to securely extend identity with human resources (HR), awareness/training, and privacy functionality across global partner supplier relationship management and security ecosystems. Online retail is converging with
20 ISACA JOURNAL VOL 6 brick-and-mortar retail, and both are converging Endnotes with media, mobile, financial services and business services. Using modernized federated architectures, 1 Rotella, P.; “Is Data the New Oil?,” Forbes. innovative IAM architectures can provide customers com, 2 April 2012, https://www.forbes.com/ with a convenient experience across these domains sites/perryrotella/2012/04/02/is-data-the-new- without the Yet Another User Password (YAUP) oil/#64ee40a57db3 drag. They can maintain brand consistency and 2 Blum, D.; “Security Business Case for Breach trust in the process. Risk Reduction (Part 1),” Security Architects Partners, 13 April 2016, http://security- Few have mastered the multidomain customer architect.com/security-business-case-part1/ experience challenge to date. Either the front-end 3 Karczewska, J.; “COBIT 5 and the customer authentication is too weak to be so GDPR,” COBIT Focus, 19 May 2017, widely trusted, trusted brokers are not available www.okta.com/customers/gatwick-airport to transfer attributes needed for authorization, or 4 Okta, Gatwick Airport Takes Flight With Okta, back-end business processes are not integrated https://www.okta.com/customers/gatwick- across domains. Further adoption of multifactor airport/ authentication and standards from groups such as 5 Information Is Beautiful, World’s Biggest FIDO Alliance9 for online authentication will help. Data Breaches, 5 January 2017, But organizations also need to develop or subscribe www.informationisbeautiful.net/visualizations/ to sophisticated identity provider (IDP) hub worlds-biggest-data-breaches-hacks/ architectures and interconnect them via APIs. 6 Brandt, L.; “GDPR: Spend It and Sink It or Spend It and Grow It,” LinkedIn, 23 February 2017, https://www.linkedin.com/pulse/gdpr- spend-sink-grow-liz-brandt-nee-brown- To fuel the 7 Blum, D.; “The Second Golden Age of Identity,” Security Architects Partners, 22 November business in the 2016, http://security-architect.com/second- second golden age golden-age-identity/ 8 Gabel, D.; Hickman, T.; “Chapter 6: Data of identity, we must Protection Principles—Unlocking the EU General Data Protection Regulation,” all be innovators. White & Case, 22 July 2016, https://www.whitecase.com/publications/ article/chapter-6-data-protection-principles- Unfortunately, regulations such as GDPR will unlocking-eu-general-data-protection increase the risk to companies interconnecting their 9 FIDO Alliance, https://fidoalliance.org/ online ecosystems and brands. The YAUP will not 10 Kantara Initiative, UMA, 14 March 2017, go away easily. But there are opportunities to add https://kantarainitiative.org/confluence/display/ privacy and consent machinery to the federated uma/Home identity environment. For example, new standards 11 Kantara Initiative, Consent Receipt such as User Managed Access (UMA)10 and the Specification, 8 May 2017, Consent Receipt Specification11 are emerging that https://kantarainitiative.org/confluence/display/ will make it easier to either put customers in control infosharing/Consent+Receipt+Specification of personal data and their usage and/or implement explicit consent processes.
To fuel the business in the second golden age of identity, we must all be innovators.
ISACA JOURNAL VOL 6 21 Governance, Risk, Compliance and a Big Data Case Study
By showing what would have changed if a previously Defining Governance, Risk, Do you have successful big data analytics project was performed Compliance and Big Data something given today’s governance, risk and compliance to say about (GRC) imperatives, this article highlights the GRC To ensure this article is interpreted as intended, the this article? considerations that should be incorporated by design following definitions are provided: Visit the Journal into any new big data project. pages of the ISACA® • Governance—”[S]tructures and processes that are designed to ensure accountability, transparency, website (www.isaca. This project did not begin with the intention of being , find the responsiveness, rule of law, [and] stability…”2 org/journal) based on big data at the outset. Rather, big data was article and click on found to be incidental to helping solve a business • Risk—”The effect of uncertainty on [business] the Comments link to objectives.”3 share your thoughts. problem for a Forbes Global Top 1000 bank. It is only in retrospect that the bank found it had met the • Compliance—Acting in accordance with a wish http://bit.ly/2hSTf5I definition of big data as part of its solution to achieve or command.4 data-driven customercentricity.1 • Big Data—High-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.5
A Business Summary of the Big Data Case Study
The market share of the bank was under pressure due to increasing competition. Data-driven customercentricity proved to be an effective solution to the problem, putting the bank on track to regain market share. The bank regained market share through the creation of US $94.95 million in incremental value for the bank within six months. The way the value was created for both the bank and its customers provided a peek into the power of a customercentric paradigm. Guy Pearce Has served on five boards of directors and two management boards in As part of the process of understanding the banking, financial services and retail over the last decade. He also served business problem, the outcome of multiple focus as chief executive officer of a multinational retail credit business that served group sessions with a representative sample of 100,000 customers in three countries, where he led the organization’s 700 customers showed that the bank was not meeting staff to profitability soon after the 2008 global financial meltdown. He has published numerous articles on cyberrisk, big data and various aspects of its customers’ expectations, a finding in parallel governance, and he currently consults in strategy, risk, governance, IT, big with the bank’s own market research (figure 1). data and analytics.
22 ISACA JOURNAL VOL 6 featurefeature
Figure 1—Parallels Between the Market utilization, channel utilization, wallet dilution, Research Findings and Customer economic insights, industry insights, and regional Expectations (Extract Shown) insights. The data needed as inputs for these insights—made up of both internal and external, and What the Market What the Bank’s Research Showed Customers Wanted structured and unstructured data—were identified. However, not knowing the quality and, therefore, The bank was second to Bank staff with good the eventual usability of the analytics posed its major competitor for knowledge of the bank’s having competent and products and services a considerable business risk. Processes were knowledgeable staff and thus created and executed to determine the for understanding its own completeness, uniqueness, validity and accuracy products and services. dimensions of data quality for the data elements The bank was third to its Staff that understand them identified. In one case, the findings of the data two major competitors for quality assessments were such that enterprisewide understanding its customers’ data restitution was performed to increase the needs. completeness attribute of a key data element. Corrective actions were then identified and After resolving data access, data integration, data prioritized according to their urgency and impact, quality, data cleansing and data fusion (structured and prospective solutions were filtered based on with unstructured, and internal with external) their risk-adjusted business cases and their ease issues, a portfolio of descriptive, behavioral and of implementation. predictive analytics initiatives were performed on the consolidated data source. The deep customer insights raised in figure 2 were categorized as products and services, product
Figure 2—The Path From the High-Priority Solution Requirements to Data-Driven Customercentricity