Security Awareness Maturity Model

Introducing COBIT 2019

The globally recognized COBIT® Framework has been updated with new information and guidance. COBIT 2019 extends its leading role in implementing and ensuring effective enterprise governance of information and technology (EGIT). COBIT 2019 is an evolution of COBIT 5, so this newly revised governance framework contains everything you love about COBIT 5, plus many new exciting features and focus areas. COBIT 2019 core publications: leverage COBIT 2019 to generate tremendous value for your entire enterprise by customizing and right-sizing the governance of information and technology. For more information on COBIT 2019, its publications and guidance, and new training opportunities, go to www.isaca.org/COBITjv6

7th Annual European Compliance & Ethics Institute

10–13 March 2019, Berlin, Germany. Register by 8 Jan for early registration pricing. Learn from top compliance and ethics professionals and build your professional network at this conference dedicated to learning about the challenges facing the global compliance & ethics community. This is the place to find out about the latest solutions to your compliance and ethics issues, including anti-corruption, data protection, and risk management. EuropeanComplianceEthicsInstitute.org. Questions? beckie.smith@corporatecompliance.org

ISACA Journal, Vol. 6: Contents

The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal's noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

Features
  • 3: Information Security Matters: How We Can Succeed (Steven J. Ross, CISA, CISSP, AFBCI, MBCP)
  • 6: IS Audit Basics: Affect What Is Next Now (Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, and Martin Cullen, CISA, CGEIT, CRISC, COBIT Foundation, COBIT Assessor and Implementer, ISO 27001 LA)
  • 10: The Practical Aspect: Why Worry About IoT? (Vasant Raval, DBA, CISA, ACMA, and Ranjit D. Thaker, CISA, MCSM)
  • 14: A Heightened Sense of Awareness (Wade Cassels, CISA, CFE, CIA, CRMA, Kevin Alvero, CFE, and Randy Pierson, CISA)
  • 16: Future-Proofing a Career in Cybersecurity (Mike Saurbaugh, CRISC, CISM, CISSP, MSIA)
  • 20: Is Artificial Intelligence a Career Path for You? (Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP)
  • 28: Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team (Julie Balderas, Asim Fareeduddin, CISA, CISM, CIPP, CPA, Femi Richards, CCEP, CIPP, Ruwel Sarmad and Jack Wall)
  • 37: Growing a Cybersecurity Career (Philip Casesa)
  • 41: Defining the Chief Digital Officer Using COBIT 5 (João Catarino, Isabel Rosa, Ph.D., and Miguel Mira da Silva, Ph.D.)
  • 49: The Network (Glory Ninsiima, CISA, CompTIA Security+, ISO 27005, ISO 31000, ITIL Foundation, PRINCE2 Foundation)

Plus
  • 54: Tools: Skill Acquisition in a Rapidly Evolving Workplace (Robin Lyons, CISA, CIA)
  • 56: Crossword Puzzle (Myles Mellor)
  • 57: CPE Quiz
  • 59: Standards, Guidelines, Tools and Techniques
  • S1-S4: ISACA Bookstore Supplement

Read more from these Journal authors: Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically Speaking, to gain practical knowledge from colleagues and to participate in the growing ISACA® community.

Online-Exclusive Features: Do not miss out on the Journal's online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features: The following is a sample of the upcoming features planned for November and December.
  • The Age of PowerShell (Ignacio Marambio Catán, CISA, CRISC, CEH, CISSP, Security+)
  • Automation, Governance and Security in a Software-Defined World (Chris Sanders, CISA, COBIT 5 Foundation)
  • Launching a Value-Based Analytics and RPA Program (Julio Pontes, CISM, BS7799 LA, CCSK, CISSP)

ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA. Telephone: +1.847.660.5505. Fax: +1.847.253.1755. www.isaca.org. Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter. Follow ISACA on Twitter: http://twitter.com/isacanews; hashtag: #ISACA. Follow ISACA on LinkedIn: www.linkedin.com/company/isaca. Like ISACA on Facebook: www.facebook.com/ISACAHQ

Information Security Matters: How We Can Succeed (20th Anniversary; ISACA Journal, Vol. 6, p. 3)

Steven J. Ross, CISA, CISSP, AFBCI, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal's most popular columns since 1998. He can be reached at [email protected].

In my last article, I excoriated the information security community, of which I am a card-carrying member, about the state of security today. Moreover, I stated my opinion that the underlying architecture of distributed systems, the most commonly implemented since the late 1980s, is incapable of supporting a tolerable level of security. Thus, we have suffered through viruses, worms, denial-of-service (DoS) attacks, botnets and cyberattacks for more than a generation.[1]

A New Era

Just as the distributed model displaced the centralized (i.e., mainframe) one, I now believe that we are on the threshold of a new era, that of a multi-modal, utility, cloud-based, commercial, Software as a Service (SaaS) (choose any two terms at your pleasure) architecture. Both ownership and geography differentiate the "utility SaaS" architecture from those that went before.[2] In the centralized era, ownership of data and software rested within the organization, which kept both of them in one big room. In the distributed era, i.e., today, the organization still owns the data and software, but these may or may not all be in the same place. In the cloud-based multi-modal environment that is now arriving, the organization retains ownership of the data, but not the software, nor does it house the computing.

Many core business functions are routinely being performed or supported in the cloud and have been for several years. For example, organizations increasingly turn to commercial services for customer relationship management (CRM), payroll, human resources (HR), order entry, accounting, inventory, supply chain and many other automated business functions. The economics of using cloud-based services just make sense. No single organization can afford to have staffs of specialists to develop and maintain software for each function in the way that a vendor specializing in that function can do. Recognition of the total cost of ownership (TCO) drives organizations toward the cloud. The question of build vs. buy is passé; today, it makes sense to rent.

Security in the Commercial SaaS Environment

The same point, overwhelmingly, applies to information security. No organization that I am aware of has a team of security professionals for each application. But, for cloud-based service vendors, this is a commercial necessity. The incentives for a vendor's security include not just financial, legal, reputational and regulatory risk (as though those were not enough) but existential risk as well.[3] The inability of a cloud-based software vendor to implement and maintain security over its products and services will likely put it out of business.

Zero Trust

In fairness, using a variety of cloud-based services does not an architecture make. And well-secured applications do not by themselves make the entire environment safe. More is required before we can say that we have improved significantly on the shortcomings of the distributed era.

The architecture that can be built on the Zero Trust Model is based on a segmented network with all security-related controls established at a single point of entry and transfer. These controls constitute a unified threat management gateway. In practice, this gateway is a "next-generation firewall" (NGFW), sold by many equipment manufacturers.[7] By themselves, NGFWs are necessary but insufficient for effective security. A secure architecture must be based on rigorous network segmentation such that a user authorized for one domain cannot traverse the network without returning to the access control mechanism. That mechanism must include what some have called "next-generation access" (NGA), with advanced functionality such as correlation of users and uses, machine learning to identify anomalies, and technical integration with the security features at the network level.[8] The complete implementation of the Zero Trust Model is being referred to as the Zero Trust Extended Ecosystem (ZTX).[9]

Getting to Success

This is all wonderful in theory, but organizations are not about to re-architect their entire IT environment around enhanced security. But they are migrating to multi-modal environments as a pathway that can lead to ZTX, if information security professionals exert their influence now.

Pull quote: "As increasing numbers of applications are being used as cloud-based services, organizations are realizing that they are dealing with too

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 68
