ISACA Journal-Volume-4-2020
The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal’s noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, risk, governance, security, privacy and assurance.

3 Information Security Matters: Privacy by Implementation and Execution
Steven J. Ross, CISA, AFBCI, CISSP, MBCP

6 IS Audit Basics: Enhancing the IT Audit Report Using COBIT 2019
Ian Cooke, CISA, CRISC, CGEIT, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt

11 The Bleeding Edge: Nothing but Blue Skies
Dustin Brewer, CISM, CSX-P, CDPSE, CCSP, CEH

14 The Network
Tracey Dedrick

16 Innovation Governance: Governance for Better Innovation
K. Brian Kelley, CISA, CSPO, MCSE, Security+

FEATURES

19 Digital Governance
Guy Pearce, CGEIT, and Tony Gaffney, ICD.D
(also available in French)

28 Connecting Good Governance With Key Risk
Kevin M. Alvero, CISA, CFE
(also available in French)

32 Privacy Risk Management
Andrea Tang, CIPP/E, ISO 27001 LA

43 Case Study: Building an Enterprise Security Program
Katie Teitler

49 Cybersecurity Incident Response
Fabian Garzón, CISM, CRISC, GCIH, and Gustavo Garzón, CISM, CRISC, PMP

PLUS

55 Helpsource Q&A
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

57 Crossword Puzzle
Myles Mellor

58 CPE Quiz

59 Standards, Guidelines, Tools and Techniques

S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors: Journal authors are now blogging at www.isaca.org/blog. Visit the ISACA Now blog to gain practical knowledge from colleagues and to participate in the growing ISACA® community.
Online-Exclusive Features
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.
Online Features
The following is a sample of the upcoming features planned for July and August.

Building a Privacy Culture
Muhammad Asif Qureshi, CISA, CIA, CISSP, PMP

Deploying a Data Security Defense
Jason Jiao, Ph.D., CPA

Potential Blind Spots for Executives Embarking on a Digital Transformation Program
Chris Ngiba and Mayank Naik, CISA, CRISC

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Telephone: +1.847.660.5505
Fax: +1.847.253.1755
www.isaca.org
Discuss topics in the ISACA® Online Forums: https://engage.isaca.org/onlineforums
Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA
Follow ISACA on LinkedIn: www.linkedin.com/company/isaca
Like ISACA on Facebook: www.facebook.com/ISACAGlobal
INFORMATION SECURITY MATTERS
Privacy by Implementation and Execution

Steven J. Ross, CISA, AFBCI, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.

Replying to Comments
I had said that “data privacy laws should be focused on cases of actual harm.”5 Mr. Cooke points out that Facebook is accused of causing genuine harm by “restricting who can view housing-related ads based on their ‘race, colour, national origin, religion,’”6 which are sensitive personal data under GDPR. We are in complete agreement, and that sort of misuse of personally identifiable information (PII) is the theme of my second article about organizations that design un-privacy7 into their systems. I believe and I have stated that we will achieve greater data privacy across society if we focus attention on breaches that hurt people and not on violations of process and protocol.

… in the PII business could be so lax. But were their systems poorly designed in terms of protecting the information in their trust? According to press reports, a good case could be made, inasmuch as Equifax had experienced several successful cyberattacks in the previous year.10

But without getting into the particulars of this case, about which I have no personal knowledge, let us ask the broader question: Are successful cyberattacks indicative of poor privacy and security design? Based on my experience, I think not. No organization that I have dealt with sets out to have inadequate security. The fact that their security proves to be deficient is often based on a shortfall in risk assessment.

It is well understood that organizations should evaluate the risk to their information resources and apply suitable controls consistent with their understanding of the potential for those resources to be misused. But sadly, there may be a gap between the assessment and the reality. Assessments are extrapolations of known facts into potential outcomes. To the extent that imprecision leads to error, these organizations find themselves exposed.

Banks know that their information is valuable and at risk. So does the military. Yet banks have been severely attacked11 and so have military systems.12 Surely no one thinks that organizations such as these are incapable of designing security—and by extension privacy—into their systems. Someone was simply able to exploit a shortcoming that a risk assessment did not and could not identify in advance.

Implementation and Execution
Ah, I can hear Mr. Cooke asking me, but how did those weaknesses get there? And I would answer, should he ask, that security was designed properly …

“… INFRASTRUCTURE IN WHICH FLAWS ARE IDENTIFIED DAILY.”

… could any organization be faulted for failing to anticipate and prevent it?

Even if perfect implementation were possible, perfect execution cannot be, because execution relies on fallible human beings. Security systems that undergird privacy will never be foolproof because the world contains too many fools. Yes, an organization could design systems that anticipate dumb people doing dumb things, but too many breaches are due to the failings of otherwise smart people. And that is not to mention the unscrupulous and avaricious among us. Errors will occur and personal information will be disclosed because of failures of trust as well as deficiencies of security.

Time Pressure
As I wrote in the Un-Privacy article, it is the exigencies of the market that lead to poor privacy over personal information. There is tremendous pressure to get software to the market as quickly as possible. As it is, too much software is delivered that does not do what it is supposed to do; it is probably too much to ask that it not do what it is not supposed to do, that is, disclose PII.

It is not only commercial software that makes privacy by design difficult to implement and execute. Agile development, so popular these days, creates challenges in complying with GDPR and other privacy requirements. In my opinion, Agile undervalues documentation, which makes it difficult for auditors and privacy specialists to determine whether and how privacy has been designed into a system.13 While I am not saying that Agile is the enemy of privacy, I do believe that it is one more factor that mitigates against implementing adequate privacy in system development.

So, Mr. Cooke, we both agree that privacy by design is an admirable objective. Everybody ought to do it, but then everyone also ought to live in virtue and abhor sin. I am in favor of both privacy and virtue, but I remain dubious about their achievement.
Discuss and collaborate on assurance in ISACA’s Online Forums: https://engage.isaca.org/onlineforums

[Figure from the IS Audit Basics column: COBIT governance and management objectives cascade. Source: ISACA, COBIT® 2019 Introduction and Methodology, USA, 2018]
THE BLEEDING EDGE
Nothing but Blue Skies

I have been a remote worker for approximately five years. The transition was not an easy one. However, in the past two years I have come to a very “Zen” place in my work-from-home routine…or lack thereof. Yes, it took me three years to acclimate to the change in work pace, peer socialization and, of course, the technology that enables it. Most of the difficulty in acclimation was due to a psychological shift on my part. The need to push my square-shaped idea of what a job was into the round hole of remote work tested my mental flexibility. But this is an understandable lack of fluidity. I have had a job, at least on a part-time basis, since I was 14 years old and, once I started my full-time career, the 40-hour minimum, 9-to-5, Monday-through-Friday ideology was firmly ingrained in my psyche. Change takes time—unless you do not have the luxury of time.

It can be argued that the cloud is not an emerging technology. Some argue that it has been here all along or at least since the conception of ARPANET in the 1960s,1 while others say that “true” cloud computing was first introduced in 2006 by Google’s chief executive officer (CEO) at the time, Eric Schmidt. The cloud as we know it today is an immense collection of interconnected systems with hundreds of petabytes of data being stored, processed and transferred. We have also seen massive adoption of this technology within the last decade. Nearly 90 percent of enterprises have already adopted cloud technologies in some form according to Flexera’s 2019 State of Cloud Computing.2 However, the capabilities and technologies that host the cloud are in a constant state of discovery and implementation and, in that sense, I would postulate that the cloud will remain an emerging technology until it is replaced or is rolled into the next “big thing.” Also, considering this technology was/is a big player in saving a great number of jobs and providing computing power and data infrastructure to researchers investigating possible drugs and vaccines for COVID-19 treatment and prevention, it deserves a second look.

The pre-existing elasticity and capabilities of cloud collaboration tools offered the perfect virtual environment to meet the sudden growth in need for remote productivity. Google initially reported a 60 percent increase in use of its Meet platform at the start of the COVID-19 pandemic.3 In March, Microsoft saw a 775 percent increase in use of its Teams meetings solution in Italy after the Italian government’s social distancing and shelter in place guidelines were established.4 These are staggering numbers, and it is perhaps even more impressive that the service providers were able to handle that kind of influx. Other service providers, such as Amazon Web Services (AWS), have not published usage statistics as of the date of this writing. You do not have to be a futurist to predict that this trend will continue for the foreseeable future as more organizations discover the benefits of remote work.

The cloud has been an enabler for other emerging technologies as well. The Internet of Things (IoT) and artificial intelligence (AI) utilize cloud services on the back end. Serverless functionality is an up-and-coming player in a plethora of applications. Even some blockchain implementations utilize the cloud. If you read my column in the ISACA Journal vol. 3, 2020,5 you would know that I have a particular passion for the interoperability of emerging tech for which the cloud is a paramount player. And, although …

“… SECURITY RESPONSIBILITIES FALL ON THE END USERS.”

Wrangling a Cloud
One of my favorite quotes about the cloud is, “There is no cloud, it’s just someone else’s computer.” While I know this is not 100 percent accurate, it does help my mind wrap around the immensity and complexity of cloud computing and makes the task of securing and governing such systems a little less daunting. Following this train of thought, let’s look at what “someone else’s computer” looks like.

Numerous sources proclaim that Linux makes up the majority of the cloud (up to 90 percent). For some reason, this skill set still eludes some IT and cybersecurity professionals. Possibly because a large number of enterprises utilized Microsoft products. But Microsoft is changing its once negative tone on Linux and even embracing it with Windows Subsystem for Linux and utilizing Android for its upcoming smartphone. Microsoft also admits that almost half of its Azure instances are running Linux distributions.6 Depending on your cloud service type (i.e., Software as a Service [SaaS], Platform as a Service [PaaS], Infrastructure as a Service [IaaS]), you may not need to worry about security and governance at this granular level, but understanding the underlying operating system (OS) can still be key to understanding mitigation and compliance. As an added bonus, it can also aid in understanding some IoT security issues.

On a higher level, we can turn to frameworks. Current cloud-specific guidance can be found via the US National Institute for Standards and Technology (NIST) Special Publication (SP) SP 500 series as well as International Organization for Standardization (ISO) ISO 27017, but guidance is not limited to cloud-specific documents. Recently, I collaborated on specific guidance for governing and securing remote working already present in COBIT® 2019, which can be applied to certain aspects of cloud usage.7 The NIST Cybersecurity Framework (CSF)8 is also a good place to start with any information technology system. However, …
THE NETWORK
Responding to a Changing Business Landscape

Tracey Dedrick
Is a C-suite executive experienced in risk, compliance, treasury and investor relations. She was executive vice president (EVP) and head of enterprise risk management for Santander Holdings US, where she was responsible for enterprise risk, operational risk and market risk for the Americas. Prior to this role, she was EVP, chief risk officer and a member of the executive team for Hudson City Bancorp, where she built regulatory compliant risk, compliance and information security functions. Prior to that, Dedrick spent nine years at MetLife, where she successively built the capital markets function for the newly demutualized company as assistant treasurer; reinvented the investor relations function, helping to double the share prices as head of investor relations; and installed a market-consistent economic capital model as head of market risk, leading to the eventual disposition of the annuity business. Additionally, Dedrick serves on the boards of the Royal Shakespeare Company of America and the Royal Oak Foundation. She previously served on the conference committee of the US State of New Jersey Women’s Banking Association and on the board of Children’s Aid and Family Services.

Q: As ISACA’s incoming chair of the Board of Directors, how do you see ISACA® growing and adapting to the constantly changing marketplace and needs of its constituents over the next year?

A: That is a good question. Since I joined the board, we have been focused on putting ISACA in the best position to continue to be a leader in its space. We have been laying the groundwork that will enable us to react more quickly to a constantly changing marketplace. We have added a number of people to the board who have significant business experience and experience in strategy; we have a new management team with deep experience in learning and development; we are investing in our infrastructure in the form of new technology; we are conducting new training internally and adopting an agile work environment. Next, we will be focusing on acquiring the data we need to determine where and what our membership and the marketplace want and need. We have all talked about how we can engage younger people in our organization, gain more diversity and expand our global footprint, but we have never had solid data from which to make good decisions. We receive a lot of data from the chapters, but truthfully, the majority of the membership does not engage in the chapter model, so we are losing input from a great number of our constituency. This means we have to find ways to access the full membership for data. Further, we need data from the people we wish to engage with, such as the younger generations. Once we have the data, we will figure out how we can “win” in the marketplace and deliver value to the organization.

Q: What in your past experience has best prepared you for this position on the ISACA Board?

A: I have C-suite experience in taking organizations that are operating suboptimally and fixing them based upon a lifetime of experience in strategy, risk and compliance, finance, capital markets, investor relations, regulatory management, and crisis management. My experience ranges from working in Fortune 50 companies to small private institutions. All of these experiences are relevant to this organization.

Q: What do you see as the biggest risk factors being addressed by ISACA constituents?

A: As a board member listening at chapters’ events, I can tell you that I worry about the seeming inability of the membership to communicate effectively to the people above them about the needs and risk within the organization. A large part of what ISACA does is provide the technical skills members need to progress in their careers, and most of our members are in middle management. They are in areas that are critical to the organization but are not revenue producing, and they do not have a seat at the table with management. As a result, they do not feel that they get the time, attention and resources they need to ensure the safety and security of the enterprise. I hear this lament a lot. We all know information security can be highly technical and the devil is in the details. Those at the top are not … manner in which executive leadership can understand and absorb. Communicating that effectively is equally as important as what you know.

Q: You have extensive experience in executive leadership. How do you see the role of executives changing to meet the challenges of information security?

A: Carrying on a theme that Brennan Baybeck put forward as incoming Board Chair last year, having good information security is now table stakes. Enough chief executive officers (CEOs) have lost their jobs and shareholder value has been destroyed over information security issues for executives to get the message. Executives are paid to identify, understand and weigh risk and make good choices that lead to shareholder/stakeholder value creation. Today, this often means making significant changes in the business through digital transformation, the use of blockchain, robotic process automation (RPA), artificial intelligence (AI), big data and … landscape and the risk scenarios that are created as a result of rapidly changing landscape. To do that, they need to equip themselves with the ability to ask the right questions, whatever that entails. Two examples are: not being afraid to say “I do not understand, explain it to me,” and hiring the best people you can who are experts in areas in which you are not.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: There have been many “biggest challenges” I have had to face over the years, each one seeming to be the “biggest” at the time it occurred. I would say that when you get to my age, there is little you have not faced, and it is a matter of staying focused and not letting the problem overwhelm. My mantras are: 1. Keep perspective. The challenge may seem overwhelming at the outset, but “This, too, will pass”; 2. Get as much information together as soon as you can about the issue; 3. Prioritize and attack the issue in a thoughtful and organized manner, and it will eventually lead to the changes; 4. Galvanize the troops and make the goal clear so everyone is aligned; and 5. Celebrate all wins.

Q: What do you think are the most effective ways to address the skills, gender and diversity gaps in the technology space?

A: Ensure that women and other diverse candidates have role models at all levels across the organization. Organizations are good at having diversity up to a point but, as the pyramid narrows, diverse candidates become very scarce. I was surprised to learn how much it meant to other women in the organization that I had gotten this or that promotion. It gave them hope that it was actually possible for them as well. Another way to address these gaps is to create … broad education required at institutions of higher learning, and making those affordable. I would also like to see greater efforts to retool the skills of people who have lost their jobs midcareer in an affordable and effective way.

2 What are your three goals for 2020?
• Continue to improve governance and accountability at the board and management levels of ISACA
• Acquire the data we need to make solid, data-driven decisions regarding ISACA’s strategy on growing relevant products, content and membership
• Continue to invest in and execute on ISACA’s technology infrastructure

3 What industry-related sources (blogs, newsfeeds, etc.) do you read on a regular basis?
I tend to read broader and more strategy-related content such as McKinsey, Arnold & Porter, EY and just about anything fellow Board member Greg Touhill recommends.

4 What is on your desk right now?
My taxes, board books of three institutions, a photo of my parents, and a photo of Winston Churchill standing in the rubble of England’s Parliament building after it was bombed during World War II.

5 How has social media impacted you professionally?
I am not sure that it has. I have tended to avoid social media, generally speaking. The one exception is LinkedIn, but I can hardly call myself an active user.

6 What is your favorite benefit of your ISACA membership?
The real benefit for me has been being on the Board with such wonderful people who all care so much and work so hard to push this great organization forward.

7 What is your number-one piece of advice for IT risk professionals?
Since most of the membership is midcareer, I would say listen to your organization’s earnings call. Find out what is important to management and the investor community and, if you do not understand what/why, find someone to explain it to you. Then couch your needs in terms of those objectives, and you may find it easier to get time, attention and resources.

8 What do you do when you are not at work?
Spoil a nice walk by playing golf; do things for my parents, whom I am still lucky to have; stare at my garden and think about what I will have to move in the fall; make order out of chaos by cooking; and entertain friends who do not mind my experimenting on them. And read. I am a voracious reader.
INNOVATION GOVERNANCE
Governance for Better Innovation

“HAVING PROPER, UPDATED GOVERNANCE MEANS WE CAN FOCUS MORE ON THE INNOVATION EFFORT ITSELF.”

Discuss and collaborate on audit and assurance in ISACA’s Online Forums: https://engage.isaca.org/onlineforums

Governance: The Freedom to Hyper Focus
By having proper governance, we know what the rules are in critical areas with respect to the operating environment. We do not have to think about what the rules should be as we are working on something to move the organization forward. The time we do not have to spend thinking about what the rules should be frees us up to be able to innovate. This is the core message behind Willink’s quote that “discipline equals freedom.” Having proper, updated governance means we can focus more on the innovation effort itself.

Often, when writing an article or preparing a talk, it is not unusual to have too much material. Writers and speakers must spend time trying to pare down the material to meet the requirements of the work. The general rule is the shorter the article or talk, the more time will have to be spent to do the cutting. The reason to do the cutting is to ensure that the …

Governance: Innovation for Other Areas of the Organization
What I have found in years of experience in IT and audit/security is that oftentimes we define a control and, as long as it keeps on working for us, we do not spend time/effort trying to improve it. This is logical, as we would rather spend our resources on moving the needle forward. Only when there is pain around a control do we tend to revisit it.

The great thing about innovation is we are often building new things or implementing things in a new way. In that effort, we get the opportunity to revisit controls. Perhaps a way we are building something in the innovation is applicable to an existing control. For instance, we want to better parse web server log traffic to spot problems before an outage results. In the effort to build this better web server log parser, we also build something that might be applicable to controls around web server monitoring for the organization.

We could also realize something we build to meet governance requirements is applicable somewhere else. For instance, if I need to build a better rights tracking system for a particular application that is considered critical, in the process of building that system I may reveal information that could be used to improve employee on-boarding processes, which can be tossed over to innovation to flesh out.

“… TELL US WHERE WE SHOULD BE SPENDING TIME.”

… complete moves. The difference is intent. Governance, when we understand the intent, gives us business value. It tells us what most needs protecting. It reveals to us where the weak points are located. It lets us know on what we could be working. That is valuable information to an innovation effort.

Not only can governance tell us where we should not waste our time, it can tell us where we should be spending time. If we are looking to maximize the return on investment (ROI) of an innovation effort, that is exactly what we need.

Embracing Governance
… what should be avoided. Knowing what to cut out of the picture helps tremendously. Second, efforts from innovation can assist governance, but governance efforts themselves can lead to insights on expanding technology and processes outside of the realm of meeting a control to bring more efficiency elsewhere. Finally, by taking the time to understand the governance, the whys behind the controls, we can often better understand what is truly important to the organization and where there are gaps that need filling. That gives us a better idea of where innovation can be put to use.
Digital Governance
Closing the Digital Strategy Execution Gap

Also available in French: www.isaca.org/currentissue

Never before has there been such an intense focus on digital as during the COVID-19 pandemic. This has been especially true for the business continuity management (BCM) efforts needed to provide work-from-home functionality to support social distancing. Organizations that struggled to action their business continuity plans (BCP) will, in effect, have experienced a digital execution gap (i.e., the difference between the aspirations and the reality of effecting business continuity).

In the same way that a digital gap is experienced in BCP, there is also an enterprise digital strategy execution gap (which incorporates BCP). The following details how governance ensures that the enterprise digital strategy execution gap is as narrow as it can be, ultimately supporting organizational sustainability.

Reinforced by the waterfall model of software development,1 IT has typically been a reactive enabler of business. The waterfall model begins with business giving IT their requirements, which IT then develops, tests and, ultimately, deploys into production—all in response to the business requirements. The Agile methodology2 can also be challenged in this, given that it begins with the end user crafting the stories, which are then implemented and deployed either traditionally or in a DevOps paradigm.

A key question is whether reactive IT is sufficient for an organization to sustain its competitiveness and whether strategically proactive IT is becoming a necessity in the interests of organizational sustainability. This key question was introduced in IT-business alignment work and the Strategic Alignment Model (SAM) of 1990.3 It remains foundational literature for any governance professional, providing a qualified means to frame IT oversight regarding the governance professional’s fiduciary duties on the board.

The first reason for SAM’s continued relevance is in the original article’s title, “Strategic Alignment: A Model for Organizational Transformation via Technology.” An evolution of the article was published in 1999, where the article’s title had become even more interesting: “Strategic Alignment: Leveraging Information Technology for Transforming Organizations.”4

Both titles seem appropriate for today’s digital transformation texts because digital transformation is instrumental in organizational transformation, impacting the organization’s operating and …
Figure 2—The 30-Year-Old SAM Domains Overlaid With Modern Digital Transformation Domains

[Figure residue: a chart of the strategy execution gap, with labels Structural Changes; Strategic Outcomes; Strategy execution gap; Desired Strategic Performance; Actual Strategic Performance; Today; Strategic Planning Time Horizon]
… and IT capabilities. Thus, the IT strategy should be articulated both in terms of an external and internal domain,14 with a digital strategy being an element of the IT strategy. In this context, two key areas exist where an execution gap can occur:

1. Difficulties in translating the implications of the external environment on an organization’s competitiveness
2. Difficulties in the relationship between technology enablers and business execution

While point one previously is an enterprise governance challenge, point two highlights the area within which the digital strategy gap arises. The greater the difficulties in aligning IT with business, the greater the extent of unmet expectations and the greater the digital strategy gap.

The digital strategy execution gap is serious, with only 10 percent of enterprises from a sample of 340 large global enterprise senior executives having a plan to deploy their digital strategies,15 something akin to the finance gap in corporate strategy execution mentioned earlier.

Given that a digital strategy is an element of an enterprise strategy and that digital transformation is key to organizational resilience, sustainability and relevance, if only 10 percent is being executed, it is no surprise that less than two-thirds of the financial objectives expressed in the enterprise strategy are being missed. The survey responses from 1,591 senior business leaders in the United Kingdom and the United States termed the extent of the gap “a digital strategy execution crisis.”16

Of those organizations that do implement digital strategies, only 38 percent of them being able to determine the outcomes of their digital transformation initiatives17 is a failure, not only to shareholders—an unknown return on investment (ROI) for the time, effort and money expended—but also to customers who will subsequently be attracted to competitors where the digital investments produce a rich, seamless and integrated customer experience. This speaks to the value and value propositions and financial outcomes of figure 1, again demonstrating poor alignment between the SAM domains these engage with shown in figure 2.

Governance’s Role in Narrowing the Digital Strategy Execution Gap
These issues should be better governed to reduce the severity and impact of the digital strategy execution gap. To minimize the strategy execution gap, governance professionals can:
• Ensure enterprise strategy efficacy, followed by IT (and digital) strategy efficacy, the latter of which may itself feed the enterprise strategy in a proactive paradigm. Possibly an implied …
Figure 4—Board Focus for Narrowing the Digital Strategy Execution Gap
[Figure: three board focus areas, Strategy, Development and Execution]
Done well, this addresses the previously mentioned fact that two-thirds of CEOs and executives admit that they lack the capabilities to create value and execute their strategies.25, 26

Execution
To achieve target outcomes, boards include strategy and digital transformation reports that provide a keen lens on transformation oversight and execution, focusing on progress against key metrics, risk, opportunities and interventions to course correct where necessary at the quarterly board meetings.

“Digital transformation quite often requires different leadership skills, both during the transformation and operation of the business afterward.”
“Transition risk management” is also gaining acceptance as a risk management framework that includes oversight of digital transformation risk, with the goal of achieving greater levels of certainty in the achievement of target outcomes. Transition risk defines the point where something defined as a risk begins to materialize.27 The top five transition risk factors include:28
1. Schedule delays
2. Service costs
3. High-demand skill sets
4. Service quality degradation
5. Managing service provider effectiveness

Moreover, boards also focus on ensuring that the right CEO and leadership team are in place, culture is evolving the way it needs to and employees are engaged in the strategy execution.

Culture, too, needs to evolve as an important element of digital transformation. Examples include ensuring that leadership teams are instilling agility and the mentality that it is “OK to make mistakes, but learn from them and fail fast.” While every organization will face technological challenges in their digital transformation journey, “transforming an organization’s culture is more challenging.”30

Compared to Waterfall, Agile is a methodology better suited to achieving the desired agility because it deals with uncertain and unpredictable environments and helps ensure prioritization of the right (sub)projects.31 However, accommodating Agile and agility in a large organization steeped in a Waterfall culture is challenging.

Given the recruitment cost, talent war and poor employee engagement cost, the latter is high on many leaders’ agenda.32 Successful digital transformation
Organizations may not be able to control the volatility of the economy, but good governance—particularly the demonstration of good governance—can improve an organization’s position with regard to these three key factors.

In the late 1990s, organizations such as RepRisk and RobecoSAM began publishing environmental, sustainability and governance (ESG) ratings and, in 1999, the Dow Jones Sustainability Index became the first global index to track sustainability-driven public enterprises based on RobecoSAM’s ESG analysis. Today, most international and domestic public (and many private) enterprises are being evaluated based on their ESG performance by various third-party providers of reports and ratings.2

Not everyone fully accepts the utility of corporate governance rating systems. For example, some have expressed skepticism that any governance score based on a single set of value judgments about what constitutes good governance practices is a reliable measure of an enterprise’s governance. Indeed, the Society for Corporate Governance’s stated position is that “Many governance practice prescriptions tend to elevate form and appearance

Succession Challenges and Ability to Attract and Retain Top Talent (Number 3)
Where there is an absence of good governance, there is an increased likelihood of fraud, bribery, corruption, waste, abuse, and unfair or unethical practices. Additionally, there may be a lack of clarity about the enterprise’s mission and values. These concerns contribute to unhappy employees, who, in turn, are harder to retain and less productive. In a well-governed environment, the opposite is true, making good governance essential to reduce the risk of being unable to hire the right people, keep them or maximize their potential.

Employees want to be well compensated, but they also want to understand the purpose and

“Government does not understand emerging technologies enough to regulate them effectively.”

they are receiving incomplete information with regard to risk factors affecting the enterprise.
Customer Loyalty and Retention (Number 9)
It should be intuitive that commitment to customer loyalty drives profitability, and research provides evidence that this is so.8 Nevertheless, incentive structures and a focus on short-term performance can sometimes motivate employees to make decisions that destroy customer value and loyalty rather than build it up. If board members and senior leaders want to mitigate risk related to customer loyalty and retention, they must empower their employees to do whatever is needed to satisfy (or even delight) customers and reward them for doing so. The organizations that do this best (the “loyalty leaders”) grow revenue roughly 2.5 times faster than their industry peers.9 As more and more interaction between organizations and their customers becomes technology-enabled, greater responsibility for the end-to-end customer experience will fall under the purview of IT governance.

Conclusion
While striving to adapt to the continuously evolving landscape of top-level risk factors, leaders can understandably become focused on tactical solutions and short-term objectives, which are necessary. But it is important to bear in mind that good corporate governance—and, as a microcosm, good IT governance—acts as the compass that directs the enterprise’s perception of, and response to, risk—whatever that risk may be.

Endnotes
1 Enterprise Risk Management Initiative Staff, “Executive Perspectives on Top Risks for 2020,” North Carolina State University, USA, 12 December 2019, https://erm.ncsu.edu/library/article/top-risks-report-2020-executive-perspectives
2 Huber, B. M.; M. Comstock; “ESG Reports and Ratings: What They Are, Why They Matter,” Harvard Law School Forum on Corporate Governance, 27 July 2017, https://corpgov.law.harvard.edu/2017/07/27/esg-reports-and-ratings-what-they-are-why-they-matter/
3 Society for Corporate Governance, “Statement on Governance,” https://www.societycorpgov.org/about76/statementongovernance34
4 Edelman, Edelman Trust Barometer Special Report: Investor Trust, USA, December 2019, https://www.edelman.com/sites/g/files/aatuss191/files/2019-12/2019%20Edelman%20Trust%20Barometer%20Special%20Report%20-%20Investor%20Trust.pdf
5 Edelman, Edelman Trust Barometer: Global Report, USA, 2020, https://cdn2.hubspot.net/hubfs/440941/Trust%20Barometer%202020/2020%20Edelman%20Trust%20Barometer%20Global%20Report.pdf?utm_campaign=Global:%20Trust%20Barometer%202020&utm_source=Website
6 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Improving Organizational Performance and Governance, USA, 10 February 2014, https://www.coso.org/Documents/2014-2-10-COSO-Thought-Paper.pdf
7 Capgemini Consulting, Governance: A Central Component of Successful Digital Transformation, France, 2017, https://www.capgemini.com/wp-content/uploads/2017/07/Governance__A_Central_Component_of_Successful_Digital_Transformation.pdf
8 Markey, R.; “Are You Undervaluing Your Customers?” Harvard Business Review, January–February 2020, https://hbr.org/2020/01/the-loyalty-economy
9 Ibid.
[Figure: data life cycle stages with a sample privacy question for each]
• PLAN/DESIGN—Is the data dictionary design compatible with different systems?
• BUILD/ACQUIRE—Is this a paper or electronic repository?
• STORE—Are there any technical safeguard measures for data storage?
• USE—Are the data applied to automated decision making?
• SHARE—Is the data sharing obtained with explicit consent from data subjects?
• ARCHIVE/DESTROY—Do the technical measures taken for data destruction guarantee they are irrecoverable?
Stage 1: Establish Privacy Governance
The US National Institute of Standards and Technology’s (NIST) Privacy Framework is intended to assist organizations in communicating and organizing privacy risk and rationalizing privacy to build or evaluate a privacy governance program. The NIST Privacy Framework defines privacy governance as govern/develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.7 In this stage, the enterprise could do the tasks outlined in figure 3.

Stage 1-1: Define Privacy Governance Goals
The first step is for the enterprise to create a privacy vision and mission statement. Stakeholders should take market expectations into consideration, establish an overall privacy risk management strategy, define the scope of privacy governance by identifying applicable personal data protection laws and regulations, structure a privacy team, and define a privacy risk tolerance level.

Specific and clear communication about the enterprise’s approach is key to obtaining support for the privacy risk management program. But it should be noted that there is no one-size-fits-all strategy. The enterprise must consider its own circumstances and the business environment when adopting a privacy strategy.

consists of the following elements:
• Purpose—Explain privacy governance goals in detail.
• Scope—Define the personal data required to be protected and the internal policies to be followed.
• Risk—Identify potential risk factors, vulnerabilities and threats related to data processing activities.
• Responsibilities—Set up a privacy committee consisting of identified stakeholders, specify the role of each department (e.g., which executives must approve funding for the privacy team), establish the role of the data protection officer, support privacy initiatives such as training and awareness, and hold employees accountable for following all privacy policies and procedures.
• Processes—Establish privacy risk management processes.

Stage 1-3: Realize the Benefits of Privacy Risk Management
A privacy risk management framework is intended to help enterprises weigh the benefits of data processing against the risk of doing so and determine which risk response measures should be adopted.

Stage 2: Conduct Privacy Risk Management Activities
NIST also states that a privacy risk management framework is intended to help enterprises weigh the benefits of data processing against the risk of doing so and determine which risk response measures should be adopted.8 In this stage, enterprises could conduct the tasks listed in figure 4.
Stage 2-1: Define Privacy Risk Assessment Framework
A privacy risk assessment determines whether an enterprise is in compliance with applicable laws and regulations, industry standards, and internal policies and procedures. Based on a survey by the International Association of Privacy Professionals (IAPP) and TrustArc,9 the vendor/third-party risk assessment is the most common type of assessment conducted (figures 5 and 6). Also common are data protection impact assessments (DPIAs), privacy impact assessments (PIAs) and legitimate interest assessments (LIAs).

A DPIA is designed to identify risk arising from the processing of personal data and to minimize this risk as much and as early as possible.10 DPIAs can help prioritize risk, allowing resources to be concentrated on the domain with the highest risk and the greatest potential damage in order to mitigate that risk.

A PIA is an analysis of the risk factors associated with processing personal information in relation to a project, product or service.11 PIAs provide remediation measures to avoid or mitigate risk.

In addition to COBIT 2019, several others are available to help enterprises address privacy risk:
• NIST Privacy Framework—Version 1.0 of the NIST Privacy Framework,12 released in January 2020, is a tool to assess and mitigate privacy risk, implement privacy engineering, and design products and services to protect individuals’ privacy by providing a set of activities and outcomes that enables enterprise stakeholders to discuss managing privacy risk (figure 7).
• International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27701—This first global privacy standard, released in August 2019, provides a risk-based framework for a privacy risk management system.13 It helps enterprises translate principles-based legal requirements into technical privacy controls that can be implemented in tandem with security controls (figure 8).
[Figure: types of privacy assessment, including international data transfer assessments, data protection impact assessments and data breach readiness assessments. Source: Adapted from International Association of Privacy Professionals (IAPP) and TrustArc, Measuring Privacy Operations 2019: Cookies, Local vs. Global Compliance, DSARs and More, USA, 2019]
[Figure: risk matrix of Severity against Likelihood, each rated Limited, Significant or Maximum]
• Review whether the third party has certifications such as ISO/IEC 27001, Payment Card Industry Data Security Standard (PCI DSS) or other information security-related certifications.
• Review data sources, data types, data location, local regulatory requirements, data retention period, minimum safeguards and additional processing purposes, such as subcontracts to fourth or fifth parties.
• Review potential data combinations and additional uses that may impact the level of risk for individuals (e.g., artificial intelligence [AI], machine learning [ML], cloud computing technology) and whether the third party possesses relevant qualifications.
• Disclose to customers any use of subcontractors to process personally identifiable information (PII).
• Cooperate only with third parties who can prove their compliance and provide adequate safeguards.
• In the case of general written authorization, inform customers of any intended changes concerning the addition or replacement of subcontractors.

Stage 2-2-2: Data Breach Readiness Assessments
To prepare for a data breach, assess the following:
• Level of risk of a data breach:
– Considering the nature, scope, context and processing purpose of an incident, evaluate the risk associated with an independent event. If it affects large-scale data subjects or has a greater impact on specific individuals, the risk is high.
• Likelihood and severity of a personal data breach:
– Type and nature of personal data involved, particularly special categories of personal data
– Circumstances of a personal data breach
– Whether appropriate technical safeguards have been applied (e.g., encryption, pseudonymization)
– Whether the data subject will be directly or indirectly affected
– Possibility that pseudonymization can be restored or that confidentiality fails
– Possibility that personal data can be maliciously used
– Possibility of substantial damage on a physical level
– Nonsubstantial damage to the data subject

Several entities provide methodologies for data breach readiness assessments, including the following:
programmatic concerns or insider threats?

In particular, enterprises should carry out incident response reviews or post-incident evaluations after a security incident occurs. This includes reviewing configurations of personnel and resources and evaluating control approaches such as time and procedures.

Privacy Risk Management in Practice
Two real-life examples are provided here. The first focuses on performing a qualitative risk assessment based on an existing methodology. The second deals with one of the hottest privacy issues—employee tracking and monitoring—and how to implement privacy risk management in this scenario.

= 1 (maximum).

For the second case:
• DPC—The information on the pay slips is financial data, in particular, the kind of data that comes from a bank and concerns the account balances of clients for the last month, so DPC = 3.
• EI—The combination of information on the pay slips, such as full name and Social Security number, makes it easy to identify the individual, so EI = 1 (maximum).
• CB—Although the circumstance is the same as in the first case, the personal data have been sent to unauthorized recipients, which increases the impact of the breach because of the unknown number of recipients, so CB = +0.5 (higher than in the first case).

Therefore, SE = 3 × 1 + 0.5 = 3.5.

By conducting this type of qualitative assessment, an enterprise can evaluate the severity of breaches,
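The second case above applies the ENISA severity formula SE = DPC × EI + CB. As an added example (not the article's or ENISA's code), here is that calculation with input validation and the severity bands; the value scales and bands are assumptions taken from the ENISA methodology cited in endnote 16, only the second case's inputs (DPC = 3, EI = 1, CB = +0.5) and result (3.5) come from the article, and the contrasting "first case" is constructed, not the article's own.

```python
"""Severity of a personal data breach, SE = DPC x EI + CB, as in the
article's worked case. Added example: not the article's or ENISA's code.
The allowed scale values and the severity bands are assumptions taken
from the ENISA methodology the article cites in endnote 16; only the
second case's inputs (DPC = 3, EI = 1, CB = +0.5) and its result (3.5)
come from the article. FIRST_CASE_SAMPLE is constructed for contrast.
"""
from dataclasses import dataclass

# Data Processing Context (DPC): base score for the kind of data involved.
# Assumption: ENISA's four classes, 1 (simple) to 4 (sensitive).
DPC_SCALE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}

# Ease of Identification (EI): how easily the data points to a person.
# Assumption: ENISA's four levels, 0.25 (negligible) to 1 (maximum).
EI_SCALE = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}

# Circumstances of Breach (CB): additive adjustments such as loss of
# confidentiality, malicious intent or an unknown number of recipients.
# Assumption: each adjustment is 0, +0.25 or +0.5; several may apply.
CB_STEPS = (0.0, 0.25, 0.5)


@dataclass(frozen=True)
class BreachCase:
    """One assessed incident; cb_adjustments lists the CB increments applied."""
    name: str
    dpc: int
    ei: float
    cb_adjustments: tuple


def severity_score(dpc: int, ei: float, cb: float) -> float:
    """Return SE = DPC x EI + CB, rejecting inputs outside the assumed scales."""
    if dpc not in DPC_SCALE.values():
        raise ValueError(f"DPC must be one of {sorted(DPC_SCALE.values())}, got {dpc}")
    if ei not in EI_SCALE.values():
        raise ValueError(f"EI must be one of {sorted(EI_SCALE.values())}, got {ei}")
    if cb < 0 or (cb * 4) % 1 != 0:
        raise ValueError(f"CB must be a non-negative multiple of 0.25, got {cb}")
    return dpc * ei + cb


def severity_band(se: float) -> str:
    """Map a score to a band (assumption: <2 low, <3 medium, <4 high, else very high)."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


def assess(case: BreachCase) -> tuple:
    """Compute (SE, band) for a case; CB is the sum of its adjustments."""
    for step in case.cb_adjustments:
        if step not in CB_STEPS:
            raise ValueError(f"unexpected CB adjustment {step}")
    cb = sum(case.cb_adjustments)
    se = severity_score(case.dpc, case.ei, cb)
    return se, severity_band(se)


# The article's second case: pay slips (financial data, DPC = 3) carrying
# full name and Social Security number (EI = 1) sent to an unknown number
# of unauthorized recipients (CB = +0.5).
SECOND_CASE = BreachCase("pay slips sent to unauthorized recipients", 3, 1.0, (0.5,))

# Constructed contrast case (not the article's first case): same data and
# identifiability, but a single, known recipient (CB = +0.25, assumed).
FIRST_CASE_SAMPLE = BreachCase("pay slips sent to one wrong recipient", 3, 1.0, (0.25,))


if __name__ == "__main__":
    for case in (FIRST_CASE_SAMPLE, SECOND_CASE):
        se, band = assess(case)
        print(f"{case.name}: SE = {se} ({band})")
```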
“Privacy...is about managing consumer trust and safeguarding personal data during the data life cycle.”

Endnotes
1 International Association of Privacy Professionals, “2020 Global Legislative Predictions,” https://iapp.org/media/pdf/resource_center/global_legislative_predictions_2020.pdf
2 RSA Conference 2020, “NIST Privacy Framework IRL: Use Cases From the Field,” https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/17967/2020_USA20_PRV-W01_01_NIST%20Privacy%20Framework%20IRL%20Use%20Cases%20from%20the%20Field.pdf
3 Intersoft Consulting, Art. 4: Definition, EU General Data Protection Regulation (GDPR), Belgium, 2018, https://gdpr-info.eu/art-4-gdpr/
4 ISACA®, COBIT® 5: Enabling Information, USA, 2013, https://www.isaca.org/bookstore/cobit-5/cb5ei
5 ISACA, Rethinking Data Governance and Management: A Practical Approach for Data-Driven Enterprise, USA, 2020, https://www.isaca.org/bookstore/bookstore-wht_papers-digital/whprdg
6 ISACA, COBIT® 2019, USA, 2018, https://www.isaca.org/resources/cobit
7 National Institute of Standards and Technology (NIST), NIST Privacy Framework Core Version 1.0, USA, 16 January 2020, https://www.nist.gov/privacy-framework
Professionals, “Privacy Program Management—Tools for Managing Privacy Within Your Organization,” https://iapp.org/store/books/a191P0000035CgQQAU/
11 Ibid.
12 Op cit National Institute of Standards and Technology
13 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27701 Security techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management—Requirements and guidelines, 2019, https://www.iso.org/standard/71670.html
14 Commission Nationale de l’informatique et des Libertés (CNIL), “Methodology for Privacy Risk Management: How to Implement the Data Protection Act,” https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-Methodology.pdf
15 Op cit International Association of Privacy Professionals, “Measuring Privacy Operations 2019”
16 European Union Agency for Cybersecurity (ENISA), “ENISA Recommendations for a Methodology of the Assessment of Severity of Personal Data Breaches,” November 2013, www.e-szbi.pl/files/Data-breach-severity-methodology.pdf
17 Agencia Española Protección Datos (AEPD), “Guide on Personal Data Breach Management and Notification,” September 2019, https://www.aepd.es/sites/default/files/2019-09/Guide-on-personal-data-breach.pdf
18 Polonetsky, J.; E. Renieris; Privacy 2020: 10 Privacy Risk and 10 Privacy Enhancing Technologies to Watch in the Next Decade, Future of Privacy Forum, USA, January 2020, https://fpf.org/wp-content/uploads/2020/01/FPF_Privacy2020_WhitePaper.pdf
19 Op cit ENISA
Building an Enterprise Security Program

Mercury NZ, a US$2 billion renewable energy generation and retail company, has the most NZ Stock Exchange shareholders of any New Zealand company, serving more than 373,000 residential, commercial, industrial and spot customers across New Zealand. The company employs 775 full-time employees (FTEs) plus an additional approximately 700 contractors. Founded in 1999, Mercury NZ has grown organically over the last 21 years and has transitioned over time to adopt increased use of connected technologies. As an energy producer and retailer, Mercury NZ manages operational technology (OT) and information technology (IT) infrastructures and networks.

As the business has evolved and new connected technologies have been deployed, structured security at Mercury NZ, as with many growing organizations, was introduced post-operationalization of many systems, delivering services to both internal and external customers and other stakeholders.

The Challenge
Mercury NZ is an innovative technology-driven business. The business realized that to be able to take full advantage of technology, it must optimize technology-related business risk and, in 2018, began the journey to mature its security management capabilities.

innovations and general security operations to uplift security capability maturity across the organization.

The Mercury NZ executive team realized that the establishment of an effective enterprise security management function was fundamental to the business’s ability to maintain the trust and confidence of its stakeholders—both internal and external.

The Solution
By June 2018, Gabriel T. Akindeju, a seasoned security industry professional, joined the employ of Mercury NZ as its first enterprise security manager.1 Akindeju’s charge was to annex, leverage and reorient various security activities within the business and build a strategic program that would enhance protection of the organization’s infrastructure and data and instill a security culture. This had to be accomplished despite the challenges
[Infographic: 25 security champions earned the security champions certificate; five days for security champions]

security governance over technology procurement to avoid shadow IT and insecure implementation, and for healthy discussions on return on investment (ROI) on security investments.

[Figure: COBIT maturity chart on a scale from 1.5 to 4.5; level 4, Quantitative: the enterprise is data driven, with quantitative performance improvement]
It is foolish to wait until an enterprise is in the midst of a data breach to test its cybersecurity incident response plan (CSIRP). How likely is it that the enterprise will know that a cyberattack is underway and be able to react appropriately? Are the enterprise’s current policies and procedures sufficient to effectively detect, respond to and mitigate sophisticated cybersecurity incidents?

The use of tabletop exercises (TTEs) can help answer these and other questions. TTEs are designed to prepare for real cybersecurity incidents. By conducting TTEs, an incident response team increases its confidence in the validity of the enterprise’s CSIRP and the team’s ability to execute it.1

The Lego Serious Play (LSP) method can support, improve and strengthen the design, execution and outcomes of the TTEs an enterprise uses to assess the capabilities, effectiveness and maturity of its CSIRP. TTEs help determine whether the current CSIRP is able to detect, respond to and mitigate incidents in a timely and successful manner. They can also ascertain whether the right people are in place, whether they are aware of and committed to their duties during a real cybersecurity incident, and whether they can execute the procedures correctly.

to prevent failures and overcome challenges has been recognized. Cybersecurity professionals need to acknowledge these shortcomings and explore new mechanisms to manage them. The LSP method has proved to be one mechanism that enriches and improves cybersecurity incident response TTEs and reduces the risk of failure.

The Value of Tabletop Exercises
A TTE presents a realistic cybersecurity incident scenario to which an enterprise must respond. Participants in the exercise describe how they would react during the incident, what tools they would use and what procedures they would follow. At the end of the exercise, the enterprise can determine where its incident response plans and policies are working well, where there is room for improvement, and how it can refine its CSIRP
moving forward. Increasingly, clients, insurers, auditors and regulators require evidence of preparedness, and the results of a TTE can satisfy these requirements.

A variety of standards, regulations and guides related to cybersecurity incident response recommends the testing of CSIRPs. Figure 1 provides a sampling of standards from NIST,3, 4 the Payment Card Industry Security Standards Council (PCI SSC),5 the SANS Institute,6 the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)7 and ISACA®.8

The US Department of Homeland Security’s Ready Campaign,9 designed to educate and empower US citizens to prepare for, respond to and mitigate emergencies, summarizes the benefits and outcomes of exercises to test response plans. They include the following:
• Identify planning and procedural deficiencies.
• Clarify roles and responsibilities.
• Obtain participant feedback and recommendations for program improvement.
• Measure improvement compared to performance objectives.
• Assess the capabilities of existing resources and identify needed resources.

Methodology for Planning and Performing Tabletop Exercises
TTEs must follow some widely accepted methodology or guide. NIST SP 800-84, for example, focuses on TTEs and functional exercises.10 It can help enterprises design, develop, conduct and evaluate testing, training and exercise events in an effort to assist personnel in preparing for adverse situations involving IT.

TTEs are discussion-based exercises. Personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular crisis situation. A facilitator presents a scenario and asks the participants questions related to the scenario, which initiates a discussion of roles, responsibilities, coordination and decision making. Figure 2 outlines the NIST SP 800-84 methodology for conducting a TTE.

Failures and Challenges of Tabletop Exercises
TTEs are not exempt from weaknesses and discouraging results.11 Disengaged staff, low attendance, inattention during the exercise and other failures have been identified. They include the following:
[Figure: NIST SP 800-84 TTE methodology steps; only the step “Conduct the TTE event” is recoverable]

• Lack of clear and achievable objectives—Do not overcomplicate the objectives of the TTE, and make sure they are achievable.
• Irrelevance—The value of a TTE is the opportunity to discuss individual interests (related to areas or roles) and to explore new and unforeseen issues.
• Tedium—TTEs are a means to expand the scope of an enterprise’s human, process and technology assets. For some individuals, the prospect of a TTE meeting may not be exciting, so it is important to make the exercises interesting.
• Boring scenarios—The TTE scenario should ensure that all the participants are engaged. Maintaining their interest in the conversation throughout the session can be difficult, but it can be accomplished by including issues that are specific to the participants’ areas of responsibility.
• Lack of visual appeal—Pictures, short videos, manipulated images, simulated news and social media messages can create realism and keep participants engaged. Failure to present a visually stimulating experience will result in less interaction and more disengagement.
• Exercises that are too challenging or not challenging enough—Achieving the right balance can be difficult. If scenarios go too far, participants may be overwhelmed by the various problems presented to them. This can lead to a reduction in active participation during the TTE. The same is true for a scenario that is too easy to handle and does not test the team.

Because many of the failures of TTEs are related to interest, interaction, engagement and participation, creative solutions are needed, and this is where game-based learning and gamification can help. An example of game-based learning applied to TTEs is Backdoors & Breaches, an incident response card game that is simple in concept, easy to play and fun.13

Gamification is the craft of deriving fun and engaging elements found typically in games and thoughtfully applying them to real-world or productive activities. Game mechanics such as points, challenges, leaderboards, rules and incentives make game-play enjoyable. Gamification applies these mechanics to motivate the audience to achieve higher and more meaningful levels of engagement.14

Many enterprises have experimented with gamification to improve end-user awareness. The results have been remarkable.15 Games have the ability to disarm people, negating their natural aversion to meetings because games make them fun, and most games are associated with the chance to win. Although using games to increase people’s engagement with work may seem counterintuitive, game playing appears to be paying off in the areas of cybersecurity awareness, incident response exercises and cybersecurity skills development.

Lego Serious Play Method
In the search for innovative and proven methods of game-based learning that can be used without any restrictions in the development and execution of TTEs and can mitigate the failures described previously, LSP is an obvious choice. In simple terms, LSP is a systematic method that enables people to use Lego bricks to solve problems, explore ideas and achieve objectives.16 Lego bricks are combined with animals,
Enterprises are strongly encouraged to adapt scenarios to use in their own incident response exercises. For TTEs executed with LSP, sample scenarios can be found in the Center for Internet Security (CIS) guide21 or appendix A of NIST SP 800-61.22 If an enterprise wants to simulate incidents using cloud-based services, Amazon Web Services (AWS) provides sample scenarios.23

stake in the agenda.

LSP is not just for incident response TTEs. Once cybersecurity professionals understand and have practiced and tested the LSP method, they can use it for other types of workshops, including security awareness, skill building, team building, cybersecurity program goal setting, cybersecurity behavior modification and cultural activities within the community, enterprise, workplace and home.
• Scalability—CSPs offer scalable computing environments and often include pay-as-you-use models, which help organizations handle increased volumes of data processing without investing in nonproductive computing capacity and without impacting performance.
• Affordability—Organizations need not invest in costly infrastructure and incur costs for maintaining that infrastructure. CSPs offer the required computing capability on a subscription model and help save on capital expenditures, particularly for small- and medium-sized organizations.
• Lower capital costs—Organizations can provide unique services using large-scale computing resources from CSPs, and then nimbly add or remove IT capacity to meet peak and fluctuating service demands while only paying for actual capacity used.
• Lower IT operating costs—Organizations can rent added server space for a few hours at a time rather than maintain proprietary servers, without worrying about upgrading their resources whenever a new application version is available. They also have the flexibility to host their virtual IT infrastructure in locations offering the lowest cost.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.

3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and application programming interfaces (APIs)
8. Weak control plane
9. Meta-structure and appli-structure failures
10. Limited cloud usage visibility
11. Cloud services are also prone to attacks

These threats may result in any of the following negative consequences for organizations using cloud services:
• Noncompliance and regulatory actions—Organizations need to comply with laws and regulatory controls, for example the US Health Insurance Portability and Accountability Act (HIPAA) for private health information and the US Family Educational Rights and Privacy Act (FERPA) for confidential student records; some countries also prohibit storing and processing resident information outside their geographical boundaries. Organizations must know where their data are located, who can access them and what level of protection they have. Although the CSP is responsible for operating the controls, the organization remains accountable for compliance.
• Loss of control over end user actions—End users need to access data in the cloud and, with bring your own device (BYOD) and mobile workforces, many organizations risk losing control over the actions of authorized end users.
• Malware infections that unleash a targeted attack—Cloud services can be subject to targeted attacks resulting in data breaches. Successful attacks diminish trust and can negatively impact the reputation of an organization.
• Contractual breaches with customers or business partners—Contracts between organizations and CSPs should control the data flow, processing and dissemination to authorized users. Since it is another vendor relationship, contracts with CSPs must be carefully drafted and agreed on in all cases.
• Reduced level of security—Information security in the cloud may not meet the level required by the organization’s policy. Although the CSA has defined security guidelines,2 monitoring and getting assurance via periodic audits may be a challenging task for the organization.

How to Proceed?
Organizations that wish to subscribe to cloud services from a third-party CSP need to consider the following:
• Outsourcing decisions are strategic and, as such, must be included in the overall outsourcing strategy.
• An organization-level service provider management framework and policy need to be in place.
• Selecting a CSP must be done carefully since it may not be easy to switch the vendor in the future.
• Each service provider has unique risk factors, which means it is prudent to study the practices followed by each service provider.
• Organizations that wish to use cloud services need to have clearly defined functional and security requirements.
• The contract with a CSP must include a “right to audit” clause, and the organization must have a mechanism to execute periodic audits of vendors. Most CSPs may not agree to audits by the organization’s auditor but may agree to a shared audit report. The organization must insist on SOC reports prepared under the SSAE 18 standard by approved auditors.
• Define and monitor service level agreements.

Cloud computing is here to stay. Organizations need to manage the risk associated with hosting sensitive data offsite, which will strengthen confidence in the service provider and allow the organization to reap the benefits of using a cloud platform.

Endnotes
1 Cloud Security Alliance, “Top Threats to Cloud Computing: The Egregious 11,” 6 August 2019, https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/
2 Cloud Security Alliance, Security Guidance v4.0, https://cloudsecurityalliance.org/research/guidance/
By Myles Mellor
www.themecrosswords.com

ACROSS
15 Are situated
17 Center, abbr.
18 Speculate about a future result
19 Arena shout
20 Where many inspections are done, 2 words
22 Accountant
25 Large tree
32 Reveal
36 Gifted foresight
38 Net alternative
40 Web inventor, first name
41 Conclusion regarding the purpose of the cyberattack on 1 Across
42 Type of software that advocates adaptive planning and continual improvement
43 Figure out
44 Ordered reference standard
45 Web

DOWN
1 Secretly steal data
2 Not protected by a fix for a security flaw
3 Guaranteed against failure
4 Programming language
5 Fort Knox bar
6 Physical fitness
7 Range or extent, of an IT audit, e.g.
8 Kind of analysis
14 Setback
16 ISACA's concern
18 Zone
21 Kind of support
22 One of the five attributes of an audit finding
23 Transcendental number
24 COBIT 2019 audit report component, _____ goals
26 Lessen the seriousness or extent of a crime or disastrous event
30 .001 inch
32 Early operating system
33 Push
34 A, in Acapulco
35 Objectives
37 Maintain, as some tools
38 C-suite members
39 Trial phase

Answers on page 58
TRUE/FALSE

ALVERO AND MCCARTHY ARTICLE
1. One of the categories of common automation project pitfalls is authentication of bots, which results from a lack of control ensuring bot functionality and issue resolution.
2. Although robotic process automation (RPA) is traditionally considered an approach to handling repetitive, routine tasks—often categorized as “low value”—internal audit’s role should be to ensure that the organization does not invest in automating tasks that are truly ineffective or of low value.
3. A survey of information workers revealed that one quarter of those employees believe their jobs could be replaced by automation.

PEARCE AND KETCHEN ARTICLE
4. Now more than ever, humans are desirable data subjects, whether or not they know they are serving in that capacity—a situation the EU General Data Protection Regulation (GDPR) addresses through its informed consent requirements.
5. Four ethical principles should inform the standards of organizations that sell or leverage data: respect for autonomy, beneficence, nonmaleficence and protection.
6. Among the top-rated medical applications (apps) for Android, 46 percent shared user health data with third-party organizations, and entities from 79 organizations used or consumed the data in some way.

QURESHI ARTICLE
7. Auditors can use the Emerging Technology Analysis Canvas (ETAC), which focuses on four conditions—opportunity/trigger, impact, feasibility and future—to identify and assess the risk of emerging technologies.
8. Artificial intelligence (AI) uses complex algorithms to propose decisions based on a pattern or learned over time. Because those algorithms are invisible, auditors must focus on factors such as the logical flow of processes, unintended bias and review/approval of algorithm output.
9. ISACA’s blockchain-oriented audit program focuses on six categories: pre-implementation, governance, development, security, census and privacy.

GOMEZ AND HINEY ARTICLE
10. Nonmedical information attached to a medical file and the gap between the US Health Insurance Portability and
11. The CCPA’s requirements around third-party notification exactly mirror the requirements of HIPAA.
12. Organizations should create a new privacy statement, which would include a comprehensive list of the third parties to whom the organization sells personal information, to comply with CCPA requirements that are over and above HIPAA requirements.

SHARMA AND MUKHOPADHYAY ARTICLE
13. Assessing and mitigating the risk of a distributed denial-of-service (DDoS) attack in the gaming industry involves computing the risk of not detecting a DDoS attack and the severity of such an attack, creating a risk and severity heat map of undetected attacks, then considering options for reduction and transfer of risk.
14. The approach described in the article groups types of DDoS attacks into five categories and suggests steps to produce classification accuracy to at least 80 percent.
15. Suggested risk mitigation strategies include adding stringent firewalls and intrusion detection systems (IDSs), diverting excess or illegitimate traffic to backup servers or content delivery networks (CDNs), and transferring residual risk to cyberinsurance policies.

SEEDAT ARTICLE
16. One of the lessons learned from the software-defined networking in a wide area network (SD-WAN) project described in the article is the need for a project charter that includes, at the least, project objectives and deliverables, in-scope items, exclusions, assumptions, high-level timelines, and responsible parties.
17. Past project experience indicates that project teams should ensure that the latest stable and compatible version of the operating system (OS) is implemented. It is not necessary to update patches before adding apps or configuring services to the system.
18. Although it will be necessary when the system goes live, it is not critical to mask sensitive data and restrict/protect access to sensitive data during the testing phase.
ISACA Member and Certification Holder Compliance

The specialized nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IS Audit and Assurance Standards
The standards are divided into three categories:
• General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-Up Activities

IS Audit and Assurance Guidelines
The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):
• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-Up Activities

IS Audit and Assurance Tools and Techniques
These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programs, reference books and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Please note that the guidelines are effective 1 September 2014.

Comments may also be submitted to the attention of the Director, Content Strategy, via email (standards@isaca.org); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
ISACA JOURNAL VOL 4 59
ISACA® Journal, formerly Information Systems Control Journal, is published by the Information Systems Audit and Control Association® (ISACA®), a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
ISACA Resources for guidance and professional development

FEATURED RESOURCES

CGEIT Review Manual 8th Edition
Print Product Code: CGM8ED | Member Price: $105 | Non-member Price: $135
eBook Product Code: EPUB_CGM8ED | Member price: $105 | Non-member price: $135

The CGEIT Review Manual 8th Edition is designed to help individuals prepare for the CGEIT exam and understand the responsibilities of those who implement or manage governance of enterprise IT (GEIT) or have significant advisory or assurance responsibilities with regard to GEIT. It is a detailed reference guide that has been developed and reviewed by subject matter experts actively involved in GEIT worldwide. The manual is organized to assist candidates in understanding essential concepts and studying the following updated job practice areas:
• GOVERNANCE OF ENTERPRISE IT
• IT RESOURCES
• BENEFITS REALIZATION
• RISK OPTIMIZATION

The CGEIT Review Manual 8th Edition features an easy-to-use format. Each of the book’s four chapters has been divided into two sections for focused study. Section one of each chapter contains the definitions and objectives for each of the CGEIT® practice areas. It also includes:
• Self-assessment questions and explanations of the answers
• Suggested resources for further study

Section two of each chapter consists of content and reference material that supports the knowledge subdomains for each job practice area. The material enhances CGEIT candidates’ knowledge and/or understanding when preparing for the CGEIT certification exam. In addition, the CGEIT Review Manual 8th Edition includes definitions of terms most commonly found on the exam.

The manual is excellent as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses, and it can be used in conjunction with the:
• CGEIT Review Questions, Answers & Explanations Manual 5th Edition
• CGEIT Review Questions, Answers & Explanations Database – 12 Month Subscription

CGEIT Review Questions, Answers & Explanations Manual 5th Edition
The manual consists of 300 practice items. These questions are not actual exam items but are intended to provide CGEIT candidates with an understanding of the type and structure of questions and content that has previously appeared on the exam. This publication is ideal to use in conjunction with the CGEIT Review Manual 8th Edition.

To help candidates maximize—and customize—study efforts, questions are presented in the following two ways:
• Sorted by job practice area—questions, answers and explanations are sorted by the CGEIT job practice areas. This allows the CGEIT candidate to refer to questions that focus on a particular area as well as to evaluate comprehension of the topics covered within each practice area.
• Arranged as a sample 75-question exam—The 75 questions are arranged in the same percentages as the current CGEIT job practice areas. Candidates are urged to use this sample test to simulate an actual exam and to determine their strengths and weaknesses in order to identify areas that require further study. Answer sheets and an answer/reference key for the sample exam are also included. All sample test questions have been cross-referenced to the questions sorted by practice area, making it convenient for the user to refer back to the explanations of the correct answers.

The Risk IT Framework Practitioners Guide, 2nd Edition

eBook Product Code: EPUB_CSXG2 | Member Price: $60 | Non-member Price: $65
Web Download Product Code: WCSXG2 | Member price: $50 | Non-member price: $55

COBIT 2019 Framework: Governance and Management Objectives
Print Product Code: CB19FGM | Member Price: $60 | Non-member Price: $75
Web Download Product Code: WCB19FGM | Member price/Non-member price: FREE

COBIT is a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. Enterprise I&T means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise I&T is not limited to the IT department of an organization, but certainly includes it.

COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure. This publication also includes detailed information about each of the components relevant to each governance and management objective.

Please note: This COBIT 2019 framework publication also has another companion framework publication available as a complimentary PDF download to both ISACA members and nonmembers.