While attending ISACA’s North America CACS 2014 Conference, I was impressed by insightful presentations on cloud security, big data, security GRC, security programs and frameworks, not to mention the opening and closing keynote presenters.

Likewise, I appreciated the diverse events at the conference (everything from breakout workshops to a professional photography station), the role of ISACA’s Young Professionals Subcommittee in promoting engagement among attendees, and the interactive communication opportunities for all.

As I look back at North America CACS, key messages stand out:

People—not computers—catch frauds
Harry Markopolos’ keynote presentation explored his exceptional work on Bernard Madoff’s fraud case, which demonstrated the whistleblower’s process of conducting holistic fraud examinations. Markopolos highlighted the red flags of potential frauds and answered the question, “How did one man lose $65 billion?”

As the presentation ended, I considered how we, as IT professionals, should rethink how IT is aligned with business objectives and strategies. Or, at least, how IT controls are designed and implemented for fraud-detection purposes.

Cloud and big data security
A major issue with cloud computing is data privacy, especially the data-residency problem, as most organizations worry about their business/customer data leaving the country or jurisdiction. In some cases, your primary data might be stored within the required geographic area, but the backups are loosely controlled by the cloud service provider (CSP). Organizations must perform due diligence to ensure their data is properly stored and protected. Government agencies will define which types of data can be put into the cloud, and the FedRAMP certification program can provide an independent view of the CSP’s ability to clearly define and describe system boundaries.

Another key consideration discussed at CACS is having a proper notification process in case the CSP makes changes. Old data + old data = new data.

New cybersecurity programs and roles
Cybersecurity is drawing attention from organizations across sectors. Two cybersecurity initiatives were discussed at North America CACS. One is the NIST Cyber Security Program, which expands NIST’s main focus beyond government. I believe that the content overlaps with the existing NIST security risk-management program. Presenter Victoria Yan Pillitteri stated that NIST is planning to clarify the relationship between the new cybersecurity program and NIST SP800-53.

The other initiative is ISACA’s Cybersecurity Nexus (CSX), which will include a certification program (Cybersecurity Fundamentals Certificate) and resources such as webinars, mentoring programs, training courses and an online community.

Be situationally aware of risks
The concept of “risk management” is a constant, even as technologies advance and the context in which technology is used is in perpetual flux. According to presenter Hubert Glover, when people think about high-level risk management, such as technology risk, they must consider every aspect of the organization, as every aspect of the organization is enabled, powered by and supported by IT.

Executive teams are considering how to turn risk into results, especially as they encourage participants to do innovative things in innovative ways. During his “Turning Risk into Results” presentation, Dr. Glover illustrated ways to evaluate risks in the context of time, place and mass. He skillfully demonstrated how to turn risk into results by leveraging a business model and risk framework, focusing on addressing organizational, operational and strategic risks.

Another critical aspect around risk management, proposed by keynote presenter/astronaut Mike Mullane, is to be aware of your risks in diverse situations. Using the Challenger disaster as an example, Mullane explained the dangers of accepting—in a changing work environment—a “tolerance” that was previously defined as “intolerable.” The astronaut stressed that it is not uncommon for organizations to fall victim to a “normalization of deviance”—getting away with shortcuts from best practices until the shortcut becomes the norm, leading to problems.

A few more nuggets from North America CACS

  • Do not be a passenger. Everyone’s suggestion on how to manage (security) risks and improve processes counts. The executive team and managers should listen to various opinions—one might save the organization some day.
  • Information security should be integrated into business process and systems by design. The add-on approach will cause you more time, money and effort.
  • Do periodic resets to best practices standards. The fact that you’ve been successful previously doesn’t mean you will be successful again. To avoid predictable surprise, don’t let a “can do” attitude guide you into a shortcut.

Note: This blog was also recently published on the ISACA.org web site. For more relevant research on information security and risk management from Info-Tech see the following:


Although huge amounts of data are being generated within organizations, few have formal strategies in place to effectively manage that data. There is a general lack of awareness of what types of data exist, where it’s housed, who uses it, and for what purposes. In addition, organizations don’t understand how poor their data quality really is.

Taking a proactive approach to data auditing is something every organization needs to do. Data is one of the organization’s largest assets. In order to utilize it effectively and benefit from it, data requires effective management in the form of policies, procedures, standards, and ownership. Audits will not only promote higher levels of data quality, they will also positively impact data security and compliance to regulatory laws and regulations.

Data audits will also identify where data owners and stewards may be required, any extraneous data sources that internal departments or lines of business may be using without IT’s knowledge, and the location of all data sources within the organization.

Audits don’t need to be a painful experience. Keeping things simple and sticking to a data audit framework is the secret to a successful audit. Organizations that perform audits on a regular basis will have a comprehensive inventory of all data assets, a clear understanding of any data issues that exist, and of where data ownership and accountability may be lacking. It’s in every organization’s best interest to perform regular data audits.

To complete your own data audit see Info-Tech’s Integrate a Data Audit into the Data Management Plan.


Endpoint protection has been the name of the security game for a while now, but vendors have been late getting into encryption, and the endpoint encryption market has turned into a game of catch-up and consolidation.

The big-name security players such as Check Point, McAfee, Sophos, Symantec and Trend Micro all bought into the market. Few vendors are actually creating their own endpoint encryption solutions, except CREDANT and Canadian company, WinMagic. These vendors may find themselves with acquisition targets on their backs.

So which vendors ended up coming out on top?

Check Point and Sophos led the way with their endpoint encryption solutions, Full Disk Encryption and SafeGuard Enterprise respectively. Both vendors scored well for their advanced features and price – Check Point’s solution was the most affordable of the bunch with Sophos not far behind.

Up next was CREDANT as an Innovator. It scored well for its advanced feature set, particularly due to its focus on policy-based encryption, which allows for more flexibility but can demand a higher management cost than traditional FDE solutions. However, it’s one of the pricier options.

The Market Pillar division saw some of security’s most recognizable names: McAfee, Trend Micro and Symantec.

McAfee’s endpoint encryption solution was strong, especially with McAfee’s market differentiator, the ePolicy Orchestrator that allows seamless management of the entire McAfee stack via a single console. However, where the vendor scored less was in terms of pricing – McAfee’s solutions are among the most expensive.

Trend Micro offers competitive pricing with strong advanced features. But with its recent acquisition of Mobile Armour (Trend entered the encryption game late in 2010), integration issues could crop up. While Mobile Armour has been around for a while, Trend does not have the experience in supporting the product, which could cause problems for customers needing help.

Symantec rounds out the Market Pillar category. Its PGP Line of products is broader than just endpoint encryption, encompassing email systems and fileservers in a broad encryption ecosystem. But Symantec will cost you – its solutions were the most expensive out of all the vendors evaluated.

Emerging Players were WinMagic and Trustwave. Independent, encryption-focused vendor WinMagic may be small but it’s growing with a key partnership with Lenovo with their SecureDoc solution. Trustwave offers full disk encryption as part of their managed services – the only vendor to offer managed services – which also includes a portfolio of security services for enterprises looking for a cost effective security option.

Trustwave also won the Innovator award for its unique Persistent File Encryption (PFE) feature that protects data in transit and at rest using Smart Tags. These tags protect only the data, not the devices it’s on, so data is protected no matter how it’s shared.

For more information on these Endpoint Encryption vendors, refer to Info-Tech’s Vendor Landscape: Endpoint Encryption.


The enterprise can’t be secure if it doesn’t know how – your documents need to get everyone on the same page.

Your Challenge

The organization has no formal documentation indicating how employees should act in order to maintain enterprise security.

Increasing regulatory pressure is upping the ante, making the lack of policy a business inhibitor.

This research will guide you through the process of developing a policy, vetting it with the business, and getting it implemented.

Critical Insight

Policy defines organizational security stance and forms the basis upon which all security decisions should be made. Studies show that developing and deploying a policy can reduce breach incidents by up to 93%.

The average cost in time and dollars to create a fully custom security policy is 12 months and $50,000. Upon completion of the work outlined in this solution set you will have created that policy without those expenditures.

Associated Research

1. Get a crash course in Security Policy.

Understand what Policy is, how it is constructed, and how to make best use of it.

2. Write the policies.

Develop the actual documents that will guide enterprise security compliance. Here are some examples:

3. Plan for implementation.

Determine the optimal order for the deployment of individual policies.

NOTE: Not an Info-Tech member? Register for a free trial to download up to three of the templates listed above. Simply click one of the links to get started.
