ISACA® Journal, Vol 4

The ISACA Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal's noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

CONTENTS

3 Information Security Matters: Someone Else
  Steven J. Ross, CISA, AFBCI, CISSP, MBCP

5 IS Audit Basics: Lessons From History
  Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt

9 Innovation Governance: The Balance of Speed and Protection in Innovation
  K. Brian Kelley, CISA, CSPO, MCSE, Security+

12 The Network
  Brennan P. Baybeck, CISA, CRISC, CISM, CISSP

FEATURES

14 The Pain of Automation (Disponible également en français)
  Wade Cassels, CISA, CFE, CIA, Jane Traub, CCSA, CIA, Kevin Alvero, CISA, CFE, and Jessica Fernandez, CISA

19 Acknowledging Humanity in the Governance of Emerging Technology and Digital Transformation (Disponible également en français)
  Guy Pearce, CGEIT

27 The Internet of Medical Things—Anticipating the Risk
  Mohammed Khan

33 Rethinking Risk
  Rajesh Srivastava, CISA, CGEIT, ISO 20000, ITIL Expert, PMP

39 Three Strategies for a Successful DevSecOps Implementation
  Taimur Ijlal, CISA, CISSP

42 Bridging the Gap Between Policies and Execution in an Agile Environment
  Mina Miri, Amir Pourafshar, CISSP, Pooya Mehregan, Ph.D., and Nathanael Mohammed

48 Analyst and Adversary (Disponible también en español)
  Jeimy J. Cano M., Ph.D., Ed.D., CFE, CICA

PLUS

54 HelpSource
  Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

56 Crossword Puzzle
  Myles Mellor

57 CPE Quiz

59 Standards, Guidelines, Tools and Techniques

S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors: Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically Speaking, to gain practical knowledge from colleagues and to participate in the growing ISACA community.

Online-Exclusive Features

Do not miss out on the Journal's online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features

The following is a sample of the upcoming features planned for July and August.

• Auditing Green IT Governance and Management With COBIT 5
  J. David Patón-Romero, CISA, PMP, Maria Teresa Baldassarre, PMP, Moisés Rodríguez, CISA, and Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP
• Evolving From Qualitative to Quantitative Risk Assessment
  Benoit Heynderickx, CISA, CRISC
• Understanding Compliance Risk in Finance and Banking
  Muhammad Waheed Qureshi, CISA, CIPP/IT, CISSP, GPEN, ITIL v3, PCIP

ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA
Telephone +1.847.660.5505
Fax: +1.847.253.1755
www.isaca.org

Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter
Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA
Follow ISACA on LinkedIn: www.linkedin.com/company/isaca
Like ISACA on Facebook: www.facebook.com/ISACAHQ
INFORMATION SECURITY MATTERS

Someone Else

Steven J. Ross, CISA, AFBCI, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal's most popular columns since 1998. He can be reached at stross@riskmastersintl.com.

Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts. https://bit.ly/2X6cpVv

Running an IT department used to be so simple. The programmers wrote programs; the technicians migrated the programs into production; and the operators ran them. These days, programmers implement systems purchased from a vendor. The techs have their hands full just keeping the infrastructure (or more likely, the infrastructures) up and running. And, more often than not, the programs are running in someone else's data center.

Let me complicate that a bit more. If the operators are running systems at all, they may be running them in someone else's data center, a colocation facility or colo. Many of the applications and much of the infrastructure are, or soon will be, rented from a third party as a service (or, more likely, as-a-service). And each of those services may well have been selected by end-user management with little or no input from IT personnel who specialize in security, reliability, recoverability or interoperability with other systems.

So, organizations are facing problems, if not yet crises, of IT governance, security, risk management and control—the perfecta of ISACA's certifications.1 If you are a holder of any of these, you ought to be concerned. Frankly, even without those certifications, there is cause for concern. If you are a programmer, technician or operator, you may already be seeing jobs of some colleagues disappear from your organization. Even though someone else is experiencing a talent shortage,2 they seem to be on the sell-side rather than the buy-side.3

Restructuring the Way IT Is Done

The concern is not—or at least, not only—vendor management. It is a fundamental restructuring of the way information technology has been done since the dawn of commercial data processing in the 1960s. An organization, whether a corporation or a government agency, was viewed as an organic whole with a consolidated set of information resources. The objective, only imperfectly achieved, but the goal nonetheless, was to have a single base of information that would be apportioned to each business and each authorized individual as needed to carry out their business. Containing all of IT within an organization gave management the (supposed) ability to secure all of it.

The idea that all of IT could be contained was a chimera. The computers in the data center were powered by someone else (the electric company), communicated via someone else (the telecommunications carriers) and were maintained by someone else (the hardware vendors). Operating and database management systems were certainly not developed in-house. Purchased applications are not new either. But, for the most part, there was a certain degree of comfort knowing that all of these systems were running in an access- and climate-controlled room somewhere in management's own building.

Where Did the Data Center Go?

Today, the data center is everywhere from someone's pocket to the cloud. I am looking at my smartphone and I find applications such as foreign exchange calculation, medical benefits, voicemail and encryption that used to run in data centers. I know that these are applications running in a data center somewhere that I can access through the terminal in my pocket. The point is that both the data center and the terminal used to be in the building to which I had to travel in order to work.

The use of colos is recognition that computer operations and real estate are separable. The organization had a data center that was built around many basic controls: who could enter, how fires would be prevented, how power failures would be managed, how recovery would be carried out if there were a disaster. Now, those controls are someone else's problem.

And, when information and the systems that support it disappear into the cloud, management's ability to exercise control over them becomes even more tenuous. Depending on which services a particular business function contracts for, someone else—the cloud vendor—may be producing the total environment: the application, the infrastructure and the data center. The cloud is, after all, just a group of interlocked data centers. With every business unit and, for that matter, every individual, free to acquire its own whatever-as-a-service, management's ability to control the use of information within an organization just vanishes.

Objections to the Argument

I am not deaf to the arguments that can be made to what I am saying here. "That may be someone else's problem, but it is not mine. My organization still has plenty of applications running in our data center." That may be the case today, but both market trends and vendor decisions are moving away from on-premises systems.4 In many cases, cloud-based applications are already running alongside older on-premises versions in a hybrid configuration.5 If the movement out of the data center is not occurring in your organization today, it will be tomorrow.

Another objection is that the trends that I am describing are actually positive for security and control. Maybe the colo or the cloud service provider does a better job at a lower cost than your organization could ever do, but there is still the matter that the best way to make something disappear is to declare it to be someone else's problem.6 There is also the opposite point of view, that "Security will continue to be an issue with cloud technology, especially now with the introduction of the [EU] General Data Protection Regulation (GDPR). Given the advantages of cloud computing, many organizations will likely rush into it without serious consideration of the security implications."7

The issue as I see it is not whether the movement away from in-house development and operation of information systems is better or worse for information security. It is different. Personally, I think the positives outweigh the problems, but those problems will not go away without addressing them head-on. The challenge, I propose, is that many of the verities that could be relied upon for decades are no longer operative. You cannot build security into applications or infrastructure if you do not build applications or infrastructure. The walls of the data center are no barrier if you have no data center and, thus, no walls. You can assure yourself that someone else's security professionals are taking care of things. But, in the end, your security is not someone else's problem; it is yours.

Enjoying this article? Learn more about, discuss and collaborate on information and cybersecurity in ISACA's Online Forums: https://engage.isaca.org/onlineforums

Endnotes

1 ISACA®, ISACA Certification, Certified Information Systems Auditor® (CISA®), Certified in Risk and Information Systems Control™ (CRISC™), Certified Information Security Manager® (CISM®), and Certified in the Governance of Enterprise IT® (CGEIT®), www.isaca.org/certification/Pages/default.aspx
2 Manpower Group, "Solving the Talent Shortage," USA, 2018, https://go.manpowergroup.com/hubfs/TalentShortage%202018%20(Global)%20Assets/PDFs/MG_TalentShortage2018_lo%206_25_18_FINAL.pdf
3 Hickey, A.; "Shortage in Cloud Talent as Cloud Job Seekers Lag Employer Demand," CIODive, 6 December 2018, https://www.ciodive.com/news/shortage-in-cloud-talent-as-cloud-job-seekers-lag-employer-demand/543674/
4 Samuels, M.; "Cloud Computing: Five Key Business Trends to Look Out For," ZDNet, 14 January 2019, https://www.zdnet.com/article/cloud-computing-five-key-business-trends-to-look-out-for/
5 Ashok, A.; "Four Trends in Cloud Computing CIOs Should Prepare for in 2019," Forbes, 5 July 2018, https://www.forbes.com/sites/forbestechcouncil/2018/07/05/four-trends-in-cloud-computing-cios-should-prepare-for-in-2019/#35656e394dc2
6 For in-depth research on this phenomenon, I recommend: Adams, D.; Life, the Universe and Everything, Del Rey, USA, 1982, chapter 3.
7 Op cit Ashok


IS AUDIT BASICS

Lessons From History

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt
Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA® committees and is a past member of ISACA's CGEIT® Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA® Review Manual for the 2016 job practices and was a subject matter expert for the development of ISACA's CISA® and CRISC™ Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email (Ian_J_Cooke@hotmail.com), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/), or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.

Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts. https://bit.ly/2Wbf3Nb

So, in case you have been living in a cave somewhere, ISACA® is 50—a significant historical milestone. History, we are taught, can often be better understood through artifacts, "An object made by a human being, typically one of cultural or historical interest."1 One of the most significant artifacts to have been created in ISACA's history is, undoubtedly, COBIT®. To me, it represents a large part of the collective knowledge of ISACA volunteers—knowledge that was acquired both before and after its first release in 1996.

Of course, history is important because we can learn from it. Certainly, that humans do not learn very much from the lessons of history is the most important of all the lessons that history has to teach.2 In the world of IT audit, we learn from history in the form of case studies such as data breaches. In fact, in December 2018, the US House of Representatives Committee on Oversight and Government Reform produced a report on the Equifax data breach.3 The report contains a section titled, "Specific Points of Failure," from which I believe learning can be found. Could COBIT have helped identify any of these issues?

Equifax IT Management Structure Lacked Accountability and Coordination

In 2005, as working relationships between senior executives became strained, Equifax reorganized its IT organization structure (figure 1) so that the chief security officer (CSO), who was responsible for IT security, reported to the chief legal officer (CLO) rather than the chief information officer (CIO). The company did not revert the IT organizational structure back to its original form (where the CSO reported to the CIO) following new appointees despite there being multiple discussions to do so.

Figure 1—Equifax IT Organizational Structure (2013 - September 2017)
Chief Executive Officer
  Chief Information Officer
    Senior Vice President
  Chief Legal Officer
    Chief Security Officer

The functional result of the CIO/CSO structure meant IT operational and security responsibilities were split, creating an accountability gap. At the time of the breach, the organizational structure did not facilitate a strong CIO and CSO partnership.4

Depending on the organizational reporting structure an organization adopts, the CSO and CIO roles can be conflicting or complementary. At Equifax, the IT and security organizations were siloed, meaning information rarely flowed from one group to the other. Collaboration between IT and security mostly occurred when required, such as when security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective.

One example of the lack of IT-security coordination was that multiple and incomplete software inventory lists were kept independently by each group. Both IT and security rely on accurate inventory lists to operate, patch and monitor the


organization's IT systems. In a more collaborative environment, these lists would be merged into a single master document with both teams working together to complete the inventory.5

In addition, the organization did not prioritize cybersecurity. Quarterly senior leadership team meetings were held where IT security was just one of the many topics discussed. Further, the CSO did not regularly attend these meetings because the CSO was not considered part of the senior leadership team. As a result of this, the chief executive officer (CEO) was not receiving timely information on Equifax's security posture. The information he did receive was presented by the chief legal officer (CLO), who did not have any background in IT or security.

Clearly this was not a tenable situation, but how could COBIT have helped? COBIT has defined the mandate, operating principles, span of control and authority level of the chief information security officer (CISO) (figure 2).6 COBIT does indicate that, depending on a variety of factors within the enterprise, the CISO may report to the CEO, chief operating officer (COO), CIO, chief risk officer (CRO) or other senior executive management;7 however, it also specifies the CISO as the liaison between executive management and the information security program.8 This, in my opinion, can be done through the CIO; ideally, however, the CISO should report to the CEO.9 In February 2018, Equifax announced a revised reporting structure elevating the (now renamed) CISO to directly report to the CEO.10

Equifax Had Serious Gaps Between IT Policy Development and Execution

At the time of the breach, Equifax's internal IT management process failed to establish clear lines of accountability for developing IT security policies and executing these policies.11

The disconnect between policy development and execution was especially pronounced with respect to the patch management policy. This policy defined roles and responsibilities, and established guidelines for the patching process. The policy designated two employees to lead implementation—a policy manager and a senior leadership team owner. The responsibility of the policy manager was to ensure that all of the work

Enjoying this article? Read COBIT® 2019: Introduction and Methodology (https://www.isaca.org/COBIT). Learn more about, discuss and collaborate on COBIT® and frameworks in ISACA's Online Forums: https://engage.isaca.org/onlineforums

Figure 2—CISO: Mandate, Operating Principles, Span of Control and Authority Level
Area Characteristic
Mandate The overall responsibility of the enterprise information security programme
Operating principles Depending on a variety of factors within the enterprise, the CISO may report to the CEO, COO, CIO,
CRO or other senior executive management.

The CISO is the liaison between executive management and the information security
programme. The CISO should also communicate and co-ordinate closely with key business
stakeholders to address information protection needs.

The CISO must:


• Have an accurate understanding of the business strategic vision
• Be an effective communicator
• Be adept at building effective relationships with business leaders
• Be able to translate business objectives into information security requirements
Span of control The CISO is responsible for:
• Establishing and maintaining an information security management system (ISMS)
• Defining and managing an information security risk treatment plan
• Monitoring and reviewing the ISMS
Authority level/decision rights The CISO is responsible for implementing and maintaining the information security strategy.

Accountability (and sign-off of important decisions) resides in the function to which the CISO
reports, for example, senior executive management team member or the ISSC.
Delegation rights The CISO should delegate tasks to information security managers and business people.
Escalation path The CISO should escalate key information risk-related issues to his/her direct supervisor and/
or the ISSC.
Source: ISACA®, COBIT® 5 for Information Security, USA, 2012. Reprinted with permission.



they needed to do was tracked, while the senior leadership team owner's role was to ensure that the organization conformed to the policy.

The patch management policy also identified the roles and responsibilities for various individuals within their portfolios. The business owner was informed of the need to patch and was responsible for approving downtime so the patch could be applied. The system owner was responsible for applying the patch, and the application owner was then responsible for ensuring the patch was applied correctly. While roles and responsibilities were defined in the policy, there were no official designees for these roles. Again, this was not an acceptable situation.

COBIT® 2019 process Deliver, Service and Support (DSS) includes the management practice DSS05.01 Protect against malicious software, which requires an organization to implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., ransomware, malware, viruses, worms, spyware, spam).12

In addition, COBIT 2019 defines who is responsible and accountable (figure 3) for each of its key management practices. Clearly, the message here is that these roles should be mapped to named individuals in each of our enterprises.

Also noteworthy was the fact that internal audit had reported issues with the patching process. These included the failure to patch or remediate vulnerabilities in a timely manner. The lesson here is clearly to follow up on audit recommendations through to their implementation.13

Equifax Ran Business-Critical Systems on Legacy IT With Documented Security Risks

Equifax faced increased security risk due, in part, to its complex legacy IT environment. Legacy technology is both a security issue and a hindrance to innovation, and legacy systems are tough to secure because they are often extremely difficult to patch, monitor or upgrade. Equifax ran a number of its business-critical systems on legacy infrastructure, including the system compromised by attackers during the 2017 data breach.14

The use of legacy technologies and applications resulted in a dwindling number of employees with knowledge of how to operate and maintain the aging system. For example, Equifax did not have a comprehensive picture of the software used within the application. This was a key issue, as the patch management policy relied on its employees knowing the source and version of all software running on a certain application in order to manually initiate the patching process.

Equifax recognized the risk posed by continued operation of its legacy IT systems, had documented some security risk factors and even planned an upgrade; however, it failed to move quickly enough, resulting in the breach of the system.

Again, COBIT has documented these risk scenarios. Build, Acquire and Implement (BAI) BAI03.10

Figure 3—COBIT DSS05.01—Protect Against Malware, Organizational Structures

Component: Organizational Structures
Roles (columns, in order): Chief Information Security Officer; Information Security Manager; Business Process Owners; Chief Information Officer; Head Human Resources; Head IT Operations; Head Development; Privacy Officer
Key Management Practice DSS05.01 Protect against malicious software: A R R R R R (as printed; A = accountable, R = responsible)
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018. Reprinted with permission.



Maintain solutions requires an enterprise to develop and execute a plan for the maintenance of solution and infrastructure components, with periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, vulnerabilities assessment and security requirements (figure 4).

Conclusion

It has not been my intention to single out Equifax and point fingers. Certainly, let he or she who is without security vulnerabilities cast the first aspersion. However, in this historical year for ISACA, I do believe that it is important that we learn from what is an excellent report from the US House of Representatives. ISACA's artifacts, especially COBIT, can aid us in doing so and ensure that, in turn, history is kind to us. "Those who cannot remember the past are condemned to repeat it."15

Endnotes

1 Oxford Dictionary, "Artifact," https://en.oxforddictionaries.com/definition/artefact
2 Huxley, A.; Collected Essays, Harper and Brothers, USA, 1958
3 US House of Representatives Committee on Oversight and Government Reform, The Equifax Data Breach, Majority Staff Report, 115th Congress, December 2018, https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
4 Ibid., p. 58
5 Ibid., p. 61
6 ISACA®, COBIT® 5, USA, 2012, www.isaca.org/COBIT
7 Ibid.
8 Ibid.
9 Putrus, R.; "The Role of the CISO and the Digital Security Landscape," ISACA® Journal, vol. 2, 2019, https://www.isaca.org/Journal/archives
10 Op cit The Equifax Data Breach, p. 60
11 Ibid., p. 61
12 ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018, www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Governance-and-Management-Objectives.aspx
13 Cooke, I.; "Enhancing the Audit Follow-up Process Using COBIT 5," ISACA Journal, vol. 6, 2016, https://www.isaca.org/archives
14 Op cit The Equifax Data Breach, p. 71
15 Santayana, G.; The Life of Reason: Reason in Common Sense, Scribner's, USA, 1905, https://www.iep.utm.edu/santayan/

Figure 4—COBIT BAI03.10—Maintain Solutions

Management practice: BAI03.10 Maintain solutions. Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

Example metrics:
a. Number of demands for maintenance that are not satisfied
b. Duration of demands for maintenance that are satisfied and that go unsatisfied

Activities (capability level in parentheses):
1. Develop and execute a plan for the maintenance of solution components. Include periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, privacy, vulnerabilities assessment and security requirements. (2)
2. Assess the significance of a proposed maintenance activity on current solution design, functionality and/or business processes. Consider risk, user impact and resource availability. Ensure that business process owners understand the effect of designating changes as maintenance. (3)
3. In the event of major changes to existing solutions that result in significant change in current designs and/or functionality and/or business processes, follow the development process used for new systems. For maintenance updates, use the change management process.
4. Ensure that the pattern and volume of maintenance activities are analyzed periodically for abnormal trends that indicate underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance. (4)

Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018. Reprinted with permission.
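The legacy-IT section above describes two failures that a single reconciled inventory would have exposed: IT and security each keeping a separate, incomplete software list, and a patch process that depended on staff knowing the source and version of every component before patching could even start, with policy roles that had no named designees. The following script is an added example, not code from the article or from Equifax, showing how a merged master inventory can be checked mechanically for those three things. The hosts, component names, version numbers, the required minimum versions and the designee table are all constructed for illustration.

```python
"""Reconcile two independently kept software inventories into one master
list, then check that list against a patch baseline and a role-designee
table.  Added example: every host, component, version and name below is
constructed for illustration."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    version: str
    source: str  # which team's list the entry came from


# Constructed sample lists. Neither is complete on its own: IT has no row
# for the legacy host and security has no row for the database server.
IT_INVENTORY = [
    Component("web-01", "example-framework", "2.3.1", "it"),
    Component("web-02", "example-framework", "2.3.1", "it"),
    Component("db-01", "example-db", "11.2", "it"),
]
SECURITY_INVENTORY = [
    Component("web-01", "example-framework", "2.3.1", "security"),
    Component("web-02", "example-framework", "2.3.0", "security"),
    Component("legacy-01", "example-framework", "2.1.7", "security"),
]

# Constructed patch baseline: the lowest version the policy accepts.
REQUIRED_MIN = {"example-framework": "2.3.1", "example-db": "11.2"}

# Roles the patch management policy defines, and a constructed designee
# table in which the legacy host has nobody named for two of them.
PATCH_ROLES = ("business owner", "system owner", "application owner")
DESIGNEES = {
    "web-01": {"business owner": "A. Lee", "system owner": "B. Khan",
               "application owner": "C. Diaz"},
    "web-02": {"business owner": "A. Lee", "system owner": "B. Khan",
               "application owner": "C. Diaz"},
    "db-01": {"business owner": "D. Roy", "system owner": "E. Sato",
              "application owner": "D. Roy"},
    "legacy-01": {"business owner": "D. Roy"},
}


def version_key(version):
    """Split '2.3.1' into (2, 3, 1) so purely numeric versions compare
    numerically rather than as strings ('11.2' must sort above '2.3.1')."""
    return tuple(int(part) for part in re.split(r"[.\-]", version))


def merge(*inventories):
    """Build a master list keyed by (host, component) and report every
    entry that is missing from one list or carries conflicting versions."""
    sources = sorted({c.source for inv in inventories for c in inv})
    versions, seen_by = {}, {}
    for inv in inventories:
        for c in inv:
            key = (c.host, c.name)
            versions.setdefault(key, set()).add(c.version)
            seen_by.setdefault(key, set()).add(c.source)
    discrepancies = []
    for key in sorted(versions):
        missing = [s for s in sources if s not in seen_by[key]]
        if missing:
            discrepancies.append((key, "missing from " + ",".join(missing)))
        if len(versions[key]) > 1:
            discrepancies.append(
                (key, "version conflict " + "/".join(sorted(versions[key]))))
    return versions, discrepancies


def behind_baseline(master, required):
    """Components below the required version. When the two lists disagree,
    the lower version is assumed until someone verifies the host."""
    behind = []
    for (host, name), versions in master.items():
        if name not in required:
            continue
        lowest = min(versions, key=version_key)
        if version_key(lowest) < version_key(required[name]):
            behind.append((host, name, lowest, required[name]))
    return sorted(behind)


def unassigned_roles(master, designees):
    """Policy roles with no named person for a host in the master list."""
    hosts = sorted({host for host, _ in master})
    return [(h, role) for h in hosts for role in PATCH_ROLES
            if not designees.get(h, {}).get(role)]


if __name__ == "__main__":
    master, discrepancies = merge(IT_INVENTORY, SECURITY_INVENTORY)
    for key, problem in discrepancies:
        print("inventory:", key, problem)
    for row in behind_baseline(master, REQUIRED_MIN):
        print("patch:", row)
    for row in unassigned_roles(master, DESIGNEES):
        print("designee:", row)
```

On the sample data the merge reports the database server as missing from security's list, the legacy host as missing from IT's list and a version conflict on web-02; the baseline check then flags the legacy host and web-02, and the designee check flags the legacy host's missing system owner and application owner, which is exactly the gap between a policy that names roles and an organization that names nobody to them. Taking the lower of two conflicting versions is the conservative reading when the alternative is an unpatched internet-facing system.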



INNOVATION GOVERNANCE

The Balance of Speed and Protection in Innovation

K. Brian Kelley, CISA, CSPO, MCSE, Security+
Is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server and Windows Server. He has served in a myriad of other positions including senior database administrator, data warehouse architect, web developer, incident response team lead and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.

Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts. https://bit.ly/2-wptopU

Organizations embrace innovation in order to outcompete others in their space. The mission in audit is to protect the business. This is done by ensuring controls are in place to minimize the impact of negligence, waste and malicious activity. When processes begin to accelerate, as they should with innovation, it is easy for people to focus on getting the pressing needs accomplished. This may mean that they do not think about the types of controls that are in place.

Also, organizations embracing innovation efforts will try to bring together experts across knowledge areas. This collaboration often allows individuals to understand challenges and opportunities in ways they would not on their own. This can lead to that competitive edge. However, it also means there will be people who may not be familiar with important controls in a specific area because they may not be controls with which all stakeholders are used to dealing. This is to be expected with innovation.

Auditors have to balance ensuring proper controls and maintaining an effort's momentum. These types of trade-offs are common in audit and security. One good example is the confidentiality, integrity and availability (CIA) triad, where confidentiality and integrity are often at odds with availability.1 Innovation is no different.

Emerging Technologies and the Accelerated Cycle

Part of what poses such a great challenge is that a large part of innovation is looking at emerging technologies. These differ in key ways from traditional IT systems, and controls and processes have to change accordingly. Emerging technologies are a great enough concern, even outside of innovation, that ISACA® has a dedicated community forum for the topic on its Engage Online Forums portal.2 It is worthwhile to look at two specific areas that are causing this type of disruption: virtualization and the cloud. There is quite a bit that is not covered herein. For instance, auditors are discussing blockchain and the impact of the EU General Data Protection Regulation (GDPR). There is also potential risk in implementing the Internet of Things (IoT) that normally would not be considered.3 Whatever the emerging technology, the foundational questions need to be asked for each.

Virtualization

When organizations had physical servers and components, they could maintain "physical" security in a real sense. One had to get access to the data center and then to the specific rack where the asset was located. Stakeholders had to be able to touch the hardware. With virtualization, this is no longer the case. Physical hosts are still used, but, depending on if it is an on-premises solution or a cloud solution, the actual hardware may or may not be in close proximity. However, one can be certain that even if one cannot reach the real box, one can touch the virtual machines that are on it.

Why does this matter for innovation? In an innovation effort, teams are likely trying to do rapid prototyping. They are looking to accelerate builds. Virtualized hardware allows them to quickly stand up and tear down computing environments. Those computing environments have just as much risk as


normal, non-innovation effort-led environments. If organizations are using production data sets, then they must apply the same rules of protection. And they must do so at the accelerated build-and-destroy pace that innovation is likely to foster.

Cloud
Just about every major chief information officer (CIO) publication touts the cloud as where innovative organizations should be. As a result, there is a huge push to explore cloud technologies. This is reasonable. If someone else foots the bill for maintaining the physical environment for computing resources, and that someone can gain economy of scale for having a large number of customers, it should be cheaper. Also, most cloud providers have a pay-as-you-go model, meaning users only pay for the resources they actually use. Therefore, enterprises are not overbuying hardware to ensure that their systems will perform well, even under unexpectedly heavy loads.

However, the cloud model changes controls in fundamental ways. It goes beyond the fact that organizational processes and data are running on “someone else’s computer.” How to get audit information back, what kind of assets can be brought to bear, how to correlate between on-premises and cloud information in the event of an attack are all new challenges.

Then there is the financial side of things, which does impact IS audit. After all, part of what makes the cloud so attractive is the ability to spin up new resources on demand. The traditional model says one has to wait for a hardware vendor to have the physical device ready. With the cloud, a request is made through a portal or a programming interface and, within minutes, the needed resource is available. That also means the cloud provider begins billing on that resource. Just as the efficiency on projects is tracked, this should now be looked at in cloud provisioning, especially given that innovation efforts will most likely take advantage of the ease and speed of cloud deployments.

High-Speed Risk Analysis
Because innovation efforts are moving more quickly, everything has to speed up, including risk analysis. When risk analysis is sped up, the likelihood of making mistakes or missing something increases as well. However, organizations should already have the capability to make these kinds of decisions quickly. For instance, incident response has to do this type of consideration during an actual security incident. The reality is that one can move quickly when one needs to do so. With innovation, that need is real.

If risk analysis lags behind, it will either get skipped altogether or the findings will be looked at and someone will likely say, “We will get to this when we can.” Too often, “when we can” is a euphemism for never or until an external auditor or regulator forces the issue. Therefore, analysis must be streamlined and the results must be put in a communicable format when they are most usable to the people doing the work.

Concise Communications
Conciseness is also critical. If things are moving at a higher rate of speed, there is less time available to digest documents. Typical audit findings and risk analyses have much in the way of explanations, methodology, and the like because it is important to show how the findings have been proven. However, with an innovation effort, too much of this additional documentation impairs the effort. Here is where one can take a cue from Agile, which states as one of its four values, “working software over comprehensive documentation.”4 Here one would say, “solid understanding of risk over lengthy analysis documents.”

Prototyping Controls
Everything talked about so far leads to this: ensuring that proper controls are baked into whatever product, offering or process an innovation effort is developing. Most of the team is going to be focused on what the business wants to accomplish. Here is where an auditor has to manage the team to ensure that, as the team does work, the controls get included. They need to be included as the team builds prototypes or attempts quick builds or tests. Managing the team requires an auditor to do the following:

• Provide documentation on the controls in a timely manner
• Be available to discuss the “how” and “why” of each control
• Have testing, preferably automated testing, ready to go as controls are built into the product or offering
• Give specific feedback to fix an issue if a control is not being properly met

If one fails to do any of these things, one may hear the same thing as if risk analysis is too slow, “We will get to it when we can.” The same rules tend to apply. The earlier one is able to communicate the controls and show the need, the more likely it is that they will get implemented properly.

Remembering the Bottom Line
The bottom line is that an organization wants its innovation efforts to better identify real needs and products of its market space or for those efforts to forecast new needs and opportunities. Activity that slows down the achievement of these goals could result in the organization losing its momentum and not achieving its goals ahead of its competitors. Auditors must be mindful of this as they ensure that the organization is protected. That means considering the implications of new technologies and processes, being able to identify and communicate risk quickly to a wider audience than they are used to, and being active participants in ensuring that controls get implemented as testing and experimentation happens. This is how speed is balanced with protection.

Endnotes
1 Infosec, CIA Triad, https://resources.infosecinstitute.com/cia-triad/
2 ISACA®, Engage Online Forums, https://engage.isaca.org/communities/onlineforums
3 Larson, S.; “A Smart Fish Tank Left a Casino Vulnerable to Hackers,” CNN.com, 19 July 2017, https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html
4 Beedle, M. et al.; “Manifesto for Agile Software Development,” Agile Manifesto, 2001, https://agilemanifesto.org/

THE NETWORK

Honoring Our Past. Innovating Our Future.

Brennan P. Baybeck, CISA, CRISC, CISM, CISSP
Is chair of ISACA’s Board of Directors and vice president of Security Risk Management for Global Customer Support Services at Oracle Corporation. In his role, Baybeck leads a global team that addresses IT security risk management for one of the largest lines of business at Oracle. He is also responsible for leading security, privacy and availability for customer-facing services, as well as Global IT’s key enterprise IT services, including cloud initiatives. He has more than 25 years of experience in IT security, governance, risk, audit and consulting, and has worked in various industries designing, implementing and operating enterprisewide programs to address global security risk. He has held leadership positions at Sun Microsystems, StorageTek and Qwest Communications, and served as an information security risk consulting director for several years. Baybeck also has been actively involved with ISACA® for more than 25 years, serving many years as a chapter board leader and more than eight years working at the international level as chair for various working groups and as a Board director.

Q: As ISACA’s incoming chair of the Board of Directors, how do you see ISACA® growing and adapting to the constantly changing marketplace and needs of its constituents over the next year?

A: We have a number of areas on which to focus, including preparing ISACA constituents for the future and Industry 4.0. Engaging more enterprises and helping them understand the value that ISACA brings to the industry, their businesses and their employees, which will, in turn, help our members, is also a priority.

I believe ISACA has an important role to play in helping enterprises address big challenges such as IT governance, data governance and cybersecurity, which are more important than ever, as organizations drive digital transformation focused on adding value as quickly as possible to business using technology. We must also embrace the future of learning and knowledge platforms.

ISACA is in a unique position to really make people aware of the diversity challenges we have in the IT field. We have an opportunity to not only bring knowledge and understanding to this important challenge but also to be at the forefront of addressing this issue while helping solve the real business challenge of capability and skill set gaps in our industry.

There also needs to be a focus on making ISACA more relevant and valuable than ever to the constituents that we serve—members, chapters, enterprises, partners, government and industry.

Q: What in your past experience has best prepared you for this position on the ISACA® Board?

A: My executive experience at global technology, services and consulting companies has provided me with the opportunity to interface with various industry leaders, board members, executive teams and, most importantly, thousands of customers across the world, giving me great perspective and insight on how businesses strategize, innovate and operate on a daily basis. These experiences have allowed me to observe customer successes and how they achieved those successes, as well as their challenges and how they have overcome them (or not, which creates opportunities for ISACA).

I have worked in roles directly related to the areas that we serve for almost my entire career—cyber and information security, IT audit, risk management, and governance—so I have a very solid grasp of what provides value to our existing and future membership and the challenges that they face every day.

Q: What do you see as the biggest risk factors being addressed by IT security professionals? How can organizations protect themselves?

A: The speed at which our business customers are operating because they must. The IT organizations that we partner with are working with business partners who are driving significant and critical digital transformation activities to compete and, in some cases, to survive. When businesses are aggressively looking to dominate or struggling to survive, they are willing to accept risk that they may not have in the past. These decisions are creating new and significant security and IT risk challenges and, many times, these decisions are not informed, risk-based decisions.

Many of us may have traditionally focused on operational roles, which are important, but a real need of boards and executives is in the area of governance. In my experience, a properly informed board of directors or teams of

senior executives always make the right decision for the business.

Q: You have extensive experience in executive leadership. How do you see the role of executives changing to meet the challenges of information security?

A: My experience has shown that executives are more informed about information security than ever, including at the board level. However, even though this is positive progress, we still have a long way to go. I am starting to see that security is no longer the number-one priority, mainly due to the various business transformation activities with which security is competing. When you think about it, it makes sense. If the business does not transform, it will no longer exist and its security will not matter. However, information security risk factors continue to grow due to those digital transformation activities. That being said, the biggest challenge for boards and executive leadership will be determining what is the proper balance of security risk vs. business risk. Yes, this is a challenge that has been around for a long time, but I think it is becoming more critical as security risk factors compete against business risk. Executives need to always make sure the pendulum does not swing too far one way or the other.

Q: What do you think are the most effective ways to address the cybersecurity skills gap?

A: Organizations need to think out of the box. Many are still hiring using legacy models focused on very specific skill sets and capabilities. The truth is that there are not enough of those “traditional” people to go around, so the more successful organizations are looking at other skill sets, capabilities and, more important, other demographic groups to fulfill their cybersecurity needs. Organizations need to strongly consider leveraging partners. Savvy organizations are coming up with creative ways to integrate technology and services partners into their cybersecurity strategies and better utilize capabilities in those technologies to do more with less.

Automation, automation, automation. This will be a critical component of addressing the cybersecurity skills gap. Emerging technologies are already transforming the way we handle security risk and operations management today. These technologies will be a critical component in automating mundane but necessary security tasks and freeing up our most valuable security resources to do the most critical work.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: A lesson that I learned a long time ago was assuming that my managers knew what my professional goals and objectives were and they were magically going to make those happen for me. It was a tough lesson to learn, as it caused me to miss a great opportunity for a promotion, but I learned it early in my career. What I learned is that those managers wanted to help me, but they did not know what I wanted or that I needed their help. You have to be in charge of your own destiny when it comes to your career. There are a lot of people out there who will help you and more resources than you could ever effectively use in a lifetime, but it is up to you to take the time to plan your career by creating professional and personal objectives; identifying the people, experiences and resources that can help meet those objectives; and then proactively executing on that plan.

1 What is the biggest security challenge being faced in 2019? How should it be addressed?
Data governance and protection. It has always been around, but some recent high-profile cases are bringing it to the forefront. Addressing it requires a top-down, executive-sponsored approach vs. trying to solve it simply with technology or from the tactical level.

2 What are your three goals for 2019?
• Capitalize and execute on strategic decisions and investments to expand ISACA’s presence into the enterprise, emerging markets and government/public affairs
• Support and drive diversity initiatives
• Help ISACA’s new chief executive officer (CEO) and his executive team be successful while strategically preparing ISACA for the future

3 What industry-related sources do you read on a regular basis?
• ISACA’s knowledge resources
• InformationWeek Dark Reading

4 What is your favorite benefit of your ISACA membership?
The leadership, professional and personal development opportunities that ISACA provides to its members

5 What is your number-one piece of advice for IT security professionals?
Always be curious, ask a lot of questions and, most important, be a life-long learner. The security field is constantly changing, so being a lifelong learner drives new ways of thinking, fresh perspectives, creativity, innovation, a solid grounding, and, of course, helps keep your mind young.

6 What do you do when you are not at work?
I am an avid outdoorsman and love to do anything outdoors. I love to share my passion for the outdoors with my wife and my two awesome kids. My favorite activities are fly-fishing and bird hunting, both of which involve being outdoors in some of the most rugged, beautiful and peaceful places in the world.

FEATURE

The Pain of Automation

Internal Audit Functions Face Real-World Challenges Amid Optimistic Environment

Also available in French: www.isaca.org/currentissue

Wade Cassels, CISA, CFE, CIA
Is a senior IT auditor at Nielsen. He supports Nielsen’s IT general controls external audit engagement and the audit reporting and communications functions for Nielsen Internal Audit.

Jane Traub, CCSA, CIA
Is an internal audit director at Nielsen. She leads internal audit automation initiatives, manages audit engagements for the Global Media team and supports compliance with the code of conduct.

Kevin Alvero, CISA, CFE
Is a senior vice president of internal audit, compliance and governance at Nielsen. He leads Nielsen’s internal quality audit program and its industry standards compliance initiatives, spanning the company’s Global Media products and services.

Jessica Fernandez, CISA
Is an internal audit vice president at Nielsen. She leads all internal and external audit engagements around Nielsen’s Digital and Advanced TV products and services.

Internal audit leaders are looking at automation technologies for many of the same reasons as business management. Automated processes can run in the background, allowing auditors to look at more things in less time than they could manually. Also, deviations from expected or acceptable results can be brought to auditors’ attention more quickly (in near-real time) than with periodic manual review. Advantages such as continuous monitoring, automation of repetitive processes and the ability to audit large populations (as opposed to sampling) offer internal audit departments the opportunity to expand their view, do more with limited resources and, most important, provide greater value to the enterprise.

In light of these possibilities, optimism around automation in internal audit is understandably high. In a recent survey, nearly half of US risk and compliance professionals, internal auditors, executives and board members surveyed said their organization planned to modernize its compliance function in the year ahead.1 However, according to another study, just 14 percent of internal audit functions could be considered advanced in their technology adoption (including the use of robotic process automation [RPA] to expand the expediency and coverage of their audits), while 83 percent are either adopting advanced technologies at a slower pace or not at all.2

These findings suggest that, in spite of the promised benefits of automation, internal audit departments are encountering hurdles on the path toward realizing those benefits. Three of the key hurdles that almost any internal audit function will come up against are choosing the right processes to automate, getting the solution (i.e., software) developed and navigating the complex ways in which automated internal audit processes interact with other areas of the business.

Process Identification and Selection
One of the fundamental challenges internal audit departments face in implementing RPA is choosing the process, or processes, to be automated. It is not always obvious what the department should focus on or prioritize.

For example, applying a risk-based approach might point toward investing resources in developing RPA based on the areas of greatest risk to the organization. If the internal auditors are looking at an area of critical risk, so the thinking goes, then they want to maximize the effectiveness of the audit processes they are using to perform that role.

On the other hand, some audit functions would rather focus their automation efforts on those audit processes that have the greatest potential for efficiency within the internal audit function. In this line of thinking, if automation efforts focus on automating the least valuable and/or least efficient processes to free up auditor capacity, it allows the department to do more across the board with finite resources.

Further complicating the choices is the fact that the internal audit department may not be solely responsible for making the selection. If the department is participating in a larger, organization-scale automation initiative, people outside the department may have a say in what processes are chosen for automation.

Even if the organization has a well-conceived system in place to select processes for automation, a good set of performance measures is also needed to inform that system and accurately assess which processes will have the greatest return on investment (ROI). Many organizations do not have sufficient performance data, and that can lead to the risk of automating the wrong things.3 Most likely, though, the decision is going to come down to money saved. This is important for internal audit departments seeking funding and support for automation efforts. The better they can make the ROI case and quantify the benefits of automation in terms of cost savings, the easier it will be to justify their selection of processes to automate.

In addition to ROI potential, the process in question must have reliable, quality input. The quality and reliability of the data input into an automated process is the single greatest determinant of whether users will be able to trust its output.4

Many internal audit functions will look at the processes they currently perform and choose automation for those that RPA can help them do better. However, this is not necessarily the best approach. Audit functions can fall into the trap of simply retrofitting old procedures with new technology to make them incrementally better.5 Ideally, audit functions should look at how RPA can help them adopt new capabilities to deliver value to the organization that they could not previously.

Whether looking at new or existing processes, internal audit departments that are trying to build momentum on the path toward automation should look for a process that:

• Has a clearly definable ROI
• Relates to an area of key business risk to the organization
• Has reliable, quality inputs
• Is labor intensive, subject to human error and generally inefficient

These are the areas internal audit should target first, and formalized RPA projects should focus on a limited number of high-impact targets to preserve momentum.6

Solution Development
Even though a process may be an ideal candidate for RPA in theory, actually developing the technology to automate it can present numerous

Speaking the Same Language


When it comes to artificial intelligence (AI) and robotic process automation (RPA), one of the key hurdles
for internal audit departments to overcome is simply making sure everyone is aligned in terms of what it
is they are talking about. AI, in simple terms, involves a program that takes data patterns and learns from
them to make informed decisions based on learned rules. An example would be suggestions for items to
buy from a website that is used regularly for purchases by a consumer. People may be prompted by a
message such as “You might also like…” This concept extends to the business world, where established
patterns of business processes can apply AI to predict future behavior and note exceptions to anticipated
behavior of systems or people. RPA, by contrast, is often used where a process does not need decision-
making to execute. It uses software programs, often called “bots,” that mimic a human’s behavior such as
sequential steps in data collection; report issuance; or any repetitive, systematic, rule-based process.

challenges and choices. Presuming the internal audit staff typically does not retain the expertise to write bots and develop software, these services will have to come from within the organization’s IT/engineering staff or from an external vendor. Each presents its own challenges.

For example, when leveraging engineering resources from within their own organization, internal audit departments may find themselves at the mercy of the enterprise’s larger technology development pipeline. The way this pipeline is prioritized can have a big impact on the progress of internal audit’s automation initiatives, particularly if the engineering resources are subject to top-down pressure to push lower profile (or non-client-facing) projects down the list.

Conversely, when the internal audit department utilizes a vendor to create automation solutions, all of the aspects of third-party risk management, including service level agreement (SLA) and security/confidentiality, come into play. In particular, ongoing updates and maintenance will be tied to the vendor solution going forward, and it may not be feasible to bring these in-house once a customized automation process is established by the vendor; so the internal audit department should understand the ongoing requirements just as well as the upfront ones. Plus, the internal audit department must ensure that needs are accurately defined and scope is carefully managed to avoid implementing a more powerful and, thereby costly, solution than is absolutely necessary. Weighing and balancing these trade-offs is important to do prior to committing to a course of action for automation.

RPA experts insist that robots do not make mistakes and, if they are programmed correctly, RPA technologies have great potential to save auditors’ time through the automation of routine, repetitive, rule-based actions. However, if they are programmed incorrectly or incompletely or are altered, errors can be introduced during the automated process. These process automation errors can perpetuate larger, systematic errors to a greater degree than similar manual processes. Therefore, whether the solution is being developed in-house or by a vendor, correct documentation of each step and rule in the processes to be automated and verification of bot functionality must be performed before implementation of RPA, and it is important to understand the demands this will place on internal audit resources before the solution development process begins.

Throughout the solution development process, internal audit automation leaders should also remain aware of their alternatives. A fully customized, fully automated solution may, in fact, not be the ideal solution for every automation project. For example, if 80 percent of the process in question can be automated fairly easily, but the remaining 20 percent would come at a high relative cost, then automating the 80 percent may be the ideal solution for the department’s needs.7 Indeed, full automation can be undesirable based on the application. Processes that involve decisions that humans need to make are not suited to total

automation.8 RPA is not the only mode of automation, either. Replacing legacy systems or building powerful application programming interfaces (APIs) into legacy systems may allow organizations to automate processes with less effort than building RPA solutions, and those leading automation efforts should avoid fixating on RPA alone for automation.

Finally, the solution development process should not be cordoned off from the internal audit staff and restricted to the technology experts who are writing software. It is critical that internal audit departments integrate the intended users of the solution into the development process and train them because, for one thing, a person has to be able to evaluate when an automated output is wrong.9 The audit functions most advanced in their use of technology are developing their people and processes at the same time.10 Not only should people be trained on how to utilize an RPA solution, it is also critical that they understand the benefits from a strategic perspective. If these are not explained properly, the concept can generate anxiety (e.g., Will these software robots be taking away our jobs?). These concerns can contribute to inertia for launching RPA projects. In any automation effort, the benefits of less time spent on tedious, repetitive tasks and freeing up staff time to focus on more value-added activities should be communicated early and often to all stakeholders.

Garbage In, Garbage Out
While internal audit departments generally do not have the expertise to develop technology solutions in-house, they still play a critical role in the ultimate success of an automation solution based on how well they educate the software developers about their needs and objectives throughout the project, not just at the beginning. The usefulness of a technology solution will directly correlate to the ability of the business process owners and subject matter experts to explain, step-by-step, how a process is conducted, from end to end. If the internal audit department does not take care to articulate its needs thoroughly and accurately, then the resulting technology solution will not succeed. Screenshots and/or screen video recordings of staff performing the actions can be helpful in this process. Templates and completed examples are also useful ways to smooth the discovery and evaluation phases of potential automation projects. Before coding, technical review by those responsible for writing the actual programming code is also a necessary input. Having dedicated outreach staff for organizationwide automation initiatives is also helpful for disseminating information about what RPA can and cannot do for enterprise teams.

Process Interactions
Evaluating a process for automation on its own merits can be complex enough, but it is often compounded by interaction with other areas. Robots (in the RPA context) are entirely technology agnostic and can be used with any application, so they can work across functions and across applications.11

However, a process’s interactions may not be purely technological. For example, considerations must be made for legal and regulatory compliance. At one internal audit shop, the team was motivated to work toward automating a process that consisted of collecting field audit data manually on paper forms. As they set about developing an electronic form that could be completed on a tablet device and then uploaded to a cloud storage drive where the structured data could be used for enhanced analysis, they encountered a roadblock when they discovered that their plan conflicted with the organization’s policy prohibiting the transmission of personally identifiable information (PII) on the cloud

ISACA JOURNAL VOL 4 17


storage drive, and alternative approaches had to be considered.

Another aspect of process interaction is that if internal audit departments are seeking to automate processes related to specific areas of the enterprise’s business, then they must consider the risk of those solutions becoming obsolete if the business changes. When the business changes, the people on the internal audit staff can be assigned to go audit something else, but repurposing a technology solution designed to perform one task and having it perform another may not be as straightforward. This means that internal audit functions should have alignment with business management regarding strategy before pursuing automation initiatives that are tied to the internal audit of a particular area of business.

Conclusion

The potential benefits of automation to internal audit are real and well documented. Just as real, but perhaps less well documented, are the hurdles internal audit departments are facing on their way to realizing the benefits of automation.

Success begins with choosing the right process to automate and continues with the meticulous documentation and mapping of the current process and defining the requirements of the automation technology to ensure that it works and meets the needs of the users. Beyond basic user testing, users should be integrated into the solution development process so they not only understand how to use the tool, but also its strategic benefits and the potential impact of malfunction. Finally, the broader interactions of the process to be automated should be considered to avoid surprises down the road.

With careful planning and evaluation, automation solutions using tools such as RPA have the potential to streamline audit and business processes and make monitoring of controls more efficient. Decisions about what processes to automate should carefully consider benefits, risk and trade-offs. While many processes can be automated, there must be a disciplined prioritization process to choose which should be automated to make these efforts worthwhile.

Endnotes

1 Salierno, D.; “Tech Adoption Falls Short,” Internal Auditor, vol. 75, iss. 5, October 2018, p. 11-12
2 PricewaterhouseCoopers, “2018 State of the Internal Audit Profession Study,” https://www.pwc.com/sg/en/publications/state-of-internal-audit-profession-study-2018.html
3 Ramamurthy, R.; “RPA—Five Biggest Hurdles and How to Overcome Them,” LinkedIn.com, 17 April 2017, https://www.linkedin.com/pulse/rpa-five-biggest-hurdles-how-overcome-them-ravi-ramamurthy/
4 McCollum, T.; “Audit in an Age of Intelligent Machines,” Internal Auditor, December 2017
5 PricewaterhouseCoopers, “Revolution Not Evolution: Breaking Through Internal Audit Analytics’ Arrested Development,” January 2018, https://www.pwc.com/us/en/services/risk-assurance/library/internalauditanalyticsrevolution.html
6 Applied AI Blog, “14 RPA Pitfalls and the Checklist for Avoiding Them [2019 Update],” 31 December 2018, https://blog.appliedai.com/rpa-pitfalls/
7 Ibid.
8 Shacklett, M.; “Business Process Automation: Where It Works, and Where It Doesn’t,” ZDnet.com, 3 August 2015, https://www.zdnet.com/article/business-process-automation-where-it-works-and-where-it-doesnt/
9 Op cit McCollum
10 Campbell, J.; “Intelligent Automation/RPA and Use for Internal Controls,” IIA Florida West Coast Chapter and West Florida ISACA Chapter Fraud and Security Seminar, 6 December 2018
11 Ibid.



FEATURE

Acknowledging Humanity in the Governance of Emerging Technology and Digital Transformation

Also available in French: www.isaca.org/currentissue

Guy Pearce, CGEIT
Has served on various enterprise boards and as chief executive officer of a multinational retail credit operation. This experience provides him with rich insights into the real-world expectations of governance, risk, IT and data. Capitalizing on two decades of corporate digital transformation experience, he instructs a digital transformation course at the University of Toronto (Ontario, Canada) School of Continuing Studies, targeting boards and the C-suite, based on a gap he identified while researching a recent article published in the ISACA® Journal. He serves as an independent consultant in enterprise digital transformation and is the recipient of the 2019 ISACA Michael Cangemi Best Book/Author Award.

Artificial intelligence (AI) and robotics have captured the imagination of humans. A quick search for AI and robotics in pop culture finds that it stretches back to Mary Shelley’s book, Frankenstein, first published 201 years ago, and extends to cult classics in television and film such as 2001: A Space Odyssey, Star Trek, Wargames, Hitchhiker’s Guide to the Galaxy, Tron, The Matrix, Ex Machina and more.

Depending on how one defines AI, it has certainly had its ups and downs since 1956.1 Approximately 30 years ago, AI activity was at a peak, with a strong interest in languages such as Prolog. Interest in AI waned soon thereafter, only to come back stronger in the 21st century. Prolog is still regarded as one of the best languages for AI programming.2

AI is, however, but one class of emerging technologies that are being touted as instrumental for digital transformation. However, many emerging technologies are not IT-related (e.g., lab-grown meat), and only a handful are expected to be effective at enabling organizations to outperform their peers. In this respect, the analysis of more than 250 emerging technologies identified the eight technologies most likely to change the way organizations do business: AI, augmented reality, blockchain, drones, Internet of Things (IoT), robotics, virtual reality and 3D printing (figure 1).3

Amid this excitement, the question for IT governance practitioners is whether they are well enough prepared to appropriately govern emerging technologies and their contributions to digital transformation. The short answer? Perhaps not.

The Risk Domain of IT Governance

The risk factors involved in the deployment of any information technology are numerous. Concerns include navigating the complexity of the integration between the new technology and the legacy systems, omnipresent data challenges, questions about the nature of the security of the new system relative to the existing information security paradigm, and the existence of operational gaps requiring the integration and development of new supporting IT and business processes.

There is also the variety of vendor risk, especially if the vendor has a desirable technology, but either or both the technology and the vendor are relatively



Figure 1—The Eight Emerging Technologies Most Likely to Change the Way Organizations Do Business Constitute but a Fraction of the Emerging Technology Landscape
[Figure 1 labels: AI, Internet of Things, Drones, Robotics, 3D Printing, Augmented/Virtual Reality, Blockchain, Other Emerging Technologies]

unproven. And one should not forget the business case risk, i.e., the uncertainty in terms of whether the technology will eventually realize the business benefits being proposed of it—a risk amplified by emerging technology.

The accelerated rate of privacy concerns and privacy regulations globally raises more compliance risk and even more questions, with a further rapidly emerging issue concerning the ethical use of technology and/or its data, especially in AI applications.

These risk factors and issues are compounded for emerging digital technologies because the unknowns associated with emerging technologies are greater than those of mature technologies. The requirements for the appropriate oversight of digital transformation and emerging technologies intensify the already demanding requirements for good risk management knowledge, risk management experience and risk management instincts in today’s IT governance professionals.

Culture’s Role in Effective IT Governance Has Been Established

As complex as the previously mentioned risk factors are, they are still much easier to manage than are any human factors. The human factors are so significant that the global financial services regulatory agency, the Financial Stability Board (FSB), has been explicit about the role of culture (the set of human behaviors and norms that an organization finds acceptable) in establishing effective risk management, being the first regulatory agency to do so. In particular, the FSB speaks of setting the appropriate tone at the top; in other words, that the organization’s leadership sets a behavioral example for the organization to follow.

There is increasing recognition that culture is integral to absolutely everything. Some have referred to the tone at the top as “the first ingredient in a world-class ethics and compliance program.”4 It is little wonder that the concept is the subject of international attention, even becoming the subject of corporate governance codes such as South Africa’s King IV.5 Without a determined tone at the top, ethics and cultural initiatives lose their impact. What is the impact of ethics and integrity programs in organizations where “more and more CEOs [are] leaving their role amid accusations of ethics breaches and lack of integrity?”6

On a related note, corporate culture has been found to be the most significant critical success factor (CSF) for effective enterprise IT governance.7 Furthermore, International Organization for



Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 38500—a key IT governance framework—specifically warns not to underestimate the human element.8 Understanding the organization’s personality traits—its culture—is key to establishing effective IT governance.9

As critical as culture has been found to be, it is but one important component of the human element of both effective risk management and effective IT governance. The other important component is ethics, a field of study that assesses the morality of the organization’s behaviors.

Where Culture and Ethics Collide

The difference between culture and ethics can be demonstrated by means of the recent Volkswagen emissions scandal, where the global automaker deemed the behavior of designing software to cheat the US’s diesel emission standards as being acceptable.10 Ethics is concerned with the morality of solving the diesel emissions problem by cheating. That Volkswagen was consciously unethical is the root of the scandal.

For an emerging information technology example, Amazon has, since 2014, had a software tool that analyzes job applicants’ résumés to facilitate the identification of the best candidates for a role. So far, so good, as pretty much all large-scale recruiters scan résumés for keywords, even though their tools might not be as sophisticated as having an AI engine. A problem emerged when Amazon’s AI tool was found to discriminate against women.11

The ethical issue for Amazon is not the culture and behavior of algorithmically identifying potentially the best candidates for a role, but rather that the data used to train machine learning models contains biases that humans may not even be aware of, a matter of being unconsciously unethical. In fact, a recent headline notes that AI is plagued by human bias.12

The ethics question is, therefore, what needs to be done to protect people against unconscious or conscious biases as tomorrow’s thinking machines are created, which may be the root of their own ethical dilemma in some circles. The difference between Volkswagen and Amazon in these examples is that Volkswagen knew about and supported its misguided endeavors (setting an unethical tone at the top), while Amazon seems to have suffered the problem plaguing many AI initiatives, that of unconscious bias.13

Volkswagen is not alone in being consciously unethical. Companies like Facebook have been implicated in fake and incendiary news designed to be divisive, with its chief executive officer (CEO) offering only that he would make it harder for such manipulation to occur in the future. Other examples of being consciously unethical include very large organizations producing “unambiguously harmful products” (Monsanto), fake bank accounts (Wells Fargo) or inflating medical costs (Cigna).14 The scale of these matters demonstrates the extent to which the culture of the organization condoned such activities.

There are growing concerns about the ethical implications of developments of digital transformation and emerging technologies such as AI, not only from the public, but also from technology organizations and lawmakers.15

Ethics: IT Governance’s Next Frontier?

Ethics can emerge as an issue whenever technology—not just information technology or new technology—is introduced. The conversation extends beyond the technologies to the data they produce, which raises all manner of security and privacy concerns. The concerns involve not only hardware, e.g., IoT visual sensors (cameras), but the software, too, e.g., analytics practices. It has been argued that the production, access to and control of information will be at the heart of ethical issues in IT.16 This is true not only in the private sector, but in



the public sector as well. In the case of the latter, the challenge is managing the community expectations and perceptions about fairness; in other words, ethics by design.17

Ethics as a subject is growing in stature in IT because emerging technologies have given people more power to act, resulting in people having to make choices that they did not have to make before. While people were previously implicitly constrained by their lack of knowledge or capability, they now have to be voluntarily constrained by their ethics.18

The most significant of the many reasons cited for the failure of the US$1,500 Google Glass earlier this decade was privacy concerns,19, 20 where it was feasible that someone could be the subject of a wearer taking unwelcome video or photos.21 “Creepy” was used as an adjective to describe the product.22

Of all the articles citing numerous reasons for the failure of Google Glass, one of the most telling is an article titled, “Google Glass Wasn’t a Failure. It Raised Crucial Concerns,”23 where the author argued that Glass’s failure was not so much a failure of the product as it was a victory for human beings, who are increasingly discovering that there are limits to where technology should play a role in human lives. Privacy was immediately raised as a serious concern—not marketing, not value propositions, not product design, etc.—but privacy.24 The other reasons for failure discussed in marketing schools today came only much later.

In Toronto, Canada, a current tech controversy concerns what Sidewalk Labs—a subsidiary of Alphabet, just like Google, YouTube and Google X are—is really up to in its desire to create a hyperefficient sensor (and, therefore, data-driven) community on the Toronto waterfront,25 where the development expects all vehicles to be autonomous and shared, while robots will perform menial chores.26 Controversy ignited when globally renowned former Canadian privacy commissioner Ann Cavoukian resigned from her role as a consultant to Sidewalk Labs, “to make a strong statement”27 on discovering that Sidewalk Labs would not guarantee that everyone on the project would de-identify the data at source as she had originally been told, only that de-identification would be encouraged, a state of affairs she described as “not good enough.”28

While it is incidental that both these examples involved Google or allied companies, the issue illustrated by them is that there are an increasing number of important questions being asked about the appropriateness of the use of emerging technology in society, exactly the kind of ethics questions that those accountable for the oversight of their organizations should be asking.

Just because new technologies—such as some applications of AI—may be more efficient, it does not necessarily make them morally better.29, 30 This idea—potentially 500 years in the making—identifies that while AI has the potential to increase productivity, reduce poverty and boost affluence, it can also make society worse off if the wrong choices are made.31 The World Economic Forum raises nine categories of ethical and risk consequences related to the efficiencies introduced by AI:32

• Unemployment brought about by increased automation (efficiency)
• Inequality through a new form of the concentration of power in AI organizations
• Humanity, specifically how machines affect human behavior and interaction
• Artificial stupidity and guarding against unintended consequences (risk)
• Racist robots and other biases
• Security and protecting against technologies being used for bad
• The unforeseen consequences of AI-driven automation



• Singularity, when humans are no longer the most intelligent beings on Earth
• Robot rights and the growing conversation of the legal status of intelligent robots

Privacy should also be a candidate for this list. For now, the top ethical principles proposed for digital transformation across a variety of technologies are:33

• Explicitly designing for privacy, security and integrity—Regulations such as the EU General Data Protection Regulation (GDPR) have this covered through clauses on data security and data privacy by design, with a paragraph on accuracy representing integrity.
• Promoting trust—There is quite a long way to go based on the examples used in this section.
• Acknowledging and addressing the kinds of biases raised earlier—The issue at stake is individual or community confirmation bias, subconscious frames-of-reference that influence how people gather, interpret and act on data about the world, as illustrated by the Amazon example.

Ultimately, those who interact with a digitally transformed organizational ecosystem will expect much more in terms of transparency and fairness from those organizations.34

There is a call for the stronger oversight (governance) of AI to protect against the unethical uses of technology.35 Are IT governance practitioners prepared for this level of oversight? Again, perhaps not, because there do not seem to be clear guidelines on what actually constitutes the ethical governance of digital transformation and emerging technologies such as AI, at least not in the same way that the CGEIT Review Manual is definitive about IT governance frameworks, strategic alignment, business cases, risk and resourcing. In particular, is there an IT governance construct that guides people with respect to assessing the impact of emerging technology such as AI on, for example, the organization’s honesty, transparency, accountability, responsibility, independence, fairness and social responsibility?36

A Gap in GEIT Coverage?

Emerging technology and digital transformation exert new pressures on IT while in pursuit of (ethically) increasing organizational competitiveness and sustainability. The ISACA® CGEIT Review Manual speaks of five governance of enterprise IT (GEIT) domains shown in figure 2.

The topics of ethics and culture contained within GEIT’s resourcing domain are enterprise constructs, as are GEIT’s other domains. Should they not, therefore, constitute a domain in their own right? Culture and ethics impact the entire organization, just as strategic alignment, business cases, and risk and resourcing do.

“Good governance is part of ethics.”37 In other words, ethics does not apply to just a portion of good governance, as suggested by the current positioning of ethics and culture within the GEIT resourcing domain, but to all governance. More so, compliance ethics and culture were found to empirically influence the level of IT governance (all of IT governance),38 not the other way around.

Conclusion

Because ethical dilemmas exist wherever humans, information and information systems interact,39 “[t]he future of the computing profession depends on both technical and ethical excellence.”40



In addition to the ethics concerns covered previously, issues such as privacy, bias, lack of transparency and biotechnology were only briefly raised, and there are a host of other IT ethics issues in areas such as cybersecurity, copyright infringement and plagiarism, and even in terms of the digital divide.

Ethics and culture are significant constructs in the context of today’s information technology. Ethics and culture, just like strategic alignment, business case, and risk and resourcing are all enterprise-level GEIT constructs that should, perhaps, be performed with the same level of diligence. It seems that the risk of seeing IT ethics and culture only through the tiny lens of the resourcing domain is too great.

Endnotes

1 Crevier, D.; AI: The Tumultuous Search for Artificial Intelligence, Basic Books, USA, 1993, p. 47-49
2 RankRed, “Eight Best Artificial Intelligence Programming Language in 2019,” 3 January 2019, https://www.rankred.com/best-artificial-intelligence-programming-language/
3 PricewaterhouseCoopers, “The Essential Eight: Your Guide to the Emerging Technologies Revolutionizing Business Now,” https://www.pwc.com/gx/en/issues/technology/essential-eight-technologies.html
4 Mohlenkamp, M.; “The First Ingredient in a World-Class Ethics and Compliance Program,” Deloitte Perspectives, https://www2.deloitte.com/us/en/pages/risk/articles/tone-at-the-top-the-first-ingredient-in-a-world-class-ethics-and-compliance-program.html
5 Ibid.
6 Atkins, B.; “Business Ethics and Integrity: It Starts With the Tone at the Top,” 7 February 2019, Forbes, https://www.forbes.com/sites/betsyatkins/2019/02/07/business-ethics-and-integrity-it-starts-with-the-tone-at-the-top/#3839d0a457c6
7 Pearce, G.; “The Sheer Gravity of Underestimating Culture as an IT Governance Risk,” ISACA® Journal, vol. 3, 2019, https://www.isaca.org/archives
8 Robinson, N.; “Organizational Profiling: A Path to Effective IT Governance,” Cutter IT Journal, vol. 22, no. 12, January 2010, https://nicholasrobinson.files.wordpress.com/2010/01/itj0912_nr.pdf
9 Ibid.
10 Armstrong, R.; “The Volkswagen Scandal Shows That Corporate Culture Matters,” Financial Times, 13 January 2017, https://www.ft.com/content/263c811c-d8e4-11e6-944b-e7eb37a6aa8e



11 Dastin, J.; “Amazon Scraps Secret AI Recruiting Tool That Showed Bias Against Women,” Reuters, 9 October 2018, https://www.reuters.com/article/us-amazon-com-jobs-automation-insight/amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-women-idUSKCN1MK08G
12 Bradley, S.; “All the Creepy, Crazy and Amazing Things That Happened in AI in 2017,” Wired, 20 December 2017, https://www.wired.co.uk/article/what-happened-in-ai-in-2017
13 Bloomberg, J.; “Bias Is AI’s Achilles Heel. Here’s How to Fix It,” Forbes, 13 August 2018, https://www.forbes.com/sites/jasonbloomberg/2018/08/13/bias-is-ais-achilles-heel-heres-how-to-fix-it/#5b7f67256e68
14 Stebbins, S.; E. Comen; M. B. Sauter; C. Stockdale; “Bad Reputation: America’s Top 20 Most-Hated Companies,” USA Today, 1 February 2018, https://www.usatoday.com/story/money/business/2018/02/01/bad-reputation-americas-top-20-most-hated-companies/1058718001/
15 Simonite, T.; “The AI Text Generator That’s Too Dangerous to Make Public,” Wired, 14 February 2019, https://www.wired.com/story/ai-text-generator-too-dangerous-to-make-public/
16 Stanford Encyclopedia of Philosophy, “Information Technology and Moral Values,” Stanford University, California, USA, 12 June 2012, https://plato.stanford.edu/entries/it-moral-values/
17 Menachemson, D.; “The New Digital Ethics: How to Survive and Prosper in Times of Unprecedented Transformation,” The Mandarin, 14 January 2019, https://www.themandarin.com.au/101779-the-new-digital-ethics/
18 Green, B. P.; “What Is Technology Ethics?” Markkula Centre for Applied Ethics, Santa Clara University, California, USA, https://www.scu.edu/ethics/focus-areas/technology-ethics/
19 Arthur, C.; “Google Glass: Is It a Threat to Our Privacy?” The Guardian, 6 March 2013, https://www.theguardian.com/technology/2013/mar/06/google-glass-threat-to-our-privacy
20 Kelly, H.; “Google Glass Users Fight Privacy Fears,” CNN Business, 12 December 2013, https://www.cnn.com/2013/12/10/tech/mobile/negative-google-glass-reactions/index.html
21 Doyle, B.; “Five Reasons Why Google Glass Was a Miserable Failure,” Business 2 Community, 28 February 2016, https://www.business2community.com/tech-gadgets/5-reasons-google-glass-miserable-failure-01462398
22 Munarriz, R.; “Three Reasons Google Glass Failed,” AOL, 19 January 2015, https://www.aol.com/article/finance/2015/01/19/why-google-glass-failed/21131761/
23 Eveleth, R.; “Google Glass Wasn’t a Failure. It Raised Crucial Concerns,” Wired, 12 December 2018, https://www.wired.com/story/google-glass-reasonable-expectation-of-privacy/
24 Makarechi, K.; “Google Executive Explains Why Google Glass Didn’t Take Off,” Vanity Fair, March 2015, https://www.vanityfair.com/news/2015/03/google-glass-failures
25 Baron, J.; “Tech Ethics Issues We Should All Be Thinking About In 2019,” Forbes, 27 December 2018, https://www.forbes.com/sites/jessicabaron/2018/12/27/tech-ethics-issues-we-should-all-be-thinking-about-in-2019/#52cd52574b21
26 MIT Technology Review, “10 Breakthrough Technologies 2018,” https://www.technologyreview.com/lists/technologies/2018/
27 O’Shea, S.; “Ann Cavoukian, Former Ontario Privacy Commissioner, Resigns From Sidewalk Labs,” Global News, 21 October 2018, https://globalnews.ca/news/4579265/ann-cavoukian-resigns-sidewalk-labs/
28 CBC News, “‘Not Good Enough’: Toronto Privacy Expert Resigns From Sidewalk Labs Over Data Concerns,” CBC, 21 October 2018, https://www.cbc.ca/news/canada/toronto/ann-cavoukian-sidewalk-data-privacy-1.4872223
29 Op cit Green
30 Mullane, M.; “Tackling the Ethical Challenges of AI,” IEC e-tech, 17 September 2018, https://medium.com/e-tech/the-ethics-of-artificial-intelligence-7a0cf0d9a2cf
31 Ibid.
32 Bossman, J.; “Top Nine Ethical Issues in Artificial Intelligence,” World Economic Forum, 21 October 2016, https://www.weforum.org/agenda/2016/10/top-10-ethical-issues-in-artificial-intelligence/



33 Yardley, D.; “Are You Making Ethical Decisions During the Digital Transformation Process?” Kogan Page, 29 March 2018, https://www.koganpage.com/article/essential-ethics-for-digital-transformation
34 Ibid.
35 SAS, “Three Essential Steps for AI Ethics,” https://www.sas.com/en_us/insights/articles/analytics/artificial-intelligence-ethics.html
36 Price, N. J.; “Achieving Strong Corporate Governance Through Technology,” Diligent Insights, 24 April 2018, https://insights.diligent.com/corporate-governance/achieving-strong-corporate-governance-through-technology/
37 Herrod, C.; A. Parks; “Strong IT Governance: Ethical Arguments and GRC Convergence Strategies,” SCCE’s 7th Annual Compliance and Ethics Institute, September 2008, https://community.corporatecompliance.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=738ccc29-e5f0-4cf4-9ebf-065cc8da7b1c
38 Ibid.
39 Conway, P.; “Ethics, Information Technology and Today’s Undergraduate Classroom,” Proceedings of the Third Annual iConference, University of Michigan, USA, 2008, https://deepblue.lib.umich.edu/bitstream/handle/2027.42/85225/C01%20Conway%20Ethics%20IT%20Undergraduate%202008.pdf;sequence=1
40 Association for Computing Machinery (ACM), “ACM Code of Ethics and Professional Conduct,” https://ethics.acm.org/code-of-ethics/




FEATURE

The Internet of Medical Things—Anticipating the Risk

The Internet of Medical Things (IoMT) is and has been a driving force of the networked medical device landscape ecosystem. The number of medical devices in this space is growing at an astonishing rate and with this comes growing risk for the industry. Medical data breaches started well before the use of electronic devices and systems, but, naturally, with the increased use of electronic personal health information (ePHI), there is a growing trend of data breaches in the medical space. Between 2009 and 2018, there were 2,546 healthcare data breaches in which more than 500 records were compromised.1 Practitioners need to realize that the growing trend of connected devices creates many benefits, but also brings enhanced risk to the medical device ecosystem.

The value proposition of connected medical devices is clear—the benefits are for patients (consumers), healthcare institutions and providers. IoMT is clearly increasing the attack vectors and the risk of cyberbreaches for the industry. This will continue to increase over time as the demand for and abundance of connected medical devices increases. The connected health device market is expected to reach an estimated US$36.1 billion worldwide by 2023 and is forecasted to grow at a rate of 21.1 percent from 2018 to 2023.2

The connected medical device space can be segmented into two areas: wearable (e.g., home health management, patient monitoring by healthcare practitioners, activity trackers) and nonwearable, which are hospital- and clinic-based connected devices. These connected medical devices represent a large population of IoMT, and they are prone to vulnerabilities. Properly securing these medical devices helps strengthen the position large IoMT ecosystems play in the healthcare environment. The industry is increasingly focusing on securing devices, and regulatory bodies are expecting security by design in medical device products that are connected.

Mohammed Khan
Is global head of digital health, IT, cyber and privacy audit at Baxter, a global medical device and healthcare organization. He
manages a global team responsible for enterprise risk management across the organization and conducting audits, assessments
and advisory engagements. He has spearheaded multinational global audits and assessments in several areas, including enterprise
resource planning systems, global data centers, cloud platforms (i.e., Amazon Web Services), third-party manufacturing and
outsourcing reviews, process re-engineering and improvement, global privacy assessments (EU Data Protection Directive, the US
Health Information Portability and Accountability Act [HIPAA], the EU General Data Protection Regulation [GDPR]), and FDA guidance
specific to medical device cybersecurity over the past several years. Khan previously worked as an advisory consultant for leading
consulting firms and multinational organizations. He frequently speaks at national and international conferences on topics related to
data privacy, cybersecurity and risk advisory. He volunteers as an ISACA® Journal article reviewer and contributes actively to the
ISACA Journal and ISACA’s blogs. In 2019, Khan received the ISACA® John W. Lainhart IV Common Body of Knowledge Award.

ISACA JOURNAL VOL 4 27


Regulatory Guidance and Frameworks

Regulatory guidance and requirements are fundamentally uniform when it pertains to patient data security and privacy regulations. The following regulations are related to patient data security and privacy regulations and standards:

• EU General Data Protection Regulation (GDPR)—Products and systems that collect EU patient data must be considered from a privacy perspective. GDPR went into effect on 25 May 2018.

• US Health Insurance Portability and Accountability Act (HIPAA)—This US legislation provides data privacy and security provisions for safeguarding medical information.

• US Health Information Technology for Economic and Clinical Health (HITECH) Act—This US act was signed into law on 17 February 2009 to promote the adoption and meaningful use of health information technology.

• US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53—This is a catalog of security controls for all US federal information systems. It organizes basic cybersecurity activities at their highest level, known as functions.

There is no global regulation that requires medical device security as of this writing. What exists, however, are guiding principles and shifts in landscape in terms of where regulations are going. This can be seen by looking at the history of regulation of medical devices. Starting in 1976 in the United States, for example, medical device manufacturers were required to ensure the establishment of risk-based device classifications, controls around general and special processes, premarket notification, and approval. This resulted in the US Safe Medical Device Act (SMDA), federal legislation that was designed so that the US Food and Drug Administration (FDA) could quickly be informed of any medical product that had caused or was suspected to have caused a serious illness, injury or death.3

Subsequently, in 2014, the FDA—for the first time in its history and as the first regulatory body in the world—identified and addressed the cybersecurity risk of medical devices.4 Its guidance specifically highlighted recommendations to consider medical device premarket submissions for effective management of cybersecurity. This was the first enhancement for safeguarding patients from a medical device cybersecurity perspective after the SMDA was issued. The most recent guidance was the premarket for cybersecurity guidance and post-market management of cybersecurity guidance from the FDA (figure 1). Additionally, the FDA prefers that medical device manufacturers share cyberintelligence through Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs).

Classes of Medical Devices and Risk

It is important to understand the basic parameters of what makes a device a medical device. Due to the authority of the FDA, not only in regulating medical devices sold in the United States, but also as an organization at the forefront of medical device security as a forerunner of globally respected government institutions, the focus here is on an FDA-centric definition of medical device classes. The regulatory classes of medical devices are divided up by a classification mechanism called Class I, Class II and Class III. Since the classification of medical devices is based on risk, it is important to understand the risk level and, more important, what the device is medically going to be used for and its intended purpose. The classes, their risk range and example device classification are shown in figure 2.

IoMT

Many people wake up in the morning to an alarm set up on a watch that provides a report to a phone on how the user’s sleep was the night before. Later, those users can assess how fast and long they ran on the treadmill, all while monitoring their heart rate and cadence, which then gets reported to a daily fitness monitoring chart.

A diabetic patient may have a wearable medical device that continuously checks the user’s glucose level, all while maintaining proper levels in the body and alerting a healthcare practitioner not only of anomalies, but general vitals of the patient for active monitoring. An artificial pancreas device



Figure 1—US Regulatory Guidance for Medical Device Cybersecurity

• 21 CFR Part 820.30—FDA guidance related to the design portion of the medical device and medical device software.

• 21 CFR Part 11—Part 11 ensures the inspectability of electronic records. It makes sure the electronic records are available for the defined retention period, just like paper records.

• Medical Device Safety Action Plan—FDA’s intended steps to address medical device safety: consideration of new pre-market authorities to require manufacturers to build security updates and patches into a product’s design, post-market disclosure of cybervulnerabilities, and a Software Bill of Materials mandate.

• Pre- and Post-Market Guidance—FDA recommendation and guidance for pre-market and post-market medical device products, cybersecurity controls, and framework, including use of the NIST framework for medical device manufacturers.

Figure 2—Medical Device Classes and Risk

Class      Risk Level   Regulatory Controls                                      Medical Device Examples
Class III  High         Premarket approval, general controls, special controls   Implanted devices such as pacemakers, implanted cerebral stimulators
Class II   Moderate     General controls, special controls                       Ventilators, surgical clamps, bone grafts
Class I    Low          General controls                                         Lab equipment analyzers, chemical culture

system will not only monitor glucose levels in the body, but also automatically adjust the delivery of insulin to reduce high blood glucose levels (hyperglycemia) and minimize the incidence of low blood glucose (hypoglycemia) with little or no input from the patient.5

If the patient goes to the hospital and checks into the emergency room (ER), data from the wearable device can be extracted and loaded into the electronic medical records (EMR) system, which is connected to the hospital network, which is further connected with physicians’ tablet software so that, when the patient is seen, all data are available for the health practitioner.



These are just some examples of how connected the world of medical devices has become. Figure 3 shows an example. There are many device types that make up the IoMT space, and they can be divided into the following categories:

• Implantable devices (wireless)—There are several types of implantable medical devices that are considered Class III, and many of them can be wireless. These include deep brain neurotransmitters, cochlear implants, cardiac defibrillators/pacemakers and insulin pumps, just to name a few. These are normally multiyear implants, where the physician administers and manages the device through routine outpatient service checks.

• Stationary medical devices—These devices are generally used for outpatient and inpatient services, whether it is an ER visit or a routine operation. These devices are in the hospital-connected ecosystem and include infusion pumps, chemotherapy dispensaries and homecare cardiovascular systems. These are normally Wi-Fi-enabled and connect either to the patient’s home network or the hospital networks.

• Wearable medical devices—The intent of these devices is for monitoring purposes and collecting data for further analysis by healthcare providers. These include wireless-enabled proprietary insulin pumps and electromechanical devices for pain medication.

• Health monitoring devices—These are normally not regulated; however, they pose a great deal of risk because the devices collect vitals (e.g., blood pressure, body temperature, heart rate, respiratory rate) and information about the consumer and/or patient. Bluetooth or Wi-Fi is enabled under the direction of the owner of the device, and these devices monitor physical activity and engage in significant communication with the paired mobile devices.

Device Manufacturers—A Snapshot of Guidance

Patient safety is the priority of all medical device manufacturers, or at least it should be, as they think about the medical device throughout its life cycle. Although the FDA has issued guidance and there are quite a few frameworks that help manufacturers navigate complying with regulator, hospital and patient needs and requirements, there is still room for interpretation by device manufacturers. There will always be risk and obligations to address when there is a medical device that is connected to the Internet of Things (IoT). Controls, including mitigation controls manufacturers need to have in place to avoid or eliminate patient risk, are critical. Risk factors can include improper access to the device or use of device data to exploit patient information or, worse, impact patient health or life due to device tampering or performance gaps caused by a cyberhack. Due to the connected
Figure 3—Implantable Medical Devices and Improving Patient Experience

[Diagram: an active implantable medical device at the center, monitoring the medical conditions of the patient and collecting vital data for multi-direction data feeds, connected to the following parties.]

• Cloud service provider—connectivity
• Healthcare professionals—active monitoring of patient data and treatment
• Patients—patient controls and monitors health
• Supply chain—ordering patient products and delivery to healthcare systems and patient homes



device’s ecosystem, especially in a hospital network, there is a likelihood the exploitability of the device or the hospital network is quite high due to the industry not being fully mature in the cybersecurity space.6 Medical devices such as pacemakers, insulin pumps and magnetic resonance imaging (MRI) machines are increasingly vulnerable to hacking. At the moment, however, there is no US federal mandate for those devices to have cybersecurity protections.7 Despite the lack of mandates, there are some key areas for medical device manufacturers to consider:

• Weak access controls—Limit access to the medical device that is connected, specifically focusing on ensuring devices have two-factor authentication built in for proper authentication techniques.

• Periodic updates—Apply security patches to the medical device on a frequent basis as best practice, per post-market guidance issued by the FDA. Although the FDA does not require approvals for patching medical device software for cyber-related fixes, it is important to ensure that the proper software development life cycle is put in place for the device well before the product is released in the market.

• Coding standards—Many successful cyberattacks have exploited vulnerabilities in code not rigorously tested prior to deployment in a live environment.8 One of the important standards in the industry is issued by the International Electrotechnical Commission (IEC), IEC 62304. This standard provides a robust feature of how best to develop code from development to post-production release code life cycle management. In the European Union, it satisfies key requirements in the Medical Devices Directive (soon to be replaced by the EU Medical Device Regulation). And, in the United States, the FDA accepts IEC 62304 compliance as proof that regulatory processes, such as Section 510(k) of the FDA, which requires device manufacturers to notify the FDA of their intent to market a medical device at least 90 days in advance, have been fulfilled.9

• Security by design—Proper life cycle management of all aspects of the medical device, i.e., hardware and software bill of materials (BOM), to ensure proper inventory of all third-party and in-house hardware and software is crucial. This can also be enhanced further with the use of properly encrypted channels of communication from the device with the outside world.

Coming Full Circle With IoMT

The world of connected medical devices is here to stay, and there is no turning back. Medical technology ecosystems around the world are increasing exponentially and will become the norm. The IoT healthcare market will reach US$136.8 billion worldwide by 2021.10 Today, there are 3.7 million medical devices in use that are connected to and monitor various parts of the body to inform healthcare decisions.11 Medical device manufacturers must ensure proper cybersecurity controls are considered as they become more vested in the safety of the patients and the ecosystems to which the medical devices connect. There continues to be a great deal of opportunity in the space of connected devices and, over time, as patients’ health is improved with the advancement of technology, the industry and the vast number of regulators monitoring this arena need to keep up with the pace of advancement all while keeping cybersecurity in mind.

Endnotes

1 HIPAA Journal, “Healthcare Data Breach Statistics,” https://www.hipaajournal.com/healthcare-data-breach-statistics/

2 24x7, “Global Connected Health Device Market to Reach $36 Billion by 2023,” 16 July 2018, www.24x7mag.com/2018/07/global-connected-health-device-market-reach-36-billion-2023/



3 US Congress, “H.R.3095—Safe Medical Devices Act of 1990,” USA, 1990, http://thomas.loc.gov/cgi-bin/bdquery/z?d101:HR03095:@@@L&summ2=m&

4 US Food and Drug Administration, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” 2 October 2014, https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf

5 US Food and Drug Administration, “What Is the Pancreas? What Is an Artificial Pancreas Device System?” https://www.fda.gov/medicaldevices/productsandmedicalprocedures/homehealthandconsumer/consumerproducts/artificialpancreas/ucm259548.htm

6 Zetter, K.; “Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable,” Wired, 25 June 2014, https://www.wired.com/2014/06/hospital-networks-leaking-data/amp

7 Marks, J.; “The Cybersecurity 202: Medical Devices Are Woefully Insecure. These Hospitals and Manufacturers Want to Fix That,” The Washington Post, 29 January 2019, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/01/29/the-cybersecurity-202-medical-devices-are-woefully-insecure-these-hospitals-and-manufacturers-want-to-fix-that/5c4f4a661b326b29c3778cef/?noredirect=on&utm_term=.0a699b008196

8 Williams, P.; A. Woodward; “Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem,” Med Devices, 2015, p. 305-316, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/

9 Bellairs, R.; “What Is IEC 62304? Compliance Tips for Medical Device Software Developers,” Perforce, 7 February 2019, https://www.perforce.com/blog/qac/what-iec-62304-compliance-tips-medical-device-software-developers#ssc

10 MarketWatch, “Internet of Things (IoT) Healthcare Market Is Expected to Reach $136.8 Billion Worldwide, by 2021,” 12 April 2016, https://www.marketwatch.com/press-release/internet-of-things-iot-healthcare-market-is-expected-to-reach-1368-billion-worldwide-by-2021-2016-04-12-8203318

11 Marr, B.; “Why the Internet of Medical Things (IoMT) Will Start to Transform Healthcare in 2018,” Forbes, 25 January 2018, https://www.forbes.com/sites/bernardmarr/2018/01/25/why-the-internet-of-medical-things-iomt-will-start-to-transform-healthcare-in-2018/#4b9e610f4a3c
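The “security by design” and “periodic updates” points in the manufacturer guidance above both depend on knowing exactly which third-party components a device ships with, which is what the software bill of materials (SBOM) named in the Medical Device Safety Action Plan provides. The following added example (not from the article or any manufacturer) reconciles a constructed CycloneDX-style SBOM for a fictional pump firmware against a constructed approved-component inventory and constructed advisory entries; every component name, version, supplier and advisory identifier is a placeholder.

```python
"""Reconcile a medical device SBOM against an approved-component inventory and
published advisories.  Added example, not from the article or any vendor; all
component names, versions, suppliers and advisory identifiers are constructed."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed SBOM for a fictional infusion-pump firmware, in a CycloneDX-like shape.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "pump-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "tls-stack", "version": "2.8.1",
     "supplier": {"name": "Vendor A (placeholder)"}},
    {"type": "library", "name": "ble-stack", "version": "1.3.0",
     "supplier": {"name": "Vendor B (placeholder)"}},
    {"type": "library", "name": "json-parser", "version": "0.9.7"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "7.1.2",
     "supplier": {"name": "Vendor C (placeholder)"}},
    {"type": "library", "name": "crypto-accel-driver"}
  ]
}
"""

# Constructed approved inventory: component name -> versions cleared for release.
APPROVED_INVENTORY: Dict[str, Set[str]] = {
    "tls-stack": {"2.8.1", "2.9.0"},
    "ble-stack": {"1.4.2"},
    "rtos-kernel": {"7.1.2"},
}

# Constructed advisories (placeholder ids): every version below "fixed_in" is affected.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-001", "component": "ble-stack", "fixed_in": "1.4.0"},
    {"id": "ADV-PLACEHOLDER-002", "component": "tls-stack", "fixed_in": "2.8.0"},
]


@dataclass
class Component:
    name: str
    version: Optional[str]
    supplier: Optional[str]


@dataclass
class Findings:
    missing_version: List[str] = field(default_factory=list)
    missing_supplier: List[str] = field(default_factory=list)
    not_in_inventory: List[str] = field(default_factory=list)
    version_not_approved: List[str] = field(default_factory=list)
    affected: List[Tuple[str, str]] = field(default_factory=list)  # (component, advisory id)


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_sbom(text: str) -> List[Component]:
    """Extract name, version and supplier from each SBOM component entry."""
    doc = json.loads(text)
    out = []
    for entry in doc.get("components", []):
        supplier = entry.get("supplier", {}).get("name")
        out.append(Component(entry["name"], entry.get("version"), supplier))
    return out


def reconcile(components: List[Component], inventory: Dict[str, Set[str]],
              advisories: List[Dict[str, str]]) -> Findings:
    """Flag inventory gaps and advisory exposure; a component without a version
    is reported but cannot be matched against advisories."""
    f = Findings()
    for c in components:
        if c.supplier is None:
            f.missing_supplier.append(c.name)
        if c.name not in inventory:
            f.not_in_inventory.append(c.name)
        if c.version is None:
            f.missing_version.append(c.name)
            continue
        if c.name in inventory and c.version not in inventory[c.name]:
            f.version_not_approved.append(c.name)
        for adv in advisories:
            if adv["component"] == c.name and \
                    parse_version(c.version) < parse_version(adv["fixed_in"]):
                f.affected.append((c.name, adv["id"]))
    return f


def check_sbom(text: str = SBOM_JSON, inventory=APPROVED_INVENTORY,
               advisories=ADVISORIES) -> Findings:
    return reconcile(parse_sbom(text), inventory, advisories)


if __name__ == "__main__":
    for name, items in vars(check_sbom()).items():
        print(f"{name}: {items}")
```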



FEATURE

Rethinking Risk
A New Ethics of Enterprise IT

Rajesh Srivastava, CISA, CGEIT, ISO 20000, ITIL Expert, PMP
Is a 35-year veteran of the IT industry, with expertise in—and a passion for—IT process improvement, strategy and architecture, and overall cultural change. He currently leads infrastructure managed services in the United Arab Emirates for a global healthcare IT service provider.

Not all that long ago, getting the enterprise to invest in IT required some convincing. According to conventional wisdom, IT was a back-office operation and no more. Today, the power and potential business benefit of IT are accepted facts—indeed, in many industries, IT virtually has the same scope and boundaries of the organization itself, and alignment of IT with business strategy and goals is a key recommendation of IT governance frameworks. Cybersecurity and information security threats increasingly force awareness of IT risk on boards of directors and senior management. Compliance requirements—and associated penalties—bring IT into board rooms and corner offices and necessitate investment in compliance risk management. Governance, security and compliance failures can be critical and deserve attention at the highest organizational levels; however, they do not represent the entire universe of IT risk. ISACA’s Risk IT Framework asserts that “Risk IT is not limited to information security. It covers all IT-related risk,”1 including:2

• Late project delivery

• Not achieving enough value from IT

• Compliance

• Misalignment

• Obsolete or inflexible IT architecture

• IT service delivery problems

So while cybersecurity failures can be catastrophic and often draw intense scrutiny, especially as they play out in public debates—for example, around elections and foreign influence—they are not the only IT system failures; in fact, the chance of failures unrelated to cybersecurity may be higher. Failure of IT systems can disrupt routines and daily life, e.g., while people shop or bank online, travel, or use social media. The failure of an airline scheduling system or unexpected downtime on a retail shopping website may barely make the local news; however, considering the scope of public dependency on these systems, the possibility of their failure demands more than a typical business impact analysis (BIA) exercise. The routine BIA may give moderately sophisticated organizations sufficient information, awareness, lead time and incentive to prepare and react. However, IT risk management and prevention should go deeper than the average BIA—into the mind-set of organizations, their employees and leaders, both in IT and the business. The scale of potential failure—running the gamut from public inconvenience to catastrophe—argues for the recognition of an ethics of IT as a risk domain in its own right. Ethics of enterprise IT (EEIT) could include organizational culture and individual employee values, all of which profoundly affect IT operations and delivery.

In the context of IT, ethics would address the risk to IT systems due to intentional or unintentional subversion of existing controls and established means, where intentional does not necessarily mean malicious or criminal. Rather, intent would be construed to encompass personal motives, like convenience or expediency in the service of self-promotion; ideals, like an orientation toward service; and collective dynamics, including politics or



competition, whether between or among whole departments or local teams. Risk IT that accounts for these factors, standards and norms comes closer to an ideal coverage of “all IT-related risk.”

Taking Stock of Traditional Risk IT

Most relatively mature IT organizations have some degree of IT governance and risk management—and may have implemented a governance, risk management and compliance (GRC) framework—to mitigate conventionally recognized risk. However, in the current IT ecosystem—often characterized by multiple vendors, implementing diverse solutions, sharing information, or transferring and processing data across national boundaries—not all partners will likely have the same level of maturity when it comes to risk management and may diverge even more with respect to the culture and values. Traditional risk IT may prove insufficient to cover the complexity and variety of the ecosystem (figure 1).

Figure 1—Traditional Risk IT Principles

[Diagram: six principles arranged around “Risk IT Principles”]
• Connect to Business Objectives
• Align IT Risk Management With ERM
• Function as Part of Daily Activities
• Establish Tone at the Top and Accountability
• Balance Cost/Benefit of IT Risk
• Promote Fair and Open Communication

Even if risk is not managed aggressively, most IT organizations have some level of service management maturity (addressed in Information Technology Infrastructure Library [ITIL] and International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] ISO/IEC 20000, among other standards).3, 4 These enterprises generally accept the importance of change management or incident management; however, local adherence to principle usually depends first on the tone of senior management and, second, on the understanding and execution of individuals in IT, all of which can vary across contracting organizations and geographies. Enterprises and vendors alike may cite key performance indicators (KPIs), key risk indicators (KRIs), the balanced scorecard (BSC), management dashboards and so on to illustrate business alignment along with IT service, change, incident and/or risk management. However, the data and controls that inform and mediate these metrics can be sensitive to local dynamics of data capture and reporting—hence their susceptibility to “intentional or unintentional subversion.” Principles promoting fair and open communication and accountability at any level (especially at the top) depend upon organizational culture and values in play wherever data for critical indicators are collected, interpreted, packaged and presented, whether internally or to business partners. A whole range of IT behaviors will condition the outcome(s) and call for an ethics of IT, not only to articulate ideals, but also to assess their realization.

Observations from industries as diverse as oil, banking and insurance help to illustrate the point. Despite heavy government oversight and regulation, events like the Enron scandal or the US subprime mortgage crisis leading to the 2008 US stock market crash happened. Similarly, insurance fraud is a reality that large organizations have been fighting for years. Despite a host of traditional controls, governance and formal risk management, IT remains exposed to failures that may be averted by ethical controls.

Traditional risk IT emphasizes the centrality of people, processes and technology.5 People are influential most constructively in terms of innovation, creativity and spirit and least constructively, or even destructively, in terms of human error or bypassing defined controls and processes (whether accidentally or deliberately). An IT auditor with a view of the ethics of risk IT can look beyond the surface, past the available evidence, and detect the cultural assumptions, values and dynamics, individual motives, and biases or shortcomings working for or against the subversion of controls. Although metrics present a



rosy picture, the organization may lack basic awareness of IT ethics and might take a casual attitude toward IT discipline. Intelligence and measures around ethical practices in IT could provide a new dimension of assurance on top of typical risk management.

Organizations such as ISACA® and the Project Management Institute (PMI) have clear guidelines on ethics. Perhaps the whole idea of COBIT®, ITIL or ISO and other frameworks—along with the organizations that maintain and publish them—sufficiently articulate IT ethics. However, there are many sizes and shapes of organizations out there—and many are not mature enough to adopt service management or governance principles. Such an organization can easily purchase a GRC application or help desk tool (and integrate the tools with existing service management processes); but appearances of compliance or assurance could be misleading.

Among relatively mature enterprises, the use of service management processes, controls, automation and sophisticated tools is a good defense against wrongdoing in IT; together, they make bypassing controls and other processes difficult, especially in the absence of deliberate intent. However, like any hacker skilled in finding and eventually exploiting weaknesses, an internal IT resource may subvert controls with criminal intent. Others can bypass established processes—nonetheless intentionally, but without malice, in an effort just to get the work done—without fully realizing the potential impact of control failures. However, as the ethics of IT is more integrated with IT, it improves consciousness and reduces the temptation to bypass established processes and controls.

Ethics of Enterprise IT in Practice

To implement ethics of enterprise IT, one might start by looking within the organization, determining how things actually get done in IT, and acknowledging the reality with honesty and transparency. For the most part, people do not have malicious intent. However, because timelines and delivery targets are often aggressive—and both internal teams and external vendors work in all too human contexts of shifting loyalties, internal competition, career aspirations, tight budgets and so on—corners are cut, and expedient development decisions go unacknowledged or are hidden from view, all of which, in turn, may compromise the broad, long-term goal of IT to support business growth and stability and to monitor and reduce risk.

Personal agendas, organizational politics, distorted communication, weak vendor management, department silos and sometimes even unrealistic service level agreements/timelines/targets can dilute the overall intention of IT: to serve business users and customers.

The Risk IT principles “Promotes fair and open communication of IT risk” and “Establishes the right tone at the top and while defining and enforcing personal accountability” encompass a range of concrete activities where ethics of IT could set higher standards, track their achievement, report abuses and improve outcomes. The following is a sample list of common and day-to-day IT operations, where any gaps and deficiencies can compromise the overall intent of IT:

• Metrics and dashboards—Data are often gathered from multiple sources to assess and report on the health of IT systems for upper management and boards of directors. Tweaking these metrics to put the best foot forward, impress clients or meet service availability targets can be common and may hurt enterprise IT in the long run by obscuring opportunities for process improvement.

Metrics and dashboards are usually a rollup from several underlying data points and sub-metrics.



While several of them can be automated, others could be subjective and, hence, exposed to misrepresentation. Even with automated data collection, the tie to actual user experience or service availability can be subjective. As an example, infrastructure uptime statistics do not necessarily mean optimal user experience and satisfaction. Therefore, resources responsible for interpreting the metrics and related data must see them from the ethical point of view, i.e., is the end goal being met?

• Change management—To get the work done, nudge a project over the finish line a little early or satisfy an important stakeholder, routine changes may be pushed as an emergency, in violation of change management policy. Bypassing or overruling a change advisory board (CAB) or other governance function, senior management or executives may insist on an emergency change to secure a major contract or sale or ingratiate an important customer, regardless of the underlying risk. Unauthorized changes are one of the common underlying causes of IT failures.

Unauthorized changes are, by nature, an ethical issue. Also, unauthorized changes are more than unapproved changes. Change management is also about understanding the “seven R’s,” i.e., who raised the change, what is the reason for the change, what is the return required from the change, what are the risk factors involved in the change, what resources are required to deliver the change and what is the relationship between this change, and other changes,6 which can be easily lost among day-to-day IT operational needs.

Considering change is a permanent reality of IT operations, this is the area where awareness and consciousness probably have the most direct impact. Hence, while the change management policies list the types of changes or criteria of a change, it is critical to embed and track the ethical behavior in this area.

• Incident management—Responses to IT incidents can be compromised by lack of transparency or failure to complete appropriate root cause analysis in order to protect individuals and/or teams. The goal of incident management is to return the system to its stable state in the shortest possible time and minimize user impact, especially for major incidents. However, for complex IT architecture or fragile legacy environments, a culture of the knight in shining armor or hero often flourishes. One individual knows all the shortcuts taken over time and, thus, becomes virtually indispensable to fix issues or apply the next temporary fix. The cult of the IT hero can encourage competitive hoarding of knowledge vs. authentic knowledge sharing and team learning. This has a direct bearing on the goal as mentioned previously; as an example, incident closure does not eliminate the dependency on individuals or their shortcuts. In an ethics-rich IT environment, these tendencies would be addressed by balance of knowledge and transparency.

• Vendor management—Favoritism in awarding contracts—regardless of what is best from an enterprise architecture perspective—can compromise long-term efficiency and quality. IT partners or vendors may oversell irrelevant data and/or solutions to senior management.

It is a normal practice to have best-of-breed technologies or pick technologies that align with the current ecosystem and enterprise architecture. However, pushy vendors offering heavy discounts to get their foot in or senior management bringing preconceived notions from elsewhere can break the ecosystem and impact IT’s ability to support these technologies. A recent ethics investigation at the Georgia Institute of Technology (USA) examined a claim that the university’s chief information officer (CIO) had a personal relationship with a vendor’s sales representative, resulting in the university paying too much for equipment from the vendor.7 Unfortunately, many ethical violations go unreported and uninvestigated. Vendor selection should be driven by the vendor’s ability to support the organization, the need for its services and meeting business requirements. Anything else could be a violation of IT ethical behavior.

• Consulting—Encouraging fluff consulting can sometimes elevate the perceived importance or criticality of teams or departments in the eyes of senior management, especially when consultants do not understand or command the necessary technical experience or detailed history of the enterprise’s IT. Additionally, consultants can pad their billable hours and recommend more complex options than what is practical or necessary.

External parties are expected to bring an unbiased and trusted advisor perspective. However, if not managed well, the aspects of supportability and true need can potentially be compromised with complex, unachievable and long-term goals that may not meet the organizational objectives. Therefore, to meet or exceed the billable hours is an ethical behavior risk that needs to be managed well.

• Service management—Enterprise architecture and service management can favor certain tools over others that might be better fit for purpose or more cost-effective. Multiple platforms or duplicative applications may be tolerated or overlooked to please stakeholders in place of a common platform or shared tools that could be more easily maintained and documented.

Service management plays a vital role when it comes to service quality and management. However, simplicity is key; complex processes may push the tendencies to bypass controls, hence posing potential behavior risk. A common example these days is the security controls that, though absolutely essential, lack agility, which could be seen as a hindrance to getting essential critical work completed and could pose a temptation to bypass the established controls.

• Continuous improvement—A culture of isolated, disparate and/or organizationally misaligned teams or individuals can encourage defensive behaviors and resistance to change.

The terms “lessons learned,” “root cause analysis” and “problem management” are talked about generously in most IT organizations, especially at senior management level. However, depending on organizational maturity and local political dynamics, the continuous-improvement mind-set may vary. Considering that continuous improvement is core to service quality (reference: plan-do-check-act [PDCA] model),8 it needs to be embedded into the organization’s IT ethics policy and tracked for mind-set risk and roadblocks.

• Audit and assurance—Strong controls may be avoided to increase agility. Conversely, controls may become so inflexible or autocratic in terms of security and change that barely anything gets done. Protection trumps innovation completely, and striking the right balance can require a highly developed judgment that considers business, technical and ethical dimensions at the same time.

A complex control does not necessarily translate into its effectiveness; it may, in fact, fuel the tendency to bypass it to get the work done, hence a risk to ethical behavior. As mentioned previously, the right balance of control effectiveness with agility and flexibility can have a positive influence on ethical behavior. The previous are some examples where the existing technical or organizational controls (however widely recognized and well conceived), common best practices, and qualitative measurements may not address the real underlying culture of IT. Organizations and auditors who begin to account for the behavioral aspects of IT can understand—and potentially address—the subtle tendencies for or against subversion of common controls. Hence, an ethics of IT becomes, if not yet a formal discipline, then a soft skill or attitude to foster at all levels, whether among boards of directors, executives, managers, teams or individuals.

Conclusion

An ethical perspective can help the enterprise assess behavioral aspects of IT and the human dynamics of organizational culture. Senior management and their values play an important role, as indicated by the key Risk IT principle “Establishes the right tone at the top and while defining and enforcing personal accountability.” In organizations where transparency and accountability seem especially lacking, a trusted third party or unbiased partner should be established in IT. Along with conventional KPIs and KRIs, there should be an ethics indicator—not to police IT, but to ensure that a barometer of IT ethics remains an integral part of risk management. In addition, each IT employee (including senior managers) should receive mandatory IT ethics (part of an organization’s risk management framework awareness) training every year, much like security or change management training—in fact, ethics training ideally should supersede and lead into all other training, whether technical, risk, compliance, etc. The goal is to raise awareness and foster an ethical culture, to treat the topic of IT ethics seriously, and establish ethics as a top metric when KPIs related to risk management are measured and reported.

If ethics of IT gains traction over time and garners more attention, comments and developments, perhaps a new type of GRC can become the norm—one that looks beyond standards, best practices and compliance. It would pay attention to the core values engrained into IT strategy and operations and bring ethics to bear not only on IT controls and processes, but also on the behaviors of those who interact with them.

Endnotes

1 ISACA®, The Risk IT Framework, USA, 2009, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx
2 Fischer, U.; “Risk IT Based on COBIT®,” ISACA, www.isaca.org/Knowledge-Center/Standards/Documents/Risk-IT-Overview.ppt
3 Axelos, “ITIL—IT Service Management,” https://www.axelos.com/best-practice-solutions/itil
4 International Organization for Standardization, “ISO/IEC 20000-1:2018,” September 2018, https://www.iso.org/standard/70636.html
5 ITIL News, “ITIL: Back to Basics (People, Process and Technology),” https://www.itilnews.com/index.php?pagename=ITIL__Back_to_basics_People_Process_and_Technology
6 Information Technology Infrastructure Library (ITIL), “ITIL V3 2011: Service Transition. Change Management,” 2011
7 Horne, W.; M. Foxman; “Investigative Report: The Georgia Institute of Technology Ethics Line Report USGB-18-08-0018,” 15 April 2019, https://www.news.gatech.edu/sites/default/files/cio-final.pdf
8 International Organization for Standardization, “ISO/IEC 20000-1:2011,” https://www.iso.org/standard/51986.html

FEATURE

Three Strategies for a Successful DevSecOps Implementation

The DevSecOps methodology movement began in response to security concerns with the DevOps methodology. DevOps revolutionized the software industry by enabling high-speed software releases through technological and cultural changes. It focuses on automation and integration of processes, but the manual information security processes that traditionally created security assurance in a software release do not fit into this new methodology. Hence, DevSecOps emerged to address the security issues. The experience of applying this methodology resulted in the identification of three key success factors for a DevSecOps implementation.

The Path to DevSecOps

DevOps is defined as a “combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity.”1 DevOps does not treat the development and operations teams as separate entities. Instead, DevOps blurs the lines between the two entities, resulting in greater harmony and alignment, without compromising quality. Estimates say the global market for DevOps will reach US$12.85 billion by 2025.2

DevOps is simply the natural evolution of the Agile methodology, which aims to counter the flaws in a traditional waterfall software development life cycle (SDLC) approach. The Agile movement focuses on improving efficiency by releasing software frequently, in feedback-focused iterative loops. DevOps focuses on automation and integration of the processes that happen before and after the software release into production, such as development, build, test, compilation and monitoring. DevOps typically relies on popular open-source tools for a continuous integration/continuous development (CI/CD) pipeline that makes rapid feedback and deployment of code possible and enables enterprises to achieve multiple high-speed software deployments daily.

Although reduced time to market makes business and product teams very happy, cybersecurity professionals have concerns—vulnerable code, if not checked, can also be deployed faster. For example, a developer who hardcodes an application program interface (API) key into code can potentially push this insecure piece of code into a remote repository and trigger testing and publishing to production in minutes. Information security professionals traditionally relied on manual processes, such as change management, secure code reviews, scans and penetration tests, to inject security assurance into software release processes. The traditional way of security assurance cannot keep up and does not work in a CI/CD world; as a result, reengineering steps were needed.

These concerns led to the start of the DevSecOps methodology movement, which applies the same principles to cybersecurity that DevOps applies to traditional IT processes to improve efficiency and

Taimur Ijlal, CISA, CISSP
Is an information security professional with more than 16 years of experience in cybersecurity and IT risk management. He manages the information security portfolio for one of the largest payment solutions providers in the Middle East. Previously, Ijlal was the head of information security at Dubai Bank, where he was responsible for the strategic oversight of its cybersecurity framework and maintaining an information security management system (ISMS). He also set up IT audit and information security departments for leading Pakistan enterprises, including Bank Alfalah and Bank AL Habib Ltd. Ijlal speaks in various information security forums and has written articles for the e-security section of the Pakistan technology magazine Spider.

removes manual intervention wherever possible. DevOps aims to shift security to the left by incorporating security assurance at every stage of the CI/CD pipeline and making it as essential a success criterion as development and testing. This shift is achieved by building and automating security into the CI/CD pipeline and requires a cultural change that must be endorsed by top-level management to succeed.

Lesson 1—Developers Are the Security Team’s Friends

Traditionally, developers and cybersecurity professionals have been on the opposite ends of the security spectrum and viewed each other with some suspicion. Developers have tended to believe that information security professionals introduce roadblocks and delays at the last minute; cybersecurity professionals often have seen developers as the prime culprits who are responsible for introducing software vulnerabilities, due to their perceived tendency to take shortcuts when writing code. For a successful DevSecOps program, these relationships must be repaired.

Development staff should be seen as an extension of information security staff—not a separate silo within the enterprise. The information security team should identify and train security champions on good security practices and automation tools, which can give them early feedback on security weaknesses within their software. These local security experts then become the voice of information security and can solve common security roadblocks quickly, recommend tools for secure source code reviews and automated vulnerability scanning, give advice on vulnerabilities, and, when required, escalate matters to the enterprise security team. As developers become more comfortable sharing security information within their team, a culture of awareness and information sharing advances within DevSecOps. A DevSecOps program may include incentives to encourage buy-in to the new culture, such as awards and prizes for the developers who identify and fix the greatest number of security bugs in a software release before it goes into production. A spirit of teamwork can be fostered further by setting up collaboration channels for quick informal feedback chats between the information security and development teams and sharing a security knowledge base to help demystify common security vulnerabilities. Enterprises that are serious about DevSecOps must invest in security training and development as heavily for local security champions as for cybersecurity staff.

Lesson 2—Continuous Integration Needs Continuous Security

In a traditional software release, the information security team is an independent entity that provides objective feedback and runs security tools at various stages in the life cycle to provide feedback on vulnerabilities and insecure code. However, these actions are done manually and must pass multiple security clearance gates before software can be deployed. The traditional tools cannot keep up with the fast pace of DevOps software releases, resulting in missed basic security hygiene checks and vulnerabilities that are pushed into production. For the traditional procedures and tools to be able to work in a CI/CD world, the security team would allow the DevOps team access to the security tools to make the tools an integral part of the DevOps pipeline, similar to the automated build, compilation and testing tools. For example, every new code check-in should immediately trigger a secure code review API to give the development team immediate feedback on any security vulnerabilities. Similarly, a successful software build should trigger an automated API job for application vulnerability scanning and pass/fail the build based on predefined criteria that are agreed on by the teams.

This scenario shows that the traditional way of logging in to a console and initiating security scans/code reviews is not feasible in DevOps; these tasks must be transformed into consumable services that can be called on demand via API calls by the DevSecOps team.

Information security professionals need to ensure that tools are compatible with CI/CD tools and can be used in a DevSecOps environment. The policies, procedures and service level agreements (SLAs) for software security assurance should also be reviewed to ensure that they can be adapted to work in a high-speed CI/CD world.

Lesson 3—Bug Bounty Programs Must Become Business as Usual

Many enterprises use continuous penetration testing as a tool to assess the security of their software products after major changes. Although this tool works well in a traditional environment, manual penetration tests do not scale well in a DevOps environment and need to be supplemented with bug bounty programs to be truly effective. Every daily release of code can contain vulnerabilities that may have been missed by security tools and tests earlier in the pipeline. Bug bounty programs crowdsource and incentivize the discovery of software vulnerabilities and offer cash rewards (bounties) to security researchers who find and report vulnerabilities. Although bug bounty programs are regularly used by large enterprises, including Facebook and Microsoft, bug bounty programs should become the new normal and a standard tool for all enterprises invested in DevSecOps. With a bug bounty program, enterprises get the assurance that every change to their software is subjected to a wide variety of intensive tests by numerous security professionals with vast and cumulative experience. A bug bounty program extends and complements (but does not replace) the enterprise standard vulnerability scanning and penetration testing exercises.

DevOps Is Critical to Evolution

The previously mentioned strategies are a few of the key success factors for a DevSecOps program, but they are only a starting point and not an exhaustive list. The era of high-speed software deployments is here to stay. A quick fix to implement DevSecOps does not exist. Enterprises must invest significant time and effort in changing their culture, tools and staff skill set to adapt and get the best results from DevOps while remaining secure. Information security professionals must realize that, more than any tool or technology, their mind-set must evolve to survive and remain relevant in a DevOps world.

Endnotes

1 Amazon Web Services, “What Is DevOps?” 2019, https://aws.amazon.com/devops/what-is-devops/
2 DEVOPSdigest, “DevOps Market Worth $12.85 Billion by 2025,” 19 March 2018, www.devopsdigest.com/devops-market-worth-1285-billion-by-2025

FEATURE

Bridging the Gap Between Policies and Execution in an Agile Environment

With the perpetual occurrence of high-profile attacks and data breaches caused by software vulnerabilities, a new trend known as secure by design (“shifting left”) has gradually shaped the software world.1, 2, 3 It is easier today to convince strategic governance teams that nonfunctional requirements, such as security requirements, are equally as important as functional requirements. After-the-fact security activities such as patching and integrations have proven to be much more expensive and less effective than incorporating security requirements into the early stages of design.4

However, designing applications with security at the forefront raises new challenges. Organizations must comply with an array of regulations and standards based on factors such as their sector, location, whether they deal with personal data and more. The cost of noncompliance can be much higher than the cost of a proactive approach to integrating standards and regulatory requirements into design and development processes.5, 6

At the same time, development life cycles are becoming shorter, and software releases are becoming more frequent. Traditional and linear software development processes (e.g., waterfall models) are being replaced by Agile processes. Moreover, with the advent of DevOps practices where traditionally separate business units now work closely together using Agile methods, the boundary between development and operations has become blurred. Practices such as continuous integration/continuous development have grown popular among software development teams. Exacerbating this complex environment is the push toward automation to minimize the latency of releasing new software features.

Mina Miri
Is a security researcher at SD Elements/Security Compass. She is particularly attuned to the need for applications to have well-developed security characteristics. In her current position, she researches various security and privacy contexts for securing software all throughout its life cycle. Miri has published articles in the ISACA® Journal and IAPP Privacy Tech, and she has presented at the Open Web Application Security Project (OWASP) AppSec conference.

Amir Pourafshar, CISSP
Is a senior security researcher at SD Elements/Security Compass. He has more than seven years of information security research experience ranging from malware behavioral analysis to formulating secure software development life cycle practices. Pourafshar contributes to global forums such as PCI Security Standards Council (PCI SSC) and SAFECode and presents at conferences such as OWASP AppSec.

Pooya Mehregan, Ph.D.
Is a security researcher at SD Elements/Security Compass. He has more than a decade of academic and industry-related experience in software and information security. His main areas of research are in application security, access control and privacy. He has published and presented at academic venues such as the ACM Conference on Computer and Communications Security (CCS), the ACM Symposium on Access Control Models and Technologies (SACMAT), and the IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec).

Nathanael Mohammed
Is a technical writer at SD Elements/Security Compass. He specializes in communicating about technology, with a focus on security and privacy. He has been involved with projects concerning EU General Data Protection Regulation requirements in Agile software development, and he has published an article on a tagging approach to privacy impact assessments in IAPP Privacy Tech.
There is a dilemma that forms between these security by design and Agile software development and deployment phenomena: Security requirements are considered disruptive to Agile practices by the vast majority of the software community.7 Therefore, there needs to be a system of injecting actionable security requirements into the short development cycles of Agile processes. In addition to this, this system needs to bridge the gap between the policy space and the execution space. This gap is created when the requirements of policies, regulations and standards are too high level and abstract, which makes the process of extracting actionable tasks from them arduous, if not impossible. Systems that provide these translations are known in the security community as policy to execution (P2E) platforms.8, 9, 10 At the moment, only a handful of these platforms have been developed, but their numbers are growing rapidly.

Regulatory bodies continue to publish new security and privacy regulations and standards, such as the EU General Data Protection Regulation (GDPR) and the recently published Payment Card Industry Software Security Framework (PCI SSF), in an attempt to accommodate the ever-changing software landscape. The gap between policy and execution is widening because policies mandated by regulations and standards have become more abstract by requiring secure processes around the software development life cycle (SDLC), rather than providing straightforward, actionable tasks. This could be an attempt to render regulations and standards persistent in the face of a changing environment. Testing this hypothesis, however, requires a separate study and falls outside the scope of this work. Instead, the following is an approach for staying compliant with new and ever-changing regulations in an Agile SDLC environment with minimal business disruption or slowdown.

Research Methodologies for Consolidating Security Controls

Figure 1 provides a high-level overview of the approach used in the study presented herein. After a preliminary examination of sources and required information, an extensive literature review was conducted to gather information about existing workflows for addressing the governance of technologies in organizations.

Figure 1—Overview of the Studied Approach
[Flow diagram: Preliminary study → (Analyzing old and new standards; Analyzing client best practices; Interviewing SMEs; Studying maturity models; Analyzing governance frameworks) → Identifying gaps → Formulating actionable tasks → Mapping tasks to their relevant mandates and generating reports]

Existing standards from external (e.g., compliance regulation) and internal (e.g., internal policies) sources and industry best practices were analyzed to gain insight about current controls in tactical governance. Subsequently, a set of interviews was conducted with subject matter experts (SMEs) to extract information about their experiences in completed projects. The interviews consisted largely of open-ended questions about existing processes. The results from SME interviews were then collected to verify consolidated controls from the aforementioned sources. In the next step, actionable controls were formulated from analyzing all collected resources.

Principles for Addressing Business and Security Needs

This study is based on three fundamental principles for success. One is that the proposed process can
be repeated for existing and future standards without slowing down the production pipeline. The second is that the process should be minimally disruptive to developer workflows and easily integrated into their day-to-day activities. The third is that the process should be seamlessly adaptable to organizations of any maturity level and size without changing the structure of production to make the process functional. Taking these three principles into account allows for a unique solution in addressing the policy-to-execution gap.

Use Cases

In this study, PCI SSF is analyzed as a recently published compliance regulation.11 In January 2019, the PCI Security Standards Council (PCI SSC) released two new PCI Software Security Standards as part of the new PCI SSF. These standards are the PCI SSC’s efforts to better address the integrity of payment transactions and the confidentiality of sensitive data as new technologies and software development practices emerge.

The Secure Software Life Cycle (Secure SLC or SSLC) Requirements and Assessment Procedures is a standard in the PCI SSF that offers security assessment guidance for both the development and operations life cycles. Secure SLC compliance aligns with Agile and continuous deployment methodologies to develop software faster and without requiring an assessment from a qualified assessor for each release.12

Historically, many organizations that handle credit cards, such as payment software vendors and payment providers, have been subject to PCI Data Security Standard (PCI DSS) compliance. PCI DSS requirements revolve around a product’s technical security features and configurations for maintaining data integrity and confidentiality such as cardholder data encryption, strict access control and firewall configuration. However, PCI SSLC focuses on securing the software life cycle and building a secure software production and maintenance ecosystem regardless of the technology stack. This new need for compliance encourages strategic governance teams to recognize that, in addition to data security, application life cycle security is a business requirement. This business requirement mandates that product teams at the tactical governance level look for a new framework to build secure software life cycle capabilities. However, due to the widening gap between new requirements and traditional technical practices, it is not trivial to translate high-level strategic governance mandates and policies into step-by-step guidelines for building new practical processes for technical product teams. Moreover, adding a variety of emergent tools, frameworks and software development techniques to the endeavor renders it overwhelming.

In the first step of the proposed framework, PCI SSLC guidelines are analyzed and compared to existing best practices. This analysis helps identify gaps in the currently implemented controls. For example, section 4.1 of PCI SSLC requires a mature process for security testing that aims to determine the existence and emergence of vulnerabilities. While existing best practices aligned with traditional standards and business requirements advise utilizing static application security testing (SAST), they do not require a proper process for identifying the appropriate tool, the practical integration of those tools into the application development and deployment pipelines, or the proper management of vulnerabilities.

Although the new standard mandates the addition and governance of more processes and activities to an application’s life cycle, it does not provide a code of practice or set of guidelines for implementation.

Therefore, tactical governance teams may choose any of the decisions from figure 2 to address this gap. Each of these decisions leads to detrimental consequences.

Next, SMEs (subject matter experts) such as a development manager, application security (AppSec) advisor and security verification engineer are interviewed. Each of them provides their experience and perspective of the secure SDLC in Agile environments. Having all information from both the compliance and execution sides, an extensive analysis is completed to improve existing practices, and the result is organized into actionable processes. At one end of the spectrum, these processes are aligned with high-level compliance requirements and, at the other, they are compatible with production technology stacks. The outcome is imported to an existing P2E platform in the form of tasks that prescribe actionable steps to relevant roles for establishing and executing secure SDLC processes. The existing P2E platform, shown with an example in figure 3, facilitates mapping policy-level requirements to execution-level tasks. It also compiles a compliance report that lists the actionable steps required to comply with particular sections.13

For example, PCI-SSLC section 4.2 requires establishing a mature process for identifying and fixing software vulnerabilities.14 The proposed approach is used to add a new execution-level task to the existing P2E platform. Figure 4 shows the content of this task.

As shown in figure 4, actionable steps are identified to establish and execute a process for finding vulnerabilities and fixing them using SAST tools. This new task, as well as others, can now be mapped to the sections of PCI SSLC that have been added to the P2E platform as a new compliance report. Figure 5 shows an excerpt of the compliance report.
Figure 2—Unsystematic Approaches to Filling the Gap Between SSLC Policies and Executable Processes

Decision: Assuming existing practices are sufficient
Consequences:
• Failing compliance audits
• Risking security incidents

Decision: Building new practices internally
Consequences:
• Missing gaps in certain areas
• Incurring huge expenses
• Having a bias toward internal practices
• Engaging in conflicts of interest

Decision: Adapting practices developed by other teams
Consequences:
• Dealing with inconsistencies
• Managing inapplicable controls

Figure 3—P2E Platform

Policy side: PCI-SSLC 4.2, "Newly identified or discovered vulnerabilities are fixed in a timely manner."
P2E Platform: an expert system generating actionable tasks for technical teams, covering the security, privacy and compliance domains and addressing the Agile development, DevOps and IT operations roles.
Execution side: Task T1368, "Establish a process for performing security testing using SAST tools."



Figure 4—Section 4.2 of the PCI SSLC in the Form of a Task (Screenshot of the Task in the P2E Platform)
T1368: Perform security testing using SAST tools
Follow these guidelines for proper integration of a SAST tool into your SDLC:
• Choose a SAST tool appropriate for your software architecture (such as monolithic, service-oriented, micro-services,
and so on), programming language, and development frameworks.
– For example, configure and use OS/cloud configuration scanning, such as Microsoft Baseline Security Analyzer or
Evident.IO, for cloud environments.
• Configure the SAST tool to include:
– The entire code base
– Configuration files
– Third-party and open-source components
– Shared components and libraries
• Execute SAST routinely in at least one of the following phases, based on the maturity of the existing security controls:
– Where applicable, add the SAST tool's plug-in to the developer IDE (the development team should be highly mature)
– Code commit
– Unit, integration and regression testing
– After staging release, to scan static files and configurations of different components (the development team is not very security aware, but a security team handles the scan)
• Triage results and update the scanner profiles to reduce the number of false positives in the next scans. The following strategies help with reducing false positives:
– Interviewing the development team to find out how mature they are from a security perspective.
– Suppressing certain low-level vulnerability categories if there are other means of proof, for example, if a team uses a certain framework or library that covers that category.
– Suppressing a false positive in a file as long as the file's hash value has not changed since the last scan.
– Communicating the true findings to developers.
• Properly document and maintain an inventory of the scanning results and the corresponding actions taken to address
the findings.
• Identify proper controls to permanently fix discovered vulnerabilities (true positives).
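As an added illustration of the triage strategies in figure 4 (not the article's or the P2E platform's own code), the following Python helper suppresses a whole category that another control already covers and keeps a per-file false-positive suppression only while the file's hash is unchanged, reopening the finding for review otherwise; the finding fields, sample files and function names are constructed assumptions rather than any scanner's output format.

```python
"""Added example: SAST triage with hash-bound false-positive suppressions.

Implements two figure 4 strategies: suppressing low-level rule categories
that another control already covers, and suppressing a finding in a file
only while that file's hash is unchanged since the scan in which it was
triaged. Finding fields and sample files are constructed assumptions,
not a specific scanner's output format.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # scanner rule/category identifier
    path: str      # file the finding was reported in
    line: int
    message: str


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def suppression_key(f: Finding) -> tuple:
    # Keyed on (rule, file), not line number: any edit to the file changes
    # its hash, and that change is what reopens the finding for review.
    return (f.rule, f.path)


def suppress(finding: Finding, files: dict, suppressions: dict) -> None:
    """Record a reviewer's false-positive decision, bound to the file's current hash."""
    suppressions[suppression_key(finding)] = file_digest(files[finding.path])


def triage(findings, files, suppressions, suppressed_rules=frozenset()):
    """Sort scan results into buckets.

    files: {path: bytes}; suppressions: {(rule, path): sha256 when suppressed};
    suppressed_rules: categories covered by other means (framework, library).
    Returns (to_review, suppressed, reopened). A suppression whose recorded
    hash no longer matches the file is discarded and the finding is reopened.
    """
    to_review, suppressed, reopened = [], [], []
    for f in findings:
        if f.rule in suppressed_rules:
            suppressed.append(f)
            continue
        key = suppression_key(f)
        recorded = suppressions.get(key)
        if recorded is None:
            to_review.append(f)
        elif recorded == file_digest(files[f.path]):
            suppressed.append(f)
        else:
            del suppressions[key]   # stale: file changed since the decision
            reopened.append(f)
    return to_review, suppressed, reopened


# --- constructed sample scan ---
def sample_files() -> dict:
    return {
        "app/checkout.py": b"def charge(card):\n    return gateway.charge(card)\n",
        "app/util.py": b"import md5\n\ndef fingerprint(x):\n    return md5.new(x)\n",
        "app/views.py": b"def render(tpl, ctx):\n    return tpl.render(**ctx)\n",
    }


SAMPLE_FINDINGS = [
    Finding("hardcoded-secret", "app/checkout.py", 1, "possible credential in source"),
    Finding("weak-hash", "app/util.py", 4, "insecure hash algorithm"),
    Finding("xss-autoescape", "app/views.py", 2, "template output not escaped"),
]


def demo():
    """Three scans: baseline, after a reviewer suppresses the util.py finding,
    and after util.py is edited. Returns the bucket sizes of each scan."""
    files, sup = sample_files(), {}
    # The template engine autoescapes, so this category is covered by other means.
    covered = frozenset({"xss-autoescape"})
    scan1 = triage(SAMPLE_FINDINGS, files, sup, covered)
    suppress(scan1[0][1], files, sup)            # util.py weak-hash judged a false positive
    scan2 = triage(SAMPLE_FINDINGS, files, sup, covered)
    files["app/util.py"] += b"# refactored\n"    # any change to the file...
    scan3 = triage(SAMPLE_FINDINGS, files, sup, covered)  # ...reopens the finding
    return tuple((len(a), len(b), len(c)) for a, b, c in (scan1, scan2, scan3))


if __name__ == "__main__":
    print(demo())  # ((2, 1, 0), (1, 2, 0), (1, 1, 1))
```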

Figure 5—PCI SSLC Compliance Report for a Sample Payment Software

Columns: Section; Regulation Description; Task ID; Task Title; Status

Section 4.2: Newly identified or discovered vulnerabilities are fixed in a timely manner. The reintroduction of previously resolved vulnerabilities is prevented.
    T1368  Establish a process for performing security testing using SAST tools  Incomplete
    T1369  Establish a process for performing security testing using DAST tools  Complete
Section 5.1: All changes to payment software are identified, assessed, approved, and tracked.
    T1372  Establish and follow a software change management process  Complete
…
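To make the policy-to-execution mapping concrete, here is an added Python model (not the P2E platform's own implementation) that resolves regulation sections to the tasks shown in figures 3 and 5, derives section compliance and outstanding steps, and flags mapping gaps in both directions; the data model and function names are assumptions, while the section text and task IDs are copied from figure 5.

```python
"""Added example: policy-to-execution (P2E) mapping and compliance report.

Constructed model of what figures 3 and 5 show: regulation sections map
to execution-level tasks carrying a status, the report lists each section
with its tasks, and a section is compliant only when every task mapped to
it is complete. Data model and functions are assumptions, not the P2E
platform's code; section text and task IDs come from figure 5.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    task_id: str
    title: str
    status: str  # "Complete" or "Incomplete"


@dataclass
class Section:
    section_id: str
    description: str
    tasks: list = field(default_factory=list)

    def is_compliant(self) -> bool:
        # A section with no mapped tasks is a policy-to-execution gap, never compliant.
        return bool(self.tasks) and all(t.status == "Complete" for t in self.tasks)


TASKS = {
    "T1368": Task("T1368", "Establish a process for performing security testing using SAST tools", "Incomplete"),
    "T1369": Task("T1369", "Establish a process for performing security testing using DAST tools", "Complete"),
    "T1372": Task("T1372", "Establish and follow a software change management process", "Complete"),
}

# Policy-level sections and the execution-level tasks mapped to them.
MAPPING = {
    "Section 4.2": ("Newly identified or discovered vulnerabilities are fixed in a timely manner. "
                    "The reintroduction of previously resolved vulnerabilities is prevented.",
                    ["T1368", "T1369"]),
    "Section 5.1": ("All changes to payment software are identified, assessed, approved, and tracked.",
                    ["T1372"]),
}


def build_report(mapping=MAPPING, tasks=TASKS) -> list:
    """Resolve the mapping into Section objects; an unknown task ID is a
    configuration error and is reported rather than silently skipped."""
    sections = []
    for sid, (desc, task_ids) in mapping.items():
        missing = [t for t in task_ids if t not in tasks]
        if missing:
            raise KeyError(f"{sid} references unknown task(s): {missing}")
        sections.append(Section(sid, desc, [tasks[t] for t in task_ids]))
    return sections


def outstanding_steps(sections) -> dict:
    """Actionable steps still required, per non-compliant section."""
    return {s.section_id: [t.task_id for t in s.tasks if t.status != "Complete"]
            for s in sections if not s.is_compliant()}


def unmapped_tasks(mapping=MAPPING, tasks=TASKS) -> list:
    """Tasks in the library that no section references: work that cannot be
    traced back to a requirement."""
    referenced = {t for _, ids in mapping.values() for t in ids}
    return sorted(set(tasks) - referenced)


def render(sections) -> str:
    lines = []
    for s in sections:
        lines.append(f"{s.section_id}: {s.description}")
        for t in s.tasks:
            lines.append(f"    {t.task_id}  {t.title}  [{t.status}]")
        lines.append(f"    => {'compliant' if s.is_compliant() else 'NOT compliant'}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_report()
    print(render(report))
    print("Outstanding:", outstanding_steps(report))   # {'Section 4.2': ['T1368']}
```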

Conclusion and Next Steps

This approach seeks to bridge the gap between complying with requirements outlined in a regulation and determining actionable tasks using a policy-to-execution platform. This systematic approach can be repeated in similar situations where requirements in regulations are too high level and do not provide sufficient guidance for implementation. Though this example used the newly published PCI SSF, a similar approach can be adopted with other compliance regulations. The utility of an existing policy-to-execution platform was leveraged to mitigate the perceived disruption of security requirements for Agile and DevOps environments. Next, best practices with respect to each requirement given in the PCI SSF were compiled from the experience of organizations of varying maturity levels. Then, SMEs were interviewed to evaluate and augment the best practices collected in the previous step. The entire process led to a set of actionable tasks that correspond to the original requirements of a compliance regulation, which can be adapted to an organization of a given maturity level.



An ongoing project designed to automate the process of listing required tasks, to reduce as much manual work as possible, is underway. A pattern for designing such a method has already been created and is also under development. In this method, the P2E platform used in this study collects necessary information from different sources, such as code scanner results and its own activity logs, to assign a task to the responsible role within the required time frame. Once the undertaking is complete, the process will be tested on a live project for a better evaluation of the approach.

Endnotes

1 Lietz, S.; "<— Shifting Security to the Left," DevSecOps, 5 June 2016, https://www.devsecops.org/blog/2016/5/20/-security
2 The Open Web Application Security Project (OWASP) Foundation, Security by Design Principles, https://www.owasp.org/index.php/Security_by_Design_Principles
3 Schneier, B.; "Patching Is Failing as a Security Paradigm," Motherboard, 16 November 2018, https://motherboard.vice.com/en_us/article/439wbw/patching-is-failing-as-a-security-paradigm
4 Muresan, R.; "Costs of Non-Compliance Are Getting Higher," Bitdefender, 2 April 2018, https://businessinsights.bitdefender.com/costs-of-non-compliance-getting-higher
5 Merkulov, P.; "The Staggering Costs of Non-Compliance," SC Magazine, 1 May 2018, https://www.scmagazine.com/home/opinion/executive-insight/the-staggering-costs-of-non-compliance/
6 Johansson, D.; "Agile vs. Security: Resolving the Culture Clash," Synopsys, 5 May 2016, https://www.synopsys.com/blogs/software-security/agile-vs-security/
7 National Institute of Standards and Technology, Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security, USA, July 2008, https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final
8 Mohamed, S. I.; "DevOps Maturity Calculator DMOC—Value Oriented Approach," International Journal of Engineering Research & Science, vol. 2, iss. 2, February 2016, https://www.academia.edu/32117015/DevOps_maturity_calculator_Value_oriented_approach
9 Johnson, M. E.; E. Goetz; "Embedding Information Security Into the Organization," IEEE Security & Privacy, May/June 2007, www.ists.dartmouth.edu/library/352.pdf
10 Sultan, K.; A. En-Nouaary; A. Hamou-Lhadj; "Catalog of Metrics for Assessing Security Risks of Software Throughout the Software Development Life Cycle," 2008 International Conference on Information Security and Assurance, Busan, South Korea, April 2008, https://ieeexplore.ieee.org/document/4511611/
11 Gray, L. K.; "Just Published: New PCI Software Security Standards," PCI Security Standards Council, 16 January 2019, https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
12 Security Compass, "How You Can Comply With The New PCI Software Security Framework," 17 January 2019, https://blog.securitycompass.com/how-you-can-comply-with-the-new-pci-software-security-framework-f1013d4df0b7
13 Miri, M.; F. H. Foomany; N. Mohammed; "Complying With GDPR: An Agile Case Study," ISACA® Journal, vol. 2, 2018, www.isaca.org/archives
14 Payment Card Industry Security Standards Council, "Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures," January 2019, https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf



FEATURE

Analyst and Adversary


Deconstructing the “Imaginary” of Security and
Cybersecurity Professionals

Also available in Spanish.

Each year, reports of new threats and security breaches reveal the ever-increasing sophistication of attackers and their methods for outwitting available control mechanisms.1, 2 These developments reflect the evolution of an adversary who constantly strives to find novel, surprising attack vectors and create instability across the corporate private sector, as well as the military and governments at national, state and local levels.

Security and cybersecurity researchers attempt to study the mind-set of attackers—hoping to understand how they think, reflect, develop strategies and act. However, the field is generally characterized by conflicts and adverse conditions that few practitioners will find attractive; such research is inherently prone to overstepping ethical boundaries that security and cybersecurity specialists should respect when carrying out their professional duties.3 In this context, the attacker becomes at once close and distant, occupying a zone of contradiction that prohibits any advancing beyond certain ethical limits on security and cybersecurity practice. Nonetheless, the study of adversaries and their attack methods forms an integral part of security and control practice—not only because attacks create the very instability that security professionals are dedicated to avoiding, but also because studying and emulating attacks, in controlled circumstances, can provide valuable insight to business and security leaders.

Many security analysts advance the professional vocabulary of threats, controls and impacts—that is, those on the light side of the force, so to speak—guided by ethics and adherence to regulations. Other so-called analysts allow themselves to be tempted by the dark side; however, recognizing potential vulnerabilities in practice, their intentions shift, and their capabilities become ambiguous. The contrast captures certain unavoidable tensions that arise in the security profession: tension between the necessity to take chances and understand the adversary, on the one hand, and risk aversion and the duty to avoid exposure, on the other hand; and tension between a mandate to achieve greater reliability vs. an attitude of healthy skepticism and imperfect trust4, 5 in a world that is ever more hyperconnected, digitally transformed—and, therefore, exploitable.

Certain conceptual foundations have remained constant throughout the training and practice of security and cybersecurity professionals—foundations informing what might be called their professional imaginary—that is, a certain inherited perspective, received wisdom or set of assumptions projected outward on a rapidly evolving world. Comprehending and analyzing the security imaginary can open a space for new options and alternative considerations, making it possible to reconstruct and validate previous knowledge and experience, better protect and secure organizations while advancing their digital strategies, and also spark new debates on the way to defend and preempt attacks in today's asymmetrical and uncertain world.

Jeimy J. Cano M., Ph.D., Ed.D., CFE, CICA
Is professor at the school of law of the Universidad de los Andes, Colombia. He has more than 22 years of experience as an executive, academic and professional in the areas of information security, cybersecurity, forensic computing, digital crime, critical infrastructures and IT auditing.



Education and Training: Forming the Professional Imaginary

Constant change and adaptation to the challenges of the world increasingly require workers to become life-long students.6 The traditional model of education, in which professors possess knowledge and students passively receive and store their teaching, tends to reproduce a homogeneous educational status quo, one that is becoming steadily less relevant. In such circumstances, students often essentially repeat or confirm the accomplishments of their mentors in order to obtain the highest grades, awards and recognition from the institutions at which they study. This educational model tends to assume—if not also re-create—a mechanistic society in which it is possible to forecast the behavior of the system and its participants. It presupposes a context for work and learning that treats all learners identically, frequently ignoring any prior knowledge or individual characteristics, and molding their vision of the world according to currently accepted standards—all in order to address issues or challenges with solutions already known to the educators.

Education in security and cybersecurity was formed in this mold. Its frameworks and approaches to learning are all but unquestionable and dictate how security specialists learn to make decisions. Aversion to risk, a need to control actions and consequences, and fear of failure perceived as inevitable condition the ways that security practitioners respond in the face of a reality that is utterly different from the one which formed their training—one that demands a different perspective to recognize and understand new risk scenarios and emerging threats. Current professional frameworks in both security and cybersecurity seek to create certainties and a feeling of control with the understanding that, as good practices, the frameworks are sufficient to affect reality and preempt acts by adversaries. Standard practices that currently inform the imaginary of security and cybersecurity professionals must not become dogmas and unquestionable truths; rather, they should be subject to review and analysis, constantly reevaluated in the context of emerging professional experience and organizational dynamics.

Professionals responsible for security must break away from the paradigm of known controls and allow themselves to be questioned and interrogated by the volatile, uncertain, complex and ambiguous experience of working in the field; in effect, they need to uninstall the responses programmed and validated by their education and applied within their working contexts. They must invent alternatives that are not simple reactions to unexpected events but, instead, make it possible to anticipate, defend and preempt the adversary's moves, connecting the disconnected dots in their environments and creating an enriched vision for their recommendations and actions. Practitioners must remember that an analyst's success poses a new challenge to an adversary, i.e., an increase of the attacker's creativity to add tension to the new security and control policies.

The Digital Adversary and the Capacity to Surprise

To protect and advance the value promise of the enterprise, security and cybersecurity specialists seek to implement, secure, stabilize and protect assets under their care. All the while, their adversary is continually preoccupied with experimenting, surprising, destabilizing and compromising (that is, breaching or outwitting known standards and protections), naturally creating instability and spreading uncertainty.

The digital adversary feels comfortable with uncertainty and instability, is not afraid to be wrong, and, in each outcome, finds an opportunity to capitalize and update knowledge. The digital adversary accelerates learning, as well as constructive unlearning, through permanent testing



and experimentation and pursues or re-creates contexts that, for others, may feel uncontrolled—all with the goal of reaching new frontiers of knowledge that customary security practices and science have (so far) not attained. This mode of thinking and acting emphasizes the development of critical capacity and an ongoing strategy to supersede known truths and conventional wisdom. The adversary exposes the status quo to new test cases to find new opportunities, uncover conditions that lead to novel approaches and take the most advanced digital protections by surprise. To understand what happened in the case of a breach, security professionals often head down a road that adversaries have already traveled.

The attacker understands security not as a final objective to achieve, but as an incomplete journey; preliminary and partial responses are the norm, vulnerabilities require adaptive goals, and security demands lead to imperfect trust. The adversary's mind is restless; either it was never formed within the mentality and framework of traditional education, or it quickly outgrew them. Instead, the adversary responds to the adrenaline rush produced by breaking existing protection paradigms. He or she relishes a sense of permanent inevitability of security failure as the new normal in the education of security and control specialists.

Yet, understanding the mind of the adversary can open space for the authentically enlightened training of the security and control professionals. It can teach them to understand the instability of the present, the possibilities open in a hyperconnected world and, above all, a systemic rationale that is not based on fixed or mechanistic causality or an immutable reality governed by known laws but rather one that is relational and emerging; is capable of unifying vision in the midst of oddities, inconsistencies and contradictions;7 creates synthesis between reality and imagination; transforms uncertainty into opportunity; creates incentives; ruptures the status quo; and reveals what was heretofore impossible to see. Practitioners should remember that an adversary's success represents a lesson learned for an analyst, i.e., new motivation for the analyst to explore and challenge previous knowledge.

Analyst and Adversary: Integrating Two Opposing Visions

Finding value in the methodology of adversaries is not intended to romanticize or promote illegal activity. Rather, it illustrates how their methods, mind-set and culture can be repurposed to enrich the education and training of security and cybersecurity professionals. The old, static practices around controls (and their respective verifications) will not be viable for 21st century organizations as a source of imperfect trust. In fact, improving security and cybersecurity today will depend on consciously and selectively integrating these historically opposing roles.

The analyst conventionally works across three categories: threat, control and impact (i.e., a common vocabulary, widely recognized and accepted across enterprises). The adversary thinks in terms of intention, capacity and vulnerability (figure 1). The categories of the analyst generally entail negative reactions to the open-ended, dynamic terms of the adversary. The analyst closes off (or at least reduces) attack surfaces; the adversary emphasizes possibility, openness and opportunity. Harmonizing these oppositions may seem contradictory or counterintuitive but, for the analyst, actually encourages a constructive unlearning of existing assumptions and tactics that may be inherently weak by virtue of their standardization and ubiquity (i.e., their status as best practice).



Figure 1—Analyst and Adversary: Integrating Two Opposing Visions

Analyst (mechanical view: linear)
  Categories: Threat, Control, Impact
  Stance: Implement, secure and protect

<--OPPOSING VISIONS-->

Adversary (relational view: circular)
  Categories: Intention, Capacity, Vulnerability
  Stance: Experiment, surprise and compromise
Figure 1 offers a pedagogical model to harmonize opposing visions. It graphically invites the analyst to supplement defensive postures with the more offensive outlook and behavior of the adversary. The model intentionally escapes the analyst's psychological safe zone,8 invites decisions in the face of uncertain conditions, and creates new opportunity for analysts to "study the situation, define the problems, come to their own conclusions about actions to undertake, compare ideas, defend them and rework them with new contributions."9

Concretely, the new pedagogy rests on four stages for transforming learning and incorporating constructive unlearning (figure 2):

• Suspension—Conditioned by existing knowledge, reality is challenged or contradicted by new experience, which disrupts the inertia of current, accumulated wisdom. This break, a rupture in what formerly was considered "real" or true, requires existing practice to be questioned and encourages the analyst to identify aspects of the situation that are unknown, unresolved or undefined, relative to current standards and/or contexts. Uncertainty creates tension in prior knowledge.
• Connection—Novel experience is associated with previous experience; comparisons are made and interrogated or tested in light of prior knowledge. Trial and error are grasped as a process, creating opportunities to learn and assimilate skills that gradually become proven practice. Successful resolution of prior conflicts or difficulty is evaluated as a basis for action in similar situations.
• Transformation—Uncertainty gradually yields to the construction of new knowledge. Known elements of practice, including current concepts regarding threat and risk, are superseded and discarded. New distinctions and categories lead to an emerging hypothesis that responds to—or accounts for—the anomalies, contradictions or discontinuities of the new experience.
• Incorporation—A new information structure is built from previous knowledge, codified and disseminated. It incorporates new interpretations and a renewed awareness of fragility and asymmetry in the security field. While acknowledging the inevitability of failure, the analyst gains new perspectives on the practical benefit of safeguarding the enterprise's value promise, which later assumes new urgency and validity. The analyst's responsibility and purpose appear more evident, especially in uncertain situations.

Figure 2—The Learning and Unlearning Process

A cycle of learning/unlearning with four stages:
Suspension: break with reality in new experience
Connection: compare new experience with prior knowledge
Transformation: deepen and construct new knowledge
Incorporation: appropriate and structure individual knowledge

Source: Adapted from Reyes, A.; R. Zarama; "The Process of Embodying Distinctions: A Reconstruction of the Process of Learning," Cybernetics and Human Knowing, vol. 5, no. 3, 1 March 1998, https://www.ingentaconnect.com/contentone/imp/chk/1998/00000005/00000003/14. Reprinted with permission.

Rethinking education according to these principles requires breaking with the current mechanistic tradition, whose standards demand routine, repeatable processes to measure levels of protection—whether actual or aspirational—for the organization. The goal is to complement or expand current approaches, privilege openness, anticipate the actions of adversaries (and assess consequences), tolerate calculated risk, emphasize initiative and experimentation, and revise or update knowledge now and in the long term.10

Conclusions

As risk and emerging threats increase—along with legal requirements for compliance11—the mechanistic education of information security and cybersecurity analysts reveals its inherent limitations. Current approaches to security and control should become more forecasting and preemptive, expanding the current educational framework, which generally ensures good practices that create certainties and calmness in decision-making. Forecasting means recognizing, confronting, learning and unlearning, engaging the uncertainty and instability of emerging risk, internalizing the adversary's mind-set, and updating prior knowledge—and its conceptual foundation—to include elements of experimentation, surprise and even amazement.12

Security and control managers should be less afraid that they will "lose sight of the shore" of conventional standards and good practices and, instead, commit themselves to reinventing knowledge on the basis of present capacities and demands. Although security managers will never have everything they need to succeed in all circumstances, they do have the ability to learn and unlearn and, thus, to envision what they want to achieve, to construct forecasts, and understand that incidents are a natural part of the landscape for modern organizations.

Analysts and adversaries share a foundation of knowledge and common challenges. Analysts should adopt the adversary's tools wherever it makes sense; leave their comfort zones; explore different points of view (perhaps even from other disciplines or intellectual positions); develop habits, attitudes, capacities and meanings to overcome cognitive blindness;13 act preemptively; and, especially, stay ahead of the curve: preempt, challenge, interpret, decide, (re)align and learn.

Endnotes

1 Accenture, The Post-Digital Era Is Upon Us: Are You Ready for What's Next? Accenture Technology Vision 2019, https://www.accenture.com/t20190201T224653Z__w__/us-en/_acnmedia/PDF-94/Accenture-TechVision-2019-Tech-Trends-Report.pdf



2 European Union Agency for Network and Information Security (ENISA), ENISA Threat Landscape Report 2018: 15 Top Cyberthreats and Trends, January 2019, https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018/at_download/fullReport
3 Do, Q.; B. Martini; K. R. Choo; "The Role of the Adversary Model in Applied Security Research," Computers & Security, vol. 81, March 2019, https://eprint.iacr.org/2018/1189.pdf
4 In a hyperconnected world, all participants are going to have some kind of failure and need to act when this happens. Reliability is based on the impact of adverse actions and how to manage them.
5 Cano, J.; "Riesgo y seguridad. Un continuo de confianza imperfecta," in Dams, A.; H. Pagola; L. Sánchez; J. Ramio; Actas IX Congreso Iberoamericano de Seguridad de la Información, Universidad de Buenos Aires–Universidad Politécnica de Madrid, 2017, p. 34-39, https://www.researchgate.net/publication/321197873_Riesgo_y_seguridad_Un_continuo_de_confianza_imperfecta
6 For example, two researchers note, "One of the most urgent challenges facing higher education is how to respond to the unavoidable need to modernize and improve the competencies of an ever-greater number of people throughout both the length and breadth of their lives." Echeverría, B.; P. Martínez; "Revolución 4.0, Competencias, Educación y Orientación," Revista Digital de Investigación en Docencia Universitaria 12:2, http://dx.doi.org/10.19083/ridu.2018.831
7 Charan, R.; The Attacker's Advantage: Turning Uncertainty Into Breakthrough Opportunities, Public Affairs, USA, 2015, https://www.publicaffairsbooks.com/titles/ram-charan/the-attackers-advantage/9781610394758/
8 The psychological safe zone consists of the clearly understandable reactions to the interests and mandates of senior security and cybersecurity management. See Edmondson, A.; The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth, John Wiley & Sons, USA, 2018, https://www.wiley.com/en-us/The+Fearless+Organization:+Creating+Psychological+Safety+in+the+Workplace+for+Learning,+Innovation,+and+Growth-p-9781119477266
9 Acosta, S.; Pedagogía por competencias: Aprender a pensar, Editorial Trillas, Mexico, 2012, p. 47, www.etrillas.com.mx/detalle.php?isbn=9786071713025&estilo=13&tema=0
10 Cano, J.; "La educación en seguridad de la información. Reflexión pedagógicas desde el pensamiento de sistemas," Memorias 3er Simposio Internacional en "Temas y problemas de Investigación en Educación: Complejidad y Escenarios para la Paz," 2016, http://soda.ustadistancia.edu.co/enlinea/congreso/congresoedu/2%20Pedagogia%20y%20dida%B4ctica/2%209%20LA%20EDUCACION%20EN%20SEGURIDAD%20DE%20LA%20INFORMACION.pdf
11 IT Governance, "Managing Cyber Risk: Transform Your Security With Cyber Resilience," https://www.itgovernance.co.uk/managing-cyber-risk
12 One author celebrates the quality of amazement in discovering what lies concealed behind everyday experience—of perceiving, for the first time, what has been there all along. See García, A.; Educar para el asombro. Sencillez, confianza, paciencia y profundidad, Mensajero, Spain, 2018, https://gcloyola.com/es/educacion/3139-educar-para-el-asombro-9788427141759.html?search_query=educar+para+el+asombro&results=302&, p. 116.
13 Krupp, S.; P. Schoemaker; Winning the Long Game: How Strategic Leaders Shape the Future, Public Affairs, USA, 2014, https://www.publicaffairsbooks.com/titles/steven-krupp/winning-the-long-game/9781610394475/



HELPSOURCE Q&A

Q: We are an organization providing IT-based services, but we belong to the small and medium enterprise (SME) sector. Is enterprise governance of IT (EGIT) relevant for SME organizations? Are the available frameworks, particularly COBIT®, different for different organizations?

A: EGIT is relevant and, in today's environment, a must for all types and sizes of organizations. That said, organizations must choose the framework that they would like to adopt wisely. The decision to adopt a framework itself is a great step forward.

Research on IT governance has typically been done on large organizations. Research on smaller organizations has been limited, and the research that does come to mind indicates that IT governance structures in SMEs are quite limited. SMEs tend to have an idiographic profile with characteristics that differ strongly from large enterprises.1

Broadly speaking, SMEs differ from large organizations in many ways, such as technology and environment, organizational size, and structural differentiation. These, in turn, influence the nature of instituted decision-making processes and structures, including IT. Governance structures in SMEs tend to be characterized by centralized decision structures, as opposed to the hierarchical and institutionalized decision structures of large organizations.

IT governance is necessary to ensure that the business gains value through IT, which enhances shareholder value. It enables value creation by optimizing risk and the utilization of resources. This paradigm is true for all organizations that depend on IT for competitive advantage, efficiency, effectiveness, compliance, security and reliability of data.

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)'s ISO/IEC 38500 Information technology — Governance of IT for the organization2 is the standard for IT governance, and COBIT® 20193 is the framework for implementing IT governance within the organization.

The challenges faced by SMEs can be broadly viewed along two areas:
• The ability to ensure that management is cognizant of the value IT brings to the table
• Adequate resources on the IT team that make it capable of enabling the previous point

Indeed, the primary focus of IT governance in COBIT is value creation achieved by realizing benefits and optimizing risk and resources.

SMEs generally face challenges in adopting COBIT due to its generic nature. They are good at setting business goals but find it difficult to set IT goals, since IT is a comparatively small function. But it is interesting to see that, many times, their IT investment as a percentage of overall investment is the same as that of any large enterprise.

One COBIT user states that:

    The organization must identify for itself what it needs from IT and how expansion can serve those needs. Within this paradigm, however, COBIT® 5 offers a set of structured processes to smooth the transition and ensure that such growth is a symptom of improvement, directed by a knowledgeable and engaged board. In an ongoing application of COBIT 5, in fact, this should become a matter of course as the framework develops and provides the components of a continual improvement life cycle. This enables the enterprise to fully leverage COBIT's strengths, thereby developing a mature, flexible and effective IT function.4

A blog post summarizes that, "It really is a misperception that COBIT® 5 and IT governance is only relevant to large organizations when, in reality, it is an equally if not more essential ingredient for SME."5

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.

54 ISACA JOURNAL VOL 4


These suggestions should be considered while implementing IT governance in SMEs:

• SME senior management should be involved in IT governance interactions with a focus on enhancing the performance of IT in terms of efficiency, effectiveness, reliability, security and compliance.
• Although SME corporate executives and operational executives are busy and few in number, they should be involved in IT governance processes.
• SMEs should develop and implement a framework for risk management, defining business goals and IT goals.
• Communication of IT governance policies, guidelines and practices within the organization should be established using a number of accessible channels.
• SMEs should develop and implement a mechanism for performance monitoring of resources to optimize them.
• It is important to establish periodic review meetings with corporate and operational executives to make corrections in long-term strategies based on risk and performance monitoring.

Considering the current trend of start-ups that bring innovative concepts and ideas to market, it is fair to assume that more and more SMEs will be in business. SMEs are essential for globalization and, therefore, they should focus on IT governance.

Endnotes

1 Lee, M.; "IT Governance Implementation Framework in Small and Medium Enterprise," International Journal of Management and Enterprise Development, vol. 12, iss. 4-6, 2013, https://www.inderscienceonline.com/doi/abs/10.1504/IJMED.2013.056445
2 International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 38500 Information technology—Governance of IT for the organization, https://www.iso.org/standard/62816.html
3 ISACA®, COBIT® 2019, USA, 2018, www.isaca.org/COBIT
4 Milner, L.; "COBIT 5 Advantages for Small Enterprises," COBIT Focus, 17 November 2014, www.isaca.org/COBIT/focus/Pages/COBIT-5-Advantages-for-Small-Enterprises.aspx
5 Lane, M.; "IT Governance for Small and Medium Business," Orbus Software, 5 September 2014, https://www.orbussoftware.com/blog/it-governance-for-small-and-medium-business/

SEE YOU NEXT YEAR IN BALTIMORE, MD, 12-14 MAY 2020
Save US$500 when you register before 5 August 2019 with promo code NAC20SUMR.
WWW.ISACA.ORG/NACACS-JV4



CROSSWORD PUZZLE

by Myles Mellor
www.themecrosswords.com

ACROSS
1. Shared IT facility
3. IT base of operations that vendors are moving away from, 2 words
9. Basic facilities and systems of operation in an organization
12. View
13. Positioning app
15. Deep hole
17. Person of equal status or knowledge
18. London gardens
20. Consumer, 2 words
23. General rule intended to regulate activity
24. Test version
26. Internet for connection to remote servers, used for storage purposes
28. EU law re: data protection, abbr.
30. Brit. leader
31. Phishing trick
32. Software program, briefly
34. Govern
35. Security executive whose role is well defined in COBIT®
37. Choose for an executive position, say
39. Golden Rule conclusion
40. CV
42. Equifax experienced a large and notorious one, 2 words
43. Separate out unwanted or malicious traffic
45. Add, with up
46. Legal thing, in Latin
47. Key term for an IT audit

DOWN
1. ____ controlled
2. Like some goals
4. Using its own action or motion
5. Take advantage of
6. It IS above Shift, 2 words
7. Directed towards a certain organization, as in a cyberattack, for example
8. Slips
10. Start for COBIT, control and collaborate
11. Old record
14. Methods of operation
16. Merchandise ID
19. Berners-Lee creation
21. Twosome
22. Imposes rules
23. ____less office
25. NFL stats
27. Words before "the minute" or "no good"
29. Pixel density
31. Turn
32. It should be securely protected
33. Personality structure
34. ISACA's good-practice framework
36. Exclamation of surprise
38. State of being equal or equivalent
41. Poetic adverb for many times
42. The D in USD, abbr.
44. Technical department

Answers on page 58



CPE QUIZ #185
Take the quiz online: https://bit.ly/2HGVuDO

Based on Volume 2, 2019—Tomorrow's Security Today

Value—1 Hour of CISA/CRISC/CISM/CGEIT Continuing Professional Education (CPE) Credit

TRUE/FALSE

SAURBAUGH ARTICLE
1. Enterprises should hire security practitioners based on skill, with personality as only a distant second priority.
2. Realistic simulations such as phishing simulations are more effective in educating employees about security than long, drawn-out computer-based training.
3. The security team should be solely responsible for developing the appropriate and meaningful security metrics.

PUTRUS ARTICLE
4. Among the issues to be considered in justifying the chief information security officer (CISO) role within an enterprise are the number and monetary impact of security incidents, compliance with laws and regulations, and protection of the enterprise's reputation.
5. It is more suitable for the CISO to report to the audit committee than to the chief executive officer (CEO).
6. The CISO plays a key role in designing critical controls for selected business units within the enterprise. His or her success in doing so calls on his or her status as a trusted advisor.

KEEF ARTICLE
7. Because data are the foundation of security programs and the necessary data are likely to come from a variety of vendors, it is important to normalize and merge the data and make the resulting database product agnostic.
8. As useful as modeling can be, it cannot reveal the relationship between an asset and an indicator of compromise (IOC) and the surrounding network topology and controls.

LEE ARTICLE
9. Although filling a cybersecurity position may be difficult, once a cybersecurity employee is on board, he or she is likely to stay for a long tenure and not engage in "job hopping."
10. Organizations that require a degree in computer science for cybersecurity positions are ignoring the multidisciplinary nature of cybersecurity and may be missing out on huge pools of suitable candidates.

SERRES ARTICLE
11. The two most significant challenges most organizations face now that the EU General Data Protection Regulation (GDPR) is in effect are cultural transformation and documenting compliance.
12. Cultural transformation related to privacy is the same as for other corporate values: It cannot be handled via training alone, but must be embedded in every decision, small and large.

BRUNSWICK ARTICLE
13. The US California Consumer Privacy Act (CCPA) requires any organization with an annual gross revenue of US$1 million or more doing business in the US state of California to comply with stricter approaches to online privacy and processing of personal data.
14. The CCPA's requirement for organizations to disclose categories of data collected is intended to cause organizations to be more selective in the amount and type of personal data they collect.
15. The GDPR's financial penalty for failure to comply is more severe than the CCPA's, but the CCPA grants individuals the opportunity to receive compensation for infractions.

NACHIN, TANGMANEE AND PIROMSOPA ARTICLE
16. The study described in the article investigates five approaches to raising security awareness, based on differing delivery methods: conventional, instructor-led, online, pre- and post-testing, and simulation-based.
17. Instructor-led delivery was identified as the most effective in raising awareness, followed by simulation-based activities.
18. Further testing specific to Thailand demonstrated that simulation-based delivery is more effective than instructor-led delivery, but the most effective approach overall is an integration of both.

DURMISEVIC-MUTAPCIC ARTICLE
19. In compliance audits, root cause analysis can help the auditor determine the reasons for noncompliance and develop appropriate recommendations for controls to prevent or detect and correct recurrence of the outcomes leading to noncompliance.
20. Root cause analysis in IT audits is comparatively simpler than in other types of audits because the analysis stops at the technology level.
21. Risk-based auditing requires the auditor to prove that a risk has materialized in order to identify a finding.



THE ANSWER FORM
CPE QUIZ #185
Based on Volume 2, 2019

TRUE OR FALSE
SAURBAUGH ARTICLE: 1. ___ 2. ___ 3. ___
PUTRUS ARTICLE: 4. ___ 5. ___ 6. ___
KEEF ARTICLE: 7. ___ 8. ___
LEE ARTICLE: 9. ___ 10. ___
SERRES ARTICLE: 11. ___ 12. ___
BRUNSWICK ARTICLE: 13. ___ 14. ___ 15. ___
NACHIN, TANGMANEE AND PIROMSOPA ARTICLE: 16. ___ 17. ___ 18. ___
DURMISEVIC-MUTAPCIC ARTICLE: 19. ___ 20. ___ 21. ___

Name (please print or type): ___
Address: ___
CISA, CRISC, CISM or CGEIT #: ___

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 1700 E. Golf Rd., Suite 400, Schaumburg, IL 60173 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address. You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.

Answers: Crossword by Myles Mellor (see page 56 for the puzzle); the filled answer grid is not reproduced here.

STANDARDS, GUIDELINES, TOOLS AND TECHNIQUES

ISACA Member and Certification Holder Compliance

The specialized nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:

• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IS Audit and Assurance Standards

The standards are divided into three categories:

• General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.

Please note that the guidelines are effective 1 September 2014.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-Up Activities

IS Audit and Assurance Guidelines

The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):

• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-Up Activities

IS Audit and Assurance Tools and Techniques

These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programs, reference books and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director, Content Strategy, via email (standards@isaca.org); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.



ISACA® Journal, formerly Information Systems Control Journal, is published by the Information Systems Audit and Control Association® (ISACA®), a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of the Journal. ISACA Journal does not attest to the originality of authors' content.

© 2019 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

ISSN 1944-1967

Subscription Rates:
US: one year (6 issues) $85
All international orders: one year (6 issues) $100
Remittance must be made in US funds.

ADVERTISERS/WEBSITES
Owl Cyber Defense, www.OWLcyberdefense.com/diota, page 26
SCCE, Corporatecompliance.org/ethicsinstitute, page 1

LEADERS AND SUPPORTERS

Editor
Jennifer Hajigeorgiou, publication@isaca.org

Managing Editor
Maurita Jasper

Assistant Editor
Safia Kazi

Contributing Editors
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt
K. Brian Kelly, CISA, CSPO, MCSE, Security+
Vasant Raval, DBA, CISA
Steven J. Ross, CISA, CBCP, CISSP

Advertising
media@isaca.org

Media Relations
news@isaca.org

Reviewers
Matt Altman, CISA, CRISC, CISM, CGEIT
Sanjiv Agarwala, CISA, CISM, CGEIT, ITIL, MBCI
Vikrant Arora, CISM, CISSP
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Brian Barnier, CRISC, CGEIT
Ronald Bas, CISSP
Pascal A. Bizarro, CISA
Jerome Capirossi, CISA
Anand Choksi, CISA, CCSK, CISSP, PMP
Joyce Chua, CISA, CISM, PMP, ITILv3
Ashwin K. Chaudary, CISA, CRISC, CISM, CGEIT
Burhan Cimen, CISA, COBIT Foundation, ISO 27001 LA, ITIL, PRINCE2
Ken Doughty, CISA, CRISC, CBCP
Nikesh L. Dubey, CISA, CRISC, CISM, CISSP
Robert Findlay
John Flowers, CISA, CRISC
Jack Freund, Ph.D., CISA, CRISC, CISM, CIPP, CISSP, PMP
Sailesh Gadia, CISA
Amgad Gamal, CISA, COBIT Foundation, CEH, CHFI, CISSP, ECSA, ISO 2000 LA/LP, ISO 27000 LA, MCDBA, MCITP, MCP, MCSE, MCT, PRINCE2
Robin Generous, CISA, CPA
Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA
Tanja Grivicic
Manish Gupta, Ph.D., CISA, CRISC, CISM, CISSP
Mike Hansen, CISA, CFE
Jeffrey Hare, CISA, CPA, CIA
Sherry G. Holland
Jocelyn Howard, CISA, CISMP, CISSP
Francisco Igual, CISA, CGEIT, CISSP
Jennifer Inserro, CISA, CISSP
Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA
Mohammed J. Khan, CISA, CRISC, CIPM
Farzan Kolini, GIAC
Shruti Kulkarni, CISA, CRISC, CCSK, ITIL
Bhanu Kumar
Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP
Edward A. Lane, CISA, CCP, PMP
Romulo Lomparte, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation, CRMA, IATCA, IRCA, ISO 27002, PMP
Larry Marks, CISA, CRISC, CGEIT
Tamer Marzouk, CISA, ABCP, CBAP
Krysten McCabe, CISA
Brian McLaughlin, CISA, CRISC, CISM, CIA, CISSP, CPA
Brian McSweeney
Irina Medvinskaya, CISM, CGEIT, FINRA, Series 99
Mike Michlowski, CISA, CRISC, CISM, CGEIT, CCSP, CFE, CIA, CIPM, CIPP/G, CIPP/US, CIPT, CISSP, CRMA
David Earl Mills, CISA, CRISC, CGEIT, MCSE
Robert Moeller, CISA, CISSP, CPA, CSQE
David Moffatt, CISA, PCI-P
Ramu Muthiah, CISM, CRVPM, GSLC, CISSP, ITIL, PMP
Ezekiel Demetrio J. Navarro, CPA, CISA, CRISC, CISM, CGEIT, CISSP
Jonathan Neel, CISA
Jacky Y. K. Ng, CISM, COBIT Assessor, AgilePM, CEng, CMgr, FCMI, ISO 9001 and ISO/IEC 27001 LA, ITIL Expert, MHKIE, MIET, PRINCE2, RPE
Nnamdi Nwosu, CISA, CRISC, CISM, CGEIT, PfMP, PMP
Ganiyu Babatunde Oladimeji, CISA, CRISC, CISM
Anas Olateju Oyewole, CISA, CRISC, CISM, CISSP, CSOE, ITIL
David Paula, CISA, CRISC, CISSP, PMP
Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE
John Pouey, CISA, CRISC, CISM, CIA
Steve Primost, CISM
Parvathi Ramesh, CISA, CA
Antonio Ramos Garcia, CISA, CRISC, CISM, CDPP, ITIL
Sheri L. Rawlings, CGEIT
Ron Roy, CISA, CRP
Louisa Saunier, CISSP, PMP, Six Sigma Green Belt
Daniel Schindler, CISA, CIA
Sandeep Sharma, CISA, BEPM, CQI, EFQM, IRCA, ISO 27000 LA, ITIL, MCP(BI), MLE, MSP, OSCJP, PRINCE2
Catherine Stevens, ITIL
Johannes Tekle, CISA, CFSA, CIA
Nancy Thompson, CISA, CISM, CGEIT, PMP
Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT
Jose Urbaez, CISA, CRISC, CISM, CGEIT, CSXF, ITIL
Ilija Vadjon, CISA
Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA
Rajat Ravinder Varuni, CEH, DOP, DVA, GPEN, SAA, SAP, SCS, SOA
Varun Vohra, CISA, CISM
Manoj Wadhwa, CISA, CISM, CISSP, ISO 27000, SABSA
Kevin Wegryn, PMP, Security+, PfMP
Tashi Williamson
Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2019-2020)
Chair: Brennan P. Baybeck, CISA, CRISC, CISM, CISSP
Vice-Chair: Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI
Director: Tracey Dedrick
Director: Pam Nigro, CISA, CRISC, CGEIT, CRMA
Director: R. V. Raghu, CISA, CRISC
Director: Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP
Director: Gregory Touhill, CISM, CISSP, Brigadier General United States Air Force (ret.)
Director: Asaf Weisberg, CISA, CRISC, CISM, CGEIT
Director: Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA
Director and Chief Executive Officer: David Samuelson
Director and ISACA Board Chair 2018-2019: Rob Clyde, CISM
Director and ISACA Board Chair 2015-2017: Chris Dimitriadis, Ph.D., CISA, CRISC, CISM



ISACA
BOOKSTORE
RESOURCES FOR YOUR PROFESSIONAL DEVELOPMENT

CISA JOB PR ACTICE


H AS CH A NGED!
AND SO HAS THE
E X A M P R E P.
We’ve got you covered—only official exam prep solutions from ISACA
reflect the most up-to-date training available and industry trends
impacting the IS/IT audit profession. Count on ISACA test prep
for all your study needs!

TR AINE D BY ISACA. CE RTIFIE D BY ISACA.

BROWSE A VARIETY OF PUBLICATIONS FEATURING THE LATEST RESEARCH AND


EXPERT THINKING ON STANDARDS, BEST PRACTICES, EMERGING TRENDS AND MORE AT
ISACA.ORG/BOOKSTORE

S-1
FEATURED PUBLICATIONS
CISA Review Manual, 27th Edition CISA Review Questions, Answers & Explanations
This manual is an extensive reference guide designed to help Database—12-Month Subscription
individuals prep for the CISA exam and understand the roles and This online database subscription is a comprehensive
responsibilities of an information systems (IS) auditor. The CISA 1,000-question pool of items that contains the questions & answers
Review Manual, 27th Edition is the most current, comprehensive from the CISA Review Questions, Answers & Explanations Manual,
and peer-reviewed IS audit, assurance, security and control 12th Edition. CISA exam candidates can prep for the exam on
resource available worldwide. With an easy-to-navigate format their schedule and at their own pace with this online study tool.
designed to assist candidates in understanding essential Utilize the interactive planner to build a custom study plan. The
concepts and studying the new 2019 CISA job practice areas. personalized dashboard then serves as the primary method to
Also includes definitions of terms most commonly found on navigate candidate’s studies and track progress.
the exam.
Take sample exams with randomly selected questions and view the
Print Product Code: CRM27ED
Updated for
2019
results by job practice domain, this allows for concentrated study
eBook Product Code: EPUB_CRM27ED
CISA
Job Practice

Member: $109 in particular areas. Additionally, questions generated during a study


Review Manual
27th Edition
Non-member: $139 session are sorted based on previous scoring history, providing
CISA candidates insights to identify strengths and weaknesses
CISA® Review Manual 27th Edition

Exam Prep
by ISACA

Print and eBook available in which gives them the ability to customize and focus their study
additional languages! efforts even further.

Print Product Code: XMXCA16-12M


Member: $299
CISA Review Questions, Answers & Explanations Manual 11th Edition

Non-member: $349

CISA
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA ®

CISA Review Questions, Answers & Explanations


P: +1.847.660.5505
F: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Manual, 12th Edition


Review Questions, Answers
& Explanations Database

Updated
with additional

This manual consists of 1,000 multiple-choice study questions


questions!

and are presented by the five CISA job practice areas as well as
in a 150-question sample exam. The questions, answers and
explanations are intended to introduce the CISA candidate to the
types of questions that appear on the CISA exam. The practice
test included helps individuals determine their strengths and
weaknesses to identify any areas that require further study. This
publication is ideal to use in conjunction with the CISA Review
Manual, 27th Edition. Also includes definitions of terms most
commonly found on the exam.

Print Product Code: QAE12ED


Member: $129
CISA Review Questions, Answers & Explanations Manual 11th Edition

Non-member: $159

Available in additional languages!


CISA
®

Review Questions, Answers & Explanations Manual


11th Edition

Updated
with additional
questions!

ORDER ONLINE AT WWW.ISACA.ORG/BOOKSTORE


S-2
CISA Review Questions, Answers & Explanations CISA Virtual Instructor-led Training
Database—6-Month Subscription Join an expert CISA-certified trainer and fellow exam candidates
The CISA Review Questions, Answers & Explanations Database— for a unique, online exam-prep experience. This intensive virtual
6-Month Extension should be purchased only as an extension to instructor-led course will cover some of the more challenging
the CISA Practice Question Database—12-Month Subscription. topics from the CISA job practice. Drill through sample exam
items, interact and ask your most pressing questions and get the
Product Code: XMXCA16-EXT180 answers to build your confidence as you prepare for exam day.
Member: $69
CISA Review Questions, Answers & Explanations Manual 11th Edition

Non-member: $89 Member: $995


Non-member: $1,195

CISA
®

Review Questions, Answers


& Explanations Database

Updated
with additional
questions!

CISA Online Review Course


This on-demand CISA prep course incorporates videos, narrated CISA Training Week Courses
interactive eLearning modules, interactive workbooks and job
aids, case study activities, and pre- and post-course assessments. ISACA’s CISA Training Week Courses are delivered by world-
Exam candidates can navigate the online course at their own renowned, expert practitioners and combine group discussion,
pace, following a recommended structure, or target preferred job case studies and best practices to enhance your knowledge and
practice areas. They also have the ability to start and stop the skills. Each feature four full 8-hour days of expert, relevant and
course based on their study schedule, picking up exactly where impactful training and education.
they left off the next time they access it. The course covers all five
Member: $2,295
of the CISA domains and each section corresponds directly to the Non-member: $2,495
CISA job practice.

Member: $795
Non-member: $895

ORDER ONLINE AT WWW.ISACA.ORG/BOOKSTORE


S-3
COBIT® 2019 Framework: Introduction and COBIT® 2019 Framework: Governance and
Methodology Management Objectives
Over the years, best-practice frameworks have been developed COBIT is a framework for the governance and management
and promoted to assist in the process of understanding, designing of enterprise information and technology, aimed at the whole
and implementing enterprise governance of IT (EGIT). COBIT 2019 enterprise. Enterprise I&T means all the technology and information
builds on and integrates more than 25 years of development in this processing the enterprise puts in place to achieve its goals,
field, not only incorporating new insights from science, but also regardless of where this happens in the enterprise. In other words,
operationalizing these insights as practice.
• New concepts are introduced and terminology is explained—the COBIT Core Model and its 40 governance and management objectives provide the platform for establishing your governance program
• The performance management system is updated and allows the flexibility to use maturity measurements as well as capability measurements
• Introductions to design factors and focus areas offer additional practical guidance on flexible adoption of COBIT 2019, whether for specific projects or full implementation

Print Product Code: CB19FIM
Member Price: $60.00
Non-member Price: $75.00
Web Download Product Code: WCB19FIM
Member price: Free
Non-member price: Free

enterprise I&T is not limited to the IT department of an organization, but certainly includes it.

COBIT 2019 Framework: Governance and Management Objectives contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. A description of each objective, its purpose, and its connection with enterprise and alignment goals, along with sample metrics, is provided. For each objective, the process, practices, activities, and related guidance to other standards and frameworks are also provided.

COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure. This publication also includes detailed information about each of the components relevant to each governance and management objective.

Print Product Code: CB19FGM
Member Price: $60.00
Non-member Price: $75.00
Web Download Product Code: WCB19FGM
Member price: Free
Non-member price: Free
COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution

This publication is a breakthrough publication for the COBIT framework. Since there is no such thing as a one-size-fits-all governance system for enterprise I&T, every organization must uniquely tailor its governance system in order to maximize value out of its uses of I&T. The COBIT 2019 Design Guide provides a blueprint for enterprises through the use of “design factors.”

If you are a direct stakeholder in governance over enterprise I&T, the COBIT 2019 Design Guide and its insights can help you to create a governance program that generates tremendous value from information and technology, wherever these valuable assets may be located within your organization.

Print Product Code: CB19DGD
Member Price: $70.00
Non-member Price: $100.00
Web Download Product Code: WCB19DGD
Member price: Free
Non-member price: $90.00

COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution

COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution picks up where the COBIT 2019 Design Guide ended—you have designed a customized governance system for your enterprise, now how do you effectively implement it? This publication is not intended to be a prescriptive approach or the complete solution, but rather a guide to avoid pitfalls, leverage the latest good practices, and assist in the creation of successful governance and management outcomes over time. To an important extent, it works in conjunction with the COBIT 2019 Design Guide, which helps every enterprise to identify and apply its own specific plan or road map.

Print Product Code: CB19IGIO
Member Price: $60.00
Non-member Price: $75.00
Web Download Product Code: WCB19IGIO
Member price: Free
Non-member price: $55.00

ORDER ONLINE AT WWW.ISACA.ORG/BOOKSTORE
CHOOSE THE COURSES THAT FIT YOUR CURRENT GOALS.
DEVELOP THE EXPERTISE TO SHAPE YOUR FUTURE ROLE.

DELOITTE/ISACA TRAINING COURSES
Earn up to 32 CPEs for each 4-day course
ISACA Members: $2,495 USD
Non-Members: $2,695 USD
$200 USD Early Bird discount rates available—visit www.isaca.org/training2019jv4

• Advanced IT Auditing: Taking the Next Step in Accelerating Your Knowledge — Dallas, TX | 23 – 26 September 2019
• Cloud Computing for Auditors: Seeing Through the Clouds — Chicago, IL | 21 – 24 October 2019
• IA Data Analytics & Automation: Enabling the Internal Audit of the Future — Boston, MA | 19 – 22 August 2019
• Information Security Essentials: Enhance Your Ability to Advise on Information Security Decisions — Los Angeles, CA | 11 – 14 December 2019
• Network Security Auditing: Step into a Hacker’s Mindset — Seattle, WA | 12 – 15 August 2019
• Privacy and Data Protection: An Introduction to the Global Landscape of Data Privacy — Costa Mesa, CA | 28 – 31 October 2019

ISACA TRAINING COURSES
Earn up to 32 CPEs for each 4-day course
ISACA Members: $2,295 USD
Non-Members: $2,495 USD
$200 USD Early Bird discount and group rates available—visit www.isaca.org/training2019jv4

• CISA® Bootcamp — Phoenix, AZ | 2 – 5 December 2019
• CRISC™ Bootcamp — Chicago, IL | 5 – 8 August 2019
• COBIT® 2019 Overview & Foundation Exam Prep — Chicago, IL | 5 – 8 August 2019; Phoenix, AZ | 2 – 5 December 2019
• Cybersecurity Fundamentals — Washington, DC | 23 – 26 September; Austin, TX | 4 – 7 November
• Foundations of IT Risk Management — Chicago, IL | 5 – 8 August 2019
• Fundamentals of IS Audit & Assurance — Chicago, IL | 5 – 8 August 2019

SEE WHAT’S NEXT NOW AND REGISTER AT www.isaca.org/training2019jv4

*Please see website for pricing and registration details. Information is subject to change.
INTRODUCING COBIT 2019

The globally recognized COBIT® Framework has been updated with new information and guidance—COBIT 2019 extends its leading role in implementing and ensuring effective enterprise governance of information and technology (EGIT).

COBIT 2019 is an evolution of COBIT 5, so this newly revised governance framework contains everything you love about COBIT 5, plus many new exciting features and focus areas.

COBIT 2019 CORE PUBLICATIONS

LEVERAGE COBIT 2019 TO GENERATE TREMENDOUS VALUE FOR YOUR ENTIRE ENTERPRISE BY CUSTOMIZING AND RIGHT-SIZING THE GOVERNANCE OF INFORMATION AND TECHNOLOGY.

For more information on COBIT 2019, its publications and guidance, and new training opportunities, go to www.isaca.org/COBITjv4