ISACA Journal 2012 Vol3

Volume 3, 2012 (www.isaca.org)

Audit Process

Featured articles: SOC Progress Report; Audit Evidence Refresher; Communication—The Missing Piece; and more.





ISACA Journal, Volume 3, 2012

Contents

Columns
4 Information Security Matters: This Should Not Be Happening (Steven J. Ross, CISA, CISSP, MBCP)
6 Cloud Computing: Cloud Computing as an Integral Part of a Modern IT Strategy (Kai-Uwe Ruhse, CISA, PCI QSA, and Maria Baturova)
10 Information Ethics: Policy Vacuums (Vasant Raval, CISA, DBA)
12 IT Audit Basics: Auditing Applications, Part 1 (Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA)
17 Five Questions With Robert Findlay, CISA

Features
19 SOC Progress Report (Brian Vazzana, CISA, CITP, CPA)
23 A Primer on Nonrelational, Distributed Databases for IS Professionals (Steve Markey)
27 Communication—The Missing Piece (Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA)
31 Adopting Continuous Auditing/Continuous Monitoring in Internal Audit (Miklos A. Vasarhelyi, Ph.D., Silvia Romero, Ph.D., Siripan Kuenkaikaew, CISA, and Jim Littley)
36 Audit Evidence Refresher (Ookeditse Kamau, CISA, CIA)
40 Project Portfolio Management (Aarni Heiskanen, LJK)
46 Haruspex: Simulation-driven Risk Analysis for Complex Systems (Fabrizio Baiardi, Claudio Telmon, CISA, CISSP, and Daniele Sgandurra, Ph.D.)

Plus
52 Crossword Puzzle (Myles Mellor)
53 CPE Quiz #142, Based on Volume 1, 2012 (Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS)
55 Standards, Guidelines, Tools and Techniques
S1-S8 ISACA Bookstore Supplement

The ISACA Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal's noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

Journal Online

Want more of the practical, peer-reviewed articles you have come to expect from the Journal? Additional online-only articles will be available on the first business day of each month in which no Journal is released, i.e., February, April, June, August, October and December. These articles will be available exclusively to ISACA members during their first year of release. Use your unique member login credentials to access them at www.isaca.org/journalonline.


Online Features

The following articles will be available to ISACA members online on 1 June 2012:
- Book Review: Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition (reviewed by Shasikanth Malipeddi, CISA)
- Book Review: The Operational Risk Handbook for Financial Companies (reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL)
- Transitioning From SAS 70 to SSAE 16 (Pritam Bankar, CISA, CISM, and Harmeet Kaur, CEH)


ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA. Telephone +1.847.253.1545; Fax +1.847.253.1443; www.isaca.org


Information Security Matters: This Should Not Be Happening

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal's most popular columns since 1998. He can be reached at [email protected].

I recently published my thoughts about hacking (cyberattacks) in this space, in a piece titled "The Train of Danger."1 In it, I gave my paranoia free rein and suggested that organizations are unprepared for the danger of such attacks and that security professionals, in particular, are at risk. I received a thoughtful series of messages regarding that column from Stan Dormer of Cheshire in the UK. He led me to see the problem from a few other angles, which I would like to explore here.

The Problems Persist

Mr. Dormer wrote:

IBM celebrated its centenary some months ago; commercial security consultancies and anti-malware companies are ten a penny; every software vendor provides voluminous advice on security; ISACA provides quality advice and highly qualified professionals and has developed schemes such as COBIT. More formal methodologies such as SABSA accompanied by standards such as ISO 2700x abound.

We do pen testing, security certification testing, deploy unbreakable cryptographic schemes, and we have the defense and other government agencies that employ some of the best security professionals on the planet.

And an individual or group permeates through all of this stuff like a knife going through butter!

This should not be happening.

Quite so, Mr. Dormer, quite so. If we understand the problem and have developed the solutions, then why do we still have the problem? Stan goes on to suggest some reasons:


ISACA JOURNAL VOLUME 3, 2012

- Employees may be leaking personal data, security data and security credentials to outsiders for gain.
- Alleged cyberwar attacks are fewer than reported and are being exaggerated for political reasons.
- Software vendors may still be leaving backdoors in their software just like they used to do in the 1960s and 1970s, and these are communicated to a select few who then in turn leak the knowledge.
- Perhaps it is that we are pathetic at deploying security and most security software achieves little.
- Dorothy Denning2 may have been right: all software contains fatal weaknesses, and you cannot develop a formal system that is secure, so we have to live with it.
- Software may be over-complex and too interconnected to be able to lock it down.

The Culture We Deserve

These are all plausible specifics; putting them together leads me to think that there is a general explanation. I believe that cultural issues in our society and in our organizations are the greatest impediment to true security despite, as Mr. Dormer says, all the countermeasures we have deployed. Jacques Barzun said we get the culture we deserve.3 Perhaps we get the security our culture deserves, as well.

It is safe to say that everyone is in favor of security. Who can be against it? However, we do not value security, or at least we do not value it as highly as other attributes. We do not applaud risky business, but we do look up to people described as risk takers. There simply is not the same cachet for a person to be really secure. The praise for risk taking is deserved because risk is rewarded with profit. But, I suggest, what we really favor is prudent risk taking. That qualifier gets lost until markets crash, needless wars begin or a system gets hacked.

When bad things occur, or at least out-of-the-ordinary bad things, there is often a response that no one could have anticipated that it could occur.4 In the limited space of information security, we have had no lack of Cassandras telling the world about potential dangers. But, they (aw, heck, we) cannot say specifically what will happen, nor when it will occur.5 In the competition for budgets, it is easier to demonstrate that money invested in, say, a sales promotion will lead to higher revenue than it is to show that funds spent on security will result in lower losses. Now, the vice president (VP) for sales can no more predict which sales will be made because of a promotion than the chief information security officer (CISO) can tell which hack would be prevented by a new firewall, but when the cash does come in, the VP has something to point to. The CISO can only claim that something that might have happened failed to occur, an impossibly difficult position to defend.

Is this, then, the answer to Mr. Dormer's question, that we simply do not care enough about security to pay for it? There is some truth to it, but I do not believe that that is entirely the case. As a society, particularly in these parlous times, we pay quite a lot for security at the national, corporate and individual levels. But, our willingness to spend almost always outruns the reality of the threats we face. We are only willing to pay for security when we are convinced that a bad thing will indeed occur if we do not provide enhanced protection. Those bad things must happen often enough, big enough, close enough to spur us to action.

Selling Security

To accelerate investments in security, we security professionals must do a better job of communicating the reality of the threats that our organizations face. Straightforwardly, we must sell security; we must do so rather than letting the hackers, the leakers and the forces of nature do it for us. I am speaking of much more than a security awareness program, which merely points out that there are threats in the world and that individuals need to do their part to combat them. I am suggesting a campaign that demonstrates the value of security not only to the company or agency but to individuals, their families and communities. This campaign should have spokespersons, a warm and fuzzy mascot, and a carefully crafted message that makes security desirable, if not sexy.6

Selling security calls for a different set of skills than managing or auditing it. It is often the case that the people responsible for security in any given organization are specialists in implementing and maintaining technologies; they have been neither recruited nor rewarded for their ability to sell a concept. This too is a manifestation of our society's perception (our culture) of security. Until we get the right security professionals doing the right jobs in the right ways, Mr. Dormer's last question to me will go unresolved: "Are there other explanations [to poor security] that we're not exploring?"

Author's Note

ISACA publishes my email address because I like to hear from you, as I did from Mr. Dormer. You can also leave comments on the ISACA web site. I promise to read and respond to those as well.

Endnotes
1 Ross, Steven J.; "The Train of Danger," ISACA Journal, USA, vol. 5, 2011
2 Dorothy Denning is a distinguished professor at the US Department of Defense Analysis, Naval Postgraduate School, and one of the most noted proponents of information security of our time.
3 Barzun, Jacques; The Culture We Deserve, Wesleyan University Press, 1989. Jacques Barzun is emeritus university professor at Columbia University and one of the most noted cultural historians of our time.
4 See Taleb, Nassim Nicholas; The Black Swan, Random House, 2011, p. xix (and the entire book, for that matter).
5 See Watts, Duncan J.; Everything Is Obvious: Once You Know the Answer, Crown Business, 2011, chapter 6, for an explanation of the impossibility of prediction.
6 Ross, Steven J.; Creating a Culture of Security, ISACA, USA, 2011, p. 77-80. More shameless self-promotion.


Cloud Computing as an Integral Part of a Modern IT Strategy: Examples and Project Case Studies

Kai-Uwe Ruhse, CISA, PCI QSA, is a senior manager at Protiviti Germany and is responsible for the German IT consulting team. He can be reached at [email protected].

Maria Baturova is a consultant in the IT consulting team of Protiviti Germany with experience in governance, risk and compliance, and cloud computing. She can be reached at [email protected].

Cloud computing is being labeled as a new Internet technology that provides cost-efficient and flexible infrastructure and applications to the business. However, there seems to be a gap between the technical possibilities and the practical usage of cloud services.

This article describes real cloud computing project case studies, which show that moving to the cloud is an important strategic decision for IT managers. The existing IT strategy must be reconsidered, and possible cloud computing scenarios must be derived.

Current cloud projects are still characterized as being in the testing phase and are mostly performed for IT services that are considered to be uncomplicated. Even these projects show that challenges persist in the area of data security and compliance.

Starting Points

Different definitions and models of cloud computing exist and are often used as starting points for evaluations. Figure 1 was developed by the US National Institute of Standards and Technology (NIST) and provides an overview of typical characteristics, service models and deployment models.

The characteristics section summarizes relations and differences to existing IT services. The service models section refers to software, platform and infrastructure decisions based on functional requirements and sourcing strategies. The deployment models section covers access rights and responsibilities. A typical choice is the private cloud that runs solely for one organization and can be organized and managed either by the organization itself or by a third party. Additionally, the cloud can be located in

Figure 1: NIST Visual Model of Cloud Computing

Characteristics: Broad Network Access; Rapid Elasticity; Resource Pooling; Measured Service; On-demand Self-service
Service Models: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS)
Deployment Models: Private; Community; Public; Hybrid

Source: National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf


the organization's own data center (on-premises) or in that of a different institution (off-premises).

Frameworks such as those provided by NIST, the European Network and Information Security Agency (ENISA)1, 2 or the German Federal Office for Information Security (BSI)3 provide a high-level overview, which should always be considered during the strategic planning of the usage of cloud services. However, those frameworks cannot replace detailed individual risk assessments and analysis of legal and compliance requirements.

Data Security and Legal Aspects

The majority of discussions about requirements specifications in cloud computing projects refer to data security and legal aspects. Data security especially requires a clear and well-defined specification of both cloud customer and cloud provider responsibilities. In general, the level of control and responsibilities varies depending on the provided cloud service model. For example, in the case of Infrastructure as a Service (IaaS), a cloud customer's responsibilities usually cover the security platform configuration and maintenance, log collection, and security monitoring. Service models like Software as a Service (SaaS) and Platform as a Service (PaaS) typically include those activities at the provider side.

Internal and external data security requirements must be considered, depending on the classification of information stored, transferred or processed. Standards such as ISO 27001 usually lead to organizational and technical changes, whereas specific requirements such as the Payment Card Industry Data Security Standard (PCI DSS) for credit card data define very detailed requirements, which can lead to more time- and cost-consuming efforts.

Different national and international data protection laws define important requirements, which can lead to confusing legal situations for clouds, especially in international organizations. Questions such as where the cloud host is based, who has access to which data and how to react in case of possible security incidents are at the top of the agenda. Solutions can often be found in very detailed definitions of controls and responsibilities, user access rights, locations of service providers, contracts and service level agreements (SLAs).

Strategic Considerations

Strategic alignment between business and IT has become a key success factor to maximize value. To develop and implement an appropriate IT strategy, different technologies need to be identified, evaluated and, once acquired, integrated with IT and business processes. The implementation decision for cloud computing must follow a structured approach that considers pros and cons and includes a comparison of the total cost of ownership.

Cloud computing is an important part of modern strategic sourcing initiatives. In the case of outsourcing, the nature, risk and benefits of cloud computing require strong SLAs in place to manage the interface among organizations, processes and responsibilities to ensure control and accountability.

The described considerations can be summarized in a cloud computing strategy as part of the overall IT strategy to define the used service and deployment models, integration in processes and infrastructure, as well as the corresponding operational and legal parameters.

In addition to integrating the cloud computing strategy with the IT strategy, organizational IT governance aspects should be considered. IT not only enables new services and business processes, but business units may also increasingly use IT and the cloud without involving the IT department. This can lead to miscommunication between business and IT.4

Project Case Study: Cloud Computing Strategy

The following project case study illustrates the successful integration of cloud computing within the IT strategy. The basis for the project was an organizationwide strategic initiative covering all business departments and IT. Within this initiative, the existing old IT strategy was analyzed, updated and integrated with the other business strategies to ensure proper business-IT alignment and to increase IT awareness.

As a starting point of the IT strategy development project, benchmarking tools were deployed to analyze the current


Figure 2: IT Strategy Development Approach

Figure 3: The Six Disciplines Approach. Time horizons: Mission and Values (10+ years); Vision and Strategic Position (5-10 years); Strategic Cornerstone and Objectives (3-5 years); Strategic Programs and Initiatives. Disciplines shown: I. Strategy (Decide what is important.); II. Plan (Set goals that lead.); VI. Learn (Step back.)

Audit Evidence Refresher

... Administrative Tools > Active Directory Users and Computers > Builtin > select Administrators > right-click > select Properties > select Members.

Sampling

Sampling is an audit procedure that tests less than 100 percent of the population.7 There are different types of sampling methods that an IS auditor can apply to gather sufficient evidence to address the audit objectives and the rate of risk identified. Sampling methods can be statistical or nonstatistical. Statistical sampling involves deriving the sample quantitatively. The statistical methods commonly used are random sampling and systematic sampling. Nonstatistical sampling involves deriving the sample qualitatively. Commonly used nonstatistical methods are haphazard and judgmental sampling.

The sample size applied depends on the type of control being tested, the frequency of the control and the effectiveness of the design and implementation of the control.

Type of Controls and Sample Size

The following are the two types of controls:

- Automated controls: Automated controls generally require one sample.8 It is assumed that if a program can execute a task (for example, successfully calculate a car allowance due based on a base percentage of an employee's salary) and the program coding has not been changed, the system should apply the same formula to the rest of the population. Therefore, testing one instance is sufficient for the rest of the population. The same is true for the reverse; if the system incorrectly calculates the allowance, the error is extrapolated to the rest of the population.
- Manual controls: Depending on which sampling method an IS auditor uses to calculate the sample size, the following factors should be taken into consideration to determine the sample size:9
  1. Reliance placed on the control
  2. The risk associated with the control
  3. The frequency of the control occurrence

Examples of manual controls include review of audit log monitoring, review of user authorization access forms, and review of daily IT procedures, server monitoring procedure

Figure 3: Examples of Controls, Evidence-gathering Techniques, Evidence Collected and Sampling Method

Control: Data owners authorize user access and user rights on the systems.
Evidence-gathering technique: Interview; extraction of system parameters (automated/manual)
Evidence collected: User policy and procedure; user listing report with user creation dates; user access request form/emails showing management approval
Sampling method: Random selection

Control: Users have unique IDs.
Evidence-gathering technique: Interviews of relevant IS personnel; extraction of system parameters; data interrogation
Evidence collected: User policy and procedure; user listing report from the system; ACL/IDEA report showing results obtained; manual Excel sheet showing results obtained
Sampling method: Random sampling, or an IS auditor performing a 100 percent review of the population by finding duplicate user IDs using CAATs (ACL/IDEA)

Control: Systems are protected through strong passwords.
Evidence-gathering technique: Interviews; extraction of system parameters
Evidence collected: User policy and procedure; system configuration/screen prints for the password policy
Sampling method: No sampling, as this is an automated control (As noted previously, additional testing may be required on some systems.)

Control: Privileged roles (administrator) have been granted to appropriate personnel.
Evidence-gathering technique: Extraction of system parameters
Evidence collected: Policies and procedures; user listing/role reports; job descriptions
Sampling method: A 100 percent review of the population by extracting users with administrator rights using CAATs (ACL/IDEA); random sampling

and help-desk functions. Figure 3 provides examples of IT controls, the technique that can be used to gather evidence and the sampling method that can be used.

Conclusion

Quality evidence collected during the audit process enhances the overall quality of the work performed and significantly reduces audit risk. Failure to collect quality evidence may result in the auditor or company facing litigation, loss of reputation and loss of clientele. It is important to ensure that the audit evidence obtained from the auditee is of high quality and supports the understanding of the IT control environment.

Endnotes
1 Cascarino, Richard E.; Auditor's Guide to Information Systems Auditing, John Wiley & Sons, 2007
2 American Institute of Certified Public Accountants (AICPA), AU Section 326 Audit Evidence, www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU00326.pdf
3 Aasmund, Eilifsen; Auditing and Assurance Services, 2nd International Edition, McGraw-Hill, p. 122-127
4 Gleim, Irvin N.; CIA Part 2, 13th Edition, 2009
5 Holtby, Adam; "The ITIL process maturity framework can help identify improvement opportunities," Ovum, 3 February 2012, http://ovum.com/2012/02/03/the-itil-process-maturity-framework-can-help-identify-improvement-opportunities/
6 ISACA, COBIT Assessment Programme, www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
7 ISACA, G10 Audit Sampling, IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, 2010, www.isaca.org/standards
8 Rajamani, Baskaran; "Certifying Automated Information Technology Controls: Common Challenges and Suggested Solutions," Deloitte, www.deloitte.com/view/en_CA/ca/services/ceocfocertification/c1fcfa9d452fb110VgnVCM100000ba42f00aRCRD.htm
9 African Organization of English-speaking Supreme Audit Institutions (AFROSAI-E), Regularity Audit Manual, 2010
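As an added example (not from the article and not the output of any CAAT product it names), the Python script below carries out, over a constructed user listing report, the evidence-gathering steps that the sampling discussion and figure 3 describe: a 100 percent review of the population for duplicate user IDs, extraction of every account holding a privileged role for comparison against job descriptions, and a reproducible random or systematic sample of a population when a manual control is being tested. The column names, the role labels and the seven sample rows are assumptions constructed for the example.

```python
"""Added example (not part of the ISACA Journal article): CAAT-style checks and
statistical sampling over a constructed user listing report."""
import csv
import io
import random
from collections import Counter

# Constructed "user listing report" as an auditor might export it from a system.
# The columns, role labels and rows are assumptions made for this example;
# note the deliberately duplicated user ID "jdoe".
USER_LISTING_CSV = """user_id,display_name,role,created
jdoe,John Doe,Administrator,2011-03-02
asmith,Anna Smith,User,2011-05-14
bwong,Ben Wong,User,2011-06-01
jdoe,Jon Doe,User,2011-09-30
mkhan,Maya Khan,Administrator,2012-01-12
ralli,Rita Alli,User,2012-02-20
ssung,Sam Sung,User,2012-02-21
"""


def load_listing(text):
    """Parse the exported listing into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_user_ids(rows):
    """100 percent review of the population: every user ID that occurs more than
    once. Each hit is an exception against the 'users have unique IDs' control."""
    counts = Counter(r["user_id"] for r in rows)
    return sorted(uid for uid, n in counts.items() if n > 1)


def privileged_users(rows, privileged_roles=("Administrator",)):
    """100 percent review: extract every account holding a privileged role so the
    auditor can compare each one against job descriptions and approvals."""
    return [r for r in rows if r["role"] in privileged_roles]


def random_sample(rows, size, seed):
    """Statistical (random) sampling. The seed is recorded in the workpapers so a
    reviewer can regenerate exactly the same selection."""
    if size > len(rows):
        raise ValueError("sample size exceeds population")
    return random.Random(seed).sample(rows, size)


def systematic_sample(rows, size, start):
    """Statistical (systematic) sampling: every k-th item from a chosen starting
    point, where k is the population size divided by the sample size."""
    if size > len(rows):
        raise ValueError("sample size exceeds population")
    k = len(rows) // size
    if not 0 <= start < k:
        raise ValueError("start must lie within the first sampling interval")
    return [rows[start + i * k] for i in range(size)]


if __name__ == "__main__":
    listing = load_listing(USER_LISTING_CSV)
    print("duplicate user IDs:", duplicate_user_ids(listing))
    print("privileged users:", [r["user_id"] for r in privileged_users(listing)])
    print("random sample:", [r["user_id"] for r in random_sample(listing, 3, seed=2012)])
    print("systematic sample:", [r["user_id"] for r in systematic_sample(listing, 3, start=1)])
```

The two 100 percent reviews return the full exception list rather than a sample, matching the "no sampling" treatment the table gives to automated checks over the whole population; the two sampling functions are only for manual controls, where the sample size itself still has to be set from the reliance, risk and frequency factors listed above.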


Project Portfolio Management

Aarni Heiskanen, LJK, is a partner at Thinking Business Group. He has 10 years of experience in strategic portfolio management and has consulted for several global organizations. Heiskanen is a codeveloper of Thinking Portfolio, an online tool for project and asset portfolio management. Heiskanen can be reached at [email protected].

A program or project portfolio explains how an organization is implementing its strategy with projects. If product management answers the question "Are we managing the projects correctly?", then project portfolio management answers the question "Do we have the right projects?"

Development Projects Usually Fail, Except by Chance

Although an increasingly larger part of organizational development takes place in projects, only one out of four development projects succeed. Projects are easy to start, but hard to finish.

Project Selection

The reasons for project failures can usually be ascertained by determining what has happened before, during and after a project. Unsuccessful projects are often caused by:
- Poor planning
- Lacking or fuzzy project ownership
- The lack of a business case
- No explanation of the project's affiliation with, and effect on, the corporate architecture
- Inadequate preparation, which leads to a project that solves the wrong problem or solves the right problem in the wrong way

Project Preparation

For a project to succeed, the choices made at the next phase are crucial. These choices include the selection of the project manager, project team and steering group. However, if a project does not have sound starting points, even a good team could fail to save a project.

Implementation Plan

An inadequate implementation plan is the final factor that can sabotage an otherwise successful project performance. After a project has been completed, there is a tendency to focus on the next project, neglecting to confirm the utilization of the results. Proper subsequent appraisals


that compare the results to the stated objectives should be included in development projects. This feedback is necessary to improve the project portfolio management process and the project evaluation criteria. Appraisals are a way to educate management on how to set effective goals and how to ensure that those goals can be achieved through projects.

Why Is It So Hard to Identify the Right Projects?

Problematic project choices are often structural. Roles and rules are missing in the organization, making it impossible to render feasible decisions. Factors that can lead to bad decisions include:
- The organization sees the project as a solution for all challenges; there are too many projects going on at once, and starting a new project is easy.
- Management lacks criteria to evaluate projects.
- Decision makers finance their own pet projects.
- Technology is an end in itself; there is a desire to implement new technologies quickly even if they lead to incompatibilities with the corporate architecture.
- Management lacks a coherent way to align projects with strategic objectives.
- Organizations are unable to manage the totality; the lack of an overall grasp often results in overlaps and inefficient scheduling.

Project Portfolio Management as a Solution to Program Problems

Project portfolio management (PPM) is the management of an organization's development projects as a totality that systematically and consistently implements an organization's strategy. There are prerequisites for successful program management, including:
- Unified concepts and a consistent management model
- A management process in which the project portfolio has a designated task
- Tools that enable the management and project organizations to communicate the status of planned, current and completed programs

Figure 1: Principles of Project Portfolio Management
Manage strategically. Manage the totality. Evaluate using consistent criteria.
Building blocks: unified concepts; consistent management model; process and framework; tools
Source: 2011 Thinking Portfolio

Figure 1 shows what is required from the organization for successful project portfolio management.

Results

Organizations that have adopted project portfolio management as a tool have been able to reduce the percentage of unsuccessful programs. Success happens when a project's operations have reached a sufficient level of maturity throughout the entire organization, for example, in a group.

Terms Related to Project Portfolio Management

When an organization is considering using project portfolio management, the first practical and necessary step is to standardize the conceptual terminology to avoid any possible misunderstandings.

The concepts and exemplary definitions associated with project portfolio management include:
- Strategy: A plan concerning long-term goals and choices, as well as the means for their implementation
- Program: A coordinated group of projects generating benefits and operational efficiencies that could not be achieved if the projects were being managed separately
- Project: A fixed-term endeavor undertaken to achieve a one-off product, service or result
- Project portfolio: The entity formed by the projects, in which the strategic objectives are common and the projects share the use of the same resources

In many organizations, the concepts of program and project are identical in terms of their content. The term program presented here represents an aggregate consisting of several projects.

Discuss and collaborate on project portfolio management in the Knowledge Center: www.isaca.org/topicproject-program-portfoliomanagement-p3m

The Project Portfolio's Administrative Tasks

The project portfolio's management consists of the specification of the portfolio, the inclusion of programs in the portfolio and the balancing of the portfolio.

Specification of Evaluation Criteria

Portfolio criteria are measured as expressed by an organization's strategy or as estimated variables. Portfolio criteria are suited to classification and evaluation; they can be financial, strategic or tactical. Portfolio criteria change with strategic changes. The criteria should be sufficiently comprehensive, but at the same time universally applicable to facilitate the satisfactory depiction of all types of programs. Massachusetts Institute of Technology (MIT)'s Peter Weill lists four main criteria for IT programs imported to the project portfolio, which are shown in figure 2:¹
1. Infrastructure programs, which develop an organization's information and communication technologies (ICT) infrastructure and target, for example, the advantages of scale, standardization and integration
2. Operational process/transactional programs, which develop business processes and their information management while cutting costs and increasing productivity
3. Informational programs, which generate solutions related to management and communications that also aim at, for example, improved information quality and availability
4. Strategic programs, which management has specified as a strategy and that create, for example, a competitive advantage or market growth


Figure 2: Project Portfolio Based on Main Objectives. Informational: increased control, better information, better integration, improved quality. Transactional: cut costs, increased throughput. Strategic: increased sales, competitive advantage, competitive necessity, market positioning, innovative services. Infrastructure: business integration, business flexibility and agility, reduced marginal cost of business units' IT, reduced IT costs over time, standardization. (Source: 2011 Thinking Portfolio)

Many companies classify programs according to their focus by utilizing balanced scorecard (BSC) perspectives (i.e., financial results, customers, processes, personnel and growth). From the standpoint of ICT programs, an important criterion is the relationship of the program to various architectures: corporate, informational, applications and technology. The program can rely on existing architectures, deviate from them or even require entirely new architectures. Financial criteria include, for example, payback period, return on investment (ROI) or turnover effect. Tactical criteria include assessment factors related to risk, quality or customer satisfaction.

Specification of Other Descriptive Information

Other possible program-related descriptive information can include, for example:
- Basic program or project information, e.g., owner, time schedule, budget, composition of steering group, project's key personnel
- Decision-making situation
- Program's users: organizations or processes
- Program's means of implementation
- Program results
- Tracking information

Portfolio Inclusion

Portfolio inclusion entails the program's description, classification and evaluation. The person submitting new program proposals describes and classifies the program according to the aforementioned criteria. After a program has been described, a portion of its data remain unchanged, unless management decides otherwise. Information related to the project's tracking, on the other hand, is updated regularly.

Balancing the Portfolio

The owner of the project portfolio evaluates the program proposals. The organization can weigh the programs according to, for example, their risk, size or resource allocations. The number of proposed programs in an organization generally exceeds the available resources that would have to be deployed to manage them. Strategic criteria, the organization's snapshot and the resource situation require prioritization decisions that can be made for new and ongoing programs (see figure 3).

Figure 3: Prioritization Decisions. Active projects: terminate, suspend, mothball, continue with changes, continue as planned. Project proposals: discard, mothball, start with changes, start as proposed. (Source: 2011 Thinking Portfolio)

One of the project portfolio's success factors is that it offers the possibility to suspend programs whose continuation would no longer be sensible as a result of, for example, a changing business situation. Without the portfolio, the decision to suspend a program can be extremely difficult because it is often based on assumptions instead of knowledge.

One or Many Portfolios?

Project portfolio management sets no limits on the number of portfolios. Some companies handle all programs in a single portfolio, while others prefer to assemble the programs in several portfolios. One way to think about portfolios is to see them as views of the entire program and project stack. For example, an ICT infrastructure development project is in the information management portfolio, but is simultaneously a part of a certain development program affecting the entire company.

Project Portfolio Start-up

The project portfolio's start-up is not just a management tool for procurement and teaching. What is more important is to bring the entire organization to a level of maturity at which the desired competence level for portfolio management is possible. In a group, for example, this could mean the management of all common group projects and their resources, according to the portfolio model.

Start-up Tasks

The start-up of the project portfolio entails the following five main tasks:
1. Management commitment and targets: A clear justification for the project portfolio's start-up, targets and commitment to them
2. Planning of management model: The way in which portfolio management is linked to the organization's management processes, e.g., strategic planning, budgeting, the management of resources and decision making
3. Specification of project portfolio: Portfolio inclusion criteria and other portfolio information
4. Description of management process: Parties, roles, tasks and decisions
5. Organization: Required tools, phased start-up, necessary support and instructions

Many companies have begun using the project portfolio in connection with ICT programs. In that case, information management functions as a pioneering operational model and example to business operations. In any case, ICT upgrades are now a part of almost all business development activities.

Integration With the Organization's Planning System

In many organizations there is a planning cycle, a so-called anniversary clock, that repeats annually. The project portfolio can be joined to this planning system at various points. When planning strategic implementations, the project portfolio is an essential tool because organizations often develop their operations through projects. In budgeting processes, the project portfolio provides information concerning ongoing and planned programs. The project portfolio also provides data on the use of key resources and strategic implementation.

Program Process

Development programs can originate from different starting points (see figure 4). Certain projects are discretionary, while others can be considered mandatory, such as projects arising as a result of revised legislation. In any case, a documented business case should be required for any program whose addition to the project portfolio has been proposed. Although the writing of a business case is the task of the program's future owner, the parties eventually benefiting from the results of the program should participate in its formulation.

Figure 4: Project Decision-making Process. Flowchart with the steps: describe and evaluate the project idea; write a business case; evaluate the business case, and add to the portfolio; make a project plan (with revisions); initiate the project, and report it to the portfolio/manage the portfolio; evaluate results. Each step is followed by an "OK?" decision; a negative decision leads to "Stop developing the idea. Project is not added to portfolio at this moment." (Source: 2011 Thinking Portfolio)

Program Proposal

The writer of the business case presents it to members of the organization (e.g., management team or steering group) so that they can make a decision concerning the project portfolio. The business case must be evaluated according to the project's portfolio inclusion criteria, and a program decision must be made. If the program is extremely significant and comprehensive, its approval may require a decision by the enterprise's or a group's board of directors. In practice, the program decision can also mean a permission to draw up plans for projects associated with the program. If ongoing, program-related or independent projects are being processed, the decision-making group can make the start-up decision.

Management of Approved Program or Project

When the program or project has obtained start-up permission, certain situational and predictive information must be reported in the project portfolio. These data typically relate to budget and schedule realization, as well as the values of the selected quality indicators. Reporting during the project period is naturally the task of the project manager or program manager. The reporting schedule matches the steering group's meeting times. The executive group tracking the progress of the entire portfolio can intervene in the progress of a project if its implementation begins to deviate from the original plan. At times, it may be necessary for the executive group to prioritize programs and suspend or terminate a program or project before the date originally scheduled.

Figure 5: Project Distribution by Strategic Goals (project person-days and number of projects by main strategic goal; goals shown: best customer experience in the industry, productivity in 2012 +20%, expansion to developing markets, most energy efficient operator, learning organization. Source: 2011 Thinking Portfolio)

The Project Portfolio as a Communications Tool

At its best, the project portfolio promotes an open management culture. Within a specified scope, program proposals, project situations and results can be open to the entire organization. The reports generated from the project portfolio are not just lists of monetary amounts or person-workday quantities. The project portfolio depicts an organization's strategy. It tells where the organization is headed and how it will get there (see figure 5). Communications should be clear and understandable. Visual presentations provide a quick overall view of the portfolio from different viewpoints. Examples of overviews are shown in figures 6 and 7.

Tools for Managing the Project Portfolio

The project portfolio's management is not solved with tools, but the project portfolio's information must be communicated to management in some way. Many begin using the project portfolio by simply assembling it with a spreadsheet program. The table's row describes a single project and the columns describe its classification, evaluation and basic information. The table is a flexible tool, but its simultaneous use by the user and organization requires special arrangements.

(Figure 5 legend: project person-days and number of projects by main strategic goal. Source: 2011 Thinking Portfolio)

Completion

A completed program or project is not deleted from the project portfolio. It continues to be included, but with a different status. Within a certain specified time, its results must be evaluated and compared with the targets stated in the project portfolio.


Figure 6: Example Annual Cash Flow Effect of Projects in Portfolio (years 2010 to 2014; net cash flow as returns and savings against project, investment and maintenance cost. Source: 2011 Thinking Portfolio)

Figure 7: Example Risk, Profitability and Budget of Projects Chart (projects A to F plotted by risk level, from low to very demanding, against profitability, from average to high; each label gives the project and its budget. Source: 2011 Thinking Portfolio)

Many organizations have implemented a project portfolio according to their own specifications based on a modified database. In such cases, multiple users have the opportunity to edit, browse and report on the project portfolio's content simultaneously and concentratedly. A few commercial project portfolio applications, most of them extensions of project management programs, exist. There are only a few independent project portfolio programs on the market. When selecting tools, one must keep in mind that they are meant to be used by management and, thus, must be intuitive and easy to use.

Conclusion

PPM helps align projects with the strategy of the organization. It improves the success rate of projects because it introduces a managed process of turning ideas into projects and projects into business results. Organizations using PPM make good use of their resources and are able to invest in opportunities that matter the most in their future.

Endnote

¹ Weill, Peter; Managing the IT Portfolio: Getting More Value From IT Investments, Microsoft Solutions Forum, USA, 2004


Feature

Haruspex: Simulation-driven Risk Analysis for Complex Systems

Fabrizio Baiardi is a professor in the Department of Computer Science at the University of Pisa, Italy. Claudio Telmon, CISA, CISSP, is a freelance consultant in ICT security and risk management. He also cooperates with the University of Pisa's Department of Computer Science on the same topics. He is a member of the ISACA Milan Chapter. Daniele Sgandurra, Ph.D., is a postdoctorate researcher at the Institute of Informatics and Telematics, National Research Council (CNR), Pisa, Italy.

Haruspex¹ is a risk evaluation methodology defined and implemented by the research group on risk management in the Department of Computer Science at the University of Pisa, Italy. It may be adopted in various risk assessment and management frameworks to evaluate the probability that an intelligent threat agent could successfully implement a multistep attack. The framework should be paired with others to discover these threats, the vulnerabilities they can exploit and the assets to be protected.

The Problem

A well-known problem with risk evaluation in IT security is that the estimation of the probabilistic component of risk is currently very difficult and highly subjective.²

When dealing with IT security risk, intelligent threats (or intelligent threat agents) trying to violate the security policies of an organization are usually considered. Each agent has some goals to achieve (e.g., some system components to control) and aims to minimize the effort to achieve these goals. The risk posed by each threat agent is a monotone, increasing function of both the impact of his/her attacks and the probability that these attacks are successfully implemented. In other words, in general one can assume that the risk posed by a threat increases with the impact of an attack implemented by the threat and/or the probability that the threat can successfully implement the attack. The Haruspex methodology is not focused on a detailed definition of risk; instead, it is a methodological framework with supporting tools intended to evaluate the probability that an intelligent threat can select and implement an attack against a system that results in an impact, e.g., a loss, for the owner of the systems. Haruspex computes this probability as a function of elementary factors that can be more easily evaluated in an assessment. The analyst can use the probability returned by Haruspex to compute the resulting risk, according to the adopted definition, and to evaluate and select effective and cost-effective countermeasures to reduce this risk.

The evaluation of the impact of an attack may be difficult (consider, for example, the reputational damage), but it remains a common practice for organizations, and proper methodologies are available.³ A rather more complex problem is the evaluation of the success probability of an attack by an intelligent threat agent. The agent implements complex attacks,⁴ each requiring several steps. Each step corresponds to a simple, or elementary, attack against a single system component; by composing all the simple attacks, the agent reaches its final goal. Usually, an organization relies on the expert performing the assessment to evaluate the probability that the threat agent successfully implements a complex attack. However capable this expert may be, this evaluation will be subjective and disputable, because the external and internal factors that can affect the success probability are too many and too difficult to evaluate in the case of IT systems.

The problem of interest cannot be solved in terms of experimental data. First of all, given how fast things change in IT, even large sets of experimental data on successful or attempted attacks are of little use and often refer to a too small and heterogeneous set of systems. Furthermore, experimental data for complex attacks are usually not available because organizations are not willing to share them, as this may result in leaking information on internal processes.

Haruspex Methodology

Haruspex deals with the aforementioned problem by applying a divide-and-conquer approach that decomposes the probability of interest in its components and deals with each of them separately. While this decomposition simplifies the evaluation of the factors that influence the success probability of attacks, it introduces a problem: how to define and implement the complex procedure to evaluate the actual risk in terms of the large number of factors resulting from the decomposition. Haruspex deals with this problem by implementing a simulation of threat agents and the attacks they implement and by collecting the relevant statistical data from the simulations. In this perspective, the system is modeled as a set of components interacting through channels.⁵ These channels are also those the threat agents exploit when attacking one component from another, provided that they have gathered the required privileges. The level of detail in the representation of the system components can be easily adapted to the analysis requirements, reducing the time and effort to collect useful data. The proposed model can also represent users as further components that can be attacked through such methods as spear phishing.⁶ After successfully attacking a user, the user rights can be exploited to implement further attacks.

Figure 1 further describes the system model of Haruspex. In this diagram, solid arrows represent legitimate interactions between components. Dotted arrows represent the initial (legitimate) access rights for the threat agent. In the example, the threat agent can access the public web application and send email messages to the system users. Let us assume that the goal for the threat agent is read access to DB2, the name of an internal database. In figure 2, attack paths through the system are represented with solid arrows. (For the sake of simplicity, just a few paths are shown.) The combination of many solid arrows represents the complex attacks that may lead the threat agent to DB2, which is the agent's goal.

Figure 1: Legitimate Interactions in the Haruspex Model (components: Internet, Threat, Webserver/Webapp, Mail, DBMS with DB1 and DB2 and an escalation channel between them, Manager, Admin, User)

Read Risk IT: www.isaca.org/riskit

Learn more about, discuss and collaborate on risk assessment and risk management in the Knowledge Center: www.isaca.org/knowledgecenter


The threat agent can acquire new access rights to components in two ways:
- By attacking a component: This requires the discovery of a vulnerability in the component and enough resources, knowledge and time for the threat agent to take advantage of the vulnerability.⁷
- By deploying the access rights of an already compromised component (e.g., a user or an application): For example, after successfully compromising an administrative component through a spear-phishing attack, a threat can then deploy administrative access rights to the database management system (DBMS).

Figure 2: Attack Paths Against a System (the components of figure 1 with attack paths drawn as solid arrows: a remote exploit from the Internet against the web server/webapp; a weak password/DBMS exploit on the DBMS, with escalation from DB1 to DB2; phishing against the manager, admin and user; and a local LAN exploit)

In a complex attack, a threat exploits a vulnerability in the web application and, from there, legitimately accesses DB1. From DB1, the threat can exploit a vulnerability in the DBMS for a privilege escalation, gaining legitimate access to DB2. A second path, presumably easier to deploy, involves attacking a manager component with spear phishing, and then legitimately accessing DB2.


Figure 3: The Attack Graph With the Attack Paths Against the System From Figure 1 (nodes: Internet, Webapp/Web Server, PC Admin, PC User, PC Manager, Admin, DB1, DBMS/DB2; edges labeled phishing, remote exploit, local DBMS exploit and privilege escalation)

All these attack paths can be represented in an attack graph,⁸ shown in figure 3, where the dotted arrows represent the first of the two complex attacks previously outlined. For the sake of clarity, nodes are represented as components, whereas in the Haruspex methodology they represent sets of privileges. For a formal discussion of both the model and the methodology, please refer to the publication A Simulation-driven Approach for Assessing Risks of Complex Systems.⁹

While an attack graph can represent all possible complex attacks a threat can implement, it does not allow one to determine the complexity of each attack, the probability that all the required vulnerabilities are actually present in the system or how easily the threat can exploit them. In short, an attack graph does not support the evaluation of whether the agent can successfully implement the attack described by each path. Therefore, the Haruspex methodology introduces a probabilistic component in the overall description: Each vulnerability has a probability of existing and being discovered (by the threat) in a given time frame, and each attack has a probability of being successfully implemented, depending on many factors. For example, even if a weak password vulnerability exists in an authentication scheme, and the threat has the resources and knowledge required to deploy it, it still may be unable to recover a valid password in the defined time frame. It may seem that nothing was gained, since probabilities still need to be evaluated, and now the analysis of the attack graph is more complex due to the probabilities that have been introduced. However, these probabilities can be determined more easily than those of a complex attack. In other words, it is easier to evaluate the success probability of one step in a path (e.g., a single attack), than the success probability of the entire path (e.g., a complex attack). This is also confirmed by other approaches that define the various factors that influence the occurrence of an event.¹⁰

For example, one can consider the path corresponding to a complex attack that includes a spear-phishing attack against a user component, an attack on the local area network (LAN) to the manager's personal computer (PC) and a legitimate access to DB2. The probability of a user being vulnerable to spear-phishing can be locally evaluated, e.g., through a penetration test simulating this specific attack. The probability of a PC being vulnerable to attacks from another PC on the same LAN can be evaluated based on the frequency of security bulletins for the adopted operating system and related to this kind of vulnerability.

These few examples show that in the proposed model, the success probability of a complex attack is derived from the probabilities of local and more measurable factors. However, the overall complexity cannot disappear, as confirmed by the increase in the complexity of the analysis of an attack graph with a probabilistic component. Haruspex faces this problem by applying the Monte Carlo¹¹ method, a well-known and widely applied strategy to collect statistical data on complex events when no mathematical model of the event is available. The Monte Carlo method can be explained with a simple example. If one wants to know the probability of a specific sequence of cards in a game that is too complex to calculate the result, one can play several hands of the game and count how often the card sequence appears. Provided that one plays enough hands, the count will be a good approximation of the actual probability.

Before explaining the role of the Monte Carlo method in the Haruspex methodology, it is important to consider how threats, or better threat agents, are modeled. Dealing with IT security, one focuses on intelligent threat agents (i.e., agents with their own resources, a strategy and usually goals with an impact). A nonintelligent threat can be modeled as a threat with a strategy based on random or fixed behavior. Intelligent threats will have the ability to select their actions based on many factors, including possible countermeasures. A key point is that, as already mentioned, Haruspex does not support an analysis to discover which threats may attack the system, or the frequency or reason why they will attack the system; this evaluation is left to other methodologies that the analyst can freely select.¹² But, if the analyst decides that a given threat will attack the system, Haruspex will evaluate the probability of that threat reaching some or all of its goals and impacting the system. In this way, the selection of the threats and their interest in the system can be dealt with separately in the risk-evaluation process.

To better explain how Haruspex uses the Monte Carlo method, let us consider another application of the method: the computation of the area under a convex curve that lies in a finite rectangle. To compute the area of interest, one can generate a number of independent random points (n) that are uniformly distributed within the rectangle; the two coordinates, for example, are uniformly distributed for each side of the rectangle. Then, the area delimited by the curve can be approximated by the product of the area of the rectangle multiplied by the percentage of generated points that have fallen under the curve. As an example, a unit square and the circle inscribed in this square have a ratio of areas that is π/4. Hence, the value of π can be approximated with the Monte Carlo method previously described. The error in the approximation can be reduced by increasing n, by improving the uniformity of the point distribution in the rectangle and by assuring that successive points are independent. Obviously, some proper deterministic algorithms have to be selected to generate the points.

The value that Haruspex tries to approximate is the probability that a threat succeeds in implementing a complex attack. The adoption of the Monte Carlo method implies that Haruspex simulates several times, in distinct experiments, the attacks implemented by the threat, and computes the success probability according to the number of times the threat is successful. A single experiment would be useless, since it would be biased by the specific values selected to generate the random values in that experiment. Data are collected in each experiment to compute the relevant statistic values, and confidence in these statistics increases with the number of experiments.

In each experiment, Haruspex simulates a set of agents, each trying to achieve some goals. Each threat agent starts with his/her set of privileges and has access to a set of resources in the system (e.g., public resources or the ones available for an internal role).¹³ At each simulation step, corresponding to a time slice (e.g., one day):
- The simulator computes the vulnerabilities that the threat agent discovers in that time slice.
- According to the resources, strategy, privileges and available vulnerabilities, each threat tries to advance by selecting and implementing an attack to acquire further privileges through some of the available vulnerabilities.
- Based on the success probability of the selected attack, the simulator computes whether the attack is successful and grants to the threat agent the additional privileges it has possibly acquired. The threat agent will deploy them in the next time slice.

It is assumed that the success probability of the attack makes it possible to model the various factors, such as the time when the attack is attempted or the existence of controls that may detect the attack, that influence the success of the attack. In each simulated time step, Haruspex repeats the discovery of vulnerabilities and the implementation of attacks by the threats until the experiment ends, because either all the threat agents reached their goals or all the time slices were consumed.

Provided the number of experiments is rather high, the analyst can collect enough statistical data on successful attacks to be able to answer, with confidence, the question: If this threat were to attack the system, what would be the probability that the threat would achieve some goals and cause an impact? Or, given a proper definition of risk: What is the risk associated with an attack by the threat? What makes Haruspex unique with respect to other methodologies and other tools is its ability to join the Monte Carlo method for the probabilistic part of the model with the intelligent behavior of threat agents.

The ability to support accurate and specific countermeasure selection, both in design and audit, is something especially useful in Haruspex. First of all, several other methodologies assume that countermeasures remove vulnerabilities. This is seldom true; instead, countermeasures usually reduce the success probability of attacks or the existence probability of a vulnerability.
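As an added illustration of the simulation loop just described (time slices, vulnerability discovery, attack selection, success test and privilege acquisition) and of a countermeasure modeled as a reduction of an attack's success probability rather than the removal of a vulnerability, here is a small Monte Carlo simulator. It is example code written for this page, not the Haruspex prototype; the attack graph, its probabilities and the greedy agent strategy are constructed assumptions loosely following the article's figure 2 scenario (an Internet threat whose goal is read access to DB2).

```python
"""Monte Carlo estimate of an intelligent threat agent's success probability.

Added example, not the Haruspex prototype: in each time slice the agent
discovers vulnerabilities, selects one elementary attack enabled by the
privileges it holds and succeeds with that attack's probability; repeating
the experiment many times estimates the success probability of the complex
attack. Graph, probabilities and strategy are constructed assumptions.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Attack:
    """One elementary attack: a channel from a held privilege to a new one."""
    name: str
    requires: str        # privilege the agent must already hold
    grants: str          # privilege acquired if the attack succeeds
    p_discover: float    # probability the vulnerability is discovered in a slice
    p_success: float     # probability a single attempt succeeds


# Constructed attack graph following the article's figure 2 scenario. Legitimate
# channels (DB1 access from the compromised web application, DB2 access from the
# manager's PC) are modeled as attacks that are always available and succeed.
ATTACKS = (
    Attack("remote_exploit_webapp", "internet", "webapp", 0.30, 0.50),
    Attack("legit_access_db1", "webapp", "db1", 1.0, 1.0),
    Attack("dbms_privilege_escalation", "db1", "db2", 0.10, 0.40),
    Attack("phishing_manager", "internet", "pc_manager", 0.60, 0.30),
    Attack("legit_access_db2", "pc_manager", "db2", 1.0, 1.0),
)


def run_experiment(attacks, start, goal, slices, rng):
    """One experiment: returns the time slice in which the goal privilege was
    acquired, or None if all time slices were consumed first."""
    privileges = {start}
    discovered = set()
    for t in range(1, slices + 1):
        # 1. Vulnerabilities the agent discovers in this time slice.
        for a in attacks:
            if a.name not in discovered and rng.random() < a.p_discover:
                discovered.add(a.name)
        # 2. Attacks enabled by discovered vulnerabilities and held privileges.
        enabled = [a for a in attacks
                   if a.name in discovered
                   and a.requires in privileges
                   and a.grants not in privileges]
        if not enabled:
            continue
        # Constructed greedy strategy: attempt the attack most likely to succeed.
        chosen = max(enabled, key=lambda a: a.p_success)
        # 3. Outcome; newly acquired privileges are deployed from the next slice.
        if rng.random() < chosen.p_success:
            privileges.add(chosen.grants)
            if goal in privileges:
                return t
    return None


def estimate_success(attacks, start, goal, slices, experiments, seed=1):
    """Fraction of independent experiments in which the agent reached the goal."""
    rng = random.Random(seed)
    hits = sum(run_experiment(attacks, start, goal, slices, rng) is not None
               for _ in range(experiments))
    return hits / experiments


def standard_error(p, n):
    """Standard error of the estimated proportion; shrinks as experiments grow."""
    return (p * (1.0 - p) / n) ** 0.5


def apply_countermeasure(attacks, name, factor):
    """A countermeasure seldom removes a vulnerability; here it scales one
    attack's success probability by `factor` (e.g., 0.25 for targeted training)."""
    return tuple(replace(a, p_success=a.p_success * factor) if a.name == name else a
                 for a in attacks)


if __name__ == "__main__":
    N = 20_000
    base = estimate_success(ATTACKS, "internet", "db2", slices=30, experiments=N)
    print(f"baseline               {base:.3f} +/- {standard_error(base, N):.3f}")
    # Compare alternative countermeasures in distinct simulations.
    for label, target in (("manager training", "phishing_manager"),
                          ("DBMS hardening", "dbms_privilege_escalation")):
        hardened = apply_countermeasure(ATTACKS, target, 0.25)
        p = estimate_success(hardened, "internet", "db2", slices=30, experiments=N)
        print(f"{label:<22} {p:.3f} +/- {standard_error(p, N):.3f}")
```

Running the script prints the baseline success probability and the value obtained with each countermeasure, each with its standard error, so that alternative sets of countermeasures can be compared at a given confidence.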
On the other hand, Haruspex supports the evaluation of countermeasures in the general case.

To show how Haruspex can be used, let us take a case in which some procedure has been defined to select a proper set of countermeasures according to their cost, the number of agents they can stop or some proper combination of these factors. Haruspex is not involved in the selection process, but given a set of countermeasures that reduce the success probability of some attacks, it can be used to implement a new simulation to evaluate the actual overall risk reduction enabled by the selected countermeasures. In this way, the effectiveness of alternative sets of countermeasures can be evaluated in distinct simulations to discover the most cost-effective one. In the previous example, DBMS hardening, while probably more expensive, may be less effective than a targeted training for managers against phishing and the activation of segregation controls on network devices for network traffic.

Usability

The adoption of Haruspex to evaluate real systems poses two main problems: the complexity of system modeling and the evaluation of the local probabilities for component vulnerabilities and attack success. With respect to system modeling, Haruspex does not force the modeling of the entire system from the beginning at the same detail level. For example, the analysis that has been previously outlined represents the web server/web application component as a single component. If a more in-depth analysis of this component is required to select the most effective countermeasures, this analysis can decompose or zoom in on this component. Provided that the same relations with other components are maintained, the exploded subsystem can replace the original component without changing the rest of the system model. In this way, a high-level analysis can be quickly performed, adding more details afterward. Vulnerabilities, attacks and their probabilities must be assigned to the entire component; however, an additional feature of Haruspex is that probability ranges can be tested with simulations to assess how much a change in a local probability affects the overall risk. In some cases, this may avoid a useless effort in defining a precise value for a not-so-relevant probability.

Haruspex also encourages the creation of libraries of predefined components, each with its vulnerabilities and probabilities, that can be made available to analysts in an interface for system modeling. For example, a Windows 7 desktop with its typical applications is a component that is almost the same in distinct organizations and can be defined with its typical attack channels and the probability of the related vulnerabilities (see figure 4). These probabilities can be based on the frequency of bulletins and on the data shared among organizations, and could then be personalized by the analyst for a specific organization (e.g., according to local configuration policies and patch management).

Figure 4: Vulnerabilities of a Standard Component (diagram). Attack channels shown for the PC: Removable Media Trojan, Unpatched Local Browser Exploit, Unpatched Local Privilege Escalation, Unpatched Local LAN Exploit, Phishing; target node: PC Admin.
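As an added illustration (not Haruspex's own code, and not part of the article), the following Python model reproduces on the Windows 7 desktop component of figure 4 the two uses described above: comparing the overall risk reduction per cost unit of two countermeasure sets, and sweeping one local probability through a range to see how much the overall risk moves. Every component, attack, probability and cost is constructed; `simulate` is a one-shot Monte Carlo agent that tries each attack at most `attempts` times per run, and `exact` enumerates all outcomes as a check on the estimate.

```python
# Added illustration (not Haruspex code): component/attack model with a Monte Carlo
# goal estimate, countermeasure comparison and sensitivity sweep; all values constructed.
import itertools
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    name: str
    requires: frozenset  # rights the agent must already hold
    grants: str          # right gained when the attack succeeds
    p: float             # local success probability of one attempt

# Constructed model: a Windows 7 desktop (the channels of figure 4), a web
# server and the DBMS holding the data the agent wants.
ATTACKS = (
    Attack("phishing", frozenset({"internet"}), "desktop_user", 0.40),
    Attack("browser_exploit", frozenset({"internet"}), "desktop_user", 0.10),
    Attack("removable_media_trojan", frozenset({"physical"}), "desktop_user", 0.50),
    Attack("priv_escalation", frozenset({"desktop_user"}), "desktop_admin", 0.60),
    Attack("lan_exploit", frozenset({"desktop_admin"}), "dbms_data", 0.30),
    Attack("sql_injection", frozenset({"internet"}), "web_server", 0.10),
    Attack("web_to_dbms", frozenset({"web_server"}), "dbms_data", 0.30),
)
INITIAL = frozenset({"internet"})  # the agent starts with Internet access only
GOAL = "dbms_data"
COUNTERMEASURES = {  # name: (cost units, changed local probabilities), constructed
    "dbms_hardening": (10, {"lan_exploit": 0.15, "web_to_dbms": 0.15}),
    "training_plus_segregation": (4, {"phishing": 0.10, "lan_exploit": 0.02}),
}

def apply(attacks, changes):
    """Copy of the attack set with the local probabilities in `changes` replaced."""
    return tuple(Attack(a.name, a.requires, a.grants, changes.get(a.name, a.p))
                 for a in attacks)

def reachable(attacks, successes):
    """Given which attacks succeed, propagate the agent's rights to a fixpoint."""
    rights = set(INITIAL)
    changed = True
    while changed:
        changed = False
        for a in attacks:
            if successes[a.name] and a.grants not in rights and a.requires <= rights:
                rights.add(a.grants)
                changed = True
    return GOAL in rights

def simulate(attacks, runs=20000, attempts=1, seed=1):
    """Monte Carlo estimate; the agent tries each attack at most `attempts` times."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        successes = {a.name: any(rng.random() < a.p for _ in range(attempts))
                     for a in attacks}
        hits += reachable(attacks, successes)
    return hits / runs

def exact(attacks, attempts=1):
    """Exact goal probability by enumerating all 2^n outcome vectors (small models)."""
    total = 0.0
    for outcome in itertools.product((False, True), repeat=len(attacks)):
        prob = 1.0
        for a, ok in zip(attacks, outcome):
            eff = 1 - (1 - a.p) ** attempts  # success within the attempt budget
            prob *= eff if ok else 1 - eff
        if reachable(attacks, {a.name: ok for a, ok in zip(attacks, outcome)}):
            total += prob
    return total

def compare(countermeasure_sets, attacks=ATTACKS):
    """Overall risk reduction per cost unit for each candidate countermeasure set."""
    base = exact(attacks)
    return {name: (base - exact(apply(attacks, changes))) / cost
            for name, (cost, changes) in countermeasure_sets.items()}

def sensitivity(attack_name, values, attacks=ATTACKS):
    """Overall goal probability as one local probability sweeps a candidate range."""
    return [(v, exact(apply(attacks, {attack_name: v}))) for v in values]
```

With these constructed numbers the cheaper training-plus-segregation set removes more risk per cost unit than DBMS hardening, and the sweep shows the browser-exploit probability matters far less than the phishing one, which is the kind of result that tells an analyst where a precise local estimate is worth the effort.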

This, in turn, could encourage information sharing between organizations (e.g., between computer security incident response teams [CSIRTs] or in industry associations). It is easier to share information on single components and their vulnerability frequencies than on entire complex attacks that may expose too much information on the organization policies and on impacts. In fact, a lot of statistical data are already collected by many companies (e.g., antivirus vendors). Local information could be collected by vulnerability assessment tools.

Conclusion

This article has presented the basic characteristics of Haruspex, but the potentialities of Haruspex are, by and large, still to be explored. For example, Haruspex can also model defenders as additional agents that try to close the vulnerabilities optimally (e.g., according to the information returned by sensors on the progress of threat agents in the system). The authors are currently planning several simulations to validate and evaluate the current prototype (see figure 5).

By returning important parameters that describe the behavior of threat agents, the attacks they can successfully implement and so on, Haruspex can also support the definition and evaluation of algorithms to select proper countermeasures. In fact, current strategies select countermeasures in terms of the attacks a threat may implement, rather than based on statistics of the attacks that the threat will actually implement and reach its goal. More accurate information on the attacks of a threat can result in a more realistic allocation of the limited resources of countermeasures to maximize the return on the investment.

Further applications of Haruspex are the simulation of modern worms that patch components once they have been conquered, or the modeling of threat strategies to select attacks. The simulation produces a huge amount of data on the system, the attacks and the threats, which can be used for data mining, looking, for example, for correlations between attacks.

Figure 5: Screenshot of the Haruspex Simulator Prototype

Authors' Note

The authors are interested in interacting with the ISACA community to apply Haruspex to real-world complex systems, so that the most useful and promising research paths can be explored. Another interesting open-source project that we would like to undertake is the development of libraries to describe standard system components. The authors can be contacted at [email protected]

Endnotes

1 The name Haruspex was originally the name of ancient forecasters from Tuscany who predicted the future by interpreting the entrails of sacrificed animals, mainly the livers of sheep and poultry.
2 Hubbard, Douglas W.; The Failure of Risk Management: Why It's Broken and How to Fix It, Wiley, USA, 2009
3 Risk Management Insight LLC; An Introduction to Factor Analysis of Information Risk (FAIR), November 2006
4 Camtepe, Seyit; Bulent Yener; Modeling and Detection of Complex Attacks, Security and Privacy in Communications Networks, 2007
5 Baiardi, Fabrizio; Claudio Telmon; Daniele Sgandurra; Hierarchical, Model-based Risk Management of Critical Infrastructures, Reliability Engineering & System Safety, September 2009
6 A spear-phishing attack is a phishing attempt in which a user is invited to access some dangerous site that injects malware into the user's machine. This attack is generally targeted against a small group of select users who are more likely to be attracted and behave as expected by the agent implementing the attack. For further references, refer to: Egelman, S.; L. Faith Cranor; J. Hong; You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, 26th annual SIGCHI Conference on Human Factors in Computing Systems, ACM, USA.
7 Baiardi, Fabrizio; Fabio Martinelli; Laura Ricci; Claudio Telmon; Constrained Automata: A Formal Tool for ICT Risk Assessment, NATO Advanced Research Workshop on Information, Security and Assurance, June 2005
8 Noel, Steven; Sushil Jajodia; Lingyu Wang; Anoop Singhal; Measuring Security Risk of Networks Using Attack Graphs, International Journal of Next-Generation Computing, July 2010
9 Baiardi, Fabrizio; Claudio Telmon; Daniele Sgandurra; A Simulation-driven Approach for Assessing Risks of Complex Systems, 13th European Workshop on Dependable Computing, May 2011
10 Kim, Jae-On; Charles W. Mueller; Introduction to Factor Analysis: Why It Is and How to Do It, Sage Publication, 1978
11 The Monte Carlo method takes its name from the well-known casino. It was first invented by Enrico Fermi and later adopted at Los Alamos, New Mexico, USA during the Manhattan Project, which resulted in the building of the first atomic weapons. For further details on the genesis of the method, refer to: Metropolis, Nicolas; The Beginning of the Monte Carlo Method, Los Alamos Science, no. 15, p. 125. For a more complete reference, see: Kroese, D. P.; Taimre, T.; Botev, Z. I.; Handbook of Monte Carlo Methods, John Wiley & Sons, USA, 2011.
12 Several methods and tools have been defined to discover and model the threat agents that may be interested in attacking a system. For a detailed analysis of these tools and these methods, refer to: European Network and Information Security Agency (ENISA), Inventory of Risk Management/Risk Assessment Methods, www.enisa.europa.eu/act/rm/cr/risk-management-inventory/rm-ra-methods.
13 Each agent to be simulated is modeled in terms of goals and resources it can access, which, in turn, determine the attack the agent can implement. Due to the existence of several threat agents, the resulting simulation can be described as an agent-based one, even if, in the current implementation, each threat agent is represented through a distinct data structure rather than by a distinct agent.


Crossword Puzzle
By Myles Mellor, www.themecrosswords.com

Across
1 He said "We get the culture we deserve," Jacques ____
4 List of items to be taken up
8 Report evaluating the controls used in a third-party service organization's systems, abbr.
9 High profile
10 Exaggerated the benefits of a software system
11 Trademarks, abbr.
13 Praised loudly
14 Internet systems using remote servers for storage and data processing
15 Field
17 Query
18 Turn to the next page, abbr.
19 Cap
22 One of the most effectual tools an IT auditor has for any audit
25 Salesperson
26 Unit of information, abbr.
27 Double, for short
28 One of the six disciplines: set goals that lead
30 Identifying markers
33 Price ___
36 One of the six disciplines: work the plan
38 US currency, for short
40 Hackers' target
41 Had an objective
43 "All software contains fatal weaknesses, and you cannot develop a formal system that is secure." Dorothy _____
45 He developed the work-around code along with Safari, allowing cookie installations: Anant _____
46 Chemical suffix
47 Life duration
48 New, in a way
50 Experimental area
51 Create


Down
1 Standard for measurement of a system or process
2 Take a fresh look at
3 Can't be hacked into
4 Takes measures
5 Working toward doing what is right
6 Strategic use of resources
7 Allied
8 Fix conclusively
12 Strict disciplinarian
15 PC program
16 Ages
20 Investment (abbr.)
21 Type of address on the net
22 Doctor, for short
23 Positioning
24 Navigational system
29 Core of an operating system
31 Security advocates have to sell security to get a higher allocation from it
32 One part of the six disciplines approach; step back
34 "Don't be evil" company
35 Aka plug-in
37 Identify
39 Directed
42 Big ___
44 Organization that sets Internet standards
49 Windows 7 is one

(Answers on page 54)

CPE Quiz
Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS

Take the quiz online:

QUIZ #142
Based on Volume 1, 2012
Value: 1 Hour of CISA/CISM/CGEIT/CRISC Continuing Professional Education (CPE) Credit

TRUE or FALSE

Akhtar, Buchholts, Ryan and Setty Article
1. In many instances, IT auditors merely confirm whether backups are being performed either to disk or to tape, without considering the integrity or viability of the backup media.
2. A checklist for database backup and recovery includes ensuring that there is sufficient budget to cover the cost of backup tapes.
3. Oracle and MS SQL Server databases can be backed up to tape or disk. It is not a good idea to back up to disk first because they are difficult for DBAs to monitor and control.
4. A backup and recovery SLA is an important mechanism in assisting in the recovery process.
5. IT auditors can assist data administration teams in strengthening their controls and data recovery processes by validating DBA operations.

Tammineedi Article
6. Disaster recovery planning (DRP) involves planning and procedural aspects, encompassing emergency response and crisis communications.
7. BS 25999 Business continuity management establishes the process, principles and terminology of BCM and highlights the benefits and outcomes of an effective BCM program.
8. The main BCM assets are the six organizational resources: power, premises, technology, information, supplies and cabling.
9. Most business continuity and disaster recovery plans address failover to a hot site or alternate site. Very few address the need to move operations back to a restored primary location.
10. Many business continuity plans are built on assumptions that may not include all relevant assumptions and limiting factors. For example, one assumption is that employees will go long distances to support operations, whereas local or regional disasters can make employees reluctant to go far from home.

Oyemade Article
11. IT has the potential for business transformation and also represents a significant investment, typically from 1-8 percent of gross revenue.
12. The three-lines-of-defense model consists of three key elements: risk identification, risk assessment and risk monitoring.
13. The four types of risk response are risk avoidance, risk sharing/transfer, risk acceptance and risk reduction/mitigation.

Dutta and Sista Article
14. The Basel II framework uses three pillars: (1) detailed methods for calculating minimum regulatory capital, (2) supervisory review standards and (3) market disclosure.
15. The Basel Committee classifies operational loss data in seven categories including damage to physical assets and business disruption and system failures.

Davis, Ferrell, Scranton and Millar Article
16. Fraud impacted 97 percent of organizations in 2010, according to the Kroll Global Fraud Report.
17. Prioritizing results according to specific red flags has cut review times by more than 57 percent.


ISACA Journal CPE Quiz
Based on Volume 1, 2012
Critical Resource Management

Quiz #142 Answer Form
(Please print or type)

Name ______________________________________________
Address ___________________________________________
___________________________________________________
CISA, CISM, CGEIT or CRISC # _______________________

Quiz #142 True or False

Akhtar, Buchholts, Ryan and Setty Article
1. ________  2. ________  3. ________  4. ________  5. ________

Tammineedi Article
6. ________  7. ________  8. ________  9. ________  10. ________

Oyemade Article
11. ________  12. ________  13. ________

Dutta and Sista Article
14. ________  15. ________

Davis, Ferrell, Scranton and Millar Article
16. ________  17. ________

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties.

If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email [email protected] or by fax to +1.847.253.1443. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling Meadows, IL 60008 USA.

Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address.

You will be responsible for submitting your credit hours at year-end for CPE credits.

A passing score of 75 percent will earn one hour of CISA, CISM, CGEIT or CRISC CPE credit.


Answers
Crossword by Myles Mellor
See page 52 for the puzzle.


Standards, Guidelines, Tools and Techniques
ISACA Member and Certification Holder Compliance

The specialised nature of IT audit and assurance and the skills necessary to perform such audits require standards that apply specifically to IT audit and assurance. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IT Audit and Assurance Standards are a cornerstone of the ISACA professional contribution to the audit and assurance community. The framework for the IT Audit and Assurance Standards provides multiple levels of guidance:

- Standards define mandatory requirements for IT audit and assurance. They inform:
  - IT audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  - Management and other interested parties of the profession's expectations concerning the work of practitioners
  - Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
- Guidelines provide guidance in applying IT Audit and Assurance Standards. The IT audit and assurance professional should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.
- Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IT auditing work, but do not set requirements. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.

CobiT is an IT governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. CobiT enables clear policy development and good practice for IT control throughout enterprises. It emphasises regulatory compliance, helps enterprises increase the value attained from IT, enables alignment and simplifies implementation of the CobiT framework's concepts. CobiT is intended for use by business and IT management as well as IT audit and assurance professionals; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. CobiT is available for download on the ISACA web site, www.isaca.org/cobit.

Links to current guidance are posted on the standards page, www.isaca.org/standards.

The titles of issued standards documents are:

IT Audit and Assurance Standards
S1 Audit Charter, Effective 1 January 2005
S2 Independence, Effective 1 January 2005
S3 Professional Ethics and Standards, Effective 1 January 2005
S4 Professional Competence, Effective 1 January 2005
S5 Planning, Effective 1 January 2005
S6 Performance of Audit Work, Effective 1 January 2005
S7 Reporting, Effective 1 January 2005
S8 Follow-up Activities, Effective 1 January 2005
S9 Irregularities and Illegal Acts, Effective 1 September 2005
S10 IT Governance, Effective 1 September 2005
S11 Use of Risk Assessment in Audit Planning, Effective 1 November 2005
S12 Audit Materiality, Effective 1 July 2006
S13 Using the Work of Other Experts, Effective 1 July 2006
S14 Audit Evidence, Effective 1 July 2006
S15 IT Controls, Effective 1 February 2008
S16 E-commerce, Effective 1 February 2008

IT Audit and Assurance Guidelines
G1 Using the Work of Other Experts, Effective 1 March 2008
G2 Audit Evidence Requirement, Effective 1 May 2008
G3 Use of Computer-assisted Audit Techniques (CAATs), Effective 1 March 2008
G4 Outsourcing of IS Activities to Other Organisations, Effective 1 May 2008
G5 Audit Charter, Effective 1 February 2008
G6 Materiality Concepts for Auditing Information Systems, Effective 1 May 2008
G7 Due Professional Care, Effective 1 March 2008
G8 Audit Documentation, Effective 1 March 2008
G9 Audit Considerations for Irregularities, Effective 1 September 2008
G10 Audit Sampling, Effective 1 August 2008
G11 Effect of Pervasive IS Controls, Effective 1 August 2008
G12 Organisational Relationship and Independence, Effective 1 August 2008
G13 Use of Risk Assessment in Audit Planning, Effective 1 August 2008
G14 Application Systems Review, Effective 1 October 2008
G15 Audit Planning Revised, Effective 1 Ma1 2010
G16 Effect of Third Parties on an Organisation's IT Controls, Effective 1 March 2009
G17 Effect of Non-audit Role on the IS Auditor's Independence, Effective 1 May 2010
G18 IT Governance, Effective 1 May 2010
G19 Withdrawn 1 September 2008
G20 Reporting, Effective 16 September 2010
G21 Enterprise Resource Planning (ERP) Systems Review, Effective 16 September 2010
G22 Business-to-consumer (B2C) E-commerce Reviews, Effective 1 October 2008
G23 System Development Life Cycle (SDLC) Reviews, Effective 1 August 2003
G24 Internet Banking, Effective 1 August 2003
G25 Review of Virtual Private Networks, Effective 1 July 2004
G26 Business Process Re-engineering (BPR) Project Reviews, Effective 1 July 2004
G27 Mobile Computing, Effective 1 September 2004
G28 Computer Forensics, Effective 1 September 2004
G29 Post-implementation Review, Effective 1 January 2005
G30 Competence, Effective 1 June 2005
G31 Privacy, Effective 1 June 2005
G32 Business Continuity Plan (BCP) Review From IT Perspective, Effective 1 September 2005
G33 General Considerations for the Use of the Internet, Effective 1 March 2006
G34 Responsibility, Authority and Accountability, Effective 1 March 2006
G35 Follow-up Activities, Effective 1 March 2006
G36 Biometric Controls, Effective 1 February 2007
G37 Configuration and Release Management, Effective 1 November 2007
G38 Access Controls, Effective 1 February 2008
G39 IT Organisation, Effective 1 May 2008
G40 Review of Security Management Practices, Effective 1 October 2008
G41 Return on Security Investment (ROSI), Effective 1 May 2010
G42 Continuous Assurance, Effective 1 May 2010

IT Audit and Assurance Tools and Techniques
P1 IS Risk Assessment Measurement, Effective 1 July 2002
P2 Digital Signatures and Key Management, Effective 1 July 2002
P3 Intrusion Detection Systems (IDS) Review, Effective 1 August 2003
P4 Malicious Logic, Effective 1 August 2003
P5 Control Risk Self-assessment, Effective 1 August 2003
P6 Firewalls, Effective 1 August 2003
P7 Irregularities and Illegal Acts, Effective 1 December 2003
P8 Security Assessment: Penetration Testing and Vulnerability Analysis, Effective 1 September 2004
P9 Evaluation of Management Controls Over Encryption Methodologies, Effective 1 January 2005
P10 Business Application Change Control, Effective 1 October 2005
P11 Electronic Funds Transfer (EFT), Effective 1 May 2007

Standards for Information System Control Professionals, Effective 1 September 1999
510 Statement of Scope
  .010 Responsibility, Authority and Accountability
520 Independence
  .010 Professional Independence
  .020 Organisational Relationship
530 Professional Ethics and Standards
  .010 Code of Professional Ethics
  .020 Due Professional Care
540 Competence
  .010 Skills and Knowledge
  .020 Continuing Professional Education
550 Planning
  .010 Control Planning
560 Performance of Work
  .010 Supervision
  .020 Evidence
  .030 Effectiveness
570 Reporting
  .010 Periodic Reporting
580 Follow-up Activities
  .010 Follow-up

Code of Professional Ethics, Effective 1 January 2011


Advertisers/Web Sites
Clients & Friends: www.candf.p1
ExamMatrix: www.ExamMatrix.com/ISJ
IIA: www.iia2012ic.org
Lewis University: www.online.lewis.edu/ISACA
Regis University: www.RegisDegrees.com/ISACA

Back Cover163181

Leaders and Supporters
Editor: Deborah Vohasek

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors' content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

Subscription Rates:
US: one year (6 issues) $75.00
All international orders: one year (6 issues) $90.00. Remittance must be made in US funds.

ISSN 1944-1967

Editorial Reviewers
Matt Altman, CISA, CISM, CGEIT, CRISC
Brian Barnier, CGEIT, CRISC
Linda Betz, CISA
Pascal A. Bizarro, CISA
Jerome Capirossi, [email protected] Chasnis, CISA
Ashwin K. Chaudary, CISA, CISM, CGEIT, CRISC
Joao Coelho, CISA, CGEIT
Reynaldo J. de la Fuente, CISA, CISM, CGEIT
Christos Dimitriadis, Ph.D., CISA, CISM
Ken Doughty, CISA, CRISC, CBCP

Senior Editorial Manager
Jennifer Hajigeorgiou

Contributing Editors
Sally Chan, CGEIT, CMA, ACIS
Kamal Khan, CISA, CISSP, CITP, MBCS
Steven J. Ross, CISA, CBCP, CISSP
Tommie Singlet