Is Big Data A Risky Business in Isaca Journal
isaca @ mumbai E-JOURNAL (FOR INTERNAL CIRCULATION ONLY)
VOLUME 2, ISSUE 2

INSIDE THIS EDITION
Message From The President
From The Editor's Desk
Get Connected To ISACA Mumbai Chapter
News Update
Interlude
Is Big Data A Risky Business
Cyber-attack, a looming business
Risks in Core Banking Migration
The Case For Cyber Insurance
Photo Gallery
Solution To Last Edition's Crossword Puzzle
Crossword Puzzle

Message From The President

Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible... Great words by Francis of Assisi. I truly believe in that.

Years before, our past chapter Presidents and the Committee saw a dream of Mumbai Chapter having its own office in the Mumbai Metropolis. Years went past without that dream being fulfilled, for varied reasons. We did purchase the premises, and its interiors were getting done in the last year. But on January 1, 2015, ISACA Mumbai Chapter, your chapter, formally moved into its new and swankiest address in VidyaVihar. I would like to thank past Presidents and every member for their support in fulfilling this dream.

We have taken a great leap and are not resting now. We will need to ensure sustenance and continue to be self-sufficient in our finances and stability. We have now conducted a few chapter meetings and workshops in the new premises and everyone has appreciated it. Our flagship CISA Review Classes have also started in the premises from February.

The highlight of the quarter was Mumbai hosting ISACA International's Board of Directors meeting. Debbie Lew, Board Member, visited the Chapter premises and delivered a great session on COBIT 5 to the attendees. All Chapter Presidents from India had a special session with the Board where they highlighted challenges faced in India with retention of membership and other relevant items. We are hopeful that the suggestions provided to the Board have some positive outcome in the near future.

Information floating around the world in many forms, accessible using different kinds of media, poses a question: do we really know where in the world our information is stored?

I would like to sign off with an interesting quote from Donald Rumsfeld:
"As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
Do we really know?

-Vaibhav Patkar

© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.
From the Editor's Desk

We are already in the last month of the Financial Year 2015. Most companies in India have finalised the budget for the next financial year. There is a need to increase the IT security budget going forward, given that we have had a lot more data breaches and security issues in the last one year. IT Security has become a priority in many organisations. There are a lot of improvements needed, as data needs to be highly secure with the widespread use of SMAC technologies being embraced. The Internet of Things and wearables may disrupt work life and social life.

Mobile apps are now being used widely and this changes the whole paradigm and routine of our daily lives. We have apps that set our passwords, store our passwords, create passwords, etc., so apps play an important role in our lives. We are dependent on the mobile for everything, including birthday reminders of our near and dear ones, our daily routines or even a simple to-do list. This is why data security becomes a high-priority objective. On the challenges front, 100,000 new malware samples are being uploaded on a daily basis. The corporate IT world is facing the brunt of new virus and DoS attacks. The Cyber Police the world over are getting together to combat the menace of electronic crimes.

Following the visit of the US President to India, the ISACA Headquarters had their board meeting in Mumbai. The Mumbai Chapter played host to the ISACA Board Members and had interesting exchanges with them along with the India Growth Task Force members. They shared a lot of ideas and would like to see ISACA Mumbai Chapter as a prominent chapter across the world.

For any feedback/articles/criticism/suggestions, please leave a message to

-Latha Sunderkrishnan
Get Connected to ISACA Mumbai Chapter

Given that the entire focus is now shifted to social media, ISACA Mumbai Chapter has attempted to create its presence on Twitter, Facebook and LinkedIn. However, no such initiative would succeed without your cooperation and participation. Please get connected!

Get socially connected with ISACA Mumbai Chapter in the following manner:
https://www.facebook.com/IsacaMumbaiChapter
https://twitter.com/ISACA_Mumbai
https://www.linkedin.com/ISACAMumbai
News Update

Obama Declares Cyber Threats A National Emergency
Today, President Obama declared a national emergency and signed an executive order empowering the government to impose sanctions against anyone viewed as a cyberthreat to the United States.
This is a rather historic day for our industry, where the importance of information security has evolved from the IT department, to
the boardroom, into politics and now, center stage as a critical component to our economy and way of life.
The primary objective of the order is to place sanctions on criminal hackers targeting American infrastructure and businesses from
outside the US. The order gives authority to freeze assets and more power to block potential threats from the US. The order not
only covers the harming of US infrastructure but also covers the stealing of intellectual property from American companies, as well as
committing fraud against citizens, all of which hurt the US economy.
With the plague of retail breaches that continue to hit US-based retailers, it's critical we look at these instances not just as individual breaches, but as a wholesale attack against our financial system. Many of those involved in these activities are overseas and are able to operate with impunity within the borders of countries that shield them from US prosecution. Oftentimes, many of these actors also work within these governments.
We have seen robocallers from outside the US defraud people claiming to be from the IRS, successfully scaring people particularly
senior citizens into giving them credit card numbers using VOIP networks. The perpetrators of these acts have been able to get away
with it due to available technologies that make it easy to evade detection.
I believe it is the goal of the Obama administration with this order to give the US government more power to go after criminal
syndicates and fraudsters overseas.
The challenge, however, will still be attribution—you may be able to identify from what country an attack is routed through, but
identifying who is behind the keyboard or phone is a different story altogether.
One of the reasons cyber-attacks and technology-enabled fraud have been so prevalent is due to the ease of evading detection and
relative anonymity that a number of tools available provide.
It will be interesting to see how the Obama administration looks to enforce this act, and what resources will be applied to implement
it.
Source : http://www.tripwire.com/state-of-security/latest-security-news/obama-declares-cyber-threats-a-national-emergency/#.VRwmKotKln8.twitter
Supreme Court strikes down Section 66A of IT Act which allowed arrests for objectionable content online
NEW DELHI: The Supreme Court on Tuesday declared Section 66A of Information Technology Act as unconstitutional and struck it
down.
This section had been widely misused by police in various states to arrest innocent persons for
posting critical comments about social and political issues and political leaders on social networking
sites.
The court said such a law hit at the root of liberty and freedom of expression, the two cardinal pillars of democracy. The court said the section has to be erased from the law books as it has gone much beyond the reasonable restrictions put by the Constitution on freedom of speech. The Supreme Court said section 66A was vaguely worded and allowed its misuse by police.
The court, however, upheld the validity of section 69B and the 2011 guidelines for the implementation of the I-T Act that allowed the
government to block websites if their content had the potential to create communal disturbance, social disorder or affect India's
relationship with other countries.
However, the court watered down section 79 of the I-T Act, making it further difficult for the police to harass innocent people for their comments on social network sites.
The SC delivered its judgment on a bunch of petitions filed in the light of misuse of the penal provision by government authorities
against persons who allegedly uploaded offensive posts on social networking sites.
The petitioners, including NGOs, civil rights groups and a law student, had argued that Section 66A violated citizens' fundamental right
to freedom of speech and expression. The first petition was however filed by a law student Shreya Singhal.
The government had opposed the plea for quashing the provision saying it is meant to deter people from uploading grossly offensive
material which can lead to lawlessness by inciting public anger and violence.
Justifying the retention of the provision, the Centre had told the apex court that the impact of the internet is much wider and
restriction on this medium should be higher in comparison to print and TV.
It had said, unlike print and electronic media, the internet did not operate in an institutional form and there was need for some
mechanism to put checks and balances.
The government had said the provision could not be quashed just because of its potential misuse. Posting pictures and comments on
social networking sites which hurt religious sentiments could not be tolerated and people must be prosecuted, it said.
Former attorney general Soli J Sorabjee, who appeared for one of the petitioners, termed the judgment a 'glorious vindication' of right
to free speech. He spoke to the TOI after SC bench of Justices J Chelameswar and R F Nariman struck down section 66A as
unconstitutional. Sorabjee said: "The judgment is well researched, well reasoned and erudite in expression. It is a glorious vindication of
freedom of expression."
http://timesofindia.indiatimes.com/india/Supreme-Court-strikes-down-Section-66A-of-IT-Act-which-allowed-arrests-for-objectionable-content-online/articleshow/46672244.cms
Insurance giant Anthem hit by massive data breach
Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks
among the largest in corporate history
The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail
addresses and employment information, including income data.
Anthem said there is no evidence that credit card or medical information was compromised. While damage is still being assessed, the compromised database contained up to 80 million customer records.
See http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/index.html for more details.
Bank Hackers Steal Millions via Malware
Since late 2013, an unknown group of hackers has reportedly stolen $300 million — possibly as much as triple that amount — from
banks across the world, with the majority of the victims in Russia. The attacks continue, all using roughly the same modus operandi:
Hackers send email containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank's administrative computer.
Programs installed by the malware record keystrokes and take screen shots of the bank's computers, so that hackers can learn bank procedures. They also enable hackers to control the banks' computers remotely.
By mimicking the bank procedures they have learned, hackers direct the banks' computers to steal money in a variety of ways:
See http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0 for more details.
The GHOST vulnerability: what you need to know
What is GHOST?
GHOST is a serious vulnerability that has been discovered in the glibc library.
What is the glibc?
It's the GNU C Library, a key part of the Linux operating system. If you don't have glibc, your Linux system is not going to work.
So, what's the vulnerability?
Researchers at Qualys discovered a buffer overflow vulnerability in the __nss_hostname_digits_dots() function of glibc, that can be triggered (locally or remotely) via the gethostbyname*() functions used to resolve hostnames.
Okay, you're getting slightly nerdy... tell me what's the danger?
An attacker could exploit the vulnerability to remotely execute malicious code on a vulnerable
system, and gain complete control.
That sounds bad
It is. Qualys says it has developed a proof-of-concept attack in which sending a specially crafted email to a mail server can give them remote access to a Linux machine. They say that it bypasses all existing protection systems on both 32-bit and 64-bit systems.
How old is the vulnerability?
Versions of glibc as far back as glibc-2.2, released way back in 2000, are affected by the vulnerability.
Hmm. So, what versions and operating systems are at risk from the GHOST vulnerability?
Here's what Qualys says in its blog post about the vulnerability:
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a
number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the
releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-
support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04,
for example.
What needs to be done?
Fortunately, Qualys informed Linux distribution vendors in advance of going public, and patches are now available.
Will I have to reboot my servers to apply the patch?
Almost certainly, yes. Sorry.
Where can I find more information?
Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
GNU C Library: http://www.gnu.org/software/libc/
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
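Added here as an editor's example for the item above, not Qualys' test program or any vendor's tooling: a defender-side check that applies the two facts the item states (the bug was fixed upstream between glibc-2.17 and 2.18 without being flagged as a security fix, so stable distributions were left exposed and later shipped patches), which is why it treats a version below 2.18 as fixed only when the package changelog mentions CVE-2015-0235. It assumes POSIX sh with sed, awk and grep; the rpm and Debian changelog locations are assumptions for those package families; the demo versions and changelog line are constructed.

```shell
#!/bin/sh
# ghost_check.sh: inventory helper for CVE-2015-0235 (GHOST) in glibc.
# Editor's example for this newsletter item, not Qualys' or any vendor's code.
# Logic: version >= 2.18 -> fixed upstream; otherwise look for the CVE id in the
# distribution's package changelog (backports keep the old version number);
# otherwise assume vulnerable and schedule patch + reboot.
set -u

# glibc_has_upstream_fix VERSION -> exit 0 if VERSION >= 2.18
glibc_has_upstream_fix() {
    major=${1%%.*}
    rest=${1#*.}
    # keep only the leading digits of the minor part, so "17-0ubuntu5" compares as 17
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
    if [ "${major:-0}" -gt 2 ] 2>/dev/null; then return 0; fi
    if [ "${major:-0}" -eq 2 ] 2>/dev/null && [ "${minor:-0}" -ge 18 ] 2>/dev/null; then return 0; fi
    return 1
}

# ghost_status VERSION CHANGELOG_TEXT -> prints fixed-upstream | fixed-backport | assume-vulnerable
ghost_status() {
    if glibc_has_upstream_fix "$1"; then
        echo fixed-upstream
    elif printf '%s\n' "$2" | grep -q 'CVE-2015-0235'; then
        echo fixed-backport
    else
        echo assume-vulnerable
    fi
}

# host_glibc_version -> prints the running glibc version, or nothing if ldd is not glibc's
host_glibc_version() {
    ldd --version 2>/dev/null | head -n1 | awk '{print $NF}'
}

# host_glibc_changelog -> best-effort package changelog text (assumed locations for
# RPM and Debian families; empty when neither is available)
host_glibc_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null || true
    elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz 2>/dev/null || true
    fi
}

# Constructed demo values: the version boundary the item describes.
for ver in 2.2 2.12 2.17 2.18 2.19; do
    printf 'glibc %-5s no changelog           -> %s\n' "$ver" "$(ghost_status "$ver" "")"
done
# Constructed changelog line standing in for a distribution backport.
printf 'glibc 2.12  changelog mentions CVE  -> %s\n' \
    "$(ghost_status 2.12 "- Fix CVE-2015-0235 gethostbyname buffer overflow (constructed)")"

# Live check of this host; "glibc not detected" needs a manual look (musl, no ldd, ...).
hv=$(host_glibc_version)
if [ -n "$hv" ]; then
    echo "this host: glibc $hv -> $(ghost_status "$hv" "$(host_glibc_changelog)")"
else
    echo "this host: glibc not detected -> manual check needed"
fi
```

Anything reported as assume-vulnerable goes on the patch list, and the item's reboot advice still applies once the package is updated.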
Have any bad guys exploited the GHOST vulnerability yet?
Not as far as we know. But now details of the vulnerability are emerging publicly, it may only be a matter of time.
Companies are busy patching themselves. For instance, WP Engine (which hosts this website) says it updated all of its servers last
night. Thanks guys!
Why is it called GHOST?
First answer: Because every vulnerability these days needs a sexy name. After all, no-one normal would ever call it CVE-2015-0235.
Second answer: The vulnerability can be triggered by the GetHOST functions. Geddit?
I like the logo. It's cute
Yes it is. You might find this technical analysis of the logo (not the vulnerability) amusing.
Password Practices at Businesses Fall Short of Secure
More than half (56 percent) of the survey respondents admitted to some level of daily password reuse for the corporate applications
they access. One in five U.S. employees would sell their passwords – some for as little as $150, according to a survey by security
specialist SailPoint. The global survey of 1,000 employees at large organizations also confirmed that employees are lax about
password management in general.
Today's end user has dozens of passwords they have to remember on a daily and even hourly basis. They compensate by choosing easy-to-remember, and easy-to-guess, passwords, or reusing the same password across multiple applications, or writing them down on sticky notes stuck to their computers.
Specifically, one in five employees routinely share login information for corporate applications with other members of their team,
which increases the potential that the passwords they sell might not even be their own.
Compounding the problem, 56 percent of respondents admitted to some level of daily password reuse for the corporate applications
Interlude

1. What are your top three goals for 2015?
For 2015-16, we would be focusing on:
Manufacturing excellence through automation
Salesforce productivity through digital initiatives
Harmonization of IT across the Lupin Group
Enhancing Information Security through ISO 27001:2013 certification
Delivering business applications through the cloud

2. Did you achieve any ROI for any security measure that has been implemented in your company?
It is difficult to quantify a direct ROI when it comes to security implementations. A better way of viewing it is the downside of not implementing a particular measure. One assesses the risk, and then implements the correct measure. However, rolling out Managed Security Services and a Privileged Identity Management solution in 2014 has yielded Lupin definite benefits such as prevention of access breaches, accountability for privileged accounts, alert handling with appropriate workflows, audit trails, improved end-point compliance and an overall reduction in security incidents.

3. What's your number one piece of advice for other Governance, Risk and Compliance professionals?
GRC professionals need to work in closer alignment with the business. That is necessary to have an accurate assessment and prioritization of enterprise risk. In addition, stringent Change Management procedures are mandatory for a successful GRC implementation.

4. What do you think is the bare minimum compliance that needs to be followed to avoid any security breaches?
One needs to ensure that the organization's Security Policies align with the requirements of the business. Needless to say, regulatory and statutory compliance requirements are mandatory in nature.

5. How do you think the role of the information systems (IS) auditor is changing or has changed?
The role of the IS auditor has changed and evolved to a great extent considering the rapid change witnessed in how business is conducted. Globalization has also brought challenges related to privacy and regulatory compliance which need to be taken into consideration by auditors. The complexities of managing data across continents have made the IS auditor's job much more demanding. Enhanced focus on risks and advancement of technological solutions have also mandated a change in auditor approach.

6. Do you arrange for security awareness trainings? How often are they conducted in your organization?
Apart from communicating periodic security awareness advisories in the form of EDMs, wallpapers, posters and classroom training sessions, we have now rolled out an ongoing mandatory online Information Security training and awareness module for all users. This has helped us with:
a) Refresher security awareness sessions for all users.
b) Centralized management of training records.
c) Reduced dependency on training personnel.
d) Enhanced coverage.

7. What do you do when you are not at work?
My personal time is usually spent with the family, reading and listening to music. I also enjoy playing the bansuri (bamboo flute).

8. What are the challenges that you face at your workplace?
Information Security initiatives are equated with controls, and employees have a natural resentment towards controls. The technology and the processes eventually work; it is the people that present the real challenge. A good way to get around this is to make the entire Information Security initiative relevant to business strategy.

9. How has social media impacted you professionally?
The growth of social media has its own pros and cons when it comes to corporate information handling. We have to maintain a fine balance to use it for the advantage of our organization, i.e. to use it to enhance employee engagement or brand building, while at the same time ensuring that we have well-defined policies in place to prevent any breaches and productivity losses.

10. How do you keep updated with the latest security news?
We subscribe to various Information Security forums such as Wipro Global Threat & Risk Advisory Services, Gartner Advisory Services, Symantec Risk Newsletters, SANS and Microsoft Security Advisories to keep us abreast of the latest happenings in and around the world.

Brief Bio: About The Interviewee
Mayur Danait is currently Chief Information Officer at Lupin, and has over 18 years of experience across the consulting, IT, consumer goods and pharmaceutical domains. His key role at Lupin is to align the organization's IT Strategy to its business goals, and leverage technology to deliver superior business results. With Lupin since 2010, Mayur is driving an IT Roadmap with a focus on ERP, Manufacturing Automation, Business Intelligence, Information Security, globalization and productivity. At Lupin, he has initiated and program managed various global initiatives in the ERP, IT Infrastructure and IT Security domains. Prior to joining Lupin, Mayur had several years of cross-industry experience with a spectrum of organizations including Eastman Kodak, SAP and Asian Paints. He holds an MBA in Operations from IIM Lucknow and a B.Tech. in Mechanical Engg. from IIT Bombay.
Is Big Data A Risky Business
-Tushar Kale

Brief Bio: About The Writer
Tushar Kale is a Big Data Evangelist at IBM. Tushar has more than 17 years of diverse experience in Information Technology, specializing in Big Data technologies that solution and implement real-time enterprise-wide Data Warehousing solutions. Tushar has earned his Masters in Management Studies in Finance and Engineering in Electronics and Communications from The University of Mumbai. He can be reached at

In 2014, on my return trip from Dubai to India, at Dubai International airport I observed 6 out of 8 passengers connected to the net and sharing some information with either their family or friends using a mobile device. During my travel to Singapore in 2013, I observed that 7 out of 8 persons on a metro were connected to the net. I believe staying connected is more of a global trend than a local one, and it is undoubtedly on the rise.

As a Big Data Evangelist I have developed Big Data applications across industries and for multiple customers. Surprisingly, most clients implicitly assume that most customer demographic information is available for download from the net. If this is true, your next prospective employer researches you and knows quite a bit about you even before you attend the interview. Additionally, your detailed information, in the hands of marketers, financial institutions and government, can affect everything from relationships to qualifying for a loan or even getting on a plane.

Today, I am connected more with my school and college friends and family than ever through social sites. And I am glad to post my recent picture, location or even my feelings without much hesitation. As simple as it sounds, we must not underestimate the Big Data technologies working in the background with the capability to capture, store, query and report each of our posts and events from the net. A portion or all of your information, with or without your knowledge, is siphoned off and sold to your telecommunications provider, who in turn sells it to a bank or to marketing companies who are prying for such information.

As an example, a viral video gets popular with multi-million "likes" in just a couple of days. Hence, it is all the more necessary for us to exercise caution in posting content to the net. Use of Big Data has matured over the years, especially when it is promoted by Big Brother through campaigns such as the "Big Data Initiative: White House". There are many use cases of Big Data evolving in areas such as Telecommunications, Medical, Pharma, Politics, Sports, Transportation and Healthcare.

Big Data calls for new cyber laws, and carries associated risks as follows:

Risk #1: Compliance
Laws are getting more complex with regard to how long companies need to retain customer historical data and the method of retention, not limited to the place of retention (on premise or cloud). Though there are general guidelines and regulations in place per industry, it is not uncommon for regulators to perform random audits to examine a company's policy regarding data and their actual management of that data. A big data compliance failure may result in a significant fine or reputational damage.

It has been almost three years since the Obama administration published what it termed a Consumer Privacy Bill of Rights (CPBR), in February 2012. That document declared that "the consumer privacy data framework in the U.S. is, in fact, strong ... (but it) lacks two elements: a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models."

As Susan Grant, director of consumer privacy at the Consumer Federation of America (CFA), puts it, the CPBR is "not a bill. It has never been a piece of legislation. We need to have something offered, to talk about, at least somewhere to start."

Risk #2: Discrimination
Organizations like the CFA and the Electronic Privacy Information Center (EPIC), and individual advocates like Rebecca Herold, CEO of The Privacy Professor, have enumerated multiple ways in which Big Data analytics can invade the personal privacy of individuals. According to EPIC comments last April to the U.S. Office of Science and Technology Policy, "The use of predictive analytics by the public and private sector ... can now be used by the government and companies to make determinations about our ability to fly, to obtain a job, a clearance, or a credit card. The use of our associations in predictive analytics to make decisions that have a negative impact on individuals directly inhibits freedom of association."

Herold, in a post on SecureWorld, noted that while overt discrimination has been illegal for decades, Big Data analytics can make it essentially "automated," and therefore more difficult to detect or prove. In an interview, Herold said current discrimination law is "vague, narrowly defined, and from the applications of it I've seen, depends upon very explicit and obvious evidence. Big Data analytics provides the ability for discriminatory decisions to be made without the need for that explicit and obvious evidence," she said. That can affect everything from employment to promotions to fair housing and more.

Edward McNicholas, global co-leader of the Privacy, Data Security, and Information Law Practice at Sidley Austin LLP, said he thinks some of the potential risks of Big Data are overstated, but believes "the most significant risk is that it is used to conceal discrimination based on illicit criteria, and to justify the disparate impact of decisions on vulnerable populations."

Risk #3: Agility
Blockbuster (a movie rental company) was shaken and replaced by an internet company, Netflix, in a matter of years due to its very aggressive internet model (the underlying technology being Big Data). Data resides in several stovepipe applications in enterprises, and unless we have a mechanism and the necessary Big Data tools in place to respond in a timely manner, this may lead to large business losses. Hence, a mechanism to link and co-locate your structured statement of record (SSOR) with your social unstructured statement of record (USOR) is important to promote the right campaign to the right person at the right time. E.g., I have my salary direct deposit, home loan, credit card, ATM card and internet facility with a bank. However, currently I am scouting for a car loan on the net, chatting with my friends, visiting other banks' websites and even discussing it socially on the net. How cool it would be if my bank could create a financial SOR of me and link it to my social USOR to give me a specific time-driven campaign in near real time using Big Data technologies. The highest risk here is to the banking business that does not deploy Big Data technologies to remain ahead in the game.

Risk #4: An Embarrassment of Breaches
By now, after catastrophic data breaches at multiple retailers like Target and Home Depot, restaurant chains like P.F. Chang's, online marketplaces like eBay, government agencies, universities, online media corporations like AOL and the recent hack of Sony that not only put unreleased movies on the web but exposed the personal information of thousands of employees, public awareness about credit card fraud and identity theft is probably at an all-time high. But in addition to that, there are numerous reports of Big Data analytics being used to expose personal details, such as beginning to market products to a pregnant woman before she had told others in her family. The same can be true of things like sexual orientation or an illness like cancer.

Risk #5: Goodbye Anonymity
Herold argues that without rules for anonymized data files, it is possible that when combining data sets, "without first determining if any other data items should be removed prior to combining to protect anonymity, it is possible individuals could be re-identified." She adds that if data masking is not done effectively, "big data analysis could easily reveal the actual individuals whose data has been masked."

Risk #6: Government Exemptions
According to EPIC, "Americans are in more government databases than ever," including that of the FBI, which collects Personally Identifiable Information (PII) including name, any aliases, race, sex, date and place of birth, Social Security number, passport and driver's license numbers, address, telephone numbers, photographs, fingerprints, financial information like bank accounts, employment and business information and more. Yet, "incredibly, the agency has exempted itself from Privacy Act (of 1974) requirements that the FBI maintain only 'accurate, relevant, timely and complete' personal records," along with other safeguards of that information required by the Privacy Act.

Risk #7: Your Data Gets Brokered
Numerous companies collect and sell "consumer profiles that are not clearly protected under current legal frameworks," EPIC said. There is also little or no accountability or even guarantees that the information is accurate. "The data files used for big data analysis can often contain inaccurate data about individuals, use data models that are incorrect as they relate to particular individuals, or simply be flawed algorithms," Herold said.
Cyber-attack, a looming business
K P Sashidharan

from top three States — Andhra Pradesh, Karnataka and Maharashtra contributing 70 per cent to India's revenue from information technology related industries.

The key concern is that the source of the attack is based abroad from China, Pakistan, Bangladesh and Algeria. Attacks can target critical infrastructure like power grids, transportation networks, critical infrastructure operational systems, espionage, as a political retaliation tool on defence and financial institutions. Outsourcing malware production and building out attacks are becoming the order of cyber warfare. Experts opine that malware-as-a-service has been there for some years, but attacks-as-a-service are going to be a new reality in 2015.

Nation-states and entities have no escape but to be prepared for the new trend in cyber terrorism and re-invent endpoint security. It is important to adopt adequate measures for timely detection, deterrence and preventive inspection to protect all vulnerable key devices.

Increasing trends in cyber-crime and experts' predictions should caution us to heighten security protocols on computers, smartphones and other connected devices. Adequately updated cyber security should be ensured by banks as online bank accounts are exposed to phishing attacks and other frauds.

Increasing use of mobile banking through smartphones and tablets for financial transactions intensifies the exposure. Keeping information devices backed up promptly on an independent drive or by using a secure cloud back up and updating software by getting the latest 'patch' must become the irreducible minimum security preparedness.

The establishment of a National Critical Information Infrastructure Protection Centre, the Indian Computer Emergency Response, the Cyber Security mock drills, the Information Sharing and Analysis Centres and the creation of a pool of 5,00,000 cyber security professionals in five years, as envisaged in the National Cyber Security Policy of 2013, should be taken up. Existing mechanisms should be revamped.

As we get more and more addicted to the information highway, Internet and mobile apps, cyber threat and security issues loom significantly. The latest trend in cyber terrorism is beautifully narrated in the real life story, 'How my mom got hacked', by Alina Simone in The New York Times.

Cryptowall, the malware, had popped up on her mom's computer locking all the files and demanded a ransom amount of $500 to get the key to decrypt them; if not paid within the time limit, the ransom amount would double and, thereafter, the files would be destroyed forever!

The victim had no way but to pay the ransom to the unique Bitcoin 'wallet' to get the key to decrypt them. Cryptowall has been in the cyber terror business for quite some time now and its earlier version CryptoLocker had demanded a high ransom of $800,000 from Detroit authorities.

The massive attack on Sony Pictures happened only in November, 2014. The skulls that showed up on its computer systems threatening to expose secrets actually forced Sony to cancel the release of the satirical comedy, The Interview, about a plot to assassinate North Korean leader Kim Jong-un.

The hackers called themselves 'Guardians of Peace' and exposed embarrassing emails of some film celebrities. The Director of the Federal Bureau of Investigation, James Comey, had concluded that the hackers had "failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans".

Recent research on cyber-crime estimates that in 2015, there would be more sophisticated and havoc-creating cyber terrorism, with innovative modus operandi targeting higher infection rates aiming at more income.

The emergence of new payment methods through Bitcoin has transformed Ransomware into a money spinning business. Attackers have varied motives, like spreading terror, espionage work, hacktivism, waging cyber wars and of course making money. Attackers may target specific machines or platform or set up, evading layers of detection mechanisms, launching attacks on computers.

Malware developed for espionage could be used by hired cyber-crime groups. The successful Ransomware attacks will embolden attackers to design more stealthy 'time bomb' attacks on an enterprise, threatening to cripple multiple resources, forcing it to pay ransom. Cyber-crimes getting off scot free encourage more wild hackers to experiment in the terror landscape.

A recent study undertaken by the Associated Chambers of Commerce and Industry of India-Mahindra Special Services Group shows that cyber-crimes in India are likely to cross 3,00,000 by 2015. India is the third most affected country after the US and Japan. Out of a 560 million global average of cyber-crimes on smartphones in 2012, India had 46 million, more than eight per cent of them. Total Indian websites hacked in 2013 were 28,481 and are expected to reach 85,000 in 2015 with increasing incidents

Source: http://www.dailypioneer.com/columnists/oped/cyber-attack-a-looming-business.html

Brief Bio
About The Interviewee
K. P. SHASHIDHARAN is former Director General, CAG of India, Member, Indian Audit & Accounts Service, and an alumnus of the London School of Economics. As an established freelance columnist he contributes articles on public finance and current issues to leading newspapers. He is Visiting Professor to premier professional, academic and administrative training institutions.

Risks in Core Banking Migration
K K Mookhey

Brief Bio
About The Writer
K. K. Mookhey is the Principal Consultant at Network Intelligence (I) Pvt Ltd. and the Institute of Information Security. One of the pioneers in the information security space, he founded NII in 2001. What started as a one-man show has grown into a team of 200+ security professionals working across India and the Middle East with the who's-who of industry as long-term clients. He is the author of two books on security – Linux Security & Controls and Metasploit Framework – as well as numerous articles. He is one of the first Indian security researchers to have presented at Blackhat USA in 2004. His experience and skillsets encompass IT Governance, Information Security Strategy, Forensics, Fraud Risk Management, and Business Continuity. He holds the CISA, CISSP, CISM, CRISC and PCI QSA qualifications.

Summary
This article highlights some of the key risks in executing a successful core banking migration program. Many of these risk elements also relate to any large IT project, but are more aligned towards a core banking migration.

Key Risks
A core banking migration project is typically one that involves hundreds of millions of dollars of investment, along with serious levels of commitment from Business and IT. Such a large investment of time and money requires proper risk management and strong governance to ensure that all stakeholders realize the responsibilities they hold and work single-mindedly to fulfil them. At the same time, business as usual needs to be addressed, and customer impact should be absolutely minimized.

The following is a listing of the key risks based on our experience of working with Banks engaged in large-scale programs such as core banking implementation.

Program Management
Core banking implementation projects are not just about project management, but rather about program management. A program is a collection of multiple projects, each of which has its own timelines, dependencies, RACI[1] matrices, deliverables, and milestones.

Many banks are not geared up to handle a Program of this size, complexity, and duration. The fact that multiple projects would be involved, and each of these projects would impact others in some way or the other, is quite often a rude awakening that comes somewhere during the business analysis phase. Just as an example, some of the key project streams that would need to run are:

- Business Requirements Gathering – these would have multiple stages including demonstration of the Model Bank by the vendor, business requirements gathering, functional specifications preparation, etc.
- Data Migration – which would involve Data Quality Analysis, Data Clean-up, Data Mapping, and Data Migration
- Interface Development – for existing and new applications to interface with the new system, as well as implementation of the Enterprise Service Bus, if the Bank is adopting SOA – Service Oriented Architecture
- Module Development – no matter how much you wish, there will be customization involved, and this has to be overseen properly by the Bank
- UAT – quite often you will want to do this jointly with an outsourced entity
- Business-as-usual impact management – more on this in a later section
- IT operations readiness – this covers the readiness of infrastructure (servers, storage, network), processes (backup, operations, monitoring, troubleshooting), and IT teams (organizational structure to handle program-specific responsibilities)
- Business operations readiness – this would cover the branches, learning and personnel development, and other business units which would be impacted by the implementation
- Rollout – the rollout strategy would need to be decided early on as it impacts the entire program in multiple ways. More on this later.
[1] Responsible, Accountable, Consulted, Informed. A RACI Matrix helps identify who does what at each stage of the project.
Program Governance
Once you realize the enormity of the task, a proper governance structure needs to be implemented. Some Banks choose to outsource the Program Management office completely. Either way, this has to be with senior banking personnel embedded into the program governance structure. An outsourced vendor would bring in expertise in the areas of project management, risk management, change management, vendor management, and driving the program forward. Formal manuals may have to be prepared, which clearly spell out the governance structure, along with roles and responsibilities for all key stakeholders, and also define the processes for critical project management practices such as risk, issue, change, and communication management.
Business Commitment
With ongoing pressures of business-as-usual, the business teams may not be fully committed to a program of
this scale and complexity. This has multiple impacts right from product selection, scope definition, requirements
gathering, UAT, etc. Without the right level of business personnel involvement, the quality of inputs received by
the program would suffer. This often results in repeated iterations of deliverables such as the Business
Specification Documents (BSDs) and Functional Specifications Documents (FSDs), etc. Also, it may result in a
sub-standard product being delivered to the organization.
Vendor Management
The transformation program will typically involve multiple vendors – Core Banking Solution Provider, Project Management, Testing, Data Migration, etc. Each of these vendors will bring to the table their own expertise, but also their own challenges in terms of experience and expertise. The Bank should institute a dedicated vendor management function (part of the Program management team), which deals with vendors on an equal footing and does not get intimidated by their claims of boiler-plate contracts. The Legal team should be heavily involved in ensuring the contract is fair, but more tilted in the Bank's favor than the vendor's favor. Vendors should be committed to provide "named" personnel, who are available throughout the execution of key project milestones and are based in UAE. No vendor should be allowed to execute a typical "bait-and-switch" strategy when it comes to project resources.
It is also recommended that the Bank should evaluate the role of "System Integrator" to be played by a specialist vendor and not leave this role to be done by the main solution provider, who are experts in the Core Banking system, but may not be able to deliver on the overall aspects of implementing the solution within the Bank's existing environment.
Scope Management
The scoping exercise prior to contract finalization is one of the most important stages. Key stakeholders from all the Bank's impacted departments should play a role in this. The program team should also institute a challenge mechanism to avoid over-customization of the Core Banking (CB) solution. The requirements gathering team should be encouraged to push people to accept the system's way of doing things rather than super-imposing outdated processes onto a state-of-the-art solution. Notes should be exchanged with other banks in the region that have implemented the same solution, covering the challenges that they faced.
Ensuring Quick Wins
A program such as this often leads to elongated project milestones and this can demotivate the team members
as well as raise doubts in the minds of the Board members as to whether this investment is really going to yield
any results or not. The transformation program team should ensure quick wins are adequately introduced
throughout the project delivery schedule and these are well-recognized throughout the Bank.
Financial Control
Programs such as these have a tendency to quickly escalate in terms of budgeted costs. It is extremely
important that the Bank institute a dedicated financial control function for the transformation program that
tracks capital and operational expenditure on a weekly basis, as well as ensures that payments are made on time
(in order not to demotivate vendors), as well as payments are made only when the deliverables are up to the
mark and delivered on time. This aspect may further be enhanced by keeping a bonus component for on-time
or before-time delivery of key milestones. Cost escalations should also be properly risk-managed through the
bid negotiation and contractual stages itself.
People Management
A core banking transformation project can only succeed when all stakeholders are fully committed to it. This
means, there would be certain key banking personnel who need to be dedicated to this enterprise, as well as
others who would be tapped at various stages of the program. Given typical attrition rates in the Banking
industry, the program should not suffer if key people leave. For this, the Bank should consider implementing an
incentivizing program that ensures key stakeholders remain committed to the Bank and to the transformation
program through the key stages of the program. A strong communications management process that includes
senior management – including the Board of Directors – overseeing the progress and appreciating key achievers in words and kind is mandatory for the eventual success of the Program.
Rollout Strategy
One of the aspects that must be addressed pretty much up front is the planned rollout strategy. There is no one right way of doing this, and pain has to be suffered whatever strategy is adopted. Options are:
- Big Bang: During a given weekend (say during a long holiday period) everyone switches over to the new system
- Parallel Run: Transactions are posted on both systems and data reconciliation is done at end of day. All errors are ironed out before date rollover
- Hybrid: All new customers are created on the new system, while older customers are migrated in a phased manner. GL reconciliation is done at end of day
Each approach has inherent risks and detailed mitigation measures that must be built in. This has impact throughout the program in terms of interface preparation, reconciliation scripts, data migration approach, and build delivery, as well as testing strategy. A detailed study must be carried out and an informed decision must be taken on this aspect.
Data Migration
This is an aspect that a lot of Banks figure that they will deal with later. But it can spring a lot of rude surprises just as the first build begins to get delivered. Legacy systems quite often do not have the rigor of input validation and data integrity controls that newer applications tend to have. Each CB solution has its own requirements in terms of the data quality, necessary data fields, and data formats. Migrating legacy data is not just limited to mapping of the fields, but also requires heavy lifting in terms of data clean-up, data conversion, and quality review of the migrated data. Quite often this might also involve reaching out to branches, who in turn would need to reach out to individual customers to obtain missing KYC data.
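As an added illustration of the Parallel Run and Data Migration points above (example code written for this page, not the article's, a bank's or any vendor's), the two scripts below run a pre-migration KYC data quality check over a legacy customer extract and an end-of-day balance reconciliation between the legacy and the new system; every field name, format and sample record is constructed for the example.

```python
"""Added example (not from the article or any vendor): a pre-migration KYC data
quality check over a legacy customer extract, and an end-of-day balance
reconciliation between legacy and new system during a parallel run. Field names,
formats and sample records are constructed for the example."""
import csv
import io
import re
from datetime import date
from decimal import Decimal

# Constructed legacy customer extract; C002 and C003 carry typical legacy gaps.
LEGACY_CUSTOMERS_CSV = """cust_id,name,dob,national_id,mobile,address
C001,Asha Rao,1980-04-12,IN1234567,9876543210,12 Marine Drive Mumbai
C002,Ravi Shah,,IN7654321,9123456789,
C003,Meena Iyer,1975-13-40,,98765,45 MG Road Pune
C004,Sunil Das,1990-07-01,IN1111111,9000000000,7 Park St Kolkata
"""
# Fields the hypothetical target core banking solution treats as mandatory.
MANDATORY_FIELDS = ("name", "dob", "national_id", "mobile", "address")
MOBILE_RE = re.compile(r"^\d{10}$")


def check_kyc_quality(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (cust_id, field, problem) for every missing or malformed field.

    Strict on purpose: the legacy system never validated these, the new one
    will reject the record, so gaps are found (and chased with the branch)
    before cut-over rather than when the first build is delivered.
    """
    issues = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["cust_id"]
        for name in MANDATORY_FIELDS:
            if not (row.get(name) or "").strip():
                issues.append((cid, name, "missing"))
        if row["dob"]:  # an empty dob was already reported as missing
            try:
                date.fromisoformat(row["dob"])
            except ValueError:
                issues.append((cid, "dob", "invalid date"))
        if row["mobile"] and not MOBILE_RE.match(row["mobile"]):
            issues.append((cid, "mobile", "not 10 digits"))
    return issues


# Constructed end-of-day posting files from both systems in a parallel run.
LEGACY_EOD_CSV = """acct,type,amount
ACC1,CR,1000.00
ACC1,DR,250.50
ACC2,CR,500.00
ACC3,CR,75.25
"""
NEW_EOD_CSV = """acct,type,amount
ACC1,CR,1000.00
ACC1,DR,250.50
ACC2,CR,500.00
ACC2,DR,0.01
ACC4,CR,10.00
"""


def balances_from_postings(csv_text: str) -> dict[str, Decimal]:
    """Net each account's credits and debits; Decimal, never float, for money."""
    totals: dict[str, Decimal] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        amount = Decimal(row["amount"])
        signed = amount if row["type"] == "CR" else -amount
        totals[row["acct"]] = totals.get(row["acct"], Decimal("0")) + signed
    return totals


def reconcile_eod(legacy_csv: str, new_csv: str) -> list[tuple]:
    """Return (acct, legacy_balance, new_balance, kind) per discrepancy.

    Accounts present on one side only are reported too: a dropped or invented
    account is a worse migration defect than a penny difference.
    """
    legacy = balances_from_postings(legacy_csv)
    new = balances_from_postings(new_csv)
    out = []
    for acct in sorted(legacy.keys() | new.keys()):
        lb, nb = legacy.get(acct), new.get(acct)
        if lb is None:
            out.append((acct, None, nb, "missing_in_legacy"))
        elif nb is None:
            out.append((acct, lb, None, "missing_in_new"))
        elif lb != nb:
            out.append((acct, lb, nb, "balance_mismatch"))
    return out


if __name__ == "__main__":
    print(*check_kyc_quality(LEGACY_CUSTOMERS_CSV), sep="\n")
    print(*reconcile_eod(LEGACY_EOD_CSV, NEW_EOD_CSV), sep="\n")
```

On the constructed data the quality check flags five gaps across C002 and C003, and the reconciliation reports a one-paisa mismatch on ACC2 plus one account missing on each side, which is exactly the class of error a parallel run must surface before date rollover.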
Infrastructure and Sizing
The sizing requirements can change as the program progresses. Some factors that can influence this are regulatory requirements for longer storage of customer and transaction data, increase in the fields associated with customers (for instance, issuance of a national ID number), introduction of an Enterprise Service Bus (ESB), etc. Not only must the hardware cater for the application requirements today, but also for 5 years down the line when the system will be fully functional. Therefore, business growth plans must be taken into account for at least a 5-year horizon when sizing is being done. Also, multiple factors would influence latency, and the responsiveness of the system should be mandated at the start of the program to avoid user rejection due to the system being "too slow".
Business As Usual (BAU)
While such a major transformation is going on – and a program of this nature would take anywhere from 3-5
years – the Bank has to continue operating as usual. During this time, the business will continue to come up with
new requirements for enhancements to the existing core banking system as well as other satellite systems that
interface with the core banking system. Now, the core banking system itself is going to get replaced. So these
changes reflect a moving target for the Program to achieve. A new requirements management or demand
management process needs to be put in place to analyze the impact of these change requests, rationalize them,
and only then approve them for implementation. Each such request will represent a scope increase in the CB
implementation and subsequent cost impact. Not to mention increase in timelines for further customization of
the system.
Conclusion
Multi-million dollar, multi-year programs such as Core Banking transformation require a different mind-set and more mature program management capability than most Banks possess in-house. Strong risk management processes can help mitigate the risks from this lack of prior experience by implementing global best practices, bringing the right people to the game, and managing vendors with an iron-hand-in-velvet-glove approach. The risks enumerated above are generic and based on our experience. The Bank may use these to build a larger risk register and enumerate strong risk mitigation measures to ensure that the investment of time and money is well worth it, and such a large program helps deliver the benefits originally envisaged – faster go-to-market, a customer-centric approach, and intelligent insights into consumer behaviour and product profitability.
The Case For Cyber Insurance
Gurpal Dhingra

According to the National Crime Records Bureau (NCRB), cyber-crime zoomed 350% in the three years between 2010 and 2013. In a 2014 survey of 170 plus Chief Information Officers, Chief Information Security Officers and the like conducted by KPMG, 89% of the respondents felt that cyber-crime is a major threat, 51% felt that their companies were easy targets for cyber-attacks and 49% had actually experienced such attacks. In December 2014 an Economic Times article quoting unnamed experts stated that India Inc. had lost as much as $4bn due to cyber-attacks of all kinds during 2013 and suggested that losses had increased by 30% in 2014. Yet Prudent Insurance Brokers estimates there have been only 50 or so dedicated cyber-insurance policies sold in India so far. The gap between risk perception and actual risk mitigation cannot be starker than this!

Cyber-crime is no longer the domain of the relatively harmless nerd seeking the thrill and fame of the exquisite hack, who damages little more than the ego of his corporate victims. Today the stakes are much higher and can even put lives in jeopardy. For instance, while the world was transfixed by the admittedly spectacular North Korean hack of Sony, very few people knew that a steel plant in Germany had lost control of its blast furnace. For some time hackers had sole control of tonnes of molten ore and thankfully disengaged without causing a horrific industrial accident that they were fully capable of causing at that time.

Another very dangerous recent trend is the increasing availability of mercenary hackers or hackers for hire. These services make it disturbingly easy for individuals and businesses to sponsor attacks, steal data & money, stop the operations and services of another firm and sabotage lives and businesses – all by remote control. In a recent report Gartner found that zero percent of large enterprises have formal plans to address aggressive cyber security business disruption attacks, probably lulled by the low frequency of large scale attacks. However, it foresees that by 2018, 40% of big firms will have such plans – underscoring the high threat perception for the immediate future.

In India the largest number of cyber-crimes for the year 2013 (later data is not yet available), i.e. 2144 in total, were classified in the "others" category by NCRB. That's probably because these are crimes that are not easily attributable in the outdated lexicon of our penal code. Even so, as many as 2061 were attributable to fraud, illegal gain and money greed. Most of these have been about siphoning off anything between a few lakhs to a couple of crores from either bank accounts or leaky government schemes such as MNREGA. Interestingly, according to NCRB the bulk of cyber-crime arrests in 2013 took place in the 18 to 30 age group, followed by the 30 to 45 age group.

While Indian companies seem to be aware of cyber-crime, they have been slow to recognise its far-reaching impact (such as denial of service for days on end) and even slower to adopt adequate protection by way of proper insurance. Of the 50 or so dedicated cyber-risk policies that have been bought in India, a majority have been by technology and BPO firms; mainly because they have been mandated to do so by their contracted customers.

Banking, Financial Services & Insurance companies are also aware of these risks; Arbor Networks reports that last year 34% of Indian financial sector companies reported cyber-attacks & threats, up from 15% in the previous year. As a result, a few large banks have bought cyber insurance policies now with limits ranging between US$ 5 to 10 million. Other industries such as hospitality, retail and health-care do not even have sophisticated Professional Indemnities in place, leaving their balance sheets very vulnerable to the costs of a breach.

But traditional policies such as Professional Indemnity, Commercial General Liability, etc. are not really well geared towards protecting against the extensive and varied damages and costs of a cyber-attack, such as the many third party costs related to hiring forensics experts for investigation, image managers to repair soiled reputations or software & security consultants to repair broken firewalls & processes. Nor do they cover the fines and penalties that a breached business might have to bear, that can be imposed by a regulatory or quasi-regulatory authority for negligence.

Cyber-risk is different for different industries so a one size fits all cyber-insurance policy will prove inadequate. Unlike in traditional policies, adequate protection or risk mitigation cannot be obtained without a high degree of individual customisation, perhaps the primary reason why India Inc. is so under insured when it comes to cyber-risk. But given the exponential increase in attacks over the years and the increasing severity of damages & losses caused by cyber-crime, specialised individual policies are the need of the hour. There are other benefits too, which are not available with traditional policies: having a cyber-insurance policy does not only mean financial protection for the payment of post-breach bills but the additional benefit of having the broker and insurer effectively managing the breach situation. Also, these policies usually come built in with the services of various experts such as forensics teams, credit monitoring firms, public relations organisations, etc. who will assist the insured in the various aspects of breach response which they would otherwise find overwhelming on their own.

In conclusion, while it may be difficult or even impossible to achieve total protection against cyber-crime, it is eminently possible to have total protection for the aftermath of a cyber-attack.

Source: This article first appeared on www.outlookindia.com
http://www.outlookindia.com/article/The-Case-For-Cyber-Insurance/293701

Brief Bio
About The Interviewee
Gurpal Singh Dhingra is a Director at Prudent Insurance Brokers Private Limited, the leading insurance broker for Indian multinationals. He has been with the company for 13 years and heads its southern operations from Bangalore.

Photo Gallery
9th BSAS Seminar - Chapter Office: IndusInd CISO inaugurating the seminar; BSAS participants
ISACA Board of Director Ms. Debbie Lew Delivering A Seminar At The Chapter Office: President providing token of appreciation to Debbie; Debbie with Mumbai Chapter past Presidents; Debbie with Mumbai Chapter Managing Committee Members
Certification Awareness Program At The Chapter Office
Managing committee members explaining about ISACA Certifications to the participants
Acknowledging the role of Past Presidents of ISACA Mumbai Chapter
Past President Mr. Anand Shenoy congratulating, on behalf of all the past presidents, the current President Mr. Vaibhav Patkar in the New Chapter office
Solution To Last Edition’s Crossword Puzzle
A B C D E F G H I J K L M
1 H A S H
2 A V L A N V A X
3 M P L S o
4 C B I
5 S T E G A N O G R A P H Y
6 X A T
7 T N O W A S P
8 3 D E S E P A
9 W T A T
10 C I S A 2 C
11 Y H
12 P A R I T Y
Crossword Puzzle
A B C D E F G H I J K L M N
1 S P L I T K E Y
2 A P B S P I C E
3 A U D I T R I
4 M L H R O S P F
5 M L R O X H
6 I Z E R O D A Y E
7 S N A A T R
8 G R A T K P
9 C C I H P I I
10 R I F T T R
11 I D S Q S A T O R A
12 S P D P P C
13 C H A I N O F C U S T O D Y
ACROSS
A-2 Required in a wireless network
A-7 IBM developed protocol
A-11 Mechanism for checking of an attack
A-13 A process that tracks the movement of evidence through its collection, safeguarding and analysis lifecycle by appropriate documentation
B-1 A key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items
B-3 Independent review and examination of records and activities to assess the adequacy of system controls
D-8 Mechanism to check the network devices' configuration
E-11 PCI approved auditor
F-6 An attack for which no patch is available yet
J-11 Used for enabling anonymous communication over the internet
K-4 A type of routing protocol
J-2 A protocol to take over remote systems
L-9 Information that shouldn't be shared
DOWN
A-9 Risk Management Certification from ISACA
B-1 Use of an electronic messaging system for sending unsolicited messages
C-9 A proposed law in the USA for sharing internet traffic info between US govt. and technology companies
D-3 A collection of small programs which can be called when needed by a larger program
E-9 A server name with a hostname followed by the domain name
G-2 Data unit
G-3 A potential for violation of security which exists when there is a circumstance that could breach security
H-4 A collection of tools that a hacker uses to mask intrusion and obtain admin level privileges
J-9 A secure protocol
K-2 A ____ server that acts as intermediary between a workstation user and the internet so that the enterprise can ensure security, admin control and caching service
M-2 A cryptographic algorithm for encryption and decryption
M-11 The point in time to which data must be recovered after an outage
N-8 ____ is the theft of software through illegal copying of genuine programs or through counterfeiting