Is Big Data A Risky Business in Isaca Journal

isaca @ mumbai E-JOURNAL (FOR INTERNAL CIRCULATION ONLY)
VOLUME 2, ISSUE 2

INSIDE THIS EDITION
Message From The President
From The Editor's Desk
Get Connected To ISACA Mumbai Chapter
News Update
Interlude
Is Big Data A Risky Business
Cyber-attack, a looming business
Risks in Core Banking Migration
The Case For Cyber Insurance
Photo Gallery
Solution To Last Edition's Crossword Puzzle
Crossword Puzzle

PAGE 1

Message From The President

"Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible." Great words by Francis of Assisi. I truly believe in that.

Years ago, our past chapter Presidents and the Committee saw a dream of the Mumbai Chapter having its own office in the Mumbai metropolis. Years went past without that dream being fulfilled, for varied reasons. We did purchase the premises, and its interiors were being done in the last year. But on January 1, 2015, ISACA Mumbai Chapter, your chapter, formally moved into its new and swankiest address in VidyaVihar. I would like to thank past Presidents and every member for their support in fulfilling this dream.

We have taken a great leap and are not resting now. We will need to ensure sustenance and continue to be self-sufficient in our finances and stability. We have now conducted a few chapter meetings and workshops in the new premises and everyone has appreciated it. Our flagship CISA Review Classes have also started in the premises from February.

The highlight of the quarter was that Mumbai hosted ISACA International's Board of Directors meeting. Debbie Lew, Board Member, visited the Chapter premises and delivered a great session on COBIT 5 to the attendees. All Chapter Presidents from India had a special session with the Board, where they highlighted the challenges faced in India with retention of membership and other relevant items. We are hopeful that the suggestions provided to the Board have some positive outcome in the near future.

Information floating around the world in many forms, accessible using different kinds of media, poses a question: do we really know where in the world our information is stored?

I would like to sign off with an interesting quote from Donald Rumsfeld: "As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." Do we really know?

-Vaibhav Patkar

© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.

PAGE 2

From the Editor's Desk

We are already in the last month of the Financial Year 2015. Most companies have finalised the budget for the next financial year in India. There is a need to increase the IT security budget going forward, given that we have had a lot more data breaches and security issues in the last one year. IT security has become a priority in many organisations. There are a lot of improvements needed, as data needs to be highly secure with the widespread use of SMAC (social, mobile, analytics and cloud) technologies being embraced. The Internet of Things and wearables may disrupt work life and social life.

Mobile apps are now being used widely and this changes the whole paradigm and routine of our daily lives. We have apps that set the password or store our passwords and create passwords, etc. So apps play an important role in our lives. We are dependent on the mobile for everything, including birthday reminders of our near and dear ones, our daily routines or even a simple to-do list. This is why data security becomes a high-priority objective. On the challenges front, 100,000 new malware samples are being uploaded on a daily basis. The corporate IT world is facing the brunt of new virus and DoS attacks. The Cyber Police the world over are getting together to combat the menace of electronic crimes.

Following the visit of the US President to India, the ISACA Headquarters had their board meeting in Mumbai. The Mumbai Chapter played host to the ISACA Board Members and had interesting exchanges with them, along with the India Growth Task Force members. They had a lot of ideas shared and would like to see ISACA Mumbai Chapter as a prominent chapter across the world.

For any feedback/articles/criticism/suggestions, please leave a message to [email protected]

-Latha Sunderkrishnan

Get Connected to ISACA Mumbai Chapter

Given that the entire focus has now shifted to social media, ISACA Mumbai Chapter has attempted to create its presence on Twitter, Facebook and LinkedIn. However, no such initiative would succeed without your cooperation and participation. Please get connected!

Get socially connected with ISACA Mumbai Chapter in the following manner:

https://www.facebook.com/IsacaMumbaiChapter
https://twitter.com/ISACA_Mumbai
https://www.linkedin.com/ISACAMumbai

PAGE 3

News Update

Obama Declares Cyber Threats A National Emergency

Today, President Obama declared a national emergency and signed an executive order empowering the government to impose sanctions against anyone viewed as a cyberthreat to the United States.

This is a rather historic day for our industry, where the importance of information security has evolved from the IT department, to the boardroom, into politics and now, center stage as a critical component of our economy and way of life.

The primary objective of the order is to place sanctions on criminal hackers targeting American infrastructure and businesses from outside the US. The order gives authority to freeze assets and more power to block potential threats from the US. The order not only covers the harming of US infrastructure but also covers the stealing of intellectual property from American companies, as well as committing fraud against citizens, all of which hurt the US economy.

With the plague of retail breaches that continue to hit US-based retailers, it's critical we look at these instances not just as individual breaches, but as a wholesale attack against our financial system. Many of those involved in these activities are overseas and are able to operate with impunity within the borders of countries who shield them from US prosecution. Oftentimes, many of these actors also work within these governments.

We have seen robocallers from outside the US defraud people claiming to be from the IRS, successfully scaring people, particularly senior citizens, into giving them credit card numbers using VoIP networks. The perpetrators of these acts have been able to get away with it due to available technologies that make it easy to evade detection.

I believe it is the goal of the Obama administration with this order to give the US government more power to go after criminal syndicates and fraudsters overseas.

The challenge, however, will still be attribution: you may be able to identify what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether.

One of the reasons cyber-attacks and technology-enabled fraud have been so prevalent is the ease of evading detection and the relative anonymity that a number of available tools provide.

It will be interesting to see how the Obama administration looks to enforce this order, and what resources will be applied to implement it.

Source: http://www.tripwire.com/state-of-security/latest-security-news/obama-declares-cyber-threats-a-national-emergency/#.VRwmKotKln8.twitter

Supreme Court strikes down Section 66A of IT Act which allowed arrests for objectionable content online

NEW DELHI: The Supreme Court on Tuesday declared Section 66A of the Information Technology Act unconstitutional and struck it down.

This section had been widely misused by police in various states to arrest innocent persons for posting critical comments about social and political issues and political leaders on social networking sites.

The court said such a law hit at the root of liberty and freedom of expression, the two cardinal pillars of democracy. The court said the section has to be erased from the law books as it has gone much beyond the reasonable restrictions put by the Constitution on freedom of speech. The Supreme Court said section 66A was vaguely worded and allowed its misuse by police.

The court, however, upheld the validity of section 69B and the 2011 guidelines for the implementation of the I-T Act that allowed the government to block websites if their content had the potential to create communal disturbance, social disorder or affect India's relationship with other countries.

However, the court watered down section 79 of the I-T Act, making it further difficult for the police to harass the innocent for their comments on social network sites.

PAGE 4

The SC delivered its judgment on a bunch of petitions filed in the light of misuse of the penal provision by government authorities against persons who allegedly uploaded offensive posts on social networking sites.

The petitioners, including NGOs, civil rights groups and a law student, had argued that Section 66A violated citizens' fundamental right to freedom of speech and expression. The first petition was, however, filed by a law student, Shreya Singhal.

The government had opposed the plea for quashing the provision, saying it is meant to deter people from uploading grossly offensive material which can lead to lawlessness by inciting public anger and violence.

Justifying the retention of the provision, the Centre had told the apex court that the impact of the internet is much wider and restriction on this medium should be higher in comparison to print and TV.

It had said that, unlike print and electronic media, the internet did not operate in an institutional form and there was a need for some mechanism to put checks and balances in place.

The government had said the provision could not be quashed just because of its potential misuse. Posting pictures and comments on social networking sites which hurt religious sentiments could not be tolerated and people must be prosecuted, it said.

Former attorney general Soli J Sorabjee, who appeared for one of the petitioners, termed the judgment a 'glorious vindication' of the right to free speech. He spoke to the TOI after the SC bench of Justices J Chelameswar and R F Nariman struck down section 66A as unconstitutional. Sorabjee said: "The judgment is well researched, well reasoned and erudite in expression. It is a glorious vindication of freedom of expression."

Source: http://timesofindia.indiatimes.com/india/Supreme-Court-strikes-down-Section-66A-of-IT-Act-which-allowed-arrests-for-objectionable-content-online/articleshow/46672244.cms

Insurance giant Anthem hit by massive data breach

Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.

The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

Anthem said there is no evidence that credit card or medical information was compromised. While the damage is still being assessed, the compromised database contained up to 80 million customer records.

See http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/index.html for more details.

Bank Hackers Steal Millions via Malware

Since late 2013, an unknown group of hackers has reportedly stolen $300 million, possibly as much as triple that amount, from banks across the world, with the majority of the victims in Russia. The attacks continue, all using roughly the same modus operandi: hackers send email containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank's administrative computer.

Programs installed by the malware record keystrokes and take screenshots of the bank's computers, so that the hackers can learn bank procedures. They also enable the hackers to control the banks' computers remotely.

By mimicking the bank procedures they have learned, the hackers direct the banks' computers to steal money in a variety of ways:

See http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0 for more details.

The GHOST vulnerability: what you need to know

What is GHOST?

GHOST is a serious vulnerability that has been discovered in the glibc library.

What is glibc?

It's the GNU C Library, a key part of the Linux operating system. If you don't have glibc, your Linux system is not going to work.

PAGE 5

So, what's the vulnerability?

Researchers at Qualys discovered a buffer overflow vulnerability in the __nss_hostname_digits_dots() function of glibc, which can be triggered (locally or remotely) via the gethostbyname*() functions used to resolve hostnames.

Okay, you're getting slightly nerdy... tell me, what's the danger?

An attacker could exploit the vulnerability to remotely execute malicious code on a vulnerable system, and gain complete control.

That sounds bad

It is. Qualys says it has developed a proof-of-concept attack in which sending a specially crafted email to a mail server can give them remote access to a Linux machine. They say that it bypasses all existing protection systems on both 32-bit and 64-bit systems.

How old is the vulnerability?

Versions of glibc as far back as glibc-2.2, released way back in 2000, are affected by the vulnerability.

Hmm. So, what versions and operating systems are at risk from the GHOST vulnerability?

Here's what Qualys says in its blog post about the vulnerability:

"The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."
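The check below is an added example written for this edition, in the style of the self-test that the Qualys advisory linked further down publishes; it is not code from the article. It hands glibc an all-digit "hostname" whose length is chosen so that the faulty size computation in __nss_hostname_digits_dots() accepts a 1024-byte buffer, while the corrected computation, which also reserves one pointer for h_aliases, would reject it, and then inspects a canary placed directly after the buffer. The canary string, the struct layout and the three size helpers are this example's own; the 16-byte address slot, the two h_addr_list pointers and the single forgotten h_aliases pointer in the size formulas are the quantities the advisory describes.

```c
/* Added example (not from the page): GHOST / CVE-2015-0235 self-test,
 * modelled on the check in the Qualys advisory.  A vulnerable glibc writes
 * sizeof(char *) bytes past the buffer into the canary; a fixed glibc
 * refuses the undersized buffer with ERANGE. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* example's own marker */

enum ghost_status { GHOST_NOT_VULNERABLE, GHOST_VULNERABLE, GHOST_INCONCLUSIVE };

/* Buffer handed to gethostbyname_r(), immediately followed by the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof CANARY];
} temp;

/* What glibc < 2.18 believed it needed: a 16-byte address, two h_addr_list
 * pointers, the name and its NUL.  The h_aliases pointer was forgotten. */
size_t ghost_buggy_size_needed(size_t name_len)
{
    return 16 + 2 * sizeof(char *) + name_len + 1;
}

/* The 2013 fix adds the missing h_aliases pointer; the difference between
 * the two formulas is exactly the overflow length. */
size_t ghost_fixed_size_needed(size_t name_len)
{
    return 16 + 2 * sizeof(char *) + sizeof(char *) + name_len + 1;
}

/* Longest name the buggy check still accepts for a buffer of buflen bytes. */
size_t ghost_trigger_name_len(size_t buflen)
{
    return buflen - 16 - 2 * sizeof(char *) - 1;
}

enum ghost_status ghost_check(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[sizeof temp.buffer];
    size_t len = ghost_trigger_name_len(sizeof temp.buffer);

    memset(&temp, 0, sizeof temp);
    strcpy(temp.buffer, "buffer");
    memcpy(temp.canary, CANARY, sizeof CANARY);

    /* All digits and no dots: takes the "numeric address" fast path
     * inside __nss_hostname_digits_dots(), which is where the bug lives. */
    memset(name, '0', len);
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof temp.buffer,
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;       /* canary clobbered: the overflow happened */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;   /* fixed glibc rejected the buffer */
    return GHOST_INCONCLUSIVE;         /* not glibc (e.g. musl), or an unexpected path */
}

int main(void)
{
    static const char *names[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    enum ghost_status s = ghost_check();
    printf("GHOST (CVE-2015-0235) check: %s\n", names[s]);
    return s == GHOST_VULNERABLE;
}
```

Build with cc -o ghosttest ghosttest.c and run it: "not vulnerable" on a patched glibc, "VULNERABLE" on an unpatched one, "inconclusive" on a libc that is not glibc, where this code path does not exist. Comparing the installed glibc package version against the distribution errata listed below remains the authoritative check; this program only shows the overflow itself. After updating glibc, every long-running process that mapped the old library keeps using it until it is restarted, which is why the advice below is to reboot.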

What needs to be done?

Fortunately, Qualys informed Linux distribution vendors in advance of going public, and patches are now available.

Will I have to reboot my servers to apply the patch?

Almost certainly, yes. Sorry.

Where can I find more information?

Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
GNU C Library: http://www.gnu.org/software/libc/
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

Have any bad guys exploited the GHOST vulnerability yet?

Not as far as we know. But now that details of the vulnerability are emerging publicly, it may only be a matter of time.

Companies are busy patching themselves. For instance, WP Engine (which hosts this website) says it updated all of its servers last night. Thanks guys!

Why is it called GHOST?

First answer: because every vulnerability these days needs a sexy name. After all, no-one normal would ever call it CVE-2015-0235.

Second answer: the vulnerability can be triggered by the GetHOST functions. Geddit?

I like the logo. It's cute

Yes it is. You might find this technical analysis of the logo (not the vulnerability) amusing.

Password Practices at Businesses Fall Short of Secure

One in five U.S. employees would sell their passwords, some for as little as $150, according to a survey by security specialist SailPoint. The global survey of 1,000 employees at large organizations also confirmed that employees are lax about password management in general.

"Today's end user has dozens of passwords they have to remember on a daily and even hourly basis. They compensate by choosing easy-to-remember, and easy-to-guess, passwords, or reusing the same password across multiple applications, or writing them down on sticky notes stuck to their computers."

Specifically, one in five employees routinely share login information for corporate applications with other members of their team, which increases the potential that the passwords they sell might not even be their own.

Compounding the problem, more than half (56 percent) of the survey respondents admitted to some level of daily password reuse for the corporate applications they access.

PAGE 6

Interlude

Brief Bio About The Interviewee

Mayur Danait is currently Chief Information Officer at Lupin, and has over 18 years of experience across the consulting, IT, consumer goods and pharmaceutical domains. His key role at Lupin is to align the organization's IT strategy to its business goals, and leverage technology to deliver superior business results. With Lupin since 2010, Mayur is driving an IT roadmap with a focus on ERP, manufacturing automation, business intelligence, information security, globalization and productivity. At Lupin, he has initiated and program-managed various global initiatives in the ERP, IT infrastructure and IT security domains. Prior to joining Lupin, Mayur had several years of cross-industry experience with a spectrum of organizations including Eastman Kodak, SAP and Asian Paints. He holds an MBA in Operations from IIM Lucknow and a B.Tech. in Mechanical Engg. from IIT Bombay.

1. What are your top three goals for 2015?

For 2015-16, we would be focusing on:
- Manufacturing excellence through automation
- Salesforce productivity through digital initiatives
- Harmonization of IT across the Lupin Group
- Enhancing Information Security through ISO 27001:2013 certification
- Delivering business applications through the cloud

2. Did you achieve any ROI for any security measure that has been implemented in your company?

It is difficult to quantify a direct ROI when it comes to security implementations. A better way of viewing it is the downside of not implementing a particular measure. One assesses the risk, and then implements the correct measure. However, rolling out Managed Security Services and a Privileged Identity Management solution in 2014 has yielded Lupin definite benefits such as prevention of access breaches, accountability for privileged accounts, alert handling with appropriate workflows, audit trails, improved end-point compliance and an overall reduction in security incidents.

3. What's your number one piece of advice for other Governance, Risk and Compliance professionals?

GRC professionals need to work in closer alignment with the business. That is necessary to have an accurate assessment and prioritization of enterprise risk. In addition, stringent change management procedures are mandatory to have a successful GRC implementation.

4. What do you think is the bare minimum compliance that needs to be followed to avoid any security breaches?

One needs to ensure that the organization's security policies align with the requirements of the business. Needless to say, regulatory and statutory compliance requirements are mandatory in nature.

5. How do you think the role of the information systems (IS) auditor is changing or has changed?

The role of the IS auditor has changed and evolved to a great extent considering the rapid change witnessed in how business is conducted. Globalization has also brought challenges related to privacy and regulatory compliance which need to be taken into consideration by auditors. The complexity of managing data across continents has made the IS auditor's job much more demanding. Enhanced focus on risks and the advancement of technological solutions have also mandated a change in auditor approach.

6. Do you arrange for security awareness trainings? How often are they conducted in your organization?

Apart from communicating periodic security awareness advisories in the form of EDMs, wallpapers, posters and classroom training sessions, we have now rolled out an ongoing mandatory online information security training and awareness module for all users. This has helped us with:
a) Refresher security awareness sessions for all users.
b) Centralized management of training records.
c) Reduced dependency on training personnel.
d) Enhanced coverage.

7. What do you do when you are not at work?

My personal time is usually spent with the family, reading and listening to music. I also enjoy playing the bansuri (bamboo flute).

8. What are the challenges that you face at your workplace?

Information security initiatives are equated with controls, and employees have a natural resentment towards controls. The technology and the processes eventually work; it is the people that present the real challenge. A good way to get around this is to make the entire information security initiative relevant to business strategy.

9. How has social media impacted you professionally?

The growth of social media has its own pros and cons when it comes to corporate information handling. We have to maintain a fine balance to use it for the advantage of our organization, i.e. to use it to enhance employee engagement or brand building, but at the same time ensure that we have well-defined policies in place to prevent any breaches and productivity losses.

10. How do you keep updated with the latest security news?

We subscribe to various information security forums such as Wipro Global Threat & Risk Advisory Services, Gartner Advisory Services, Symantec Risk Newsletters, SANS and Microsoft Security Advisories to keep us abreast of the latest happenings in and around the world.

PAGE 7

Is Big Data A Risky Business -Tushar Kale

Brief Bio About The Writer

Tushar Kale is a Big Data Evangelist at IBM. Tushar has more than 17 years of diverse experience in Information Technology, specializing in Big Data technologies used to design and implement real-time, enterprise-wide data warehousing solutions. Tushar earned his Masters in Management Studies in Finance and his Engineering degree in Electronics and Communications from the University of Mumbai. He can be reached at [email protected]

February 2012. That document

declared that, ―the consumer

privacy data framework in the

U.S. is, in fact, strong … (but it)

lacks two elements: a clear

statement of basic privacy

principles that apply to the

commercial world, and a

sustained commitment of all

stakeholders to address

consumer data privacy issues as

they arise from advances in

technologies and business

models.‖

As Susan Grant, director of

consumer privacy at the

Consumer Federation of

America (CFA), puts it, the

CPBR is, ―not a bill. It has never

been a piece of legislation. We

need to have something offered,

to talk about – at least

somewhere to start.‖

Risk #2: Discrimination

Organizations like the CFA and

Electronic Privacy Information

Center (EPIC), and individual

advocates like Rebecca Herold,

CEO of The Privacy Professor,

have enumerated multiple ways

in which Big Data analytics can

invade the personal privacy of

individuals. According to EPIC

comments last April to the U.S.

Office of Science and

Technology Policy, ―The use of

predictive analytics by the public

and private sector … can now

be used by the government and

companies to make

determinations about our ability

to fly, to obtain a job, a

clearance, or a credit card. The

use of our associations in

predictive analytics to make

decisions that have a negative

impact on individuals directly

inhibits freedom of association.‖

Herold, in a post on

SecureWorld, noted that while

overt discrimination has been

illegal for decades, Big Data

analytics can make it essentially

In 2014, on my return trip

from Dubai to India, at the

Dubai International airport I

observed 6 out of 8 passengers

connected to net and sharing

some information with either

their family or friends using a

mobile device. During my

travel to Singapore in 2013, I

observed that 7 out of 8

persons on a metro were

connected the net. I believe

staying connected is more of a

global trend than local, which

is undoubtedly on the rise.

As a Big Data Evangelist I have

developed Big Data

applications across industries

and for multiple customers.

Surprisingly most clients

implicitly assume that most of

customer demographic

information being available in

downloadable from net. If this

is true your next prospective

employer researches you and

knows quite a bit about you

even before you attend the

interview. Additionally, your

detailed information, in the

hands of marketers, financial

institutions and government,

can affect everything from

relationships to qualifying for a

loan or even getting on a

plane.

Today, I am connected more

with my school, college friends

and family than ever through

social sites. And I am glad to

post my recent picture,

location or even my feelings

without much hesitation. As

simple as it sounds, we need

not undermine the use of Big

Data technologies working in

the background having

capabilities to capture, store,

query and report each of our

post/events from the net. A

portion or all of your

information with or without

your knowledge is siphoned

and sold to your

telecommunications provider

who in turn sell it to either a

bank or marketing companies

who are prying for such

information.

As an example, a viral video

gets popular with multi-million

"likes" in just couple of days.

Hence, it is all the more

alarming for us to exercise

caution in posting content to

net. Use of Big Data has

matured over years especially

when it is promoted by Big

Brother by running campaigns

such as - "Big Data Initiative :

White House". There are lot

many use cases of Big Data

evolving ever after in areas

such as - Telecommunications,

Medical, Pharma, Politics,

Sports, Transportation and

Healthcare.

Big Data calls for new cyber

laws and associated risks as

follows:

Risk #1: Compliance

Laws are getting more

complex with regards to how

long companies need to retain

customer historical data,

method of retention not

limiting to place of retention -

on premise or cloud. Though

there are general guidelines

and regulations in place per

industry it is not uncommon

for regulators to perform

random audits to examine a

company‘s policy regarding

data and their actual

management of that data. A

big data compliance failure

may result in a significant fine

or damage to reputational

risk.

It has been almost three years

since the Obama

administration published what

it termed a Consumer Privacy

Bill of Rights (CPBR), in

Page 8: Is Big Data A Risky Business in Isaca Journal

P A G E 8

I S A C A @ M U M B A I

"automated," and therefore more difficult to detect or prove. In an interview, Herold said current discrimination law is "vague, narrowly defined, and from the applications of it I've seen, depends upon very explicit and obvious evidence. Big Data analytics provides the ability for discriminatory decisions to be made without the need for that explicit and obvious evidence," she said. That can affect everything from employment to promotions to fair housing and more.

Edward McNicholas, global co-leader of the Privacy, Data Security, and Information Law Practice at Sidley Austin LLP, said he thinks some of the potential risks of Big Data are overstated, but believes "the most significant risk is that it is used to conceal discrimination based on illicit criteria, and to justify the disparate impact of decisions on vulnerable populations."

Risk #3: Agility

Blockbuster, the movie rental chain, was shaken and then displaced within a few years by an internet company, Netflix, on the strength of a very aggressive internet model (the underlying technology being Big Data). In most enterprises data sits in several stove-pipe applications; without a mechanism and the necessary Big Data tools in place to respond in a timely manner, the business can suffer large losses. Hence a mechanism to link and co-locate your structured statement of record (SSOR) with your social, unstructured statement of record (USOR) is important if you want to promote the right campaign to the right person at the right time.

For example, I have my salary direct deposit, home loan, credit card, ATM card and internet banking with one bank. Right now, however, I am scouting for a car loan on the net, chatting with my friends, visiting other banks' websites and even discussing it socially on the net. How useful it would be if my bank could build a financial SOR of me, link it to my social USOR, and use Big Data technologies to offer me a specific, time-driven campaign in near real time. The highest risk here is to the bank that does not deploy Big Data technologies and so falls behind in the game.

Risk #4: An Embarrassment of Breaches

By now, after catastrophic data breaches at retailers like Target and Home Depot, restaurant chains like P.F. Chang's, online marketplaces like eBay, government agencies, universities, online media corporations like AOL, and the recent hack of Sony that not only put unreleased movies on the web but exposed the personal information of thousands of employees, public awareness of credit card fraud and identity theft is probably at an all-time high.

But in addition, there are numerous reports of Big Data analytics being used to expose personal details, such as beginning to market products to a pregnant woman before she had told others in her family. The same can be true of things like sexual orientation or an illness like cancer.

Risk #5: Goodbye Anonymity

Herold argues that without rules for anonymized data files, when data sets are combined "without first determining if any other data items should be removed prior to combining to protect anonymity, it is possible individuals could be re-identified."

She adds that if data masking is not done effectively, "big data analysis could easily reveal the actual individuals whose data has been masked."

Risk #6: Government Exemptions

According to EPIC, "Americans are in more government databases than ever," including that of the FBI, which collects Personally Identifiable Information (PII) including name, any aliases, race, sex, date and place of birth, Social Security number, passport and driver's license numbers, address, telephone numbers, photographs, fingerprints, financial information like bank accounts, employment and business information and more. Yet, "incredibly, the agency has exempted itself from Privacy Act (of 1974) requirements that the FBI maintain only 'accurate, relevant, timely and complete' personal records," along with other safeguards of that information required by the Privacy Act.

Risk #7: Your Data Gets Brokered

Numerous companies collect and sell "consumer profiles that are not clearly protected under current legal frameworks," EPIC said. There is also little or no accountability, or even a guarantee that the information is accurate. "The data files used for big data analysis can often contain inaccurate data about individuals, use data models that are incorrect as they relate to particular individuals, or simply be flawed algorithms," Herold said.
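Risk #5 describes the failure only in words. The following Python is an added example for this article, not code from the article or from Herold: it runs a linkage attack against a constructed "masked" data set in which the names were removed but the quasi-identifiers were kept, joins it to a constructed public data set that carries names beside the same fields, and then applies the k-anonymity check that a release review would use to flag the problem before the file is combined with anything. The choice of quasi-identifiers (ZIP code, date of birth, sex) and every record are assumptions made for the demonstration.

```python
"""Re-identification by linking a "masked" data set to a public one, and the
k-anonymity check that flags the risk before release.

Added example for this article. All records are constructed; the choice of
quasi-identifiers (zip, dob, sex) is an assumption for the demonstration.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" release: names removed, quasi-identifiers and
# the sensitive attribute (diagnosis) kept.
MASKED_RECORDS = [
    {"zip": "400077", "dob": "1981-03-14", "sex": "F", "diagnosis": "cancer"},
    {"zip": "400077", "dob": "1976-11-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "400086", "dob": "1990-07-21", "sex": "F", "diagnosis": "pregnancy"},
    {"zip": "400086", "dob": "1990-07-21", "sex": "M", "diagnosis": "flu"},
    {"zip": "400086", "dob": "1990-07-23", "sex": "F", "diagnosis": "flu"},
    {"zip": "400078", "dob": "1984-09-30", "sex": "F", "diagnosis": "flu"},
    {"zip": "400079", "dob": "1972-01-05", "sex": "M", "diagnosis": "cancer"},
    {"zip": "400090", "dob": "1995-05-05", "sex": "M", "diagnosis": "flu"},
]

# Constructed public data set (a voter roll, a social profile dump) that
# carries names beside the same quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "Asha Rao",    "zip": "400077", "dob": "1981-03-14", "sex": "F"},
    {"name": "Rahul Mehta", "zip": "400077", "dob": "1976-11-02", "sex": "M"},
    {"name": "Priya Shah",  "zip": "400086", "dob": "1990-07-21", "sex": "F"},
    {"name": "Neha Joshi",  "zip": "400086", "dob": "1990-07-21", "sex": "F"},
    {"name": "Karan Desai", "zip": "400086", "dob": "1990-07-21", "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def key_of(record, qi=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values; the join key for the attack."""
    return tuple(record[field] for field in qi)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records that share a quasi-identifier
    tuple. k == 1 means at least one record is unique and can be linked."""
    return min(Counter(key_of(r, qi) for r in records).values())


def infer(masked, public, qi=QUASI_IDENTIFIERS):
    """Linkage attack. For every person whose quasi-identifier tuple is unique
    in the public data, return the set of sensitive values found in the masked
    records sharing that tuple. A one-element set is a disclosure."""
    values_by_key = defaultdict(set)
    for rec in masked:
        values_by_key[key_of(rec, qi)].add(rec["diagnosis"])
    names_by_key = defaultdict(list)
    for rec in public:
        names_by_key[key_of(rec, qi)].append(rec["name"])
    return {
        names[0]: values_by_key[key]
        for key, names in names_by_key.items()
        if len(names) == 1 and key in values_by_key
    }


def disclosed(masked, public, qi=QUASI_IDENTIFIERS):
    """name -> sensitive value for everyone the attack pins down exactly."""
    return {name: next(iter(values))
            for name, values in infer(masked, public, qi).items()
            if len(values) == 1}


def generalize(record):
    """Coarsen the quasi-identifiers before release: ZIP to its first three
    digits, date of birth to the decade. Other fields are left untouched."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "xxx"
    out["dob"] = record["dob"][:3] + "0s"      # "1981-03-14" -> "1980s"
    return out


if __name__ == "__main__":
    print("k before release review:", k_anonymity(MASKED_RECORDS))
    print("disclosed:", disclosed(MASKED_RECORDS, PUBLIC_RECORDS))
    released = [generalize(r) for r in MASKED_RECORDS]
    public_g = [generalize(p) for p in PUBLIC_RECORDS]
    print("k after generalization:", k_anonymity(released))
    print("still disclosed:", disclosed(released, public_g))
```

Before the review every masked record is unique on the quasi-identifiers (k = 1) and three people are tied to their diagnosis even though no name was ever in the file. Coarsening ZIP and date of birth raises k to 2 and breaks most of the links, but Karan Desai is still exposed because both records in his class carry the same diagnosis: k-anonymity limits identity disclosure, not attribute disclosure, so a masking review also has to look at the diversity of the sensitive values within each class, which is exactly the gap Herold's second quote points at.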


Cyber-attack, a looming business

As we get more and more addicted to the information highway, the Internet and mobile apps, cyber threats and security issues loom large. The latest trend in cyber terrorism is vividly narrated in the real-life story 'How my mom got hacked' by Alina Simone in The New York Times.

Cryptowall, the malware, had popped up on her mom's computer, locked all the files and demanded a ransom of $500 for the key to decrypt them; if the ransom was not paid within the time limit, the amount would double and, thereafter, the files would be destroyed forever!

The victim had no way out but to pay the ransom to the unique Bitcoin 'wallet' to get the decryption key. Cryptowall has been in the cyber terror business for quite some time now, and its predecessor CryptoLocker had demanded a ransom as high as $800,000 from Detroit authorities.

The massive attack on Sony Pictures happened only in November 2014. The skulls that showed up on its computer systems, threatening to expose secrets, actually forced Sony to cancel the release of the satirical comedy The Interview, about a plot to assassinate North Korean leader Kim Jong-un. The hackers called themselves 'Guardians of Peace' and exposed embarrassing emails about some film celebrities. The Director of the Federal Bureau of Investigation, James Comey, concluded that the hackers had "failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans".

Recent research on cyber-crime estimates that in 2015 there will be more sophisticated and havoc-creating cyber terrorism, with innovative modus operandi targeting higher infection rates and aiming at more income. The emergence of new payment methods through Bitcoin has transformed ransomware into a money-spinning business.

Attackers have varied motives: spreading terror, espionage, hacktivism, waging cyber wars and, of course, making money. Attackers may target specific machines, platforms or set-ups, evading layers of detection mechanisms to launch attacks on computers. Malware developed for espionage could be used by hired cyber-crime groups. Successful ransomware attacks will embolden attackers to design stealthier 'time bomb' attacks on an enterprise, threatening to cripple multiple resources and forcing it to pay ransom. Cyber-criminals getting off scot-free encourage more wild hackers to experiment in the terror landscape.

A recent study undertaken by the Associated Chambers of Commerce and Industry of India and the Mahindra Special Services Group shows that cyber-crimes in India are likely to cross 3,00,000 by 2015. India is the third most affected country after the US and Japan. Of a global average of 560 million cyber-crimes on smartphones in 2012, India had 46 million, more than eight per cent of them. The total number of Indian websites hacked in 2013 was 28,481, and this is expected to reach 85,000 in 2015, with increasing incidents from the top three States, Andhra Pradesh, Karnataka and Maharashtra, which contribute 70 per cent of India's revenue from information technology related industries.

The key concern is that the sources of attack are based abroad, in China, Pakistan, Bangladesh and Algeria. Attacks can target critical infrastructure like power grids, transportation networks and their operational systems, serve espionage, or act as a tool of political retaliation against defence and financial institutions. Outsourcing malware production and building out attacks are becoming the order of cyber warfare. Experts opine that malware-as-a-service has been around for some years, but attacks-as-a-service are going to be a new reality in 2015.

Nation-states and entities have no escape but to be prepared for the new trend in cyber terrorism and to re-invent endpoint security. It is important to adopt adequate measures for timely detection, deterrence and preventive inspection to protect all vulnerable key devices.

Increasing trends in cyber-crime and experts' predictions should caution us to heighten security protocols on computers, smartphones and other connected devices. Banks should ensure adequately updated cyber security, as online bank accounts are exposed to phishing attacks and other frauds, and the increasing use of mobile banking through smartphones and tablets for financial transactions intensifies the exposure. Keeping information devices backed up promptly on an independent drive or a secure cloud backup, and updating software with the latest 'patch', must become the irreducible minimum of security preparedness.

The establishment of a National Critical Information Infrastructure Protection Centre, the Indian Computer Emergency Response Team, cyber security mock drills, Information Sharing and Analysis Centres and the creation of a pool of 5,00,000 cyber security professionals in five years, as envisaged in the National Cyber Security Policy of 2013, should be taken up. Existing mechanisms should be revamped.

Source: http://www.dailypioneer.com/columnists/oped/cyber-attack-a-looming-business.html

-K P Sashidharan

Brief Bio About The Writer

K. P. Shashidharan is former Director General, CAG of India, Member, Indian Audit & Accounts Service, and an alumnus of the London School of Economics. As an established freelance columnist he contributes articles on public finance and current issues to leading newspapers. He is Visiting Professor to premier professional, academic and administrative training institutions.

Risks in Core Banking Migration -K K Mookhey

Brief Bio About The Writer

K. K. Mookhey is the Principal Consultant at Network Intelligence (I) Pvt Ltd. and the Institute of Information Security. One of the pioneers in the information security space, he founded NII in 2001. What started as a one-man show has grown into a team of 200+ security professionals working across India and the Middle East with the who's-who of industry as long-term clients. He is the author of two books on security, Linux Security & Controls and Metasploit Framework, as well as numerous articles. He is one of the first Indian security researchers to have presented at Blackhat USA, in 2004. His experience and skillsets encompass IT Governance, Information Security Strategy, Forensics, Fraud Risk Management, and Business Continuity. He holds the CISA, CISSP, CISM, CRISC and PCI QSA qualifications.

Summary

This article highlights some of the key risks in executing a successful core banking migration program. Many of these risk elements also apply to any large IT project, but they are framed here around a core banking migration.

Key Risks

A core banking migration project typically involves hundreds of millions of dollars of investment, along with serious levels of commitment from Business and IT. Such a large investment of time and money requires proper risk management and strong governance to ensure that all stakeholders realize the responsibilities they hold and work single-mindedly to fulfil them. At the same time, business as usual needs to be maintained, and customer impact must be absolutely minimized.

The following is a listing of the key risks, based on our experience of working with Banks engaged in large-scale programs such as core banking implementation.

Program Management

Core banking implementation projects are not just about project management, but rather about program management. A program is a collection of multiple projects, each of which has its own timelines, dependencies, RACI[1] matrices, deliverables, and milestones.

Many banks are not geared up to handle a Program of this size, complexity, and duration. The fact that multiple projects would be involved, and that each of these projects would impact the others in some way, is quite often a rude awakening that comes somewhere during the business analysis phase. Just as an example, some of the key project streams that would need to run are:

- Business Requirements Gathering – this would have multiple stages, including demonstration of the Model Bank by the vendor, business requirements gathering, functional specifications preparation, etc.
- Data Migration – which would involve Data Quality Analysis, Data Clean-up, Data Mapping, and Data Migration
- Interface Development – for existing and new applications to interface with the new system, as well as implementation of the Enterprise Service Bus, if the Bank is adopting SOA (Service Oriented Architecture)
- Module Development – no matter how much you wish otherwise, there will be customization involved, and this has to be overseen properly by the Bank
- UAT – quite often you will want to do this jointly with an outsourced entity
- Business-as-usual impact management – more on this in a later section
- IT operations readiness – this covers the readiness of infrastructure (servers, storage, network), processes (backup, operations, monitoring, troubleshooting), and IT teams (organizational structure to handle program-specific responsibilities)
- Business operations readiness – this would cover the branches, learning and personnel development, and other business units which would be impacted by the implementation
- Rollout – the rollout strategy would need to be decided early on as it impacts the entire program in multiple ways. More on this later.

[1] Responsible, Accountable, Consulted, Informed. A RACI Matrix helps identify who does what at each stage of the project.

Program Governance

Once you realize the enormity of the task, a proper governance structure needs to be implemented. Some Banks choose to outsource the Program Management Office completely. Either way, this has to be done with senior banking personnel embedded in the program governance structure. An outsourced vendor would bring in expertise in the areas of project management, risk management, change management, vendor management, and driving the program forward. Formal manuals may have to be prepared which clearly spell out the governance structure, along with roles and responsibilities for all key stakeholders, and which also define the processes for critical project management practices such as risk, issue, change, and communication management.

Business Commitment

With the ongoing pressures of business-as-usual, the business teams may not be fully committed to a program of this scale and complexity. This has multiple impacts, right from product selection, scope definition and requirements gathering to UAT. Without the right level of business personnel involvement, the quality of inputs received by the program would suffer. This often results in repeated iterations of deliverables such as the Business Specification Documents (BSDs) and Functional Specifications Documents (FSDs), and it may result in a sub-standard product being delivered to the organization.

Vendor Management

The transformation program will typically involve multiple vendors: Core Banking Solution Provider, Project Management, Testing, Data Migration, etc. Each of these vendors will bring to the table their own expertise, but also their own challenges in terms of experience and expertise. The Bank should institute a dedicated vendor management function (part of the Program management team) which deals with vendors on an equal footing and does not get intimidated by their claims of boiler-plate contracts. The Legal team should be heavily involved in ensuring the contract is fair, but tilted more in the Bank's favor than the vendor's. Vendors should be committed to providing "named" personnel who are available throughout the execution of key project milestones and are based in the UAE. No vendor should be allowed to execute a typical "bait-and-switch" strategy when it comes to project resources.

It is also recommended that the Bank evaluate having the role of "System Integrator" played by a specialist vendor, rather than leaving this role to the main solution provider, who are experts in the Core Banking system but may not be able to deliver on the overall aspects of implementing the solution within the Bank's existing environment.

Scope Management

The scoping exercise prior to contract finalization is one of the most important stages. Key stakeholders from all the Bank's impacted departments should play a role in this. The program team should also institute a challenge mechanism to avoid over-customization of the Core Banking (CB) solution. The requirements gathering team should be encouraged to push people to accept the system's way of doing things rather than super-imposing outdated processes onto a state-of-the-art solution. Notes should be exchanged with other banks in the region that have implemented the same solution, covering the challenges that they faced.

Ensuring Quick Wins

A program such as this often leads to elongated project milestones, and this can demotivate the team members as well as raise doubts in the minds of the Board members as to whether this investment is really going to yield any results. The transformation program team should ensure that quick wins are adequately introduced throughout the project delivery schedule and that these are well recognized throughout the Bank.

Financial Control

Programs such as these have a tendency to escalate quickly in terms of budgeted costs. It is extremely important that the Bank institute a dedicated financial control function for the transformation program that tracks capital and operational expenditure on a weekly basis, ensures that payments are made on time (in order not to demotivate vendors), and ensures that payments are made only when the deliverables are up to the mark and delivered on time. This aspect may further be enhanced by keeping a bonus component for on-time or before-time delivery of key milestones. Cost escalations should also be properly risk-managed through the bid negotiation and contractual stages themselves.

People Management

A core banking transformation project can only succeed when all stakeholders are fully committed to it. This means there would be certain key banking personnel who need to be dedicated to this enterprise, as well as others who would be tapped at various stages of the program. Given typical attrition rates in the Banking industry, the program should not suffer if key people leave. For this, the Bank should consider implementing an incentive program that ensures key stakeholders remain committed to the Bank and to the transformation program through its key stages. A strong communications management process that includes senior management, including the Board of Directors, overseeing the progress and appreciating key achievers in words and kind is mandatory for the eventual success of the Program.

Rollout Strategy

One of the aspects that must be addressed pretty much up front is the planned rollout strategy. There is no one right way of doing this, and pain has to be suffered no matter what strategy is adopted. Options are:

- Big Bang: During a given weekend (say during a long holiday period) everyone switches over to the new system
- Parallel Run: Transactions are posted on both systems and data reconciliation is done at end of day. All errors are ironed out before date rollover
- Hybrid: All new customers are created on the new system, while older customers are migrated in a phased manner. GL reconciliation is done at end of day

Each approach has inherent risks and detailed mitigation measures that must be built in. This has an impact throughout the program in terms of interface preparation, reconciliation scripts, data migration approach, build delivery and testing strategy. A detailed study must be carried out and an informed decision must be taken on this aspect.

Data Migration

This is an aspect that a lot of Banks figure they will deal with later. But it can spring a lot of rude surprises just as the first build begins to be delivered. Legacy systems quite often do not have the rigor of input validation and data integrity controls that newer applications tend to have. Each CB solution has its own requirements in terms of data quality, necessary data fields, and data formats. Migrating legacy data is not just limited to mapping of the fields, but also requires heavy lifting in terms of data clean-up, data conversion, and quality review of the migrated data. Quite often this might also involve reaching out to branches, who in turn would need to reach out to individual customers to obtain missing KYC data.
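The Parallel Run option under Rollout Strategy and the Data Migration section above rest on the same control: an end-of-day comparison of the two systems' books, plus a data-quality pass on what is about to be migrated. The following Python is an added example, not the author's or any vendor's code, that performs both on constructed extracts; the CSV layout (account, balance, kyc_id) and the sample accounts are assumptions for the demonstration. Balances are held as Decimal rather than float so that paise compare exactly.

```python
"""End-of-day reconciliation for a parallel run of a legacy core banking
system against its replacement, with the data-quality pass a migration needs
before the first load.

Added example for this article, not the author's code. The extracts are
constructed sample data in an assumed CSV layout: account, balance, kyc_id.
"""
import csv
import io
from decimal import Decimal

# Constructed legacy extract. Account 1003 lacks a KYC id, account 1004 will
# carry a different balance on the new system, account 1005 was never migrated.
LEGACY_CSV = """account,balance,kyc_id
1001,15000.50,KYC-A1
1002,0.00,KYC-B2
1003,2300.75,
1004,99999.99,KYC-D4
1005,410.10,KYC-E5
"""

# Constructed extract from the new core for the same business day. Account
# 1006 exists only here (opened directly on the new system).
NEW_CSV = """account,balance,kyc_id
1001,15000.50,KYC-A1
1002,0.00,KYC-B2
1003,2300.75,
1004,99990.99,KYC-D4
1006,500.00,KYC-F6
"""


def load_extract(text):
    """Parse an extract into {account: row}; balances become Decimal."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["balance"] = Decimal(row["balance"])
        rows[row["account"]] = row
    return rows


def reconcile(legacy, new):
    """Compare two extracts account by account and at GL level.

    Returns the accounts missing on either side, the per-account balance
    differences (new minus legacy) and both GL totals, so the end-of-day
    sign-off shows exactly where the books disagree.
    """
    legacy_ids, new_ids = set(legacy), set(new)
    mismatches = {}
    for acct in legacy_ids & new_ids:
        delta = new[acct]["balance"] - legacy[acct]["balance"]
        if delta != 0:
            mismatches[acct] = delta
    return {
        "missing_in_new": sorted(legacy_ids - new_ids),
        "missing_in_legacy": sorted(new_ids - legacy_ids),
        "balance_mismatch": mismatches,
        "gl_total_legacy": sum(r["balance"] for r in legacy.values()),
        "gl_total_new": sum(r["balance"] for r in new.values()),
    }


def kyc_gaps(extract, required=("kyc_id",)):
    """Data-quality check before migration: accounts missing mandatory fields
    that the new core will reject or that branches must collect from customers."""
    return sorted(acct for acct, row in extract.items()
                  if any(not row.get(field) for field in required))


def is_clean(report):
    """True only when both sides carry the same accounts with identical balances."""
    return (not report["missing_in_new"] and not report["missing_in_legacy"]
            and not report["balance_mismatch"]
            and report["gl_total_legacy"] == report["gl_total_new"])


if __name__ == "__main__":
    legacy, new = load_extract(LEGACY_CSV), load_extract(NEW_CSV)
    report = reconcile(legacy, new)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("KYC gaps in legacy data:", kyc_gaps(legacy))
    print("clean:", is_clean(report))
```

Run against the sample extracts the report lists account 1005 as missing on the new core, 1006 as missing on the legacy core, a 9.00 difference on account 1004 and two different GL totals, and the KYC pass flags account 1003 before anyone tries to load it. A real parallel run would add the transaction-level comparison behind each balance difference, but the account and GL level shown here is the minimum the date-rollover decision should be based on.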

Infrastructure and Sizing

The sizing requirements can change as the program progresses. Some factors that can influence this are regulatory requirements for longer storage of customer and transaction data, an increase in the fields associated with customers (for instance, issuance of a national ID number), introduction of an Enterprise Service Bus (ESB), etc. Not only must the hardware cater for the application requirements today, but also for 5 years down the line when the system will be fully functional. Therefore, business growth plans must be taken into account for at least a 5-year horizon when sizing is being done. Also, multiple factors would influence latency, and the required responsiveness of the system should be mandated at the start of the program to avoid user rejection due to the system being "too slow".

Business As Usual (BAU)

While such a major transformation is going on, and a program of this nature would take anywhere from 3-5 years, the Bank has to continue operating as usual. During this time, the business will continue to come up with new requirements for enhancements to the existing core banking system as well as other satellite systems that interface with it. Now, the core banking system itself is going to be replaced, so these changes represent a moving target for the Program. A new requirements management or demand management process needs to be put in place to analyze the impact of these change requests, rationalize them, and only then approve them for implementation. Each such request will represent a scope increase in the CB implementation, with a subsequent cost impact, not to mention an increase in timelines for further customization of the system.

Conclusion

Multi-million dollar, multi-year programs such as Core Banking transformation require a different mind-set and more mature program management capability than most Banks possess in-house. Strong risk management processes can help mitigate the risks from this lack of prior experience by implementing global best practices, bringing the right people to the game, and managing vendors with an iron hand in a velvet glove. The risks enumerated above are generic and based on our experience. The Bank may use these to build a larger risk register and enumerate strong risk mitigation measures to ensure that the investment of time and money is well worth it, and that such a large program delivers the benefits originally envisaged: faster go-to-market, a customer-centric approach, and intelligent insights into consumer behaviour and product profitability.


The Case For Cyber Insurance

According to the National Crime Records Bureau (NCRB), cyber-crime zoomed 350% in the three years between 2010 and 2013. In a 2014 survey of 170-plus Chief Information Officers, Chief Information Security Officers and the like conducted by KPMG, 89% of the respondents felt that cyber-crime is a major threat, 51% felt that their companies were easy targets for cyber-attacks and 49% had actually experienced such attacks. In December 2014 an Economic Times article quoting unnamed experts stated that India Inc. had lost as much as $4bn due to cyber-attacks of all kinds during 2013 and suggested that losses had increased by 30% in 2014. Yet Prudent Insurance Brokers estimates there have been only 50 or so dedicated cyber-insurance policies sold in India so far. The gap between risk perception and actual risk mitigation cannot be starker than this!

Cyber-crime is no longer the domain of the relatively harmless nerd seeking the thrill and fame of the exquisite hack, who damages little more than the ego of his corporate victims. Today the stakes are much higher and can even put lives in jeopardy. For instance, while the world was transfixed by the admittedly spectacular North Korean hack of Sony, very few people knew that a steel plant in Germany had lost control of its blast furnace. For some time hackers had sole control of tonnes of molten ore, and thankfully disengaged without causing the horrific industrial accident that they were fully capable of causing at that time.

Another very dangerous recent trend is the increasing availability of mercenary hackers, or hackers for hire. These services make it disturbingly easy for individuals and businesses to sponsor attacks, steal data and money, stop the operations and services of another firm and sabotage lives and businesses, all by remote control. In a recent report Gartner found that zero percent of large enterprises have formal plans to address aggressive cyber security business disruption attacks, probably lulled by the low frequency of large-scale attacks. However, it foresees that by 2018, 40% of big firms will have such plans, underscoring the high threat perception for the immediate future.

In India the largest number of cyber-crimes for the year 2013 (later data is not yet available), 2144 in total, were classified in the "others" category by NCRB. That is probably because these are crimes that are not easily attributable in the outdated lexicon of our penal code. Even so, as many as 2061 were attributable to fraud, illegal gain and money greed. Most of these have been about siphoning off anything between a few lakhs and a couple of crores from either bank accounts or leaky government schemes such as MNREGA. Interestingly, according to NCRB the bulk of cyber-crime arrests in 2013 took place in the 18 to 30 age group, followed by the 30 to 45 age group.

While Indian companies seem to be aware of cyber-crime, they have been slow to recognise its far-reaching impact (such as denial of service for days on end) and even slower to adopt adequate protection by way of proper insurance. Of the 50 or so dedicated cyber-risk policies that have been bought in India, a majority have been by technology and BPO firms, mainly because they have been mandated to do so by their contracted customers. Banking, Financial Services and Insurance companies are also aware of these risks; Arbor Networks reports that last year 34% of Indian financial sector companies reported cyber-attacks and threats, up from 15% in the previous year. As a result, a few large banks have now bought cyber insurance policies with limits ranging between US$ 5 and 10 million. Other industries such as hospitality, retail and health-care do not even have sophisticated Professional Indemnity cover in place, leaving their balance sheets very vulnerable to the costs of a breach.

But traditional policies such as Professional Indemnity, Commercial General Liability, etc. are not really well geared towards protecting against the extensive and varied damages and costs of a cyber-attack, such as the many third-party costs of hiring forensics experts for investigation, image managers to repair soiled reputations, or software and security consultants to repair broken firewalls and processes. Nor do they cover the fines and penalties that a breached business might have to bear, which can be imposed by a regulatory or quasi-regulatory authority for negligence.

Cyber-risk is different for different industries, so a one-size-fits-all cyber-insurance policy will prove inadequate. Unlike with traditional policies, adequate protection or risk mitigation cannot be obtained without a high degree of individual customisation, which is perhaps the primary reason why India Inc. is so under-insured when it comes to cyber-risk. But given the exponential increase in attacks over the years and the increasing severity of damages and losses caused by cyber-crime, specialised individual policies are the need of the hour. There are other benefits too, which are not available with traditional policies: having a cyber-insurance policy does not only mean financial protection for the payment of post-breach bills but the additional benefit of having the broker and insurer effectively managing the breach situation. Also, these policies usually come with the built-in services of various experts such as forensics teams, credit monitoring firms, public relations organisations, etc. who will assist the insured in the various aspects of breach response which they would otherwise find overwhelming on their own.

In conclusion: while it may be difficult or even impossible to achieve total protection against cyber-crime, it is eminently possible to have total protection for the aftermath of a cyber-attack.

-Gurpal Dhingra

Brief Bio About The Writer

Gurpal Singh Dhingra is a Director at Prudent Insurance Brokers Private Limited, the leading insurance broker for Indian multinationals. He has been with the company for 13 years and heads its southern operations from Bangalore.

Source: This article first appeared on www.outlookindia.com: http://www.outlookindia.com/article/The-Case-For-Cyber-Insurance/293701

Photo Gallery

9th BSAS Seminar - Chapter Office: IndusInd CISO inaugurating the seminar; BSAS participants.
ISACA Board of Director Ms. Debbie Lew delivering a seminar at the Chapter Office; President providing a token of appreciation to Debbie; Debbie with Mumbai Chapter past Presidents; Debbie with Mumbai Chapter Managing Committee Members.


Certification Awareness Program At The Chapter Office: Managing committee members explaining ISACA Certifications to the participants.

Acknowledging the role of Past Presidents of ISACA Mumbai Chapter: Past President Mr. Anand Shenoy congratulating, on behalf of all the past presidents, current President Mr. Vaibhav Patkar in the new Chapter office.

Solution To Last Edition's Crossword Puzzle

   A B C D E F G H I J K L M
1  H A S H
2  A V L A N V A X
3  M P L S o
4  C B I
5  S T E G A N O G R A P H Y
6  X A T
7  T N O W A S P
8  3 D E S E P A
9  W T A T
10 C I S A 2 C
11 Y H
12 P A R I T Y


Crossword Puzzle

   A B C D E F G H I J K L M N
 1 S P L I T K E Y
 2 A P B S P I C E
 3 A U D I T R I
 4 M L H R O S P F
 5 M L R O X H
 6 I Z E R O D A Y E
 7 S N A A T R
 8 G R A T K P
 9 C C I H P I I
10 R I F T T R
11 I D S Q S A T O R A
12 S P D P P C
13 C H A I N O F C U S T O D Y

ACROSS

A-2 Required in a wireless network
A-7 IBM-developed protocol
A-11 Mechanism for detecting an attack
A-13 A process that tracks the movement of evidence through its collection, safeguarding and analysis lifecycle by appropriate documentation
B-1 A key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items
B-3 Independent review and examination of records and activities to assess the adequacy of system controls
D-8 Mechanism to check network device configuration
E-11 PCI-approved auditor
F-6 An attack for which no patch is available yet
J-11 Used for enabling anonymous communication over the internet
K-4 A type of routing protocol
J-2 A protocol to take over remote systems
L-9 Information that shouldn't be shared

DOWN

A-9 Risk management certification from ISACA
B-1 Use of an electronic messaging system to send unsolicited messages
C-9 A proposed law in the USA for sharing internet traffic information between the US government and technology companies
D-3 A collection of small programs which can be called when needed by a larger program
E-9 A server name consisting of a hostname followed by the domain name
G-2 Data unit
G-3 A potential for violation of security which exists when there is a circumstance that could breach security
H-4 A collection of tools that a hacker uses to mask intrusion and obtain admin-level privileges
J-9 A secure protocol
K-2 A ____ server that acts as an intermediary between a workstation user and the internet so that the enterprise can ensure security, administrative control and caching service
M-2 A cryptographic algorithm for encryption and decryption
M-11 The point in time to which data must be recovered after an outage
N-8 ____ is the theft of software through illegal copying of genuine programs or through counterfeiting
