Security – BMC Software | Blogs

IT Disaster Recovery Planning Explained
https://s7280.pcdn.co/disaster-recovery-planning/
Thu, 18 Nov 2021 00:00:03 +0000

In today’s digital world, technology disruption for even a few hours can result in significant financial consequences to your business. According to Gartner, the average cost of IT downtime is $5,600 per minute. (That’s more than $300,000 per hour!) For large organizations, that number tops half a million dollars.

It’s no wonder that having a well-designed and effectively maintained disaster recovery plan in place will substantially increase your ability to recover lost data and return to normal operations as quickly as possible.

So, let’s look at strategies for developing a disaster recovery plan that will protect your organization.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

Business Continuity Planning vs Disaster Recovery Planning

Business continuity planning (BCP) and disaster recovery planning (DRP) are sometimes used interchangeably. And while they are interconnected, the two are different concepts:

  • Business continuity planning is the overarching strategy that covers the entire company to ensure that mission-critical functions can continue during and after unforeseen events. Such events could include natural disasters, death or illness of a company executive, a security breach, and more.
  • Disaster recovery planning is actually a subset of overall business continuity that helps ensure organizational stability following an impact to IT only. Examples include disruption to servers, desktops, databases, applications and so on.

(Compare business continuity to business resiliency.)

Business continuity planning (BCP)

Goals of disaster recovery planning

When crafting the right disaster recovery plan for your business, it’s important to first assess the goals you’d like the plan to accomplish. The purpose of the DR plan is to protect users and the business from financial, legal, privacy and security related repercussions of a disaster incident.

Let’s look at the key reasons to plan for disaster recovery.

Mitigating risk

The aim here is to contain the extent and scope of the disaster's impact. Conduct a thorough risk assessment and evaluate the likely targets. Design the DR plan to isolate mission-critical systems and streamline the risk mitigation and remediation pipeline.

Reducing disruptions

Service availability is critical to business success. A primary goal of a DR plan is to ensure that systems return to normal and optimal performance soon after downtime. Metrics such as Mean Time to Recovery (MTTR) should be optimized within disaster recovery planning.

Reducing economic impact

Prioritize MTTR of IT assets based on the perceived business value. An optimal disaster recovery strategy is focused on:

  • Systems that directly impact the cost of downtime
  • Critical services such as infrastructure and healthcare applications
  • The wide extent of the user base

Preparing for disasters

Get ready for the disasters that are waiting to happen. Cyberattacks are getting more sophisticated by the day—which means you can always improve your ability to handle the next wave of security threats.

Understanding cybersecurity posture

Cybersecurity is hard. It is time and resource intensive. You need to:

  • Get started with the right cybersecurity strategy
  • Secure the most important IT assets
  • Identify new vulnerabilities
  • Patch zero-day vulnerabilities as soon as they are found

It’s also important to neither overestimate nor underestimate your cybersecurity strength. Understanding your cybersecurity posture helps optimally allocate resources to prepare for and respond to disaster incidents when needed.

Achieving regulatory compliance

Organizations should be well prepared in adapting to the changing regulatory environment. A disaster recovery plan should be a part of the compliance strategy as it alleviates risk and provides a systematic approach to recover from disaster situations. Critically, compliance is mandatory for organizations in certain industries, including:

  • Healthcare
  • Finance
  • Defense
  • Infrastructure

(Understand governance, risk & compliance, known as GRC.)

Maintaining brand loyalty, reputation & user trust

Internet users today are increasingly aware of their rights to data security, privacy, and control. A DR plan ensures that your users maintain access to their data even when disaster strikes.

As a result, service providers maintain trust and brand loyalty necessary to survive the competitive Internet market landscape.

Who creates the Disaster Recovery Plan?

Now let’s look at creating the plan itself.

Before you begin mapping out your DRP, it’s important to have the right people in place to lead the charge. To this end, establish a disaster recovery plan committee which includes key decision makers from across the entire organization:

Collectively, these individuals will be responsible for outlining, implementing, testing, and maintaining the disaster recovery plan.

How to create a Disaster Recovery Plan

A disaster recovery plan can include an exhaustive set of actionable guidelines for all employees responding to a disaster situation that may impact corporate IT networks and systems. The Disaster Recovery Planning (DRP) document is your roadmap to implementation—as such, you should update it regularly and store it in a safe, accessible location for use in an emergency. (If it’s in the cloud, but your internet is down, how can you access it?)

You can follow a Disaster Recovery Planning document template given below to ensure that your workforce can easily understand and adopt the systematic actionable guidelines to protect against disasters:

Step 1: Define goals

Identify your business goals. Associate a business value to your services, systems, departments and organizational functions, and how IT availability impacts various business operations.

Step 2: Define responsibilities

Who is in charge of what? Develop an organizational chart and define the responsibility of each individual involved in executing a DR plan.

Step 3: Prioritize application assets

Identify critical applications and assets. Focus your DR efforts in order of priority based on business value, user impact, legal requirements, ease of recovery, and other applicable factors.

Step 4: Describe asset details

Maintain an exhaustive directory providing details on every asset, including vendor details, model and serial numbers, cost, quantity, and other relevant details.

Step 5: Define backup plan

Describe the frequency and schedule of backups. Different libraries and directory objects may be processed for backup at different schedules and volumes based on data storage and transfer cost, speed, business, and legal value.

Step 6: Define recovery procedure

Define actionable guidelines focused on three key elements:

  • Physical damages: emergency response to fire incidents or natural disasters.
  • Data backup: Execution guidelines of the data backup plan.
  • Recovery: Restoration of data assets from backup storage locations.

Step 7: Plan for mobile & hot sites

Establish alternative (hot) and mobile facilities to handle the DR operations while the home site is reestablished. This is particularly useful when physical disasters are involved.

Step 8: Establish restoration guidelines & framework

Define how, as data is recovered from backup sites, the original site, systems, and operations will be reestablished to an optimal state.

Step 9: Test, test, test

Thoroughly test and evaluate your DR plan. Perform DR drills and training sessions to prepare your workforce for potential emergency situations.

Step 10: Continual Improvement

Continuously assess, improve and update your DR plan. Keep your records and procedure up to date with respect to risks and resources available to the organization.

Time is critical for disaster recovery

If your organization hasn’t created a disaster recovery plan or hasn’t made it a priority to maintain or improve upon it, then time is of the essence. No business can afford to have an ineffective response to unforeseen circumstances, and once a disaster occurs it’s too late. A disaster recovery plan can be the difference between the survival of your business or becoming another statistic.

To avoid costly delays in service, plan your disaster strategy by thinking about goals, performing necessary audits, planning for contingencies and partnering with a third-party vendor, if needed.

Worst Data Breaches of 2021: 4 Critical Examples
https://www.bmc.com/blogs/data-breaches/
Mon, 08 Nov 2021 00:00:51 +0000

Consumers rely on businesses to deliver customized services in exchange for their personally identifiable information. Consumers participate in this exchange through trust and reliance upon the service provider to protect their sensitive information.

This information—in the wrong hands—has the potential to inflict tangible losses to both parties.

Business organizations therefore invest significant resources to protect consumer data as part of regulatory compliance objectives and a defense mechanism against growing security threats. The threats, however, are growing in sophistication, defeating some of the most technologically advanced enterprises to compromise valuable consumer data.


Major Data Breaches

What is a data breach?

A data breach occurs when information is accessed and taken from a system without the consent of the operator. Bad actors seek to obtain sensitive data, and once acquired, they can often sell it to the highest bidder. Usually, the target is personal identification information (PII).

There are many ways for a data breach to happen, from old-fashioned hardware theft to cleverly engineered AI phishing scams. Information theft is so profitable, in fact, that it is worth the time for criminals to continue to innovate new ways to steal that data. This is why every year we see an uptick in data breaches, especially targeting well-known and otherwise trusted organizations.

(Understand information security in detail.)

4 Major Data Breaches from 2020-2021

This year was no different: a diverse range of organizations with a vast pool of end-users fell prey to cybersecurity incidents.

The following list contains some of the top data breaches of the past year or so, in terms of number of consumers affected, impact in the industry, criticality, and nature of consumer data compromised as well as the acknowledged security stature of the affected business organization.

SolarWinds

Impact: Thousands of large private companies and high-security governmental departments were left vulnerable to Russian hackers.

Revealed: December 2020

Story: SolarWinds is a major US company that provides IT software to 33,000 customers, including large corporations and government entities. Hackers added malicious code to one of their software systems, which then transferred to every customer during a regular system update. The malicious code allowed hackers to install even more malware and ultimately spy on companies and organizations, including the U.S. Department of Homeland Security and the Treasury Department.

SITA

Impact: Frequent flyer data from numerous airlines worldwide were exposed.

Revealed: March 2021

Story: Hackers accessed data through the company SITA’s Horizon Passenger Service System. Not all affected airlines utilize SITA’s system, but their frequent flyer information was accessible due to their connection through Star Alliance and Oneworld.

Facebook

Impact: The personal information of 533 million Facebook users was found posted online by a hacker, including names, birthdays, phone numbers, locations, and email addresses.

Revealed: April 2021

Story: According to Facebook, the stolen data had been originally scraped a few years ago due to a vulnerability that the company patched in 2019. Cybercriminals could use the exposed data to impersonate people to both:

  • Gain access to even more sensitive information
  • Convince people to hand over login information, orchestrating very convincing phishing scams

The data was posted on a hacking forum for free, allowing almost anyone to access it. The breach affected people from 106 different countries.

T-Mobile

Impact: Compromised the personally identifiable information of more than 50 million previous and current customers.

Revealed: August 2021

Story: A 21-year-old hacker by the name of John Binns accessed T-Mobile’s servers and pulled the personal data from millions of previous and current customers. A breach of this magnitude at a phone company is particularly troubling—so, so many two-factor authentication checks for other services go through one’s mobile phone.

What to do in the event of a data breach?

The way things are going, the question is not if a breach will happen, but when. Data theft is incredibly lucrative and that makes it a worthwhile endeavor for bad actors to continue to innovate how it is done.

Of course, there are many things an organization should do if there is a breach on their end, including:

  • Informing your customers of the breach and its included risks
  • Providing some harm mitigation, such as free credit monitoring

As an individual, once you catch wind of a breach that may have affected you, there are a few things you can do to protect yourself from further risk.

Monitor your correspondence

When a company’s data is compromised, they might reach out to inform users of the situation. Be sure to verify via the organization’s secure website or a direct telephone call that the information in the email is correct and not a phishing scam.

It is also important to monitor any unfamiliar communications or unexpected bills that might come your way. Be extra wary when responding to requests for information or password resets.

Confirm what data was stolen

All data breaches expose users to potential hazards, but some data is more sensitive than others. For example:

  • Email addresses and telephone numbers can open the victim to phishing scams and access to login information.
  • A stolen social security number can cause a lot more damage—loans and mortgages could be taken out in your name, without your knowledge.

Verify what information was stolen so you can take the correct measures to protect yourself.

Keep an eye on your financial accounts

Pay attention to your bank and credit card statements to make sure there are no unfamiliar charges posted to them. Many providers allow you to set up alerts to new activity, which will help you stay on top of things as they occur.

Activate fraud alerts

A fraud alert can let lenders know that you are a potential victim of fraudulent activity. This will put a note on your credit reports and ensure that lenders contact you before any line of credit is opened in your name. If you initiate an alert with any of the big three credit reporting agencies (TransUnion, Experian, or Equifax) it will translate to the other two and stay active for 90 days.

Regularly check your credit report

Whether you do so through one of the big three, or if you utilize Annualcreditreport.com for free, it is a good idea to monitor your credit report on a regular basis. This is especially true if you know you may have been the victim of a breach so you can keep an eye out for any unusual activity.

From an Internet consumer perspective, it is important to understand the risks associated with performing transactions, sharing information, or even browsing social media online. It is recommended not to rely on the Internet companies as your last line of defense, but to personally walk the extra mile in protecting your online presence and watching out for any suspicious activity associated with your online or financial accounts.

What Is InfoSec? Information Security Explained
https://www.bmc.com/blogs/infosec-information-security/
Fri, 23 Apr 2021 16:25:38 +0000

The need to secure your organization’s information has gone from an operational job to a strategic imperative. After all, the digital age has anchored data as the most important asset for any entity, no matter your industry.

Because of this, many bad actors want to get their hands on your data, through hacking, social engineering, and other techniques. And with Cybersecurity Ventures expecting that the cost of cybercrime will reach $10.5 trillion annually by 2025, there is little wonder that the World Economic Forum reported cybersecurity threats and IT infrastructure breakdown as some of the highest impact global risks in this decade.

On top of that, there are the regulations on personal data protection coming with hefty fines for violations, leaving very limited options for organizations who don’t see information security as a top priority.


What is Information Security?

The ISO/IEC 27000:2018 standard defines information security as the preservation of confidentiality, integrity, and availability of information. Often known as the CIA triad, these are the foundational elements of any information security effort.

It also considers other properties, such as authenticity, non-repudiation, and reliability.

The InfoSec CIA Triad


Let’s take a brief look at each property:

  • Confidentiality. The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Here, we consider that data that should only be seen by those who have the right authorization; those who don’t are restricted. Think about your health records, HR payroll, or a company’s strategies falling in the wrong hands.
  • Integrity. The property of accuracy and completeness of information. Here, we do not want to find our data is different from what we expect. For example, someone adding several zeros to their bank account balance, or changing the delivery address in your e-commerce account.
  • Availability. The property of being accessible and usable on demand by an authorized entity. If information isn’t available, then the organization or its customers are hindered from achieving their objectives. For example, if you can’t access your emails, or a hospital cannot access patient health records.
  • Authenticity. The property that an entity is what it claims to be. Here, we expect a person, application, or process is exactly who or what it identifies itself to be. For example, the user Michael has logged in with his username and password or token—and it is actually Michael.
  • Non-repudiation. The ability to prove the occurrence of a claimed event or action and its originating entities. This involves providing undeniable proof that someone did something, or that something happened. This property is particularly useful for assigning responsibility for actions, for instance who created or approved a transaction.
  • Reliability. The property of consistent intended behavior and results. Here, we expect our information systems to work as they should and be able to process the data in the right way over an expected period of time. Nobody likes a system that crashes when you need it most or is too slow to suit our needs.

Implementing Information Security

The following steps can help you effectively implement information security in your organization.


1. Identifying your assets

An asset is anything that is of value to an organization, such as people, systems, processes, office buildings etc.

In information security, asset identification is all about figuring out which assets handle the data and information that is critical to the success of the organization. Of course, in the digital age, the prime assets will be computing devices, whether on-premise or cloud based.

A formal asset management process will ensure that assets are identified, documented, and ownership assigned for purposes of accountability. Identifying assets is the first point in information security management. A business impact analysis exercise can be used to identify criticality of assets and hence prioritize security efforts.

2. Assessing risk & vulnerability

Once you’ve identified the assets, you can then identify threats to the information contained in them. A risk and vulnerability assessment exercise will go a long way towards this effort:

  • Risk is any effect of uncertainty on objectives, and can be considered an opportunity if positive or a threat if negative.
  • A vulnerability is defined as a weakness that can be exploited by one or more threats.


Risks would generally be documented in a risk register along with information such as:

  • Likelihood and impact if the risk materializes
  • Priority of the risk based on an agreed evaluation criteria
  • Owner of the risk
  • Proposed risk treatment plan
  • Residual risk following the treatment

You would also document where risks are accepted by the organization in the risk register.

Vulnerabilities would be included as part of asset risk registers, with information on how to address or contain the threats that could exploit them. To find public information on well-known vulnerabilities, refer to the Common Vulnerabilities and Exposures (CVE) references online.

(Learn more about risk and vulnerability assessments.)
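A worked risk register carrying the fields listed above (likelihood, impact, priority, owner, treatment plan, residual risk, recorded acceptance and vulnerability references), as an added example rather than BMC's own tooling; the 1..5 rating scale, the priority bands and the sample risks are constructed assumptions.

```python
"""Worked risk register for the assessment step described above.
Added example, not BMC's own tooling: the 1..5 likelihood/impact scale,
the priority bands and the sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    MITIGATE = "mitigate"  # apply a control to reduce likelihood or impact
    TRANSFER = "transfer"  # e.g. insurance or outsourcing
    AVOID = "avoid"        # stop the activity that creates the risk
    ACCEPT = "accept"      # recorded acceptance; ratings do not change


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    owner: str
    treatment: Treatment
    vulnerabilities: List[str] = field(default_factory=list)  # e.g. CVE ids
    treated_likelihood: Optional[int] = None  # expected rating after treatment
    treated_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        if self.treatment is Treatment.ACCEPT:
            return self.inherent_score()
        if self.treated_likelihood is None or self.treated_impact is None:
            raise ValueError(f"{self.asset}: treatment plan lacks expected ratings")
        return self.treated_likelihood * self.treated_impact


def priority(score: int) -> str:
    """Agreed evaluation criteria: assumed bands on the 1..25 score range."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def validate(risks: List[Risk]) -> List[str]:
    """Consistency checks to run before the register goes to review."""
    problems = []
    for r in risks:
        for name, value in (("likelihood", r.likelihood), ("impact", r.impact)):
            if not 1 <= value <= 5:
                problems.append(f"{r.asset}: {name} {value} outside 1..5")
        inherent = r.inherent_score()
        if r.treatment is Treatment.ACCEPT and priority(inherent) == "critical":
            problems.append(f"{r.asset}: critical risk accepted without treatment")
            continue
        try:
            if r.residual_score() > inherent:
                problems.append(f"{r.asset}: residual score exceeds inherent score")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def build_register(risks: List[Risk]) -> List[dict]:
    """Register rows, highest inherent score first, with residual risk."""
    rows = []
    for r in sorted(risks, key=lambda x: x.inherent_score(), reverse=True):
        inherent, residual = r.inherent_score(), r.residual_score()
        rows.append({
            "asset": r.asset, "owner": r.owner,
            "inherent": inherent, "priority": priority(inherent),
            "treatment": r.treatment.value, "accepted": r.treatment is Treatment.ACCEPT,
            "residual": residual, "residual_priority": priority(residual),
            "vulnerabilities": list(r.vulnerabilities),
        })
    return rows


# Constructed sample entries; "CVE-XXXX-XXXX" is a placeholder, not a real id.
SAMPLE_RISKS = [
    Risk("Customer database", "Exfiltration of customer PII", 4, 5, "Head of Data",
         Treatment.MITIGATE, treated_likelihood=2, treated_impact=5),
    Risk("Office printer", "Print queue unavailable", 3, 1, "Facilities",
         Treatment.ACCEPT),
    Risk("Legacy VPN appliance", "Unpatched remote access gateway", 3, 4,
         "Network Lead", Treatment.TRANSFER, vulnerabilities=["CVE-XXXX-XXXX"],
         treated_likelihood=3, treated_impact=2),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
    print("problems:", validate(SAMPLE_RISKS))
```

The validation step is the part worth keeping in a real register: it refuses a critical risk that was simply accepted and a treatment plan that never states its expected post-treatment ratings.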

3. Implementing controls

Once you’ve assessed your risks and vulnerabilities, treating the risks is the logical next step. You want to ensure the properties listed earlier are maintained.

There are three categories of InfoSec controls:

  • Physical controls. These address risks that impact physical locations such as offices and data centers. They include gates, locks, guards, mantraps, CCTV, and biometric access passes, among others.
  • Technical controls. These are technology centric controls that address vulnerabilities or contain risks. They include Intrusion Detection and/or Prevention Systems (IDS/IPS), firewalls, encryption, anti-malware software, and Security Information and Event Management (SIEM) solutions.
  • Administrative controls. These are the people-centric controls which include information security policies, access rights reviews, segregation of duties, and business continuity plans, among others.

A different approach to looking at InfoSec controls is based on their position in dealing with threats that materialize. For instance:

  • Preventive controls try to stop the threat from materializing. Examples are firewalls, access control and acceptable use policies, fences, etc.
  • Detective controls spot a threat as soon as it materializes, such as CCTV, IDS/IPS and SIEM.
  • Corrective controls reverse the impact of the materialized threats such as anti-malware software.

Organizations usually deploy multiple types of controls to cover all bases. This approach is called defense-in-depth, where layers upon layers of controls are used to limit the impact of materialized threats or exploited vulnerabilities.

For instance, firewalls block access by malicious actors, but if penetrated, then you have a segregated network and encrypted information which is backed up in an alternate location.

4. Testing & training

Once the controls are in place, there must be a mechanism to regularly test the controls to ensure they remain effective in the face of evolving threats. This can include:

Results of these tests should be documented. Following review, you’ll want to agree on remedial or improvement actions and then track these through to implementation.

The human firewall remains the best form of defense, and failure to keep one’s staff and customers aware of information security can render the best security controls useless. A regular program to educate users on threats to information security is critical. A variety of means can be employed, such as:

  • Workshops
  • Online training
  • Security bulletins
  • Phishing tests
  • And more

InfoSec is a critical policy

For any business or organization, there are a few IT policies that are absolutely critical—and InfoSec is one. Don’t wait until it’s too late to protect your data and information assets.

IT Security Policy: Key Components & Best Practices for Every Business
https://www.bmc.com/blogs/it-security-policy/
Fri, 26 Feb 2021 15:38:28 +0000

Back in 2017, The Economist declared that the world’s most valuable resource is data. And a cursory look at the 2020 Forbes most valuable brands reveals that indeed tech runs the world now.

The downside of this is significant. There’s now great pressure on companies to secure the information in their custody. Recent hacks involving SolarWinds, Twitter, and Garmin indicate that threats to information security continue to evolve, and all organizations have no option but to put in the legwork to establish and maintain required cybersecurity controls, whether their IT is on-premise, on cloud or outsourced.

From a governance perspective, an IT Security Policy is at the heart of this effort.


Why do we need an IT security policy?

According to the ISO 27001:2013 standard, the objective of information security (InfoSec) policies is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

An IT security policy is a type of administrative control that communicates to all stakeholders involved in IT so that they understand what is expected of them in reducing the risks associated with information security. (It is not limited only to the security team.)

It also demonstrates the commitment by the highest level of leadership within the organization to the ideals of the policy, therefore providing direction for the rest of the employees, suppliers, and other stakeholders.

(Explore the roles of Chief Information Security Officer and the security team.)

Whether at a strategic or tactical level, the IT security policy states ‘why’ the organization has taken a position to secure its IT systems. Most times, the rationale comes from:

  • The value that the information held brings to the organization
  • The need for trust from customers and stakeholders
  • The obligation to comply with applicable laws

This is crucial from a governance perspective as it sets the tone for the design and implementation of IT security controls, and also institutes the relevant roles and responsibilities required for IT security to be managed effectively.


What’s in an IT security policy?

At the core of any IT security policy is understanding and managing the risks to IT systems and data.

How the organization does this is by defining their chosen approach to achieving the required security posture or characteristics through relevant administrative, physical, and technical controls.

The ITIL® 4 Information Security Management practice spells out some of these security characteristics as follows:

  • Confidentiality: The prevention of information being disclosed or made available to unauthorized entities.
  • Availability: A characteristic of information that ensures it is able to be used when needed.
  • Integrity: An assurance that information is accurate and can only be modified by authorized personnel and activities.
  • Authentication: Verification that a characteristic or attribute which appears or is claimed to be true is in fact true.
  • Non-repudiation: Providing undeniable proof that an alleged event happened, or an alleged action was performed, and that this event or action was performed by a particular entity.

(Learn more about the CIA triad and additional security characteristics.)

The structure and size of an IT security policy varies from one organization to another, depending on their context:

  • Some organizations deploy a large document with a lot of information on the controls.
  • Others go for the simpler one-pager that references and points to other supporting documentation.

In terms of content, we can borrow from the CMMC model on what to include in your security policy:

  • Purpose and scope
  • Roles and responsibilities
  • Establishment of procedures to meet the policy’s intent
  • Regulatory guidelines addressed
  • Endorsement by management and dissemination to appropriate stakeholders
  • Framework for periodic review and updating
  • Reference to applicable sub-policies, procedures and controls

IT security policy best practices

Regardless of the structure, what matters in an IT security policy is that you’re sending out a clear message to the entire organization and its stakeholders on what is required from an IT security standpoint.

The policy must be clear and unambiguous, with the right level of detail for the audience, and made easy to read and understand, especially for non-security experts.

Like other organizational-wide policies, you should create the IT security policy with the input of all relevant stakeholders. It would be imprudent for the IT management to develop a policy by themselves, without the buy-in of business users and external suppliers who they would expect to comply with it. Getting the input of stakeholders ensures broad based support in its implementation and compliance.

Alongside this is the need to communicate the policy to users and suppliers. The best bet for entrenching the IT security policy as the first line of defense against cybersecurity risks is these activities:

  • Holding regular security awareness sessions for existing users.
  • Establishing onboarding sessions for new users.
  • Embedding policy requirements in supplier contracts.

A risk-based approach should be used for maintaining the IT security policy.


As your organization monitors and assesses the evolving risks to your IT infrastructure and data, you’ll need to update this policy to ensure its relevance to the changing context.

In addition, measuring compliance with the IT security policy provides feedback to management on whether the policy itself is still effective and relevant. According to COBIT, some sample metrics related to policy compliance include:

  • Number of incidents related to noncompliance with policy
  • Percentage of stakeholders who understand policies
  • Percentage of policies supported by effective standards and working practices

IT security policies aren’t optional

An IT security policy that addresses, in particular, information security, is one of your most critical business policies. Without one, you risk your entire business.

What Is the CIA Security Triad? Confidentiality, Integrity, Availability Explained https://www.bmc.com/blogs/cia-security-triad/ Tue, 24 Nov 2020 00:00:27 +0000

It’s easy to protect some data that is valuable to you only. You could store your pictures or ideas or notes on an encrypted thumb drive, locked away in a spot where only you have the key.

But companies and organizations have to deal with this on a vast scale. After all, it’s the company data—products, customer and employee details, ideas, research, experiments—that make your company useful and valuable. (The “assets” we normally think of, like hardware and software, are simply the tools that allow you to work with and save your company data.)

So, how does an organization go about protecting this data? Certainly, there are security strategies and technology solutions that can help, but one concept underpins them all: the CIA security triad.

This concept combines three components—confidentiality, integrity, and availability—to help guide security measures, controls, and overall strategy. Let’s take a look.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

Defining CIA in security

The CIA triad represents the functions of your information systems. Your information system encompasses both your computer systems and your data. Ben Dynkin, Co-Founder & CEO of Atlas Cybersecurity, explains that these are the functions that can be attacked—which means these are the functions you must defend.

The CIA security triad is comprised of three functions:

  • Confidentiality. A system’s ability to ensure that only the correct, authorized user/system/resource can view, access, change, or otherwise use data.
  • Integrity. A system’s ability to ensure that the system and its information are accurate and correct.
  • Availability. A system’s ability to ensure that systems, information, and services are available the vast majority of time.

Let’s look at each in more detail.

Confidentiality

In a non-security sense, confidentiality is your ability to keep something secret. In the real world, we might hang up blinds or put curtains on our windows. We might ask a friend to keep a secret. Confidentiality also comes into play with technology. It can play out differently on a personal-use level, where we use VPNs or encryption for the sake of our own privacy. We might turn off in-home devices that are always listening.

But in enterprise security, confidentiality is breached when an unauthorized person can view, take, and/or change your files. Confidentiality is significant because your company wants to protect its competitive edge—the intangible assets that make your company stand out from your competition.

Integrity

In computer systems, integrity means that the results of that system are precise and factual. In the data world, it’s known as data trustworthiness—can you trust the results of your data, of your computer systems?

When securing any information system, integrity is one function that you’re trying to protect. You don’t want bad actors or human error to, on purpose or accidentally, ruin the integrity of your computer systems and their results.

Availability

Availability is a term widely used in IT—the availability of resources to support your services. In security, availability means that the right people have access to your information systems. If a user with privileged access cannot get to her dedicated computer, then there is no availability.

Availability is a large issue in security because it can be attacked. An attack on your availability could limit user access to some or all of your services, leaving you scrambling to clean up the mess and limit the downtime.

The CIA triad in enterprise security

OK, so we have the concepts down, but what do we do with the triad?

At its core, the CIA triad is a security model that you can—should—follow in order to protect information stored in on-premises computer systems or in the cloud. It helps you:

  • Keep information secret (Confidentiality)
  • Maintain the expected, accurate state of that information (Integrity)
  • Ensure your information and services are up and running (Availability)

It’s a balance: no security team can guarantee that confidentiality, integrity, and availability will never be breached, whatever the cause.

Instead, security professionals use the CIA triad to understand and assess your organizational risks. Dynkin suggests breaking down every potential threat, attack, and vulnerability into any one function of the triad. For example:

  • A data breach attacks the confidentiality of your data.
  • A ransomware incident attacks the availability of your information systems.

Understanding what is being attacked is how you can build protection against that attack. Take the case of ransomware—all security professionals want to stop ransomware. Where we tend to view ransomware broadly, as some “esoteric malware attack”, Dynkin says we should view it as an attack designed specifically to limit your availability.

When you think of this as an attempt to limit availability, he told me, you can take additional mitigation steps than you might have if you were only trying to “stop ransomware”.

The triad can help you drill down into specific controls. It also applies at a strategy and policy level. Dynkin continues: When you understand the CIA triad, you can expand your view of security “beyond the specific minutiae (which is still critically important) and focus on an organizational approach to information security.”

Prioritize each thing you need to protect based on how severe the consequences would be if confidentiality, integrity, or availability were breached. For example, how might each event here breach one part or more of the CIA triad:

  • A service interruption: An attacker could interrupt your access as a bargaining chip for something else.
  • Interception: An attacker could block or hijack your emails to learn about company activity.
  • Modification or fabrication: An attacker could modify or fake your information.

What if some incident can breach two functions at once? Consider, plan for, and take actions in order to improve each security feature as much as possible. For example, having backups—redundancy—improves overall availability. If some system’s availability is attacked, you already have a backup ready to go.

CIA triad in action

You’ll know that your security team is implementing controls that serve the CIA triad when you see things like:

  • Limits on administrator rights
  • Inability to use your own, unknown devices
  • The use of VPN to access certain sensitive company information

Anything that is an asset—tangible hardware and software, intangible knowledge and talent—should in some way be protected by your security team. And that is the work of the security team: to protect any asset that the company deems valuable. And it’s clearly not an easy project.

Additional security properties

Security professionals already know that computer security doesn’t stop with the CIA triad. ISO-7498-2 also includes additional properties for computer security:

  • Authentication: The ability of your systems to confirm an identity.
  • Non-repudiation or accountability: The ability of your systems to confirm the validity of something that occurs over the system. It is an assurance about data’s origins and integrity.

Confidentiality, integrity, availability

These three components are the cornerstone for any security professional, the purpose of any security team. John Svazic, Founder of EliteSec, says that the CIA triad “acts as touchpoints for any type of security work being performed”. That is, it’s a way for SecOps professionals to answer:

How is the work we’re doing actively improving one of these factors?

When your company builds out a security program, or adds a security control, you can use the CIA triad to justify the need for controls you’re implementing. Always draw your security actions back to one or more of the CIA components.

That’s why Svazic considers the CIA triad “a useful ‘yardstick’” that helps you ensure the controls you are implementing are actually useful and necessary—not a placebo.

Cybercrime Rising: 6 Steps To Prepare Your Business https://www.bmc.com/blogs/cybercrime/ Tue, 20 Oct 2020 12:20:59 +0000

You probably wouldn’t think of leaving your house with the door unlocked, or even open. If you have an alarm, I imagine you set it each time you leave the house. Maybe you have a dog who you trust to warn of anything untoward happening at your home.

You protect your physical assets as a matter of course. But are you putting as much thought into protecting your business’s digital assets?

Let’s take a look at the current security challenges for any organization. Then, I’ll share the six actions to take—regularly, often—to protect your data and your business as best as possible.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

Cybercrime & enterprise security

You probably think you are doing enough. But chances are that your enterprise is still at risk of attack from cyber criminals. This means that the information you safeguard for your customers is also exposed to the same dangers.

Every year we see:

  • An increase in data breach events globally.
  • Phishing attacks become more sophisticated and believable.
  • Identity theft occurrences grow at a worrisome rate.
  • Digital criminals come up with innovative ways to profit from any business with a digital presence that is not protecting itself adequately.

And this year proved that there’s plenty more opportunity for cybercrime.

2020: A new world of criminal opportunity

The COVID-19 pandemic has caused many issues for businesses and individuals throughout the world. One group that has benefitted from the pandemic? Cyber criminals. As more and more people moved into remote working situations, businesses were unwittingly exposing themselves to increased vulnerability to incursion by cyber criminals.

Our new ways of working and shopping have created a perfect storm for those in our society who are willing to exploit security holes. As more and more retail transactions are conducted online there are greater opportunities for credit card data to be hacked. With workers moving to their home offices and connecting remotely to working environments, hackers have found new ways to exploit previously unknown security flaws.

Not only has there been a surge in the number of attacks (in the first quarter of 2020, cyber attacks against financial institutions were reported to have risen more than 230%), but the techniques being used have also improved and become harder to fight effectively. Hackers are using social engineering and increasingly advanced tactics to exploit:

  • The human factor
  • Weak links caused by processes and technologies in use by the supply chain

Luckily, there are steps you can take to increase your security, at least as much as possible.

Six steps to protect your business from cybercrime

Here’s the bottom line: Every organization will always be exposed to risk. But these steps will help limit that risk.

1. Educate

More workers are connecting remotely to business systems. Proactively and routinely inform your employees about the ways criminals are likely to try to exploit their isolation to gain access to business systems.

Sophisticated and believable phishing attacks have increased exponentially and can be hard to spot, particularly when workers can’t easily discuss suspect emails or messages with colleagues, as they would in the office. Regularly reminding your organization about phishing techniques will keep staff alert.

2. Patch ASAP

Promptly applying security patches is more important than ever. New ways of working have exposed previously unnoticed security flaws and you can be certain that criminal elements will try to exploit these before enterprises have time to apply the appropriate patches.

Act swiftly to block these holes as soon as you identify them.

3. Block fake websites

Act quickly to block fake websites identified in phishing attacks. Previously, we were used to seeing phishing emails, often attempting to harvest login details for banks and financial institutions.

This year brings a new criminal opportunity: many fake donation websites have been set up, targeting people who are willing to help others affected by the pandemic. There have been reports of company employees receiving emails, purportedly from their own CEO, directing them to fake charity sites.

Block these fake websites for your enterprise users, but don’t stop there. Alert your national cybercrime agency of the fake websites as well.

4. Secure mobile devices

Ensure that mobile devices and other endpoints are adequately secured. With an increasing amount of business being conducted on tablets and smartphones, you must ensure that these, whether personal or organization-owned devices, are kept up to date with all applicable security patches.

Deny access to any unpatched devices that try to access company applications and networks. Create a policy for physically securing devices that can connect to company data—and ensure all staff agree and comply. Zero trust network access could be the way to do both.

5. Control all apps

Understand and control all applications in use in your organization. Many organizations saw an upsurge in the use of non-approved collaboration platforms as the result of the rapid move to home working—something known as shadow IT. The proliferation of these platforms was understandable, and in many cases essential to enable staff to remain productive.

With the dust now settled and a new normal being accepted, now is the time to review and rationalize the ways your teams collaborate internally and externally. Check the security credentials of all services in use and remove those that don’t meet your requirements for security, privacy, and data integrity. A healthy and routine asset management practice will help you do this.

6. Review your SecOps practices

2020 has been a year of change. You need to make certain that the security and operations practices you have in place are adequate to:

  • Keep your organizational data safe
  • Protect you from incursion by the bad actors of the cyber world

I recommend these ongoing practices you can adopt to bolster security:

(Figure: Components of Security Analytics)

Stay vigilant, stay aware

Protection against cybercrime is one area where organizations cannot afford to let down their guard. Recovering from cybercrime costs $200,000 on average, for companies of any size. Whether that’s a sizable chunk of change or a drop in the bucket, there are better ways for you to invest your dollars.

Unfortunately, cybercrime protection is not a set-and-forget capability—criminals are constantly changing their methods, finding new ways to exploit your vulnerabilities, and harvesting your confidential data.

You must remain vigilant. Keep abreast of new methods of attack and protect your business from harm. The financial and reputational future of the organization depends on you.

IT Security Certifications: An Introduction https://www.bmc.com/blogs/it-security-certifications/ Mon, 31 Aug 2020 09:06:28 +0000

With cyber breaches becoming increasingly prevalent, there is an increased need for cybersecurity professionals. According to the Cyber Risk Analytics 2019 Midyear Report, there were 3,800 reported breaches in the first half of the year, up by more than 50% from the previous year. Notably, of the breaches reported, more than 60% were the result of human error.

What this means is that there is an ever-increasing need for skilled and well-trained cybersecurity professionals. When looking to hire and promote employees, many companies look for professionals with highly-regarded certifications. For IT professionals, certifications are a good way to develop skills, gain a competitive edge, and to be eligible for higher salaries than peers without the certification.

While there are many benefits to having IT security certifications, with so many different certifications available, it can be hard to know which ones are worth the time, effort, and expense. To help navigate this saturated area, here is a list of some of the most sought-after and highly regarded IT security certifications.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

CompTIA Security+

The CompTIA Security+ certification is a good place to start with IT security certifications and is geared towards entry-level security professionals. This certification has the basic goal of building a strong IT security foundation. To earn this certification, professionals need two years of IT experience and then need to pass an exam that covers a range of topics including network attack strategies and defenses; components of strong security policies; best practices for security; disaster recovery and continuity; and encryption products and standards.

This general cybersecurity certification is good for anyone that is interested in getting a good entry into IT security, and earning this certification will demonstrate expertise with some important security topics, including threat management, cryptography, identity management, security systems, security risk identification, and security infrastructure. Notably, because all IT professionals need some security experience, the CompTIA Security+ is a beneficial certification for individuals in roles outside of security, for example, developers and support analysts.

Certified Information Systems Security Professional (CISSP)

CISSP is another general security certification that is not vendor-specific. Referred to by some as the “crown jewel” of security certification, it’s a high-level certification that is universally recognized and highly sought after by many employers. Offered by the International Information Systems Security Certification Consortium (ISC2), CISSP covers some key cybersecurity categories like access control, cryptography, telecommunications, and networking. Professionals with this certification have the skill sets needed to effectively design, implement, and manage cybersecurity systems.

To be eligible for this certification, individuals must have 3-5 years of relevant experience prior to taking the exam. This certification is essential for individuals wanting to move into a chief information security officer (CISO) role and is helpful for IT managers, analysts, system engineers, and consultants.

Certified Information Security Manager (CISM)

Another advanced and highly sought after certification is CISM, which requires applicants to have at least five years of relevant experience. Having this certification demonstrates skills in the areas of security risk management; program development and management; governance; and crisis management. It’s geared toward higher-level IT professionals, specifically those that manage, develop, or oversee systems.

To earn this certification, professionals must commit to the Information Systems Audit and Control Association (ISACA) code of ethics, pass an exam, have five years of IT security experience with at least three years in job practice analysis areas, and submit a written application. Topics covered in this examination and corresponding prep courses include information security program development and management; incident management; risk management; and compliance. It’s an ideal certification for individuals that are interested in enterprise-level information security or for individuals that have or want managerial-level roles in information security.

GIAC Security Essentials (GSEC)

Another entry-level general security certification is the Global Information Assurance Security Essentials Certification (GSEC). This tests professionals in security administration, forensics, audits, software security, management, and a variety of security best practices. With no prerequisites required, this is a good certification for IT professionals interested in security, especially since it’s broadly focused on security best practices and ensures expertise in areas of preventing attacks, identifying threats, networking concepts, and secure communication.

Certified Ethical Hacker (CEH)

As many IT security professionals have learned, to effectively protect systems, they need to learn to think like hackers. In an effort to do this, there has been a rise in white hat hackers or ethical hackers working to gain the necessary hacking skills to beat hackers at their own game.

With this goal in mind, the CEH designation teaches IT professionals to think like a hacker. Individuals with this certification have developed skills in the five phases of ethical hacking, which are reconnaissance, enumeration, gaining access, maintaining access, and covering tracks. To teach these skills, it deals with topics like hacking that targets cloud computing, mobile platforms, and operating systems.

To earn this certification, professionals must pass an exam and have either attended the training or have two years of verified IT security experience. This is a good certification for security officers, auditors, and site administrators and is ideal preparation for individuals interested in penetration testing.

Computer Hacking Forensic Investigator (CHFI)

Forensic investigators play an important role in cybersecurity by analyzing attacks, pulling the necessary information to formally report an attack, and working to prevent future attacks. These professionals have the skills to investigate a wide range of crimes including theft of intellectual property, IT usage violations, and system fraud.

The Computer Hacking Forensic Investigator (CHFI) certification is an advanced certification that is geared towards forensic investigators and demonstrates their skill sets in key areas, including gathering evidence and helping to prosecute offenders. This EC-Council certification covers incident response, forensics, recovering information, examination, analysis, and reporting computer-based evidence. This certification is used and sought after by corporations as well as police and government investigators.

Certified Information Systems Auditor (CISA)

CISA is the best certification available for individuals that want to do audit control and assurance. Earning this certification provides evidence of skills in the CISA job practice areas of auditing, governance and management, acquisition, development and implementation, maintenance and service management, and asset protection.

This is a globally recognized certification that is necessary for professionals in high-level audit, assurance, and control roles. In addition, it’s helpful for those responsible for auditors and those with roles that involve controlling, monitoring, and assessing IT systems. To earn this certification, individuals must have at least five years of experience working in information systems, pass an exam, submit an application, agree to the ISACA code of ethics, and agree to the ISACA’s information systems standards.

Certified Cloud Security Professional (CCSP)

Traditional IT security practices don’t work well for cloud services. As a result, those IT professionals tasked with cloud security need unique skill sets and training. The Certified Cloud Security Professional (CCSP) certification offers that expertise and ensures that IT professionals are knowledgeable about cloud security, architecture, design, services, operations, data security, infrastructure, and compliance.

This is not an entry-level designation but instead is designed for IT professionals that already have a solid foundation in IT security and extensive IT experience. It’s a good certification for systems architects, engineers, security managers, enterprise architects, and security administrators. Given the unique needs of cloud security and how quickly this area changes, the CCSP certification can be particularly beneficial to IT professionals. To earn this designation, professionals must have at least five years of IT experience, including three years in IT security and one year in one of CCSP’s common body of knowledge areas.

Conclusion

Cybersecurity is a field that is constantly growing and changing. As a result, there are a lot of security opportunities for IT professionals with the necessary skills and expertise. Security certifications are an effective way to develop skills, offer evidence of skills, and gain a competitive edge.

Certified Information Systems Security Professional (CISSP): An Introduction https://www.bmc.com/blogs/cissp-certified-information-systems-security-professional/ Mon, 31 Aug 2020 08:50:58 +0000

In any and every industry, becoming a top-ranked professional within a field requires reaching objectives like a certain number of years worked, elite training, and a commitment to continuously learn new skills. As professionals advance in their careers, gaining globally recognized certifications that prove capabilities, as well as the three above-mentioned objectives, will provide a reference for individuals, peers, and employers to measure competence and achievements.

For System Security professionals, one of the most coveted certifications is CISSP. In this article, we will discuss the ins and outs of this certification, skills covered in the examination process, prepping for the exam, and the advantages of hiring a CISSP employee.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

What Is CISSP and Who Is It For?

As countless businesses move operations online and the use of technology expands, the need for highly skilled professionals in the systems security industry is growing. As a matter of fact, protecting classified information that is stored digitally from cyberattacks or technology breaches is one of the hottest global topics these days.

With information system security professionals serving as the first line of defense, demand is outpacing supply: according to Business News Daily, in 2018 North America was lacking 500,000 security professionals, with that number projected to reach 4 million by 2021. To top it off, more than 10,000 positions in the US are available daily asking for CISSP hires.

Webopedia defines CISSP as “a vendor-neutral certification reflecting the qualifications of information security professionals with an objective measurement of competence as well as a globally recognized standard of achievement. CISSP certification means the information security professional demonstrates a working knowledge of information security, confirms commitment to the profession, and establishes a standard of best practices.” Essentially, this certification assures that an employee is qualified to protect even the most sensitive systems.

Established in 1989, this certification is backed by (ISC)2 and is recognized as the global standard for Information Systems Security excellence. It is an ideal certification for Chief Information Security Officers, Director of Security, IT Director/Manager, Security Systems Engineers, Security Analysts, Security Auditors, and more. However, keep in mind, it is not for everyone. For those in Cloud Security, IT/ICT Security Administration, Security Assessment, Secure Software Development, and Healthcare Security, there are other certification options available.

Why Hire A CISSP Employee?

A certification not for the faint of heart, the CISSP, as explained by Simplilearn is for “recipients [who] are part of a pretty exclusive club. Only 94,000 professionals hold the CISSP certification worldwide (149 countries). The exam itself has an 80% failure rate.” Those that hold this certification are dedicated, seasoned individuals that meet rigorous requirements and have extensive knowledge in the field.

The advantage of hiring this type of employee and paying the average yearly salary of 100K is significant. From better risk management to organization reputation improvement and higher quality standards, with a CISSP employee on the team, clients are more likely to work with a business, employees are exposed to more knowledge, and insurance demands are easily met.

The 5 Requirements

Beyond passing the in-depth examination and proving knowledge within all domains, the CISSP certification also requires the individual to have five years of full-time work experience in two of the eight domains. However, if the candidate has a 4-year degree, they may qualify for a 1-year waiver that reduces the work experience requirement to four years. The exam may be taken at any time; if it is passed before the work experience requirements are met, the individual may become an associate of (ISC)2 and apply for certification after completing the full-time employment. If six years lapse and the work requirements are still not met, the exam must be retaken. After passing the exam and proving full-time work history, the individual must agree to the organizational code of ethics, become endorsed, pass a background qualification, and recertify every three years.

To recap, the five requirements are:

  1. Real-World Work Experience (5 years or 4-year degree + 4 years)

This work must be paid, full-time, and be within the fields of Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.

  2. A score of 700 out of 1,000 on the CISSP exam

Candidates are given six hours to complete the multiple-choice and innovative questions. The exam itself costs $699 USD, but it is advised to take prep classes, which cost anywhere from free to $3K. Obtaining third-party study assistance is highly suggested.

  1. Background Qualifications 

According to the (ISC)2 website, it is expected that “certified members [should] be of the highest ethical and professional caliber. To that end, the organization has standards that candidates must acknowledge as part of the certification criteria.” Before sitting for the exam everyone must carefully answer questions, such as have you ever been involved with hacking, do you have an alias, has a professional license ever been revoked, as well as others.

  1. Agreement to code of Ethics and endorsement process 

After passing the work and exam requirements, the individual must acknowledge that this high level of guidance is not to be taken lightly. Professionals with this certification agree to uphold the safety, welfare, and common good of society. Among many other agreements, within the code of ethics, they honorably vow to advance and protect the profession. On top of that, another CISSP must endorse the candidate’s work experience.

  1. Candidates must maintain certification every 3 years  

As stated above, this certification is not for the faint of heart Information Systems Security Professional. Once tackling the above four requirements, the certification must be maintained. At a cost of $85 USD every year, certified professionals must complete 40 continuing professional education credits yearly for a total of 120 every three years.

8 Examination Domains

After understanding the requirements and deciding to go for the exam, it is now time to focus on the eight domains.

  1. Security And Risk Management

The biggest portion of the exam, at 15% of the questions, this section covers confidentiality, integrity, availability, governance principles, compliance, legal issues, IT policies, and risk-based management concepts.

  2. Asset Security

Making up 10% of the exam, this section covers the classification of assets, privacy, retention periods, data security controls, and handling requirements.

  3. Security Architecture And Engineering

Taking up 13% of the total exam, this section looks at secure design principles, security model fundamentals, security capabilities, vulnerability assessment, cryptography, implementation of physical security, and more.

  4. Communications And Network Security

Focused on the network, this domain takes 14% of the questions to cover secure network architecture principles, components, and communication channels.

  5. Identity And Access Management

Used to assess a candidate's ability to control user access to data, this domain accounts for 13% of the exam. Its questions cover physical access to assets, logical access to assets, identification, authentication, third-party identity services, authorization mechanisms, and the associated lifecycle.

  6. Security Assessment And Testing

Twelve percent of the exam covers assessment and testing strategies for the design and performance of security. It includes control testing, security process data collection and outputs, as well as internal and third-party audits.

  7. Security Operations

Concerned with the creation and execution of security plans, this domain uses 13% of the questions to test understanding of the requirements and types of investigations, as well as monitoring activities, resource provisioning, operational concepts, application of techniques, incident management, recovery, business continuity, and more.

  8. Software Development Security

Finally, taking up 10% of the questions, this domain deep-dives into the secure software development lifecycle, controls in the development environment, the effectiveness of software security, and coding standards.

Embarking On The CISSP Journey

The choice to take on the CISSP certification comes with a lot of hard work as well as many open doors into an interesting and ever-growing industry. Becoming part of a global community of professionals that fortifies a safe and secure digital world, this certification is a rewarding experience that countless people admire. Advancing into the elite of the Information Systems Security Professionals starts with this certification.

Certified Information Systems Auditor (CISA): An Introduction
https://www.bmc.com/blogs/cisa-certified-information-systems-auditor/
Fri, 28 Aug 2020 00:00:30 +0000

For top-level IT and IS auditors that work with information systems to identify potential security threats within an organization, a Certified Information Systems Auditor (CISA) certification helps to validate the knowledge you possess, gain globally recognized professional standing, display continual growth of learning, and accelerate your career.

As stated on the ISACA site, this certification “is world-renowned as the standard of achievement for those who audit, control, monitor, and assess an organization’s information technology and business systems.” Those who hold this certification are highly qualified professionals who demonstrate proficiency in, and help set, IT/IS audit industry standards. With this certification, auditors earn an average salary of around 110K+ a year and can leverage their expertise. That said, this certification is not for just any IT or IS auditor; it comes with requirements and preparations.

A high level of achievement, the CISA is the subject of this article: we will look at what makes CISA different, who should take the exam, and how to prepare for certification.

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

Advantages Of Having An Employee With A CISA Certification

The ultimate goal of any organization is to be successful, and part of that success is achieving a “good image” through gold-standard operations. Hiring employees who raise the standard of operations through validation within their field ultimately leads to higher standards for entire teams and growth throughout the whole organization. As a rule that applies to any expert, certifications always add positive value to both the employee and the organization.

Returning to auditors and the CISA certification: confirming an individual's knowledge and skill in system auditing, assurance, control, security, cybersecurity, and governance opens countless doors for growth. An article from Business First Family states that “with a CISA certified employee on board, you are more likely to attract new clients. The ISACA is a globally recognized association, and their CISA certification is coveted by many potential customers. In fact, some customers may exclusively work with businesses who have CISA certified individuals on board.” The advantages of hiring a certified employee offer a unique return for which most organizations strive.

Who should take CISA

As a “world-renowned” certification, there are two parts to gaining the coveted CISA title.

First are the prerequisites, as explained in an article from CIO: all candidates “need at least five years of professional information systems auditing, control or security work experience within the past 10 years. You can receive a waiver for up to three years of experience if you have the following:

  • Maximum of one year of IS experience or one year of non-IS auditing experience
  • The equivalent of a two- or four-year degree, which can be substituted for one to two years of experience
  • A bachelor’s degree or master’s degree from a university that teaches the ISACA-sponsored curriculum, which can be substituted for one year of experience
  • A master’s degree in IS or IT from any accredited university, which is equivalent to one year of experience

ISACA also offers exceptions for those who have spent two years as a full-time university instructor in a related field, which can be substituted for one year of experience.

Second, following the prerequisites is the examination. The examination may be taken before the experience requirements are met; however, the candidate will have to wait to be awarded certification until all experience requirements are satisfied.

With that, those who seek this certification must be willing to accept the time commitment and the Code of Professional Ethics, in addition to actively wanting to develop within the auditing profession. With a post-certification requirement to complete 120 hours of CPE every three years, with at least 20 hours each year, achieving and maintaining this certification is a commitment in and of itself.

The Examination

Separated into five domains spanning 150 multiple-choice questions that cover the main job practices of IT and IS audit, control, and security, this exam is graded on a scale of 200 to 800 points. A candidate must score 450 or higher, within four hours, to pass.

The Domains

  1. 21% – The Process Of Auditing Information Systems
    The information included in this domain set covers IT audit basics as well as how to plan for audits, administer audits, show the results, and activate a plan.
  2. 16% – Governance And Management Of IT
    From the above-mentioned CIO article, within this domain the questions cover “IT strategies, governance, organizational structures, resource management, portfolio management, risk management, control monitoring, reporting of KPIs, and organization’s business continuity plan.”
  3. 18% – Information Systems Acquisition, Development, and Implementation
    Added to ensure that certified candidates understand how to run IT systems that meet organizational goals, this domain covers enhanced IT investments, management processing, IT supplier usage, the evaluation process, and post-implementation assessment.
  4. 20% – Information Systems Operations, Maintenance, and Service Management
    In this domain, an understanding of overall IT operations and maintenance is assessed. It reviews frameworks and best practices, as well as data quality.
  5. 25% – Protection Of Information Assets
    Finally, in this domain, everything that keeps a system secure is reviewed. According to an article from Cyber Security Education, this domain is used to “assure the organization that its information will maintain its integrity, confidentiality, and accessibility.”

Before Taking The Exam

Because the exam is designed to ensure that the IS and IT audit specialist is well versed in all topics and skills, it is ideal to prepare for the official CISA exam with a training series and pre-tests. To that end, ISACA offers online, visual, or on-demand instructor-led courses. With these offerings, printable or downloadable manuals are available, as well as access to a Q&A database for one year. ISACA also offers four-day, in-person training, with options for organizations that want groups of employees trained.

Several third-party prep companies can also help with preparation. For example, Udemy offers extensive 900-question prep exams that are renewed yearly. These help ensure that the candidate is ready for the June, September, or December test dates.

When properly prepared, the candidate can easily register on the ISACA site. After registering, there is a 365-day eligibility period, so always ensure preparedness before registering. The test costs 575 USD for members or 760 USD for non-members, and no deferrals or extensions are allowed.

Final Steps and Thoughts

After passing the exam and completing the experience requirements, it is now time to apply for certification. It is a three-step process that is again made easy by the ISACA site.

  1. The application carries a one-time, non-refundable 50 USD fee.
  2. The certification application, with proof of experience, must be submitted within five years of passing the exam.
  3. Processing then takes three to four weeks.

Once certification is achieved, an IT or IS auditor is instantly boosted in rank within their field. Their resume becomes more appealing to organizations and peers, and the credential displays a commitment to staying on top of systems auditing skills. Not for the faint of heart, the CISA certification is for only the industry’s best and most elite professionals.

SecOps Roles and Responsibilities for Your SecOps Team
https://www.bmc.com/blogs/secops-roles/
Tue, 18 Aug 2020 08:22:30 +0000

SecOps, the fusion of both the security team and operations team, is no longer a far-fetched idea; in fact, it’s now the norm. With companies bringing SecOps into their Security Operations Centers (SOCs), it’s crucial to be able to understand the roles and responsibilities of the SecOps team.

We’ve put together this list of common roles you can expect to include when outlining your SecOps team, including what responsibilities each position owns. Of course, these positions will vary depending on the size of your organization and the maturity of your SecOps team.

Responsibilities for Your SecOps Team

(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)

Chief Information Security Officer (CISO)

One of the most crucial members of the SecOps team is the person responsible for defining the entire organization’s security posture. Whether this is the CISO or the more general Chief Information Officer (CIO), they should be the one who establishes the security strategy and policies, as well as any procedures necessary to ensure the company’s infrastructure and data are protected. This role might also include compliance, which requires additional policies, strategies, and procedures.

CISO responsibilities:

  • Develop the entire security strategy
  • Communicate interests and activities to the C-suite
  • Oversee any compliance needs
  • Ensure security strategy covers prevention along with detection and response
  • Deeply know and understand the threat landscape

Security Manager

No matter the official title (often, but not always, Security Manager), this individual oversees the security operations center as a whole. If your company doesn’t have a dedicated SOC, this is the person responsible for managing the security team, such as a Security Director or SecOps Lead.

The security manager creates a vision for developing the technology stack, hiring new members, and building updated processes. They should have significant experience with leading a security team and be able to offer both managerial supervision and technical guidance. For companies who do not have a designated CISO, the security manager would also have the responsibilities that are typically under the CISO umbrella.

Security Manager responsibilities:

Security Engineer

The type and number of security engineers or architects on your SecOps team will vary greatly, depending on the size and needs of your organization. While the most general title for this role is Security Engineer, many other titles fall under this category, including:

  • Security Architect
  • Security Device Engineer
  • SIEM Engineer
  • Those who specialize in endpoint security

Security engineers are responsible for building both security systems and the security architecture, and for working closely with developers to ensure both the speed and continuity of releases. This role also requires the engineer to define and document any protocols or procedures for the security systems they create.

Security Engineer responsibilities:

  • Create, implement, and monitor all security systems
  • Develop orchestration and automation between security tools
  • Troubleshoot infrastructure 
  • Develop solutions to mitigate security vulnerabilities
  • Communicate any security incidents with the team and necessary staff
  • Report on evaluations and recommendations for improvement

Security Analyst

When you think of the security team, the role that probably comes to mind is that of the security analyst. Security Analysts are the ones who detect, investigate, and respond to any types of security incidents, from malware infections to full-blown breaches. They are also usually involved in the decision-making process of what preventative security measures to put into place, implementing them, and creating disaster recovery plans.

Many companies organize security analysts into tiers according to skill level or experience, ensuring that the most skilled analysts handle the most complex incidents.

Security Analyst responsibilities:

  • Plan preventative measures and procedures
  • Create a plan for how to respond to threats
  • Establish and implement security measures
  • Monitor alerts
  • Investigate and respond to any security incidents
  • Provide training on information security and network security procedures

IT Operations Manager

An IT Operations Manager oversees the general daily activities within the IT department and maintains control over IT services and any of the connected infrastructure. They make sure that all networks, servers, and computer systems are regularly monitored for performance issues and irregularities, and they also assess error logs and system data to determine areas that need to be repaired or improved.

The IT operations manager directs IT staff on general day-to-day tasks, including regular maintenance, workload scheduling, restoring systems in the event of outages, and creating data backups. They also support the end-user side of things, resolving any specific user issues that may arise and continually monitoring the performance of business-critical systems.

IT Operations Manager responsibilities:

  • Manage and guide IT technicians
  • Monitor IT systems and servers
  • Develop department procedures and policies
  • Oversee installations and upgrades
  • Negotiate vendor contracts
  • Resolve help desk escalations

System Administrator

System administrators, or sysadmins, are in charge of maintaining and configuring servers and computer systems, ensuring efficient, reliable operations. Sysadmins are responsible for installing any needed software and hardware, and continuously researching the newest technologies and strategies to keep the IT business needs of the organization up to date. System administrators also actively resolve issues with servers or computer systems to limit potential disruptions.

System Administrator responsibilities:

  • Install and update hardware and software
  • Maintain and configure network servers and computer systems
  • Integrate automation procedures and processes
  • Run diagnostics and troubleshoot errors
  • Lead help desk efforts
  • Provide training and documentation to staff regarding new IT infrastructure

System Analysts

While system administrators usually focus on daily user performance, system analysts perform more research-based work, determining how IT systems are incorporated in the organization and how they can be optimized. They are typically at the forefront of researching emerging technologies and putting together documentation on the benefits and costs of these new systems. System analysts may also decide on the hardware and software for these new systems, overseeing the installation, configuration, and any necessary training.

System analyst responsibilities:

  • Install, maintain, and troubleshoot information and computer systems
  • Research innovative technologies and make recommendations for the organization
  • Monitor current systems and analyze automation
  • Review and back up systems regularly

Building a SecOps team

Sharing company responsibilities across teams is always beneficial, but especially so when it concerns security. When silos are broken down, processes are completed more efficiently, and teams can collaborate more effectively. By building a strong SecOps team with all of the critical team members, you will be putting your organization ahead of the game, ensuring security is never an afterthought again.

SecOps Solutions from BMC

BMC SecOps solutions enable your teams to prioritize and remediate critical vulnerabilities, and systematically address compliance violations through an integrated and automated approach across your multi-cloud environment.
