ISACA Tackles EU Cybersecurity Risks
New Governance Program Builds On COBIT
To help organizations get a better handle on rules and regulations in Europe that have information security ramifications, ISACA is launching an audit and assurance program for EU cybersecurity, focusing on risks and threats facing organizations, as well as related governance, compliance, resilience and assurance concerns.
ISACA is an independent, not-for-profit association that develops industry practices and guidance to manage, secure and govern information systems. Already, the association has begun releasing a related European Cybersecurity Implementation Series of free best practice guides, which provides an overview of cybersecurity standards, regulations and related concerns.
Come October, the association plans to release the audit and assurance program - available for free to its members - which will be based on ISACA's IT Assurance Framework, or ITAF, and will align with the association's COBIT 5 framework for IT management and governance.
Building on COBIT
Many organizations have adopted the COBIT framework - an acronym for Control Objectives for Information and Related Technology - as the foundation for their governance, risk and compliance programs. Thus, tapping ISACA's cybersecurity guidance gives them a way to build on their existing GRC practices.
"The COBIT framework has been very popular and very successful over the years in European countries, and obviously that begs the question: Now that we've put money on COBIT and are using it in audit, in process management ... what have you got for us in terms of cybersecurity, and how can we bring these two sides of the equation together?" says Rolf von Roessing, president of information security and GRC consultancy firm Forfa in Switzerland.
"So eventually we proceeded to developing a European view on cybersecurity, using COBIT 5 and other resources that we've developed over the years, to make sure that for the European users, we have an answer to the new questions that have arisen as part of legislation, regulation and the general landscape," says von Roessing, who previously served as the international vice president of ISACA.
Von Roessing is also the lead author of the new ISACA cybersecurity guidance, which was developed in collaboration with the International Organization for Standardization (ISO), the European Union's cybersecurity agency ENISA, and various other government agencies, think tanks, working groups, consulting firms and ISACA volunteers.
One of the chief takeaways from the guidance is that boards of directors cannot afford to ignore cybersecurity. "In Europe, cybersecurity is a part of directors' and officers' fiduciary duties, and should be treated as such," cautions ISACA's European Cybersecurity Implementation: Overview report.
Europe Seeks Resilience
Beyond detailing cybersecurity risks and governance requirements, ISACA's new audit and assurance program also focuses on resilience - "a much belabored word," von Roessing says. Resilience refers to the concepts of business continuity and disaster recovery - which for many European organizations have only recently become part of the IT agenda.
"In the days before we were talking cybercrime and cybersecurity, many companies in Europe did not address business continuity and recovery as a major concern, simply because the risk concern was so much more favorable than in the United States, where you have all these natural hazards," von Roessing says. But in recent years, resilience as a business concern has expanded beyond physical risks a business faces - such as a flood, hurricane or bombing - to include information security concerns. "Therefore in most countries, including the United States and most of Europe, we're seeing a massive catching-up exercise."
Focusing on resilience also reflects the fact that even the best IT governance framework won't stop every breach, meaning that no matter how much organizations prepare, there's still a chance they could be hacked, as the suspected JP Morgan Chase breach demonstrates. "When someone really targets one of the big firms, and they do an APT attack, then it is still quite difficult - and it [requires] a lot of resources - to make sure that you either repel the attack, or at least detect it, and you're in a position to do forensics and prosecute eventually," von Roessing says.
Building on the EU cybersecurity guidance, von Roessing says the next goal will be to map COBIT and ITAF more precisely to individual European countries' cybersecurity rules and regulations. To make that happen, the association is hoping to work with local subject-matter experts to develop guidance for particular European countries, von Roessing says.
"Take Germany, as one place, and then take a tiny place like Liechtenstein, next to Switzerland: They obviously have different requirements, a different outlook, and then they will shape their cybersecurity strategies accordingly," von Roessing says (see Germany's Cybersecurity Law: EU Impact). "They will follow the EU strategy, in broad terms, but they will obviously put a bit more detail into it to reflect the situation and what's happening in their countries."