By Eduardo Ritegno
Buenos Aires, ARGENTINA
(TaboraARGA Global Network)

Our note:

Eduardo Ritegno, based in Buenos Aires, Argentina, is a senior IT Manager at BNA (Argentinian National Bank). He is a specialist in Systems Development, Project Management, Audit, Governance, Risk & Compliance, mainly in the vertical finance market, and has worked across the American continent and in Spain. He has also held the position of Director of the Argentinian Clearing House, has been a member and Chair of the CRISC Certification Committee at ISACA (Information Systems Audit and Control Association), based in Chicago, US, for consultancy work, and has been a member of the Certification Board. Mr. Ritegno participated as a team member in writing/reviewing the COBIT 5 professional series, holds two professional ISACA certifications (CISA & CRISC), and is accredited as a Quality Evaluator of the Internal Audit (QAR – IIA).

One of Mr. Ritegno’s main concerns is how we, in the corporate world, should manage data risk and keep information and data secured at the highest level. Mahendra K. Datu, Chairman of TaboraARGA, was able to interview him during their meeting in the US recently.

The Interview:

Q: Mr. Ritegno, as far as we have learned, you’ve been in the IT industry for quite some time, and you have witnessed the ups and downs of companies due to their IT security standard practices. What is your opinion regarding the awareness of industry players globally of the importance of paying more attention to their information security?

A: Independently of the kind of industry or country, I think that the main issues we must never disregard are the following:

  • Confidentiality—ensure that transmitted and stored data cannot be read by unauthorized parties.
  • Integrity—detect any intentional or unintentional changes to transmitted and stored data.
  • Availability—ensure that users can access resources using all available channels and mobile devices whenever needed.

These are universal concepts that must always be taken into account, no matter what technology is adopted or what the cost of implementation is. Today many international regulations and frameworks valid for different industries are putting emphasis on these concepts.

 

“Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. Information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.” (COBIT 5 introduction excerpt)

 

Q: Having learned from the NSA case in the United States that triggered much of the global concern on privacy and data security (and that includes Big Data), what is your recommendation to handle such issues, both individually and at the corporate level?

 

A: Individually: Awareness. There is a maxim that says that a person is a “slave of his words (written or spoken) and the owner of his silence (or thoughts)”, but given the need to use electronic media/tools to communicate between ourselves, my advice is to always be cautious when we express ourselves, with due respect, and to be trustworthy.

 

At the corporate level: Training. Human resources are the most important asset of the company. We usually overlook this aspect, not giving the proper training to our employees to help them counter-attack the threats that they are subject to. On the other hand, employees who are not trained in security best practices, and for example have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments, are an open gate for receiving all kinds of attacks. Regarding corporate data (also historical bulk data or Big Data stored in data-warehouse systems), companies must carefully evaluate, by making a risk assessment, what kind of information/reports is going to be kept on-premises and what is going to be transmitted electronically to third parties or external sites.

 

Data privacy is better kept with good regulations (internal and external), internal training, and compliance with those regulations. Thus, solid internal policies, revised and updated regularly, are one of the key factors in counter-attacking those risks.

 

Q: Most companies, especially small and medium-scale enterprises, are heavily dependent on the role of social media (Facebook, Twitter, Path, etc.) to increase the impact of their marketing strategy. What do you say about this trend? And what are the safest ways of using social media to do so?

 

A: No doubt that nowadays the use of social media is a very powerful marketing and social relationship tool for companies, and it is also part of the myriad of electronic channels available. Besides the technology needed to support social media, the most important factor is to set up an internal area and arrange a team of employees having a good knowledge of the mission and vision of the company, its products, corporate/reputational risk and compliance.

 

This training must also include writing skills, in one or more languages, to help them answer and communicate properly. Also, establish at least one authorization level before approving and releasing answers/news to the public. Companies can outsource the technology, but must never outsource this specific area. On the other hand, they will never be able to transfer the risk for anything that is improperly communicated on behalf of the company through these channels. In other words, they will always be accountable.

 

Finally, these electronic channels, being part of the set of electronic channels available, must keep the look and feel of the corporate image, colors, and products, as shown on the other electronic or classic channels of the company.

 

Q: Big Data is currently as big as the issues it brings about, especially when it relates to privacy and security. Some companies make more money by selling customers’ data involuntarily, or without full customer consent. Each country has different policies and regulations on this matter, so it is more difficult to tackle such cases individually, country by country. For instance, you can sell millions of banks’ customers’ information/personal particulars in one country to another without hassle, all done through advanced digital avenues. What’s your recommendation, or rather opinion, for the corporate world to avoid such cases occurring in their ‘households’?

 

A: You are right; today the more a business knows about an individual, the more it can personalize all kinds of services. And people love personalized services: they feel important, they want targeted offers according to their tastes and customs. The sad reality is that in the backend, they are collecting data from many online sources, analyzing and reselling this information. Of course customers’ fears that this information is going to be lost or misused have also increased.

 

In the particular case of banks, which are highly regulated entities, they usually have very strong security systems in place and regular monitoring that can prevent external attacks. Many concerns about banking customers’ data privacy are related to customer education, to help them identify the low-tech threats that can pose a high risk, like phishing (counterfeit sites linked in an email asking the customer for data that a bank never asks for online) or social engineering. Also, when adding new customers, banks are very careful to comply with AML/BSA regulation, having strong processes and watch lists along with the KYC policy.

 

I think that sometimes the enemy is inside, as in the case of disgruntled employees, also considered one of the main 6 risks for companies today. Internal attacks are one of the biggest threats facing your data and systems; in particular, members of the IT team, with knowledge of and access to networks, data centers and admin accounts, can cause serious damage. Regular review of privileged accounts and credentials, “need to know basis” access rights management, logging and tracking of account activities, and employee termination are policies that must be carefully followed.

 

Also, as a standard practice, implementing DLP (Data Loss Prevention) tools is a good technical solution available for controlling sensitive information leaving the company.

 

Q: The trend of letting employees subscribe to a BYOD policy (Bring Your Own Device) for the sake of efficiency has invited another challenge in data/information security. Companies embarking on this kind of policy will need extra caution in keeping some sensitive data secured. Any suggestion about this remark?

 

A: One of the highest risks in BYOD is data leaking: when subscribing to that policy, the boundaries between work and personal technology are dissolved. Even though the use of personal technology can considerably enhance the business, it also creates a more fragmented technological environment.

Currently mobile devices (BYOD) are one of the top 6 security risks for companies, and data theft is one of the highest vulnerabilities of portable devices. Moreover, it becomes very hard for the IS areas at companies to apply consistent security policies and to manage those devices when we admit multiplatform (multi-brand, multi-OS) devices with a single team of agents.

 

Some companies do not allow the BYOD policy and, instead of that, they distribute their own portable devices configured with the necessary security according to the policy. Besides the technical implications, if BYOD is accepted in a company, they must be sure to have a carefully written BYOD policy. With a good BYOD policy in place, employees are better educated on how to use devices and the companies can better monitor the documents that are being downloaded to employee-owned devices.

 

Q: What is likely the trend of data insecurity in the years to come, and how shall we get prepared?

 

A: Technology is continually evolving, and online information systems are getting more sophisticated, bringing the customer a better user experience. This is a continuous race, where the hackers are also getting more sophisticated. In this context, data security is and always will be one of the main issues. No matter how sophisticated the countermeasures adopted by companies to protect their own information systems against any attack are, the weakest link is still the human being.

 

Again, awareness and training are necessary ways to prepare ourselves to mitigate data insecurity. Careless or uninformed employees who are not trained in security best practices are also among the top 6 biggest risks for companies today. Training our customers and internal staff is basic, starting internally with Human Resources, having solid policies in place and enforcing compliance. Training employees on cyber security best practices and offering ongoing support is a need. For example, some employees may not know how to protect themselves online, which can put sensitive data in danger.

 

Q: About the ‘Cloud Computing’ trend, what is your opinion?

 

A: Cloud Computing is also considered one of the main 6 risks for companies nowadays. Cloud computing is going to grow in certain industry verticals, but will go much slower in others, for example the finance industry. When adopting Cloud Computing, service level and data breaches or data losses are the main concerns. We are talking about security and privacy, thus what information systems are going to be outsourced and what kind of information (sensitive or not sensitive) is going to be posted in the cloud must be carefully evaluated. Risk assessments and BIA analyses, along with process maturity, are the best ways to make the right decision on Cloud Computing.

 

Regarding the decision to adopt this technology, depending on their size and complexity, some companies opt for using different architectures, such as private or hybrid clouds. Companies must keep in mind that Cloud computing poses new risks, and they must be able to manage and mitigate some of the inherent risks of Cloud Computing. This new risk scenario, which is inherent to the cloud model, in some way forces security and risk practitioners to rethink their data security practices and solutions.

 

One of the best technical defenses against a cloud-based threat is to defend at the data level using strong encryption, for example AES 256-bit, recognized by experts as the crypto gold standard. Also, retaining the keys exclusively, to prevent any third party from accessing the data even if it resides on a public cloud, is a good measure.


My final recommendation for any company is to adopt recognized frameworks, standards and good practices for the daily work. A good control environment and control practices must be in place for any company along with solid internal policies, training and compliance. Internal and commercial processes must be evaluated in terms of process maturity, to verify their effectiveness.

 

In the case of IT, COBIT 5 (A Business Framework for the Governance and Management of Enterprise IT – ISACA) is an integrated framework to take into account; it maps to any available IT standard in the market and can be used as an enterprise integrator to manage several frameworks. Also, the professional series for Information Security, Risk and Audit provide useful practices and activities for those specific purposes.

 

Overall, the COBIT 5 framework provides a sound and comprehensive reference for good practices. In the case of human resources, professional certifications (like CISA, CISM, CGEIT and CRISC) are the best way to have well-prepared professionals who can add value to their companies and ensure continuous education.
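The cloud-computing answer above recommends defending at the data level with AES 256-bit encryption while retaining the keys exclusively, so that a public cloud holds only ciphertext. The following Go program is an added illustration of that arrangement and is not code from the interview or from BNA or ISACA: data is sealed with AES-256-GCM on-premises before upload, the key never leaves the company's key store, and the same authenticated mode rejects a blob that has been altered in storage. The record contents, the object name used as associated data, and the key-handling functions are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the premises: a random nonce plus the
// AES-256-GCM ciphertext with its authentication tag. It carries no key material,
// so a cloud provider (or anyone who copies the object) cannot read it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // ciphertext || 16-byte GCM tag
}

// NewDataKey generates a fresh 32-byte (256-bit) key. In practice this key lives
// in the company's own key store (HSM/KMS) and is never uploaded next to the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the 256-bit key size so a shorter key cannot silently downgrade to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. aad (for example the object name) is
// authenticated but not encrypted, so a blob cannot be swapped between objects unnoticed.
func Seal(key, plaintext, aad []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts a downloaded envelope on-premises. It returns an error on a wrong
// key, a modified ciphertext, or an aad mismatch, so integrity is checked along
// with confidentiality.
func Open(key []byte, env *Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, standing in for a report exported from a data warehouse.
	record := []byte("customer_id=12345;balance=1000.00")
	objectName := []byte("reports/2014/q1.csv") // assumed object name, used as AAD

	env, err := Seal(key, record, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext and 0 bytes of key\n", len(env.Ciphertext))

	pt, err := Open(key, env, objectName)
	fmt.Printf("decrypted on-premises: %s (err=%v)\n", pt, err)

	// Simulate a single flipped bit in storage: GCM refuses to return the plaintext.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, env, objectName)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point is the separation of duties it creates: the provider stores and replicates envelopes, the company alone holds keys, and every download is an authenticated decryption, so a breach of the storage account yields ciphertext only and any modification is detected at read time.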

 

Please visit www.isaca.org
