Information Security & Risk Management
Handbook 2016
ABOUT ISACA UW
Such is the growth that the digital world has experienced during the last few years that diverse global
institutions have even declared connectivity as a basic right. Access to the web and its services allows
individuals to become part of the so-called knowledge society, providing them with equal opportunities to
enter the labor market, receive quality education and broadly share their ideas.
In a world where information technologies have become basic to fulfill many of our daily tasks, there is no
doubt that these new tools are great mechanisms for fostering economic growth, promoting better
equality and expanding our horizons. Nevertheless, all of these benefits are currently at risk. At the same
time that the web and its adoption in our daily lives continues to grow, there are increasing threats that
continue to turn the digital world into an unsafe location where it is necessary to keep a high guard.
At this point, the field of information security is gaining ever more importance as a countermeasure
to prevent our data from being stolen, modified, deleted or misused. The ideal of an internet that truly
promotes free speech, exchange of ideas and more opportunities for everyone will never be real unless
stronger efforts are placed into securing our networks.
This is precisely the context in which the ISACA UW student chapter was born. Coming from the
University of Washington Information School - one of the pioneer institutions that has for many years
promoted the study of the relationship between information, technology and people – the members of
the team are mostly concerned with raising awareness about the importance of Information Security and
Risk Management.
The new chapter will provide opportunities for students to learn more about information security, get
involved with professionals and gain hands-on experience. By this means, ISACA UW expects to
increase students' engagement in the field, thus attracting a diverse workforce with different backgrounds
to collaborate on solving one of the most complex contemporary challenges: keeping our networks safe.
For more information, visit the ISACA UW webpage or follow our social media channels: ISACA Student
Group UW Chapter and @ISACA_UW
CREDITS
General Editor: Daniel Kapellmann Zafra
Copy Editors: Beth Levin, Ian Durra
Designer: Jamie Heeyun Byun
Columnists: Colin Andrade, Pamela Chakrabarty, Andy Herman, Daniel Kapellmann, Divya Kothari, Jay Liu, BK Sarthak Das
Infographics: Julieta Sánchez
Design Support: Estefania Leyva
Special thanks to: UW Faculty Member, Annie Searle, for providing ISACA UW with continuous guidance since the beginning of the
project. The faculty of the University of Washington Information School and ISACA International for supporting ISACA UW Student Chapter
to attract students to the engaging field of Information Security and Risk Management. Our peers for their engagement and participation in
ISACA UW activities.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
You are free to share and adapt the material, as long as you provide appropriate attribution or credit, provide a link to the license,
and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or
your use. You may not use the material for commercial purposes. You may not apply legal terms or technological measures that legally
restrict others from doing anything the license permits. For more information visit https://creativecommons.org/licenses/by-nc/4.0/
TABLE OF CONTENTS
6 The Economics of Cybercrime, by Colin Andrade
9 Fitting Information Security in Business, by BK Sarthak Das
12 Securing Operations in the Cloud Space, by Pamela Chakrabarty
16 Importance of Cybersecurity: Understanding Preventive "Medicine" to Maintain Cyber Health, by Andy Herman
19 Modern Cybersecurity from a Global Perspective, by Daniel Kapellmann
23 Cybersecurity & Risk Management Challenges in Water and Wastewater Utilities, by Jay Liu
27 Gotta Sue 'Em All!, by Divya Kothari
PRESIDENT'S LETTER
Dear ISACA Student Group Members,
Welcome to the ISACA Student Handbook to commemorate the 2016 National Cybersecurity
Awareness Month. Through a series of documents and short publications, ISACA University of
Washington Chapter aims to provide students an opportunity to share their views related to
information security and access valuable resources to continue to expand on their passion and interest in
information security and risk management. Our quarterly contents will cover topics written by the
students at the University of Washington undergraduate and graduate programs. They will be available
online through our website and social media.
The ISACA Student Group was established at the University of Washington in April 2016. Although
we are a young organization, our membership has already reached 150+ members before the start of the
Fall Quarter of 2016. Our leadership team is very humbled by the sudden growth and interest from
students and recognizes that information security is a subject that continues to generate interest among
lots of students. Furthermore, to meet the increasing demands of our active members, the leadership
team will continue to plan regular events for the upcoming academic year over a wide range of
information security and risk management topics.
We have a lot of exciting events with high profile professionals in the information security field that will
be joining the student group to hold panels and networking opportunities for our members.
Throughout the next year, our team’s main efforts will be directed to: networking and growth. We hope
to encourage our student members to network with professionals in the information security field and
advance in their careers as they learn more about the challenges of information security.
I sincerely hope that you find this handbook interesting and that it will help us express our passion for
information security. If you would like to contribute to ISACA University of Washington Chapter via
your articles or as a member, please send us an email with your questions to isacauw@uw.edu.
Respectfully,
Andy Herman
Founder/ President, ISACA Student Group University of Washington Chapter
The Economics of Cybercrime
By Colin Andrade
[Infographic: Global Cost of Cybercrime. Source: World Bank, CSIS/McAfee, Allianz]
As the modern world increasingly gets measured in bits and bytes, the opportunity to take
advantage of this new order grows alongside. Technological innovation continues to expand at
unfathomable rates thanks to the exponential growth of processing power in accordance with Moore’s
Law. This advancement provides humans access to data, information, and worldly knowledge in a
way our ancestors could not possibly have imagined.
Not all of this innovation is positive, however. Alongside all of the amazing and potentially life-changing
opportunities available, this new norm may bring, for both consumers and corporations, more sinister
repercussions in the form of those willing to use technology for bad deeds. Cybercrime is not a new
phenomenon, but it continues to grow rapidly across the globe. The basis for cybercrime actually
began in the hacking of computerized telephone systems by individuals who called themselves
"phreakers". Less than two decades later, an entire cohort of digital youth began infiltrating early
versions of the internet.
Fast forward to the 21st century and we see well over 1.5 million cyberattacks every year on
businesses and individuals according to IBM and the Ponemon Institute. The World Bank and McAfee
have estimated that cybercrime costs the global economy roughly $445 billion per year.
Cybercrime has far surpassed physical crime in frequency and cost to society despite an
estimated 80% of cybercrimes failing to be reported. It allows for criminals to make a large impact
without putting themselves in harm’s way. Historically, criminals robbing a bank would have a handful
of chances in their lifetime to break into a physical vault, all while running the risk of authorities with
weapons being called to the scene. Cybercrime now allows criminals to instigate thousands of attacks
on thousands of potential victims all from the relative comfort of their homes.
Cybercriminals are no longer operating out of basements or targeting second-tier corporations
either. In the modern version of cybercrime, there exist well-funded and organized criminal
organizations that focus their efforts on Fortune 500 companies. In a recent survey of their global
clients, the consulting firm PwC found that 18% of respondents had dealt with a cyberattack in 2015
and cybercrime in general had become the 2nd most reported (up from 4th in 2014) type of economic
crime for these organizations. The same survey found that approximately 50 organizations had
suffered losses of at least $5 million, and nearly a third of those respondents had lost over $100
million due to cybercrime.
It isn’t simply stolen money with which these organizations must contend. Much of the cost from
cybercrime comes from legal and reputational loss. Breaches at large organizations, such as Target
and Sony Pictures, resulted in irreparable damages to the brands both companies worked hard to
curate over the years. In both cases, the results of the cyberattacks included C-level executives losing
their jobs, public embarrassment, and loss of revenue. At Target, customer retention was harder to
maintain as loyal shoppers worried that more credit card data (beyond the 40 million credit card
numbers already taken) would be stolen by hackers. In Sony’s case, multiple big name actors and
actresses refused to work with the studio due to leaked employee emails, financial documents, and
medical information. They were also forced to cancel the theatrical release of an expensive and widely
promoted movie (The Dictator).
Cybercrime will only continue to grow as more and more aspects of our day-to-day lives
become digitized. Wearable technologies, the Internet of Things, and the consumer’s growing virtual
presence via social media (both at home and at work) will only increase the opportunities for malicious
cyber actors to take advantage of poorly protected technology and data.
With increased digitization will inevitably come increased financial loss. Criminals will continue to
take advantage of the relative comfort of cybercrime until we find a way to accurately and efficiently
shut them down. Unfortunately for the good guys, cyber criminals tend to be one, two, or even five
steps ahead of law enforcement, and we are a long way from mitigating the substantial economic
impact of cybercrime.
Fitting Information Security in Business
By BK Sarthak Das
When the words “information security” are placed together, people usually think about fancy
technology concepts such as stateful packet inspection, firewalls, threat intelligence, and so on.
However, if we break it down to the simplest dictionary meaning, information security basically means:
“to keep the information secure”. If you put all your information on a stone tablet and bury it
somewhere in the Sahara, then it is definitely secure. Unfortunately, businesses cannot function with
such unreasonable security standards. They have to keep their information confidential, reliable and
available while taking care of their profit margins.
It is important to consider that these security tools come at a hefty price. If a company wants to use
them, it must make an investment and set budget aside for their implementation and operation. In fact,
since no two businesses are exactly the same, adapting processes to security tools requires businesses
to either hire external consultants or employ knowledgeable staff who are able to configure them. In
other words, security tools imply two layers of investment: 1. buying the applications or hardware and
2. hiring or training highly skilled personnel. For this reason, businesses need a strategy for their
investment decisions on information security.
According to a recent study by the Ponemon Institute, the cost of data breaches has increased
by 23% over the last 2 years, further strengthening the need for an efficient business thought process
towards information security. As more and more businesses rely on the latest technologies to
make their portfolios stand out in the market, they are also (consciously or unconsciously) increasing
their attack surface and thus becoming more vulnerable. Cybercriminals continue to target firms for
monetary gain, driving companies to quantify the losses and explore how different security
measures can mitigate the risk of being affected by cyberattacks.
Cybersecurity requires constant monitoring of business operations to generate baselines that
allow companies to make comparisons and find any deviations that are vulnerable to, or have already
generated, security incidents. Furthermore, methods such as the Annual Loss Expectancy (ALE) and
Annual Rate of Occurrence (ARO) may also be used to estimate possible losses and quantify the
impacts of breaches. Keeping track of this information is useful for measuring the impact of any
implemented controls and gauging the effectiveness of efforts to protect systems and information.
This type of monitoring is certainly necessary to make sure that organizations obtain a return on their
security investments.
Another relevant measurement criterion is the likelihood of events. The implementation of
methods such as Monte Carlo simulation allows companies to better follow up on the effectiveness
of their controls by knowing how likely it is that an incident will happen in a given period of time.
Depending on the nature of the company, other metrics can include the number of bugs in their
applications or the number of code rework tickets.
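The ALE/ARO calculation and the Monte Carlo likelihood estimate described above, worked through in Python as an added example (this is not code from the handbook). The asset value, exposure factor, occurrence rates and control cost are constructed sample figures; the ROSI formula is a standard way to express the return on investment the text asks decision makers to see.

```python
"""Quantitative risk metrics: Annual Loss Expectancy (ALE), Annual Rate of
Occurrence (ARO) and a Monte Carlo estimate of incident likelihood.
All figures below are constructed for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario described with the classic ALE inputs."""
    name: str
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # Annual Rate of Occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss suffered in one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: SLE scaled by how often it happens per year."""
        return self.sle * self.aro


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Return on Security Investment: the ALE reduction net of the control's yearly
    cost, as a multiple of that cost. Positive means the control pays for itself."""
    reduction = before.ale - after.ale
    return (reduction - annual_control_cost) / annual_control_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for sampling a Poisson(lam) count; adequate for small lam."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_years(scenario: Scenario, years: int, seed: int = 1) -> dict:
    """Monte Carlo over `years` simulated years. Incidents per year are drawn
    from Poisson(ARO) and each incident costs SLE. Returns the estimated
    probability of at least one incident in a year and the mean annual loss,
    alongside the analytic values they should converge to."""
    rng = random.Random(seed)
    years_with_incident = 0
    total_loss = 0.0
    for _ in range(years):
        n = _poisson(rng, scenario.aro)
        if n > 0:
            years_with_incident += 1
        total_loss += n * scenario.sle
    return {
        "p_incident_year": years_with_incident / years,
        "mean_annual_loss": total_loss / years,
        "analytic_p": 1.0 - math.exp(-scenario.aro),
        "analytic_ale": scenario.ale,
    }


# Constructed sample: a customer database worth $2M; a breach exposes a quarter
# of its value and has historically happened about once every five years.
BASELINE = Scenario("customer DB breach (no control)", 2_000_000, 0.25, 0.20)
# A hypothetical $30k/yr control (monitoring plus patch management) cuts the
# rate to once in twenty years.
WITH_CONTROL = Scenario("customer DB breach (with control)", 2_000_000, 0.25, 0.05)
CONTROL_COST = 30_000


if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        print(f"{s.name}: SLE=${s.sle:,.0f} ARO={s.aro} ALE=${s.ale:,.0f}")
    print(f"ROSI of control: {rosi(BASELINE, WITH_CONTROL, CONTROL_COST):.2f}")
    print(simulate_years(BASELINE, 50_000))
```

With these figures the control reduces ALE from $100,000 to $25,000 for $30,000 a year, a ROSI of 1.5; the simulation's per-year probability should land near 1 - e^-0.2 ≈ 0.18, which is the "how likely in a given period" number the text refers to.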
Associating the security numbers with different business endeavors provides a reason for
stakeholders to consider the implementation of potential solutions and make educated decisions
around it. This is of great relevance considering that business decisions always have a level of risk and
it is up to the decision makers to embrace or avoid the potential consequences. In the field of IT, it is
also imperative to implement a strong risk management strategy to maintain a robust security
program.
In the world of risk management, three elements are always kept in sync to provide the most
holistic solution – people, processes and technology:
- The people of the organization should be trained to think about security as part of their daily
operations. The right talent with the right attitude to integrate security into the business
operations and strategy will help in decision making.
[Image: 3D Data Security – Picture by www.ccPixs.com]
- Processes need to be in place to check the integrity and accountability of actions being carried
out in and around the business. For example, if an employee accidentally deletes a database
entry, is there a process to approve changes?
- Technology acts as the augmenting factor between people and processes to make management
more efficient. Technology can act as an aid by having automated integrity checks or change
management tools to keep track of such human errors.
Once these three elements are identified and maintained diligently, the organization’s
information assets will be safer and the business will be most likely to function smoothly.
The most important part for information security is to provide concise numbers that show how
investment in controls will ultimately benefit the firm. When a security project or action is presented to
decision makers, it should include clear data that informs them about the return on investment. If the
data points for the numbers are not available, then the first step should be (as mentioned earlier) to
define a baseline. Security, just like business is a cyclic process, so learning from history and the
external environment is what provides improvement in the next iterations.
The growing threats towards companies and their data cannot be avoided any longer and have
to be taken seriously. Although it is easier said than done, success can be achieved only through
adapting information security as part of the main business procedures and culture. The more
synergized they both are, the better the outcome will be.
It is also important to mention that the methods mentioned above are not the only ways to
measure metrics, but they are a start. The advent of data mining and data science opens new doors to
automated collection and analysis of data that may potentially lead to more complex security tools
during the next few years. However, it is important not to lose sight of the main business goals in the
glitz and glamor of newer technologies. Be aware that if certain security controls represent barriers to
the growth of the business, they will drive stakeholder investment away and mean an untimely end to
your InfoSec adventure. Thus, all information security efforts should be aligned with the main
organizational goals and help stakeholders in the process.
Securing Operations in the Cloud Space
By Pamela Chakrabarty
Managing cyber risks is not only a good practice for organizations, but also an essential aspect
of enabling optimal business performance. With cloud computing gaining relevance as a game-
changing innovation, firms are increasingly adapting their operational procedures to fit into the cloud
space. According to PwC's Global State of Information Security survey for 2016, about
60% of organizations across all industries are resorting to cloud solutions due to their flexibility,
stability and diverse benefits. The cloud enables enterprises to function with greater agility, scalability
and reduced IT costs, and allows high-bandwidth connectivity across global data centers.
However, many organizations express security concerns when deciding to adopt cloud services.
Some examples are the potential loss of highly sensitive business and customer information as well as
data security and availability in case of a disaster. In other words, placing sensitive data in the hands
of external cloud service providers is still perceived as a dangerous practice that could lead to
compromising control, access and security of information assets. The question is, how can
enterprises harness the power of cloud while implementing a balance between security investment
and effectiveness, such that it outweighs the risks and leverages the benefits of adopting this type of
solution?
In order to address this challenge, organizations must perform thorough analyses of cloud
technologies before adopting them. This exercise will allow companies to pick the cloud model that
best suits their business and security needs. There are primarily three different cloud service models
and four cloud deployment models that should be considered.
Each type of service and deployment model brings its own risks and benefits and different
combinations will be useful depending on the needs of the organization. For example, smaller
organizations with non-mature security programs may utilize cloud services from established vendors
to keep their information safer. However, companies storing sensitive information (such as the case of
utilities) may not be able to do this unless several compliance and security requirements are met by
both parties.
It is possible to infer that there is no one-size-fits-all approach for addressing every threat, and
the final solution has to be designed based on the business needs. As a first step, organizations
should perform a risk assessment that provides (a) a clear understanding of the organization's risk
tolerance and appetite and (b) a solid analysis of business needs. Developing a good idea of the cloud
usage environment as well as the associated risks, threats and vulnerabilities will no doubt improve
a company's decision when selecting cloud services.
Understanding controls to enforce security in Cloud
A security control is a “technical or administrative safeguard or countermeasure to avoid,
counteract or minimize loss of unavailability due to threats acting on their matching vulnerability, i.e.,
security risk” (Security Laboratory, SANS Technology Institute) to an organization’s assets. In the case
of cloud services, security controls must be integrated in the existing IT environment of both provider
and user organizations. Areas to consider while enabling security controls are:
It is important both for cloud users and providers to adopt security controls that satisfy the
needs of both parties, otherwise several problems may arise. For instance, in the case of regulatory
controls or data privacy, non-compliance with a particular law could lead to significant fines and
compromised data. In a similar way, a lack of adequate disaster recovery actions could lead to
organizations losing valuable information due to lack of availability.
Cloud Security Frameworks and Industry Designed Resources
In order to promote more secure cloud practices, several security frameworks and industry
designed resources are available to guide organizations. For example, ISO 27000 is a broad
information security standard, published by the International Organization for Standardization (ISO),
that can be applied to companies of different sizes and types. It comprises ISO 27001, which is a list of
requirements to consider for organizations intending to establish an Information Security program, and
ISO 27002, which defines the operational requirements of a security program.
Another popular framework is the NIST Special Publication 800 series, published by the U.S.
National Institute of Standards and Technology.
Although it is targeted towards federal information systems, it is a great framework that could be
incorporated into an organization's security program as it defines security controls as part of a risk
assessment program, covering 17 key areas that include access controls, incident response, and
disaster recovery.
Planned Security Management
A planned approach to managing security can enable organizations to perform optimally without
disrupting business continuity. A 2016 PwC survey report showed that 59% of businesses
adopting cloud services reported having enhanced their information security program recently. This
means that they are aware of both the benefits and the risks of the cloud, and have decided to align risks,
strategies and performance to enhance their productivity.
It is necessary to remember that managing and securing information assets is a business
responsibility. It should be in the best interest of organizations’ leaders to work closely with their IT
and security teams to identify relevant data and applications that should or should not be moved to
the cloud space. By utilizing existent frameworks and adapting them to their organizations,
businesses can design solutions and controls that clearly support their growth either through internal
resources or external cloud support.
[Image: Global Cloud - Global Cyber Security – Picture by www.bluecoat.com]
Importance of Cybersecurity: Understanding Preventive "Medicine" to Maintain Cyber Health
By Andy Herman
[Image: Merrill College of Journalism Press Releases's Photostream - CC BY-NC 2.0]
Take a moment to think about all of the information that surrounds you. From the moment you
open your eyes to squint at the bright LED display on your iPhone, to when you shuffle home after a
long day at work, millions and millions of bytes of data about you are constantly being shared. With so
much information readily available, it is possible for malicious hackers to gather and sell that
information. Imagine the information you put into a "secure" site being accessed without your
knowledge. Naturally, you would feel betrayed because there is a subconscious trust that is
established between you and the site that you shared your information with. That feeling of betrayal is
the reason why organizations need to keep cybersecurity at the top of their agenda. Cyber security is
important in order to maintain the trust between consumers and organizations, while demonstrating
that organizations understand that privacy of data is important.
In what seems like a unique combination, healthcare and cybersecurity have some important
crossovers that all information security professionals should pay attention to. The crossover between
preventive measures is a lesson from healthcare that can and should be transferred to the information
security profession. Preventive medicine is "a practice by all physicians to keep their patients
healthy". Common "best practice" for preventive medicine includes developing awareness and
maintaining proper hygiene. Moreover, it can stop diseases before they become an issue.
Similar to the maintenance of health, the maintenance of "cyber health" for organizations is
critically important. Proper security hygiene is especially significant because just like when people get
a virus, "infected devices have a way of infecting other devices and compromised systems can make
everyone vulnerable". Proper risk management in organizations should always begin with preventive
measures. Business leaders should use preventive medicine in healthcare as a model to demonstrate
the necessity of preventive cybersecurity measures in businesses as an important investment.
There is so much in common between preventive medicine in healthcare and preventive
measures in cybersecurity in both good and bad ways. First of all, there is often the false perception
that preventive measures cost more than the treatment itself. A report from the New England Journal
of Medicine stated that "sweeping statements about the cost-saving potential of prevention, are
overarching". Most notably, there is the notion that screening costs for illnesses that are only present
in a small percentage of the population will only increase overall healthcare costs. In cybersecurity,
this fear of preventive costs may be true as well. The cost of establishing, implementing, and
maintaining a cybersecurity framework is a continuous operational expense. There are still business-
minded CEOs who would rather invest that money in business development and would prefer
to deal with the after-effects of data breaches as they arise.
However, the report in the New England Journal of Medicine further stated that "researchers
have found that although high-technology treatments for existing conditions can be expensive, such
measures may, in certain circumstances, also represent efficient use of resources". Adequate
resource spending and use of resources should become the focal points for organizations
contemplating whether or not they should invest in a cybersecurity program.
"Cyber health" should become a new measure of an organization’s preparedness for threats.
With efficient use of resources (i.e. investment in a proper cybersecurity framework), organizations will
have the opportunity to keep pace with and prepare for the continuously changing cyber threat
environment. Incorporating best practice frameworks and controls to not only prepare for attacks but
also to identify any vulnerabilities that are happening, will be a continuously important topic in
business.
Cybersecurity & Risk Management Challenges in Water and Wastewater Utilities
By Jay Liu
Modern Cybersecurity from a Global Perspective
By Daniel Kapellmann
A Dangerous Landscape
The growing adoption and relevance of information technologies worldwide has turned signals
intelligence into a vital asset for states due to the potential threats present for both organizations
and citizens. In 2007, the world saw the first publicly known political cyberattack targeting a
government. A group of Russian hackers launched a Distributed Denial of Service (DDoS) attack
against a diverse range of Estonian organizations, thus disabling the websites of the National
Parliament, banks, ministries, police and fire departments for hours.
[Image retrieved from Pixabay - CC0 Public Domain]
What is known today as Information Security has its origins in the Second World War,
when the first long-distance communication systems were widely adopted to share information from
one place to another. Given that the technology used in the early 1940s did not allow for the secure
transfer of signals, the first popular mechanism for encrypting information was created by the
German government under the Enigma Project. A couple of years later, British intelligence deciphered
their code, thus being able to intercept their army's secret communications and giving birth to the
military concept of Signals Intelligence.
In 1946, after the end of the war and in a context of distrust among nations, the United States of
America and the United Kingdom signed the UKUSA agreement to share capabilities for signals
interception. Since then, thanks to the most recent technological innovations, advanced information
systems have become democratized and available to most of the population. Today, society depends
on information technologies to oversee the values of international finance, flights from airports,
operations of critical infrastructure, transportation, the operation of healthcare devices and many other
things.
As explained by Toomas Hendrik Ilves, Estonia’s former President: “In a modern digitalized
world it is possible to paralyze a country without attacking its defenses, the country may fall in ruins
with just stopping its SCADA systems. To generate an economic crisis you can erase its banking
records and the most sophisticated military technology can be irrelevant. In cyberspace, no country is
an island.”
This argument states two of the main dangers that cybercrime represents for nation states:
economic and physical damages. First, cybercrime and espionage cause enormous economic burden
on organizations and governments worldwide. According to MacAfee’s “Estimating the Global Cost of
Cybercrime” report, each year the global economy loses more than $400 billion dollars to cybercrime
and cyberespionage.
Second, cyberattacks may cause physical damage when they target, for example, critical
infrastructure and utilities. In 2010 the Stuxnet worm – allegedly created by the US and Israeli
governments – was discovered to have sabotaged centrifuges at Iran’s uranium enrichment facilities,
setting back its nuclear program. In December 2015 the BlackEnergy malware – allegedly deployed by
Russian hackers – was found on the networks of Ukrainian regional power distributors during an attack
that left more than 200,000 customers without electricity for several hours. Further attacks could
produce similar scenarios: sabotaged nuclear facilities, damaged electric utilities and other disrupted
critical infrastructure.
Given the absence of geographical boundaries in networks, and the difficulty of both locating
criminals and enforcing regulation against them, cyberattacks against governments will continue to rise
in the coming years. New mechanisms are needed to protect national infrastructure not only from rival
states, but also from criminal organizations and individuals, who can now launch an attack from any
keyboard.
Geopolitics and Cybersecurity
For more than 10 years, various attempts have been made to harmonize cybersecurity
regulation among countries and negotiate the consolidation of a safer internet. The Budapest
Convention on Cybercrime, in force since 2004, committed its signatories (37 countries at the time,
including Japan and the USA) to harmonize their legislation against cyberattacks. In 2011 China and
Russia promoted an International Code of Conduct for Information Security, under which countries
would direct their ICT efforts towards economic development while respecting the basic UN principles
of cooperation and peaceful dispute resolution.
The international community again discussed information security strategies during the 2013
World Summit on the Information Society (WSIS) Forum organized by the International
Telecommunication Union. The most recent attempt to change the global security landscape is taking
place in the European Union, where the Network and Information Security (NIS) Directive was
approved in 2016; it requires each member state to designate national competent authorities and
computer security incident response teams for the sectors it covers. However, in spite of the numerous
attempts to build mutual confidence and support, few tangible results have been achieved while the
number of attacks and breaches keeps increasing.
In 2014 the hack of Sony Pictures Entertainment, which led the studio to pull the release of the
movie “The Interview”, drew the attention not only of the international press but also of the highest
government authorities. After attributing the attack to North Korea, the U.S. government imposed a
new set of economic sanctions in retaliation. This case showed the global community how deeply
governments and organizations now depend on each other to defend against cyberattacks.
However, the Sony hack was just a sample of what really goes on out of the public eye.
Cyberattacks between countries and by criminal organizations are common nowadays, even though
there are no clear mechanisms to stop them. Examples include the constant confrontations and distrust
between the USA and China, or Russia’s aggressive cyber strategy targeting countries such as Finland
and Sweden that seem inclined to join the North Atlantic Treaty Organization (NATO). Even well-known
security companies such as Russia’s Kaspersky and the US firm FireEye have become controversial
players in the geopolitical sphere, challenged to demonstrate that they do not favor one country over
another.
Painting a general picture of the complex geopolitical landscape created by the growing number
of cyber threats would require a longer text. However, it is clear that with the increasing adoption of
information technologies, keeping cyberspace secure will become ever more important for countries
that want to keep their citizens safe. As geographical barriers keep falling and markets become more
interrelated, states will need to adopt multi-stakeholder regulation schemes that protect their
information assets in collaboration with private organizations and individuals. Only an integrated
approach that adapts to the continuous patterns of innovation will help governments prepare for the
coming threats, thus preventing the numerous economic, financial and social dangers that will most
likely keep escalating during the next few years.
Cybersecurity & Risk Management Challenges in Water
and Wastewater Utilities
By Jay Liu
Water and wastewater systems are made up of networks of pipelines, roads, conduits and
facilities that rely on each other to deliver water to the public. Because this basic resource is so
relevant to daily life and economic development, nation-state adversaries and other threat actors are
inclined to target water systems for personal or political gain. For this reason, it is critical to operate
water systems securely, through multi-layered security programs that protect this critical infrastructure
from emerging cyber threats. This article discusses the main challenges of the Water and Wastewater
Systems Sector (WWS) and then recommends a high-level strategy for managing the security and
risks of the Industrial Control Systems (ICS) involved.
Cybersecurity Challenges in Water Sector ICS:
Design. Because these systems were designed for maximum functionality and availability rather
than for security, it is difficult to keep their information assets entirely secure. Limited computing
resources have prevented control systems from performing additional security functions, and
attackers can find open source tools on the internet to disrupt ICS. This also raises concerns about the
storage of sensitive information such as vulnerability assessments, site security plans, incident
response plans, and water system and asset specifications.
More open environment. The move to standardize interoperability, architectures and software
packages on commercial off-the-shelf technologies has increased the systems’ accessibility to internal
and external personnel.
Increased connectivity. Connecting enterprise networks and ICS that rely on a common operating
system, and connecting both to the Internet, has created new vulnerabilities, because the security
features of ICS have not improved at the same pace.
System complexity and access control. The demand for real-time business information has
increased system complexity. More users are granted access to ICS while business and control
systems become increasingly interconnected. The degree of interdependency among infrastructures
has grown, but IT and business staff are still falling behind in meeting these new challenges.
Limited number of manufacturers in the water sector. This concentration creates a single point of
failure: any disruption to the supply chain could limit the WWS sector’s ability to obtain software,
hardware and ICS support when responding to emergency situations.
Recommended Cybersecurity & Risk Management Practices:
A sound information security and risk management strategy should align with the organization’s
strategy and business objectives. Existing security measures that ensure the availability of safe
drinking water, wastewater treatment and the delivery of water services should be carefully
implemented. In addition to current practices for securing the WWS sector, a comprehensive security
and risk management plan should be outlined to address the challenges faced by water sector ICS and
reduce the potential impact of successful incidents.
Based on the ICS security recommendations of the American Water Works Association, a modified
framework with four key goals is suggested:
Figure 1. ICS suggested security framework
As shown in the diagram, the suggested security framework consists of four main steps. First, an
ICS security program is developed; then an ICS risk assessment takes place as part of the overall
enterprise risk management program; third, risk mitigation is carried out; and finally a process of
outreach and continual improvement keeps the program updated and dynamic, based on the
organization’s present needs and capabilities. Each phase is explained in more detail below:
1. Develop an ICS Security Program:
a. Executives in Water Sector should recognize ICS as a mission-critical asset.
b. Establish a cross-functional ICS security team that involves IT, engineers,
manufacturers, security experts, and business partners. It should work
collaboratively to reduce vulnerabilities, and establish policies that address
changes in operations, technology, standards and regulations, and the external
threat environment.
2. Risk Assessment:
a. Assess and update the inventory of critical information assets.
b. Evaluate the effectiveness of current controls.
c. Prioritize controls based on the consequence of each risk and the organization’s
risk appetite.
3. Risk Mitigation:
a. Apply appropriate controls to new vulnerabilities; for example, address the risk of
network failure by adding redundant components.
b. Develop cost-effective security solutions for legacy systems, new architecture
designs, and secured communication networks.
c. Implement on-boarding and off-boarding processes for internal staff and third-party
vendors.
d. Promote security awareness training programs that focus on ICS.
4. Outreach and Continual Improvement:
a. Encourage close collaboration with stakeholders in the public and private sectors.
b. Develop an information sharing program with other critical infrastructure
stakeholders.
c. Regularly assess the effectiveness of security controls, for example by conducting
disaster drills and tabletop exercises.
In conclusion, securing ICS in the water sector requires cross-functional and cross-sector efforts to
keep up with the changing threat landscape. The proposed framework provides a high-level
information security and risk management strategy that water utility executives can leverage in their
commitment to reducing the risks to critical ICS assets.
Gotta sue ‘em all!!
By Divya Kothari
With Information Security becoming ever more vital with each passing day, it is pertinent to keep
yourself abreast of the latest security developments irrespective of your past expertise or existing
knowledge base. In fact, you would be surprised by how different disciplines blend into the field of
security. As a law school graduate, let me share how the realm of jurisprudence, despite being
connected with all walks of life, is especially significant in the world of information and cyber security.
Information Security ensures that, within the enterprise, information is protected against
disclosure to unauthorized users (confidentiality), improper modification (integrity), and lack of access
when required (availability). And what we use to ensure this takes the flavor of law. It may be in the
form of industry standards (e.g. PCI DSS), enforceable regulation (e.g. GLBA), or a hybrid of the two
(e.g. HIPAA). The fact remains that you need a formalized structure to regulate systems and processes,
which is where legal knowledge steps in.
Let’s take the example of Pokémon Go. Since its release in July 2016, this augmented reality
game has become a worldwide phenomenon. If you fell down this rabbit hole, the symptoms surely
included eyes glued to your phone, distracted walks, constant upward finger flicks and screen tapping,
frustration at not being able to catch that Diglett peeking out of the toilet, or even accidentally
discovering dead bodies! In a nutshell, “unlike the original Nintendo series and most video games,
Pokémon Go requires physical exploration…The combined effect is part bird-watching, part
geocaching, part trophy hunting, with a heavy dose of mid-1990s nostalgia.” And, naturally, several
lawsuits. At another extreme, Gerry Beyer, Professor of Law at Texas Tech University, warns that
“death by Pokémon is coming…Pokémon users will have all sorts of accidents as they use the
program while walking, biking, driving, etc…”
With Niantic designating private property as PokéStops and Gyms, there have been several class
action lawsuits claiming nuisance and a share of the profits, among other things. Another
controversial aspect is embedded in its Terms of Service: “In order to opt out [of the arbitration
clause] users must send an email within 30 days of their agreement to the terms, with “Arbitration
Opt-out Notice” in the subject line. Failure to do so “…will be deemed to have knowingly and
intentionally waived your right to litigate…”
iPhone Digital - CC BY-SA 2.0
However, circling back from other aspects of security, let’s look at the grave cybersecurity issue
at hand. While traversing this space, keep in mind that security and privacy go hand in hand. When the
game was initially launched, signing in with a Google account on iOS was equivalent to granting the
app full access to that Google account. This meant access to email, pictures, documents and any other
data associated with the login, on top of the data stored on the player’s smartphone, including camera
and location data, which is the usual pattern seen with other apps. Once made aware of this, Niantic
resolved the issue by reducing the permission to the person’s basic Google account profile information.
Needless to say, Niantic does not explain why, how and from where it collects all this
information. The company’s Privacy Policy makes it clear that it will store location information, along
with other resources the user shares in the app, without any limit on the retention period of this data.
In addition, Niantic grants itself a “nonexclusive, perpetual, irrevocable, transferable, sublicensable,
worldwide, royalty-free license to ‘User Content’”, with the terms defining neither what ‘User Content’
is and comprises nor the external parties it may be shared with. On the contrary, it treats personally
identifiable information as a business asset that may be transferred in a merger or acquisition! This
opens up a new challenge for today’s technologists and law professionals: where does reality merge
with cyberspace, and where do our laws stand? For instance, does trespassing in the real world apply
to augmented reality? Do we have regulations that can normalize these situations? And can cases like
these even be reasonably foreseen?
I would like to end this article with a quote by Lord Denning: “Be you ever so high, the law is
above you.”
However, with the law constantly having to play catch-up with technology, the exactness of Lord
Denning’s statement seems dubious. For now let us stick to the “spirit of the law” instead of the “letter
of the law”, agreeing to place it above us for all times to come.
Infographic by Julieta Sanchez
Final Editor’s Note
The most amazing characteristic of the Information Security field
is that it requires multidisciplinary professionals that dare to learn skills
from different fields and find out efficient ways to protect organizations
from evolving and dynamic threats. It is a discipline that requires
passion, dedication, continuing education, and lots of hands-on
practice.
As the adoption of ICTs continues to increase worldwide, the
importance of being prepared to protect the assets that we value the
most also grows. Information today is no longer a privilege, but rather a
need. It is a force that drives countries, industries, communities and
even people’s most basic interactions.
Taking this into consideration, we presented to you the first
ISACA UW Student Chapter Handbook 2016, which showed a broad
picture of some of the disciplines that are related to Information
Security. We expect that these texts are useful to attract more students
to the field and share our passion from different perspectives.
Of course, we did not present a full assessment, that would take
much more time and a longer document with specialists from many
different disciplines. However, we believe this will serve to build a
strong basis for new ISACA UW students that will continue our efforts
into the future.
To conclude, I would like to thank all the students that made this
publication possible as well as the professors and professionals that
have supported our organization since its origins. We hope that you
found this material interesting and we look forward to your feedback,
which guides the selection of the information security content in our
future publications.
Daniel Kapellmann
Editor-in-Chief
Daniel Kapellmann is an Information
Management Graduate student at the
University of Washington, specializing
in Information Security. He currently
works as a remote consultant for the
International Telecommunication Union.
MEET OUR TEAM!
Andy Herman is the Founder and President of the ISACA Student Group. He completed his undergraduate studies at the University of Washington with a Bachelor’s Degree in Microbiology. Prior to attending the iSchool, Andy attended medical school where he developed his interest in healthcare cybersecurity. Andy is currently pursuing specializations in Information Management and Consulting & Information Security. Andy’s interests outside of school include playing musical instruments, football, boxing, and travelling.
Daniel Kapellmann is Chief Editor for the ISACA Student Group. He holds a Bachelor’s Degree in International Affairs from ITAM University in Mexico City and is an Information Management graduate student at the University of Washington specializing in Information Security & Business Intelligence (Fulbright and Conacyt scholarships). He also works as a consultant in Digital Inclusion for the International Telecommunication Union (ITU). His journalistic articles have been published in several international media channels including Deutsche Welle, LSE Blog, World Policy, OECD Insights, Bertelsmann SGI, Future Challenges and Fair Observer. Outside of school, Daniel is interested in Latin dancing, singing and traveling. @Kapellmann
Jay Liu is the Director of Public Relations of the ISACA Student Group and a second year MSIM student. Jay started his master’s at the iSchool after receiving his Bachelor’s degree in Linguistics at the University of Washington. Jay is active in the non-profit sector and has played several leadership roles in local non-profit organizations. He is also an advocate for civic technology. Currently he is involved with the Seattle Technology Advisory Board and Open Seattle. Jay is specializing in Information Security & Business Intelligence. Outside of school, Jay’s interests include tennis and pencil sketching.
Colin Andrade is the Vice President of the ISACA Student Group and a first year MSIM student. Colin came to the UW iSchool after spending four years working for a German investment bank in Boston and New York City. Prior to starting his career, Colin received his Bachelor’s Degree in History from The College of the Holy Cross in Worcester, MA. Colin is specializing in Management & Consulting as well as Information Security. Outside of school, Colin’s interests include golf, basketball, and cycling.
Akshay Ajgaonkar is the Director of Special Events for the ISACA Student Group. He holds a Bachelor of Engineering Degree in Information Technology from the University of Mumbai, India and is a second year Information Management graduate student at the University of Washington specializing in Information Security, Information Consulting & Business Intelligence. He has been a national level under-15 cricketer in India. Akshay’s interests outside of school and work include traveling, reading, listening to music, soccer, hiking and kayaking.
HeeYun Jamie Byun is the Director of Marketing of the ISACA Student Group. She is pursuing her degree in Informatics (HCI) or HCDE at the University of Washington as an international student from South Korea. Jamie is interested in diverse cultures and she has lived in Malaysia, the United States, and South Korea. Before joining ISACA UWC, Jamie participated in KOJOBS (Korean Job searches) UWC as Director of Planning for two years. She also completed a summer UX design internship at the Indian mobile app startup True Balance, located in Seoul. Jamie’s interests include baking products for her online bakery shop, rock-climbing, meditation, and travelling. Check out her personal mobile design projects at www.heeyunbyun.info!
Dawon Go is the Treasurer of the ISACA Student Group. She is pursuing her degree in Informatics (Information Security or HCI) at the University of Washington. Dawon has accumulated experience through summer internships at Ucanfunding, Paygate and The National Assembly of the Republic of Korea. As an international student from South Korea, she also works on the public relations team of the Korean Student Union (KSU). Dawon’s interests outside of school include baking, swimming, skiing, snowboarding and traveling.
Divya Kothari is the Director of Special Events for the ISACA Student Group. She holds a Law Degree from the University of Mumbai, India along with a Bachelor of Business Administration from Manipal University. She is a second year Information Management graduate student at UW, Seattle specializing in Consulting, Information Security and Business Intelligence. Divya is fascinated with different cultures, is passionate about exploring new places and loves graphic novels.
Claire Hae Won Chung is the Secretary of the ISACA Student Group. She is pursuing her degree in Informatics (Information Security or Data Science) at the University of Washington. She is also interested in business and strategy as well as information, so she participated in the Economy and Business Management Forum for STEM Majors as a team leader. She is also a leading team member of the financial engineering club. Her interests outside of school are listening to EDM, playing drums, and viewing exhibitions and artworks.
Taehyun Kwon is the Webmaster for the ISACA Student Group. He is pursuing his degree in Informatics (Cybersecurity), Data Science and Statistics at the University of Washington. He has been part of the US national youth orchestra hosted by the National Association for Music Education as a violinist and participated in the 4A league of the WA state competition as a pole vaulter during high school. Taehyun’s interests outside of school include bouldering, top-roping, playing guitar and soccer.
Mary Tong is the Historian of the ISACA Student Group. Mary is currently a senior at the University of Washington, studying Interactive Media Design. She is interested in human-computer interaction, video production, entrepreneurship, security, storytelling, and community involvement. She has developed an affinity for understanding how users interact with and are affected by different interfaces. Her goal is to understand user challenges and create a better experience that caters to everyone. She hopes that through her storytelling craft she can showcase individuals’ stories and help people be inspired, motivated and grateful.
References
The Economics of Cybercrime
1. Moore’s Law is the now famous observation by Gordon Moore, co-founder of Intel, that the
number of transistors on an integrated circuit doubles roughly every two years (often quoted as every
18 months), making processing power grow exponentially over time.
2. University Alliance. “A Brief History of Cyber Crime,” Florida Tech, 2015. Retrieved from:
www.floridatechonline.com
3. CBS. “These Cybercrime Statistics Will Make You Think Twice about your Password,” CBS,
2015. Retrieved from: www.cbs.com
4. Center for Strategic and International Studies. “Net Losses: Estimating the Global Cost of
Cybercrime,” Intel Security, 2014. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
5. Collin, Stuart. “A Guide to Cyber Risk,” Allianz, 2015. Retrieved from: www.agcs.allianz.com
6. Burg, David. “Global Economic Crime Survey 2016,” PwC, 2016. Retrieved from: www.pwc.com
7. For more information about the details of the Target hack, access: http://www.bloomberg.com/
news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
8. For more information about the details of the Sony hack, access: http://www.slate.com/articles/
technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html
Fitting Information Security in Business
1. Ponemon, Larry. “Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach
Study: Global Analysis’”, in Security Intelligence, May 27, 2015. Retrieved from: https://
securityintelligence.com/cost-of-a-data-breach-2015/
2. Palisade, Monte Carlo Simulation. Retrieved from: http://www.palisade.com/risk/
monte_carlo_simulation.asp.
Securing Operations in the Cloud Space
1. How Cloud Enabled Cybersecurity will transform your business. Pwc. Retrieved from: https://
www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/cloud-enabled-cybersecurity.pdf
2. Navigating Security in the Cloud, PwC Advisory Services. Retrieved from: https://www.pwc.com/
us/en/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf
3. Granneman, Joseph. “IT Security Frameworks and Standards: Choosing the right one,” in
TechTarget. Retrieved from: http://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-
standards-Choosing-the-right-one
4. ISO/IEC 27000:2014. Retrieved from: http://www.iso.org/iso/catalogue_detail?csnumber=63411
5. “NIST SP 800 series” in Network Information Security and Technology News. Retrieved from:
http://www.nist.org/nist_plugins/content/content.php?cat.17
Importance of Cybersecurity: Understanding Preventive “Medicine” to Maintain Cyber Health
1. Herman, Andy. “Importance of Cybersecurity: Understanding Preventive “Medicine” to Maintain
Cyber Health,” West Monroe, 2016.
2. ACPM. “Preventive Medicine,” in American College of Preventive Medicine, 2016.
3. WRF Staff. “Preventive Health Care Helps Everyone,” in World Research Foundation, 2016.
4. Magid, Larry. “Why Cyber Security Matters to Everyone” in Forbes, October 1, 2014.
5. Cohen, Joshua, Ph.D, Peter Neumann, Sc.D, and Milton Weinstein, Ph.D. “Does Preventive Care
Save Money? Health Economics and the Presidential Candidates” in New England Journal of
Medicine, February 14, 2008.
6. Op. Cit. Cohen, 2008.
7. Op. Cit. Herman, 2016.
Modern Cybersecurity from a Global Perspective
1. Andrew Lycett. “Breaking Germany´s Enigma Code,” in BBC History, 17 February 2001. Retrieved
from: http://www.bbc.co.uk/history/worldwars/wwtwo/enigma_01.shtml
2. Thomas R. Johnson. “American Cryptology During the Cold War,” 1945-1989, in United States
Cryptologic History, Series VI, Vol. 5, Center for Cryptologic History, 1995, pp.101-112.
3. Toomas Hendrik Ilves. “Cybersecurity: a view from the front,” in Co:llaboratory Discussion Paper
Series, Berlin-Bali, October 2013, no.1, vol. 6, pp.14-15. Retrieved from: http://en.collaboratory.de/
images/b/bb/Mind_06berlin.pdf
4. Ibidem.
5. Center for Strategic and International Studies. “Net Losses: Estimating the Global Cost of
Cybercrime,” Intel Security, 2014. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
6. Fox-Brewster, Thomas. “Ukraine Claims Hackers Caused Christmas Power Outage,” in Forbes,
January 4, 2016. Retrieved from: http://www.forbes.com/sites/thomasbrewster/2016/01/04/ukraine-
power-out-cyber-attack/#268ecf085e6f
7. European Council. “Convention on Cybercrime”, 1 July 2004. Retrieved from: http://
conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?CL=ENG&NT=185 (Consulted: 25 January
2015).
8. Chinese Embassy. “China, Russia and Other Countries Submit the Document of International
Code of Conduct for Information Security to the United Nations,” 13 September 2011. Retrieved
from: http://nz.chineseembassy.org/eng/zgyw/t858978.htm
9. International Telecommunication Union (ITU). “Foro sobre la sociedad de la información: la
ciberseguridad en la agenda mundial” [Forum on the Information Society: cybersecurity on the global
agenda], Geneva, 16 May 2013. Retrieved from: http://www.itu.int/net/pressoffice/press_releases/2013/23-es.aspx#.VJGhC8BZ
10. Cuthbertson, Anthony. “Russia: 7-year cyberwar against Nato, EU and US by Kremlin-
sponsored hackers The Dukes exposed,” in International Business Times, September 17, 2015.
Retrieved from: http://www.ibtimes.co.uk/russia-7-year-cyberwar-against-nato-eu-us-by-kremlin-
sponsored-hackers-dukes-exposed-1520065
11. Menn, Joseph. “Politics intrude as cybersecurity firms hunt foreign spies,” in MSN News, 12
March 2015. Retrieved from: http://www.msn.com/en-us/news/politics/politics-intrude-as-
cybersecurity-firms-hunt-foreign-spies/ar-AA9Fz2w
Cybersecurity & Risk Management Challenges in Water and Wastewater Utilities
1. Department of Homeland Security. “Water and Wastewater System Sector-Specific Plan”,
2015. Retrieved from https://www.dhs.gov/sites/default/files/publications/nipp-ssp-
water-2015-508.pdf
2. Encompasses several types of control systems used in industrial production, including
supervisory control and data acquisition systems (SCADA), distributed control systems (DCS),
and other smaller control system configurations such as programmable logic controllers (PLC)
often found in the industrial sectors and critical infrastructure.
3. Water Sector Coordinating Council Cyber Security Working Group. “Roadmap to Secure
Control Systems in the Water Sector,” March 2008. Retrieved from: http://www.awwa.org/
Portals/0/files/legreg/Security/SecurityRoadmap.pdf
4. Ibidem
5. Ibidem
6. See figure 2 for an example of risks within the Water Sector.
7. One way to define control: physical, operational, and technical. Depending on the nature of
the control, it could be detective, preventive, or corrective.
8. This figure provides an overview of risks faced in the Water Sector in general. However, many
of those risks do apply to securing ICS efforts, and will prove valuable to understand where risks
related to ICS fit in an enterprise risk profile.
Gotta sue ‘em all!
1. ISACA Glossary of Terms. Retrieved from: https://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf
2. In Wyoming, a 19-year-old woman, Shayla Wiggins, found a body while out searching for Pokemon. Wiggins found the man lying face down in the Wind River while she was looking specifically for water Pokemon. Read more at: http://lawnewz.com/high-profile/string-of-crime-linked-to-pokemon-go-phone-game/
3. Guarino, B. “Pokémon Go craze sweeps nation: Players find monsters — and injuries, robberies and worse,” in The Washington Post, July 11, 2016. Retrieved from: https://www.washingtonpost.com/news/morning-mix/wp/2016/07/11/pokemon-go-craze-sweeps-nation-players-find-monsters-and-injuries-robberies-and-worse/
4. Rubino, K. “Pokemon Go Could Kill You, Warns Law Professor,” in Above the Law, July 18, 2016. Retrieved from: http://abovethelaw.com/2016/07/pokemon-go-could-kill-you-warns-law-professor/?rf=1
5. RT (Question more), August 17, 2016. Retrieved from: https://www.rt.com/usa/356204-pokemon-go-away-homeowners-sue/
6. Ha-Redeye, O. “Preserving Your Legal Rights Against Pokemon Go,” in Slaw CA, July 17, 2016. Retrieved from: http://www.slaw.ca/2016/07/17/preserving-your-legal-rights-against-pokemon-go/
7. Schlossberg, J. & Gavejian, J. “Next Stop for Pokemon Go: Regulation & Litigation?,” in Jackson Lewis, August 1, 2016. Retrieved from: http://www.jacksonlewis.com/publication/next-stop-pok-mon-go-regulation-litigation
8. Ibidem
9. Gouriet v Union of Post Office Workers and Others [1977] CA
ISACA UW

ISACA UW Handbook 2016

  • 2.
    Information Security &Risk Managment Handbook 2016 ABOUT ISACA UW Such is the growth that the digital world has experienced during the last few years that diverse global institutions have even declared connectivity as a basic right. Access to the web and its services allows individuals to become part of the so-called knowledge society, providing them with equal opportunities to enter the labor market, receive quality education and broadly share their ideas. In a world where information technologies have become basic to fulfill many of our daily tasks, there is no doubt that these new tools are great mechanisms for fostering economic growth, promoting better equality and expanding our horizons. Nevertheless, all of these benefits are currently at risk. At the same time that the web and its adoption in our daily lives continues to grow, there are increasing threats that continue to turn the digital world into an unsafe location where it is necessary to keep a high guard. At this point, the field of information security is gaining each time more importance as a counter measure to prevent our data from being stolen, modified, deleted or misused. The ideal of an internet that truly promotes free speech, exchange of ideas and more opportunities for everyone will never be real unless stronger efforts are placed into securing our networks. This is precisely the context in which the ISACA UW student chapter was born. Coming from the University of Washington Information School - one of the pioneer institutions that has for many years promoted the study of the relationship between information, technology and people – the members of the team are mostly concerned with raising awareness about the importance of Information Security and Risk Management. The new chapter will provide opportunities for students to learn more about information security, get involved with professionals and gain hands-on experience. 
By this means, ISACA UW expects to increase students’ engagement in the field, thus attracting diverse workforce with different backgrounds to collaborate for solving one of the most complex contemporary challenges: keeping our networks safe. For more information, visit ISACA UW Webpage or follow our social media channels: ISACA Sudent Group UW Chapter and @ISACA_UW   ISACA UW
  • 3.
    Information Security &Risk Managment Handbook 2016 General Editor Copy Editors Designer Columnists Infographics Design Support Daniel Kapellmann Zafra Beth Levin Ian Durra Jamie Heeyun Byun Colin Andrade Pamela Chakrabarty Andy Herman Daniel Kapellmann Divya Kothari Jay Liu BK Sarthak Das Julieta Sánchez Estefania Leyva ISACA UW CREDITS Special thanks to: UW Faculty Member, Annie Searle, for providing ISACA UW with continuous guidance since the beginning of the project. The faculty of the University of Washington Information School and ISACA International for supporting ISACA UW Student Chapter to attract students to the engaging field of Information Security and Risk Management. Our peers for their engagement and participation in ISACA UW activities. Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) You are free to share and adapt upon the material. As long as you provide appropriate attribution or credit, provide a link to the license, and indicate if changes were made. You may do so in a reasonable manner, but not in any way that suggests the licensor endorses you or your use. You may not use the material for commercial purposes. You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. For more information visit https://creativecommons.org/licenses/by-nc/4.0/
  • 4.
    ISACA HANDBOOK 2016 THEECONOMICS OF CYBERCRIME 6 9FITTING INFORMATION SECURITY IN BUSINESS 12SECURING OPERATIONS IN THE CLOUD SPACE 16IMPORTANCE OF CYBERSECURITY: UNDERSTANDING PREVENTIVE "MEDICINE" TO MAINTAIN CYBER HEALTH 19MODERN CYBERSECURITY FROM A GLOBAL PERSPECTIVE 23CYBERSECURITY & RISK MANAGEMENT CHALLENGES IN WATER AND WASTEWATER UTILITIES 27GOTTA SUE ‘EM ALL! TABLE OF CONTENTS ISACA UW By Colin Andrade By Pamela Chakrabarty By BK Sarthak Das By Divya Kothari By Andy Herman By Jay Liu By Daniel Kapellmann
  • 5.
    Information Security &Risk Managment Handbook 2016 PRESIDENT’S LETTER   ISACA UW Dear ISACA Student Group Members, Welcome to the ISACA Student Handbook to commemorate the 2016 National Cybersecurity Awareness Month. Through a series of documents and short publications, ISACA University of Washington Chapter aims to provide students an opportunity to share their views related to information security and access valuable resources to continue to expand on their passion and interest in information security and risk management. Our quarterly contents will cover topics written by the students at the University of Washington undergraduate and graduate programs. They will be available online through our website and social media. The ISACA Student Group was established in the University of Washington in April 2016. Although we are a young organization, our membership has already reached 150+ members before the start of the Fall Quarter of 2016. Our leadership team is very humbled by the sudden growth and interest by the students and recognize that information security is a subject that is continuing to generate interest to lots of students. Furthermore, to meet the increasing demands of our active members, the leadership team will continue to plan regular events for the upcoming academic year over a wide range of information security and risk management topics. We have a lot of exciting events with high profile professionals in the information security field that will be joining the student group to hold panels and networking opportunities for our members. Throughout the next year, our team’s main efforts will be directed to: networking and growth. We hope to encourage our student members to network with professionals in the information security field and advance in their careers as they learn more about the challenges of information security. I sincerely hope that you find this handbook interesting and that it will help us express our passion in information security. 
If you would like to contribute to ISACA University of Washington Chapter via you articles or as a member, please send us an email with your questions to isacauw@uw.edu. Respectfully, Andy Herman Founder/ President, ISACA Student Group University of Washington Chapter
  • 7.
    6ISACA UW Information Security& Risk Managment Handbook 2016 The Economics of Cybercrime By Colin Andrade Source: World Bank, CSIS/McAfee, Allianz Global Cost of Cybercrime 6ISACA UW Information Security & Risk Managment Handbook 2016 The Economics of Cybercrime By Colin Andrade Source: World Bank, CSIS/McAfee, Allianz Global Cost of Cybercrime 4 5 1 2 As the modern world increasingly gets measured in bits and bytes, the opportunity to take advantage of this new order grows alongside. Technological innovation continues to expand at unfathomable rates thanks to the exponential growth of processing power in accordance with Moore’s Law. This advancement provides humans access to data, information, and worldly knowledge in a way our ancestors could not possibly have imagined. Not all of this innovation is positive however. With all of the amazing and potentially life changing opportunities available, this new norm may bring, for both consumers and corporations, more sinister repercussions in the form of those willing to use technology for bad deeds. Cybercrime is not a new phenomenon, but it continues to grow rapidly across the globe. The basis for cybercrime actually began in the hacking of computerized telephone systems by individuals who called themselves “phreakers”. Less than two decades later, an entire cohort of digital youth began infiltrating early versions of the internet.
  • 8.
    7ISACA UW Information Security& Risk Managment Handbook 2016 7 6 4 Fast forward to the 21st century and we see well over 1.5 million cyberattacks every year on businesses and individuals according to IBM and the Ponemon Institute. The World Bank and McAfee have estimated that cybercrime costs the global economy roughly $445 billion per year. Cybercrime has far surpassed physical crime in frequency and cost to society despite an estimated 80% of cybercrimes failing to be reported. It allows for criminals to make a large impact without putting themselves in harm’s way. Historically, criminals robbing a bank would have a handful of chances in their lifetime to break into a physical vault, all while running the risk of authorities with weapons being called to the scene. Cybercrime now allows criminals to instigate thousands of attacks on thousands of potential victims all from the relative comfort of their homes. Cybercriminals are no longer operating out of basements or targeting second-tier corporations either. In the modern version of cybercrime, there exist well-funded and organized criminal organizations that focus their efforts on Fortune 500 companies. In a recent survey of their global clients, the consulting firm PwC found that 18% of respondents had dealt with a cyberattack in 2015 and cybercrime in general had become the 2nd most reported (up from 4th in 2014) type of economic crime for these organizations. The same survey found that approximately 50 organizations had suffered losses of at least $5 million, and nearly a third of those respondents had lost over $100 million due to cybercrime. It isn’t simply stolen money with which these organizations must contend. Much of the cost from cybercrime comes from legal and reputational loss. Breaches at large organizations, such as Target and Sony Pictures, resulted in irreparable damages to the brands both companies worked hard to curate over the years. 
In both cases, the results of the cyberattacks included C-level executives losing their jobs, public embarrassment, and loss of revenue. At Target, customer retention was harder to maintain as loyal shoppers worried that more credit card data (beyond the 40 million credit card numbers already taken) would be stolen by hackers. In Sony’s case, multiple big name actors and actresses refused to work with the studio due to leaked employee emails, financial documents, and medical information. They were also forced to cancel the theatrical release of an expensive and widely promoted movie (The Dictator). 8 3
  • 9.
    8ISACA UW Information Security& Risk Managment Handbook 2016 Cybercrime will only continue to grow as more and more aspects of our day-to-day lives become digitized. Wearable technologies, the Internet of Things, and the consumer’s growing virtual presence via social media (both at home and at work) will only increase the opportunities for malicious cyber actors to take advantage of poorly protected technology and data. With increased digitization will inevitably come increased financial loss. Criminals will continue to take advantage of the relative comfort of cybercrime until we find a way to accurately and efficiently shut them down. Unfortunately for the good guys, cyber criminals tend to be one, two, or even five steps ahead of law enforcement, and we are a long way from mitigating the substantial economic impact of cybercrime.
  • 10.
    9ISACA UW Information Security& Risk Managment Handbook 2016 1 Fitting Information Security in Business By BK Sarthak Das When the words “information security” are placed together, people usually think about fancy technology concepts such as stateful packet inspection, firewalls, threat intelligence, and so on. However, if we break it down to the simplest dictionary meaning, information security basically means: “to keep the information secure”. If you put all your information on a stone tablet and bury it somewhere in the Sahara, then it is definitely secure. Unfortunately, businesses cannot function with such unreasonable security standards. They have to keep their information confidential, reliable and available while taking care of their profit margins. It is important to consider that these tools come at a hefty price. If a company wants to utilize them, it is necessary to make an investment and keep some budget aside for their implementation and operation. In fact, considering no two businesses are exactly the same, adapting processes to security tools requires businesses to either hire external consultants or knowledgeable employees that are able to configure them. In other words, security tools imply two layers of investment: 1. buying the applications or hardware and 2. hiring or training highly skilled personnel. For this reason, businesses need a strategy for their investment decisions on information security. According to a recent study by the Ponemon Institute, the cost of data breaches has increased by 23% over the last 2 years further strengthening the need for an efficient business thought process towards information security. As more and more businesses are relying on the latest technologies to make their portfolios stand out in the market, they are also (consciously or unconsciously) increasing their attack surface and thus becoming more vulnerable. 
Cybercriminals continue to target firms to achieve monetary gain, thus driving companies to quantify the losses and explore how different security measures can mitigate the risks of being affected by cyberattacks. Cybersecurity requires constant monitoring of business operations to generate baselines that allow companies to make comparisons and find any deviations that are vulnerable to, or have already generated, security incidents. Furthermore, methods such as the Annual Loss Expectancy and Annual Rate of Occurrence may also be used to estimate possible losses and quantify the impacts of breaches. Keeping track of this information is useful for measuring the impact of any implemented controls and gauge the effectiveness of efforts to protect systems and information.
  • 11.
    10ISACA UW Information Security& Risk Managment Handbook 2016 2 This type of monitoring is certainly necessary to make sure that organizations obtain a return on their security investments. Another relevant measurement criterion is the likelihood of events. The implementation of methods such as the Monte Carlo simulation allow companies to better follow up on the effectiveness of their controls by knowing how likely it is that an incident will happen in a given period of time. Depending on the nature of the company, other metrics can include the number of bugs in their applications or the number of code rework tickets. Associating the security numbers with different business endeavors provides a reason for stakeholders to consider the implementation of potential solutions and make educated decisions around it. This is of great relevance considering that business decisions always have a level of risk and it is up to the decision makers to embrace or avoid the potential consequences. In the field of IT, it is also imperative to implement a strong risk management strategy to maintain a robust security program. In the world of risk management, three elements are always kept in sync to provide the most holistic solution – people, processes and technology: - The people of the organization should be trained to think about security as part of their daily operations. The right talent with the right attitude to integrate security into the business operations and strategy will help in decision making. 3D Data Security – Picture by www.ccPixs.com3D Data Security – Picture by www.ccPixs.com
  • 12.
    11ISACA UW Information Security& Risk Managment Handbook 2016 - Processes need to be in place to check the integrity and accountability of actions being carried out in and around the business. For example, if an employee accidentally deletes a database entry, is there a process to approve changes? - Technology acts as the augmenting factor between people and processes to make management more efficient. Technology can act as an aid by having automated integrity checks or change management tools to keep track of such human errors. Once these three elements are identified and maintained diligently, the organization’s information assets will be safer and the business will be most likely to function smoothly. The most important part for information security is to provide concise numbers that show how investment in controls will ultimately benefit the firm. When a security project or action is presented to decision makers, it should include clear data that informs them about the return on investment. If the data points for the numbers are not available, then the first step should be (as mentioned earlier) to define a baseline. Security, just like business is a cyclic process, so learning from history and the external environment is what provides improvement in the next iterations. The growing threats towards companies and their data cannot be avoided any longer and have to be taken seriously. Although it is easier said than done, success can be achieved only through adapting information security as part of the main business procedures and culture. The more synergized they both are, the better the outcome will be. It is also important to mention that the methods mentioned above are not the only ways to measure metrics, but it is a start. The advent of data mining and data science opens new doors to automated collection and analysis of data that may potentially lead to more complex security tools during the next few years. 
However, it is important to not to lose the main business goals in the glitz and glamor of newer technologies. Be aware that if certain security controls represent barriers for the growth of the business, it will drive stakeholder investments away and mean an untimely end to your InfoSec adventure. Thus, all information security efforts should be aligned to the main organizational goals and help stakeholders in the process.
  • 13.
    12 Information Security &Risk Managment Handbook 2016 Securing Operations in the Cloud Space By Pamela Chakrabarty 1 Managing cyber risks is not only a good practice for organizations, but also an essential aspect of enabling optimal business performance. With cloud computing gaining relevance as a game- changing innovation, firms are increasingly adapting their operational procedures to fit into the cloud space. According to information from the Global State of Information Security PwC in 2016, about 60% of organizations across all industries are resorting to cloud solutions due to their flexibility, stability and diverse benefits. The cloud enables enterprises to function with greater agility, scalability, reduced IT costs and allows high-bandwidth connectivity across global data centers. However, many organizations express security concerns when deciding to adopt cloud services. Some examples are the potential loss of highly sensitive business and customer information as well as data security and availability in case of a disaster. In other words, placing sensitive data in the hands of external cloud service providers is still perceived as a dangerous practice that could lead to compromising control, access and security of information assets. The question is, how can enterprises harness the power of cloud while implementing a balance between security investment and effectiveness, such that it outweighs the risks and leverages the benefits of adopting this type of solution? In order to address this challenge, organizations must perform thorough analyses on cloud technologies before adopting them. This exercise will allow companies to pick the cloud model that best suits their business and security needs. There are primarily three different cloud service models and four cloud deployment models that should be considered: ISACA UW
  • 14.
    Information Security &Risk Managment Handbook 2016 13 Each type of service and deployment model brings its own risks and benefits and different combinations will be useful depending on the needs of the organization. For example, smaller organizations with non-mature security programs may utilize cloud services from established vendors to keep their information safer. However, companies storing sensitive information (such as the case of utilities) may not be able to do this unless several compliance and security requirements are met by both parties. It is possible to infer that there is no one-size-fits-all approach for addressing every threat and the final solution has to be designed based on the business needs. For this to happen, it is suggested that a risk-assessment is performed in order to provide the best solution. As a first step, organizations should perform a risk-assessment that provides (a) a clear understanding of the organization’s risk tolerance and appetite and (b) a solid analysis of business needs. Developing a good idea of the cloud usage environment as well as the associated risks, threats and vulnerabilities will no doubt enhance the decision of a company when selecting to utilize cloud services. Understanding controls to enforce security in Cloud A security control is a “technical or administrative safeguard or countermeasure to avoid, counteract or minimize loss of unavailability due to threats acting on their matching vulnerability, i.e., security risk” (Security Laboratory, SANS Technology Institute) to an organization’s assets. In the case of cloud services, security controls must be integrated in the existing IT environment of both provider and user organizations. Areas to consider while enabling security controls are: 2 ISACA UW
  • 15.
    Information Security &Risk Managment Handbook 2016 ISACA UW 14 4 3 It is important both for cloud users and providers to adopt security controls that satisfy the needs of both parties, otherwise several problems may arise. For instance, in the case of regulatory controls or data privacy, non-compliance with a particular law could lead to significant fines and compromised data. In a similar way, a lack of adequate disaster recovery actions could lead to organizations losing valuable information due to lack of availability. Cloud Security Frameworks and Industry Designed Resources In order to promote more secure cloud practices, several security frameworks and industry designed resources are available to guide organizations. For example, ISO 27000 is a broad information security standard, published by the International Standard of Organization (ISO) that can be applied to companies of different sizes and types. It comprises of ISO 27001, which is a list of requirements to consider for organizations intending to establish an Information Security program and the ISO 27002, which defines the operational requirements of a security program. Another popular framework is the NIST Special Publications 800 series, published by the U.S. National Institute of Standards and Technology.
  • 16.
    Information Security &Risk Managment Handbook 2016 15 Although it is targeted towards federal information systems, it is a great framework that could be incorporated into an organization’s security program as it defines security controls as part of a risk assessment program, covering 17 key areas that include access controls, incident response, and disaster recovery. Planned Security Management A planned approach to managing security can enable organizations to perform optimally without disrupting the business continuity. A 2016 PwC survey report showed that 59% of businesses adopting cloud services reported to have enhanced their information security program recently. This means that they are both aware of benefits and risks of the cloud, and have decided to align risks, strategies and performance to enhance their productivity. It is necessary to remember that managing and securing information assets is a business responsibility. It should be in the best interest of organizations’ leaders to work closely with their IT and security teams to identify relevant data and applications that should or should not be moved to the cloud space. By utilizing existent frameworks and adapting them to their organizations, businesses can design solutions and controls that clearly support their growth either through internal resources or external cloud support. Global Cloud - Global Cyber Security – Pictre by www.bluecoat.com 5 ISACA UW
  • 17.
    Information Security &Risk Managment Handbook 2016 Importance of Cybersecurity: Understanding Preventive “Medicine” to Maintain Cyber Health By Andy Herman 16 Merrill College of Journalism Press Releases’s Photostream - CC BY-NC 2.0 Take a moment to think about all of the information that surrounds you. From the moment you open your eyes to squint at the bright LED display on your iPhone, to when you shuffle home after a long day at work, millions and millions of bytes of data about you are constantly being shared. With so much information readily available, it is possible for malicious hackers to gather and sell that information. Imagine the information you put into a "secure" site being accessed without your knowledge. Naturally, you would feel betrayed because there is a subconscious trust that is established between you and the site that you shared your information with. That feeling of betrayal is the reason why organizations need to keep cybersecurity at the top of their agenda. Cyber security is important in order to maintain the trust between consumers and organizations, while demonstrating that organizations understand that privacy of data is important. In what seems like a unique combination, healthcare and cybersecurity have some important crossovers that all information security professionals should pay attention to. The crossover between preventive measures is a lesson from healthcare that can and should be transferred to the information security profession. Preventive medicine is "a practice by all physicians to keep their patients healthy". ISACA UW 1
  • 18.
    Information Security &Risk Managment Handbook 2016 18ISACA UW 6 5 4 3 2 healthy". Common "best practice" for preventive medicine includes developing awareness and maintaining proper hygiene. Moreover, it can stop diseases before they become an issue. Similar to the maintenance of health, the maintenance of "cyber health" for organizations is critically important. Proper security hygiene is especially significant because just like when people get a virus, "infected devices have a way of infecting other devices and compromised systems can make everyone vulnerable". Proper risk management in organizations should always begin with preventive measures. Business leaders should use preventive medicine in healthcare as a model to demonstrate the necessity of preventive cybersecurity measures in businesses as an important investment. There is so much in common between preventive medicine in healthcare and preventive measures in cybersecurity in both good and bad ways. First of all, there is often the false perception that preventive measures cost more than the treatment itself. A report from the New England Journal of Medicine stated that "sweeping statements about the cost-saving potential of prevention, are overarching". Most notably, there is the notion that screening costs for illnesses that are only present in a small percentage of the population will only increase overall healthcare costs. In cybersecurity, this fear of preventative costs may be true as well. The cost of establishing, implementing, and maintaining a cybersecurity framework is a continuous operational expense. There are still business- minded CEO's who would be willing to invest that money in business development and would prefer to deal with the after-effects of data breaches as they arise. 
However, the report in the New England Journal of Medicine further stated that "researchers have found that although high-technology treatments for existing conditions can be expensive, such measures may, in certain circumstances, also represent efficient use of resources". Adequate resource spending and use of resources should become the focal points for organizations contemplating whether or not they should invest in a cybersecurity program. "Cyber health" should become a new measure of an organization’s preparedness for threats. With efficient use of resources (i.e. investment in a proper cybersecurity framework), organizations will have the opportunity to keep pace with and prepare for the continuously changing cyber threat environment. Incorporating best practice frameworks and controls to not only prepare for attacks but also to identify any vulnerabilities that are happening, will be a continuously important topic in business. 7
Modern Cybersecurity from a Global Perspective
By Daniel Kapellmann

The growing adoption and relevance of information technologies worldwide has turned signals intelligence into a vital asset for states, given the potential threats to both organizations and citizens. In 2007, the world saw the first publicly known political cyberattack targeting a government. A group of Russian hackers launched a Distributed Denial of Service (DDoS) attack against a diverse range of Estonian organizations, disabling the websites of the National Parliament, banks, ministries, police and fire departments for hours.

Image retrieved from Pixabay - CC0 Public Domain

A Dangerous Landscape

What is known today as Information Security has its origins in the Second World War, when the first long-distance communication systems were widely adopted to share information from one place to another. Given that the technology used in the early 1940s did not allow signals to be transferred securely, the first popular mechanism for encrypting information was created by the German government under the Enigma Project. A couple of years later, British intelligence deciphered the code, gaining the ability to intercept the German army's secret communications and giving birth to the military concept of Signals Intelligence [1]. In 1946, after the end of the war and in a context of distrust among nations, the United States of America and the United Kingdom signed the UKUSA agreement to share capabilities for signals interception [2]. However, thanks to more recent technological innovations, advanced information systems have become democratized and available to most of the population. Today, society depends on information technologies to oversee international finances, flights from airports, the operation of critical infrastructure, transportation, the operation of healthcare devices and many other things [3].

As explained by Toomas Hendrik Ilves, Estonia's former President: “In a modern digitalized world it is possible to paralyze a country without attacking its defenses, the country may fall in ruins with just stopping its SCADA systems. To generate an economic crisis you can erase its banking records and the most sophisticated military technology can be irrelevant. In cyberspace, no country is an island.” [4] This argument states two of the main dangers that cybercrime represents for nation states: economic and physical damage.

First, cybercrime and espionage place an enormous economic burden on organizations and governments worldwide. According to McAfee's “Estimating the Global Cost of Cybercrime” report, each year the global economy loses more than $400 billion to cybercrime and cyberespionage [5]. Second, cyberattacks may lead to physical damage when targeting, for example, critical infrastructure and utilities. In 2010 the Stuxnet virus – allegedly created by the US and Israeli governments – damaged Iranian nuclear facilities and halted their program for years. Furthermore, in December 2015 the BlackEnergy malware – allegedly deployed by Russian hackers – got into the systems of a Ukrainian energy provider and left more than 200,000 customers without service [6]. Further attacks may lead to scenarios that include sabotaging nuclear facilities, damaging electric utilities and other critical infrastructure. Given the lack of geopolitical boundaries in networks, and the difficulty of both locating criminals and enforcing regulation against them, cyberattacks against governments will continue to rise in the upcoming years. New mechanisms need to be put in place to protect national infrastructure not only from rival states, but also from criminal organizations and individuals who are now able to initiate cybercrime from a keyboard.

Geopolitics and Cybersecurity

For more than 10 years, different attempts have been made to homogenize cybersecurity regulation among countries and negotiate the consolidation of a safer internet. In 2004 the Budapest Convention on Cybercrime obtained the signatures of 37 countries (including Japan and the USA) committing to standardize regulation against cyberattacks [7]. In 2011 China and Russia promoted a Code of Conduct for Information Security, under which countries agreed to direct their ICT efforts towards economic development while respecting the basic UN principles of cooperation and peaceful dispute resolution [8]. The international community again discussed strategies for information security during the 2013 World Summit on the Information Society (WSIS) organized by the International Telecommunication Union [9]. The most recent attempt to change the global security scenario is currently happening in the European Union, where a new Network and Information Security Directive was approved in May 2016, following the consolidation of a specialized authority to take care of the issue.

However, in spite of the numerous collaboration attempts to build mutual confidence and support, few tangible results have been achieved while the number of attacks and breaches keeps increasing. In 2014, the Sony Hack that stopped Sony Entertainment from releasing the movie “The Interview” got attention not only from the international press but also from the highest government authorities. After tracing the attack back to North Korea, the U.S. government imposed a new set of economic sanctions in retaliation. This particular case showed the global community the deep interdependence that currently exists between governments and organizations in protecting against cyberattacks. However, the Sony Hack was just a sample of what is really going on behind the eyes of the public. Cyberattacks between countries and different criminal organizations are common nowadays, even though there are no clear mechanisms to stop them. Some examples of this are the constant confrontations and distrust between the USA and China, or Russia's aggressive cyber strategy targeting countries such as Finland and Sweden that seem prone to join the North Atlantic Treaty Organization [10]. Even well-known software security companies such as Russia's Kaspersky and the US's FireEye have become controversial players in the geopolitical sphere and are currently challenged to demonstrate that they do not favor any country over another [11].

Painting a general picture of the complex geopolitical landscape that exists today due to the growing number of cyber threats would require a longer text. However, it is clear that with the increasing adoption of information technologies, keeping a secure cyberspace will become more important each day if countries are to keep their citizens safe. As the world keeps experiencing a decrease in geographical barriers, and markets become more interrelated, it will be necessary for states to adopt multi-stakeholder regulation schemes that protect their information assets with the collaboration of private organizations and individuals. Only an integrated approach that adapts to the continuous patterns of innovation will help governments prepare for the coming threats, thus preventing numerous economic, financial and social dangers that will most likely keep escalating during the next few years.
Cybersecurity & Risk Management Challenges in Water and Wastewater Utilities
By Jay Liu

Water and wastewater systems are made up of networks of pipelines, roads, conduits and facilities that rely on each other to deliver water to the public [1]. Due to the relevance of this basic resource for daily use and economic development, national adversaries are prone to target water systems for personal or political gain. For this reason, it is critical to operate water systems in a secure manner through multi-layered security programs that protect this critical infrastructure from emerging cyber threats. In this article the main challenges of the Water and Wastewater Systems Sector (WWS) are discussed, followed by the recommendation of a high-level strategy to manage the security and risks of the Industrial Control Systems (ICS) involved [2].

Cybersecurity Challenges in Water Sector ICS [3]:

Design. Since the system is designed for maximum functionality, not for security, it is difficult to keep information assets entirely secure. Limited computing resources have prevented these control systems from performing additional security functions. In fact, attackers can find open source tools on the internet to disrupt ICS. This raises concerns about the storage of sensitive information such as vulnerability assessments, site security plans, incident response plans, and water system and asset specifications.

More open environment. The movement to standardize interoperability, architectures and software packages by using commercial technologies has increased system accessibility for internal and external personnel.

Increased connectivity. Connectivity between enterprise networks and ICS relying on a common operating system and the Internet has created new vulnerabilities, due to the lack of concurrent improvement in ICS security features.

System complexity and access control. The demand for real-time business information has increased system complexity. More users are granted access to ICS while business and control systems are increasingly interconnected. The degree of interdependency among infrastructure has increased, but IT and business staff are still falling behind in meeting these new challenges.

Limited number of manufacturers in the water sector. This creates a single point of failure. Any disruption to the supply chain could limit the WWS sector's coordination with software, hardware and ICS vendors in response to emergency situations.

Recommended Cybersecurity & Risk Management Practices:

A sound information security and risk management strategy should align with the organization's strategy and business objectives. Existing security measures that ensure the availability of safe drinking water, wastewater treatment plants, and the delivery of water services should be carefully implemented. In addition to current practices in securing the WWS sector, a comprehensive security and risk management plan should be outlined to address the challenges faced by Water Sector ICS and decrease the potential impact of successful incidents. Based on ICS security recommendations from the American Water Works Association, a modified framework with four key goals is suggested:

Figure 1. ICS suggested security framework

As shown in the diagram, the suggested security framework consists of four main steps. First an ICS Security Program is developed; then an ICS risk assessment takes place as part of the overall enterprise risk management program. As a third step, risk mitigation takes place, and finally a process of outreach and continual improvement keeps the program updated and dynamic based on the organization's present needs and capabilities. Each phase is explained in more detail below:

1. Develop an ICS Security Program:
a. Executives in the Water Sector should recognize ICS as a mission-critical asset.
b. Establish a cross-functional ICS Security team that involves IT, engineers, manufacturers, security experts, and business partners. It should work collaboratively to reduce vulnerabilities, and establish policies that address changes in operations, technology, standards and regulations, and the external threat environment.
2. Risk Assessment [6]:
a. Assess and update the inventory of critical information assets.
b. Evaluate the effectiveness of current controls [7].
c. Prioritize controls based on the consequence of each risk and the organization's risk appetite.
3. Risk Mitigation:
a. Apply appropriate controls to new vulnerabilities, such as the risk of network failure, by adding redundant components.
b. Develop cost-effective security solutions for legacy systems, new architecture designs, and secured communication networks.
c. Implement on-boarding and off-boarding processes for internal staff and third-party vendors.
d. Promote security awareness training programs that focus on ICS.
4. Outreach and Continual Improvement:
a. Encourage close collaboration with stakeholders in the public and private sectors.
b. Develop an information sharing program with other critical infrastructure stakeholders.
c. Regularly assess security control effectiveness, for example by conducting disaster drills and tabletop exercises.

In conclusion, securing ICS in the Water Sector requires cross-functional and cross-sector efforts to meet the changing threat landscape. The proposed framework attempts to provide a high-level information security and risk management strategy that water services executives can leverage in their commitment to reduce the risks to critical ICS assets.
Gotta sue ‘em all!!
By Divya Kothari

With Information Security becoming ever more vital with each passing day, it is pertinent to keep yourself abreast of the latest security developments irrespective of your past expertise or existing knowledge base. In fact, you would be surprised by how different sciences can blend in with the field of security. As a law school graduate, let me share how the realm of jurisprudence, despite being connected with all walks of life, is especially significant in the world of information and cyber security.

Information Security ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability) [1]. And what we use to ensure this takes the flavor of law. It may be in the form of industry standards (e.g. PCI DSS), enforceable compliance (e.g. GLBA), or a hybrid of the two (e.g. HIPAA). The fact remains that you need a formalized structure to regulate systems and processes, which is where legal knowledge steps in.

Let's take the example of Pokémon Go. Since its release in July 2016, this augmented reality game has become a worldwide phenomenon. If you were a victim of falling down this rabbit hole, the symptoms surely included eyes glued to your phone, distracted walks, constant upward finger flicks and screen tapping, frustration at not being able to catch that Diglett peeking out of the toilet, or even accidentally discovering dead bodies [2]! In a nutshell, “unlike the original Nintendo series and most video games, Pokémon Go requires physical exploration…The combined effect is part bird-watching, part geocaching, part trophy hunting, with a heavy dose of mid-1990s nostalgia.” [3] And naturally several lawsuits.

At another extreme, Gerry Beyer, Professor of Law at Texas Tech University, warns that “death by Pokémon is coming…Pokémon users will have all sorts of accidents as they use the program while walking, biking, driving, etc…” With Niantic assigning private property as Pokestops and Gyms, there have been several class action lawsuits claiming nuisance and a share of the profits, among other things. Another controversial aspect is embedded within their Terms of Service: “In order to opt out [of the arbitration clause] users must send an email within 30 days of their agreement to the terms, with “Arbitration Opt-out Notice” in the subject line. Failure to do so “…will be deemed to have knowingly and intentionally waived your right to litigate…”

iPhone Digital - CC BY-SA 2.0

However, circling back from other aspects of security, let's look at the grave cyber security issue at hand. While traversing this space keep in mind that security and privacy go hand in hand. When the game was initially launched, using it was equivalent to granting full access to the individual's Google account. This meant access to email, pictures, documents and any other data associated with the login, as well as data stored on the player's smartphone including camera and location data, which is the usual trend seen with other apps. Once made aware of this situation, Niantic resolved the issue by reducing access to the person's basic Google account profile information. Needless to say, Niantic does not explain why, how and from where it collects all this information. The Company's Privacy Policy makes it clear that it will store location information along with other resources shared by the user in the App without any limit on the period of retention of this data. In addition, Niantic grants itself a “nonexclusive, perpetual, irrevocable, transferable, sub licensable, worldwide, royalty-free license to ‘User Content’”, with the terms neither defining what ‘User Content’ is or comprises, nor the different external parties it may be shared with. On the contrary, it deems personally identifiable information to be a business asset!

This precisely opens up a new challenge for today's technologists and law professionals: where does reality merge with cyberspace and where do our laws stand? For instance, does trespassing in the real world apply to augmented reality? Do we have regulations that may normalize these situations? And can cases like these even be reasonably foreseen?

I would like to end this article with a quote by Lord Denning: “Be you ever so high, the law is above you.” However, with law having to constantly play catch-up with technology, the exactness of Lord Denning's statement seems dubious. For now let us stick to the “spirit of the law” instead of the “letter of the law”, agreeing to place it above us for all times to come.
Final Editor's Note

The most amazing characteristic of the Information Security field is that it requires multidisciplinary professionals who dare to learn skills from different fields and find efficient ways to protect organizations from evolving and dynamic threats. It is a discipline that requires passion, dedication, continuing education, and lots of hands-on practice. As the adoption of ICTs continues to increase worldwide, the importance of being prepared to protect the assets that we value the most also grows. Information today is no longer a privilege, but rather a need. It is a force that drives countries, industries, communities and even people's most basic interactions.

Taking this into consideration, we presented to you the first ISACA UW Student Chapter Handbook 2016, which showed a broad picture of some of the disciplines that are related to Information Security. We expect that these texts will be useful to attract more students to the field and share our passion from different perspectives. Of course, we did not present a full assessment; that would take much more time and a longer document with specialists from many different disciplines. However, we believe this will serve to build a strong basis for new ISACA UW students who will continue our efforts into the future.

To conclude, I would like to thank all the students who made this publication possible as well as the professors and professionals who have supported our organization since its origins. We hope that you found this material interesting, and we look forward to your feedback, which will guide the selection of information security content in our future publications.

Sincerely,
Daniel Kapellmann
Editor in Chief - ISACA Student Group University of Washington Chapter

Daniel Kapellmann, Editor-in-Chief. Daniel Kapellmann is an Information Management graduate student at the University of Washington, specializing in Information Security. He currently works as a remote consultant for the International Telecommunication Union.
MEET OUR TEAM!

Andy Herman is the Founder and President of the ISACA Student Group. He completed his undergraduate studies at the University of Washington with a Bachelor's Degree in Microbiology. Prior to attending the iSchool, Andy attended medical school, where he developed his interest in healthcare cybersecurity. Andy is currently pursuing specializations in Information Management and Consulting & Information Security. Andy's interests outside of school include playing musical instruments, football, boxing, and travelling.

Daniel Kapellmann is Chief Editor for the ISACA Student Group. He holds a Bachelor's Degree in International Affairs from ITAM University in Mexico City and is an Information Management graduate student at the University of Washington specializing in Information Security & Business Intelligence (Fulbright and Conacyt scholarships). He also works as a consultant in Digital Inclusion for the International Telecommunication Union (ITU). His journalistic articles have been published in several international media channels including Deutsche Welle, LSE Blog, World Policy, OECD Insights, Bertelsmann SGI, Future Challenges and Fair Observer. Outside of school, Daniel is interested in Latin dancing, singing and traveling. @Kapellmann

Jay Liu is the Director of Public Relations of the ISACA Student Group and a second year MSIM student. Jay started his master's at the iSchool after receiving his Bachelor's degree in Linguistics at the University of Washington. Jay is active in the non-profit sector and has played several leadership roles in local non-profit organizations. He is also an advocate for civic technology. Currently he is involved with the Seattle Technology Advisory Board and Open Seattle. Jay is specializing in Information Security & Business Intelligence. Outside of school, Jay's interests include tennis and pencil sketching.

Colin Andrade is the Vice President of the ISACA Student Group and a first year MSIM student. Colin came to the UW iSchool after spending four years working for a German investment bank in Boston and New York City. Prior to starting his career, Colin received his Bachelor's Degree in History from The College of the Holy Cross in Worcester, MA. Colin is specializing in Management & Consulting as well as Information Security. Outside of school, Colin's interests include golf, basketball, and cycling.

Akshay Ajgaonkar is the Director of Special Events for the ISACA Student Group. He holds a Bachelor of Engineering Degree in Information Technology from the University of Mumbai, India and is a second year Information Management graduate student at the University of Washington specializing in Information Security, Information Consulting & Business Intelligence. He has been a national level under-15 cricketer in India. Akshay's interests outside of school and work include traveling, reading, listening to music, soccer, hiking and kayaking.

HeeYun Jamie Byun is the Director of Marketing of the ISACA Student Group. She is pursuing her degree in Informatics (HCI) or HCDE at the University of Washington as an international student from South Korea. Jamie is interested in diverse cultures and has lived in Malaysia, the United States, and South Korea. Before joining ISACA UWC, Jamie participated in KOJOBS (Korean Job searches) UWC as Director of Planning for two years. She also completed a summer UX design internship at the Indian mobile app startup True Balance, located in Seoul. Jamie's interests include baking products for her online bakery shop, rock-climbing, meditation, and travelling. Check out her personal mobile design projects at www.heeyunbyun.info!

Dawon Go is the Treasurer of the ISACA Student Group. She is pursuing her degree in Informatics (Information Security or HCI) at the University of Washington. Dawon has accumulated her experience through summer internships at Ucanfunding, Paygate and The National Assembly of the Republic of Korea. As an international student from South Korea, she also works on the public relations team of the Korean Student Union (KSU). Dawon's interests outside of school include baking, swimming, skiing, snowboarding and traveling.

Divya Kothari is the Director of Special Events for the ISACA Student Group. She holds a Law Degree from the University of Mumbai, India along with a Bachelor of Business Administration from Manipal University. She is a second year Information Management graduate student at UW, Seattle specializing in Consulting, Information Security and Business Intelligence. Divya is fascinated with different cultures, is passionate about exploring new places and loves graphic novels.

Claire Hae Won Chung is the Secretary of the ISACA Student Group. She is pursuing her degree in Informatics (Information Security or Data Science) at the University of Washington. She is also interested in business and strategy as well as information, so she participated in the Economy and Business Management Forum for STEM Majors as a team leader. She is also a leading team member in a financial engineering club. Her interests outside of school are listening to EDM, playing drums, and viewing exhibitions and artworks.

Taehyun Kwon is the Webmaster for the ISACA Student Group. He is pursuing his degree in Informatics (Cybersecurity), Data Science and Statistics at the University of Washington. He was part of the US national youth orchestra hosted by the National Association for Music Education as a violinist and participated in the 4A league of WA state competition as a pole vaulter during high school. Taehyun's interests outside of school include bouldering, top-roping, playing guitar and soccer.

Mary Tong is the Historian of the ISACA Student Group. Mary is currently a senior at the University of Washington, studying Interactive Media Design. She is interested in human-computer interaction, video production, entrepreneurship, security, storytelling, and community involvement. She has developed an affinity for understanding how users interact with and are affected by different interfaces. Her goal is to understand user challenges and create a better experience that caters to everyone. She hopes that through her storytelling craft she can showcase individuals' stories and help people be inspired, motivated and grateful.
References

The Economics of Cybercrime
1. Moore's Law is a now famous observation from Gordon Moore, co-founder of Intel, that says the number of transistors in a circuit board will double every 18 months and therefore make processing power grow exponentially every few years.
2. University Alliance. “A Brief History of Cyber Crime,” Florida Tech, 2015. Retrieved from: www.floridatechonline.com
3. CBS. “These Cybercrime Statistics Will Make You Think Twice about your Password,” CBS, 2015. Retrieved from: www.cbs.com
4. Center for Strategic and International Studies. “Net Losses: Estimating the Global Cost of Cybercrime,” Intel Security. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf?clickid=Qc92v2ySg3YiQ6rTbYxA9U%3AyUkSX%3AkXSQzYJUU0&lqmcat=Affiliate:IR:null:74047:10078:10078:null&sharedid
5. Collin, Stuart. “A Guide to Cyber Risk,” Allianz, 2015. Retrieved from: www.agcs.allianz.com
6. Burg, David. “Global Economic Crime Survey 2016,” PwC, 2016. Retrieved from: www.pwc.com
7. For more information about the details of the Target hack, access: http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
8. For more information about the details of the Sony hack, access: http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html

Fitting Information Security in Business
1. Ponemon, Larry. “Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis’”, in Security Intelligence, May 27, 2015. Retrieved from: https://securityintelligence.com/cost-of-a-data-breach-2015/
2. Palisade, Monte Carlo Simulation. Retrieved from: http://www.palisade.com/risk/monte_carlo_simulation.asp

Securing Operations in the Cloud Space
1. How Cloud Enabled Cybersecurity will transform your business. PwC. Retrieved from: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/cloud-enabled-cybersecurity.pdf
2. Navigating Security in the Cloud, PwC Advisory Services. Retrieved from: https://www.pwc.com/us/en/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf
3. Granneman, Joseph. “IT Security Frameworks and Standards: Choosing the right one,” in TechTarget. Retrieved from: http://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-standards-Choosing-the-right-one
4. ISO/IEC 27000:2014. Retrieved from: http://www.iso.org/iso/catalogue_detail?csnumber=63411
5. “NIST SP 800 series” in Network Information Security and Technology News. Retrieved from: http://www.nist.org/nist_plugins/content/content.php?cat.17

Importance of Cybersecurity: Understanding Preventive "Medicine" to Maintain Cyber Health
1. Herman, Andy. “Importance of Cybersecurity: Understanding Preventive “Medicine” to Maintain Cyber Health,” West Monroe, 2016.
2. ACPM. “Preventive Medicine,” in American College of Preventive Medicine, 2016.
3. WRF Staff. “Preventive Health Care Helps Everyone,” in World Research Foundation, 2016.
4. Magid, Larry. “Why Cyber Security Matters to Everyone” in Forbes, October 1, 2014.
5. Cohen, Joshua, Ph.D, Peter Neumann, Sc.D, and Milton Weinstein, Ph.D. “Does Preventive Care Save Money? Health Economics and the Presidential Candidates” in New England Journal of Medicine, February 14, 2008.
6. Op. Cit. Cohen, 2008.
7. Op. Cit. Herman, 2016.

Modern Cybersecurity from a Global Perspective
1. Andrew Lycett. “Breaking Germany's Enigma Code,” in BBC History, 17 February 2001. Retrieved from: http://www.bbc.co.uk/history/worldwars/wwtwo/enigma_01.shtml
2. Thomas R. Johnson. “American Cryptology During the Cold War, 1945-1989,” in United States Cryptologic History, Series VI, Vol. 5, Center for Cryptologic History, 1995, pp. 101-112.
3. Toomas Hendrik Ilves. “Cybersecurity: a view from the front,” in Co:llaboratory Discussion Paper Series, Berlin-Bali, October 2013, no. 1, vol. 6, pp. 14-15. Retrieved from: http://en.collaboratory.de/images/b/bb/Mind_06berlin.pdf
4. Ibidem.
5. Center for Strategic and International Studies. “Net Losses: Estimating the Global Cost of Cybercrime,” Intel Security. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf?clickid=Qc92v2ySg3YiQ6rTbYxA9U%3AyUkSX%3AkXSQzYJUU0&lqmcat=Affiliate:IR:null:74047:10078:10078:null&sharedid
6. Fox-Brewster, Thomas. “Ukraine Claims Hackers Caused Christmas Power Outage,” in Forbes, January 4, 2016. Retrieved from: http://www.forbes.com/sites/thomasbrewster/2016/01/04/ukraine-power-out-cyber-attack/#268ecf085e6f
7. European Council. “Convention on Cybercrime”, 1 July 2004. Retrieved from: http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?CL=ENG&NT=185 (Consulted: 25 January 2015).
8. Chinese Embassy. “China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations,” 13 September 2011. Retrieved from: http://nz.chineseembassy.org/eng/zgyw/t858978.htm
9. International Telecommunication Union. “Foro sobre la sociedad de la información: la ciberseguridad en la agenda mundial” [Forum on the Information Society: cybersecurity on the global agenda], Geneva, 16 May 2013. Retrieved from: http://www.itu.int/net/pressoffice/press_releases/2013/23-es.aspx#.VJGhC8BZ
10. Cuthbertson, Anthony. “Russia: 7-year cyberwar against Nato, EU and US by Kremlin-sponsored hackers The Dukes exposed” in International Business Times, September 17, 2015. Retrieved from: http://www.ibtimes.co.uk/russia-7-year-cyberwar-against-nato-eu-us-by-kremlin-sponsored-hackers-dukes-exposed-1520065
11. Menn, Joseph. “Politics intrude as cybersecurity firms hunt foreign spies,” in MSN News, 12 March 2015. Retrieved from: http://www.msn.com/en-us/news/politics/politics-intrude-as-cybersecurity-firms-hunt-foreign-spies/ar-AA9Fz2w

Cybersecurity & Risk Management Challenges in Water and Wastewater Utilities
1. Department of Homeland Security. “Water and Wastewater System Sector-Specific Plan”, 2015. Retrieved from: https://www.dhs.gov/sites/default/files/publications/nipp-ssp-water-2015-508.pdf
2. Encompasses several types of control systems used in industrial production, including supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructure.
3. Water Sector Coordinating Council Cyber Security Working Group. “Roadmap to Secure Control Systems in the Water Sector,” March 2008. Retrieved from: http://www.awwa.org/Portals/0/files/legreg/Security/SecurityRoadmap.pdf
4. Ibidem.
5. Ibidem.
6. See figure 2 for an example of risks within the Water Sector.
7. One way to define control: physical, operational, and technical. Depending on the nature of the control, it could be detective, preventive, or corrective.
8. This figure provides an overview of risks faced in the Water Sector in general. However, many of those risks do apply to securing ICS efforts, and will prove valuable to understand where risks related to ICS fit in an enterprise risk profile.

Gotta sue ‘em all!
1. ISACA Glossary of Terms. Retrieved from: https://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf
2. In Wyoming, a 19 year old woman, Shayla Wiggins, found a body while out searching for Pokémon. Wiggins found the man lying face down in the Wind River while she was looking specifically for water Pokémon. Read more at http://lawnewz.com/high-profile/string-of-crime-linked-to-pokemon-go-phone-game/
3. Guarino B., “Pokémon Go craze sweeps nation: Players find monsters — and injuries, robberies and worse,” in The Washington Post, July 11, 2016. Retrieved from: https://www.washingtonpost.com/news/morning-mix/wp/2016/07/11/pokemon-go-craze-sweeps-nation-players-find-monsters-and-injuries-robberies-and-worse/
  • 38.
    References 4. Rubino, K.,“Pokemon Go Could Kill You, Warns Law Professor,” in Above the Law, July 18, 2016. Retrieved from: http://above thelaw.com/2016/07/pokemon-go-could-kill-you-warns-law- professor/?rf=1 5. RT Question more, August 17, 2016. Retrieved from: https://www.rt.com/usa/356204- pokemon-go-away-homeowners-sue/ 6. Ha-Redeye, O., “Preserving Your Legal Rights Against Pokemon Go,” in Slaw CA, July 17, 2016. Retrieved from: http://www.slaw.ca/2016/07/17/preserving-your-legal-rights-against- pokemon-go/ 7. Schlossberg J. & Gavejian J., “Next Stop for Pokemon Go: Regulation & Litigation?,” in Jackson|Lewis, August 1, 2016. Retrieved from: http://www.jacksonlewis.com/publication/next- stop-pok-mon-go-regulation-litigation 8. Ibidem 9. Gouriet v Union of Post Office Workers and Others [1977] CA ISACA UW