@ISACA Volume 1  14 January 2015

Visit the Redesigned @ISACA and ISACA Journal Web Pages


This year, @ISACA and the ISACA Journal have a new, updated look. These user-friendly redesigns aim to increase reader engagement. @ISACA will continue its biweekly publication schedule. By reading @ISACA, you can get up-to-date industry news and tips from subject-matter experts and learn about new ISACA resources.

The ISACA Journal, in addition to having a redesigned web page and email notification, has a new publication schedule. Online-exclusive Journal articles are now released biweekly on Wednesdays, instead of the previous bimonthly publication schedule. And with an ISACA Journal blog posted each Monday, there is new Journal content available every week. Additionally, each volume of the Journal will be accompanied by a podcast interview with a Journal author or columnist. To listen to the podcast or read the current Journal issue, visit the ISACA Journal page of the ISACA web site. To submit an article for consideration in the Journal, visit the Submit an Article page of the ISACA web site.


Effective Approaches to “Bringing the Pain” With Risk Management

By Jack Freund, Ph.D., CISA, CISM, CRISC

Long gone are the days of the door-to-door salesperson. Today (at least in the US) if anyone shows up at your door to sell you something, it is probably a child working on a fundraiser for their school. There is a lost art to aggressive salesmanship. Years ago, when selling items, such as vacuum cleaners, door to door, a salesperson had only a few seconds to grab the audience's attention before the door closed (literally). Many an enterprising salesperson figured out that in order to convince people to hear their pitch, they had to make consumers “feel the pain.” So, instead of beginning their pitch by talking about the product, they would dump dirt on the carpet just inside the door. This created an excuse for the salesperson to demonstrate how good their product was at cleaning up the mess (that they created).

I do not advocate releasing malware into your organization to gain the attention of upper management (that would go against the ISACA Code of Professional Ethics). However, there are much more subtle ways to “bring the pain” in order to advance a more risk-aware agenda in your organization.

In many organizations, risk management is not responsible for the implementation and operation of controls. Instead, it has an obligation to assess, analyze, advise, challenge and report on the activities of control owners. It is sometimes easy to step over the bounds and confuse “report on” with compel, force, coerce and berate, but there is a better way to “bring the pain” than these negative approaches.


Focus on staying closer to the original obligations of the 2nd line of defense. Begin making regular, repeatable and consistent reporting artifacts on control states. Use metrics, charts and graphs that show trending. Gain an audience in staff meetings or risk and control meetings to display these results. When this function becomes a regular service of your risk function, people will start to take notice. If you have 4 executives who have control responsibilities, and their results are each graphed on the same chart, invariably 1 or more will show up unfavorably. You may not even need to actively invite comparison and explanations on deviations; most people will make that logical connection on their own. However, what is most important is that you keep reporting on these metrics and the trending of control states and risk rankings. Once your work product is fully established as the new normal in the organization, you will have built a communication channel for driving risk-based action in your firm from the ground up.

Jack Freund, Ph.D., CISA, CISM, CRISC, is lead IT risk manager for TIAA-CREF and coauthor of Measuring and Managing Information Risk.


Privacy Approaches Are the Focus of Upcoming Data Protection Webinar


Data protection and privacy are necessary components of a mature governance and risk management process. ISACA will offer the “Data Protection and Privacy: How What You Don’t Know Can Hurt You” webinar to help you and your organization better understand data protection and privacy. The webinar will take place on 22 January at 11AM CST (UTC -6 hours). As an ISACA member, you can earn 1 continuing professional education (CPE) hour by attending the webinar and completing the related quiz.

In this webinar, Frank Cindrich, CGEIT, director at PricewaterhouseCoopers, will discuss the 3 main regional approaches to privacy. Looking at the differences among these approaches, we will assess the challenges those differences can present. You will also learn about the symptoms of weak privacy programs and how to build more responsive privacy programs.

To learn more about the webinar or to register for it, visit the Data Protection and Privacy: How What You Don’t Know Can Hurt You page of the ISACA web site.


Influence More—Nominate an ISACA Colleague to a Volunteer Body


Do you know someone who would be an asset to an ISACA volunteer body such as a committee or task force? If so, nominate him/her for the 2015-16 volunteer term.

You may nominate a member or members for volunteer service by completing the Volunteer Nomination Form or emailing the candidate’s name, email address, recommended volunteer body and any additional information in support of the nomination to participate@isaca.org. ISACA will inform candidates of their nomination, provide information on volunteering and request additional information as needed. Please ensure that nominations are submitted well in advance of the 12 February deadline to allow nominees time to submit additional application information prior to that date.

Are you the member you know who would be an asset? If you are interested in volunteering with ISACA, visit the Join an ISACA Volunteer Body page of the ISACA web site. From this page, you will have access to the online application and the Invitation to Participate brochure. In addition to the application, ISACA requests that applicants also provide a résumé/curriculum vitae, which may be submitted upon completion of the online application.

Questions? Contact participate@isaca.org.


ISACA Supports and Advances Your Profession


Whether it is supporting organizations that serve developing communities or producing globally recognized standards, ISACA is dedicated to advancing the profession.

In 2014, ISACA, as part of its corporate social responsibility program, supported 2 organizations that align with our mission: Enactus and UNESCO. Enactus is an international, nonprofit organization of student, academic and business leaders who help develop entrepreneurial skills and community development projects. UNESCO’s Building Knowledge Societies program works globally to create inclusive knowledge societies that increase access to and sharing of information and knowledge.


In addition to giving back to the community, ISACA produced the tools you need to comply with international policy. ISACA produced the Guidance to Validate Internal Control Assertions in Indian Financial Reporting. This important document provides assistance with the new Companies Act, 2013. Plus, ISACA’s certifications receive global recognition. The Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) are endorsed by the Australian government to sanction information security specialists who can then provide cybersecurity services to the government.

ISACA is committed to supporting your profession now and in the future. Renew your membership today, and to get more involved with ISACA’s impact on policy, consider volunteering for ISACA.


How to Benefit From ISACA’s On-site Training


ISACA’s On-site Training program is a flexible, global and cost-effective solution that allows you to train many employees at a minimal expense to your organization. On-site training is optimal if you have a group of people needing training, would like to customize the content or need a consistent message across a global team.

Your organization can benefit from on-site training in a number of ways, including:
  • Developing skills in disciplines including cybersecurity, audit/assurance, risk, security, governance and COBIT
  • Training programs customized to your specific business initiative
  • Providing your employees a consistent, unified learning experience
  • Realizing an immediate return on investment (ROI) by providing your employees with skills that can be applied on the job right away

Camille Marbury, who attended the COBIT 5 Foundation course, found the course to be worthwhile. “This has been the most rewarding and valuable training course that I have taken all year,” she says. “I look forward to taking more ISACA training courses, especially with this instructor/presenter.”


Our trainers are trusted industry experts who hold multiple industry certifications. Currently practicing in their related fields, they bring their unique, real-world experiences to the courses they facilitate. Each trainer delivers proven strategies, techniques and best practices to the classroom. These skilled facilitators are ISACA members who contribute regularly to ISACA research and the IT profession.

For more information about the ISACA On-site Training program, email onsitetraining@isaca.org and one of our dedicated on-site training team members will contact you.


2015 CISA, CISM, CGEIT and CRISC Exam Updates


ISACA continues to grow and improve its certifications. Beginning in June 2015, the Certified Information Systems Auditor (CISA) exam will be offered in Turkish, and the Certified in Risk and Information Systems Control (CRISC) exam will be offered in Spanish, for the first time. To help prepare for these exams, translated exam terminology lists are now available for CISA in Turkish and CRISC in Spanish.

Further, the CISA Chinese Mandarin Traditional-, German-, Hebrew- and Italian-language exams and the CISM Japanese- and Korean-language exams will only be offered at the June 2015 exam. Individuals who wish to test in these languages should register for the June 2015 exam.

The new CRISC job practice has been finalized and is effective with the June 2015 CRISC exam administration. Requirements to become CRISC-certified will also change for those who pass the exam in June 2015 and thereafter. Those candidates will need to submit evidence of 3 years of cumulative work experience performing the tasks of a CRISC professional across at least 2 of the 4 new domains. Of these 2 required domains, 1 must be either domain 1 or domain 2. You can view the new job practice on the CRISC Job Practice Areas page of the ISACA web site.

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.