@ISACA Volume 27  31 December 2014

Explore Endpoint Vulnerabilities at Cyberprotection Webinar

Cyberattacks have been taking place at the endpoint, and attacks are becoming more sophisticated. Current endpoint security tools may not be able to prevent or detect attacks, and waiting for detection may leave an organization vulnerable. To help organizations better understand the weaknesses of existing endpoint security and the risk this can lead to, ISACA has partnered with Palo Alto Networks to create “The Harsh Reality of Cyber Protection” webinar. This webinar will take place on 8 January at 11 a.m. CST (UTC -6 hours). Members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

“The Harsh Reality of Cyber Protection” webinar will be led by Sebastian Goodwin, director of product marketing/IT security leader at Palo Alto Networks. He has more than a decade of experience in the field. Goodwin is also the author of 2 books on Windows server security and is coauthor of the Security+ certification exam. In the webinar, he will walk attendees through the weaknesses of existing endpoint security in order to explore and better understand how organizations are vulnerable.

To learn more about the webinar or to register for it, visit the Harsh Reality of Cyber Protection web page of the ISACA web site.



Time Is Running Out to Submit VP Nominations

The nomination period for the position of vice president on the ISACA Board of Directors for the 2015-16 term is ending soon. Nominations close at 5:00 p.m. CST (UTC -6 hours) on 6 January 2015; all candidate materials must be received by ISACA International Headquarters by that date. If you wait until the deadline to submit a nomination form, the candidate may not have enough time to provide the committee with all of the required information.

Members may submit nominations for themselves or for others (or both). All candidates will be required to complete a candidate profile form that confirms his/her willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Information about serving on the board, the attributes for office and the nomination form are available on the Board Nominations page of the ISACA web site. Questions? Contact nominate@isaca.org.


Assessing Inherent Risk


To help ensure effective governance of enterprise IT (GEIT), organizations should first implement a process for optimizing IT risk. COBIT 5 is a resource used globally to achieve these ends effectively.

A typical IT risk management process consists of the following:

  1. Risk identification
  2. Risk assessment
  3. Risk prioritization
  4. Risk response selection
  5. Control evaluation and gap assessment
  6. Response implementation
  7. Monitoring and periodic review

The identified and assessed risk factors are recorded in the risk register. Management should review the risk profile periodically. A risk practitioner prepares different views of the risk profile for management, and these are presented as:

  • Inherent risk, i.e., the risk profile before any risk response options are implemented
  • Residual risk, i.e., the risk profile after risk response options are implemented

A comparative review of the two risk profiles helps justify the investment in implementing risk response options. A risk practitioner must prepare both profiles afresh for each periodic review, to account for changes in the risk environment.

Generally, a risk practitioner faces challenges when assessing inherent risk, since many organizations have implemented some controls to mitigate risk based on previous experience and best practices. A risk owner may find it difficult to assess inherent risk since the risk response options are already part of operational procedures.

To address this problem, a risk practitioner can:

  1. Ask the risk owner to assess the current risk exposure based on available data, taking the risk response options already in place into account (e.g., insurance coverage, controls implemented to reduce likelihood and/or impact)
  2. Have the risk owner assess the effect of those response options on likelihood and/or impact
  3. Add the assessed effect of the response options back to the assessed current risk exposure. This generally provides an estimate of inherent risk.

Following these steps can help compensate for any judgmental skew in the assessment.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Raise Awareness of Data Privacy, Participate in Data Privacy Day

Data Privacy Day is celebrated on 28 January to raise awareness and create a conversation about data privacy. Canada, 27 European countries and the United States recognize Data Privacy Day, which commemorates the 1981 signing of Convention 108, the first legally binding treaty relating to data privacy and data protection.

ISACA offers many resources to help you learn about privacy, and there are many events taking place in the upcoming weeks that you can participate in to learn more about data privacy and protection. On 14 January at 2 p.m. CST (UTC -6 hours), a data privacy Twitter chat will take place. Use the hashtag #ChatDPD to participate. On 22 January at 11 a.m. CST (UTC -6 hours), ISACA will host a complimentary privacy webinar.

More information on Data Privacy Day can be found on the Data Privacy Day web site.


Develop Your Career and Pursue Your Interests With a CISM Certification

Jason Yakencheck, CISA, CISM, CISSP-ISSAP, IEEE Certified Biometric Professional, Shares His Experience as a CISM

Jason Yakencheck initially pursued the Certified Information Security Manager (CISM) certification to help his career progression. “Many of the leaders I worked with on a regular basis touted the certification and its importance in the marketplace,” he says. “CISM has helped give me the knowledge needed to take on new career challenges and move into more leadership roles.”

Obtaining the CISM certification has allowed Yakencheck to try new things in his professional and personal life, as well. In addition to developing an interest in traveling, his CISM certification has enabled him to give back to the profession. Yakencheck is the Young Professionals Subcommittee Chair, a Communities Committee member, and the director of outreach and professional development for his local ISACA chapter. “I have seen the value of certifications like the CISM, the value of professional organizations and how these can help facilitate career success,” he says. “I have helped others through mentoring and exam study preparation, and, eventually, I became highly involved in ISACA both internationally and within my local community.”

Professionally, the CISM certification has helped Yakencheck engage in critical conversations with leadership about security. “One of the biggest challenges that other IT security professionals and I face is getting senior leadership to buy into and support security with the necessary resources, tools and controls. Even with the attention that data breaches are receiving these days, it can be quite a challenging task,” he says. “The CISM certification helps prepare practitioners to have those discussions and to effectively convey the level of risk to key stakeholders and corporate leadership.”

For anyone interested in pursuing the CISM certification, Yakencheck recommends beginning the process as soon as possible. “Do not put it off for a better time, as the credential is very beneficial to furthering your career. Start preparing for the exam with a lot of lead time so you can study in smaller, manageable and more consistent increments,” he says. “Take advantage of the support system offered in the ISACA Knowledge Center Exam Study Communities. They are a great way to learn and stay focused.”

To learn more about CISM and ISACA’s other certifications, visit the Certification page of the ISACA web site.


Book Review: Business Continuity Management

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Business Continuity Management: Choosing to Survive goes beyond the boundaries of IT-focused business continuity and disaster recovery guidelines. It provides a hands-on and in-depth do-it-yourself (DIY) reference guide to equip the reader with modern techniques for handling disaster management.

Heavy reliance on modern infrastructures and constantly evolving IT systems requires a comprehensive approach to setting up damage control mechanisms. More importantly, ensuring that such capabilities are widely dispersed and understood is no longer solely an IT concern. As business continuity management has evolved into a separate area of study with proven, practical guidance driven by standards such as ISO/IEC 24752:2008, ISO/IEC 27031 and ASIS SPC.1-2009, it is important that IT professionals understand these standards and the importance of business continuity management. Business Continuity Management: Choosing to Survive helps readers better understand this important business issue.

The greatest strength of this book is that even novice security professionals can understand it. Another of its strengths is that it does not dwell on theory alone. It covers the essentials, but it further discusses the practical details within the 10 appendices.

The inclusion of actual questionnaires, reporting formats, illustrations and plans makes reviewing this book as fast as an Internet search. Readers can apply what they have learned quickly and easily to their everyday business continuity processes.

Business Continuity Management: Choosing to Survive is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).