@ISACA Volume 11, 1 June 2016

Five Measures of Security Effectiveness

By Leighton Johnson, CISA, CISM, CIFI, CISSP

During assessments and audits, there are several areas of reference and documentation that an auditor/assessor needs to refer to and check. This referenced documentation is required for the auditor/assessor to properly gauge the effectiveness of an organization’s security posture, processes and component implementation. The five levels of security effectiveness (figure 1) are defined as:

Figure 1—Five Levels of Security Effectiveness

  • Level 1: Policies—The policies of the organization form the foundation of the organization’s security and of its applications, systems and information. Every security component is installed to support a security policy, so this area is addressed first and foremost: it is the single starting point for security.
  • Level 2: Procedures—The procedures drafted by the organization must follow and correspond with the policies identified in level 1. These procedures are the documents that prescribe the security actions and processes to be carried out and how security is implemented in the organization.
  • Level 3: Implementation of procedures—The actual implementation of the security procedures is critical to the safety and security of each system, application and organizational component in the department or division. These implementation actions and activities are where security theory meets security installation inside the organization.
  • Level 4: Testing security controls—All security controls need to be measured to ensure that they function properly. Therefore, every control needs to be evaluated and tested on a periodic basis and whenever there is a security event or change. This testing provides the organization’s senior leadership with evidence, rather than assumption, that the installed security components are working as expected.
  • Level 5: Integrating security components into the organization—Security across the organization needs a road map that provides the integrated, holistic security necessary in today’s operating environments. This full picture gives all managers and security personnel the overview they need to determine the security posture of the organization.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


ISACA Annual General Meeting to Take Place in Chicago



The ISACA Annual General Meeting (AGM) takes place to instate the Board of Directors. Those who attend this meeting will also be able to review fiscal information from the past year. Attendees will have the opportunity to receive ISACA’s annual report, which will be posted on the ISACA web site after the meeting. The AGM will take place on 25 June at the Langham Hotel in Chicago, Illinois, USA. This meeting will begin at 8 a.m. CDT (UTC-5).

To register to attend the meeting, email your name and member number to agm@isaca.org. To learn more about the meeting, visit the ISACA Annual General Meeting page of the ISACA web site.



The Growth of the CRISC Certification


ISACA is proud to announce that it has certified more than 20,000 Certified in Risk and Information Systems Control (CRISC) professionals since the certification’s inception in 2010. The CRISC designation is for those who identify and manage risk through the development, implementation and maintenance of information systems controls. The CRISC certification exam is the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals. Those who hold the CRISC certification have the technical knowledge to help enterprises understand IT risk and implement appropriate IS controls.

Learn more about what it takes to obtain the CRISC certification on the How to Become CRISC Certified page of the ISACA web site. Registration for the December CRISC exam will open on 7 June 2016. Be a step ahead of the others by obtaining your CRISC certification today.


Promoting Governance and Risk Management With CGEIT and CRISC Certifications

Geetha Murugesan, CISA, CGEIT, CRISC, COBIT 5 Implementer, ISO 27001 LA, Shares Her Experience as a CGEIT and CRISC

For Geetha Murugesan, one of the most valuable benefits of the Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certifications has been the international recognition. Earning the CGEIT and CRISC certifications has given Murugesan the opportunity to collaborate with colleagues from all over the world. “ISACA certifications have worldwide recognition,” she says. “When I have the chance to interact with the information security and risk management community in other countries, there is a great feeling of being a part of a larger community that has worldwide acceptance and recognition.”

The collaborative nature of Murugesan’s job as an information risk management consultant is the most enjoyable part of her career. She works closely with C-suite executives, and the CGEIT and CRISC certifications help her in this role. “The holistic IT perspective of meeting the organization’s business objective has to be strategized and delivered,” she says. “CGEIT and CRISC provide a very holistic and detailed approach to addressing how IT meets the organization’s goals and objectives. My certifications help me convey how to manage risk effectively and achieve compliance.”

Conveying this holistic and detailed approach requires an effective understanding of how IT and the business align, and Murugesan says the CGEIT certification can help practitioners work with the C-suite. “The biggest challenge when working with senior management is to communicate effectively so that senior management understands and makes appropriate decisions where risk is optimized, which leads to benefit realization,” she says. “Specifically, the CGEIT certification deals a lot with strategic IT and business alignment, which is useful when working closely with the senior management team.”

Murugesan knows that to earn these certifications, dedication is required. Her advice for anyone interested in pursuing them is to develop strong time management skills. “Planning and utilizing time appropriately for a working professional is the key to passing,” she says. “Understanding the different domains relating to the task and knowledge statements allows for a comprehensive approach to solving questions. My advice: While taking the exam, read every question before writing down the answer. You will have enough time if you understand the questions well.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.