@ISACA Volume 19  23 September 2015

Using Assessments for Varied Purposes

By Leighton Johnson, CISA, CISM, CIFI, CISSP

The object of any evaluation or testing event or activity is to consider the item being tested against some set of external criteria to verify and validate that the item being tested meets the defined criteria. The requirements for running today’s complex and disparate systems safely and securely are numerous and varied. Evaluations can be conducted for the following areas:

  1. Risk analysis—The evaluations for risk often require the identified risk factors to be rated according to impact and potential harm they could cause to the organization. These evaluations often include controls and their methodology of implementation, which can be determined by analyzing the effectiveness of the installed controls through the use of automated tool sets and scanners.
  2. Assessment—Federal requirements may require that some systems be tested for their functionality and their operations. These assessments include testing after repairs have been completed to the system, testing when some major event or incident that calls into question the security of the system has occurred, and testing the system subsequent to an external analysis that indicates some anomalous component. An examination of the system is also warranted by a reported condition or when requested by senior leadership.
  3. Authorization—In the US, each system that is projected to be on or is already on a federal backbone or network is required, under the US Federal Information Security Management Act (FISMA), to be reviewed and analyzed for risk, evaluated and tested to ensure that security controls are working correctly, and then assessed to verify that the system is functioning at an acceptable level of risk to operate relatively securely. These authorization efforts are the basis for the Risk Management Framework criteria for federal Automated Information Systems (AIS) and are closely adhered to by US federal agencies and authorizing officials. The independent testing requirements for authorization on both major applications and general support systems, such as networks and data centers, provide many opportunities for testing with various methods and techniques as required by the type of system being evaluated.
  4. Security architecture validation—Within each network are the various components, pieces of hardware, appliances and software applications that comprise the network-based and system-based security controls. Each of these items is designed to provide some level of security for the protection of the system or network. However, there are often areas of interface and interconnections between or among components. In these areas, protection is also needed and required. Security architecture documents include the reference models for the technical and business processes, the conceptual and actual drawings of the security processes for the network or system under review, and the various defined information types used within the system or network.
  5. Policy development support—One of the starting points for any assessment is to verify and validate the security policies. Each organization needs to have a policy document that covers the security, privacy and liability needs of the organization with respect to the legal and privacy requirements of the people and the information the organization uses and retains. There are a multitude of privacy and legal requirements, regulations and industry standards that provide guidance for use, retention, transmittal and storage of these types of data and actions. Assessors need to review the policy documents for the organization to ensure compliance to these various statutory and regulatory needs.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


COBIT Conference Europe Provides Actionable Insights and Training for All



COBIT is an important foundation for good governance and management of enterprise IT (GEIT). To learn more about COBIT 5, earn the COBIT Foundation certificate, or gain actionable and practical guidance on using the COBIT 5 framework, attend COBIT Conference Europe. The conference will be held on 7-8 November 2015 in Copenhagen, Denmark, immediately before the 2015 European Computer Audit, Control and Security and Information Security and Risk Management Conference (EuroCACS/ISRM).

Building upon the success of a similar conference held in March in the US, COBIT Conference Europe offers an unrivaled opportunity to expand your network and build your COBIT knowledge and skills. Attendees can earn up to 14 hours of continuing professional education (CPE) credit.

The conference features 2 tracks to meet the needs of attendees representing a wide range of experience levels, from COBIT novices to experienced COBIT practitioners. The COBIT 5 Foundation track is designed for anyone interested in learning the fundamentals of COBIT 5. Those who participate in this track can take the COBIT 5 Foundation Exam the day after the conference for an additional fee.

The Actionable Insights, Tools and Practical Guidance Track provides 10 educational sessions for those wanting to learn more about COBIT 5 and how to apply it within their organizations. The track will conclude with an opportunity for conference attendees to ask the experts specific questions about COBIT and their experience in implementing the framework.

To register for the conference or learn more about it, visit the COBIT Conference Europe page of the ISACA web site.


ISACA Congratulates CSX Scholarship Winners


ISACA would like to thank all those who participated in the 2015 Cybersecurity Nexus (CSX) Student Scholarship Essay competition. Winners received complimentary admission to the second day of events at the inaugural CSX 2015 North America, which will be held on 20 October 2015 in Washington DC.

Congratulations to the winners:


Winner                          College or University

Ahmed Ahmed                     George Mason University (Virginia, USA)
Raunaq Baveja                   University of Utah (USA)
Joseph Beasley                  University of South Carolina (USA)
Nicolas Gengo                   Northeastern University (Massachusetts, USA)
Joseph Gombos                   Palomar College (California, USA)
Tony Granillo                   Washington University in St. Louis (Missouri, USA)
John Haslup                     University of South Carolina (USA)
Jim Iwersen                     Bay Path University (Massachusetts, USA)
Demetria Jackson                Georgia Southern University (USA)
Patrick Kiriposki               University of South Florida (USA)
Phil Krnjeu                     University of South Florida (USA)
Derick Lindo                    University of Tennessee (USA)
Monika Lnu                      Concordia University of Edmonton (Alberta, Canada)
Su-Yu (Eleanor) Lu-Maples       Madison Area Technical College (Wisconsin, USA)
Satish Malla                    Pace University (New York, USA)
Brendan McDermott               University of Arizona (USA)
Natalya Pastoukh                DePaul University (Illinois, USA)
Elizabeth Pereira               Nova Southeastern University (Florida, USA)
Srigopikrishma Prabakaran       MNM Jain Engineering College (Chennai, India)
Andrea Sanchez                  St. Cloud State University (Minnesota, USA)
Jared Schuster                  Drexel University (Pennsylvania, USA)
Hanhan (Michael) Song           San Diego State University (California, USA)
Andrew Sullivan                 University of Utah (USA)
Felipe Tellez                   DeVry University (Illinois, USA)
Natalie Lamm                    Indiana University (USA)

There Is Still Time to Accomplish Your 2015 Professional Goals!


Jane Waissman

ISACA’s research department has produced more than 10 white papers so far this year. How many have you read? Use your ISACA member resources and commit to reading at least 3 papers before 2016 to expand your cybersecurity, COBIT and cloud skills.

New cybersecurity threats are uncovered every day. Use ISACA’s Cybersecurity Nexus (CSX) to stay ahead of these threats and secure your enterprise. Review the CSX road map to help you choose your next certification goal. During this quarter, outline your plan to acquire a new cybersecurity certification.

To increase your networking skills, attend the next chapter meeting and talk to someone new. If your chapter is too far away, log in to your ISACA profile and join a discussion group in the Knowledge Center. Or join ISACA’s LinkedIn page and send a message to someone who focuses in your area.

There are still more than 3 months left in 2015 to meet your professional development goals. Do not let another year pass you by. Invest in yourself. Use your ISACA membership today to accomplish your professional goals.

Join/renew your membership through your myISACA profile.


Annual Audit of 2014 CPE Hours


Each year, an audit of continuing professional education (CPE) hours is performed for the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certifications. The 2014 CPE audit is still underway. Letters and emails have been sent to individuals selected for the 2014 CPE audit. Those selected will need to supply ISACA headquarters with copies of CPE documentation for the CPE hours reported for 2014. Once documentation has been reviewed and approved, a letter confirming compliance will be sent via postal mail. If documentation is incomplete, an email will be sent with details on what else is needed to bring the audit to completion.

As per each ISACA CPE policy, a certified individual must obtain and maintain documentation supporting reported CPE activities. Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, Verification of Attendance form or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date and the number of CPE hours awarded or claimed.

As a friendly reminder, documentation such as calendar appointments, Excel spreadsheets, invitations to attend an event and the like do not qualify as sufficient documentation because these documents do not confirm attendance at the specific event.

For more information, visit the Maintain Your CISA, CISM, CGEIT or CRISC pages of the ISACA web site.


ISACA Certification and 2015 CPE Requirements



With the last quarter of 2015 just around the corner, individuals are encouraged to review their ISACA continuing professional education (CPE) record in light of the CPE activities they have participated in and recorded for 2015 and make note of any additional CPE hours needed to meet either the yearly or 3-year cycle requirement.

The CPE policy requires the attainment of CPE hours over an annual and 3-year certification period. Once certified, the individual is put on a 3-year CPE reporting cycle and this 3-year cycle aligns with the calendar year. CPE policies require Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) individuals to comply with the following requirements to retain certification each year:

  1. Attain and report an annual minimum of 20 CPE hours. These hours must be appropriate to the currency or advancement of the certified individual’s knowledge or ability to perform his/her certification-related tasks. The use of these hours toward meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  2. Attain and report a minimum of 120 CPE hours for a 3-year reporting period.

Details on where one stands on the attainment of these goals can be found in the certified individual’s record on the MyISACA > MyCertifications and Manage My CPE page of the ISACA web site. Reviewing this information in September gives you ample time to schedule or plan your CPE activities for 2015 to ensure the requirement(s) are met before the end of this year.


Leveraging the Human Component of the CISA Certification

Pushkar Dhole, CISA, COBIT Foundation, CIA, ISO27001LA, ITIL(F), PMP, Shares His Experience as a CISA

Working in the financial services industry helps Pushkar Dhole understand the importance of good governance, risk and compliance (GRC) practices. His interest in GRC is what initially led him to pursue the Certified Information Systems Auditor (CISA) certification. “It was important to understand the GRC requirements in the industry and endorse my knowledge by a professional organization that is well respected globally,” he says. “CISA offered the advantage of its knowledge pool, opening doors to global opportunities and managing challenges in a work environment where change is the only constant.”

Because of the ever-changing nature of his profession, Dhole finds value in the resources ISACA provides, including the Knowledge Center and various ISACA publications. “The continuous learning CISA mandates, through its continuing professional education (CPE) requirements and the various learning programs provided through ISACA have kept me up to date with the latest developments in the arena of risk.”

And while Dhole uses the technical resources provided by ISACA, he also recognizes the networking value his ISACA certification and membership afford. “Fellow chapter members extended a warm welcome and they gave me the pleasure of being part of the ISACA family,” he says. “Being a CISA has helped me connect with professionals and make friends across the globe.”

The human element of the CISA certification has helped Dhole overcome one of the greatest challenges in his job—bringing together diverse stakeholders to drive the GRC program. “Being a CISA has helped me understand the different perspectives and priorities of these stakeholders,” he says. “It has helped in gaining support from and providing assurance to management during the course of identifying, monitoring and managing risk while taking the business to the next level.”

Dhole has also applied his CISA certification skills to his personal benefit. He notes that these skills have “influenced me in planning, executing and reviewing all my personal and professional activities independently with a holistic thought process.”

To anyone thinking about pursuing a CISA certification, Dhole advises, “Go and get it!”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance

Reviewed by Maria Patricia Prandini, CISA, CRISC

Academic institutions and industry are 2 of the most reliable indicators of how technology is going to evolve in the future. This is also true for the discipline of information security.

The power that technology brings to humanity in the digital age is humongous. But so are the concerns and challenges in terms of data protection, privacy, individual rights and crime in cyberspace.

The Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance discusses the convergence of these ideas. This book contains the most recent research on cyberspace security developments, and it is written by academics and industry representatives from institutions across Europe, Asia, Africa, Australia, and North and South America.

The book is well organized, covering a diverse set of topics arranged around 4 sections, the 1st being cybercrime examples, risk and threats. This section contains articles on cyberattacks on critical infrastructures, network attacks, online violence and other types of harassment performed through the Internet. This section also covers Android malware, DNA databases for criminal investigation, different types of online attacks, and the relationship between top management composition and security breaches.

The 2nd part covers cybersecurity approaches and developments and contains 12 chapters on topics such as privacy compliance requirements, forensics, cybercrime technologies, indirect attribution in cyberspace, crypto systems, cyberbullying, browser attacks and total quality in cybersecurity.

The 3rd part relates to legal aspects and information and communication technology laws. It gathers research related to the Brazilian Civil Rights Framework for the Internet; surveillance, privacy and due diligence in cybersecurity; the Internet of Things; the role of European Union law in dealing with cyberbullying; and other related topics.

The book concludes with 4 case studies on honeypots and honeynets, an analysis of cybercrime with spatial econometrics, a cybersecurity model of Artificial Social System Man-Machine, and an exploratory survey of factors impacting user behavior on Facebook.

Although this is a complex book gathering articles on a varied set of topics related to cybersecurity, it is useful because in addition to a table of contents, it has a detailed table that includes the abstracts of each article. This allows readers to go directly to the chapter that piques their interest.

At the end of the book, a compilation of references and a short biography of every contributor lets the reader evaluate the backgrounds of the 62 contributors. As mentioned in the preface, this includes “many internationally renowned and experienced authors in the field and a set of younger authors, showing a promising potential for research and development.”

For IT professionals, daily routines typically prevent looking ahead to see where the future may affect security professionals, in terms of avoiding risk and protecting information and individual rights while maximizing the benefits of the digital age. The Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance is an opportunity to take a break and, as professionals, scholars or academics, get in touch with recent research on digital crime, cyberspace security and information assurance.

Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology in the Argentine government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires (Argentina) Chapter.