@ISACA Volume 21 21 October 2015

Tips for Understanding the COBIT 5 Process Enabler

By Lisa Young, CISA, CISM

Processes and the associated detailed procedures are what we develop, document and then use to enable people to perform their work in a consistent and repeatable manner. Processes are often thought of as the “what to do” and generally define the roles required to perform the process. A procedure is often the “how to do it” and generally defines the single role that will perform the procedure. While process is often described as 1 leg of the people-process-technology triad, it may also be considered the glue that unifies the other aspects to achieve organizational objectives.

Processes may include tools, methods, technology, people and practices to achieve goals in an ordered way. ISACA defines process as an interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer. The activities defined in a process are generally aided by a reference model such as COBIT 5, ITIL or the CERT Resilience Management Model (RMM) and may also reference the appropriate compliance guidelines, standards or regulations that have to be considered when performing the process.

As you think about the time and effort needed to develop a process, ask yourself the following questions: Is the process important to the achievement of business goals or committed service level agreements (SLAs) with customers? Is there only 1 person who knows how to do the task? Do many people perform the task or is the task a shared responsibility? If the answer to any of these questions is yes, then you need a defined process. The benefits of using processes, especially for information security, incident handling and risk management activities are:

  • Showing someone the path of personally identifiable information (PII) as it flows through a third-party cloud in a visual process map is invaluable in demonstrating and communicating the risk that needs to be managed. This can enhance organizational agility to respond to changing business circumstances.
  • Having a defined process for a shared task means that all who perform the activity do so in a consistent and high-quality way. This is especially important for tasks that need to be performed by staff with different experience levels to deliver a consistent and superior level of customer service or product.
  • A defined process provides the means to control the variation in the delivery of a service or product. Policies or standards that are important to the organization can be designed into the process so that conformance is inherent in the delivery of the process. This is especially important to enhance knowledge transfer and integrate new members of the team faster.
  • Productivity is increased when all who perform the process have a standard way of doing so. This avoids rework and can be especially critical if you are considering outsourcing some of your current processes to a supplier or expanding organizational services in another geographic region.

However, before you can use processes to achieve the stated benefits, the process must be defined, documented and available in a process asset library for all to use. Here are some tips for getting started with defining a process:

  • What is the reason for performing the process? The process definition should be defined along with the scope and activities that occur in the process. It should also define the roles responsible for performing the tasks.
  • What are the inputs needed to perform the process and what are the outputs, or work products, that are generated by the process? This is where a common language and taxonomy of terms can be used to standardize the descriptors and provide a common understanding across the organization.
  • What does the process look like? A graphical depiction of the process activities is critical. The graphic may also include a map of the roles, both internal and external, that are required to perform the process.
  • What are the controls, policies, standards or guidelines that must be considered when performing the process? This can be used to determine if the process is as efficient as it could be or can demonstrate an excessive buildup of controls that has occurred over time. It will also help in understanding if the process is aligned with the organizational policies that are expected to be carried out by the process.
  • What conditions or dependencies must be performed before beginning a process? What requirements must be met before ending the process? This provides a double check that the process as defined matches the process as performed in practice.

A defined process provides a means to establish a baseline from which to measure the implementation or institutionalization of the current process. Once the processes are repeatable, they can be measured. Once they are measurable, they can be assessed for improvement. The defined process provides a road map for specific areas of improvement in the context of the organization’s business objectives and unique risk environment.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Learn to Balance Innovation With Risk Management



While risk controls are essential to organizations, legacy risk controls may limit an enterprise’s potential to innovate. To help enterprises manage risk while remaining innovative, ISACA will present the “Managing Innovation Risk” webinar. This webinar will take place on 22 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Enterprises should employ a new kind of risk manager—an innovation risk manager. This webinar will outline the hard and soft skills someone in this new position would need to have. These skills include aligning risk analysis with product releases, mediating disagreements between product experts and risk professionals, developing key risk indicators, and the role of formal governance and approvals. David Fraser, CISA, CISM, CISSP, risk manager at Visa, Inc., will lead this webinar. Fraser has worked as a risk manager for more than a decade.

To learn more about this webinar or to register for it, visit the Managing Innovation Risk page of the ISACA web site.


The Nexus: The Latest Cybersecurity News in One Place


The Nexus, part of ISACA’s Cybersecurity Nexus (CSX) program, is a monthly newsletter where all things cybersecurity converge. The Nexus contains valuable information on cybersecurity, including original CSX thought leadership and knowledge, news and updates on CSX, and a collection of the best cybersecurity articles from a variety of sources.

This newsletter provides you with the latest cybersecurity information from CSX leaders and key cybersecurity innovators around the world. The Nexus also contains information on the newest CSX resources available for your use and cybersecurity events occurring worldwide.

You must sign up to receive this newsletter. Visit The Nexus subscription page of the ISACA web site to subscribe now.


IoT Security: Wide Perception Gap Between Consumers and IT Professionals


ISACA’s global 2015 IT Risk/Reward Barometer survey suggests consumers may feel over-confident about Internet of Things (IoT) security. According to the consumer segment of the survey, 64% of respondents are confident they can control security on the IoT devices they own. Yet according to more than 7,000 global IT and cybersecurity professionals who are members of ISACA, only 21% share this confidence and 70% say IoT device manufacturers are not implementing sufficient security measures.

The Hidden Internet of Things
The survey results depict an IoT that flies below the radar of many IT organizations—an invisible risk that many survey respondents believe is underestimated and undersecured:

  • 49% believe their IT department is not aware of all of their organization’s connected devices (e.g., connected thermostats, TVs, fire alarms, cars)
  • 73% estimate the likelihood of an organization being hacked through an IoT device is medium or high
  • 63% think that IoT use in the workplace has reduced employee privacy

That said, survey respondents also report numerous benefits from IoT, with the highest-ranked being better access to information. To take advantage of the many benefits IoT offers, while also managing the risk and maintaining a cybersecure workplace, organizations should:

  • Safely embrace IoT devices in the workplace to maintain a competitive advantage.
  • Ensure all workplace devices owned by the organization are updated regularly with security upgrades.
  • Require all devices to be wirelessly connected through the workplace guest network rather than the internal network.
  • Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks.

To see the full results, visit the 2015 IT Risk/Reward Barometer page of the ISACA web site.


Certification Renewals and CPE



With the 2016 renewal year now open, it is the perfect time to review your continuing professional education (CPE) status for your certification. The CPE policy requires earning 20 CPE hours annually and 120 hours over the 3-year cycle. Please remember that CPE hours need to be earned in each cycle year and cannot be carried over from 1 year or 1 cycle to another. Certified individuals have until 31 December 2015 to earn any needed CPE to remain compliant with the CPE policy.

The MyCertifications page provides valuable information and a bird’s-eye view of where you stand for your CPE for both the yearly and 3-year cycle requirements. The Manage My CPE page provides detailed information on the CPE that you have already reported for your current cycle. Take a moment to assess where you stand with regard to CPE for your certification. Plan ahead now and schedule time for your CPE activities so you can earn your CPE prior to the end of the year when time is limited.

To add CPE:

  • Log in at www.isaca.org/reportcpe
  • Click on the “Manage My CPE” button
  • Scroll down, then click on the “Add CPE” button
  • Enter your CPE activity information and click “Save”

CSX Channel Partner Program Hits the Ground Running


To facilitate training globally and meet the urgent demand to train cybersecurity professionals, ISACA has implemented the Cybersecurity Nexus (CSX) channel partner program. The program was implemented to help ISACA establish relationships with training partners who have global client bases and reach. Formulating these partnerships allows ISACA to provide the resources and talent necessary to help close the cybersecurity skills gap while attracting newcomers interested in cybersecurity training and certifications.

Individuals or organizations looking for CSX training options currently have the following options:

  • Global Knowledge is a leading IT and business skills training provider. It offers thousands of courses spanning foundational training to specialized certification.
  • Firebrand Training is one of the fastest ways to learn. Choose from more than 200 accelerated IT, security and project management certification courses in purpose-built training centers across the globe.
  • University of South Florida offers a cybersecurity training and certification program, focused on preparing students for a specific, high-demand job role.
  • Anne Arundel Community College’s Cyber and Technology Training department offers noncredit courses designed for working professionals looking to upgrade skills or specializations, students preparing for industry certifications, those looking to begin or change careers, and individuals who have personal goals to learn more about technology.
  • TeleCommunications Systems offers current and hands-on training—onsite or online—as taught by the organization responsible for the CSX Practitioner’s core tenets.
  • BlueKaizen is dedicated to providing leading-edge knowledge in information security related to education, awareness and training. SKLABS, Blue Kaizen’s training division, provides high-quality education in the Middle East and North Africa region on information security and cybersecurity.

For more information on CSX training options, visit the Authorized Training Partners page of the new ISACA CSX web site or contact CSXtraining@isaca.org.


Promote the Importance of Governance With a CGEIT Certification

Laura Hitchcock, CISA, CISM, CGEIT, CCM, CFSA, CIA, FLMI, Shares Her Experience as a CGEIT

Laura Hitchcock knows the importance of governance. “The right level of governance can elevate and propel an organization. Likewise, burdensome governance practices can have the opposite effect,” she says. “It is finding the right level that intrigues me.” Hitchcock pursued the Certified in the Governance of Enterprise IT (CGEIT) certification because of its holistic IT perspective and its detail on how IT supports an organization’s strategy, goals and objectives. And Hitchcock says, “Everyone who knows me professionally knows I love governance.”

In addition to allowing her to further pursue her interests, the CGEIT certification has benefited Hitchcock professionally. “The CGEIT designation shows my commitment to my profession, that I have the knowledge and experience to do what I do,” she says. “My advice is sought out and valued by senior IT management. The CGEIT certification has taught me to look across multiple processes/functions and identify synergies or redundancies that others may not see.”

And while Hitchcock experiences the common job constraints of lack of time and resources, the rewarding aspects of her job outweigh any challenges. “It is very rewarding to watch governance practices become embedded in everyday processes, in people’s behaviors and in an organization’s culture,” she says. “When it runs like a well-oiled machine, I am so proud of all of the people involved in making it happen that I brag about their accomplishment to everyone and anyone who will listen.”

Passing the CGEIT exam requires diligence, Hitchcock says. “As with any exam, approach it with confidence and commitment, utilize the study aids, the CGEIT exam course and/or study groups, and expect to devote a significant amount of time to studying,” she says. “When sitting for the exam, read every question fully before putting your pen to paper. You have enough time to complete it and if you have studied hard, you will do just fine.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Security Metrics: Replacing Fear, Uncertainty, and Doubt

Reviewed by Upesh Parekh, CISA

“If the numbers are boring, then you’ve got the wrong numbers,” said Edward Tufte, as quoted in Security Metrics: Replacing Fear, Uncertainty, and Doubt. This quotation summarizes the main purpose of this book.

There is no shortage of metrics in the world of information risk and security, and there is no shortage of executives arguing about the most effective measurement and monitoring of information risk and security.

Security Metrics: Replacing Fear, Uncertainty, and Doubt begins by discussing some of the common shortcomings of security metrics, which pushes readers to understand what the author describes as the “defect-fix-patch-pray cycle of the Hamster Wheel of Pain.” The author goes on to discuss the characteristics of good and bad metrics in the second chapter. Any chief information officer, chief technology officer or chief executive officer should know what constitutes good and bad metrics. The author defines what makes metrics useful and reliable by using real-life examples.

Chapters 3 and 4 discuss some of the technical and program-level security metrics that cover a large area of security management. There is commentary on each of the categories of metrics before the author dives into specific metrics, their definitions and sources.

The numbers themselves do not make any sense unless they are put in context. The real skill of a security analyst is to present an objective analysis of numbers. Chapter 5 discusses analysis techniques. Chapter 6 discusses visualization of metrics. The author says “a picture is worth a thousand words and it follows that an ugly picture is worth ten thousand ugly words” while he is discussing some of the most practical tips on presenting metrics. The author covers automation and security scorecards in the next 2 chapters.

Security managers who want some real-life examples of security metrics and tips to improve reporting in their world will find the book useful. By reflecting on lessons from his life, the author is able to provide strong advice for readers. Security Metrics: Replacing Fear, Uncertainty, and Doubt has many examples, graphs and tables to emphasize the points being made. While the author spends a lot of time criticizing some concepts, the value of the innovative ideas presented is the book’s strength.

Security Metrics: Replacing Fear, Uncertainty, and Doubt is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a risk and governance professional with more than 10 years of experience in the banking and finance industry. He is based in Pune, India.