@ISACA Volume 7  8 April 2015

Risk Palimpsest

By Jack Freund, Ph.D., CISA, CISM, CRISC

Centuries ago, scholars did not publish their works in a format suitable for e-readers, tablets or the web. In fact, they did not publish in physical books the way we know them now (on bleached paper). Instead, they published their work on parchment, usually the kind made from animal hides. These were expensive to make and, as such, they were often reused. The previous writing was removed and the page was repurposed for another work. Sometimes this was due to the original writing fading over time and becoming illegible or because the work was in a foreign or ancient language that was not useful to the owner of the parchment. This reused document is called a palimpsest.

This quick history lesson is not merely a digression. There are palimpsests in digital media today, and the classic example is the hard drive. A quick format of a drive does not overwrite the data, just the index; the old data remain on disk until their blocks are reallocated and overwritten by new files. This is what makes file carving and similar IT forensics techniques possible. But this article is specifically about risk palimpsests. The metaphor is useful in diagnosing what happens when a new IT risk professional takes up residence in a new firm. The interaction with this palimpsest may be prefaced by phrases such as, “How we used to do it…” or “We never did it that way where I come from…”
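The quick-format point above, worked through on a toy block device. This is an added example and not part of Freund's article: the block layout, the ToyDisk and carve names and the made-up "TOYF" format are assumptions for illustration (the "%PDF-" signature is the real PDF header). Zeroing the index hides the files from a normal listing, a signature scan still finds them, and only a later write over the same blocks destroys them.

```python
"""Toy block device showing why a quick format leaves a digital palimpsest.

Constructed example: a tiny disk whose first blocks hold a text file table
(the "index") and whose remaining blocks hold file contents.
"""

BLOCK = 16                     # bytes per block; tiny so the layout is readable
INDEX_BLOCKS = 4               # blocks reserved for the file table
DATA_BLOCKS = 60
INDEX_BYTES = INDEX_BLOCKS * BLOCK
DISK_BYTES = (INDEX_BLOCKS + DATA_BLOCKS) * BLOCK

# Header signatures a carver looks for. "%PDF-" is the real PDF magic;
# "TOYF" is a made-up format used only in this example.
SIGNATURES = {"pdf": b"%PDF-", "toy": b"TOYF"}


class ToyDisk:
    def __init__(self):
        self.buf = bytearray(DISK_BYTES)
        self.next_block = INDEX_BLOCKS   # bump allocator: first free data block

    def write_file(self, name, data):
        """Store data in the next free blocks and record it in the index."""
        nblocks = -(-len(data) // BLOCK)          # ceiling division
        if self.next_block + nblocks > INDEX_BLOCKS + DATA_BLOCKS:
            raise OSError("disk full")
        start = self.next_block
        off = start * BLOCK
        self.buf[off:off + len(data)] = data
        self.next_block += nblocks
        entry = f"{name}:{start}:{len(data)}\n".encode()
        used = bytes(self.buf[:INDEX_BYTES]).find(b"\x00")  # first free index byte
        if used < 0 or used + len(entry) > INDEX_BYTES:
            raise OSError("index full")
        self.buf[used:used + len(entry)] = entry

    def list_files(self):
        """What the operating system shows: only what the index still records."""
        text = bytes(self.buf[:INDEX_BYTES]).split(b"\x00", 1)[0].decode()
        entries = []
        for line in text.splitlines():
            name, start, length = line.split(":")
            entries.append((name, int(start), int(length)))
        return entries

    def read_file(self, name):
        for n, start, length in self.list_files():
            if n == name:
                off = start * BLOCK
                return bytes(self.buf[off:off + length])
        raise FileNotFoundError(name)

    def quick_format(self):
        """Zero only the index. Data blocks are untouched and become free for reuse."""
        self.buf[:INDEX_BYTES] = bytes(INDEX_BYTES)
        self.next_block = INDEX_BLOCKS

    def full_wipe(self):
        """Overwrite every byte, index and data alike; nothing is left to carve."""
        self.buf[:] = bytes(DISK_BYTES)
        self.next_block = INDEX_BLOCKS


def carve(disk):
    """Header-based file carving: ignore the index and inspect every data block
    for a known signature. Returns (kind, block) for each hit, in block order."""
    hits = []
    for block in range(INDEX_BLOCKS, INDEX_BLOCKS + DATA_BLOCKS):
        off = block * BLOCK
        head = bytes(disk.buf[off:off + 8])
        for kind, magic in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((kind, block))
    return hits


def demo():
    """Write two files, quick-format, carve, then reuse blocks and carve again."""
    disk = ToyDisk()
    disk.write_file("report.pdf", b"%PDF-1.7\n" + b"A" * 40)   # 49 bytes, blocks 4-7
    disk.write_file("notes.toy", b"TOYF" + b"B" * 20)          # 24 bytes, blocks 8-9
    before = [name for name, _, _ in disk.list_files()]
    disk.quick_format()
    after_index = disk.list_files()      # index says: nothing here
    after_carve = carve(disk)            # carving still finds both files
    # A new file reuses the freed blocks; only then is the old content destroyed.
    disk.write_file("new.toy", b"TOYF" + b"C" * 100)          # 104 bytes, blocks 4-10
    after_reuse = carve(disk)            # old PDF and notes are now gone
    return before, after_index, after_carve, after_reuse


if __name__ == "__main__":
    print(demo())
```

Real disks differ in scale and in file system metadata, but the carving loop is the same idea: ignore what the allocation structures claim and look at every block for known headers. The full_wipe method gives the contrast a practitioner should check for: after every byte is overwritten, carve returns nothing.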

The truth is that when coming to a new organization, risk professionals often try to relate to the new environment by thinking about it in terms of the previous one. They are likely still fighting battles from the past (for better or for worse). Generally, cumulative experience is helpful (which is why organizations hire senior people to begin with). However, it can be harmful if it prevents risk personnel from seeing the new environment for what it is (i.e., allowing previous experiences to negatively color the view of the new one). It is important to keep an open mind about the new environment. Yes, many principles of risk are universal and readily applied in new places. However, different organizations have different risk profiles that can substantially affect how basic risk concepts apply to a new problem. Further aggravating the problem, the new workplace may not share the previous workplace’s view of risk (and may not even hold one consistent view across its own departments). Risk professionals can choose to practice risk management the right way (their way, ideally based on a standard view of risk).

In the best case, their work can then become an exemplar for the rest of the organization to imitate. In the worst case, they may get ostracized for not coordinating, partnering or integrating with the existing view of risk. The other alternative is to begin an educational campaign to ignite change from within. This could go well or may also be viewed as being overzealous.

This advice is not one-size-fits-all. In many ways, it is part of what makes risk work exciting: The people and the different environments are dynamic and challenging. The approach (or even approaches) taken must be tailored to the specific environment. It may even change over time as a risk professional’s tenure with the firm grows. Whatever strategy is embarked upon, be mindful of previous experiences as well as the experiences of others. Make any palimpsest a benefit to the work, not a liability.

Jack Freund, Ph.D., CISA, CISM, CRISC, is lead IT risk manager for TIAA-CREF, member of the CRISC Certification Committee and coauthor of Measuring and Managing Information Risk.


Nominating Committee Selects 2015-16 International President


The ISACA Nominating Committee has selected Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, ISO 20000 LA, as international president for the 2015-16 Board of Directors slate. Dimitriadis is group director of information security at INTRALOT in Athens, Greece. INTRALOT is a leading international supplier of integrated gaming and transaction processing systems, with a presence in more than 50 countries.

Dimitriadis has been working in the area of information security for 14 years and has more than 110 publications in the field. In addition to leading information security, information compliance and intellectual property protection at a group level, Dimitriadis designed INTRALOT’s innovation program in 2013 and heads the office of the chief technology officer (CTO), managing technology transformation activities.

Dimitriadis has served ISACA as a member of its International Strategic Advisory Council, past international vice president for 3 terms, international board member for 4 terms, chair of the Knowledge Board, chair of the External Relations Committee, chair of the COBIT for Security Taskforce, and member of the Relations Board, Academic Relations Committee, ISACA Journal Review Team and Business Model for Information Security Workgroup. Dimitriadis served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015.

In selecting the president, the committee considered input and guidance from a variety of sources: the committee’s own discussion, an evaluation of each candidate as compared to the board-approved attributes for office, ISACA’s strategy and direction, and the board-approved guiding principles and expectations for the position.

If no additional candidates arise from the membership (by petition), the slate is declared elected by acclamation and those individuals will be installed at the Annual Meeting of the Membership to be held in June 2015 in Brussels, Belgium.


ISACA Webinar: Learn to Detect Data Breaches


According to the Verizon Data Breach Investigations Report, less than 1% of data breaches are detected by organizations’ antivirus, intrusion detection system or log review, which means that many data breaches are detected by someone other than the organization that has been breached. To help enterprises better detect data breaches, ISACA has partnered with Oracle to create the “86% of Data Breaches Miss Detection, How Do You Beat The Odds?” webinar. This webinar will take place on 9 April. Members can earn 1 continuing professional education (CPE) hour for attending the webinar and passing a related quiz.

Data breaches typically take less than a day to carry out, but nearly 70% of organizations take longer than 1 day to detect and correct an unauthorized database access or change. And only 35% of organizations audit to determine if privileged users are putting systems at risk. This webinar will help attendees better learn how to conduct privileged user auditing, suspicious activity alerting, and security and compliance reporting.

To register and learn more about this webinar, visit the 86% of Data Breaches Miss Detection, How Do You Beat The Odds? page of the ISACA web site.


2015-16 Board of Directors Slate and Report of the Nominating Committee

By Ken Vander Wal, CISA, Nominating Committee Chair

The charge of the ISACA Nominating Committee, as described in sections 7.02 and 9.01 of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors, consisting of an international president and up to 7 vice presidents, for review by the association membership. The Nominating Committee is chaired by a past international president of ISACA, and its members include 2 additional past international presidents and 4 other members with significant ISACA experience and diverse geographic representation.

ISACA will hold its Annual Meeting of the Membership on 6 June 2015, in Brussels, Belgium, where it will install the 2015-16 Board of Directors. In accordance with the association’s bylaws, the Nominating Committee submits the following slate as the proposed 2015-16 Board of Directors:

  • Christos Dimitriadis, CISA, CISM, CRISC, ISO 20000 LA, international president
  • Rosemary Amato, CISA, CMA, CPA, international vice president
  • Garry Barnes, CISA, CISM, CGEIT, CRISC, international vice president
  • Rob Clyde, CISM, international vice president
  • Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, international vice president
  • Leonard Ong, CISA, CISM, CGEIT, CRISC, CPP, CFE, CIPM, CIPT, CISSP, CSSLP, PMP, international vice president
  • Andre Pitkowski, CGEIT, CRISC, CRMA, OCTAVE, international vice president
  • Edward Schwartz, CISA, CISM, CAP, CISSP, ISSEP, NSA-IAM, PMP, SSCP, international vice president
  • Robert Stroud, CGEIT, CRISC, past international president
  • Greg Grocholski, CISA, past international president
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, past international president
  • Matt Loeb, CEO and secretary

The bylaws grant the international president the authority to augment the board by a limited number of appointments if desired. Dimitriadis has proposed the appointment of the following individuals to serve as directors on the 2015-16 Board of Directors, subject to approval by the board: Zubin Chagpar, CISA, CISM; Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC; and Raghu Iyer, CISA, CRISC.

The committee takes very seriously its obligation to prepare the best possible slate of individuals who will work together as a team to lead the association. Its evaluation of candidates takes into account their intent to reflect the organization’s diversity in terms of geography, skills, experience and other relevant factors, while also balancing continuity and new viewpoints.

The selection process is managed with attention to detail. Deadlines are strictly adhered to, nominations are treated with unbiased consideration, candidates are interviewed and strict confidentiality is maintained throughout the process. The Governance Advisory Council (GAC) provides oversight to the committee’s processes and the committee reports to the Board of Directors and the membership of ISACA.

As chair of the 2014-15 committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2014-15 Nominating Committee Members:

  • Ken Vander Wal, Chair, CISA, CPA, USA (past international president)
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Australia (past international president)
  • Greg Grocholski, CISA, USA (past international president)
  • John Ho Chi, CISA, CISM, CRISC, CBCP, MBCP, Singapore
  • Urs Fischer, CISA, CRISC, CIA, CPA, Switzerland
  • Gloria Cardenas, CISA, CGEIT, Colombia
  • Vernon Poole, CISM, CGEIT, CRISC, CIPFA, United Kingdom

All ISACA members are invited to attend the Annual Meeting of the Membership.


Ballots for Bylaws Vote to Be Distributed 27 April 2015


The ISACA Governance Advisory Council, at the request of the Board of Directors and with the assistance of ISACA staff and legal counsel, undertook a comprehensive review of ISACA’s bylaws. This review provided the basis for a full refresh of the bylaws to align to best practices and embed applicable law in the bylaws.

The new bylaws version that will be offered for ISACA membership adoption was approved unanimously by the Board of Directors on 28 February 2015 at the board meeting in Mumbai, India. ISACA membership will have the opportunity to vote to approve the new bylaws beginning 23 April 2015 at 9AM CDT (UTC -5 hours) until 6 June 2015 at 9AM CDT (UTC -5 hours). Members can vote through electronic ballot or in person at the ISACA Annual Meeting of the Membership in Brussels, Belgium, on 6 June. Check back to www.isaca.org/bylaws2015 on 13 April 2015 for more information on the voting process, accessing the ballot and to view the revised bylaws.

Ballots will be distributed by Votenet, ISACA’s vendor for this election, via email on 27 April to ISACA members in good standing so you may vote electronically on the revised bylaws. Once you receive the ballot email from Votenet, you will be asked to create a username and activation code in order to access a ballot. The deadline to request a paper ballot will be 1 May and additional information on the voting process and ballot access will be provided on the Bylaws 2015 page of the ISACA web site on 13 April 2015.

Questions? Contact bylaws@isaca.org.


Develop Leadership Skills With a CISA Certification

Handikin Setiawan, CISA, Director of Risk and Controls Solutions at PricewaterhouseCoopers Indonesia, Shares His Experience as a CISA

Handikin Setiawan began his career as a financial auditor, but found that his passion was IT auditing and consulting. Because of this desire to modify his career path, Setiawan decided to pursue the Certified Information Systems Auditor (CISA) certification. “Being a CISA puts you in the same league with other IS audit professionals all over the world,” he says. “The professional community acknowledges your professional skills as the CISA certification sets the highest standard in the field.”

One of the biggest challenges in his job is scoping the clients’ needs and designing an appropriate project approach. But the CISA certification helps Setiawan work through this challenge. “Being a CISA, I am able to apply the knowledge to do those tasks,” he says. “The knowledge makes it easier for me to understand the issues and design a project approach with proven methodology and standards.”

But the CISA certification has given Setiawan more than just technical knowledge; it has also helped him grow as a leader. “Moving up the ranks requires not only technical, but also nontechnical skills,” he says. “For me, leadership skills are very important in both personal and professional goals. Leadership transcends work and personal environments.”

Setiawan, certification director for his local ISACA chapter, believes that while earning the CISA certification takes hard work, it is worthwhile. Studying is key for CISA exam takers. “Prepare, prepare, prepare,” he says. “It is not easy, yet it is worth every bit of effort. It will make a difference in your career.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Information Security: The Complete Reference, 2nd Edition

Reviewed by Upesh Parekh, CISA

The security of information assets started as a very small area of concern limited to keeping IT assets under lock and key to prevent physical theft and sabotage. In the last couple of decades, information security has grown due to developments in information technology and an explosion in the size and scale of information assets.

It is easy to get overwhelmed when thinking about how to go about securing the information assets of any organization. So how do you climb this mountain of a task? The answer is simple—one step at a time.

This approach is recommended and illustrated in the book Information Security: The Complete Reference, 2nd Edition. The book is divided into parts, each covering 1 area of security specialization in detail. Each part explores the different layers of security within that area and also presents an integrated picture for the reader.

The book follows a top-down approach. It is divided into 8 parts. Part 1 of the book lays the foundation. It contains an overview and a discussion of risk analysis, security standards and security policy.

Once the foundation is laid, readers are free to jump to any part of the book focusing on their area of interest. The remaining chapters cover data security, network security, computer security (including operating system security), application security, security operations and physical security. To remain neutral, the book does not cover any specific security technology or product.

This book is a valuable reference for security professionals and students studying information security. It can serve as a textbook for readers who want a comprehensive resource in the field of security.

Information Security: The Complete Reference is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.