@ISACA Volume 8  20 April 2016

Tips for Standardizing a Common Language Between IT and the Business

Lisa Young, CISA, CISM

COBIT 5 enablers are factors that, individually and collectively, influence the outcomes we seek to achieve in the governance and management of enterprise IT (GEIT). My previous column was about the COBIT 5 enabler of Process. This month, I want to address the topic of using a common language between IT and the business. While not an explicit enabler in COBIT 5, a common language is a basic building block that is needed as a foundational first step toward improved communication in any organization.

Characteristics that may indicate lack of a common language include:
  • The words risk, threat and vulnerability are used interchangeably. Or perhaps the organization has deployed a real-time tool that calculates a “risk score” from vulnerability ratings such as the Common Vulnerability Scoring System (CVSS) or a commercial tool’s priority rank for the vulnerability. A CVSS base score measures the technical severity of a vulnerability, not the likelihood that a threat will exploit it in this environment or the business impact if it does, so treating it as a risk score indicates that there is no common understanding of the language components needed to identify and describe the real risk that could have the most impact on the enterprise, should it be realized.
  • Risk assessment and risk analysis are both used to describe the process of risk identification and prioritization. Again, without a clear description of the activities involved in risk identification, risk assessment, risk analysis, risk disposition and risk response, the organization is not able to understand the benefit of taking appropriate risk to exploit opportunities and avoid those consequences that can most impact the enterprise, should the risk be realized.
  • The organizational culture does not drive behavior that ensures policies are followed, are effective, produce positive outcomes and carry consequences for disregarding or circumventing them. One example is misalignment between the real risk appetite and its translation into policies. Management’s real approach toward risk may be aggressive and risk-taking, whereas the policies that are created reflect a much more conservative attitude. There is a mismatch between values and the means to realize those values, inevitably leading to conflict.
  • The value chain of the organization is not defined, and people do not know the role of their work in delivering the products and services of the enterprise. Tracing a clear path from the products and services that the organization delivers (e.g., its reason for being in business) to the underlying assets (including the people assets) that support such products and services fosters the ownership and personal responsibility needed to effectively manage risk.
  • Compliance initiatives are discrete projects with no other business value than to demonstrate that obligations are met. In other words, the compliance function is managed as if the risk of noncompliance is the most important risk to the organization.
  • There are repeat audit findings that continue to show up year after year. Within an individual enterprise, different business units, departments or audit groups may be utilizing similar controls, but each calls them something different and no one looks deeper to find the reasons for the repeat findings. Look at the root cause of the audit finding, rather than the symptom.
  • Shadow IT projects, also known as stealth IT projects, continue to bypass internal IT and deploy their own solutions. Consider, for example, an organization that experiences serious quality problems with new applications. Despite a sound software development process, operational problems continue to plague day-to-day operations. A root-cause investigation shows that the software development team is evaluated and rewarded only on timely delivery of its projects within budget; it is not measured against business benefit criteria.

The underlying cause of many of the items on this list is that there is no standard way of describing, in a common language, the critical business outcomes desired. Culture, ethics and behavior of individuals and of the enterprise are often underestimated as a critical success factor in governance and management activities. A common language is at the root of what makes a human culture distinctive. I was reminded of this recently on a trip to London: I was speaking English, but quickly learned that words do not have the same meaning when used in different cultures.

The COBIT 5 enabler of Culture, Ethics and Behavior provides additional thoughts on how important a common language between the business and IT, clear communication of organizational values, appropriate incentives and a demonstration of good behavior by senior leaders are to effective and efficient GEIT.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Preventing Attacks During Testing and Development



Testing and development environments are often less protected than production, yet they frequently hold copies of production data, which makes them an attractive target for attackers. To help organizations learn how to protect data during application development and testing, ISACA and Oracle have partnered to present the “Mitigate Attacks on Test and Development by Masking Sensitive Data” webinar. This webinar will take place on 26 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Development and testing usually require access to copies of production data, but copying that data into environments with weaker access controls, monitoring and patching exposes it to anyone who can reach those environments. Dinesh Rajasekharan, senior product manager for Oracle Database Security, will show webinar attendees how masking (replacing sensitive values with realistic substitutes) and subsetting (copying only the rows a test needs) reduce that exposure during testing and development.
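The masking and subsetting pattern the webinar describes, as an added example in Python that is not part of this ISACA page, the webinar material or Oracle's product. The customer and order tables, the field names, the region filter and the masking rules are all constructed here for illustration; the one design point worth carrying over is that pseudonyms are derived with a keyed HMAC so that foreign keys still join after masking, while the key itself stays on the production side.

```python
import hashlib
import hmac

# Constructed sample "production" tables (fabricated for this example, not real data).
CUSTOMERS = [
    {"id": 1, "name": "Alice Smith", "email": "alice@example.com", "ssn": "123-45-6789", "region": "EU"},
    {"id": 2, "name": "Bob Jones",   "email": "bob@example.com",   "ssn": "987-65-4321", "region": "US"},
    {"id": 3, "name": "Carol White", "email": "carol@example.com", "ssn": "555-55-5555", "region": "EU"},
]
ORDERS = [
    {"order_id": 100, "customer_id": 1, "amount": 25.00},
    {"order_id": 101, "customer_id": 2, "amount": 99.50},
    {"order_id": 102, "customer_id": 1, "amount": 12.25},
    {"order_id": 103, "customer_id": 3, "amount": 40.00},
]

SENSITIVE_FIELDS = ("name", "email", "ssn")


def token(secret: bytes, value: str, length: int = 8) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the value, truncated to `length` hex chars.

    The same input always yields the same token, so joins across tables still
    line up. The key stays with production tooling; it must never ship with the
    masked copy, or a tester could confirm guesses (e.g. every possible SSN)
    by re-tokenizing them.
    """
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_ssn(secret: bytes, ssn: str) -> str:
    """Format-preserving mask: keeps the NNN-NN-NNNN shape so input validators still pass."""
    digits = f"{int(token(secret, ssn, 12), 16) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def subset(customers, orders, region):
    """Keep only customers in one region and the orders that reference them."""
    kept = [c for c in customers if c["region"] == region]
    ids = {c["id"] for c in kept}
    return kept, [o for o in orders if o["customer_id"] in ids]


def mask_dataset(secret: bytes, customers, orders, region):
    """Subset, then mask every sensitive column, remapping foreign keys consistently."""
    kept_customers, kept_orders = subset(customers, orders, region)
    id_map = {}
    masked_customers = []
    for c in kept_customers:
        new_id = int(token(secret, f"customer:{c['id']}"), 16)
        id_map[c["id"]] = new_id
        masked_customers.append({
            "id": new_id,
            "name": f"Customer {token(secret, c['name'])}",
            "email": f"user{token(secret, c['email'])}@test.invalid",
            "ssn": mask_ssn(secret, c["ssn"]),
            "region": c["region"],  # not sensitive; kept so tests still exercise regional logic
        })
    masked_orders = [{**o, "customer_id": id_map[o["customer_id"]]} for o in kept_orders]
    return masked_customers, masked_orders


def leaked_values(original_customers, masked_customers):
    """Acceptance check: production values that survived masking (should be empty)."""
    sensitive = {c[f] for c in original_customers for f in SENSITIVE_FIELDS}
    return {v for m in masked_customers for v in m.values() if isinstance(v, str) and v in sensitive}


def orphaned_orders(masked_customers, masked_orders):
    """Acceptance check: orders whose customer was dropped or mis-remapped (should be empty)."""
    ids = {c["id"] for c in masked_customers}
    return [o["order_id"] for o in masked_orders if o["customer_id"] not in ids]


if __name__ == "__main__":
    key = b"production-side masking key (example only)"
    customers, orders = mask_dataset(key, CUSTOMERS, ORDERS, "EU")
    assert not leaked_values(CUSTOMERS, customers)
    assert not orphaned_orders(customers, orders)
    for row in customers + orders:
        print(row)
```

Run the two acceptance checks on every refresh of the test copy, not just once: a new column added to the production schema will pass straight through `mask_dataset` unmasked until someone adds it to the field list, and `leaked_values` is what catches that.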

To learn more about this webinar or to register for it, visit the Mitigate Attacks on Test and Development by Masking Sensitive Data page of the ISACA web site.


Developing an Audit/Assurance Program


The audit/assurance program is an important part of the audit process as it sets out what will be audited and how it will be audited. To create an audit program, it is essential to gather enough information to identify risk areas and develop sufficient testing. ISACA’s new publication IS Audit Tools and Techniques: Creating Audit Programs provides readers with information on how to develop an IS audit/assurance program.

By considering the audit process at a high level, IS Audit Tools and Techniques: Creating Audit Programs shows how audit and assurance programs can add value and achieve their objectives. Intended for IS audit professionals new to the field, this white paper provides a step-by-step guide on how to develop an IS audit/assurance program.

To download this white paper, visit the IS Audit Tools and Techniques: Creating Audit Programs page of the ISACA web site.


EuroCACS 2016: Learn to Prepare for Change


With rapid technology innovation, there are new opportunities and threats facing all types of businesses. The opening keynote speech “How Disruptive Technology Rewrites the Rules of Business” at ISACA’s European Computer Audit, Control and Security Conference (EuroCACS) will help attendees prepare for the rapidly changing technology environment. EuroCACS will take place from 30 May-1 June in Dublin, Ireland.

The pace at which technology is evolving is accelerating, so audit, governance and risk management professionals must be prepared for constant change. David Rowan, consumer trends expert and editor-in-chief of WIRED UK, will give the opening keynote. In it, he will help attendees understand which innovations may have a significant impact and how to better understand risk and control in this rapidly changing environment.

To attend this conference or learn more about the other sessions offered at EuroCACS, visit the EuroCACS 2016 page of the ISACA web site.


COBIT Celebrates 20th Anniversary


COBIT—now in its 5th version—turns 20 this year. In a new survey of the framework’s users, more than 9 in 10 say they would recommend COBIT 5 to others.

More than 3 in 4 survey respondents to ISACA’s 2016 survey of COBIT users indicate that COBIT 5 helps them address practical business issues beyond governance of enterprise IT (GEIT). The majority of respondents believe that their enterprises have a need for improvement in integrating business and IT, improving risk management, and improving cybersecurity, and those 3 areas were also identified as the top benefits enterprises can achieve through a framework such as COBIT.

To learn more about COBIT’s 20-year history, access infographics and testimonials, submit your own COBIT story, or participate in the #COBITturns20 social media conversation, visit www.isaca.org/cobit-turns-20.


Connect With ISACA on Instagram


To help us keep our global community of more than 140,000 business and information systems professionals connected, ISACA has added Instagram to our social media channels. Our Instagram account will give you a sneak peek into what goes on at the ISACA office, local chapter events and ISACA’s global conferences.

Visit ISACA’s Instagram account to see what exciting events and innovations we have already shared and add your likes, comments and insights. When you go to ISACA events, take photos and post them from your own account. Do not forget to tag @isacanews or use #ISACA in the caption.

Do you want your chapter’s events to be featured on ISACA’s Instagram page? Email your photos to socialmedia@isaca.org with a brief description of the event and photo caption for a chance to be featured.

Connect with ISACA on Instagram today!


Resolving Certification Revocation


Individuals who did not complete the 2016 certification renewal process by either not paying the annual maintenance fee or not reporting the required continuing professional education (CPE) hours had their certification revoked on 31 March 2016 for failure to comply with the certification maintenance policy.

Revoked individuals are notified of revocation by email and hard copy letter and have 60 days from the revocation date to address the revocation of their certification. If there is a balance due for the 2016 certification maintenance fee, payment can be made online at www.isaca.org/reinstate. CPE hours for 2015 can be entered at www.isaca.org/reportCPE. If the required actions to satisfy the 2016 renewal are taken within the first 60 days after revocation, individuals will be able to view their renewed status in their record upon completion. All appeal requests received after 60 days must include a detailed explanation for the appeal along with CPE documentation. Appeals accepted after 60 days will incur a US $50 reinstatement fee. If you believe that an error has been made and you are in compliance with the CPE policy, contact the certification department at +1.847.660.5660 or at certification@isaca.org.

When you log into your MyISACA page, your certification dashboard will provide an overview of your certification status, including what was needed to complete the renewal for the 2016 year. If the renewal was not complete for 2016, ask yourself:

  • Did I pay my annual maintenance fee?
  • Did I report the minimum yearly requirement of 20 CPE for the 2015 cycle year?
  • If 2015 is the 3rd year in my CPE cycle, did I report the minimum requirement of 120 CPE for the 3-year cycle ending on 31 December 2015?

CPE policies can be viewed on the Maintain Your CISA, CISM, CGEIT and CRISC page of the ISACA web site. If you are unsure if a particular activity qualifies for CPE, pages 4 and 5 of the CPE policy define the qualifying CPE activities. It is important to note that some of the qualifying activities have annual limits. For those activities with qualifying limits, any hours over what is allowed will not be included in the CPE total.

Questions? Contact certification@isaca.org.