@ISACA Volume 1: 7 January 2010 

@ISACA Relevant, Timely News


What Is ISACA?

Learn the Answer in 58 Words
Although ISACA is now in its 41st year of existence with a worldwide membership, there still are times when members and other constituents are asked, “What exactly is ISACA?” After review and comments from ISACA’s leadership, staff and an external consultant, the following paragraph was developed to clearly describe what ISACA is and what our vibrant association does. Click here to access a page with this key message, along with five supporting messages.

ISACA key message:
As an independent, nonprofit global membership association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. ISACA helps its members achieve individual and organizational success, resulting in greater trust in, and value from, information systems. Its members and certification holders are qualified and skilled professionals who make a difference.


How Can the Cloud Impact Your Business?
A Conversation With Jeff Spivey, CPP, Development Team Chair

Question To whom is the Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives white paper written? What titles and roles will benefit the most from the publication, and how?

Answer The white paper was written for people who are currently hearing about or considering cloud computing. It is appropriate for people at all levels who are interested in a brief overview regarding benefits and risks of the cloud. As stakeholders who have a vested interest, the chief executive officer (CEO), chief information officer (CIO), chief risk officer (CRO), chief administrative officer (CAO), chief information security officer (CISO) and chief security officer (CSO) will all find value in the white paper.

Readers will come away from the publication with a solid understanding of how the cloud can impact their business. They will also have an idea of what type of issues need to be considered when evaluating whether the cloud can propel or hinder business.

Question Why and how was the book developed?

Answer Understanding the potential benefits and risks of cloud computing is essential as the service offering has become ubiquitous. To develop the publication, ISACA worked with industry experts as well as members of the Cloud Security Alliance to identify business benefits and risks as well as governance, assurance and security initiatives.

Question Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer Readers will gain a business perspective on this emergent technology while better understanding existing and new risks. The main goals of the paper are to introduce the reader to cloud computing services and their potential business benefits and risks. While many publications have identified different service offerings that may be considered within the enterprise or as an outsourced service from a cloud provider, this white paper identifies specific areas to consider in governance, assurance and security in cloud computing.

Click here to download the complimentary white paper.


10 Tips for Risk Management
By Victor Chapela

  1. Use “intent” to separate intentional risks (hacking or fraud) from unintentional risks (availability). The types of risk are completely different to manage and each requires different types of controls to mitigate.
  2. For unintentional risks, most of which are availability incidents, use a standard business impact analysis (BIA) to assess risks and business continuity plan (BCP) to mitigate them.
  3. For intentional risks, however, determine impact as the external value of your information. How much is it worth to an employee, to the press, to your competition or to organized crime?
  4. Classify your information based on this external value, and define policies and standards to protect high-risk information.
  5. From the universe of possible risks, prioritize by focusing on those that have occurred and have been published. Out of those, determine which are applicable to your organization. Finally, establish which have a higher, recurrent long-term value to an attacker. The latter group should have the highest priority in the risk management plan.
  6. In protecting against intentional risks, determine which assets store, process or transmit high-risk information. Most important, create an inventory of the accounts, groups and privileges that have access to it.
  7. Evaluating, filtering, restricting and monitoring the accounts with access to high-risk information are the most efficient ways to mitigate intentional risk.
  8. If a specific risk cannot be mitigated, have the data owners sign a temporary risk acceptance statement. Always include an expiration date, after which the risk must be addressed.
  9. Implement a risk management process that can periodically reassess risk, recommend mitigation controls, collect risk acceptance statements, manage mitigation projects and maintain a risk inventory.
  10. Senior management sponsorship is essential for risk management to be efficient and effective. Fortunately, it tends to be easier for them to understand risk management than other security-related disciplines.
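The tips above describe one process: separate risks by intent, value information by what it is worth to an outsider, find the systems and accounts that touch the high-value information, and keep risk acceptances on a clock. The following script is an added illustration of that process and is not code from the article, from Sm4rt or from ISACA; the value threshold, the asset, system and account data, and the acceptance records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumption (constructed): an external value at or above this amount makes
# information "high-risk" under tip 4. A real program sets this per business.
HIGH_RISK_THRESHOLD = 100_000


@dataclass
class InfoAsset:
    name: str
    external_value: int   # tip 3: what the information is worth to an outsider
    intentional: bool     # tip 1: True = hacking/fraud exposure, False = availability


@dataclass
class System:
    name: str
    assets: List[str]                 # information stored, processed or transmitted here
    access: Dict[str, List[str]]      # account -> privileges on this system


@dataclass
class RiskAcceptance:
    asset: str
    owner: str
    expires: date                     # tip 8: every acceptance carries an expiry


def triage(asset: InfoAsset) -> str:
    """Tips 1-4: availability risks go to BIA/BCP; intentional risks are
    classified by external value."""
    if not asset.intentional:
        return "availability"
    return "high" if asset.external_value >= HIGH_RISK_THRESHOLD else "standard"


def high_risk_systems(assets: List[InfoAsset], systems: List[System]) -> List[str]:
    """Tip 6: systems that store, process or transmit high-risk information."""
    high = {a.name for a in assets if triage(a) == "high"}
    return sorted(s.name for s in systems if high & set(s.assets))


def account_inventory(assets: List[InfoAsset], systems: List[System]) -> Dict[str, List[str]]:
    """Tips 6-7: each account mapped to the high-risk assets it can reach,
    across every system it has privileges on."""
    high = {a.name for a in assets if triage(a) == "high"}
    inventory: Dict[str, set] = {}
    for system in systems:
        reachable = high & set(system.assets)
        if not reachable:
            continue
        for account in system.access:
            inventory.setdefault(account, set()).update(reachable)
    return {acct: sorted(names) for acct, names in sorted(inventory.items())}


def prioritized_accounts(assets: List[InfoAsset], systems: List[System]) -> List[str]:
    """Tip 7: review first the accounts that reach the most high-risk assets
    (ties broken alphabetically)."""
    inventory = account_inventory(assets, systems)
    return sorted(inventory, key=lambda acct: (-len(inventory[acct]), acct))


def expired_acceptances(acceptances: List[RiskAcceptance], today: date) -> List[str]:
    """Tip 8: acceptances past their expiry date must be addressed again."""
    return sorted(r.asset for r in acceptances if r.expires < today)


# Constructed sample data for the example.
ASSETS = [
    InfoAsset("customer card data", 500_000, intentional=True),
    InfoAsset("payroll records", 150_000, intentional=True),
    InfoAsset("marketing plan", 20_000, intentional=True),
    InfoAsset("web storefront uptime", 0, intentional=False),
]
SYSTEMS = [
    System("erp", ["payroll records"], {"alice": ["read"], "svc_batch": ["read", "write"]}),
    System("payments-db", ["customer card data"], {"bob": ["dba"], "svc_batch": ["read"]}),
    System("wiki", ["marketing plan"], {"alice": ["read"], "carol": ["edit"]}),
]
ACCEPTANCES = [
    RiskAcceptance("payroll records", "cfo", date(2010, 6, 30)),
    RiskAcceptance("marketing plan", "cmo", date(2009, 12, 31)),
]
TODAY = date(2010, 1, 7)


def risk_register(assets=ASSETS, systems=SYSTEMS, acceptances=ACCEPTANCES, today=TODAY) -> dict:
    """Tip 9: one reassessable snapshot of the risk inventory."""
    return {
        "triage": {a.name: triage(a) for a in assets},
        "high_risk_systems": high_risk_systems(assets, systems),
        "account_inventory": account_inventory(assets, systems),
        "review_order": prioritized_accounts(assets, systems),
        "expired_acceptances": expired_acceptances(acceptances, today),
    }


if __name__ == "__main__":
    for key, value in risk_register().items():
        print(f"{key}: {value}")
```

The service account `svc_batch` surfaces at the top of the review order because it reaches two high-risk assets on two different systems, which is exactly the kind of privilege an inventory-by-system view would miss; the expired acceptance for the marketing plan shows up regardless of its low value, because tip 8 is about the clock, not the classification.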

For more information on IT risk management, download ISACA’s new Risk IT framework publications.

Victor Chapela is founder and CEO of Sm4rt Security Services. He is coauthoring a book on the evolution of risk and is a frequent speaker at conferences around the world.


Renovated Web Site to Provide a Personalized Experience

Driven by your personal interests and settings, the new site’s customizable “MyISACA” home page will be your source for all new happenings throughout the association.

“MyISACA” will make it easy to utilize all of the thought-leading publication, event and update benefits included with your ISACA membership, including:
  • Local and topical events—Quickly view events in your local area or focused on your interests.
  • Local chapter updates—Stay current with your local chapter through upcoming events, news and professional networking.
  • Individual notifications—Get personalized updates on the status of your certifications, your continuing professional education (CPE) credits and your membership status.
  • Relevant suggestions—Based on your interests and activity, see applicable ISACA research, news, events and more—personalized specifically for you.

Launching in mid-2010, the new ISACA web site is an exciting advancement. Learn more about the new features in upcoming issues of @ISACA.


Submit Your BoD Nominations Now

Do not miss your chance to make a nomination for the 2010-2011 ISACA Board of Directors (BoD). The Call for Nominations will close on 28 January 2010 and the Nominating Committee wants to hear from you.

By nominating a colleague—or yourself—to serve on the board, you can influence the future direction of ISACA.


Award to Honor Information and Communications Achievement

Information and communications is one of the two fields of study eligible for the 2011 Japan Prizes, one of the most prestigious international awards in science and technology, from the Science and Technology Foundation of Japan. The other eligible field of study is bioscience and medical science.

The Foundation is encouraging prominent scientists and researchers worldwide to nominate candidates in these two fields whose original and outstanding achievements in science and technology have advanced the frontiers of knowledge and served the cause of peace and prosperity for mankind. In the field of information and communications, the 2011 Japan Prize will honor the recipient for achievements that have brought about remarkable progress in information and communications and made outstanding contributions to society by improving the safety and convenience of the lives of people through the creation of new industries and improvement in productivity, among other innovations.

The 2010 winners will be announced in mid-January 2011. Each Japan Prize laureate will receive a certificate of merit and a commemorative gold medal. A monetary award of ¥50 million will be presented for each prize category.

Visit the Foundation’s web site to learn more about the awards and how to provide nominations.


Practical Issues Drive Topics at Upcoming Conference

Information Security and Risk Management Conference • Bogota, Colombia • 1-2 March 2010

Julio Ardita, CISM, program committee chair and CTO at CYBSEC, offers his thoughts on this year’s conference.

Question What can we expect from the tracks and topics of the 2010 Information Security and Risk Management Conference in Latin America? What makes this conference stand out from its peers?

Answer The topics chosen for this conference make an ideal combination that will attract experts at the technical as well as management levels. The conference is unique as its goal is to help attendees deal with practical issues. That is, it will delve into our own user experiences, showing us how to solve problems that we are finding in the region.

The conference will have two tracks, one at the management level and the other focusing on the implementation of practical aspects. In the first track, the main issues will be governance and risk, which are priorities in Latin America. The practical aspects track will include several solutions to problems shared by those in charge of security in the region.

Question Please describe the speakers for this year’s conference and how they were chosen.

Answer Speakers for this year’s conference were selected through an analysis process. First, the Program Committee selected the priority issues for the conference at both management and practical levels. Next, an internal call for papers was carried out. And, finally, the potential speakers’ proposals, expertise and experience were assessed by the members of the Program Committee. Ultimately, an interesting mix of speakers was chosen.

Question What do you find to be the greatest benefit of volunteering on the Program Committee?

Answer Having worked on several conferences for ISACA and other international organizations, I find that the main benefit of volunteering on the ISACA program committees is the opportunity to network with other colleagues, members of ISACA, in Latin America. These networking opportunities allow us to work together to analyze and bring forward solutions that apply to our countries specifically. I consider volunteering to be a very positive experience, as it enables creating a network beyond company colleagues.


GAPP Updated Due to Security Concerns

In response to a spike in identity theft and increasing storage of personal information on portable devices, Generally Accepted Privacy Principles (GAPP) has been updated to include protocols for securing personal information. This internationally recognized privacy framework is available in two versions, one for business management and one for professionals who work in public practice and provide consulting and attestation/audit services. Copies of the principles and additional privacy resources are available from AICPA and CICA.

“Safeguarding personal information is one of the most challenging responsibilities facing an organization, whether that information pertains to employees or customers,” said Everett C. Johnson, CPA, past international president of ISACA and chair of the AICPA/CICA Privacy Task Force. “We’ve updated the criteria of our privacy principles to minimize the risks to personal information.”

Several organizations—including ISACA—worked with the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) on the update, providing subject matter expert review and input.

