@ISACA Volume 11: 26 May 2010 

@ISACA Relevant, Timely News

Career Guide Offers Advice to Prospective Assurance Professionals
A Conversation With Author Derek J. Oliver, Ph.D., CISA, CISM, CEO, Ravenswood Consultants Ltd.

Question Why and how was Career Seeker’s Guide to Information Security and Assurance Opportunities developed?

Answer The publication was produced at the request of ISACA’s Young Professionals Subcommittee. As a former member of the CISA Certification Board, the founding chair of the CISM Test Enhancement Committee and a current co-chair of the COBIT 5 Task Force, I worked with ISACA staff and volunteers to develop the publication on behalf of ISACA. Development took place in both the UK and US, but with a mind to the types of work involved in the assurance profession across the globe.

We geared the publication toward students who may be considering a career in the assurance profession. Young people currently studying at school or college, undertaking basic qualifications and considering what further education and training courses they should undertake will most benefit from it.

It can act as a guide regarding the direction their studies should take—technical courses in IT or more business-related courses—depending on their technical competence, interests and where they see their longer-term path going.

Question Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer The primary goal is to inform and advise young persons, especially those at school or college, on what opportunities exist at the “entry level” in the information security and IS audit professions.

The publication identifies the types of entry-level jobs in each profession, the nature of the work involved, the type of organization (e.g., government, commerce, consultancy) that is most likely to welcome entry-level staff, to what extent a detailed technical knowledge is necessary, and the professional certifications that would be most useful.

Question What makes this publication unique and valuable to the reader?

Answer No other publication simplifies the entry-level positions that may be available in both information security and IS audit with such a comprehensive review of the work involved, technical competence required and suggested qualifications and certifications.

The publication is scheduled to be available in the ISACA Bookstore in the third quarter of 2010.


Retired Status Policy Changes for ISACA Certifications

ISACA® greatly appreciates the dedication of its constituents and specifically wishes to recognize the commitment to the profession of ISACA certified professionals who are in permanent retired certification status (independent of retired membership status).

Beginning 1 May 2010, those who apply and qualify for “permanent retired” certification status will be provided a certificate of appreciation in the year they retire (or 2010 if currently in retired certification status) and will not be required to pay an annual fee to remain in permanent retired certification status.

To qualify for permanent retired certification status, an individual must have been certified in good standing for a minimum of five years, be 55 years of age or older, and be permanently retired from the profession covered by their certification(s) or unable to perform their duties by reason of permanent disability. This is a permanent status and passage of the corresponding exam and reapplying for certification would be required to return to active status.

Please contact the ISACA certification department at certification@isaca.org with any questions.


10 Tips for IT Supply Chain Security and Risk Management

  1. If clients or partners ask you to fill out a questionnaire that includes sensitive information about how you secure their data, make sure you ask them for the same or allow them to view the information onsite only, at your premises. This ensures that your sensitive security information is cared for properly in its environment.
  2. Always include a right-to-audit statement in your contracts with vendors and partners that allows you to perform security audits of their environments with limited or no notice.
  3. When utilizing custom-code development services, make sure you have the source code reviewed by a reputable third party or use source-code scanning tools to ensure that bugs and security vulnerabilities are exposed and remediated prior to acceptance and implementation.
  4. For critical IT functions that you outsource, ensure you have at least two vendors who can provide the same quality and quantity of IT services, so that the failure of any one vendor does not leave you without coverage.
  5. Develop and maintain business process maps, which detail all IT supply chain dependencies and requirements for key business processes.
  6. Conduct random security audits of vendors’ facilities and capabilities at least once per year.
  7. Categorize your vendors based on the level of access to sensitive materials they work with or access, and apply controls and oversight based on this categorization.
  8. Meet with vendors in your IT supply chain at least once per year to brief them on your policies, requirements and expectations of how they will secure your information.
  9. Develop an information security intelligence sharing network among the vendors in your IT supply chain to share insights and information on a regular basis.
  10. Establish and monitor key performance indicators, and thresholds for those indicators, for key IT business processes that utilize third-party capabilities, to provide intelligence about the health and safety of your IT supply chain.

John P. Pironti, CISA, CISM, CGEIT, ISSAP, ISSMP, is the president of IP Architects LLC.


ISRM Focuses on Cloud Computing, Offering a Conference Within a Conference
Information Security and Risk Management Conference • Las Vegas, Nevada, USA • 13-15 September

Ramses Gallego, CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt, chairman of the Information Security and Risk Management Conference Committee and general manager with Entel Security & Risk Management, offers his thoughts on this year’s conference.

Question Please describe the theme and the reasons that it was chosen for this year’s conference.

Answer This year’s Information Security and Risk Management (ISRM) Conference is well designed to fit ISACA’s new vision statement: trust in, and value from, information systems. There are four tracks, each with one discipline in mind, that will provide attendees a detailed perspective on security governance, standards and compliance, security technology, and risk management. The development of this year’s ISRM Conference has included input resulting from feedback from previous conferences as well as surveys of the constituencies.

Question Will this conference include any new or unique features or session formats (e.g., roundtables, webinar broadcasts, social networking)?

Answer Following feedback from previous years and industry developments, this year’s conference will offer a cloud computing “conference within a conference.” Attendees can choose from seven sessions on the topic of cloud computing that will address issues such as audit and access control, the assurance framework, identity management, and security challenges.

Additionally, the ISRM Conference will include a summary session at the beginning of each day that will cover what was discussed the previous day and prepare you for the current day of sessions. The aim is to provide you with additional information on sessions you were not able to attend and details on what your options are for the current day, so you can be sure to attend the sessions that are most relevant to you.

Question What industry trend(s) will be addressed at the conference?

Answer The ISRM Conference welcomes a new type of security conversation in which many worlds meet: auditing, managing and governing. Attendees will be able to discover a new way of thinking about their information security and risk management initiatives. The ISRM Conference has been designed with an eye on the cloud computing environment, as well as the importance of a proper process for evidence gathering, forensics and security outsourcing. The sessions have been tailored to go deep into the field, with subject matter experts who will share their knowledge and visions on that topic.

The conference will address what needs to be considered in a service-oriented architecture (SOA) environment from the security perspective, as well as cover in depth disciplines such as e-discovery, modern cyberthreats and the need to consider risk mitigation in social networking sites.

Question What is an example of practical content available at the conference that attendees will be able to implement when they get back to the office?

Answer Lessons learned will come from experiences that are shared. When creating the conference, we understood that the world is changing and that we, in the security arena, need to expect the unexpected. Therefore, the agenda and sessions were created so that attendees can learn from experiences in the field, what is really happening out there and how security professionals are addressing their needs when it comes to protecting one of the most important assets of a company: its information. The preconference workshops are designed to be very practical and many sessions will show real-life environments, experiences and solutions.


Book Review: Information Technology Governance and Service Management: Frameworks and Adaptations
Reviewed by Sarathy BSP Emani, CISA, CISM

Information Technology Governance and Service Management: Frameworks and Adaptations, edited by Aileen Cater-Steel, is a rich source of information and an asset for CIOs or any board representative responsible for analyzing and implementing IT governance. This book is a compilation of the latest research outcomes in the areas of IT governance and service management.

Fifty-four authors and researchers from various countries, including Australia, Germany, Israel, Korea, Mexico, New Zealand, The Netherlands, Norway, the UK and the US, have submitted their findings in a research report format. The individual and comparative studies included, but were not limited to, large service-sector firms, higher education environments and public-sector audit offices.

This book is organized in four sections comprising 24 chapters:
  • Section one provides a review of IT governance research.
  • Section two includes several IT governance case studies.
  • Section three examines IT governance and its relationship to business and other frameworks.
  • Section four provides a look at IT service management frameworks.

The strengths of this book include its:
  • Coverage of most of the frameworks for IT governance and service management, discussed individually and comparatively
  • Up-to-date reviews of literature
  • Case studies, which provide empirical evidence of experiences of various organizations in various countries
  • Coverage of IT governance as part of corporate governance
  • Comparisons of maturity levels among organizations in several COBIT® IT processes

Information Technology Governance and Service Management: Frameworks and Adaptations is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore or e-mail bookstore@isaca.org.

Sarathy BSP Emani, CISA, CISM, has more than 25 years of experience and is the proprietor of MEQPRIMA Advisory Services, an organization doing research in software process and quality improvement. He is a member of the ISACA Publications Subcommittee.
