@ISACA Volume 3: 3 February 2010 

@ISACA Relevant, Timely News


The “Plaid-ing” of Business and IT
Emil D’Angelo, CISA, CISM, 2009-2010 ISACA International President

My daughter recently showed me a new clothing purchase and told me that “plaid is the new black.” When I looked blankly at her, she further explained that her phrase means that plaid—which has become the general term for cloth with crisscrossed lines of different colors—is now “cool” and has become a staple in her wardrobe.

Looking at her purchase made me think of how business objectives and IT objectives in the past often operated as parallel lines. IT was often considered as an afterthought and as separate from business strategy. Over the last years, though, this has changed dramatically. Business and IT objectives are now more like plaid—with many intersections and reliance on each other for the complete picture.

The material for plaid can be used anywhere that cloth is needed, just as the COBIT®, Val IT™: Based on COBIT® and Risk IT: Based on COBIT® frameworks can be customized for any enterprise, regardless of size, industry, geographic location or other factors. ISACA has long been a leader in this area, especially starting with the introduction of COBIT nearly 15 years ago.

As we continually revise and update all three frameworks, I would like to send a sincere thank you to the thousands of professionals around the world who have contributed to these frameworks and all of their related materials. I may never understand the inner workings of fashion, but I do know that ISACA knows how to keep up with—and more often be a leader in—the “plaid-ing” of business and IT.


ISACA Announces New CRISC Certification

ISACA will be offering a new risk-related certification in April 2010. The Certified in Risk and Information Systems Control™ (CRISC™) designation is designed for IT professionals who identify and manage risks through the development, implementation and maintenance of appropriate information systems (IS) controls to help enterprises accomplish business objectives, such as effective and efficient operations, reliable financial reporting, and compliance with relevant regulatory and legislative requirements.

The CRISC (pronounced see-risk) certification focuses on:
  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • IS control design and implementation
  • IS control monitoring and maintenance
The new credential complements ISACA’s existing certifications:
  • While CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness, CRISC is for IT and business professionals who design, implement and maintain IS controls.
  • While CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risks, CRISC is for IT professionals whose roles also encompass operational and compliance considerations.
  • While CGEIT is for IT and business professionals who have a significant management, advisory or assurance role relating to the governance of IT, including risk management, CRISC is for the IT and business professionals who are engaged at an operational level to mitigate risk.

A grandfathering program, through which experienced professionals can obtain the certification without taking the exam, will open in April. The first CRISC exam will be held in 2011.

Click here to learn more about this latest certification from ISACA.


Conference to Offer Real-life, Hands-on Content
North America CACS • Chicago, Illinois, USA • 18-22 April 2010

Jeff Krull, CISA, CPA, North America CACS program selection committee chair and senior manager with PricewaterhouseCoopers, offers his thoughts on this year’s conference.

Question What industry trend(s) will be addressed at the conference?

Answer The North America Computer Audit, Control and Security (CACS℠) conference is a unique conference in that the size and attendance levels allow it to cover core topics that would be of interest to newer professionals, emerging topics that those in the middle of their career would find valuable and interesting, and more executive topics, such as governance, that senior management and executives would find useful. This year, we have sessions covering everything from auditing databases to enterprise resource planning (ERP) security to fraud and governance.

Question Will any new sessions or products be introduced at the conference?

Answer The selection committee is always looking for topics that would be interesting and new. In addition to the audit tracks (which remain the same), many of this year’s track themes have been revised. Two new tracks have been developed:

  • Track 3, Techniques for Evaluating Business Practices and for Evaluating Professional Development, will guide the IT auditor to translate IT risk and issues into overall business risk and exposures that the organization’s management and audit committees can understand and address.
  • Track 4, Emerging Issues and ISACA Research, will explore the concepts and terminology of emerging issues related to IT governance, IT frameworks and IT risk management. Sessions include discussions of ISACA’s new models and frameworks, such as the Business Model for Information Security (BMIS) and Risk IT: Based on COBIT®. Each session in this track combines practical business knowledge, using examples and cases to illustrate best practices for today’s IT assurance professional.

Question What is an example of practical content available at the conference that attendees will be able to implement when they get back to the office?

Answer Based on the feedback we have received in prior years, we are really striving this year to include more case studies and real-life examples in the sessions. Presenters have been requested to provide sessions that are practical and interactive. There are many interactive panel discussions and case studies.

The IT Audit Core Competencies track will provide participants real and hands-on ways to audit different technologies and platforms, including Active Directory, UNIX, and Linux. Through the other tracks, we cover topics such as auditing SAP and Oracle.

Question Is there any notable topic of industry or regional significance that might come up during the conference?

Answer Some sessions will focus on the hot topics of the health care industry and related privacy issues as well as social media privacy concerns.

Question Tell us about the keynote speaker.

Answer This year’s keynote speaker, Cynthia Cooper, is well known for unraveling the fraud at WorldCom in 2002, one of the largest corporate frauds in history. She is an internationally recognized speaker on ethical leadership, the current economic crises and recent scandals. One of Time Magazine’s 2002 Persons of the Year, she is also a recipient, along with US Senator Sarbanes and Representative Oxley, of the Maria & Sidney E. Rolfe Award for contributions to educating the public about economics, business and finance. She was inducted into the AICPA Hall of Fame in 2004 and is the first woman to receive this distinction. We are looking forward to her unique presentation, titled Ethical Leadership in the 21st Century.


Six Tips for Incident Response
By Leighton Johnson, CISA, CISM, CISSP, CIFI

  1. Be prepared for incident response. You must have tools, techniques, team members and training all completed before you respond to the computer incident. Also, corporate policies, procedures and guidelines for response need to be in place.
  2. Properly identify the incident. Is the event simply an unusual activity, or can you identify it as suspicious? If so, what are the surrounding activities? Are there multiple reports of issues on the network, or is it confined to one machine or location? Some of the areas to check include suspicious entries in system or network accounting, unexplained new user accounts and unexplained new files.
  3. Contain the incident and its effects. Change passwords for elevated privilege accounts and review computer trust relationships as fast as possible when an incident is identified. Protect and, where possible, keep the critical information resources available to the primary users.
  4. Remove the issue as soon as is realistically possible. Where applicable, update and run your antivirus and antispyware programs. Review and, if necessary, rebuild the operating system software. Remove the infected software using approved removal software.
  5. Return the infected system to operational use as soon as feasible. Remember there are two areas of focus for incident response: recovery and, potentially, prosecution.
  6. Follow up with responders for improvements to the process. Check with the operational staff in areas where data or information was compromised.
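The identification step above lists three things to check: suspicious entries in system or network accounting, unexplained new user accounts and unexplained new files. The following script is an added example, not part of the original article, that shows how a prepared baseline (tip 1) turns those checks into a repeatable comparison during tip 2. The account lists, file hashes and auth log lines are all constructed for the example; the hash strings are placeholders, not real digests, and the log format is a simplified syslog-like layout assumed for illustration.

```python
"""Added example: baseline comparison and accounting-log review for incident
identification. All data here is constructed for illustration."""
from collections import Counter

# Constructed baseline captured during preparation: known accounts and known
# files with their hashes (placeholder values, not real digests).
BASELINE_ACCOUNTS = {"root", "alice", "bob", "www-data"}
BASELINE_FILES = {
    "/etc/passwd": "h-passwd-v1",
    "/usr/bin/ssh": "h-ssh-v1",
    "/var/www/index.html": "h-index-v1",
}

# Constructed "current" snapshot taken on the machine under investigation.
CURRENT_ACCOUNTS = {"root", "alice", "bob", "www-data", "svc_backup2"}
CURRENT_FILES = {
    "/etc/passwd": "h-passwd-v2",       # changed since baseline
    "/usr/bin/ssh": "h-ssh-v1",
    "/var/www/index.html": "h-index-v1",
    "/tmp/.x/run.sh": "h-run-v1",       # not in baseline
}

# Constructed accounting lines in an assumed simplified syslog-like form:
# "<timestamp> <host> <event> user=<name> src=<ip>"
AUTH_LOG = """\
2010-02-01T02:11:03 web01 login_failed user=alice src=203.0.113.7
2010-02-01T02:11:05 web01 login_failed user=alice src=203.0.113.7
2010-02-01T02:11:08 web01 login_failed user=alice src=203.0.113.7
2010-02-01T02:11:09 web01 login_failed user=alice src=203.0.113.7
2010-02-01T02:11:12 web01 login_failed user=alice src=203.0.113.7
2010-02-01T02:11:40 web01 login_ok user=alice src=203.0.113.7
2010-02-01T02:30:22 web01 useradd user=svc_backup2 src=203.0.113.7
2010-02-01T09:15:00 web01 login_ok user=bob src=198.51.100.4
"""


def diff_accounts(baseline, current):
    """Accounts present now that were not in the baseline (unexplained new accounts)."""
    return sorted(set(current) - set(baseline))


def diff_files(baseline, current):
    """Files that are new, or whose hash changed, since the baseline."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def parse_auth_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": ts, "host": host, "event": event, **fields}


def suspicious_auth_entries(log_text, fail_threshold=5):
    """Flag a successful login preceded by >= fail_threshold failures from the
    same (user, src) pair, and every account-creation event, for review."""
    findings = []
    failures = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_auth_line(raw)
        key = (e["user"], e["src"])
        if e["event"] == "login_failed":
            failures[key] += 1
        elif e["event"] == "login_ok":
            if failures[key] >= fail_threshold:
                findings.append(("brute_force_then_success", e["user"], e["src"], e["ts"]))
            failures[key] = 0  # a success resets the streak for that pair
        elif e["event"] == "useradd":
            findings.append(("account_created", e["user"], e["src"], e["ts"]))
    return findings


def triage(baseline_accounts, current_accounts, baseline_files, current_files, log_text):
    """Run all three identification checks and return one report dict."""
    new_files, modified_files = diff_files(baseline_files, current_files)
    return {
        "new_accounts": diff_accounts(baseline_accounts, current_accounts),
        "new_files": new_files,
        "modified_files": modified_files,
        "auth_findings": suspicious_auth_entries(log_text),
    }


if __name__ == "__main__":
    report = triage(BASELINE_ACCOUNTS, CURRENT_ACCOUNTS, BASELINE_FILES, CURRENT_FILES, AUTH_LOG)
    for name, value in report.items():
        print(f"{name}: {value}")
```

On the constructed data the report ties the three checks together: the new account `svc_backup2` appears alongside a changed `/etc/passwd` and a `useradd` event from the same source address that had just succeeded after five failed logins, which is exactly the kind of correlated picture the identification step is meant to produce before moving on to containment.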

Leighton Johnson, CISA, CISM, CISSP, CIFI, is a senior security consultant for the Information Security & Forensics Management Team.


Volunteer Opportunities Closing Soon

Do not miss your chance to volunteer to work with ISACA on one of the subcommittees, committees or boards during the 2010-2011 term. The Invitation to Participate will close on 25 February 2010 and ISACA leadership is eager to have members involved.

Volunteering with ISACA offers many rewards, including networking opportunities and a chance to learn more about ISACA operations. Furthermore, volunteerism is looked upon favorably by many employers, as it provides hands-on experience and job-related skills training for current and future industry leaders, including communication and interpersonal skills.


Global Industry Leaders to Share IT Audit Solutions
Asia-Pacific CACS • Mumbai, India • 22-23 February 2010

The Asia-Pacific Computer Audit, Control and Security (CACS℠) conference is returning to Mumbai, India, with a host of industry leaders from around the world as featured presenters. The ISACA chapters in India are renowned for their active education calendar. The 2010 Asia-Pacific CACS complements local efforts by bringing an international perspective on universal issues.

The event offers real-world examples and practical solutions presented in a collaborative environment where the presenters engage the audience with case studies, group exercises and open discussions. The presenters are from companies and organizations recognized around the world as leaders in information technology, audit, security and governance, such as Citigroup, Chevron and eBay.

Attendees will learn about traps IT governance professionals should avoid and how to make IT audit more relevant for the enterprise. Sessions will discuss auditing wireless networks as well as preserving digital evidence. Presenters will share their experiences with service-oriented architecture, cyberwarfare and digital rights management.

The conference hotel is near the airport to avoid the congestion of Mumbai’s financial district and to make it as easy as possible for those traveling from abroad.

Attend the 2010 Asia-Pacific CACS conference on 21 and 22 February in Mumbai. Click here for additional information and to register.

