@ISACA Volume 4: 17 February 2010 

@ISACA Relevant, Timely News


The Value of ISACA Membership

At business meetings, in blogs, at industry conferences and even in social situations, the topic of ISACA and its value to members has arisen. The following paragraph was developed to clearly describe how ISACA serves its members and helps them provide added value to their enterprises. Click here for a page with this member value message, along with an overarching key message for the association and four other supporting messages.

ISACA message on member value:
Members rely on ISACA for resources that enhance their skills, expand their professional knowledge and connect them with a vibrant community of peers. Many professionals worldwide consider membership in ISACA essential to their ongoing education, career progression and value delivery to their enterprises.


Tips for the IT Auditor—Securing Web Applications

Web applications are in widespread use in organizations today and are routinely targeted by attackers. In addition, web technologies are used extensively to support internal processes such as access requests, change control and management reporting. Most web applications are accessible externally by clients and may be connected to back-end systems that hold sensitive customer information.

Securing web applications is critical in safeguarding an organization’s environment and data. Here are a few tips for the IT auditor when ensuring that web applications have appropriate security controls:
  1. Ensure secure coding practices are implemented by developers, including:
    • Safeguarding against commonly known web application vulnerabilities (the Open Web Application Security Project [OWASP] is a useful resource)
    • Conducting application source-code reviews
    • Independently assessing the web application security
  2. Include security within each phase of the application life cycle:
    • Requirements gathering phase—Includes encryption, application privileges and input validation
    • Design phase—Includes access controls and auditing
    • Implementation phase—Includes security testing and software development
    • Installation and configuration—Includes securing custom code, libraries and applicable systems (e.g., web, application, database)
  3. Implement application-level firewalls to enforce security policies between the web application and the client.
  4. Regularly test the web application. Automated scans include:
    • An application source-code analyzer
    • Web application security vulnerability assessment
    • External and internal penetration testing
  5. Regularly conduct web application audits to ensure that the software meets current industry standards for securing a web application.
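As an added illustration of item 1 (this code is not from the newsletter or its author), the following shows the kind of defect a source-code review should flag, a query assembled from unvalidated input, next to a hardened form that combines input validation with a parameterised query. The in-memory SQLite table, its two users and the crafted input are constructed for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is pasted straight into the SQL text. A code review
    # or source-code analyzer should flag this pattern: the database cannot
    # tell where the query ends and the attacker-controlled data begins.
    sql = f"SELECT username, card_last4 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # Layer 1: bind the value as a parameter. The driver never parses it as
    # SQL, so a crafted string simply matches no row.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for usernames (an assumption for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Layer 2: validate input against an allowlist before it reaches the
    # data layer, then use the parameterised query. Rejected input is also
    # a useful event to log for the security team.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"          # constructed test input
    print(lookup_vulnerable(db, crafted))      # every row leaks
    print(lookup_parameterised(db, crafted))   # []
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_hardened(db, "alice"))        # [('alice', '1234')]
```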

Tara Kissoon, CISA, CISSP, is a director at Visa Inc. Her expertise is in developing and implementing information security and risk management controls across global payment systems.


Need CPEs? New Opportunities Available

Get off to a good start this new year—begin earning your continuing professional education (CPE) credits for 2010 now.

ISACA has taken the top educational sessions and bundled them into three areas of focus: security, governance and audit. Each series includes three live, recorded sessions from ISACA’s North America or European Computer Audit, Control and Security (CACS℠) conferences.

If your area of interest is audit, check out the Audit Series, which includes “The Top Ten Audit Issues,” presented by Michael Juergens, among its sessions. Is security your focus? Then why not try the Security Series, which includes “The Hunt for Fraud,” presented by Al Marcella? Governance is a hot topic! Check out Robert Stroud’s presentation, “Five Traps of IT Governance,” included in the Governance Series.

The CACS Conference Live Capture Series are easy to access and affordable. Each series is worth 4.5 CPE credits and ISACA members receive a discount. For more information and details about each series, click here for the ISACA® eLearning Campus and then click the Go to Campus link.


EuroCACS to Provide Valuable Takeaways
EuroCACS · Budapest, Hungary · 21-24 March 2010

The European Computer Audit, Control and Security (EuroCACS℠) conference is returning to Budapest, Hungary, with a value-packed program full of practical knowledge, shared experiences and a collaborative environment from which even the presenters are looking forward to learning something new.

The 2010 series of CACS conferences marks ISACA’s renewed effort to develop the highest quality, most valuable learning experiences possible to satisfy the professional development needs of its members and certified professionals. All the presenters for the 2010 EuroCACS conference were required to identify exactly how they intend to engage the audience and extend the learning opportunity well after the sessions end.

Attendees can expect to participate in open discussions, group exercises and case studies, along with appropriate lecture and other educational delivery methods, to gain the most from the event. The conference will feature sessions on the latest ISACA thought leadership on IT risk, how to determine the value of IT, cloud computing, the new business model for information security and COBIT®. Other topics will include developing various metrics, establishing an information security culture, making IT audit more relevant for the enterprise, the roles and responsibilities of top executives, and providing IT governance in a turbulent world.

Plan your trip to beautiful Budapest. Click here for information and to register for the 2010 EuroCACS conference.


New Assurance Standard on Controls at Service Organizations

The international use of outsourcing has become widespread. In response, the International Auditing and Assurance Standards Board (IAASB) recently released International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. This new standard addresses reports on the controls relating to the broad range of services that today’s service organizations provide. Such services can range from assisting with processing transactions to performing one or more business functions.

“A single service provided by a service organization can have direct relevance to the quality of financial reports prepared by entities around the globe. Effective controls for delivering the service are therefore essential,” said Arnold Schilder, IAASB chair, adding, “This new standard sets a global benchmark for reporting on controls at a service organization, thereby helping to fulfill the needs of those who use such services and their auditors under International Standards on Auditing (ISAs).”

ISAE 3402 is effective for service auditors’ reports covering periods ending on or after 15 June 2011. Click here for an overview of this new standard.


What Can a Certification Do for You?
Nicky Tiesenga, CISA, CISM, CGEIT, ITIL Foundation, IBM Global Business Services Partner

Nicky Tiesenga sought the Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) certifications for recognition and to pursue her passion for professional growth, but also found them in demand in the industry. Certifications can be a requirement in some organizations, whether in recruiting or replying to a client request for proposal (RFP). As Tiesenga grew her career from working in major corporations to consulting, she found that ISACA certifications are part of the qualifications that some clients request.

“My IBM Practice supports the US Department of Defense (DOD) and the US DOD now requires the consultants we bring in to have one of the certifications on the DOD list. The CISA and CISM are on that list.”

ISACA certifications and membership also have been helpful to Tiesenga in networking internationally; something she feels is critical in today’s global economy. “The current times are interesting and we are all looking for ways to brand ourselves on the Internet,” explained Tiesenga. “So, I am building my knowledge, skills, experiences, ISACA volunteer opportunities and conference speaking opportunities. And, the certifications are a part of my own personal brand within my profession.”

To maintain her ISACA certifications, Tiesenga has earned continuing professional education credits by attending conferences, being a speaker, being an officer/member of an ISACA chapter committee, writing and reviewing examination questions, and taking online webinars. “There is always a great deal to do to be involved with ISACA to grow as an individual while contributing to our profession and building your own personal brand,” Tiesenga said.

She strongly urges those thinking about pursuing the CISA, CISM and/or CGEIT credentials to pursue these goals. “Continue to learn and grow within your profession and get certifications incrementally throughout your career,” said Tiesenga. “I originally got my Certified Internal Auditor (CIA) back in the early 1980s, then CISA, then CISM and now my CGEIT. And, the certifications are recognized globally now more than ever. I recommend continuing to add certifications as the profession continues to advance.”

Nicky Tiesenga is a member of and has held officer positions with ISACA’s Nashville, Tennessee (USA) Chapter. She has been a CGEIT Certification Board Member and currently is committee chair for the CGEIT Certification Committee and a Credentialing Board member.


ISACA’s New Web Site Will Foster Networking

The new ISACA web site will help you create networking opportunities with other ISACA members, through the MyProfile functionality. The MyProfile feature will allow you to share as little or as much information with other ISACA members as you choose.

Networking opportunities will include the ability to:
  • Establish professional interests—Quickly view web site content that interests you.
  • Connect to other ISACA members—Add members to your personal connections; send members messages via an ISACA private e-mail address; and view members with shared interests, language or region.
  • Create your own ISACA blog.
