@ISACA Volume 5: 3 March 2010 

@ISACA Relevant, Timely News

IT Spending to Increase in 2010, Predicts Gartner

Researchers at Gartner Inc. predict that the IT industry will see a 4.6 percent growth in global IT spending, to US $3.4 trillion, in 2010. This is quite a contrast to 2009, when IT spending fell 4.6 percent.

Gartner predicts that spending will increase:
  • 1.8 percent in Japan
  • 2.5 percent in the US
  • 5.2 percent in Western Europe
  • 7.7 percent in the Middle East and Africa
  • 7 percent in the Asia-Pacific region
  • 9.3 percent in Latin America

Although Gartner predicts that economic conditions will gradually improve, it attributes the low growth in US IT spending this year to the recession and continuing economic uncertainty.

Gartner surveyed more than 1,000 IT professionals with budget responsibility worldwide to determine their budget-planning expectations for 2010. Click here for additional information on Gartner’s report, “Security Software and Services Spending Will Outpace Other IT Spending Areas in 2010.”


Honoring ISACA Members: 2010 Award Nominations Now Being Accepted

Nominations for two of ISACA’s annual awards—the Harold Weiss and John Lainhart awards—are now being accepted.

The Harold Weiss Award was initiated by ISACA in 1985 to honor individuals for outstanding achievement in the field of audit, audit education and/or audit research. In November 1996, the John Lainhart Common Body of Knowledge Award was created by then-president Akira Matsuo, to recognize contributions to the development and enhancement of the common body of knowledge used by professionals in the field of information systems audit, security and control, certification, or standards.

As an ISACA member, please nominate qualified and deserving candidates for each of these awards by sending a nomination in letter form via e-mail or fax to +1.847.253.1443. Nominations must include:
  • Description of accomplishments relating to the award
  • Professional affiliations
  • Other honors and awards achieved
  • Publications or articles published
  • References

The deadline for submissions is 18 March 2010.


Learn to Assess the Security of a DB in a Distributed Environment
A Q&A With Igor Oreper and Phillip Wainwright, Members of the Publication’s Development Team

Question Does Security, Audit and Control Features Oracle Database, 3rd Edition, replace or complement another publication?

Answer In 1993, ISACA issued Security & Control in an Oracle Environment. This highly successful publication was updated in 2004 and issued as Oracle Database Security, Audit and Control Features, a publication that continues to be in high demand. Since 2004, the database software market has continued to experience a significant shift, and Oracle has contributed to this shift in the form of significant changes to its flagship product.

This book is the third edition and focuses on the attributes and incremental functionality in the most recent Oracle relational database management system (RDBMS), software releases 10g and 11g (with focus on 11g). Although the outline remained similar to the previous edition, major operational and security and control differences are highlighted and further examined in this edition.

Question Please describe the goals and aims of the publication. How do you anticipate readers benefiting from the content?

Answer Security, Audit and Control Features Oracle Database, 3rd Edition, provides readers with a general understanding of database security and a more detailed understanding of Oracle security and control functions as well as a comprehensive work plan to assess the database.

This book also provides readers with the approach, knowledge and tools to effectively plan and execute an Oracle database security assessment. It can be used as a field reference for the assessor or as a book that someone interested in learning more about Oracle security could read cover to cover. The assessor is expected to review and integrate other related audit/assurance program documents, in relation to the requirements of the project/assignment; specific scope; IT/enterprise architecture; availability of time, budget and resources; and other relevant factors.

Question To whom is the book written? What titles, roles will benefit the most from the publication and how?

Answer The primary audience of this book is any practitioner who reviews and assesses the security of environments that include an Oracle database component. The practitioner must combine his/her technical database experience with the knowledge gleaned from this book to most effectively assess the security of a database in a distributed environment.

Other audiences such as information security practitioners, database administrators (DBAs), database security administrators, database application developers and system administrators will also find this book useful to understand and assess Oracle security risks. These practitioners should already have a high-level understanding of Oracle database technologies, as well as general auditing and security concepts.

This book’s goal is not to be an all-inclusive instruction manual for the everyday database administrator. It is intended to guide a security practitioner through the comprehensive evaluation of security for an Oracle database, based on business objectives and realistic risks.

Members can click here to download excerpts of the publication. Members and nonmembers can click here to purchase a print copy of the publication from the ISACA Bookstore.


10 Tips for Developing an Information Security and Risk Management Strategy

Developing an information security and risk management strategy can be a challenging activity even for the most seasoned leader. Consider these 10 tips on what to account for in your development activities:

  1. Understand the enterprise’s current business conditions, risk profile and risk appetite before you begin to develop capabilities. An enterprise’s financial status is a key performance indicator (KPI) of its current business conditions. If the enterprise is in a conservative, cost-containment posture, defer the implementation of enhanced capabilities. If it is in a growth state, demonstrate the business value of introducing robust capabilities.
  2. Develop a prescriptive annual strategy, followed by a rolling, three-year plan that includes frameworks, goals and objectives.
  3. Clearly identify the point of arrival for the strategy based on management guidance and input at the onset of the strategy development.
  4. Ensure both the availability and capabilities of staff necessary for the execution of your proposed strategy. Do not assume you will be able to add staff or use part-time staff from other organizations for baseline capabilities.
  5. Develop KPIs based on points of arrival for your strategy and program that you have agreed upon with the enterprise’s leadership team.
  6. Make sure you have acceptable and unacceptable thresholds established for KPIs that include enforceable consequence management. A laddered approach to consequence management often is the most successful and should be based on risk and business impact.
  7. Convene oversight boards that include business leadership and key stakeholders, to meet on a monthly or quarterly basis. Key metrics and requests for approval of program activities should be presented at these meetings.
  8. Be aware that threats and risks can vary significantly by geography. Physical threats to information (theft of equipment and media) tend to be less probable in developed nations and environments, because attackers there are more likely to target the data itself than the infrastructure that holds it.
  9. Examine socioeconomic data for regions within which the enterprise operates to understand cultural and economic considerations that can impact strategy development and execution.
  10. Utilize capability maturity assessments and benchmarks of processes and capabilities to identify areas that need more focus than others for future strategy development and investment.

Developing an information security and risk management strategy is a fluid process that needs to constantly adapt to business conditions and requirements. The most successful strategies are those that can quickly adapt to change and align with adjustments in business activities and changing business conditions.

John P. Pironti, CISA, CISM, CGEIT, ISSAP, ISSMP, is the president of IP Architects LLC.


ISACA Training Week Offers Hands-on, Intense Training

Training Week offers intensive training that would otherwise require attending several separate events. The week is full of relevant content developed for IT professionals who need the latest information and training to apply in their careers. Topics include:

  • Fundamentals of IT Audit and Assurance
  • IT Audit and Assurance Practices
  • Information Security Management
  • COBIT: Strategies for Implementing IT Governance

Training Week’s greatest benefit is that you are immersed in a topic with a top-level trainer. All of the instructors for Training Week have more than 25 years of experience in information security, auditing, management and IT governance. They are global lecturers who bring their professional experiences to the classroom with current, real-world examples and case studies. The hands-on experience they bring from the field provides opportunities for you to apply proven best practices in your own enterprises when you return from Training Week.

Click here for more information on ISACA’s Training Week courses, trainers and upcoming scheduled events.


Is Progress the True “Carrot” for Employee Motivation?
Emil D’Angelo, CISA, CISM, 2009-2010 ISACA International President

“Recognition for good work (either public or private)” was the factor that makes their employees most enthusiastic about work, according to a survey of 600 managers, as reported in the Harvard Business Review (“What Really Motivates Workers,” January-February 2010). When the article’s authors tracked the daily activities of employees, though, they found that employees named “progress” as their top motivator. Surprisingly, “support for making progress” had actually come in last in the managers’ survey.

According to the article, “On days when workers have the sense they’re making headway in their jobs, or when they receive support that helps them overcome obstacles, their emotions are most positive and their drive to succeed is at its peak.”

This study brings to mind the popular “Fish” philosophy that has made the Pike Place Fish Market in Seattle, Washington, USA, a world-famous workplace and model management system. It puts forth four important concepts that many organizations, including my workplace, are adopting: Play, Make Their Day, Be There (give undivided attention to a job or another person) and Choose Your Attitude.

They sound like basic ideas, but all too often we get caught up in the rush of a project and begin to forget that, to paraphrase www.pikeplacefish.com, through our work it is possible for us to improve the quality of life for everyone.

One of ISACA’s main goals is to provide the support its members and constituents need to interact with each other and make a positive impact at their place of employment. By utilizing ISACA’s resources, and following the wise advice of Pike Place, we can continue to add value to our enterprises and “make their day.”


ISACA to Participate in SecureCloud 2010

As part of several cloud computing initiatives, ISACA is playing an integral part in presenting SecureCloud 2010, an educational and networking event designed to help IT professionals adopt and share best practices related to secure cloud computing. ISACA’s Barcelona Chapter, led by chapter board member Ramses Gallego, CISM, CGEIT, along with ISACA staff, has been involved in all aspects of planning the event, including identifying speakers, setting the conference agenda and selecting the site for the conference. The conference will be held 16-17 March at the Majestic Hotel and Spa in Barcelona, Spain.

ISACA’s involvement came as a result of an ongoing focus on cloud computing security issues and its involvement with the Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA).

The two-day, dual-track event is being hosted by ISACA, CSA, ENISA, and the IEEE Standards Association, four of the leading organizations shaping the future of cloud computing security. SecureCloud 2010 is the first European event to focus specifically on state-of-the-art practices designed to promote security, privacy, and trust within cloud computing environments.

Click here for more information on SecureCloud 2010.


Third Edition Addresses New Business Environment and Latest Software

ISACA has a research project in progress to update the popular Security, Audit and Control Features Oracle® E-Business Suite to its third edition.

Since the second edition was issued in 2006, the business environment has changed significantly, and Oracle E-Business Suite 12.1, released in 2009, provides several updates and improvements. There has also been increased awareness of, and growth in, the software market known broadly as governance, risk and compliance (GRC). Oracle Corporation has continued to boost its GRC offerings and to strengthen the Oracle Fusion Middleware suite, identity management and service-oriented architecture (SOA). Oracle has also improved its Enterprise Performance Management applications and Business Intelligence tools, which assist customers with carbon reporting obligations and sustainability.

The questions that were addressed in Security, Audit and Control Features Oracle® E-Business Suite, 2nd Edition, will be updated in the third edition to provide a current view toward:
  • Identifying and understanding how business processes impact an enterprise resource planning (ERP) implementation and operation
  • Application functionality
  • Strategic-level business risk
  • Technical architecture of the system
  • Key security and control criteria/drivers for key functional areas, including:
    – Financial accounting
    – Expenditure
    – Web-enabled security
  • IT resource and IT management requirements
  • Professional services and support
  • IT integration with other enterprise systems
  • Organizational and audit department challenges with Oracle
  • Oracle E-Business audit framework audit programs
  • Using Oracle to assist with the regulatory requirements of financial reporting and other compliance issues
  • How Oracle’s GRC offering integrates with the E-Business Suite
  • Future developments from Oracle and upcoming trends

The third edition of Security, Audit and Control Features Oracle® E-Business Suite, part of ISACA’s Technical and Risk Management Reference Guide series, is scheduled to be available in the ISACA Bookstore in the second quarter of 2010.

