@ISACA Volume 6: 17 March 2010 

@ISACA Relevant, Timely News

Report of the Nominating Committee
By Marios Damianides, CISA, CISM, CA, CPA, Nominating Committee Chair

The charge of the ISACA® Nominating Committee, as described in sections 7.02 and 9.01 of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors, for review and approval by the association membership at the Annual Meeting of the Membership. The Nominating Committee is chaired by a past international president of ISACA, and its members include two additional past international presidents and three to four members with significant ISACA experience and diverse geographic representation.

The committee takes very seriously its obligation to prepare a slate that represents ISACA’s geographic distribution; its professional areas of interest; and a diversity of job titles, professional experience levels and ISACA involvement. Both the immediate needs and future requirements of the association are taken into account. One of the committee’s goals is to populate the board with creative individuals committed to serve (and, if asked, for several years) so that ISACA gains the benefit of their growing expertise and knowledge.

The process is managed with attention to detail: the proper information and documentation must be submitted with sufficient detail and backing and by the published deadline. Nominations are treated with unbiased consideration, and strict confidentiality is maintained throughout the process. The Governance Advisory Council (GAC) provides oversight to the committee’s processes and the committee reports to the Board of Directors and the membership of ISACA.

The 2009-2010 Nominating Committee is pleased to present the slate for the 2010-2011 ISACA Board of Directors. As chair of the committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2009-2010 Nominating Committee members:
  • Marios Damianides, CISA, CISM, CA, CPA, USA, Chair
  • Everett C. Johnson Jr., CPA (past international president)
  • Lynn Lawton, CISA, FBCS CITP, FCA, FIIA (past international president)
  • Sushil Chatterji, CGEIT, Singapore
  • Leo Anzola, CISA, CGEIT, Panama
  • Hugh Penri-Williams, CISA, CISM, CGEIT, France
  • Jo Stewart-Rattray, CISA, CISM, CGEIT, Australia


Proposed Slate of 2010-2011 Board of Directors

ISACA® will hold its Annual Meeting on 7 June 2010, at the JW Marriott Cancun Resort & Spa in Cancun, Mexico, during the International Conference, where it will announce the 2010-2011 Board of Directors. In accordance with the association’s bylaws, the Nominating Committee submits the following slate as the proposed 2010-2011 Board of Directors.

Emil D’Angelo, CISA, CISM International President
Hitoshi Ota, CISA, CISM, CGEIT, CIA Vice President
Jose Angel Pena, CGEIT Vice President
Christos Dimitriadis, CISA, CISM Vice President
Rolf von Roessing, CISA, CISM, CGEIT Vice President
Robert Stroud, CGEIT Vice President
Kenneth Vander Wal, CISA, CPA Vice President
Ria Lucas, CISA, CGEIT Vice President
Everett C. Johnson Jr., CPA Past International President
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA Past International President

Included on the agenda will be the president’s annual report, the treasurer’s report, ratification of significant board actions from the 2009-2010 administrative year and comments from the international president.

All ISACA members are invited to attend. Click here for more information about the International Conference.


Taking Governance Forward Web Site Launch

The new Taking Governance Forward web site is being launched to help pull all the pieces of the governance, management frameworks, principles and structures together. Originally, IT was implemented to automate processes of enterprises and enable gains in productivity. As IT became more strategic, more risky, and a critical enabler for business transformation and value creation, new governance issues appeared.

It became apparent that to move forward in governance it was necessary to put all the pieces of the governance maze together, including governance frameworks, principles, structures, processes, practices, views, activities, relationships, roles and responsibilities, and objectives. And, then determine how all of this fits together as well as how it fits with management frameworks, principles and structures.

To help respond to this need, ISACA® has led an initiative, Taking Governance Forward, to provide an integrated high-level overview of enterprise governance. Taking Governance Forward is designed to take a high-level look at the complex and layered world of governance, identify and define the components of a governance system, and conceptualize how the many views of governance overlap and interact. The project was undertaken by a task force of ISACA members, led by Patrick Stachtchenko, CISA, CA.

The Taking Governance Forward initiative developed the enterprise governance overview as a diagram—Governance on a Page—to illustrate the various components and relationships involved. Supporting descriptions were developed to explain them.

ISACA felt that the results would best be delivered as an interactive web site, presenting the materials in a dynamic way to ease review and understanding and, importantly, to provide the ability for everyone to contribute to the current market debate on what governance is and how it works. To facilitate and encourage this involvement, community interaction with the diagram, maps and term definitions is supported through discussion forums and wikis.

The web site is being tested during the first quarter of 2010 and will be available for full public interaction in the second quarter of 2010. The site content will be viewable by all, and a simple registration is required to make a contribution or to start or enter a discussion. Watch the ISACA home page for details of when and where to find the Taking Governance Forward site.

Editor’s Note
Refer to “Taking Governance Forward” by Stachtchenko in Volume 6, 2008, and “In Summary: The Taking Governance Forward Mapping Initiative” in Volume 1, 2009, of the ISACA Journal for more information on the basis for the initiative.


Six Tips for Improving the Overall Information Security Program
By Lisa Young, CISA

Improving the overall information security program can be achieved by taking a “service” perspective to improve how risks are managed and assets are protected. The word “service” is defined as a product that is intangible and nonstorable. Most organizations, regardless of their size or line of business, deliver products and services to their customers. These services are comprised of tasks, activities and processes for which people, technology, information and facility assets are placed into production to support. The insight gained by viewing the business through a service lens will enable your organization to effectively improve its information security operations over time, without being unpleasantly surprised or wasting resources on an incompletely addressed problem. Here are six tips:

  1. Assess risks to the delivery of the service. Risks can then be defined in terms of service delivery. This creates a common view of risks for both management and practitioners responsible for information security and technology management.
  2. Inventory technology, information and facility assets, and understand the link between assets and organizational services they support. Define how the assets support the core competencies of the organization. Reporting to management that “server x” is down does not have the same impact as reporting “server x is down, which affects our ability to accept orders and payments.”
  3. Identify the interdependencies between assets, services and external suppliers. When assets are managed in a manner that isolates them from their services, it is possible that the organization might miss identifying these interdependencies. The consequence of missing relationships can lead to inadequate protection and sustainability of the assets. This creates a weakness in the reliability of the delivery of the services, leaving the organization’s mission at risk. Once the interdependencies are identified, informed decisions about the need to reduce dependencies or the application of additional resources to the dependant relationship can be made to continue reliable delivery of the service.
  4. Map out all tasks, activities and processes that support a given service, and then define and document the controls in place. Understand the controls in place and the risks to the service they are designed to mitigate. This provides a defensible position for the most effective controls instead of the most numerous controls.
  5. Develop an integrated risk mitigation strategy. This allows the organization to focus on what is important to control (protection and sustainability of service delivery) vs. what is easy to control (compliance to a prescribed set of practices or regulations).
  6. Monitor the operating environment for changes to ensure that new risks are not introduced to service delivery. Management must recognize the need for crossoperational, business and technical views to decide how to apply appropriate resources to mitigate risks.

Lisa R. Young is the past president of the West Florida ISACA chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force for the new Risk IT: Based on COBIT® framework publications.


CISA Certification Wins Two Hong Kong ICT Awards

CISA Certification Wins Two Hong Kong ICT AwardsRaymond Chan, China Hong Kong Chapter vice president, and Michael Yung, chapter president, accepted the Hong Kong ICT Grand Award for the CISA certification.

On 19 January 2010, ISACA’s Certified Information Systems Auditor™ (CISA®) designation was awarded the Best Professional Development Grand Award and the Best Professional Development (Scheme) Gold Award at the Hong Kong ICT Awards 2009 presentation ceremony. The Hong Kong ICT Awards were established in 2006 under a collaborative effort among the information technology industry, academia and the Hong Kong government.

“CISA has become a preferred qualification for professionals working in the fields of information systems audit, control and security, especially in the finance and the government fields…,” according to the judging panel. “The China Hong Kong Chapter has placed good efforts in promoting the qualification and organizing monthly sharing seminars for the professionals to update their knowledge, in turn uplifting the standard of IT governance in different business sectors in Hong Kong.”

Click here for additional information about the awards. Click here for more information about the CISA certification.


New Val IT Guide Enhances, Expands on Earlier Version
A Q&A With Steven de Haes, Ph.D., University of Antwerp Management School, Belgium, and Peter Harrison, CGEIT, FCPA, Members of the Publication’s Development Team

Question Why was the book developed? Does it replace or complement other publications?

Answer The Business Case Guide: Using Val IT™ 2.0 replaces the previous Enterprise Value: Governance of IT Investments, The Business Case (published in 2006), based on the initial edition of Val IT™: Based on COBIT®. The intention of this publication is to position the business case for IT-enabled investments as a valuable management tool—an operational tool—and to provide an easy-to-follow guide, based on Val IT™ 2.0, to create, maintain and use a business case for IT-enabled investments.

The objective of this publication is to build on and enhance the earlier version. This new publication is fully aligned with Val IT 2.0 and provides how-to tips, maturity models, examples and references to other materials on using and implementing the processes provided in the business case.

Question To whom is the book written? What titles, roles will benefit the most from the publication and how?

Answer This document is applicable and scalable to all enterprises, regardless of industry sector or size, and whether they are public or private, for profit, or not-for-profit. Understanding the relevance of business cases is of primary importance to all management levels across both the business and IT parts of an organization—from the chief executive officer (CEO) and others in the C-suite, to those directly involved and responsible for the selection, procurement, development, implementation, deployment and benefits realization processes.

Question What would you identify as the single most important takeaway from the book? In other words, how will the reader benefit from the publication?

Answer This publication is intended to provide business and IT executives and organizational leaders, business sponsors and program managers with an easy-tofollow guide to getting from “why” through “what” to “how” in creating, maintaining and using a business case as an operational tool.

Question What makes this publication unique and valuable to the reader?

Answer What is unique about this guide is that it is not just a guide for IT, but is a business guide on how best to manage the business case through the investment life cycle at the program level. Even though, many projects contain business cases, Val IT proposes that more value is delivered from an enterprise perspective in managing the business case at the program level.

It should also be noted that, although this publication is focused on business cases for IT-enabled investments, its content is applicable to all types of investment in business change.

The Business Case Guide: Using Val IT™ 2.0 is scheduled to be available in April 2010. Click here to visit the ISACA Bookstore.


Advanced Search on the New Web Site

You spoke and we listened. Finding what you need quickly is something that everyone wants, and with the new ISACA® web site, you will be able to do just that. Further, the new web site will not be simply about finding content; it will be about connecting with other ISACA members. ISACA has more than 86,000 constituents, each facing similar issues within the profession. On the new web site, you will be able to leverage fellow members’ knowledge.

Using the new ISACA search functionality, searching for people who share the same interests, industry, language or location will be possible. The faceted search functionality will allow you to locate ISACA members worldwide. Of course, you will be able control the amount of information that is shared about you on the ISACA site.

Launching in 2010, the renovated ISACA web site is an exciting advancement. Leading up to launch, click here for additional information available online.


Book Review: The Failure of Risk Management: Why It’s Broken and How to Fix It
Reviewed by Gail Michaelson, CISA, PMP, SSGB

The Failure of Risk Management: Why It’s Broken and How to Fix It is a critical analysis of some of the most popular risk analysis and management methods used within large prominent business and government settings. Through detailed and clear objective analysis, these best practices are exposed to provide little added value in actually assessing risks. According to author Douglas W. Hubbard, “If risks cannot be properly evaluated, risk management itself becomes the biggest risk.”

Hubbard analyzes standard methods and elements of risk management analysis and existing tools presumed to measure risks—all of which are subsequently shown to be built upon underlying flaws, incorrectly or incompletely applied, or generally ignored. As critical questions are asked and answered surrounding the use of popular risk management techniques—techniques utilized to make major corporate and government decisions—these soft qualitative techniques are shown to be lacking support by theoretical or empirical analysis and to not be based upon more sophisticated scientific and mathematical techniques in existence and applied by actuaries, engineers and financial analysts.

The Failure of Risk Management transcends the 2008 financial market crisis. It dissects reallife, major risk management case studies involving national disasters, industrial accidents, outsourcing, computer security and other major risk management case studies, where risk was consistently underestimated or proven to be woefully unrealistic. Hubbard then explains how these major failures of risk management can be corrected.

An appropriate amount of documentation, such as checklists and practice examples, is included within the book. Other excellent tools demonstrated and cited are available on Hubbard’s web site, which is well referenced throughout the book.

The Failure of Risk Management is an enlightening guide that focuses on IT governance and assurance, and should be a worthwhile read by basic, intermediate and advanced readers across all industries, not only the financial, banking and government industries. As a recommended reference for the business library with an unlimited shelf-life, the target audience includes anyone who makes critical business decisions and all levels of management, consultants and academics interested in general corporate business management, government, economics, statistics, information technology, corporate finance and mathematics, within all geographic areas.

Click here to order The Failure of Risk Management: Why It’s Broken and How to Fix It from the ISACA Bookstore.

Gail Michaelson, CISA, PMP, SSGB, is an IT professional from Cincinnati, Ohio, USA, with more than 10 years of expertise in business process optimization and continuous improvement, program and project management, portfolio management, strategic planning and budgeting, and IT auditing.


Read More Articles in Our Archives