@ISACA Volume 7: 31 March 2010 

@ISACA Relevant, Timely News

Study Finds IT Innovation Critical, Yet Shrinking From IT Budgets

A.T. Kearney, a global management consulting firm, conducted a study of investments in IT innovation in the US and Europe. The study, “Delivering Technology Innovations,” finds that industry leaders overwhelmingly acknowledge the value of IT as strategically important, but investment in IT innovation misses target levels more than 75 percent of the time. And, while innovation accounted for about a third of the average IT budget in 1999, that amount has decreased to about 14 percent in the last 10 years.

Authors of the A.T. Kearney study found that corporate decision makers understand the role IT innovation can play—and the healthier the company, the better the understanding. Of the companies that achieved a greater than 10 percent annual sales growth, nearly 90 percent reported benefiting from IT innovation.

The study also found the greatest IT growth obstacles to be complexity, inconsistent data and excessive time spent on daily activities. The two most important reasons IT innovation projects fail were reported to be lack of effective enterprise integration and a limited incubator environment.

Studying the companies that had the best results with IT innovation revealed six common approaches that A.T. Kearney calls “Six Mandates for IT Innovation”:

  1. Ensure executive commitment to develop world-class IT delivery and innovation capabilities.
  2. Establish targets and execute dedicated and consistent investments in innovation.
  3. Create integrated IT leadership and business partnerships.
  4. Leverage technologies to integrate products and services with traditional back-office IT.
  5. Collaborate outside as well as within the organization (i.e., with customers and suppliers in addition to employees) to deliver IT innovation.
  6. Make sound business decisions on emerging technologies.


Monitoring Internal Controls
A Conversation With Ken Vander Wal, Partner (retired), Ernst & Young LLP, and Chair of ISACA’s IT Monitoring Task Force

Question Why and how was Monitoring of Internal Controls and IT developed? Does it replace or complement another publication?

Answer The IT Monitoring Task Force developed the draft of Monitoring of Internal Controls and IT to complement and expand on the 2009 COSO Guidance on Internal Control Systems. Since more and more technology has been integrated into business processes, the task force particularly wanted to emphasize two areas:

  • Special considerations around the monitoring of IT controls
  • How to use automation to enhance the monitoring of controls

The objective of this publication is to enable professionals to understand the purpose and (potential) benefits of monitoring, provide practical guidance on how to design and execute an IT monitoring process, and explain how automated monitoring tools may add value to the process. The publication also provides references that help assess risk, implement a monitoring program, and integrate monitoring into daily operations (e.g., COBIT®, Risk IT and Val IT™).

The publication is scheduled for public exposure through April 2010.

Question Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer The main aims of the publication are to expand the 2009 COSO Guidance on Internal Control Systems by bringing emphasis to the monitoring of application and IT general controls, and to discuss the use of automation (tools) for increased efficiency and effectiveness of monitoring processes. While the authors understand that information technology is not a business goal and, only rarely, a business process, there are important opportunities that can be provided by focusing on the risks related to IT control failures and the opportunities created by automated controls and automated monitoring processes. The authors also move away from a mere conceptual elaboration on the concepts and applications for monitoring and move toward providing multiple examples, case studies and practical tools that can help the professional and the enterprise implement monitoring.

Question To whom is the book written? What titles, roles will benefit the most from the publication and how?

Answer The book is written with executives/senior management, business process owners and IT professionals in mind. The publication opens with an executive overview of the subject matter and suggests questions that senior management should ask to determine whether the monitoring of internal controls is adequately addressed within their enterprise. For the business process owners it describes how to monitor key IT application controls and how to automate monitoring processes. And, for the IT professional, it goes beyond theory by providing templates and tools that can be leveraged when developing and implementing a monitoring project.

Question What would you identify as the single most important takeaway from the book? In other words, how will the reader benefit from the publication?

Answer There has been a lot written about how the COSO Internal Control—Integrated Framework can be applied to multiple objectives (e.g., financial reporting, operations, compliance) and to multiple dimensions of an organization (e.g., department, business unit, IT). This publication is unique in that it not only deals with the importance of identifying and monitoring the key IT controls that mitigate an enterprise’s financial reporting and compliance risks, it also expands the concepts of monitoring internal controls to operational objectives (e.g., performance, capacity). These are important aspects that have not been addressed previously in a comprehensive manner within one publication.


Studying for the CISA Exam?
Take the CISA Online Review Course

Are you registered for the June 2010 Certified Information Systems Auditor™ (CISA®) exam? Are you looking for a comprehensive review course that will fit around your schedule? ISACA® has the perfect solution in its CISA® Online Review Course. This interactive, self-paced, web-based course was developed to provide CISA exam candidates and ISACA members with an efficient and cost-effective tool for exam preparation and for performing information systems audits and reviews.

Because the course is completely web-based, you should be able to access the course from any computer with an Internet connection. While it is significantly different in terms of how the information is delivered, the course is based on the CISA® Review Manual 2010. The course includes more than 160 practice questions, as well as interactive activities and exercises, and an online glossary to reinforce content comprehension.

In addition to helping you prepare for the CISA exam, you can earn up to 26 continuing professional education credits by successfully completing the entire course. A demo is available to help you evaluate whether this is an appropriate study tool for you.

Register for the course online or e-mail eLearning@isaca.org for more information.


12 Tips for Pen Testers
By Victor Chapela

There are important things to keep in mind regarding pen testing, including some steps to take to reach business goals:

  1. Define business objectives, not technical objectives. For example, test if the credit card database or the central enterprise resource planning (ERP) system is reachable and vulnerable. Pen testing firewalls is a lot less useful.
  2. The creation and use of pen testing checklists will allow you to test more thoroughly and find more vulnerabilities.
  3. Google hacking is a very quick way to query your web presence and find easy-to-exploit vulnerabilities and misconfigurations.
  4. Structured Query Language (SQL) injection vulnerabilities and misconfigured wireless networks continue to be the most common external perimeter breaching vectors.
  5. Cross-site scripting (XSS) is a common web vulnerability, but it poses different risk levels for different industries or systems. It almost never allows external access or system control.
  6. Create application and network diagrams; by understanding the underlying structure, you will be far better at reaching objectives.
  7. Always try easy-to-guess or default passwords, especially on shared users and system accounts; they are still very common.
  8. Sniffing is a great way to understand network traffic and can almost always obtain cleartext or easy-to-break passwords. Commonly used protocols, such as Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP) or File Transfer Protocol (FTP), send cleartext passwords.
  9. Certain hacking techniques commonly disrupt system stability or network communications; in particular, man-in-the-middle techniques and buffer-overflow exploits should be avoided or tested only in controlled environments.
  10. In general, the more connected an application is, the easier it will be to hack. Databases, domain controllers and web sites are frequently easy targets.
  11. Always convert vulnerabilities into risks by determining asset value and probability of attack. There are many ways to scan for vulnerabilities. A pen tester is better poised to determine risk by understanding the complexity of the attack and the access level obtained.
  12. One of the main benefits of pen testing is creating a sense of urgency in the organization. Always take screenshots, screen videos or give live demonstrations of the findings. This will help advance the security awareness of everyone involved.
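Tip 11's conversion of vulnerabilities into risks, as an added example that is not from the article or its author: a small Python ranking of constructed findings by asset value, attack complexity and access level obtained, showing how that ordering differs from plain scanner severity. All weights, asset names and findings are constructed assumptions.

```python
"""Rank pen-test findings by business risk rather than by scanner severity.

Added illustration (not from the article): each finding carries the asset's
business value, the attack complexity the tester observed, and the access
level actually obtained. Risk = asset value x probability of attack x share
of the asset exposed. All weights and sample findings are constructed
assumptions for this example.
"""
from dataclasses import dataclass

# Constructed weights: likelihood of a real attack falls as complexity rises.
COMPLEXITY_PROBABILITY = {"trivial": 0.9, "low": 0.7, "medium": 0.4, "high": 0.15}
# Constructed weights: how much of the asset the obtained access level exposes.
ACCESS_IMPACT = {"read": 0.4, "user": 0.6, "admin": 1.0}


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    asset_value: float        # business value of the asset, in currency units
    complexity: str           # how hard the attack was to carry out
    access_obtained: str      # what the tester actually reached
    scanner_severity: str     # what a vulnerability scanner would have reported


def risk_score(f: Finding) -> float:
    """Expected loss: asset value x probability of attack x exposure from access level."""
    if f.complexity not in COMPLEXITY_PROBABILITY:
        raise ValueError(f"unknown complexity: {f.complexity}")
    if f.access_obtained not in ACCESS_IMPACT:
        raise ValueError(f"unknown access level: {f.access_obtained}")
    return round(f.asset_value * COMPLEXITY_PROBABILITY[f.complexity]
                 * ACCESS_IMPACT[f.access_obtained], 2)


def rank_by_risk(findings):
    """Return findings ordered from highest to lowest business risk."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings for a fictional engagement.
SAMPLE = [
    Finding("Default SNMP community on print server", "print-server", 5_000, "trivial", "read", "high"),
    Finding("SQL injection in order lookup form", "cardholder-db", 2_000_000, "low", "admin", "high"),
    Finding("Reflected XSS on marketing site", "marketing-www", 50_000, "low", "user", "medium"),
    Finding("Buffer overflow in legacy FTP daemon", "file-server", 300_000, "high", "admin", "critical"),
]

if __name__ == "__main__":
    # The "critical" overflow on a mid-value server ranks below the "high"
    # SQL injection that reaches the cardholder database with admin access.
    for f in rank_by_risk(SAMPLE):
        print(f"{risk_score(f):>14,.2f}  scanner={f.scanner_severity:<8} {f.title}")
```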

Victor Chapela is founder and CEO of Sm4rt Security Services. He is coauthoring a book on the evolution of risk and is a frequent speaker at conferences around the world.


COBIT, CISA, CISM and Related Subject Matters Addressed in Industry Regulations Worldwide

The Government and Regulatory Agencies (GRA) subcommittees (ISACA has one for each of its five regions worldwide) have provided the following updates on relevant regulations worldwide:

  • In May 2009, the Colombian Banking Regulator, La Superintendencia Financiera de Colombia, published a new regulation impacting Colombian banks. The regulation requires obligatory compliance by the country banks and states that “corporate governance is to be based on international accepted standards such as COBIT®, Sarbanes-Oxley (Section 404), Basel II, COSO and standards of the IIA.”
  • The Securities and Exchange Board of India (SEBI) recently made IS audits mandatory for mutual funds. Systems audits are to be conducted by an independent Certified Information Systems Auditor™ (CISA®)/Certified Information Security Manager® (CISM®) or equivalent auditor.
  • The US House of Representatives passed the Data Accountability and Trust Act (H.R. 2221). The legislation requires the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures. The measure has been sent to the US Senate.
  • In 2009, the US Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Act covers health care providers, insurers, clearinghouses and businesses handling patient information. In 2010, new rules at the US federal and state levels will require IT managers to deploy protective technologies, such as encryption, to achieve compliance.
  • The Malaysia Chapter worked with Multimedia Development Corporation (Mdec) to make CISA and CISM part of the Professional Development Program for the government initiative, Media Super Corridor (MSC).


Certifications Help Professionals Stand Out
Ramses Gallego, CISM, CGEIT, General Manager at Entel Security & Risk Management in Spain

Businesses run on IT, and there is a high demand for process-oriented, security-driven, business-focused professionals who understand the need to meet compliance requirements while enabling companies to perform as expected. “The audit field is enjoyable because you get to know a process in detail; the security field is where you minimize the inherent risk of any activity while you enable the business to move forward; and the governance arena facilitates the way you drive a whole corporation to its goals,” said Ramses Gallego, CISM, CGEIT. “These areas are here to stay and, for sure, are areas where a highly motivated professional can enjoy his/her work.”

To differentiate and stand out in the industry, Gallego advises pursuing certifications. “First, look for the credentials that best fit your professional needs,” said Gallego. “Second, follow a consistent studying routine and, if possible, consider attending a training program at a local ISACA® chapter. They provide real value and deep expertise with subject matter experts as teachers.”

Gallego feels that ISACA’s certifications provide a great value by giving a variety of ways to grow as a professional and enhancing the educational and human dimension as a part of day-to-day tasks. “ISACA’s certifications allow me to get in contact with many other people with the same interests as I have, as well as provide me with access to specific information from research, security and governance guidelines,” he said. “I have no doubt that the certifications I hold differentiate my profile from others, setting a baseline not only for me, but also for colleagues. The team I am managing, as well as the clients I interact with, benefit from the knowledge available to me through my certifications.”

When not working, Gallego enjoys being with his family, playing with his kids and taking long walks around beautiful Barcelona. “As a music lover, I have thought about starting to play the guitar,” he said. If he weren’t working in the audit/security/governance field, his real dream would be to be a rock star.

Gallego is a member of the CISM Certification Committee, the ISACA Barcelona Chapter Board as CISM director, the International Conference Program Committee and the Information Security and Risk Management (ISRM) Conference Committee, of which he is the cochair.


Book Review: Security, Audit and Control Features Oracle Database, 3rd Edition
Reviewed by Kamal Khan, CISA, CISSP, CITP

Security, Audit and Control Features, Oracle Database, 3rd Edition, is a welcome resource for anyone with an interest in assessing and evaluating IT environments that include an Oracle database component, such as information security practitioners and database administrators. It is also an excellent reference for experienced auditors, other experts and anyone responsible for the security and control of Oracle databases.

The book is well laid out, using a tried and tested format common to most ISACA® publications. Diagrams and tables are used extensively throughout the book to explain key concepts. Each chapter starts with an overview, and there are case studies and examples provided in gray boxes to illustrate different concepts. In addition to the main text, there are also several appendices, such as an audit and assurance program, a glossary and list of acronyms.

The book was co-authored by a renowned team of authors, researchers and reviewers. They collectively have vast experience and knowledge of Oracle control and security, as well as IT governance and compliance, systems security, project management, IT general controls, security policy, and technical control standards. This is clearly reflected in the quality of the book.

Taken in conjunction with the audit and control programs, the book provides all the essential information for the intended audience of audit and control professionals. However, it tries to cover a lot of ground, and should not be relied on exclusively, for example, by someone who needs to cover operating system (OS) security in detail or to manage an Oracle database environment. In addition, the content of appendix IV, Recommendations for the Professional, may have been better if included in chapter two, Security and Control Approach/Framework. It contains useful information and guidance, but may be overlooked as it is placed near the end of the book.

Overall, the book is well structured, well presented and readable. It is written from the perspective of the intended audience, so the level of technical detail is not overwhelming.

The audit/assurance program includes a comprehensive audit plan that covers planning, access and authorization, monitoring, and backup and recovery.

In conclusion, the third edition of this popular book contains everything needed by the audit, control or security professional in one convenient package. It competently presents a fairly complicated and technical subject and can enhance the understanding of the Oracle database environment. An excerpt of the Audit/Assurance Program and internal control questionnaires (ICQs) is available for download (members only), and Security, Audit and Control Features, Oracle Database, 3rd Edition can be purchased from the ISACA Bookstore.

Kamal Khan, CISA, CISSP, CITP, is an IS auditor at the Saudi Arabian Oil Company, Saudi Aramco. He has 20-plus years of audit experience.
