@ISACA Volume 8: 14 April 2010 

@ISACA Relevant, Timely News

Five Tips for Transitioning Your Career From IT/Information Security to IT Risk
By Brian Barnier, CGEIT

With the release of Risk IT: Based on COBIT and the announcement of the new Certified in Risk and Information Systems Control (CRISC, pronounced see-risk) certification, ISACA is giving you more tools to add business benefit and transition your career from security to broader risk management. Here are five tips:

  1. Broaden the “all-hazards” view of threats beyond malicious threats. Also, evaluate natural, accidental and business-volume-related threats to smooth business operations.
  2. Broaden the view of assets/resources/targets beyond switches, servers and even data. Also, evaluate business process, applications, middleware, IT management process, people and facilities.
  3. Broaden the use of techniques. To capture insight from the first two tips, use standard techniques, such as scenario analysis, more broadly and powerfully. Also, introduce new techniques (and automation) to more effectively and efficiently address the range of threats to the range of operations.
  4. Broaden the view of organization and governance. Security is just one silo in IT-related business risk. Look across more IT functions and make stronger use of governance to align decision making.
  5. Broaden the business view. In understanding IT-related business risk, move beyond downtime or cost to remediate an intrusion. Focus on how better risk management enables more revenue.

If you aspire to IT risk management leadership or have just been given the job, you need to act to be successful. This requires change in your perceptions, techniques, tools and organization interactions. Track your progress against each of these areas so you have balanced professional growth. To learn more on this subject, click here for information on the North America Computer Audit, Control and Security (CACS) conference to be held on 18-22 April 2010 in Chicago, Illinois, USA, where Brian Barnier, Jeffrey M. Krull, CISA, and others will present on this and other related topics.

Brian Barnier, CGEIT, is a principal at ValueBridge Advisors. For ISACA, he served on the task force that created Risk IT and the IT Governance, Risk and Compliance and North America CACS program committees. He teaches, speaks and researches widely.


Learn From Real-world Experiences—Successes and Failures
International Conference • Cancun, Mexico • 6-9 June 2010

Alexander Zapata Lenis, CISA, CGEIT, chairman of the International Conference Task Force and IT governance and assurance manager with Grupo Cynthus S.A. de C.V., offers his thoughts on this year’s International Conference.

Question Is there an overarching theme to this year’s International Conference?

Answer The overarching theme is innovation with a focus on global perspectives on common IT challenges, practical knowledge and governance in the areas of leadership, IT governance, cloud computing, IT audit, information security, risk management, virtualization and business continuity for pandemics.

Question What are the key takeaways that attendees can anticipate gaining from the conference? Will any new concepts or products be introduced?

Answer Attendees of this year’s conference will gain new practical knowledge, relationships with new contacts, new and exciting ideas to share with colleagues, real-world examples, tools and working papers, and insights on emerging issues. There are several conference sessions and workshops that will provide interesting tips on IT governance, risk management, information security and Val IT™ implementation for professionals to take back to the office.

Some of the new concepts and sessions that will be discussed during this conference include governance, IT audit and security related to cloud computing; ethics and IT audit; auditing green; and emerging challenges for digital forensic investigators.

There will also be an interesting roundtable for which the focus will be practical experiences using COBIT as a tool to achieve business goals and comply with regulations.

Question What makes this location special? Why was it chosen for this conference?

Answer This is the first International Conference held in Latin America. Cancun is located on the southeast coast of Mexico, in the state of Quintana Roo, in the Yucatan Peninsula. Warm, white, powdery sand beaches and turquoise, crystal-clear waters, together with the famous Mexican hospitality, make this a place like no other.

Cancun is the home to many world-class luxury hotels, dotting the edge of the beautiful Caribbean Sea. Add a full range of water sports, including some of the world’s most exquisite snorkeling and scuba diving, and Cancun is a location that will delight even the most discerning traveler.

Click here for more information and to register for the International Conference.


Study Finds GRC Is Key Priority to Economic Recovery

Nearly two-thirds of executives globally say they are focused on converging their company’s many governance, risk and compliance (GRC) initiatives, to improve risk management and reduce costs, according to a global survey by KPMG International. Some 64 percent of 542 executives surveyed called the convergence of GRC projects a priority, driven in part by the complexity of business.

“Typical responses to new regulations have been to add layer after layer of compliance processes, resulting in bloated corporate bureaucracy that can make an organization sluggish,” said John M. Farrell, the GRC Service Network Leader for KPMG LLP, the US member firm of KPMG International. “The answer for some leading companies is implementation of a converged GRC program as a strategic and practical approach that promotes flexibility in a risk-aware culture.”

The KPMG survey respondents listed the top reasons why they implemented their GRC program as:
  • To simplify overall business complexity (44 percent)
  • To reduce organizational risk exposure (37 percent)
  • To improve corporate performance (32 percent)

Click here for a copy of the KPMG International survey.


CISA and CISM Among 10 Most Sought-after Certifications

ISACA’s Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) are among the top 10 most sought-after certifications for 2010, according to a recent Information Security Media Group (ISMG) survey. ISMG’s first annual Information Security Today Career Trends Survey benchmarked 2010 trends in information security careers across industries.

Survey results show that professionals are committed to investing in certifications in 2010. In fact, the survey found CISA and CISM to be among the top three most sought-after certifications for security professionals. According to ISMG, these certifications are becoming “minimum standards in the profession.”

Click the respective links to learn more about CISA and CISM.


New ISACA Strategy Results in Growth and Expansion of COBIT

The ISACA® strategy adopted in 2009 was built on the results of considerable market research. One of the surveys conducted for that research—among members, prospects and certification holders—revealed a significantly high take-up of COBIT. This is supported by the ISACA web site download figures, which tend to show a marked bias toward documents with COBIT in the title.

Because of that success, and the fact that COBIT provides a common language in the industry, the new strategy includes an objective to grow and expand COBIT through the addition of various new and ancillary products. The appropriate volunteer bodies were put in place for the 2009-2010 term and progress has begun. Here is where things stand now on each of the COBIT-related initiatives:
  • COBIT 5—Planning for this initiative is well advanced. The underlying concepts that the new framework will need to support have been documented and an action plan has been developed to deliver the required results to support them. Initial thinking about the design of the framework and its supporting contents is underway and includes wide discussion to ensure that broad input is obtained from all parties involved.
  • COBIT IRM—The initial design and development of a COBIT Information Reference Model (IRM) will be completed as part of the initial framework development activities, to ensure consistency of the development results with the other COBIT models. Future development of COBIT IRM products, deliverables and other constituency uses of this model will follow from that work.
  • Level 3 and 4 controls—This initiative will use the ISACA collaboration and community-building Web 2.0 capabilities introduced by the new web site (mid-2010) to provide the opportunity for constituents to collaborate and exchange knowledge on control objectives and control practices that are relevant to specific technologies, geographies, enterprise sizes, industry types, etc. The structure of this collaborative environment will be based on the existing COBIT framework structure—control objectives and control practices (conceived as the generic level 1 and 2 controls).
  • COBIT Security and COBIT Applications—These initiatives will follow from the design and development of the overall COBIT 5 framework.


Auditing Your Organization’s Value Management Processes?
A Conversation With Kris Budnik, Partner at Deloitte & Touche Enterprise Risk Services, South Africa, and Codeveloper of Value Management Guidance for Assurance Professionals: Using Val IT 2.0

Question Why and how was Value Management Guidance for Assurance Professionals: Using Val IT 2.0 developed? Does it complement other publications?

Answer This new publication provides guidance to assurance professionals on how to audit the value management practices required for good governance of IT-enabled investments. It is based on the Val IT: Based on COBIT framework and complements the IT Assurance Guide: Using COBIT. The publication was developed in response to feedback from select ISACA chapters and Val IT (pronounced Val eye-tee) webinar sessions held in 2008.

Question Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer The publication provides guidance on how to use Val IT to support an assurance review focused on the governance of IT-enabled business investments for each of the three Val IT domains—Value Governance, Portfolio Management and Investment Management. It increases the assurance professional’s focus on IT value and, through resulting assurance reviews, raises management’s awareness and understanding of the importance of IT value management.

This publication focuses on the business and IT processes of managing investments in IT. It enables auditors to focus on this specific scope and shows assurance practitioners how to do it. This publication will influence organizations—explaining the need for value management practices and controls, which may not exist in current business and IT management processes.

Question To whom is the book written? What titles and roles will benefit the most from the publication and how?

Answer This guide was written to assist IT audit and assurance professionals, but will also benefit business management. It complements and supports assurance activities based on COBIT and enables leveraging of COBIT and Val IT when planning and performing assurance reviews and audits, so that the business, IT and assurance professionals are aligned with a common framework and common objectives.

Members can click here to download the complimentary PDF of the publication.

Nonmembers, as well as members, can click here to purchase a print copy of the publication from the ISACA Bookstore.

