@ISACA Volume 9: 28 April 2010 

@ISACA Relevant, Timely News

CRISC Grandfathering Program Now Open

Grandfathering applications for the new Certified in Risk and Information Systems Control™ (CRISC™, pronounced “see-risk”) designation are now being accepted. CRISC is a new certification designed for IT and business professionals who identify and manage risks through the development, implementation and maintenance of appropriate information systems (IS) controls. CRISC is intended to recognize a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor and maintain IS controls to mitigate such risks.

Professionals with eight or more years of IT and business experience can now earn ISACA’s new CRISC designation under its grandfathering program. Certification through the grandfathering program is open from April 2010 through March 2011 to highly experienced individuals. Click here for specific details regarding the grandfathering program, specific requirements and an application.

CRISC is intended to complement ISACA’s three existing certifications as follows:
  • CRISC is for IT and business professionals who are engaged at an operational level to mitigate risk, while CGEIT is for IT and business-related professionals who have a significant management, advisory or assurance role relating to the governance of IT including risk management.
  • CRISC is for IT and business professionals who design, implement and maintain IS controls, while CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness.
  • CRISC is for IT professionals whose roles encompass security, operational and compliance considerations, while CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risks.

Set yourself apart from your peers; apply for the CRISC certification today.


Top Eight Tips for Forensics
By Leighton Johnson, CISA, CISM, CIFI, CISSP

Digital forensics is the process for any forensics scene activity or investigation involving computer-based or network-based digital data in a system and/or network. This activity is usually in response to some incident, event or activity that resulted in an incident response action. Digital forensics is the detailed process invoked during incident response when the event is found to have some legal, criminal or civil component or potential result for the organization. The acronym PIPSECAP (“pips-ecap”) will help you to remember how to conduct the forensics investigation:

  1. Prepare—Specific forensics training, overarching corporate policies and procedures, and practice investigations and examinations will prepare you for an “event.” Specialized forensics or incident handling certifications are considered of great value for forensics investigators.
  2. Identify—When approaching an incident scene, review what is occurring on the computer screen. If data are being deleted, pull the power plug from the wall; otherwise, perform real-time capture of system “volatile” data first.
  3. Preserve—Once the system-specific “volatile” data are retrieved, turn off the machine, remove it from the scene and power it up in an isolated environment. Perform a full-system, bit-stream image capture of the data on the machine, remembering to “hash” the image with the original data for verification purposes.
  4. Select—Once you have a verified copy of the available data, start the investigation of data by selecting potential evidence files, data sets and locations where data could be stored. Isolate event-specific data from normal system data for further examination.
  5. Examine—Look for potential hidden storage locations of data, such as slack space, unallocated space and in front of file allocation table (FAT) space on hard drives. Remember to look in registry entries or root directories for additional potential indicators of data storage activity.
  6. Classify—Evaluate data in potential locations for relevance to the current investigation. Are the data directly related to the case? Does the data support events of the case? Or, are the data unrelated to the case?
  7. Analyze—Review data from relevant locations. Ensure data are readable, legible and relevant to the investigation. Evaluate the data for type of evidence: Is the data direct evidence of the alleged issue or are they related to the issue?
  8. Present—Correlate all data reviewed to investigation papers (e.g., warrants, corporate documents). Prepare a data report for presentation—either in a court of law or to corporate officers.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team (ISFMT) of Bath, South Carolina, USA.


New Blog to Debut on Revamped Web Site
By Emil D’Angelo, CISA, CISM, 2009-2010 ISACA International President

When ISACA’s new web site is introduced in late May, one of the many enhancements will be the debut of a new blog, ISACA Now. The blog is designed with member needs in mind, and will feature posts from ISACA’s current international president (that’s me, for now) as well as from Susan Caldwell, ISACA’s chief executive officer. Comments to the posts are welcomed and encouraged.

The blog will also host a variety of questions from members and other constituents. ISACA® leaders will serve as guest bloggers to provide timely responses. Submissions are being accepted now, in advance of the blog, so start sending questions about ISACA, IT, careers, certifications or business in general to news@isaca.org. Please put “Blog Question” in the subject line. We also encourage you to keep up with the latest ISACA-related news via ISACA’s official Twitter account, @ISACANews.

In addition, the new web site will feature:
  • A Knowledge Center—A single location where users can view all ISACA resources, including publications, ISACA Journal articles, events, links and news, around a specific topic
  • Networking among users and the ability to post documents within communities. These communities will have topic leaders and moderators, and most will be accessible only to ISACA members.

One of the greatest benefits of belonging to a global association such as ISACA is the tremendous opportunity to learn from, and interact with, members from all over the world. We hope these new capabilities will provide another effective outlet for that valuable sharing of knowledge and expertise.


Read About the Latest Changes in Oracle E-Business and ERP
A Conversation With Najeeba Hossain, Member of Deloitte Touche Tohmatsu’s Primary Research Team

Question Why and how was the book developed? Does it replace or complement other publications?

Answer This third edition of the technical reference guide on Oracle® E-Business was developed to provide an update to readers on current industry standards and to identify future trends in risks and control related to Oracle E-Business. The objective of Security, Audit and Control Features Oracle® E-Business, 3rd Edition, is to enable professionals to evaluate risks and controls in existing enterprise resource planning (ERP) implementations, and to facilitate the design and implementation of better practice controls into system upgrades and enhancements. The book references ISACA’s COBIT® 4.1, which provides guidance across a domain and process risk framework.

The book is currently being developed by risk and audit professionals from Deloitte, on behalf of ISACA®, with input also being provided by Oracle Corp. and subject matter experts from around the world.

The Oracle E-Business book is one in a series of three that provides information relating to the world’s three major ERP systems. The other guides in the Security, Audit and Control Features series focus on SAP and PeopleSoft.

Question Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer The main aim of the publication is to notify readers of the key changes in the most recent release of Oracle E-Business Suite R12.1; the advent of governance, risk and compliance (GRC) solutions; and the impact that these have had on Oracle E-Business’s security, risks and audit techniques. Not only does this guide provide readers with an understanding of Oracle E-Business, but it also focuses on the enhancements in the latest release, which offer significant improvements to audit quality and efficiency. In particular, the guide discusses how the advent of Oracle’s GRC solution can assist with continuous compliance over an Oracle E-Business environment.

The publication also provides information around the upcoming trends and directions for ERP systems in general and for Oracle E-Business, which is aimed to prepare readers for future changes that may arise.

Question To whom is the book written? What titles, roles will benefit the most from the publication and how?

Answer The book has been written with IT and business professionals in mind. Assurance professionals, as well as security and risk management professionals will find this publication to be highly informative and helpful. This book also aims to assist system architects, business analysts and business process owners who are implementing Oracle EBusiness, and people responsible for running the system in live production, to maintain an appropriate level of control and security according to business needs and industry standards.

Parts of the publication are written for those looking to learn more about how Oracle EBusiness generally works, while the focus of the book is on the key strategic/risk management issues and audit tools/techniques that should be considered for an Oracle EBusiness environment.

Question What would you identify as the single most important takeaway from the book? In other words, how will the reader benefit from the publication?

Answer This book outlines the importance of identifying the key specific risks inherent in an Oracle E-Business environment, and, in particular, focuses on the expenditure and financial accounting business cycles, as well as Oracle E-Business security administration. The book provides the reader with suggested tools and techniques available to assist with controlling and auditing such risks.

Question What makes this publication unique and valuable to the reader?

Answer Although there are many books that have been written on Oracle, most of them are focused narrowly on the implementation, the business aspects, or on how a specific Oracle module works. This publication is unique, in that it deals with aspects of risk management, audit, security and control over the most recent release of Oracle E-Business. These are important aspects that have not been dealt with previously in a comprehensive manner within one publication. The book is also unique in that it contains audit programs, audit suggestions and internal control questionnaires for the business cycles addressed within the publication.

The publication is scheduled to be available in the ISACA Bookstore in June. Click here to learn more about recently released ISACA research publications.


Finding Career Variety and Stability Through Certification
Mark Petterson, CISA, CPA, Audit Manager, Arizona Board of Regents, Shares His Experience As a CISA

Mark Petterson, CISA, CPAMark Petterson’s first civilian job after his military service was as a bank internal auditor. Eventually, as he considered IS auditing, he became more and more interested in it and thought it would be a good fit with his accounting and computer science degrees.

“I pursued the Certified Information Systems Auditor® (CISA™) certification to demonstrate my proficiency in the field of IS audit and to demonstrate my suitability for jobs requiring a CISA,” explained Petterson. “Having the CISA has given me confidence that I possess the body of knowledge necessary to do my job proficiently. The CISA certificate doesn't always mean you'll get the job you want, but it opens the door to interviews.”

Earning CISA and pursuing a career path with the certification has provided Petterson with variety in his work and the opportunity to effect significant change. “Information technology is so ingrained in organizations, and so critical, that CISAs get to look at a lot of different things,” said Petterson. “It is rewarding to go into an area, such as systems development, and identify significant problems that are dragging down the organization and have not been recognized by management, and recommend ways to solve them. And, continually changing technology helps keep the job interesting.”

As in most industries, the current economic climate has been tough on public university systems, and university employees are being asked to do more with less. Petterson finds there is pressure on both IT and audit staffing and it is a challenge to keep up with new technology—especially in the area of information security.

“It’s difficult to find a way to get management to embrace a control framework and a sound IT governance framework,” he explained. “It’s not that they don’t appreciate the concepts; it’s that they prefer to operate within their own comfort levels.”

To remain current and knowledgeable on new technology and maintain the requirements of his certifications, Petterson prefers in-person training; however, he feels webinars and other forms of distance learning are frequently worthwhile. “The continuing professional education (CPE) hours available from participating in ISACA committees have been helpful,” he added.

For those considering pursuing an ISACA credential, such as CISA, Petterson recommends beginning the process immediately. “Pick the certification that is most appropriate to your job or career goals, register for the exam, and start studying in a structured manner,” he suggests. “The exams are designed to be challenging, but fair. I wouldn’t be concerned with the experience requirement at this point—if you are working in the right field, time will pass and then you will be eligible for the certification.”

For those looking to work in the audit, security and/or governance field after graduation, Petterson suggests, “Network through participation in professional meetings and training, and pursue worthwhile professional development to keep up with changing technology and concepts.” He continued, “Avoid training that meets CPE requirements but is not challenging or useful. Be alert for opportunities brought by the changing technological landscape. Technological innovations, such as end-user computing, relational databases and the Internet, to name a few, have brought opportunities.”

Petterson added that becoming involved with ISACA can be very beneficial professionally. “Earning my CISA certification has enabled me to participate on ISACA committees,” he said. “My friendship and interaction with CISAs from all over the world and with ISACA International Headquarters’ staff has been extraordinarily fulfilling and educational.”

When not busy with his position as an audit manager, Petterson likes to run, hike, play tennis and read, especially the novels of Patrick O'Brian. He would also like to travel. “Having spent three years in Germany with the military, I feel at home in Europe and love to go back,” he said. If he wasn’t working in the audit field, Petterson says he would like to be teaching in a university setting or writing novels.

Mark Petterson is a member of the CISA Test Enhancement Subcommittee and the ISACA Credentialing Board. He also has been a member (including holding the chair position) of the CISA Certification Committee.


Enhanced Chapter Integration on New Web Site

Chapters play a pivotal role at ISACA®, giving support to members at the local level. Some of the chapter-related offerings planned for the soon-to-launch, renovated ISACA web site include:

  • Relevant chapter information presented to you on your My ISACA page
  • Chapter events and announcements listed on the ISACA web site and personalized to members
  • A chapter map to quickly and easily locate chapters around the world
  • Unified login—use your ISACA login credentials on chapter web sites

The renovated ISACA web site is launching next month with important upgrades and useful advancements. Learn more in upcoming issues of @ISACA. Click here for additional information available online.


Book Review: Information Technology for Management—Improving Performance in the Digital Economy, 7th Edition
Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

In today’s competitive business world, IT is a major driver, medium, tool and enabler for organizations to transform and leverage a competitive advantage on their path to success. Information Technology for Management—Improving Performance in the Digital Economy, 7th Edition, highlights the role IT plays in changing the business environment and how information systems can be leveraged to gain strategic advantage by facilitating problem solving, increasing productivity and quality, increasing speed, and improving service and product delivery through better communication, collaboration and business processes.

The book, written by Efraim Turban and Linda Volonino, is primarily aimed at managers and will help improve their understanding of IT or information systems (IS) as an enabler and an effective tool for management.

It is a good business reference and an excellent resource for the beginner. However, it is an intermediate book, appropriate for understanding and appreciating cutting-edge IT and IS solutions, and will prove useful for the IS professional to understand business management’s perspective of IT/IS.

With appropriate documentation and features, including a chapter online, learning objectives, cases, work boxes and highlights, the book has added strengths in the form of a presentation that takes a closer look at relevant issues, and is supplemented by chapter highlights, assignments, web-based resources and a glossary.

The presentation is in textbook style, but is worth the effort due to the content and information that is made available. And, the number of diagrams, figures, illustrations, tables, pictures and cases make the book interesting and appropriate as a business reference.

The book, if appropriately referenced and used, will provide enough resources and material to serve the current and future needs of business managers in the acquisition, implementation and effective deployment, operation and use of information technology and systems for managing their organizations.

Click here to order Information Technology for Management—Improving Performance in the Digital Economy, 7th Edition, or e-mail bookstore@isaca.org.

Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA, is an expert in software valuation, IS security and IS audit. He is a renowned faculty member at several management institutes, government academies and corporate training programs. He is a member of the ISACA Mumbai (India) Chapter and the ISACA Publications Subcommittee.


Read More Articles in Our Archives