@ISACA Volume 1: 10 January 2011 

@ISACA Relevant, Timely News

ISACA Nominating Committee Selects Next President

The ISACA® Nominating Committee has identified its selection of international president for the 2011-2012 Board of Directors slate. Kenneth L. Vander Wal, CISA, CPA, has served on the ISACA board as international vice president since 2007. He is a coauthor of IT Control Objectives for Sarbanes-Oxley, 2nd Edition, and serves on ISACA’s Guidance and Practices Committee, Knowledge Board, Professional Issues and Advocacy Task Force, and Strategic Advisory Council. Professionally, he is a retired national partner in the Technology and Security Risk Services (TSRS) practice of Ernst & Young, where he was responsible for the firm’s global TSRS quality and risk management program.

This year, the Nominating Committee is using an accelerated schedule for identifying the international president. In past years, the president was selected at the same time as the rest of the board slate—typically in January or February—and the slate was announced to the membership in early April (in keeping with the bylaws requirement that notification be provided 60 to 90 days before the Annual Meeting of the Membership). This year, the Board of Directors approved the accelerated schedule to enable two outcomes:

  • The incoming president has more time to orient him/herself to the responsibilities of the office before actually stepping into the position.
  • The incoming president can identify some key appointments before the remainder of the slate is identified so that the Nominating Committee can factor those appointments into their deliberations in building the slate.

The remainder of the slate—the international vice presidents—will be selected by the Nominating Committee by mid-February 2011 and will be announced to the membership by mid-April 2011. If no candidates arise from the membership (by petition), the slate is declared elected by acclamation, and those individuals will be installed at the Annual Meeting of the Membership, to be held on 27 June 2011 in Washington DC, USA (in conjunction with the World Congress).

Vander Wal will also serve as president of the IT Governance Institute.


New Webinar Program Provides More Educational Opportunities
First Event to Be on the Importance of Database Audits

ISACA® is pleased to offer a new online event program in 2011. Each month, ISACA will be hosting a live, 60-minute webinar featuring relevant presentations on industry hot topics. This new program expands ISACA’s online event offerings, providing constituents with additional educational opportunities that are free and convenient.

The new program launches with the 20 January 2011 webinar at 11:00 a.m. CST (UTC/GMT -6 hours). This in-depth discussion will address the importance of database audits. With two-thirds of sensitive and regulated information stored in databases, it is amazing that few organizations conduct database auditing on a regular basis as part of a defense-in-depth approach to database security. Tanya Baccam, CISA, CISM, CISSP, CPA, GCFW, GCIH, OCP (Oracle) DBA, an information security consultant and SANS analyst, will provide insights on what database activity you should audit and on how you can streamline or automate database audits by consolidating audit trails using software tools such as Oracle Audit Vault.

For more information and to register, please visit the Webinar page of the eLearning area of the ISACA web site. The webinars will be archived on the eLearning page and available for on-demand viewing for a period of 12 months.


Tips on Implementing Identity and Access Management
By Tara Kissoon, CISA, CISSP

The purpose of identity and access management (IAM) is to identify and manage information used by systems to provide access to enterprise resources. Here are tips, broken into three categories, on implementing IAM within your organization:

  1. Evaluate:
    • Determine the benefits and return on investment (ROI) of the proposed IAM solution.
    • Ensure that the scope takes into consideration an integrated security solution that meets the needs of your organization.
    • Take into account nuances that may require unique considerations, e.g., business processes may vary across the organization.
  2. Plan:
    • Gain senior management support on the proposed solution before starting any implementation activities.
    • Ensure resources are well planned and are aligned with the needs of the project.
    • Ensure that the business case allocates an appropriate budget, including the financial cost of engaging specialized resources.
  3. Implement:
    • Know which IAM capabilities will be implemented through a staged approach.
    • Ensure that the solution chosen can be managed by current resources and has the flexibility to expand with organizational growth.
    • Gain user adoption through training and awareness sessions, e.g., lunch-and-learns.

Tara Kissoon, CISA, CISSP, is a director at Visa Inc. Her expertise is focused in developing and implementing information security and risk management controls across global payment systems.


Board of Directors Convenes in Chicago

The ISACA® Board of Directors held a joint meeting with the IT Governance Institute Board of Trustees in early November 2010 in Chicago, Illinois, USA. While many topics were covered during the course of the day-and-a-half meeting, considerable emphasis was placed on the following:

  • Cloud computing—It was agreed that cloud computing is a topic deserving more of ISACA’s attention. Some activities have already been undertaken (e.g., a cloud-computing-related white paper, webcast and Journal articles), but there is much more that could be done. A volunteer task force will be created to outline a strategy for addressing the opportunities in this area.
  • ISACA’s role as a global organization—ISACA is truly global; it is amply represented around the world and functions as a unified whole, rather than a loosely connected confederation of stand-alone bodies. While this provides the association a layer of strength, it also offers some challenges, notably in speaking to national governments or other official entities with one voice. The role of chapters in this undertaking was discussed, and a maturity model for chapters’ use in interacting with governmental and regulatory agencies was suggested as a possible form of guidance.
  • Translation—A translation policy was adopted on a trial basis for the next three years that will provide more financial assistance to chapters wishing to translate a document and will enable ISACA to exercise more flexibility in the selection of documents to be translated and languages in which to translate them. In addition, further support to Certified Information Systems Auditor® (CISA®) exam preparation will be offered via additional translations of study materials based on the number of individuals taking the exam in the language over the previous three years.
  • GEIT—A Governance of Enterprise IT (GEIT) Within ISACA Task Force will be created on a short-term basis to devise a structure for governing ISACA’s IT in the future. The task force will present its plan to the board for approval in March 2011.
  • COBIT 5—The COBIT 5 Task Force reported that it was on track to release COBIT 5 in the first quarter of 2012.
  • Code of Professional Ethics—The Code of Professional Ethics was revised slightly, and the new version will take effect in January 2011.

The next joint meeting of the boards will take place in March 2011.


ISACA Helping Chapters Build New Web Sites

As the new ISACA® web site enjoys its six-month anniversary, ISACA is reaching out to chapters across the globe to help them create their own, unique, ISACA-branded local web sites.

In the first phase of this project, four chapters volunteered to take part and now have live web sites posted at unique URLs off the main ISACA site. Working closely with these local chapter leaders, the ISACA web team provided chapter leaders the ability to infuse ISACA International Headquarters’ information with local chapter-specific news, events, features and other information.

When each web site is completed, members will be able to sign in to their chapter site using their ISACA login credentials, and chapter events, news and announcements posted on the chapter site will also appear on a member’s MyISACA page on the ISACA web site.

The second phase involves 12 chapters and is currently underway. Remaining chapter web sites will go live during 2011, as well. To view examples of live sites, visit the Detroit, Quad Cities or Indonesia chapter web sites.


Meaningful Certifications Provide an Edge in Job Competition
Jack Jones, CISA, CISM, CRISC, CISSP, Shares His Experiences as a CISA, CISM and CRISC

Jack Jones was working as an information security consultant for a large accounting and consulting organization, surrounded by many auditors. At that time, he pursued the Certified Information Systems Auditor® (CISA®) certification to gain a better understanding of auditors’ needs and perspectives. Later, he earned the Certified Information Security Manager® (CISM®), followed most recently by the Certified in Risk and Information Systems Control™ (CRISC™).

“The CISM certification did a nice job of characterizing my background in managing security vs. just being a security subject matter expert,” Jones explained. “Obtaining the CRISC certification was actually a byproduct of my desire to contribute to our profession’s understanding of risk and play a significant role in helping to evolve and manage the certification.”

Jones finds that having the ISACA® certifications has benefited him in terms of credibility and relationships with colleagues and counterparts in the profession. “In fact, as it turned out, having the CISA credential helped me become ‘one of the gang’ and more accepted within that crowd, even though I was security-focused,” Jones said. “The certifications also have been helpful in competing for jobs. Everything else being equal, the person with meaningful certifications—which is not the same as having the most certifications—will have an advantage.”

Risk is widely misunderstood, according to Jones. He enjoys providing training on the subject and his CRISC certification demonstrates his knowledge in this area. He often presents at seminars, ISACA chapter meetings and conferences, which, in turn, help him earn continuing professional education (CPE) hours. “The best part of my job is training people about risk—what it is and is not and how to analyze and measure it,” he said. “When you see those light bulbs go on and someone really understands risk for the first time, their enthusiasm and recognition of the implications are exceptionally rewarding.”

Jones advises that regardless of which ISACA certification(s) someone pursues, he/she needs to understand more than just the material in the bodies of knowledge or other references. “It is equally important to understand the perspective of that profession or discipline. For example, when I was first studying for the CISA exam, I scored miserably on the practice exams until someone told me to quit thinking like a security geek and, instead, approach the questions as if I was an auditor. As soon as I was able to make the mental switch in perspective, the questions became much easier,” he explained. “Further, it forced me to recognize the fact that we all approach a problem with different perspectives—it is critical to recognize that in our professional relationships.”

Jack Jones, CISA, CISM, CRISC, CISSP, is the founder of Risk Management Insight LLC and chair of ISACA’s CRISC Test Enhancement Subcommittee and has been a member of the Risk IT and CRISC task forces.

