@ISACA Volume 1: 2 January 2014 

@ISACA Relevant, Timely News

Nominating Committee Selects 2014-2015 President

The ISACA Nominating Committee has selected Robert E. Stroud, CGEIT, CRISC, as international president for the 2014-2015 Board of Directors slate. Stroud is vice president of strategy and innovation at CA Technologies (New York, USA). Earlier in his career he spent more than 15 years in the finance industry successfully managing multiple initiatives in both the IT and retail banking sectors related to IT service management and process governance. He joined CA Technologies from the Australian computer security company Cybec, where he was responsible for the company’s successful global expansion, including entry into the North American market.

Stroud is the chair of ISACA’s ISO Liaison Subcommittee and the COBIT Market Growth Task Force and a member of ISACA’s Professional Influence/Advocacy Committee. He has served as an international vice president of ISACA, member of ISACA’s Strategic Advisory Council, chair of the COBIT Steering Committee and member of the ISACA Framework Committee. He earned the 2013 President’s Award from ISACA, which is given to recognize extraordinary service to the association. Stroud will also serve as president of the IT Governance Institute for 2014-2015.

In selecting the president, the committee considered input and guidance from a variety of sources: the committee’s own discussion, an evaluation of each candidate as compared to the board-approved attributes for office, the association’s own strategy and direction, and the board-approved guiding principles and expectations for the position.

The remainder of the slate—the international vice presidents—will be selected by the Nominating Committee in the first quarter of 2014 and will be announced to the membership by mid-April 2014. If no additional candidates arise from the membership (by petition), the slate is declared elected by acclamation and those individuals will be installed at the Annual Meeting of the Membership to be held in June 2014 in Chicago, Illinois, USA.


ISACA Celebrates 45 Years of Success

2014 marks the 45th anniversary of ISACA. This milestone is the direct result of the hard work and dedication of hundreds of thousands of professionals around the world who have given so much of their time and knowledge to benefit and advance the profession.

Founded in 1969 as the EDP Auditor’s Association, the organization’s name was changed to Information Systems Audit and Control Association in 1994, which was then shortened to ISACA in 2005. The association held its first major conference in 1971. This conference is still ISACA’s most well-attended conference and is now known as the North America Computer Audit, Control and Security Conference (North America CACS). ISACA now offers numerous conferences and education opportunities worldwide.

Early on, the association experienced rapid growth as it branched out beyond the US with chapters in all five of its current geographic areas (Asia-Pacific, Europe/Africa, Latin America, North America and Oceania) before 1982. Membership increased accordingly, and in the early 1990s ISACA was proud to reach 10,000 members. In 2012, ISACA grew to 200 chapters, exceeding that number in 2013. By the end of 2013, ISACA was serving more than 110,000 constituents in more than 180 countries.

In 1981, the first Certified Information Systems Auditor (CISA) exam was held, and in January 2013, while celebrating its 35th anniversary, ISACA certified the 100,000th CISA since inception, reaching more than 106,000 by the end of 2013. As the association grew, so did its certification program. With the changes in industry and the growth of the membership’s focus, ISACA initiated the Certified Information Security Manager (CISM) certification, which held its first exam in 2003. As members’ areas of professional concentration continued to evolve, the association launched the Certified in the Governance of Enterprise IT (CGEIT) in 2008 and the Certified in Risk and Information Systems Control (CRISC) in 2010. In 2013, ISACA had certified more than 23,000 CISMs, 5,000 CGEITs and 17,000 CRISCs since each certification’s respective inception. In just its 4th year, CRISC won the 2013 Best Professional Certification Program Award from SC Magazine.

In 1996, ISACA’s affiliate, Information Systems Audit and Control Foundation, first issued COBIT, formerly known as Control Objectives for Information and related Technology. Some may even recall that this publication took its roots from the Control Objectives publication from 1976. Now in its latest version, COBIT 5 integrates other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT frameworks, Information Technology Infrastructure Library (ITIL), and related standards from the International Organization for Standardization (ISO). ISACA’s 2012 release of COBIT 5 has been closely followed by the release of supporting content including COBIT 5: Enabling Processes (2012), COBIT 5: Enabling Information (2013), COBIT 5 Implementation (2012), COBIT 5 for Information Security (2012), COBIT 5 for Assurance (2013) and COBIT 5 for Risk (2013).

ISACA released exposure of its first general standards in 1987 and first issued the IS Auditing Standards, Guidelines and Procedures (the latter now referred to as tools and techniques), in 1997. In 2013, the IT Assurance Framework (ITAF) (first issued in 2008), which incorporates the standards, guidelines, and tools and techniques, was updated with revised IS Audit and Assurance Standards and work on updating the IS Audit and Assurance Guidelines was underway, with drafts released for exposure in late 2013.

Much has changed in the field in the 45 years since ISACA opened its doors as the EDP Auditor’s Association. ISACA’s history has prepared it for the many twists and turns it will encounter in the next 45 years.


Data Protection and Challenges in Automation

Organizations considering protecting data using automated tools often find it difficult to get appropriate information due to confusion in the vendor marketplace regarding data loss/leakage prevention (DLP) controls. Although there are many contributing factors, the most notable are a general lack of understanding among the vendor community about what constitutes risk to a business and bottlenecks due to impractical processes.

Organizations want to protect confidential data and also comply with laws and regulations. They look for technology to offer a quick solution. However, it is not the technology, but the methodology and execution strategy that govern the results.

An organization’s requirements for data protection can be categorized as:

  1. Protecting data from leaking out of the organization through mail and the Internet (network)
  2. Controlling leakage of data using removable media (end point)
  3. Protecting data stored on storage networks (NAS/SAN)

When considering these requirements, organizations may have to look for multiple technological solutions. DLP solutions provide few capabilities that can be implemented independently. That is, there are solutions that focus on protecting data passing through networks based on the rule set and classification, solutions that focus on end-point controls based on rules and classification, digital rights management (DRM) solutions, and digital access management (DAM) solutions, to name a few.

A prerequisite for successful implementation of these tools is an appropriate rule set and data classification based on the impact of risk associated with a data leak. The following steps are useful when creating or updating data protection processes:

  • Create an information risk profile based on impact severity.
  • Create awareness about risk associated with a data leak.
  • Define and establish processes for data classification.
  • Identify information resources and determine classification.
  • Determine a rule set for data usage and movement based on the class of data.
  • Identify solutions that meet the organization’s requirements.
  • Integrate controls into the rest of the organization.
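
The classification and rule-set steps above can be sketched in code. This is an added example, not part of the original article or taken from any DLP product; the class names, actions, paths and rules are constructed assumptions. It classifies a resource by its inventory entry, looks up the action for each of the three requirement areas (network, end point, storage), fails closed where no rule exists, and audits the rule set for gaps.

```python
# Added example: classes, actions, paths and rules are constructed.
CLASSES = ["public", "internal", "confidential", "restricted"]  # rising impact
ACTIONS = ["allow", "log", "encrypt", "block"]                   # rising strictness
CHANNELS = ["network", "endpoint", "storage"]  # the three requirement areas

INVENTORY = {  # information resources and their assigned class
    "/shares/marketing/": "public",
    "/shares/finance/": "confidential",
    "/shares/finance/payroll/": "restricted",
}

RULES = {  # channel -> class -> action
    "network":  {"public": "allow", "internal": "log",
                 "confidential": "encrypt", "restricted": "block"},
    "endpoint": {"public": "allow", "internal": "log",
                 "confidential": "block", "restricted": "block"},
    # Deliberate gap: no storage rule for "restricted" data.
    "storage":  {"public": "allow", "internal": "allow",
                 "confidential": "encrypt"},
}

def classify(path):
    """Longest matching inventory prefix wins; unlisted data gets the top class."""
    matches = [p for p in INVENTORY if path.startswith(p)]
    return INVENTORY[max(matches, key=len)] if matches else CLASSES[-1]

def decide(path, channel):
    """Action for moving `path` over `channel`; a missing rule fails closed."""
    return RULES.get(channel, {}).get(classify(path), "block")

def audit(rules):
    """List rule-set defects: missing (channel, class) pairs, and classes
    handled less strictly than a lower-impact class on the same channel."""
    problems = []
    for channel in CHANNELS:
        strictest = -1
        for cls in CLASSES:
            action = rules.get(channel, {}).get(cls)
            if action is None:
                problems.append(("missing", channel, cls))
                continue
            level = ACTIONS.index(action)
            if level < strictest:
                problems.append(("weaker-than-lower-class", channel, cls))
            strictest = max(strictest, level)
    return problems

if __name__ == "__main__":
    print(decide("/shares/finance/q1.xlsx", "network"))
    print(audit(RULES))
```

Running the audit before deployment shows where the rule set does not yet cover a class of data, so that the gap is closed by a deliberate rule instead of by the fail-closed default.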

ISACA offers a number of resources for more information on this topic, including An Introduction to Privacy and Data Protection 2014 Training Weeks; Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things (webinar); Best Practices for Implementing Data Loss Prevention (webinar); Data Leak Prevention (white paper); Privacy/Data Protection online community; plus nine Information Security online communities.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, CEH, CISSP, ISO 27001 LA, BS 25999 LI, MCA, PMP, is a consultant and trainer in IT governance and information security.


Global Search for New ISACA CEO Underway

ISACA has begun the search process for a new chief executive officer (CEO). The association has retained Korn/Ferry International to conduct the search for an executive to succeed Susan M. Caldwell, who retired in September after 21 years of service. Korn/Ferry International has been a leader in executive recruitment for more than 44 years. The firm has 80 offices across North America, Europe, Asia/Pacific, Latin America, the Middle East and South Africa.

ISACA International President Tony Hayes, who is leading the search panel, said, “ISACA’s CEO search panel engaged in a rigorous process to find the right executive recruitment team that we feel best matches the association’s needs for this global search.”

The next step in the recruitment process is for the search panel members and the Korn/Ferry team to finalize the job description and qualifications. The ISACA search panel includes:

  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, ISACA international president
  • Everett Johnson, CPA, chair of ISACA’s Strategic Advisory Council and past international president
  • Terry Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, chair of ISACA’s Finance Committee and international vice president
  • Jon Singleton, FCA, chair of ISACA’s Governance Advisory Council and past international president

“ISACA celebrates its 45th year in 2014, and this is an exciting time for the association,” said Hayes. “We are engaging in a rigorous global search to find a chief executive officer who will lead the association as we execute on our 10-year strategy and deliver an increasing number of timely and practical resources and benefits for our members.”

Interested candidates can submit résumés and cover letters, as well as any questions, directly to Korn/Ferry at ISACA@kornferry.com.


ISACA Gives Back Through Its Corporate Social Responsibility Program

In the first half of 2013, the ISACA Board of Directors approved the establishment of a formal corporate social responsibility (CSR) program for ISACA. The program will begin in January 2014 and will be conducted on a 3-year pilot basis. A volunteer body (working group) consisting of representatives from the Chapter Support Committee, the Finance Committee and the Relations Board has spent the past several months developing criteria for the various types of giving to be undertaken by the program.

Contributions will take four forms:

  • ISACA will donate funds to one or more international organizations selected by the working group; organizations selected must meet the criteria established by the group. Two organizations have been identified for 2014. Those organizations will be announced once contact has been made and the details surrounding the donations have been finalized.
  • Chapters, volunteers, members and staff can apply for funding from ISACA to be donated to local/regional organizations meeting specific criteria. The working group will review all submissions and determine whether funding will be granted.
  • ISACA will donate funds to relief agencies in areas significantly impacted by natural or man-made disasters. (ISACA has been doing this for several years; the CSR program formalizes the process.)
  • ISACA staff will be provided a limited number of paid hours off per year to participate in approved volunteer activities.

Details on the criteria for the different types of donations and a link to the form that chapters, members, volunteers and staff may use to request funding are available on the Corporate Social Responsibility Program page of the ISACA web site. Questions? Please contact csr@isaca.org.


Influence More—Nominate an ISACA Colleague to Volunteer

Do you know of someone who would be an asset to an ISACA volunteer body such as a committee or task force? If so, nominate him/her for the 2014-2015 volunteer term.

You may nominate a member or members for volunteer service by completing the Volunteer Nomination Form or emailing the candidate’s name, email address, recommended volunteer body and any additional information in support of the nomination to participate@isaca.org.

ISACA will inform candidates of their nomination, provide information on volunteering and request additional information, as needed.

Please ensure that nominations are submitted well in advance of the 13 February 2014 deadline to allow nominees time to submit additional application information prior to that date.

Are you the member you know who would be an asset? If you are interested in volunteering with ISACA, visit the Join an ISACA Volunteer Body page of the ISACA web site. From this page, you will have access to the online application and the Invitation to Participate brochure. In addition to the application, we request applicants also provide a résumé/curriculum vitae, which may be submitted upon completion of the online application.

Questions? Contact participate@isaca.org.


Book Review: The Definitive Guide to IT Service Metrics
Reviewed by Upesh Parekh, CISA

Today’s chief executive officers (CEOs) are worried about rising expenses with no apparent incremental return to the business. It appears to them to be a ride on the tiger, where once you have started the ride, you do not have any option but to continue. This scenario can be very difficult for chief information officers (CIOs) who are unable to articulate the value added by IT to the business.

Effective IT service management metrics can be useful to help the CIO clearly communicate the value of service provided by IT to the business.

The usefulness of IT service management metrics does not end there. There are 3 main benefits of using IT service management metrics:

  1. The metrics help to introduce the use of common terminology across the organization when discussing complex issues of IT services.
  2. They clearly demonstrate where the organization is in terms of IT services.
  3. They highlight the areas of improvement for IT services.

The utility of using IT service management metrics is beyond doubt today. However, the real challenge for a service manager is to select the right metrics and measure and monitor those regularly.

The Definitive Guide to IT Service Metrics, by Kurt McWhirter and Ted Gaughan, helps the IT service manager select the right metrics for measuring the performance of IT. The authors have based the book on the industry-standard IT services framework, ITIL® 2011 Service Lifecycle, and they also draw upon the Project Management Body of Knowledge (PMBOK™) and ISO/IEC 2011.

The book offers a menu of relevant metrics of IT services management. It covers all of the processes of ITIL 2011 Service Lifecycle. It is written in a simple manner, and it is easy to determine the metrics available for any particular process. The menu includes well-known and widely used metrics as well as some of the more innovative and less-used options.

This book is written to meet the service manager’s need to have a comprehensive list of metrics covering different processes of IT service management. The Definitive Guide to IT Service Metrics meets and exceeds that purpose.

The Definitive Guide to IT Service Metrics is available from the ISACA Bookstore. For information, see the ISACA Bookstore supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.

