@ISACA Volume 1: 4 January 2012 

@ISACA Relevant, Timely News

Nominating Committee Selects 2012-2013 President

The ISACA Nominating Committee has selected Greg Grocholski, CISA, as international president for the 2012-2013 Board of Directors slate. Grocholski, currently serving as an ISACA vice president, is chief audit executive at The Dow Chemical Company, where he is responsible for independently assessing the adequacy of accounting, financial and operating controls of Dow’s global operations. In this role, Grocholski has responsibility for corporate auditing, fraud investigative services and contract auditing. In addition, he is a standing ad hoc member of Dow’s global and regional ethics and compliance committees. Grocholski is also chair of ISACA’s Finance Committee and member of ISACA’s Audit Committee and Professional Influence and Advocacy Committee, and is a past chair of ISACA’s Assurance Committee and Knowledge Board. He is a board member of the Bay Area (Michigan, USA) Chamber of Commerce, vice president of Michigan (USA) Baseball Operations and a member of Northwood University’s (Michigan, USA) Accounting Advisory Council.

2011 marked the second year the Nominating Committee has used an accelerated schedule for identifying the international president. Previously, the president was selected at the same time as the rest of the board slate—typically in February or March—and the slate was announced to the membership in early April (in keeping with the bylaws requirement that notification be provided 60 to 90 days before the Annual Meeting of the Membership). The accelerated schedule was developed to enable two outcomes: (1) the incoming president has more time to orient him/herself to the responsibilities of the office before actually stepping into the position, and (2) the incoming president can identify some key appointments before the remainder of the slate is identified so that the Nominating Committee can factor those appointments into their deliberations in building the slate.

In selecting the president, the committee considered input and guidance from a variety of sources: the committee’s own discussion, phone interviews with the candidates, an evaluation of each candidate against the board-approved attributes for the office, the association’s own strategy and direction, and the guiding principles and expectations for the position, also approved by the board. The guiding principles, approved by the board in November 2010, are designed to help the committee choose among equally qualified options and ensure that fresh viewpoints are brought to bear on board matters. As such, they provide guidance on length of term, rotation, and geographic and demographic representation.

The remainder of the slate—the international vice presidents—will be selected by the Nominating Committee in first quarter 2012 and will be announced to the membership by mid-April 2012. If no additional candidates arise from the membership (by petition), the slate is declared elected by acclamation and those individuals will be installed at the Annual Meeting of the Membership, to be held on 24 June 2012 in San Francisco, California, USA (in conjunction with the World Congress).

Grocholski will also serve as president of the IT Governance Institute.


Five Things You Can Do to Increase the Security of Your Mobile Device

  1. Enable device password and associated data wiping. Enabling a device password on your mobile device helps to ensure that unauthorized users cannot gain access without your knowledge or consent. Avoid easily guessable dates, patterns or passphrases. It is also recommended that you enable the data wipe capabilities that are often available on modern mobile devices. These capabilities erase the data on the device after a selected number of bad password attempts, which limits an adversary’s success with brute-force or password-guessing attacks to that small number of tries.
  2. Enable device auto-lock functionality for shorter windows of time. The auto-lock features available on many mobile devices require the password to be reentered after a period of inactivity or when triggered by a user action (e.g., closing the cover on a tablet), similar to the way screen savers work on traditional computers. This security feature is most effective when its activation time is set to the shortest practical period of inactivity. This time should be no more than 10 minutes, and shorter if possible. This reduces the window of opportunity during which an attacker has unrestricted device access if the device is out of your control.
  3. Enable device encryption capabilities. Data encryption is a useful control for securing data at rest and data in motion, if implemented properly. Many mobile devices can enable data encryption with little impact on the user experience: a one-time cost for the initial enciphering of data at rest and limited network overhead for data in transit. Encryption limits an attacker’s ability to obtain usable data from the device’s storage without the encryption key material, and it also prevents the attacker from easily capturing sensitive data (such as usernames and passwords) over the airwaves during network data transmissions.
  4. Regularly create encrypted and password-protected backups of your mobile device. Mobile devices often contain large amounts of critical data and applications because users rely on them for everyday computing. It is important to create and maintain encrypted backups of these devices on a regular basis to ensure resiliency if a device ever malfunctions, is lost or is replaced. Cloud-based mobile device backup solutions can be an attractive option because they typically provide geographic separation between the device and the backup. Regardless of the physical location of the backup, it should be encrypted and password-protected when possible. This is especially important for cloud-based offsite backup solutions, in which the user has limited visibility into and control over how the data are stored and accessed. If the backup is encrypted and password-protected, the confidentiality and integrity of the data are far more likely to be maintained, even when the data are out of the direct control of the user.
  5. Use the same risk-aware and security-conscious web-browsing techniques on your mobile device. Web browsers on mobile devices can be exploited and used to enable attacks just as easily as those on dedicated computers. Mobile devices often contain sensitive information and are used to access secure environments, which makes them an attractive target for motivated and capable adversaries. Risk-aware and security-conscious web-browsing behaviors should be employed universally, regardless of the technology platform being used.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
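The first recommendation above combines two controls: a passcode that is not drawn from a guessable set, and a wipe after a fixed number of failed attempts. The following Python snippet is an added example (not part of the newsletter or of IP Architects’ material) that puts numbers on how the two interact. It assumes an attacker gets at most N distinct guesses before the device wipes, and that a passcode chosen uniformly from a space of S values is found with probability at most N/S; the passcode-space sizes in PASSCODE_SPACES (for example, 366 calendar days for a date-style PIN) are illustrative assumptions, not figures from the article.

```python
"""Bound on passcode-guessing success under a wipe-after-N-failures policy.

Added example, not from the @ISACA newsletter. Model assumptions:
  * the device wipes after `attempts_before_wipe` consecutive bad attempts,
    so the attacker gets at most that many distinct guesses;
  * a passcode drawn uniformly from a space of `space_size` values is hit
    with probability at most attempts / space_size.
"""
from fractions import Fraction

# Constructed passcode spaces (assumed sizes, for illustration only).
PASSCODE_SPACES = {
    "pin4_random": 10 ** 4,          # any 4-digit PIN, chosen at random
    "pin6_random": 10 ** 6,          # any 6-digit PIN, chosen at random
    "pin4_mmdd_date": 366,           # assumption: MMDD of any calendar day
    "pin6_ddmmyy_date": 366 * 100,   # assumption: DDMMYY with a 2-digit year
    "alnum8_random": 62 ** 8,        # 8 chars from [A-Za-z0-9]
}


def guess_success_bound(space_size: int, attempts_before_wipe: int) -> Fraction:
    """Upper bound on the attacker's success probability before the wipe.

    Exact rational arithmetic so that small probabilities are not lost to
    floating-point rounding; capped at 1 when the space is smaller than
    the attempt budget.
    """
    if space_size <= 0 or attempts_before_wipe < 0:
        raise ValueError("space size must be positive, attempts non-negative")
    return min(Fraction(1), Fraction(attempts_before_wipe, space_size))


def required_space_size(attempts_before_wipe: int, one_in: int) -> int:
    """Smallest passcode space keeping success at or below 1 in `one_in`.

    Rearranges attempts / space <= 1 / one_in; integer arithmetic only.
    """
    if attempts_before_wipe <= 0 or one_in <= 0:
        raise ValueError("attempts and one_in must be positive")
    return attempts_before_wipe * one_in


def compare_policies(attempts_before_wipe: int) -> dict[str, Fraction]:
    """Success bound for every constructed passcode space at one wipe threshold."""
    return {
        name: guess_success_bound(size, attempts_before_wipe)
        for name, size in PASSCODE_SPACES.items()
    }


if __name__ == "__main__":
    wipe_after = 10
    for name, bound in compare_policies(wipe_after).items():
        print(f"{name:18s} success <= {float(bound):.6%}")
    # How large must the passcode space be to keep success <= 1 in 100,000?
    print("space needed:", required_space_size(wipe_after, 100_000))
```

Run stand-alone, the script shows that with a wipe after 10 attempts a random 4-digit PIN bounds the attacker at 0.1%, while a date-style 4-digit PIN (366 possibilities) gives the same attacker a roughly 2.7% chance, which is why the article pairs the wipe threshold with the advice to avoid guessable dates and patterns.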


Help Shape Your Profession, Volunteer With ISACA

The 2012-2013 Invitation to Participate application period will be coming to a close on 16 February 2012. Now is the time to apply and help shape your profession by serving as an ISACA volunteer. Volunteering provides you with an opportunity to collaborate with peers around the world, ensuring successful certification programs, insightful research and guidance, comprehensive and timely education programs, and representative professional standards.

The selection of volunteers is based on the resources needed in support of ISACA’s strategy and the responsibilities of its volunteer bodies, the relevant professional background of the candidates, and ISACA’s desire to reflect a global perspective. All appointments are for a one-year term and are ratified by the Board of Directors.

To apply to be an ISACA volunteer, visit the Volunteering page of the ISACA web site. From this page, you can access the 2012-2013 Invitation to Participate brochure (sent to all members in volume 6 of the ISACA Journal) and the online application. In addition to the application, applicants must provide a résumé/curriculum vitae, which may be submitted upon completion of the online application.


Membership Renewals Due 15 January 2012!

Thank you for your commitment to the growing global field of IT and information systems audit, security, risk and control through your membership and participation with ISACA. As 2011 comes to a close, we want to ensure that you continue receiving the many benefits we currently offer and will be offering in 2012.

As a professional membership association, ISACA’s greatest resource is our members—and, as a member of ISACA, your greatest resource is the knowledge, networking and professional development opportunities that we offer you. Renew your membership before the 15 January deadline and ensure that you will continue receiving your member benefits:

  • ISACA membership and certification programs are accepted and recognized on a global scale. ISACA members receive discounts off ISACA exam registration rates, study materials and study sessions. Once you pass the exam and become certified, ISACA membership gives you a discount on the certification maintenance fee and offers you the opportunity to earn more than 70 free continuing professional education (CPE) credits each year.
  • ISACA members have access to exclusive information and materials. Through the Knowledge Center, ISACA members can access the latest research deliverables; explore nearly all ISACA/ITGI-published books and more than 425 third-party books at no cost in the ISACA eLibrary; and be the first to use COBIT 5, set for release in early 2012.
  • ISACA membership provides opportunities to network and promote yourself in the field. Become a topic leader and exchange ideas through online topic communities, discussions and document sharing. Attend global, local and online events where you can meet with other professionals, make connections and earn CPEs. Post your résumé/curriculum vitae at no charge on the ISACA Career Centre and search career opportunities in your town or around the world.

Ensure that your member benefits continue throughout 2012—renew today.


Participate Now in NIST Cybersecurity Survey

US industries spend billions of dollars each year securing their IT assets. Despite this investment, organizations still suffer significant economic losses from cybersecurity incidents. The possibility of catastrophic attacks on utilities or financial systems is a concern for governments and organizations worldwide.

The National Institute of Standards and Technology (NIST) commissioned RTI International (RTI), a not-for-profit research institute, to conduct an economic analysis of the cybersecurity technology infrastructure needs of US industries. The objective of the study is to identify which gaps in the cybersecurity technology infrastructure impose the largest costs on the US economy and to quantify those costs. While the primary focus of the research is on US industries, international responses are encouraged and will be reported in the survey results.

To participate in the study, you will need to be able to estimate the percent of your IT budget that was allocated to IT security activities in 2010, how many IT security staff were employed in your organization, and the number of security incidents and breaches that your organization experienced. Specific budget and incident information is not required. No individual organization information will be reported in the survey.

As an ISACA member, you are encouraged to take part in this short, 15-minute survey this month. ISACA has contributed to other NIST research projects and is supporting this important research, offering our members an opportunity to participate in the survey.

Those participating in the survey will help both the public and private sectors identify inadequacies in the technology-based cybersecurity infrastructure and quantify the economic benefits of improvements in these areas. Survey results will be used to estimate the economic impact of specific improvements to the cybersecurity infrastructure. Survey results will be made public by NIST at the conclusion of the project.

Those who participate in the survey will be entered into a raffle to win one of 10 Apple iPad 2s. Winners will be notified by RTI via e-mail or telephone in January 2012.

