@ISACA Volume 10: 12 May 2010 

@ISACA Relevant, Timely News

Election of 2010-2011 ISACA Officers

According to section 9.01.g, if the Nominating Committee makes only one nomination for each office and no further nominations (by petition) are received from members (by 120 days before election), the Nominating Committee’s slate is declared elected by acclamation.

The following members have been elected by acclamation to the 2010-2011 ISACA Board of Directors:
  • Emil D’Angelo, CISA, CISM, International President
  • Hitoshi Ota, CISA, CISM, CGEIT, CIA, Vice President
  • Jose Angel Pena, CGEIT, Vice President
  • Christos Dimitriadis, CISA, CISM, Vice President
  • Rolf von Roessing, CISA, CISM, CGEIT, Vice President
  • Robert Stroud, CGEIT, Vice President
  • Kenneth Vander Wal, CISA, CPA, Vice President
  • Ria Lucas, CISA, CGEIT, Vice President
  • Everett C. Johnson Jr., CPA, Past International President
  • Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, Past International President

All members are encouraged to attend the Annual Meeting on Monday, 7 June 2010, at the JW Marriott Cancun Resort & Spa in Cancun, Mexico, where the Board of Directors will be officially installed.

In addition to the board installation, the agenda for the meeting will include the 2009-2010 international president’s annual report, the treasurer’s report, ratification of significant board actions from the 2009-2010 administrative year and comments from the 2010-2011 international president.


Tips on Maintaining an Effective Information Security Management Framework
By Tara Kissoon, CISA, CISSP

  1. Establish corporate information security policies, standards and procedures:
    • Assign ownership at a senior management level.
    • Manage the approval and exception process.
  2. Define the organization security structure:
    • Assign information security roles and responsibilities.
    • Manage third-party access and outsourced security services.
  3. Implement human resources security:
    • Conduct employee due diligence prior to and during employment.
  4. Implement asset and data management controls to include:
    • Data classification
    • Asset categorization
    • Allocation of data owners/custodians
  5. Implement a baseline security plan to include:
    • Physical and environmental security
    • Communications and operations security
    • System access controls
    • System development and maintenance
    • Business continuity
    • IT and security staff
  6. Conduct formal security awareness and training to include:
    • New employee orientation
    • Ongoing awareness through newsletters, staff meetings and small group sessions
  7. Implement and manage information security incidents to include:
    • Reporting requirements
    • Detection, response and escalation procedures
    • Protection of evidence and chain of custody
  8. Monitor compliance:
    • Ensure compliance with legal requirements and corporate policies.
    • Conduct audits of information systems.

Tara Kissoon, CISA, CISSP, is a business leader at Visa Inc. Her expertise is focused on developing and implementing information security and risk management controls across global payment systems.


COBIT® 5 to Consolidate and Integrate COBIT, Val IT and Risk IT

COBIT® 5 will be a major strategic improvement, providing the next generation of ISACA’s guidance on the enterprise governance of IT. Building on the more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, security and assurance communities, COBIT 5 will be designed to meet the current needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management techniques.

COBIT 5 will consolidate and integrate the COBIT® 4.1, Val IT™ 2.0 and Risk IT: Based on COBIT® frameworks and also draw significantly from the Business Model for Information Security™ (BMIS™) and the Information Technology Assurance Framework™ (ITAF™).

COBIT® 5 Design Paper Exposure Draft was posted for feedback through 12 April. The primary objective was to obtain comments regarding the assumption of requirements, the proposed strategic approach and the high-level design. Thank you to all those constituents who submitted comments. All feedback received will be considered by the development team.

The exposure draft describes the proposed development of the next version, outlines the proposed approach, and includes a high-level description of the main development objectives and improvements, as well as a short description of the background and assumptions regarding stakeholder requirements. While comments are no longer being accepted, click here to access the exposure draft to learn more about the plans for COBIT 5.

Periodic updates about the progress of the COBIT update project will be posted on the COBIT home page. When development has been completed, COBIT 5 will be posted for exposure and constituents will again be provided with an opportunity to influence the content of the final product.


Whether Starting Out or Established, Certifications Help Careers
Debbie Lew, CISA, CRISC, Senior Manager, Advisory Services, Ernst & Young LLP, Shares Her Experience As a CRISC

Debbie Lew pursued ISACA® certifications to demonstrate her knowledge and experience in specific areas of IT. “These certifications are recognized by my profession and my clients,” she explained. “They benefit you whether you are starting out in your career or established and changing directions. They are also a great way to validate strengths that you have in certain domains and to determine if there are areas that you need to refresh.”

Lew has experience in a variety of careers. She started out as a dance therapist with a degree in fine arts, and then went back to school to study computer science, majoring in electronic data processing (EDP) auditing. Besides working in auditing/governance, she has worked in business process reengineering, strategic planning, project management and market development for a forensics/enterprise investigations technology company. “I have learned that skills are transferable and it is important to be agile and continually re-create and redefine yourself,” Lew said.

Lew has found that having a certification can support someone who is just starting out or someone who is interested in a career change. “It can be a common denominator when having career discussions, and, in some cases, a certification can qualify you for promotion,” she said. “I am currently an IT risk transformation champion for the west region for Ernst & Young, and the Certified in Risk and Information Systems Control™ (CRISC™, pronounced see-risk) certification is a good fit for this role. The clients who I work with also have these certifications; therefore, the domains, tasks and knowledge areas provide a common language when discussing IS risk and controls.”

For those thinking about pursuing the CRISC credential, Lew urges, “Go for it! Whether starting out or established in your career, ISACA certifications are recognized globally and will credential you as having the baseline knowledge and experience.” Click here to learn more about the CRISC designation.

Upon graduation, Lew cautions that the skills that were developed to be successful as a student may not be the same skills needed to be successful in a career. She advises recent graduates, “Understand what skills are required and the success criteria for your chosen career, including certification. Networking is also key to finding opportunities. Attending events and volunteering for a professional organization will help you develop a network, provide you with opportunities to develop leadership skills and allow prospective employers to get to know you as a volunteer. I also have great mentoring/coaching relationships with past international presidents. I have made many friends globally and had career opportunities opened to me as a result of my involvement with ISACA—including my current position at Ernst & Young.”

Lew continued, “I am living proof that the statement, ‘I can’t do that’ should not be in your vocabulary; it should be, ‘I haven’t done that yet...’ For example, I really enjoy coaching/mentoring and training. If I was not in my current career, I might like to be an executive coach.”

Debbie Lew, CISA, CRISC, is on the CRISC Task Force. She has been a member of ISACA’s COBIT Steering Committee, the Audit Committee, the Membership Board, the Education Committee and various conference committees. She is a past president of the ISACA Los Angeles Chapter, which is the founding chapter of ISACA.


Knowledge Center to Be Valuable Resource on New Web Site

A feature of the new ISACA® web site, the Knowledge Center, is a single location where you can obtain a holistic view into all ISACA resources, including publications, ISACA® Journal articles and events, as well as external links and news around a specific topic. In addition, you will have the capability to network with other users through discussions, posting documents and sharing links within communities located in the Knowledge Center.

The new ISACA web site is scheduled to launch later this month. Please keep an eye on the web site to begin using these new advancements.


2009 IT Internal Audit Capabilities and Needs Survey

IT internal auditors continue to emerge as integral parts of an organization’s internal audit plan and ongoing activities. Like others in the internal audit profession, IT internal auditors must be innovative thinkers, ready to meet challenges. They must explore new technologies, identify and help to mitigate emerging risks, and develop creative solutions to business and technology challenges. It is important that they encourage their organizations to embrace best practices that can enhance all business and IT functions.

In order to achieve these objectives, IT audit professionals must demonstrate a strong level of competency in key knowledge areas. To gauge how these professionals perceive their present capabilities, Protiviti recently conducted a survey of IT internal auditors. They were asked to answer questions focused on general technical knowledge, IT audit process knowledge and personal skills and capabilities. This survey was adapted from Protiviti’s 2009 Internal Audit Capabilities and Needs Survey and captured more than 200 responses.

Participants’ responses underscore the areas of competency they believe require the most improvement and reveal how they prioritize those needs. The findings show that automated and continuous monitoring, security and privacy, and fraud identification and prevention are top priorities for auditors. The survey results are consistent with the results of the recent Internal Audit Capabilities and Needs Survey.

Click here to access the full article on the KnowledgeLeader web site.

Editor’s Note: © 2010 Protiviti Inc. All rights reserved. This article was reprinted with permission from Protiviti’s KnowledgeLeader. KnowledgeLeader is a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.

