@ISACA Volume 10: 11 May 2011 

@ISACA Relevant, Timely News

New Event Features Innovative Ways to Learn and Network
Register Today for ISACA’s World Congress: INSIGHTS 2011

ISACA’s new event—World Congress: INSIGHTS 2011—will feature an exciting and innovative format that engages attendees in discussions with business and technology leaders, instead of traditional lectures and one-way presentations. A team of fighter pilots known as Afterburner will share experiences on how to flawlessly execute on business plans, and in-depth interviews with sought-after C-level executives will provide the insights you need to effectively integrate business and technology.

Held 27-29 June in the Washington DC, USA, area, World Congress: INSIGHTS 2011 features a dynamic program that will deliver learning in a completely new way. Closing speaker Bob Treadway is a highly respected futurist and strategy advisor who can help attendees understand that what is happening around the world now is setting the stage for future areas of growth. His insights and examples will help attendees and their enterprises anticipate and prepare for new developments and changes in the future.

Another unique facet of the event is the Hub, a meeting room that has been transformed into a nontraditional learning environment and hub of activity, including live news networks, Twitter feeds and the latest info from all areas of the conference.

In addition, ISACA’s Annual Meeting of the Membership will be held 26 June 2011, in conjunction with World Congress: INSIGHTS 2011. This is a great opportunity to interact with past and newly elected board members and attend the installation of the 2011-2012 ISACA international president and vice presidents.

Full details on World Congress are available on the Conferences page of the ISACA® web site. Register soon to secure your place at this unique new event, and share details of it with business and IT colleagues.


Tips to Manage the Risks From Mobile Devices
By Lisa Young, CISA, CISM

Mobile devices are changing the business landscape. Deployment of mobile devices can present a significant amount of risk to the overall enterprise security posture. Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability.

Deploying mobile devices cannot be addressed solely as a technical activity, as they affect the organizational information flow and the business processes of the enterprise from many perspectives. Some special considerations that organizations should bear in mind when considering deployment of mobile devices include:

  • Policy—Does a security policy exist for mobile devices? Does it include rules for appropriate physical and logical handling? The enterprise should have a policy addressing mobile device use and specifying the type of information and kind of devices and information services that may be accessible through the devices. The policy should also cover devices that are owned by the organization as well as devices that are owned by staff, contractors or other external entities.
  • Network access control—How do you know if the mobile device meets the appropriate software standards before allowing access to the network? If the device is an organization-owned device, there should be regular updates to the antivirus software, or other protection, before allowing a connection to the organizational network, to prevent the propagation of malware. Verify that data synchronization of mobile devices is not set to receive access to shared files or network drives that contain data that are prohibited for mobile use by the policy.
  • Encryption—Verify that any sensitive information is properly secured while in transit or at rest.
  • Secure transmission—Determine whether mobile device users are connecting to the enterprise network via a secure connection. Virtual private network (VPN), Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) can offer some protection.
  • Device and information management—Is there an asset management process in place for tracking mobile devices? This asset management program should detail procedures for lost and stolen devices as well as procedures for employees who have been terminated or have resigned from the enterprise. If the device is owned by a staff member, contractor or other external entity, the organization should provide procedures for protecting the information to which it is allowed access.
  • Awareness training—As a part of a regular awareness program, make clear the importance of securing mobile devices physically and logically. The awareness and training should also make clear the types of information that can and cannot be stored on such devices.
  • Risk—Mobile devices have the capability to store large amounts of data and present a high risk of data leakage and loss. As such, mobile device policies should be created and enforced to ensure that information assets are not exposed. At the time of the writing of this article, there were no publicly available standards specific to mobile device management; however, frameworks such as COBIT® and Risk IT: Based on COBIT® can provide a strong foundation for mobile device management.
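The considerations above can be turned into an automated posture check that runs before a mobile device is admitted to the network. The following Python is an added example, not code from the article or from ISACA: it evaluates one device record against the asset-management, antivirus-currency, encryption-at-rest, secure-transmission and synchronization rules the list describes and returns an allow/deny decision with the reasons. The policy thresholds, share names and device records are constructed for illustration.

```python
"""Posture check for a mobile device requesting enterprise network access.

Added example (not from the ISACA article). Policy values, share names and
device records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# Constructed policy values (assumptions, not stated in the article).
MAX_SIGNATURE_AGE_DAYS = 7                       # antivirus signatures must be at most this old
ALLOWED_TRANSPORTS = {"vpn", "ipsec", "ssl"}     # the article's secure-transmission options
RESTRICTED_SHARES = {r"\\fileserver\hr", r"\\fileserver\finance"}  # prohibited for mobile sync


@dataclass
class Device:
    asset_id: str                  # entry in the asset register, or "" if unregistered
    owner: str                     # "enterprise" or "personal"
    av_signature_date: date        # date of the last protection-software update
    storage_encrypted: bool        # encryption at rest
    transport: str                 # how the device reaches the enterprise network
    synced_shares: List[str] = field(default_factory=list)
    reported_lost: bool = False
    user_active: bool = True       # False once the assigned user has left the enterprise


def evaluate(device: Device, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, findings). Any finding denies network access."""
    findings: List[str] = []

    # Device and information management: the device must be tracked, and
    # lost/stolen devices or departed users must not retain access.
    if not device.asset_id:
        findings.append("device not in asset register")
    if device.reported_lost:
        findings.append("device reported lost or stolen")
    if not device.user_active:
        findings.append("assigned user no longer active")

    # Network access control: protection software must be current.
    age_days = (today - device.av_signature_date).days
    if age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"antivirus signatures {age_days} days old")

    # Encryption: sensitive data at rest must be protected.
    if not device.storage_encrypted:
        findings.append("storage not encrypted")

    # Secure transmission: only the approved transports are acceptable.
    if device.transport.lower() not in ALLOWED_TRANSPORTS:
        findings.append(f"insecure transport '{device.transport}'")

    # Synchronization must not reach shares the policy prohibits for mobile use.
    for share in device.synced_shares:
        if share in RESTRICTED_SHARES:
            findings.append(f"sync configured for restricted share {share}")

    return (not findings, findings)


def compliant_device() -> Device:
    """Constructed sample: an enterprise-owned device that passes every check."""
    return Device("ASSET-0001", "enterprise", date(2011, 5, 8), True, "VPN")


def noncompliant_device() -> Device:
    """Constructed sample: a personal, unregistered device that fails several checks."""
    return Device("", "personal", date(2011, 4, 1), False, "http",
                  synced_shares=[r"\\fileserver\hr"])


if __name__ == "__main__":
    today = date(2011, 5, 11)
    for dev in (compliant_device(), noncompliant_device()):
        allowed, findings = evaluate(dev, today)
        print("ALLOW" if allowed else "DENY", findings)
```

The check is deliberately fail-closed: a device is admitted only when no finding is raised, and the returned findings give the help desk or the asset owner the concrete reason to remediate (update signatures, enable encryption, remove a prohibited sync share) before retrying.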

To find additional resources related to mobile devices, visit the Securing Mobile Devices page of the ISACA web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.


CRISC Grandfathering Program Deadline Nears

There is still time left to apply for ISACA’s newest certification, Certified in Risk and Information Systems Control™ (CRISC™) under the CRISC Grandfathering Program, as the deadline has been extended to 30 June 2011. More than 10,000 grandfathering applications have been received to date. This strong demand signifies the value employers place on this certification, as some are now recommending or requiring attainment of a CRISC certification for specific job positions.

CRISC is designed to recognize experienced professionals who are responsible for:

  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • Information systems control design and implementation
  • Information systems control monitoring and maintenance

Once the CRISC grandfathering period ends 30 June 2011, obtaining the CRISC certification will require passage of the CRISC exam. Do not miss out on this important opportunity—apply today. For more information and qualifying criteria, visit the CRISC Grandfathering page of the ISACA web site.


Free Webinar Features Guidance on Anti-Money Laundering

Join the Association of Certified Anti-Money Laundering Specialists (ACAMS), The Institute of Internal Auditors (The IIA) and ISACA® on 24 May for a complimentary members-only webinar on anti-money laundering. The webinar, titled “Connecting the Compliance Dots: The Role of Audit, Anti-Money-Laundering (AML) and the Business Unit,” will be held from 12:00 p.m. to 1:30 p.m. EDT (UTC/GMT -4 hours). Attendees can earn 1.5 continuing professional education (CPE) credits.

Participants will learn:
  • The critical connection points among audit, IT, the business and AML
  • How legally mandated independent testing is crucial to the entire AML program
  • The importance of proper communication protocol among departments to ensure that any deficiencies are addressed
  • The newest trends in corruption and international sanctions, and how to correctly address them

Maintaining open and candid lines of communications among anti-money laundering, audit and business unit team members is crucial to the overall vitality of the institution’s compliance program. If auditors and compliance do not work in cooperation, enforcement actions could arise from inadequate or improper audits. The webinar will help attendees understand the roles and responsibilities of each group, which can lead to greater efficiency gains for the institution; create an environment for a marriage that can thrive; and reduce the risk of unwanted and unnecessary negative attention from regulators.

The webinar will feature a panel discussion moderated by John Byrne, CAMS, executive vice president of ACAMS. Panelists include:
  • Peter Fitzgerald, principal, forensic and dispute services, AML consulting, Deloitte Financial Advisory Services LLP
  • Jack Sonnenschein, vice president of enterprise compliance risk management, American Express
  • Christopher Westerman, CISA, MBCS CITP, director of IT audit for the Americas, Bank of Tokyo-Mitsubishi

Visit the eLearning page of the ISACA web site to register.


Volume 3 Content Now in the ISACA Journal App

The recently launched ISACA Journal App now includes the content from volume 3. The app is available now for member-only access in the Apple App Store. Visit the Apple App Store today from your iPhone, iTouch or iPad and search “ISACA Journal” to download the free app.

In addition to content from the ISACA® Journal, the app also includes weekly updates from the ISACA Journal Author Blog and ISACA Now blog.

With the ISACA Journal App, you’ll be able to:
  • Download available issues and access them offline at any time
  • Read topical industry-related content on the go
  • Read and search archived issues (beginning with volume 2, 2011) for the information you need as you need it
  • Read articles in magazine-page or text formats
  • Bookmark and share articles
  • Keep up on the latest news from ISACA.org
  • Access the latest blogs from ISACA.org
  • Download the app completely free

This same functionality will soon be available on the Droid as well. Please watch for the ISACA Journal Droid app later this year.


New ISACA Research Available on Sustainability

ISACA® has added a Sustainability white paper to its library of research deliverables. ISACA white papers provide guidance on current topics that are top-of-mind in the IT arena. This and other white papers are available as complimentary PDFs on the White Papers page of the ISACA web site.

As IT energy needs increase, it has become evident that enterprises need to consider how they will continue to increase their technology use while considering environmental limitations. This white paper provides an understanding of the ramifications of current and future IT energy consumption and the questions that should be asked to ensure sustainability in the future. It provides practical guidance for those with IT management interests as well as audit and governance professionals looking to provide assurance or determine future requirements.

Learn more about the ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.


The Value of a PMO in Delivering Strategic Initiatives
By Tom Andreesen, John Folk, Nick Kula and Andrew Smith

Organizations tend to overlook critical planning, organizational and process requirements when pursuing technology initiatives or other strategic programs. Such initiatives can be extraordinarily complex, involving interrelated projects that need to be well planned and executed as an integrated program. Many organizations assume that by establishing a program management office (PMO) to oversee an initiative, they can ensure that the project will be completed on time, on budget and to the satisfaction of all stakeholders. However, by failing to consider the requirements for operating a PMO successfully or identifying individuals with the appropriate skill sets and experience to manage it, the PMO is unlikely to be effective in helping the organization achieve the desired outcome.

A PMO needs to do much more than aggregate and report status. Pain around strategic initiatives typically develops due to lack of a shared vision, inability to articulate direction, lack of alignment as to what the true vision is or all of the above. Also, the scope, and ultimately the business value, may not be defined clearly and may prove difficult to manage effectively as other challenges and priorities emerge.

A PMO is responsible for the centralized control of a group of projects essential to the success of an initiative. The PMO’s leadership defines, plans, implements and integrates a master project plan for these streams of work, identifying all interdependencies as well as critical risks and issues related to the project. The PMO also ensures that processes and tools are in place for keeping project-related communication accessible and up to date.

With an effective and well-organized PMO, organizations are better positioned to achieve project objectives, reduce risk, realize cost savings and avoid budget overruns. They can also identify opportunities to more quickly improve efficiency and communication among project groups, and ultimately can help to facilitate learning and knowledge transfer throughout the organization. And, just as important, a successfully run PMO can instill in management the confidence to undertake other important strategic initiatives that may otherwise be viewed as risky due to time and resource constraints.

Without question, a well-planned and organized PMO can drive key initiatives to successful completion, on time and within budget, without overly taxing organizational resources. PMOs that are effective in procuring, mobilizing and ramping up project resources to full productivity can get out of the gate fast and increase their likelihood for success.

Access the full article on the KnowledgeLeader web site.

Editor’s Note: © 2011 Protiviti Inc. All rights reserved. This article was reprinted with permission from Protiviti’s KnowledgeLeader. KnowledgeLeader is a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA® members receive a discount on an annual subscription to the service.
