@ISACA Volume 11: 21 May 2014 

@ISACA Relevant, Timely News

ISACA 2014-2015 Board Elected by Acclamation

The following slate, selected by the ISACA Nominating Committee to serve as the Board of Directors for 2014-2015, was published in @ISACA, volume 8, issued on 9 April 2014:

  • Robert Stroud, CGEIT, CRISC, international president
  • James Ambrosini, CISA, CRISC, CFE, CISSP, CRMA, international vice president
  • Steven Babb, CGEIT, CRISC, ITIL, international vice president
  • Garry Barnes, CISA, CISM, CGEIT, CRISC, international vice president
  • Rob Clyde, CISM, international vice president
  • Ramses Gallego, CISM, CGEIT, CISSP, SCPM, Six Sigma Black Belt, international vice president
  • Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA, international vice president
  • Vittal Raj, CISA, CISM, CGEIT, CRISC, CIA, CISSP, CFE, FCA, international vice president
  • Greg Grocholski, CISA, past international president
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, past international president

Per Article IX, Section 9.01.g of the ISACA bylaws, if no additional nominations are received by petition from the membership, the slate selected by the Nominating Committee is considered elected by acclamation. No additional nominations have been received; therefore, this slate is elected. The 2014-2015 Board of Directors will be installed at the Annual Meeting of the Membership on 13 June 2014 in Chicago, Illinois, USA.


Internal Audit Priorities for 2014
By Dan Swanson

Internal audit departments should evaluate their organizations’ efforts in specific areas and provide their opinions and recommendations to management and the board. These areas include:

  1. The top 3-5 most significant business initiatives—Internal audit should assess the critical business initiatives that the organization is implementing as part of its long-term strategic plan.
  2. The enterprise risk management (ERM) program—Risk management is key to achieving cost-effective operations over the long term. For most organizations, the risk of fraud needs to be closely monitored and regularly evaluated.
  3. The business continuity program (BCP) and the disaster recovery (DR) program—Operational resiliency is becoming an overarching organizational priority, and auditing BCP and DR efforts will help ensure that the organization is better prepared for the inevitable business interruptions.
  4. The information security and privacy program efforts—Protection of an organization’s assets is a critical activity; for some organizations, it is the most critical activity. Most security work is ultimately about protecting data that must be kept private, yet the privacy program itself has rarely been audited thoroughly enough.
  5. The overall governance regime—Internal auditing provides assurances to management and the board regarding an organization’s governance, risk management and controls processes. Internal audit should provide an opinion regarding the overall governance regime.
  6. The compliance and ethics program efforts—Depending on the internal audit department’s past efforts, audits of compliance and ethics programs should either drill down into specific areas or be high level to provide the board and senior management an overview of improvement priorities.
  7. Records management—An audit of the records management program will assist in determining what opportunities for improvement exist. Having a policy and not following it poses additional, significant risk.
  8. The quality of the enterprise’s information for decision making—The quality of the organization’s information will directly affect organizational results and, therefore, should be assessed regularly both by management and internal audit. It is likely that information management will become more critical every year.
  9. The IT function’s efforts to meet business needs—Evaluating the IT function’s efforts to meet business needs is a core audit requirement. Effectiveness, efficiency and customer service are the 3 main criteria used to assess the IT function.
  10. Board and executive management service requests (consulting and assurance projects)—This audit activity is an important catchall to assist with the specific or unique needs of the organization. These special audit projects should be of significant value to the organization, and they should not distract from the delivery of the overall audit commitment.
  11. Process management, including continuous process improvement—This audit priority is focused on encouraging and confirming that there is an organizational process-improvement program in place. If the organization has not established an organizational program to improve its performance on a sustainable basis, it is at risk.
  12. The internal audit quality assurance and improvement program—Internal audit should assess its performance and identify key improvement opportunities. The board and management need to know that internal audit meets audit standards and applies best practices to its own work.

Read the full article on the KnowledgeLeader web site.

Editor’s Note: © 2014 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Strategy 2022: Expanding ISACA’s Breadth and Depth

In November 2011, the ISACA Board of Directors approved an extension to the strategy adopted in 2009. This extension—called Strategy 2022 (S22)—was designed to “take ISACA to a new level” by expanding the breadth and depth of the audiences it serves.

The first-in-focus initiatives under S22 address 4 key areas—cybersecurity, emerging trends, privacy and COBIT growth—and a volunteer body was assigned to each area to develop recommended activities. In addition to these 4 areas, volunteer groups were assembled to study the supporting enablers, such as career management and academia, and an Assurance Task Force was added to the mix to ensure that the association continues to provide value to its core members.

In the cybersecurity area, certificate and certification programs are in development, as are new knowledge products. ISACA is especially proud to be a cosponsor, with the International Council of E-Commerce Consultants (EC-Council), of the CyberLympics competition, which will occur in conjunction with the European Computer Audit, Control and Security and Information Security and Risk Management Conference (Euro CACS/ISRM) in Barcelona, Spain, in September 2014. And in April 2014, ISACA introduced a new brand—Cybersecurity Nexus (CSX)—under which all cybersecurity activity will be positioned.

In the emerging trends area, the Emerging Business and Technology Committee has created a rigorous structure for gathering and validating trends and will begin issuing periodic update reports. The trend reports, which are expected to be of special interest to enterprises, will also serve as the basis for white papers, articles and other knowledge products.

In the privacy initiative, 3 knowledge products are planned for 2014 and relationships are being actively and productively pursued.

Many activities are planned to address COBIT market growth, but primary among them will be the newly revised COBIT online, which will include COBIT-related news, case studies and articles; enable browsing through COBIT publications using a variety of lenses; and allow the user to develop a customized version of COBIT for his or her own enterprise. The full release is expected in the third quarter of 2014.

While much progress has been made, much more remains to be accomplished. ISACA is grateful to the many volunteers whose work on task forces, subcommittees, committees and boards has been integral to moving S22 forward.


ISACA Congratulates CSO40 Award Winners

CSO Magazine recently issued the second annual CSO40 Awards recognizing 40 security projects that delivered outstanding business value. ISACA congratulates the following ISACA members who were involved in leadership roles on these projects for their award-winning work:

  • Joachim Bohnert, CISA, CISM, CRISC, head of global information security at Roche Diagnostics, recognized for its security awareness campaign: “SEC_RITY, it’s not complete without U!”
  • Devon Bryan, CISA, CISSP, vice president of global trust assurance for ADP Client Security, recognized for its client security and privacy advisory board
  • Tonya Byers, CISM, CRISC, PMP, director of information security at Blue Cross Blue Shield (BCBS) of Michigan, recognized for its vendor risk management program
  • Mario Chiock, CISA, CISM, CISSP, chief information security officer at Schlumberger, recognized for its data-centric security initiative
  • Robert Dalrymple, CISA, CISSP, manager of information security at Children’s Healthcare of Atlanta, recognized for its mobile device policy implementation
  • Stoddard Manikin, CISM, CISSP, director of information security at Children’s Healthcare of Atlanta, recognized for its mobile device policy implementation
  • Audrey Mydosh, CISA, CGEIT, CRISC, director of IT risk and security at MetLife, recognized for its integration of business risk into IT risk assessment processes
  • Emma Smith, CISA, chief information security officer at Royal Bank of Scotland, recognized for its data loss prevention (DLP) global web and email monitoring program
  • Damon Stokes, CISA, CISM, manager of governance and risk at BCBS of Michigan, recognized for its vendor risk management program
  • Paul Tucker, CISA, CISSP, information security manager at Williams Energy, recognized for its replacement of Williams’ 9-year-old custom identity- and access-management application

If you have recently won an award, let us know! Contact news@isaca.org with details.


Quoting Posts in Knowledge Center Discussions

Members of ISACA’s Knowledge Center can now quote a previous post in a discussion when writing their own. This new feature is particularly useful when a discussion has many posts and you would like to address a statement that is not the most recent one.

To quote a post, click on the speech bubble image in the post you wish to quote:

[Screenshot: click on the speech bubble image]

The page will then reload with a message verifying that the quote will be included:

[Screenshot: the page reloads with a confirmation message]

The quote will appear at the beginning of your post. Your message will appear below the quote:

[Screenshot: the quote appears at the beginning of your post]

Quoting can also provide a reminder of the discussion topic, especially in alerts.

Join other IT professionals in the Knowledge Center to discuss a variety of industry-related topics. The Knowledge Center gives you the chance to network and collaborate with others, share your experiences, and participate in discussions. It does not matter if the discussion is 1 day old or 1 year old; there is always an opportunity to add your voice to a conversation.


Achieve Professional Goals and Derive Value With ISACA Membership

Being a member of ISACA gives you the tools you need to expand your knowledge and advance your career. Whether you are a member who downloads white papers, a member who attends almost every chapter meeting, or a member who actively posts in the Knowledge Center, your ISACA membership is customizable to your needs.

For those of you who are avid learners, ISACA produces research that can help you avoid big data blunders, increase asset protection, respond to cyberattacks and more. COBIT 5, the only business framework for the governance and management of enterprise IT (GEIT), can help you achieve operational excellence through reliable, efficient application of technology.

For those of you who joined ISACA for networking opportunities, your ISACA membership helps you learn more by connecting you with other professionals in your field. The ISACA Knowledge Center is a meeting place for IT professionals to exchange experiences and expertise, build new relationships through collaboration, and lead discussions on various topics that relate to their everyday tasks.

“While access to extensive knowledge in the areas of risk, security, governance and audit had been my key driver at the time of joining, I discovered how powerful an international network of outstanding people has helped me achieve professional goals and derive value for my career,” explains Kaushal Kumar Sharma, CISA, CISM, CGEIT, CRISC.

For those of you who joined for the certification program, your ISACA membership supports you throughout your career. If you are taking the exam in June, your membership provides you with a discount on the exam and review materials. The eLibrary may have additional study materials for the upcoming exam. After you pass the exam, apply for certification and are certified, your ISACA membership provides you with more than enough free CPE hours to meet your annual and 3-year requirements. You also receive the member rate for the certification maintenance fee.

Your ISACA membership will continue to help you fill knowledge and experience gaps throughout your career. Questions about your membership? Contact membership@isaca.org.


CGEIT: Helping the IT Professional Reach the Corporate Strategy Level
Andre Regazzini, CISA, CISM, CGEIT, COBIT Foundation, CSO, MCP, MCTS, Partner/Corporate and IT Governance Consultant at IPLC do Brasil Ltda, Shares His Experience as a CGEIT

When he was asked to create a presentation about security, IT and corporate metric trends, Andre Regazzini knew he had to turn to Certified in the Governance of Enterprise IT (CGEIT) resources. “I started using CGEIT concepts, and they really helped me to better understand and show my clients and company coworkers, in a very structured way, how each decision and action executed in IT, or in any other company subject, could be traced and related to an impact in business results and/or in business performance.”

Having the CGEIT certification provided Regazzini with myriad opportunities. In December 2013, he was invited to speak about governance controls at an international security conference. He believes that being knowledgeable about IT governance is what helped him become a partner at his company. “CGEIT concepts and the CGEIT roles and responsibilities have opened my IT management mind to an upper level. CGEIT certification brought me to the corporate strategy level with an IT and business view together.”

But as time passed, Regazzini began seeing his CGEIT certification affect much more than his career. “I started to have a better view of why I do the things I do,” he says. “Things that did not make sense to the objectives I had for life, after applying CGEIT main concepts to it, I decided to cut, change or replace, using the governance change management process that CGEIT certification uses to make changes in company culture, company architecture and company resources.”

Regazzini, who conducts Certified Information Systems Auditor (CISA) and CGEIT certification training courses, says that his involvement with ISACA has also enabled him to meet like-minded professionals. “Most of my CGEIT students are young professionals looking for ways of changing their companies and/or their areas, and after the course we became friends, with some of them telling me how the CGEIT way of doing things changed their way of thinking.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: ITIL Foundation Essentials
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL

It is very difficult—if not impossible—to roll back and make IT optional. The capabilities of IT enable us to live how we live and do business today. As a result, the modern world has become dependent on IT. Businesses, organizations, governments, research institutes, military and individuals cannot imagine a world without IT.

IT must be run as a critical part of a business, like a purchasing or sales department. As a consequence, IT is to be considered and managed as an essential service to the business. Because of this approach, it is important to have useful guidelines, standards and ways to determine achievements and areas for improvement.

This need for a concept and structure was recognized and a framework was developed with the Information Technology Infrastructure Library (ITIL). Still, ITIL is complex and requires much study for a novice who wants to get an ITIL overview or for an experienced IT manager who would like to prepare for the ITIL exam. Claire Agutter’s ITIL Foundation Essentials focuses on ITIL’s key concepts and summarizes the facts, which are important for understanding the framework’s core values and guidelines. This book can be used as a refresher before introducing ITIL to an organization or as a study guide when preparing for the ITIL Foundation exam.

The book was published in 2012 and follows the 2011 ITIL core volumes. The content is well structured in 16 chapters and the book contains useful graphics and summarizing tables. The final chapter contains a reference to sample exams, which can be useful for readers interested in taking the foundation exam.

At just 148 pages, this book delivers a comprehensive overview of ITIL. The subjects covered include services, management skills and training, the ITIL qualification scheme, the foundation exam, and IT governance resources.

Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, is president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA publishing committee for 3 years, has authored several book reviews for the ISACA Journal and is co-author of SAP Security and Risk Management.

ITIL Foundation Essentials is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.
