@ISACA Volume 11: 22 May 2013 

@ISACA Relevant, Timely News

Versatility With ISACA Mobile Web Site

ISACA’s mobile web site is available. The new user-friendly mobile web site designed specifically for mobile devices (such as the iPhone and Android smartphones) provides easy access to ISACA’s valuable content, research and knowledge—anytime, anywhere. The mobile web site offers maximum content, usability and flexibility. At the push of a button you can access the Knowledge Center, ISACA Journal, COBIT, Bookstore, MyISACA, hosted chapter sites, and the membership, education and certification sections on your mobile device.

The mobile web site does not require the user to install any additional software and is accessible via iPhone and Android mobile device browsers. Incorporating all the content, research and knowledge from the full main web site, this mobile version is automatically detected by your iPhone and Android smartphones. To access ISACA’s mobile web site, simply enter www.isaca.org into the browser on your iPhone or Android smartphone.


Take the COBIT 5 Foundation Course and Exam Through an Accredited Training Partner

Members who are looking to take the COBIT 5 Foundation course and exam have several options available. The COBIT 5 Foundation course and exam can be taken through ISACA or via an accredited training organization (ATO), as part of an accredited training course.

Only ATOs or their affiliates can offer COBIT 5 courses and exams. The full list of COBIT 5 ATOs can be found on the APMG-International Accrediting Professionals web site or on the COBIT 5 Training & Accreditation page of the ISACA web site. More than 200 organizations and individual trainers have started the accreditation process to be COBIT trainers.

For self-study, candidates outside of the US can take the exam through one of APMG’s public exam centers and US candidates can contact examinations@apmg-us.com to arrange to sit for the exam. To speed up the process, provide your name, address, contact telephone number and email address in your correspondence to APMG.

Visit the COBIT 5 Training & Accreditation page for more information.


ISACA On-Site Training Can Be Customized to Your Needs

The ISACA On-Site Training program is a flexible and cost-effective solution that allows you to train the maximum number of employees at minimal expense to your organization. ISACA On-Site Training is ideal if you have a group of people, would like to customize the content or need a consistent message delivered to a global team.

ISACA has several course offerings in IT audit, security, risk, assurance and governance. Training can consist of one course or incorporate topics spanning multiple courses. Each course can be delivered as a standard off-the-shelf offering or customized by eliminating or adding to selected content.

You work directly with a dedicated On-Site Training representative to select the right courses and topics to align with your specific business needs. In addition, the On-Site Training team facilitates program development and works with your trainer and curriculum development team to ensure that the training is on target and focused on your goals.

As a participant, you and your colleagues benefit from a consistent, unified learning experience and have the opportunity to learn with real-world examples delivered by highly skilled trainers.

On-Site Training trainers are dedicated professionals who hold multiple industry certifications. Currently practicing in their related fields, they bring their unique, real-world experience to the courses. Each trainer delivers proven strategies, techniques and best practices to the classroom.

For more information about the ISACA On-Site Training program, visit the On-Site Training page of the ISACA web site or email onsitetraining@isaca.org.


Applying Data Mining and Analytics to Efficiently Audit Vendors and Contractors

Each year, companies spend billions of dollars to start, operate and maintain their businesses using outside vendors and contractors. Of this spending, it is estimated that hundreds of millions are paid out for erroneous or duplicative charges or for services outside the original contract. To prevent such massive waste and seek cost recoveries, auditors need to learn to apply more data analytics techniques—what we might call “data mining” for auditors.

Applying Data Analytics to Labor Charges
A multitude of data analytics can be performed on labor charges to validate their accuracy. Ideally, you need to have on hand 4 data sets in electronic format (preferably as a spreadsheet or from a database management system) from each vendor or contractor to attain the widest range of analysis:

  1. The original contract including the list of personnel staffed and their individual job classification, labor rate and burden
  2. All invoices showing what was billed to the company during the contract period
  3. The vendor’s job cost data, indicating their incurred costs for the project
  4. The payroll files indicating the names of each worker and the amount paid to them, including fringe benefits.

Armed with these data, you can perform a variety of comparative queries among the 4 sets of data to confirm the validity of every payment.

Applying Data Analytics to Equipment
Equipment is another major area where auditors can benefit from running extensive data analytics. To validate these charges, you need to have an electronic list of:

  • All equipment used
  • Each equipment identification number
  • Whether the equipment was purchased or rented
  • How it was charged to the company (hourly, daily, weekly or monthly) and at what rate
  • If there was an operator associated with it
  • How long the equipment was used
  • Whether it was located onsite or offsite
  • Whether the equipment consumed fuel and how much

Armed with this information, auditors can perform insightful comparative queries to verify a wide range of equipment charges. At the simplest level, data analytics can confirm if the equipment was billed at the correct contract rate and if all equipment billed was actually used on the job site for the amount of time billed by the contractor.
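
The comparative queries described in the labor and equipment sections above, written out as an added example; this is not code from the Protiviti white paper. All records and field names are constructed for illustration (one billing week, three contract workers, three equipment units), and the billable-rate convention of base rate times (1 + burden) is an assumption. The labor checks join the contract, invoice, job-cost and payroll sets; the equipment checks join the invoice against the contract schedule and an on-site usage record.

```python
from collections import Counter, defaultdict

# Data set 1: contract staffing list (constructed). Billable rate is assumed
# to be base rate * (1 + burden); a real contract states this explicitly.
CONTRACT_LABOR = {
    "A. Mason": {"class": "Foreman",     "rate": 50.00, "burden": 0.30},  # 65.00/h
    "B. Ortiz": {"class": "Electrician", "rate": 40.00, "burden": 0.30},  # 52.00/h
    "C. Diaz":  {"class": "Laborer",     "rate": 20.00, "burden": 0.30},  # 26.00/h
}
# Contract equipment schedule (constructed): unit -> billing basis and rate.
CONTRACT_EQUIPMENT = {"EX-101": {"basis": "daily", "rate": 850.00},
                      "GN-202": {"basis": "daily", "rate": 120.00}}

# Data set 2: invoice lines (constructed). Two lines for C. Diaz in the same
# week, B. Ortiz billed above contract rate and above payroll hours, and a
# worker (D. Kim) who is not on the contract at all.
LABOR_INVOICES = [
    {"inv": "INV-1001", "period": "2013-W18", "name": "A. Mason", "hours": 40, "rate": 65.00},
    {"inv": "INV-1001", "period": "2013-W18", "name": "B. Ortiz", "hours": 44, "rate": 58.00},
    {"inv": "INV-1001", "period": "2013-W18", "name": "C. Diaz",  "hours": 40, "rate": 26.00},
    {"inv": "INV-1002", "period": "2013-W18", "name": "C. Diaz",  "hours": 40, "rate": 26.00},
    {"inv": "INV-1001", "period": "2013-W18", "name": "D. Kim",   "hours": 40, "rate": 45.00},
]
EQUIPMENT_INVOICES = [
    {"inv": "INV-1001", "unit": "EX-101", "days": 7, "rate": 850.00},   # 7 billed, 5 on site
    {"inv": "INV-1001", "unit": "GN-202", "days": 5, "rate": 150.00},   # contract rate is 120
    {"inv": "INV-1001", "unit": "CR-303", "days": 2, "rate": 2000.00},  # not on the schedule
]
# Data set 3: vendor job cost, hours the vendor recorded to this job (constructed).
JOB_COST = {("2013-W18", "A. Mason"): 40, ("2013-W18", "B. Ortiz"): 40, ("2013-W18", "C. Diaz"): 40}
# Data set 4: payroll, hours actually paid to each worker (constructed).
PAYROLL = {("2013-W18", "A. Mason"): 40, ("2013-W18", "B. Ortiz"): 40, ("2013-W18", "C. Diaz"): 40}
# On-site days per unit, e.g. from gate logs or telematics (constructed).
EQUIPMENT_USAGE = {"EX-101": 5, "GN-202": 5}


def billable_rate(entry):
    return round(entry["rate"] * (1 + entry["burden"]), 2)


def finding(check, who, period, amount):
    return {"check": check, "who": who, "period": period, "amount": round(amount, 2)}


def audit_labor(invoices, contract, job_cost, payroll):
    """Cross-check invoice lines against the contract, payroll and job-cost sets.
    'amount' is the estimated overcharge for that finding (0.0 when the excess
    is already priced by another finding on the same worker/period)."""
    findings = []
    billed_hours = defaultdict(float)
    lines_per_key = Counter()
    for ln in invoices:
        key = (ln["period"], ln["name"])
        billed_hours[key] += ln["hours"]
        lines_per_key[key] += 1
        c = contract.get(ln["name"])
        if c is None:  # billed worker never appears in the contract staffing list
            findings.append(finding("NOT_ON_CONTRACT", ln["name"], ln["period"], ln["hours"] * ln["rate"]))
            continue
        expected = billable_rate(c)
        if abs(ln["rate"] - expected) > 0.005:  # billed rate differs from contract rate
            findings.append(finding("RATE_MISMATCH", ln["name"], ln["period"], (ln["rate"] - expected) * ln["hours"]))
    for (period, name), hours in billed_hours.items():
        c = contract.get(name)
        if c is None:
            continue
        rate = billable_rate(c)
        if lines_per_key[(period, name)] > 1:  # same worker/period on more than one line
            findings.append(finding("DUPLICATE_LINES", name, period, 0.0))
        paid = payroll.get((period, name), 0)
        if hours > paid:  # billed more hours than the worker was paid for
            findings.append(finding("HOURS_EXCEED_PAYROLL", name, period, (hours - paid) * rate))
        if hours > job_cost.get((period, name), 0):  # billed more than the vendor costed to the job
            findings.append(finding("HOURS_EXCEED_JOB_COST", name, period, 0.0))
    return findings


def audit_equipment(invoices, contract, usage):
    """Check each equipment line for contract rate, presence on the schedule,
    and billed time against the on-site usage record."""
    findings = []
    for ln in invoices:
        c = contract.get(ln["unit"])
        if c is None:
            findings.append(finding("NOT_ON_CONTRACT", ln["unit"], ln["inv"], ln["days"] * ln["rate"]))
            continue
        if abs(ln["rate"] - c["rate"]) > 0.005:
            findings.append(finding("RATE_MISMATCH", ln["unit"], ln["inv"], (ln["rate"] - c["rate"]) * ln["days"]))
        onsite = usage.get(ln["unit"], 0)
        if ln["days"] > onsite:
            findings.append(finding("TIME_EXCEEDS_USAGE", ln["unit"], ln["inv"], (ln["days"] - onsite) * c["rate"]))
    return findings


def total_recovery(findings):
    return round(sum(f["amount"] for f in findings), 2)


if __name__ == "__main__":
    for f in audit_labor(LABOR_INVOICES, CONTRACT_LABOR, JOB_COST, PAYROLL):
        print(f)
    for f in audit_equipment(EQUIPMENT_INVOICES, CONTRACT_EQUIPMENT, EQUIPMENT_USAGE):
        print(f)
```

On the constructed data the labor checks price the Ortiz rate overage and hour overage separately (so the two sum to the true overcharge rather than double counting), flag the duplicated Diaz week once for hours and once as a duplicate, and flag the unlisted worker for the full amount billed. The job-cost comparison is reported without an amount because the same excess hours are already priced by the payroll comparison; in a real review the two sets tell you different things (payroll says the hours were never paid, job cost says the vendor never attributed them to this job).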

Challenges of Data Analytics
The biggest challenge in learning to do comprehensive data analytics is arranging in advance to get all the raw data against which you can run comprehensive queries. Without the 4 data sets discussed here, auditors are limited in their ability to match up data to validate accuracy and root out errors and mistakes. This means that it is vital to work with vendors and contractors to obtain their job costs, labor burdens, invoices and payroll data in electronic formats.

Access the full white paper on the KnowledgeLeader web site.

Editor’s Note: © 2013 Protiviti Inc. All rights reserved. The white paper was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


4 Tips for Malware Detection
By Leighton Johnson, CISA, CISM, CIFI, CISSP

Malware infection has become one of the major areas for incident response within the past several years. Various industry reports and surveys have projected that the proliferation of malware has reached epidemic proportions with some reports citing more than 1 million infections per month. Identifying machines and hosts that are infected by malware is part of every malware incident response. While often complicated by the dynamic nature of computing, here are some tips for identifying infected machines:

  1. Begin by utilizing the automated security tools already available within the computing environment. Security information and event management (SIEM) systems correlate security events reported by many different sources. These tools often offer a robust mechanism to identify systems, host machines and network devices that could be infected with malware.
  2. Review logs from network devices or systems that are not fed into the monitoring tools. These logs can come from applications within the environment, Domain Name System (DNS) servers or network devices. They record the traffic patterns and protocol actions that are consistent with certain malware activities, such as repeated lookups of algorithmically generated domain names or connections at fixed intervals.
  3. Develop effective custom intrusion detection system (IDS)/intrusion prevention system (IPS) signatures that identify infected hosts. Some organizations have separate IPS or IDS sensors with strong signature-writing capabilities, which can be dedicated to identifying malware infections. This provides a high-quality source of information while keeping other sensors from becoming overloaded with malware alerts.
  4. Use protocol analyzers and packet sniffers. Configuring protocol analyzers and packet sniffers to look only for network traffic matching the characteristics of a particular malware threat can be effective at identifying infected hosts, for example the command-and-control (C2) traffic of a botnet over a particular port or service. These packet examination techniques are most helpful if most or all malware-generated network traffic passes through the same network device or a small number of devices.
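
As an added example of tip 2 (not code from the article or its author), the following script runs three simple checks over a DNS query log: a lookup against a threat-intelligence blocklist, a test for algorithmically generated (DGA-like) domain labels based on label length and Shannon entropy, and a beaconing test that looks for one client querying one name at nearly constant intervals. The log lines, the blocklist entry, the `.example` domains and all thresholds are constructed or assumed for illustration; the registered-domain extraction is deliberately naive (last two labels) and a real tool would use a public-suffix list.

```python
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log: "<timestamp> <client IP> <queried name>".
# 10.0.0.12 is a normal host, 10.0.0.45 beacons to a random-looking name,
# 10.0.0.77 resolves a name on the (hypothetical) blocklist.
DNS_LOG = """\
2013-05-20T10:00:00 10.0.0.12 www.isaca.org
2013-05-20T10:00:05 10.0.0.12 mail.example.com
2013-05-20T10:00:40 10.0.0.12 mail.example.com
2013-05-20T10:03:10 10.0.0.12 mail.example.com
2013-05-20T10:09:00 10.0.0.12 mail.example.com
2013-05-20T10:01:00 10.0.0.12 www.knowledgeleader.com
2013-05-20T10:00:00 10.0.0.45 xk3j9qz7vb2m.info
2013-05-20T10:05:00 10.0.0.45 xk3j9qz7vb2m.info
2013-05-20T10:10:00 10.0.0.45 xk3j9qz7vb2m.info
2013-05-20T10:15:00 10.0.0.45 xk3j9qz7vb2m.info
2013-05-20T10:02:13 10.0.0.77 update.badc2domain.example
"""

# Hypothetical blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"badc2domain.example"}

# Thresholds are assumptions chosen for the sample; tune them on your own data.
DGA_MIN_LEN = 10        # short labels give too little signal for entropy
DGA_MIN_ENTROPY = 3.5   # bits per character of the second-level label
BEACON_MIN_QUERIES = 4  # need at least three intervals to judge regularity
BEACON_MAX_CV = 0.1     # coefficient of variation of the intervals

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse(log_text):
    """Parse log lines into (datetime, client, qname); skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    # Naive: last two labels. Use a public-suffix list in real code.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Long, high-entropy second-level label: typical of DGA output."""
    label = registered_domain(qname).split(".")[0]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def is_beaconing(timestamps):
    """True when the gaps between queries are nearly constant (low CV)."""
    if len(timestamps) < BEACON_MIN_QUERIES:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= BEACON_MAX_CV


def suspected_hosts(log_text):
    """Map client IP -> sorted list of reasons it is suspected of infection."""
    findings = defaultdict(set)
    per_pair = defaultdict(list)
    for ts, client, qname in parse(log_text):
        per_pair[(client, qname)].append(ts)
        if registered_domain(qname) in BLOCKLIST:
            findings[client].add("blocklist:" + qname)
        if looks_generated(qname):
            findings[client].add("dga-like:" + qname)
    for (client, qname), stamps in per_pair.items():
        if is_beaconing(stamps):
            findings[client].add("beacon:" + qname)
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in suspected_hosts(DNS_LOG).items():
        print(host, reasons)
```

Each check on its own produces false positives (content-delivery hostnames can look random; a mail client polls on a timer), which is why the script reports reasons per host rather than a verdict: a host that both beacons and resolves a DGA-like name is a much stronger lead than either signal alone, and the blocklist hit is the only one that should page someone without further review.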

These techniques can be highly accurate for malware detection and identification. However, they require constant updating and review as the threat environment is constantly changing, the malware development process is dynamic and the data are gathered over a period of time.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


Harmony at Work and in Life With Risk Management
Bronislovas Balvocius, CISA, CRISC, OCP, PMP, Lithuania Chapter, Shares His Experience as a CRISC

Bronislovas Balvocius believes that life and work should be in harmony with each other. “I like to be balanced within my professional development goals and these goals are also part of my personal goals. Being CRISC-certified plays an important role and a big part in my continuous development.”

Balvocius decided to pursue the Certified in Risk and Information Systems Control (CRISC) certification because of his work experience in IT risk management and his experiences as deputy director of internal audit at AB Ukio Bankas. “Attaining CRISC has helped me to see and understand the emerging change in risk management. Being CRISC-certified has helped me to understand these tools to manage IT risk at the operational level.”

In addition, Balvocius has found that people recognize the CRISC certification and when such skills are needed at his company, he gets a knock on the door.

“I think that many internal auditors face big challenges in understanding IT risk and recommending implementation of rational controls. The CRISC certification and ISACA’s professional community have helped me face these challenges.”

Balvocius is also grateful that he pursued the CRISC certification so that he could provide professional development support to IT risk professionals. “It is absolutely clear that my professional life has led me to seek out and pursue new avenues that I would not otherwise try. I understand now that giving back to the profession is as important as my self-development. Teaching, giving speeches and writing blogs about the IT profession help to develop others—and help me to develop, too.”

To learn more about CRISC and other ISACA certifications, visit the Certification page of the ISACA web site.


Read More Articles in Our Archives