@ISACA Volume 11: 23 May 2012 

@ISACA Relevant, Timely News

ISACA On-site Training Now Presents Customized Training at Your Location

ISACA has expanded its resources to provide ISACA On-site Training globally. Enterprises now have the option to receive On-site Training in any location worldwide.

Group training offers a flexible, unified training experience. It allows all participants to obtain the desired skills and knowledge and provides them with the ability to immediately apply what they learn on the job.

Courses are offered either off-the-shelf or tailored to meet specific business objectives. ISACA has a dedicated team to assist your enterprise in the development and delivery of a customized training program. For additional information, contact onsitetraining@isaca.org.


Internal Audit’s Role in Cloud Computing

Cloud computing has transformed the way businesses approach the consumption and delivery of IT services.

There are numerous risk factors that must be managed to ensure the availability of a public, private, hybrid or community cloud solution. But if the key risk to the business is understood and planned for from the outset, it can be managed.

Internal audit is well positioned through its role as an assurance function of the organization to help management and the board identify and consider the key risk of leveraging cloud computing technology. Internal audit also can help the business determine whether this risk is being appropriately mitigated.

Internal audit may be able to assist management in this process by helping to address the following questions:

  • What is the business risk for moving to the cloud?
  • Would this decision align with the business needs?
  • Do we understand the current state of systems and data to be moved to the cloud?
  • Who will manage the vendor relationship?
  • How are assets protected?
  • How is responsibility divided?
  • How will moving to the cloud impact disaster recovery (DR) planning?
  • How does the vendor manage multiple tenants?
  • How would this change the technology environment?
  • Where is data physically stored?
  • How do the company’s risk and controls align with the prospective vendor’s?

Once due-diligence activities are completed, and a cloud service provider that aligns with the company’s strategy, objectives and control framework has been selected, internal audit may shift to evaluating the implementation process. Internal audit can be integral in determining whether the level of planning was adequate to reduce project risk, while also providing independent feedback about the migration process.

Once your company integrates the planned systems and data into a cloud environment, internal audit may evaluate whether the defined owner is adequately monitoring and controlling the vendor relationship.

Cloud computing will continue to transform the way organizations manage IT—increasing efficiencies while reducing costs—but there is risk. Proactively identifying and understanding relevant risk before signing a contract and committing to a cloud hosting implementation is essential for success and for ensuring both data security and adherence to compliance demands.

Organizations should establish processes to routinely reevaluate and monitor risk once the business is working in the cloud.

Access the full white paper on the KnowledgeLeader web site.

Editor’s Note: © 2012 Protiviti Inc. All rights reserved. This content was reprinted with permission from Protiviti’s Knowledge Leader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service. Free trials are available.


Trust Is Key—Tips From a Security Expert
Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, Shares His Experiences

As a security consultant you are expected to provide expert advice. You should be well informed and able to offer viable solutions. In return, you gain your client’s trust and the satisfaction that he or she will probably accept and implement your ideas.

“Information security consulting and security management are challenging just like any other kind of management,” according to Sanjiv Agarwala. Achieving the Certified Information Security Manager (CISM) certification “provided me with more insights into information security management, principles and standards that are generally used in most scenarios and are not limited to any industry in particular,” he continued.

In Agarwala’s experience a trustworthy information security consultant has to step up to the plate and give the clients clear solutions to their specific problems. When Agarwala decided to become an information security consultant, he discovered that “if you are helping your clients to become high-performance businesses and generate growth, you have to be able to explain to them in detail what they need and assist them to understand the big picture.”

Acquiring more knowledge and principles in information security management “has been of great help in my current consulting firm, as my clients value my credentials and feel more confident working with us,” Agarwala says about his consulting firm’s efforts to help its clients dissipate their doubts and achieve their specific goals.

Nothing has been more thrilling to Agarwala than to see a client trusting his advice and working with his consulting team. The trust received from clients is a final indicator that the consultation has helped them to navigate in the right direction and when it occurs, Agarwala finds that “it certainly comes with many rewards and satisfactions.”


New Virtual Desktop Resource Available

ISACA has issued the Virtualized Desktop Infrastructure (VDI) white paper, which discusses a new phase of virtualization that allows for simpler provision of new desktops and applications and reduces downtime in the event of a desktop hardware failure. This white paper focuses on risk, governance and assurance considerations for VDI.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Book Review: Securing the Clicks: Network Security in the Age of Social Media
Reviewed by Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS

Just 10 years ago the Internet was a place where a few people generated content and decided what stayed and what was deleted. Now, after the rapid evolution of Web 2.0, users develop and update content on the Internet without limitation. That is, the Internet has gone from a few controlled participants to innumerable participants who are empowered and able to convene and mobilize through social networks and other forms of online expression.

According to a recent Strategy+Business article,1 generation C, a group that stays connected, is content-centered and is highly oriented toward digital communities, is on the rise. Given that this generation is beginning to join the workforce, it is all the more necessary to begin the risk analysis required for the use of digital social media in a business context.

Securing the Clicks: Network Security in the Age of Social Media, by Gary Bahadur, Jason Inasi and Alex de Carvalho, presents a practical methodology for evaluating the social media risk that arises from the use of social networks, so that enterprises become aware of the impact and of the practices required to mitigate their exposure to this risk. This approach details a matrix based on the acronym HUMOR: human resources, utilization of resources, monetary spending, operations management and reputation management.

Following the HUMOR analysis matrix, the authors break the book into five parts: assessing social media security; assessing social media threats; operations, policies and processes; monitoring and reporting; and social media 3.0.

This book, comprising 18 chapters and an appendix, describes its model using a fictitious company called JAG Consumer Electronics, which establishes the conditions and actions that companies must consider to understand and review their exposure to the reality of social networks and other digital media.

The publication is particularly useful and recommended for professionals in information security, IT governance, IT audit and IT management in general, as a basic body of knowledge on security in social networks. Additionally, the book offers a set of practices and lessons learned for corporate executives to understand the use of digital social media as a natural element of 21st century corporations.

Finally, if you are not yet convinced that we live in times of information overload, instantaneous interactions and online relationships, this book recognizes generation C and the reality of empowerment of individuals who are creating a new world through web content.

Securing the Clicks: Network Security in the Age of Social Media is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Colombia. He has been a practitioner and researcher in information and computer security and in computer forensics for more than 15 years in different industries. Cano holds the COBIT Foundation Certificate and is a member of the ISACA Publications Subcommittee.

1 Friedrich, Roman; Michael Peterson; Alex Koster; “The Rise of Generation C: How to Prepare for the Connected Generation’s Transformation of the Consumer and Business Landscape,” Strategy+Business, Booz & Company Inc., iss. 62, Spring 2011, www.strategy-business.com/article/11110
