@ISACA Volume 11: 25 May 2011 

@ISACA Relevant, Timely News

Election of 2011-2012 ISACA Officers

According to section 9.01.g of the ISACA® bylaws, if the Nominating Committee makes only one nomination for each office and no further nominations (by petition) are received from members (by 120 days before election), the Nominating Committee’s slate is declared elected by acclamation.

The following members have been elected by acclamation to the 2011-2012 ISACA Board of Directors:

Kenneth Vander Wal, CISA, CPA International President
Christos Dimitriadis, Ph.D., CISA, CISM Vice President
Greg Grocholski, CISA Vice President
Tony Hayes, CGEIT Vice President
Niraj Kapasi, CISA Vice President
Jeff Spivey Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT Vice President
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA Past International President
Emil D’Angelo, CISA, CISM Past International President

All members are encouraged to attend the Annual Meeting of the Membership on Sunday, 26 June 2011, from 8:00–8:45 a.m. EDT (UTC/GMT -4 hours) at the Gaylord National Hotel and Convention Center, near Washington DC, USA, during the World Congress, where the Board of Directors will be officially installed. This meeting also will be broadcast live, available on the World Congress page of the ISACA web site.

In addition to the board installation, the agenda for the meeting will include the 2010-2011 annual report, the treasurer’s report, ratification of significant board actions from the 2010-2011 administrative year and comments from the 2011-2012 international president.


Tips for Managing Intentional Risk
By Victor Chapela

Intentional risk is present when someone, such as an employee, supplier, hacker, competitor or foreign government, stands to profit from gaining access to information or functionality. Here are tips for managing intentional risk:

  1. Intentional risk differs from opportunistic risk in that it is directed to a specific type of data or to a particular functionality. Opportunistic risk is not directed toward a specific goal. As a result, it can be mitigated by the sum of all efforts, by increasing our external wall’s height, so to speak. Whereas intentional risk requires a focused approach, our worst effort defines our security stance—the weakest link analogy applies to intentional risk. Consequently, it requires us to enclose our valuable information within a digital equivalent of a monitored safe box. It demands a comprehensive security approach. This could be summarized as treating opportunistic risk by raising your fence and intentional risk by isolating your valuable information in a safe box.
  2. Intentional risk is better prioritized by considering the external threat. This threat can be evaluated by taking into consideration three independent risk vectors that increase intentional risk:
    • Access—The easier it is for the attacker to access valuable information or functionality through any type of vulnerability, the higher the risk will be.
    • Value—The higher the value of the information (because of the data’s intrinsic value or because of the aggregated value of many individual pieces of data), the higher the risk.
    • Anonymity—Higher anonymity translates into reducing the risk of negative consequences for the attacker and, therefore, also increases intentional risk.
  3. To manage intentional risk, each vector mentioned has a set of controls that effectively reduce and mitigate this type of risk:
    • Access can be reduced by filtering, isolating, authenticating and authorizing. This is generally attained by implementing well-understood security controls that range from firewalls and antivirus to access controls and data-leak-prevention technologies.
    • Value is reduced by dissociating, separating and obfuscating information, as well as by limiting exposure. Subtracting value or reducing the end benefit to the attacker will also discourage potential abuse, therefore reducing risk.
    • Anonymity can, in turn, be reduced with authentication, logging and monitoring. Better authentication and increased accountability set the right incentives in place and work as a deterrent.
  4. In most cases, mitigating two vectors out of three should be more than enough to efficiently and effectively mitigate intentional risk. Work should be focused on mitigating the highest risk vector first, and if this were not possible, the other two dimensions should be mitigated simultaneously.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services. He is a frequent speaker at ISACA conferences around the world and is currently coauthoring a book on the evolution of risk, titled RiskVolution, in conjunction with Santiago Moral.


CRISC Demonstrates Real-world IT Controls and Risk Experience
Shawna M. Flanders, CISA, CISM, CRISC, CSSGB, Shares Her Experiences As a CRISC

Shawna M. FlandersShawna Flanders is a productivity specialist for PSCU Financial Services. Having completed Kaplan University's Risk Management Certificate program in 2009, she wanted to pursue a certification in risk that was more technology-specific than others offered in the marketplace.

“I strongly believe in certification as a means to validate one’s skill set,” Flanders said. “I have been fortunate to work for organizations that strongly encourage certification and reward those who make the effort to achieve them. I have been selected for multiple positions and projects due, at least in part, to my various certifications.”

She found ISACA’s Certified in Risk and Information Systems Control™ (CRISC™) to be the perfect fit for her goal of earning a technology-focused risk certification. “I would strongly encourage anyone with adequate, real-world IT controls and risk experience to consider the CRISC certification,” said Flanders. “Becoming certified provides an additional level of assurance that you have the necessary skills and experience, and personally, it provides an additional sense of belonging to a select group of professionals with common interests.”

Right now, candidates who can provide evidence of at least 8 years of IT or business experience can apply for the CRISC certification under the grandfathering program until 30 June 2011. The program requirements and application are on the CRISC page of the ISACA web site.

For those looking to enter the risk/control field, Flanders also advises, “Governmental and other regulatory agencies are placing greater emphasis on risk management and effective controls. In the future, it will be critical that leaders fully understand what risks their organizations face and how to build controls.

“If your goal is to make risk/control your profession, make sure you choose a college that offers a degree (with an emphasis) in enterprise risk management. If your institution does not offer such a program, strongly consider taking an online certificate program in enterprise risk management,” she suggested.

To continue her education, Flanders makes efforts to remain involved with ISACA and takes advantage of the benefits and many opportunities available. “I have been able to leverage my passions for participating in publication development and reviews including ISACA’s Risk IT:  Based on COBIT® and CRISC and through public speaking/teaching by mentoring candidates preparing for their Certified Information Security Manager® (CISM®) exams. And, I am looking forward to doing the same for future CRISC candidates,” she explained.

For more information on CRISC and other ISACA certifications, visit the Certifications page of the ISACA web site.


“Search by Country” Now on ISACA’s Career Centre

Job seekers who want to relocate internationally or find a new job within their own country can now access a new feature on ISACA’s Career Centre. Job seekers can visit the Career Centre page on the ISACA web site, click on Search Jobs, then on Worldwide Search by Country, and select one of 54 countries for which they want to view job openings. The jobs posted by ISACA members will appear first, followed by jobs posted through the worldwide job aggregator, Indeed.com. Job seekers willing to relocate can also post their résumés for employers to search.

The ISACA® Career Centre is a valuable source for IT audit and information security professionals to find job listings and employers to find job seekers. In addition to geographic location, jobs are listed by certification, experience level and other factors. Members can post résumés/CVs and receive e-mails when new jobs are posted. A new career advice section is also available.

Visit the Career Centre frequently to see updated listings.


Book Review:  IT Project Management:  On Track From Start to Finish, 3rd Edition
Reviewed by Davide Vazzari, CISA, CCSA, CFE, CIA

When I first read the title of IT Project Management: On Track from Start to Finish, 3rd Edition, I was quite skeptical and was not sure my expectations would be met. The topic of the book is so extensive that it has been difficult to find publications that cover comprehensively and effectively all the aspects that this title entails.

Not only did the author, Joseph Phillips, achieve this objective, but he managed to present an enjoyable read as well.

As the title suggests, the publication serves as a guide for IT project management, from the initiation phase through project completion. The author’s experience in this field is extensive. The roles and responsibilities of project management are thoroughly explained and effectively broken down into smaller and more specific tasks, making the book even more understandable. In addition, there is a glossary providing a quick reference for industry terms.

Along with sound technical content, the publication considers the context in which the project management methodologies are applied, namely organizations and their business needs. Professionals and managers who deal daily with the complexity of a working environment will greatly appreciate this approach. With regard to this, the “From the Field” feature of each chapter, which consists of an interview with a real project manager answering questions related to the content covered in the respective chapter, reinforces the theoretical explanation provided in the chapter.

The author does not ignore aspects of communication and psychology (e.g., the motivation within a team), which are well integrated together with the other technicalities. This ability to include useful soft-skill elements, which are a day-to-day challenge in the real world, distinguishes the book from other similar publications.

The book includes a CD containing the electronic version of the book, handy worksheets and project files, and a training session for the CompTIA exam.

This volume is relevant to everyone working in the field of project management, and it may also be of interest to anyone who is expected to manage any type of project as part of their job responsibilities.

IT Project Management: On Track From Start to Finish, 3rd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA® Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Davide Vazzari, CISA, CCSA, CFE, CIA, is an internal auditor at ADM, a US company operating in agricultural sector.



Read More Articles in Our Archives