@ISACA Volume 12: 4 June 2014 

@ISACA Relevant, Timely News

Participate in CyberLympics With World Finals Hosted by ISACA

ISACA has partnered with the EC-Council Foundation to host the final round of the Global CyberLympics at the 2014 European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) Conference on 29 September in Barcelona, Spain. Register now through 31 July to participate in the Global CyberLympics, a cybersecurity competition in which teams from around the world compete in an ethical hacking cybergame.

Participating teams will compete in 4 rounds including computer forensics, computer network defense, penetration testing and capture the flag. To qualify for the final round, teams must successfully complete each prior round. The top teams from around the world will compete in the final rounds at EuroCACS/ISRM. The first, second and third place teams will receive trophies, medals and cash awards. The awards ceremony will take place on 30 September.

ISACA International President Tony Hayes says, “Among the many cybersecurity activities ISACA has planned for this year, we are excited to host the CyberLympics World Finals at EuroCACS/ISRM in September. Skilled cybersecurity professionals are a critical need today and we look forward to welcoming these talented individuals to our conference in Barcelona.”

Visit the CyberLympics web site to register a team to participate in the competition. The CyberLympics registration deadline is 31 July. Visit the EuroCACS/ISRM page of the ISACA web site to learn more about and register for the conference.


Follow the Risk: Tips for Interviewing and Collecting Information
By Lisa Young, CISA, CISM

Conducting effective interviews can greatly improve the audit process and your ability to identify risk to the business or mission. However, staff members may be reluctant to talk about weaknesses in internal controls, suspected or actual fraud, and work practices that place the organization at risk, even if the company has an ethics hotline, a compliance officer or other reporting mechanisms. When asked the right questions, however, personnel are often willing, even relieved, to talk about these issues.

Those questions include:

  1. Is there anything you want to say that I did not ask about or review during this assessment? This question provides the interviewee an opportunity to add relevant information to the discussion. This technique is particularly useful if you are using a set of structured interview questions about a limited topic area.
  2. If there was one thing you could change about your work, not including your salary, what would it be? This question can be dangerous in that it can result in having to listen to the interviewees’ perspective of everything that is wrong with the workplace. However, many times there are genuine pearls of wisdom that can result in meaningful change recommendations.
  3. Is there any risk that you are aware of that needs to be brought to management’s attention? If you think of anything later, would you please contact me? These questions give the interviewee an opportunity to divulge information about something that is potentially damaging to the organization so that it can be addressed. This also opens the door for the interviewee to contact you privately if there is a situation that needs an intervention.

Make sure you consider the culture of the organization. You may need to be more casual or more formal in your tone of voice. You must also consider the level of detail that is required for the type of assessment or audit you are performing.

There are several techniques to cultivate as you grow in your interview style over time. Becoming an effective interviewer requires practice and persistence, as well as a combination of classroom and on-the-job training. It will pay dividends in career and personal growth.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


CISM: 25,000 Strong

In April 2014, ISACA awarded the 25,000th Certified Information Security Manager (CISM) certification since the program’s inception. Established in 2002, the uniquely management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise’s information security.

CISM continues to rank among the highest-paying certifications in the workplace. Based on the 2014 IT Skills and Salary Survey, conducted by Global Knowledge and Penton, CISM was identified as the second highest-paying certification. Of the skills and certifications that gained 10 percent or more in market value in the last quarter of 2013, CISM tied for fourth among those earning the highest pay premiums according to a Foote Research Group study (surveyed 1 October 2013 through 1 January 2014).

As security continues to top the agendas of enterprises globally, ISACA certifications are increasingly in demand. To learn more about the CISM certification and requirements, visit the How to Become CISM Certified page of the ISACA web site.


Employers Support ISACA Involvement

Employers that value ISACA membership enough to give their employees time off work to volunteer for ISACA believe that their employees’ contributions to the profession, through membership in ISACA, are worth supporting. These employers also know their employees’ time away from the job will be more than compensated for by their increased proficiency and effectiveness as a result of their active involvement with ISACA.

“There is no issue with me traveling and spending time away from the office when it is ISACA-related,” says Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, ISACA international director. “It is understood that my involvement in cutting-edge, pragmatic guidance and research means access to that material as soon as it is released, which can turn into a competitive advantage.”

Participating in ISACA activities and bringing what you learn back to the workplace is often the best way to negotiate time off for volunteering. It allows employers to see the benefit to their organization prior to providing time off to ISACA members.

“I have been actively involved with ISACA since I joined the Brisbane (Queensland, Australia) Chapter in the 1990s and have had the privilege to serve in many roles, both at the chapter and international levels,” says Glen McMurtrie, CISA, CBM, CFE, Nominating Committee member. “It is through this service that my employers (past and present) have come to understand the value ISACA offers and, as a result, have supported me through allocating time off (of up to 2 weeks per annum) to fulfil my volunteering roles.”

Aside from the educational benefits, membership also enables security professionals to consult with other experts on complex challenges. “My involvement has also given me a vast and powerful network of professionals around the world that I have access to if I need another opinion or am looking for an expert resource to work with me on an engagement,” Stewart-Rattray adds.

To learn more about membership benefits, visit the Membership page of the ISACA web site.


Preparing for the September 2014 Exams

Are you and your colleagues planning to take the upcoming September Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) exams? ISACA has an onsite training program for groups of individuals looking to prepare for the exams. Onsite training allows you to train many employees at minimal expense to your organization. This option is ideal if you have a group of people, would like to customize the content or need a consistent message across a global team.

A typical exam preparation course facilitated by ISACA trainers includes resources and study materials that will help your team best prepare for the exams. Our trainers are dedicated professionals who hold multiple industry certifications. Currently practicing in related fields, they bring unique, real-world experiences to the courses they facilitate. Each trainer delivers proven strategies, techniques and best practices to the classroom. These skilled facilitators are ISACA members who contribute regularly to ISACA research and the IT profession.

Questions? Contact onsitetraining@isaca.org.


Participate in New IT-related Surveys

ISACA supports academic research by promoting participation in research projects. The Academic Research page of the ISACA web site contains information about ongoing surveys. The projects listed on this page will result in articles or white papers that will be available on the ISACA web site. Your participation is requested in the following surveys:

  • “Critical Success Factors (CSFs) of IT Governance (ITG) in Saudi Arabia” is divided into 6 categories. Participants can provide opinions about each category, factor and the relation between them. Suggestions can be made to add and/or remove categories and factors. The participation deadline is 6 October.
  • “Maturity of IT Risk Management Practices and Reporting Structure: An IT Manager Perspective” is designed to find out whether the maturity of IT risk management practices (the extent to which management performs particular activities to identify, assess, monitor and respond to IT-related risk) in organizations depends on the chief information officer (CIO) reporting structure and the board’s leadership structure. The participation deadline is 30 June.
  • “Verifying Business Rules in Conceptual Models” is designed to test the benefit of principles developed for constructing conceptual models so that business rules are more clearly understood. IS audit, control and governance professionals can refer to conceptual models that describe the organization’s processes and data and the various rules surrounding them. The researchers are offering generous prizes for those who participate. The participation deadline is 30 July.


Book Review: Big Data Governance: An Emerging Imperative
Reviewed by Jeimy J. Cano M., Ph.D., COBIT Foundation, CFE, CMAS

According to Sunil Soares’ Big Data Governance: An Emerging Imperative, when we talk about big data, we are referring to the 4 Vs: volume (data at rest), velocity (data in motion), variety (data in different formats) and value (cost-effectiveness). Big data has become a valuable tool for organizations to leverage to obtain strategic and tactical views of their operation.

This book explains, with depth and clarity, the concepts and challenges of big data and analytics. It establishes the basic disciplines needed to implement big data analysis, the requirements for big data-related business processes and applications, and the necessary steps to enhance its value to the company and minimize its associated risk.

While reading the 22 chapters and 4 appendices of this book, readers will find the development of a governance model based on large data quality, privacy and security, and the life cycle of information. These criteria ensure that the exercise of analytical information maximizes the benefits of big data while complying with international law and internal regulations.

Big Data Governance: An Emerging Imperative provides managers and IT auditors with a conceptual and strategic model to promote the generation of business value. This book fosters a proactive view of assurance and privacy in order to help organizations develop and maintain an adequate risk management plan.

It concludes by proposing the creation of a guide to set out actions to achieve better governance. This guide could potentiate the opportunities that remain undiscovered and shape a digital world, where technology, processes and people converge.

Big Data Governance: An Emerging Imperative is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Jeimy J. Cano M., Ph.D., COBIT Foundation, CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Bogota, Colombia. He has been a practitioner and researcher in information and computer security, digital evidence and computer forensics for more than 17 years in different industries. Cano is a member of the ISACA Publications Subcommittee.
