@ISACA Volume 12: 5 June 2013 

@ISACA Relevant, Timely News

Time Change for 2013 Annual Meeting in Berlin, Germany

The time of the 2013 Annual Meeting of the Membership has been changed to 7:30 - 8:15AM (previously scheduled for 8:00 - 8:45AM) on 9 June 2013, at the Estrel Berlin Hotel in Berlin, Germany, in conjunction with ISACA’s World Congress: INSIGHTS 2013. All ISACA members are invited to attend the Annual Meeting. Visit the World Congress: INSIGHTS 2013 page of the ISACA web site for more information about the conference.


Find Solutions to Overcome Governance, Risk and Control Challenges

Share tactics, experiences and strategies in the shifting IT landscape at the 2013 Governance, Risk and Control Conference, an IIA & ISACA collaboration, 19-21 August, in Phoenix, Arizona, USA. This unique event will bring together a variety of today’s leaders and help participants align governance of enterprise IT and risk management efforts with key business strategies to improve enterprise efforts and advance overall objectives.

Sessions will include:

  • The Danger of Heuristics and Biases in Audit
  • Implementing a World-class Operational Risk Management Framework
  • Dissecting Dodd-Frank and the Consumer Protection Bureau: What to Expect From the New Sheriff in Town
  • The Psychology of Fraud

For more information and to register, visit the Governance, Risk and Control Conference page of the ISACA web site. Register by 7 June and save US $200.


Risk Response Requires Critical Thinking

Depending on your point of view, risk management is either a very easy or a terrifically difficult job. If you approach IT risk management from a controls perspective (as in, “This asset does not have all the controls listed here. That is a risk.”), risk management is very easy for you. Simply add the missing control and everything is back to normal.

If, however, you feel that the control deficiency calls for some analysis, risk management is much more difficult. To analyze the risk, you need to research which assets reside on that system, how often it is attacked by various threat communities and the cumulative strength of the remaining controls. This approach involves building a model of attack sequences with associated probabilities and losses, and considering the risk scenario in the greater context of the organization’s goals, objectives and overall risk posture. In other words, this approach is risk analysis in support of well-informed risk management. It is a very rare scenario in which we hear, “The analysis has shown....”

Your enterprise needs to compete effectively in an evolving marketplace. Practicing risk management in a professional manner means responding with risk analysis rather than reflexively adding the missing control. A mature response to IT risk combines control maintenance, risk management strategies and critical thinking.
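As an added illustration that is not part of Dr. Freund’s column or any ISACA material, the following hypothetical Python model puts the two responses side by side: a checklist that flags any missing control as “a risk,” and an analysis that multiplies how often each threat community reaches the asset by the chance it gets past the remaining controls and by the loss per event. The control-stack model (independent controls, each eroded by attacker capability), the two assets, the threat communities, the control strengths, the loss figures and the loss tolerance are all constructed assumptions; none comes from the column.

```python
# Added example (not from the ISACA newsletter or Jack Freund's column): a small,
# hypothetical quantitative model contrasting the "missing control = risk"
# checklist response with an analysis that weighs threat frequency, control
# strength and loss. Every asset, frequency, strength and loss figure is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatCommunity:
    name: str
    contact_frequency: float  # attack attempts reaching the asset per year (assumed)
    capability: float         # 0..1: share of a control's strength this actor can defeat


@dataclass(frozen=True)
class Control:
    name: str
    strength: float           # 0..1: chance it stops one attempt by a zero-capability actor


@dataclass(frozen=True)
class Scenario:
    asset: str
    loss_per_event: float     # expected loss when an attempt succeeds (assumed)
    threats: tuple
    controls: tuple


def residual_vulnerability(controls, capability):
    """Probability that one attempt gets past every remaining control.

    Controls are treated as independent (an assumption of this model); each
    stops the attempt with probability strength * (1 - capability), so a more
    capable attacker erodes the cumulative strength of the whole stack.
    """
    p_success = 1.0
    for c in controls:
        p_success *= 1.0 - c.strength * (1.0 - capability)
    return p_success


def annualized_loss(scenario):
    """Sum over threat communities of (loss events per year) x (loss per event)."""
    total = 0.0
    for t in scenario.threats:
        lef = t.contact_frequency * residual_vulnerability(scenario.controls, t.capability)
        total += lef * scenario.loss_per_event
    return total


def checklist_verdict(required, scenario):
    """The controls-perspective answer: any missing control is 'a risk'."""
    present = {c.name for c in scenario.controls}
    missing = sorted(set(required) - present)
    return ("risk" if missing else "ok", missing)


def analysis_verdict(scenario, tolerance):
    """The analysis answer: compare annualized loss with the organization's tolerance."""
    ale = annualized_loss(scenario)
    return ("treat" if ale > tolerance else "accept", round(ale, 2))


def risk_reduction(scenario, control):
    """Annual loss avoided by adding `control`, to be weighed against its annual cost."""
    hardened = Scenario(scenario.asset, scenario.loss_per_event, scenario.threats,
                        scenario.controls + (control,))
    return round(annualized_loss(scenario) - annualized_loss(hardened), 2)


# Constructed sample data: both systems lack the same required control (MFA).
BASELINE = (Control("network firewall", 0.9), Control("patching", 0.8))
REQUIRED = ["network firewall", "patching", "mfa"]
MFA = Control("mfa", 0.9)

WEB_PORTAL = Scenario(
    asset="customer web portal", loss_per_event=50_000.0,
    threats=(ThreatCommunity("opportunistic internet", 20.0, 0.1),
             ThreatCommunity("targeted criminal", 1.0, 0.5)),
    controls=BASELINE)

TEST_BOX = Scenario(
    asset="internal test box with synthetic data", loss_per_event=2_000.0,
    threats=(ThreatCommunity("curious insider", 2.0, 0.3),),
    controls=BASELINE)

TOLERANCE = 25_000.0  # assumed annual loss the organization will accept per system

if __name__ == "__main__":
    for s in (WEB_PORTAL, TEST_BOX):
        print(f"{s.asset}: checklist={checklist_verdict(REQUIRED, s)} "
              f"analysis={analysis_verdict(s, TOLERANCE)} "
              f"annual loss avoided by MFA={risk_reduction(s, MFA)}")
```

Run as written, the checklist returns the same verdict (“risk,” missing MFA) for both systems, while the analysis asks the organization to treat the portal (about 69,700 per year against a 25,000 tolerance) and accept the test box (about 651 per year). The last column shows what the analysis buys the decision maker: adding MFA avoids roughly 50,500 per year on the portal but only about 410 on the test box, which is the number to set against the control’s cost before spending on it.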

Jack Freund, Ph.D., CISA, CISM, CRISC, CIPP, CISSP, PMP, manages a team of IT risk analysts for TIAA-CREF and chairs the CRISC Test Enhancement Subcommittee.


Register Early and Save—September and December Exam Registration Is Open

Exam registration is currently open for both the 7 September and 14 December 2013 certification exam administrations.

The September exam administration is only for the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) exams and is available only at select locations worldwide. You can learn more about the September exam locations on the September Exam Sites page of the ISACA web site. The early-bird registration deadline for the September administration is 12 June 2013—save an additional US $50 when you register before the deadline.

Registration for the December CISA, CISM, Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) exams is also open on the Exam Registration page of the ISACA web site. The early-bird deadline for the December administration is 21 August 2013—save an additional US $50 when you register before the deadline.


One of ISACA’s Best-kept Secrets

The Knowledge Center booth at the North America Computer Audit, Control and Security (CACS) Conference in Dallas, Texas, USA, in May provided attendees with a glimpse into one of ISACA’s best-kept secrets: the topic-based online communities within the Knowledge Center. The response was overwhelming and we want to make sure that you too are aware of the benefits of the Knowledge Center.

The Knowledge Center contains ISACA’s online communities for members who share a common professional interest. Users can access ISACA research and ISACA Journal articles on specific topics, exchange expertise and experiences, and build understanding through collaboration.

Frequently asked questions about the Knowledge Center include:

  • What can you do in the Knowledge Center? Join topics that are of interest to you and engage in online conversations with other ISACA members. Contribute documents, links and wikis. Keep in touch with members you met at an ISACA conference, chapter event or within the online community.
  • How can I keep up with community activity? Once you join a community, you can set the alert feature to send you a message whenever there is activity. You can also respond directly to discussion posts by simply replying to an email. You can learn more about email-enabled discussions on the web site.
  • What do community leaders do? Community leaders create a welcoming environment and help generate conversations. Each topic can have up to four community leaders. For more information on the role of a community leader, visit the Become a Community Leader page of the ISACA web site.

As a member, you have full access to all of ISACA’s communities. To find one that interests you, go to the Knowledge Center and click on the “Browse Over 100 Topics” tab.


Explore Today’s Audit, Risk and Control Topics at EuroCACS/ISRM

The European Computer Audit, Control and Security and Information Security and Risk Management Conference (EuroCACS/ISRM) is a highly interactive event that gives attendees the opportunity to engage directly with speakers on leading IT-related topics. At this year’s event in London, England, on 16-18 September, experts from diverse sectors and geographies will include:

  • Amar Singh, chief information security officer (CISO) at News International Corporation, who will present his thoughts on the cloud environment in his session, “Is It Cloudy or Foggy? The Future of the Cloud”
  • David Lacey, author, innovator and founder of the Jericho Forum Board of Management and Infosecurity Europe Hall of Fame member, who will discuss underlying trends behind the paradigm shift between current and future network environments that may present a new doctrine for cybersecurity
  • John Meakin, Ph.D., CISO, head of security and technology risk at RBS, who will present case studies and lessons learned on security solutions to meet the latest threats, how to manage cost and benefits for security, and how to shift from commercial security efforts to dynamic management and monitoring

EuroCACS/ISRM attendees will also have the opportunity to expand their professional network and exchange information and strategies with colleagues in the audit, risk and security professions. Workshops will include:

  • Cloud, Social Networking and BYOD Collide: Pragmatic Risk Management for Today’s Business
  • Effective Management of IT-related Business Risk
  • COBIT 5 Foundation
  • Everything You Wanted to Know About Technology, Security, Cloud Computing and the Law but Were Too Afraid to Ask
  • Cloud Computing Audit, Risk and Control Frameworks

Visit the EuroCACS/ISRM page of the ISACA web site for more information. Register by 22 July and save US $200. Additionally, there is a special guest room rate of GB £179 at the Hilton Metropole for rooms booked by Friday, 12 July.


CISA Exam Language Updates

Additional updates to the Certified Information Systems Auditor (CISA) exam language offerings have been made as a result of the recent review of languages that had fewer than 100 candidates per administration in 2012:

  • The final offering of the CISA exam in Dutch will take place at the September 2013 administration. Effective with the December 2013 exam, the CISA exam will no longer be available in Dutch.
  • The CISA exam will not be offered in German or Italian at the December 2013 administration. Following the June and September 2013 exams, the next offering of the CISA exam in both German and Italian will be in June 2014.

For more information and to register, visit the CISA Exam Registration page of the ISACA web site. Registration for the September and December 2013 exam administrations is now open.


ISACA Congratulates CSO40 Award Winners

CSO Magazine recently issued the first annual CSO40 Awards recognizing 40 security projects that delivered outstanding business value. ISACA congratulates the following ISACA members who were involved in leadership roles on these projects for their award-winning work:

  • Mark Coderre, CISM, CRISC, enterprise information security architect at Aetna, recognized for its international governance, risk and compliance program
  • Jay Leek, CISA, CISM, CISSP, chief information security officer at Blackstone, recognized for security through simplicity
  • Devon Bryan, CISA, CISSP, senior director of client and vendor security at ADP, recognized for its client security management office portal
  • Tonya Byers, CISM, CRISC, PMP, director of information security, and Angela Williams, CISM, CRISC, senior security operations manager, at Blue Cross Blue Shield Michigan, recognized for its information security operations center
  • Miki Calero, CISM, PMP, chief security officer at the City of Columbus, recognized for its security program implementation
  • Kim Keever, CRISC, vice president of information security and controls at Coca-Cola Refreshments, recognized for its enterprisewide, cross-system role-based security
  • Jon Moore, CISA, CISM, CRISC, chief information security officer at Humana, recognized for its information security awareness and training program
  • Bob Cheong, CISM, CISSP, chief information security officer at Los Angeles World Airports, recognized for its daily cyber intelligence report
  • Jesus “Laz” Montano, CISM, CGEIT, chief information security officer, and Audrey Mydosh, CISA, CRISC, director of IT risk and security, at MetLife, recognized for its minimum IT control assessment and Application Vulnerability Testing Program
  • William Lisse, CISA, CGEIT, CIPP, CISSP, PMP, then chief information security officer at Online Computer Library Center, recognized for its global ISO/IEC 27001 information security management system implementation and certification
  • Stephen Gay, CISA, CISSP, associate director of information technology services at Kennesaw State University, recognized for its identity and access initiative implementation
  • Michael Barrett, CISM, CISSP, chief information security officer and vice president of information risk management at PayPal, recognized for its PayPal QuickPass
  • Wyatt MacManus, associate director of information security at Sharp Electronics, recognized for its compliant provisioning and deprovisioning

