@ISACA Volume 13: 19 June 2013 

@ISACA Relevant, Timely News

Mapping the New CGEIT Certification Job Practice to COBIT 5

The newly updated Certified in the Governance of Enterprise IT (CGEIT) job practice, which was tested for the first time with the June 2013 CGEIT certification exam, has been mapped to COBIT 5. Although knowledge of COBIT 5 is not specifically tested on the CGEIT exam, the principles and practices found in COBIT 5 are reflected in the CGEIT job practice.

The mapping will help focus the CGEIT candidate’s attention on the specific COBIT 5 content that relates to each CGEIT task statement. The mapping is available on the CGEIT Mapping to COBIT 5 page of the ISACA web site.


Tips for Understanding What Privacy Means to Your Organization
By Lisa R. Young, CISA, CISM

Organizations are struggling to manage privacy practices in an attempt to protect customer and employee information. A data breach of your customers’ or employees’ personal information can result in a damaged reputation, unbudgeted cleanup costs and/or legal action. Privacy risk is just another class of risk that must be well managed in order to meet the mission and business objectives of the organization. Here are some considerations to better understand what privacy may mean in your organization:

  • Is there a difference between “data privacy” and “data security”? The answer is, most definitely, yes. Data privacy is the right of individuals to control the collection, use and disclosure of their personal information. The laws defining data privacy vary from country to country; you should verify the definition in your country as well as in every country in which you do business. Data security comprises the mechanisms (e.g., controls, policies, procedures, roles, accountability, training) that enforce the privacy commitments you have made. Aligning what you say in your data privacy policies with what you actually do to protect the information establishes trust with your customers and employees. A data privacy policy without supporting data security places the organization at greater risk of a compromise, and of having promised something it cannot deliver.
  • Do you collect more information than you need to serve your customers? How do you know? A privacy impact assessment (PIA) can reveal the gaps between policy and practice, and the data you are holding without a business reason. The International Organization for Standardization’s ISO 22307:2008 (a PIA standard written for the financial services sector, but applicable more broadly) may help in creating a set of privacy objectives that consider the global nature of business.
  • Do you have a notification banner that authorized users of your systems must read and accept before accessing customer information, so that their acceptance of the handling rules is documented? The same principle of informed consent applies to the individuals whose data you collect. Transparency and openness about how data are collected, used and disposed of are a balancing act between giving people enough information to make an informed decision and overwhelming them with so much that they click “accept” without really understanding what they are agreeing to.
  • Have you quantified your data breach exposure? Simply assigning a monetary value to each record in your customer and employee databases gives a first estimate of potential exposure. For example, 100,000 customer records multiplied by a widely cited estimated cost per breached record of approximately US $214 gives a total potential exposure of more than US $21 million—yes, million. The number of records and the cost per record are specific to your organization, industry and country, but this example shows the power of quantification in bringing potential risk exposure to the attention of the board and senior management.
  • Have you secured service agreements to provide call center, triage, crisis communications, credit-monitoring support and/or other services that are needed in the event of a data breach? As part of a comprehensive incident response plan, you should understand what options are available and seek to secure agreements before a data breach occurs. Trying to put an agreement in place for these types of services after a breach occurs will delay action and may cause additional reputation damage.

Compromised data affects an organization’s reputation, productivity and finances. Understanding your organization’s obligations and requirements for data privacy and the security mechanisms that must be in place to ensure that conditions are met will help manage this very real risk.

For more information on this topic, read ISACA’s Personally Identifiable Information (PII) Audit/Assurance Program. Additional content related to data privacy, data security or PII is available in ISACA’s Bookstore and the Knowledge Center.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that developed the Risk IT publications.


ISACA Announces Corporate Social Responsibility Program

At the Annual Meeting of the Membership in Berlin, on 9 June 2013, international president Tony Hayes announced the formation of an ISACA corporate social responsibility (CSR) program. The program is a formalized approach to giving, designed to promote positive social and environmental change.

The program arises from ISACA’s growth over two decades, higher profile and increased credibility—all of which have combined to place the association on a global stage. Through the program, ISACA has an opportunity to give back to appropriate causes and make a bold statement about its priorities beyond the activities specified by its mission.

To give ISACA time to fully develop and test the program, it is being kicked off via a planning phase (to be carried out over the remainder of 2013), followed by a three-year pilot program (2014-2016).

It is anticipated that ISACA’s CSR activities will fall into two general categories: financial and nonfinancial. Chapters and members will have the opportunity to submit proposals for funding from the ISACA program. The proposals will be reviewed by the international volunteer body that is being created to oversee the program.

For more information and to learn the details of the program as the planning phase unfolds over the next six months, see the Corporate Social Responsibility Program page of the ISACA web site. Also, keep an eye on ISACA’s social media postings and watch for articles in future issues of @ISACA.


IS Risk Management Plays Important Role When Disaster Strikes
Wataru Matsuhashi, CISA, CISM, CGEIT, CRISC, Shares His Experience as a CRISC

Since 2006, Wataru Matsuhashi has been in charge of information systems (IS) risk management and information security management for companies in the life insurance industry. His work experience as a Certified in Risk and Information Systems Control (CRISC) professional helped him understand what was needed during disastrous events. “Personally, one of the most significant benefits of my CRISC certification is how I was able to appropriately and confidently deal with the 2011 earthquake, tsunami and nuclear power plant disaster in Japan, as well as other similar situations and various matters related to IS risk management.”

Getting CRISC-certified helped Matsuhashi organize his experience and knowledge. “I strongly recommend pursuit of the CRISC certification to professionals who are engaged in IS risk management. With CRISC certification as well as my related skills and knowledge, I am able to stay calm in chaotic situations—I know risk management and I understand how to deal with risk.”

Professionally, Matsuhashi believes that the CRISC certification sets him apart from the rest. “In Japan, there is no other certification like CRISC, focusing on IS risk and control. Thus, holding the CRISC certification is a great advantage for job security and when seeking career advancement.

“The business impacts of IS troubles or customer data leakage are getting bigger and bigger. Thus, IS risk management is becoming more important and more valuable. CRISC is not only valuable to risk management professionals but also everyone in the IT industry.”

To learn more about CRISC and other ISACA certifications, visit the Certification page of the ISACA web site.


New Practical COBIT, Cybersecurity and Cloud Guidance Available

ISACA has issued three new publications that provide practical guidance for addressing current business challenges.

COBIT 5 for Assurance, available in print and as an ebook, provides a focused view of COBIT 5 and offers guidance for professionals involved in information assurance. This is one of the planned professional guides within the COBIT 5 product family. It is the assurance equivalent of COBIT 5 for Information Security, published last year.

Responding to Targeted Cyberattacks, available in print and as an ebook (the latter is complimentary for ISACA members), is part of a series focusing on cybersecurity. It provides guidance to readers regarding the current cybersecurity landscape and identifies threats and challenges facing security professionals today.

Cloud Governance: Questions Boards of Directors Need to Ask, available as a complimentary download, provides specific questions board members should ask management teams to determine if proposed cloud initiatives will have a positive and sustainable impact on enterprise goals and to ensure that the risk involved is within enterprise tolerances.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Connect and Collaborate With Speakers on COBIT 5, Cybersecurity and More at Latin America CACS/ISRM

Audit, security, governance and risk are critical roles and factors in any management approach. The Latin America Computer Audit, Control and Security and Information Security and Risk Management Conference (Latin America CACS/ISRM) is a collaborative event that gives attendees the opportunity to interact with speakers from leading IT-related fields. This year’s Spanish-language conference, held in Medellin, Colombia, from 30 September through 1 October, will include the following experts:

  • Juan Carlos Morales, CISA, CISM, CGEIT, CRISC, chief executive officer at Bayer, Guatemala, and an ISACA-certified trainer. Morales will facilitate the 2-day COBIT 5 Fundamentals Workshop and moderate a conference session on COBIT 5 enablers.
  • Ulises Castillo, CISA, CISM, chief of main directorate at Scitum Security, Mexico. Castillo will discuss information security and cybersecurity, specifically related to advanced persistent threats (APTs).
  • Daniel Segui, head of IT audit, Banco Credicoop, Argentina. Segui will present case studies and lessons learned on auditing in open-source environments.

In addition to hearing from these and other experts in the field, Latin America CACS/ISRM attendees will also have the opportunity to expand their professional network and exchange information and strategies with colleagues in the audit, risk and security professions.

Visit the Latin America CACS/ISRM page of the ISACA web site for more information and to register. Register by 7 August and save US $100.


Book Review: ICT Ethics and Security in the 21st Century: New Developments and Applications
Reviewed by Dauda Sule, CISA

ICT Ethics and Security in the 21st Century: New Developments and Applications, by Marian Quigley, highlights ethical issues and security challenges arising from current technological advancements, such as the digital divide, privacy issues and security measures in organizations.

The book is divided into three sections: online ethics, ethical concerns in the handling and delivery of health and safety information, and ethics and security in organizations. The online ethics section focuses on issues that arise with the use of the Internet, such as the establishment of trust in virtual communities and social networking ethics and security. The next section discusses the challenges associated with using information and communications technology (ICT) to manage patient health data. The last section looks at how organizations can secure their critical infrastructure and discusses ethical dilemmas such as monitoring employees in the workplace.

The last chapter of the book offers a practical approach and a comprehensive method of evaluating the alignment of business objectives with IT and information security. It proposes integrating COBIT (the book references COBIT 4.1), the balanced scorecard (BSC) and the Systems Security Engineering Capability Maturity Model (SSE-CMM), highlighting the strengths and weaknesses of each tool.

Some chapters provide real-life sample case studies that make the issues presented easier to understand, giving those chapters a more practical feel and broader applicability. The book is a good source of reference material and could be very useful for research on ICT ethics and security. It could also benefit readers whose organizations are developing IT and IT security policies, helping them avoid both ethical problems and unnecessary security measures that create privacy and ethical friction with employees.

ICT Ethics and Security in the 21st Century is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Dauda Sule, CISA, is a marketing manager at Audit Associates Ltd., a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. Sule previously worked in the Nigerian banking industry and was a systems security and assurance supervisor at Gtech Computers, a computer and allied services company.

