@ISACA Volume 13: 20 June 2012 

@ISACA Relevant, Timely News

CGEIT Surpasses the 5,000 Mark

ISACA is proud to announce that in March 2012 the 5,000th individual earned the Certified in the Governance of Enterprise IT (CGEIT) certification since the program’s inception. The CGEIT designation recognizes a wide range of professionals for their knowledge and application of governance and management of enterprise IT (GEIT) principles and practices. A CGEIT-certified professional can demonstrate the capabilities of GEIT within an organization and grasps the complex subject holistically, thus providing value to the enterprise.

Boards and executive management expect IT to deliver business value and CGEITs help to make this happen.

To earn the CGEIT certification, individuals must pass the CGEIT exam; have five or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise; have a minimum of one year of experience relating to the development and/or maintenance of an IT governance framework; and have additional broad experience directly related to any two or more of the remaining CGEIT domains. The CGEIT domains are:

  • IT governance frameworks
  • Strategic alignment
  • Value delivery
  • Risk management
  • Resource management
  • Performance measurement

ISACA congratulates all individuals who have earned the prestigious CGEIT certification. Visit the CGEIT page of the ISACA web site to learn more.


Techniques for Gathering Audit Evidence

To ensure good overall quality of audit evidence during the audit process, ISACA Journal volume 3 author Ookeditse Kamau, CISA, CIA, offers the following techniques for gathering audit evidence:

  1. Interviews—Gather data by asking the information systems (IS) personnel open-ended and closed-ended questions. It is important to identify the right person to interview, i.e., someone who has knowledge of the processes of the area being audited.
  2. Questionnaire—Gather data by allowing the IS personnel to answer predetermined questions. This technique is usually used to collect data during the planning phase of the audit. Information gathered through this process has to be corroborated through additional testing.
  3. Benchmarking—Compare the IS department to a similar organization or to a well-accepted standard in the industry.
  4. Data interrogation—Analyze data, usually by using computer-assisted audit techniques (CAATs). Generalized audit software analyzes extracted data sets, and audit software embedded within an application (an embedded audit module) reviews transactions as they are being processed; either produces exception reports showing variances or anomalies that can be used for further audit investigation.
  5. Extraction of system parameters—Review system configuration and user account details through the use of manual methods or utility tools/scripts, which are available freely online, developed in-house or obtained off the shelf on the market. Alternatively, the IS auditor can read manuals for the system being audited for guidance on how to manually retrieve system configurations and user accounts. Any tool obtained online should be verified (source and integrity) before it is run on an audited system, and extraction scripts should be read-only so that the act of gathering evidence does not alter the system under review.
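The following script is an added example of techniques 4 and 5 in practice; it is not code from Kamau's article. It extracts user account details and sshd parameters from constructed copies of /etc/passwd, /etc/shadow and sshd_config, runs a small set of data interrogation tests over a constructed journal extract, and returns exception reports in the sense described above. The baseline values (SSHD_BASELINE), the approval limit and the business hours window are assumptions standing in for whatever the enterprise standard actually specifies.

```python
from datetime import datetime

# Constructed sample evidence for this example; not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice::19000:0:99999:7:::
"""
SSHD_CONFIG = """\
# sshd_config (constructed)
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes
PasswordAuthentication no
"""
# Hypothetical baseline; in a real audit this comes from the enterprise standard.
SSHD_BASELINE = {"PermitRootLogin": "no",
                 "PasswordAuthentication": "no",
                 "PermitEmptyPasswords": "no"}

def account_exceptions(passwd_text, shadow_text):
    """Technique 5: extract user account details and report anomalies."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw_hash = line.split(":")[:2]
            hashes[name] = pw_hash
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 (superuser) account other than root"))
        if hashes.get(name, "*") == "" and not shell.endswith("nologin"):
            findings.append((name, "empty password hash on an interactive account"))
    return findings

def sshd_exceptions(config_text, baseline=SSHD_BASELINE):
    """Technique 5: compare extracted sshd parameters with the baseline.
    sshd honours the FIRST uncommented occurrence of a keyword, so keep that one."""
    effective = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        effective.setdefault(key, value.strip())
    return [(k, effective.get(k, "<unset>")) for k, want in baseline.items()
            if effective.get(k, "<unset>").lower() != want]

# Constructed journal extract: id, amount, preparer, approver, posting time.
TRANSACTIONS = [
    {"id": "T1", "amount": 4200.0, "prep": "alice", "appr": "bob", "posted": "2012-05-14T10:12:00"},
    {"id": "T2", "amount": 15000.0, "prep": "carol", "appr": "carol", "posted": "2012-05-14T11:40:00"},
    {"id": "T3", "amount": 4200.0, "prep": "alice", "appr": "bob", "posted": "2012-05-14T10:12:00"},
    {"id": "T4", "amount": 800.0, "prep": "dave", "appr": "erin", "posted": "2012-05-12T23:05:00"},
]

def transaction_exceptions(records, limit=10000.0):
    """Technique 4: data interrogation over a transaction extract, producing an
    exception report (segregation of duties, approval limit, duplicates, off-hours).
    The limit and the 07:00-19:00 weekday window are assumed values."""
    findings = []
    seen = {}
    for r in records:
        when = datetime.fromisoformat(r["posted"])
        if r["prep"] == r["appr"]:
            findings.append((r["id"], "preparer approved own transaction"))
        if r["amount"] > limit:
            findings.append((r["id"], f"amount exceeds approval limit {limit:.0f}"))
        if when.weekday() >= 5 or not 7 <= when.hour < 19:
            findings.append((r["id"], "posted outside business hours"))
        key = (r["amount"], r["prep"], r["posted"])  # same amount, preparer and time
        if key in seen:
            findings.append((r["id"], f"possible duplicate of {seen[key]}"))
        else:
            seen[key] = r["id"]
    return findings

if __name__ == "__main__":
    for title, items in [("Accounts", account_exceptions(PASSWD, SHADOW)),
                         ("sshd_config", sshd_exceptions(SSHD_CONFIG)),
                         ("Transactions", transaction_exceptions(TRANSACTIONS))]:
        print(f"== {title} exceptions ==")
        for subject, note in items:
            print(f"  {subject}: {note}")
```

Run against the constructed data, the report flags the second UID 0 account and the account with an empty hash, the two sshd settings that deviate from the baseline, the self-approved and over-limit transaction, the duplicate posting and the weekend entry. Each finding is a lead for further investigation, not a conclusion; as the questionnaire point above notes, evidence gathered this way still has to be corroborated.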

Read Ookeditse Kamau’s full article, “Audit Evidence Refresher,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.


Giving Back to My Profession
Halina Tabacek, CGEIT, Shares Her Experiences

“It was a colleague of mine who persuaded me to pursue the Certified in the Governance of Enterprise IT (CGEIT) certification while we were working together. He helped me to see that my career skills and experience were closely aligned with the certification,” Halina Tabacek recalls. When her friend first suggested this, he probably did not know the importance this venture would play in Tabacek’s professional growth.

Tabacek followed her colleague’s advice and earned the certification in late 2008. Not long after, “I was facing a great obstacle in my career and had to establish credibility in a new job at a new company, following the acquisition of my former employer. Fortunately, my CGEIT and other qualifications played an important role and led to me being offered a position directly related to IT governance.”

Tabacek has expanded her relationship with her “profession and became interested in actively participating to give back to the IT profession.” She found that volunteering with ISACA was a good way to do something useful for other IT professionals as well as herself. “By coming together through the ISACA community, I believe we each come away with a deeper understanding of our profession, and a better appreciation for how to apply certain subjects in different industries and regions.”

In addition to volunteering at ISACA, Tabacek has performed coaching and mentoring “to help other professionals solve problems, face challenges or grow in their profession.” She has welcomed the opportunity to join in these activities and help others to get a direct benefit from them. “Coaching and mentoring have been a rewarding experience and will likely lead to my participation in other ways with ISACA,” Tabacek says.

Tabacek continues to offer support to her colleagues and in doing so is establishing strong bonds professionally and personally. She finds that using networks, both professional and personal, makes a significant difference, providing her a sense of purpose and accomplishment.


Want to Become a Certification Exam Item Writer?
Learn More About ISACA’s New Exam Item Writing Strategy

Much of the global respect given to ISACA’s certification exams is due to the expertise and dedication of item writers—professionals who develop exam questions. To increase the quantity while maintaining the quality of exam items, ISACA commenced an item writing strategy in 2011. As part of this effort, ISACA developed the following item writing initiatives, which were piloted with a select group of Certified in Risk and Information Systems Control (CRISC) item writers:

  • Train interested subject matter experts on how to write quality items—ISACA developed a two-tiered training program and invited the most proficient CRISC item writers to participate in a pilot program. The CRISC item writers were required to participate in the following training:
       – Basics of Item Writing—This training opportunity, a recorded webcast, illustrated the basic item writing principles necessary to write questions for any of ISACA’s certifications.
       – Writing CRISC Exam Items—This live webinar was conducted by members of the CRISC Certification Committee and the CRISC Test Enhancement Subcommittee (TES). It provided detailed information on how to write acceptable CRISC items.
  • Conduct item writing workshops to develop quality items—A two-day, face-to-face CRISC item writing workshop was held at ISACA International Headquarters. After viewing the Basics of Item Writing webcast and participating in the Writing CRISC Exam Items live webinar prior to the face-to-face workshop, each participant submitted 20 questions for review at the workshop. The workshop participants broke into two groups, each led by a CRISC Certification Committee or TES member, and reviewed all items during the two-day session.
  • Retain item writers through acknowledging achievement—It is vital to the continued success of the certification exams that ISACA retain quality item writers. Therefore, ISACA recognizes item writers by:
       – Awarding honorariums for each item accepted by the TES
       – Awarding 2 CPE credits for each item accepted by the TES
       – Inviting the item writer with the most accepted workshop items to a TES meeting

The pilot of the item writing initiatives was considered a success by the CRISC Certification Committee and ISACA staff. During June 2012, ISACA will conduct the CISM Item Writing Workshop, and a CGEIT Item Writing Workshop is planned for 2013.

Visit the Item Writing page of the ISACA web site for more information on how to become an item writer.


Book Review: Cybersecurity: The Essential Body of Knowledge
Reviewed by Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS

As mentioned in the US national strategy to secure cyberspace created in 2003, “it is necessary to empower Americans to secure the portion of cyberspace that they own, operate and control or with which they interact.” This sets the challenge to train every US citizen to develop an extended network of security to defend the nation from threats to the integrity of key information assets.

This scenario shows that only a collective understanding of defense and recognition of constant insecurity will make it possible to transform a nation that is passive and reactive regarding the threats of cyberspace into one that actively implements mechanisms that reduce the impacts of coordinated attacks against its infrastructure.

The US Department of Homeland Security (DHS) recognized the need to lay the foundation for the development of certification programs in information security. That is, a nation must set the fundamental definitions and practices in information security to enable the formation of core competencies for specific roles to protect information in enterprises.

In this context, Dan Shoemaker and Wm. Arthur Conklin have developed a book that sets out in detail, and with multiple examples, the profiles required to support the information security role in enterprises. The book is divided into 20 chapters, which detail relevant ideas about elements such as the roles and relationships that are key in the development of the information security function; key aspects of corporate strategy essential for security, compliance and regulatory considerations; and technical aspects related to the application of security.

This publication is particularly relevant for professionals in information security, IT governance and IT auditing, because you will find key elements to ensure the function of information security in enterprises and details about the roles and responsibilities required for professional profiles associated with the development of this function.

This book may be valuable in providing a detailed understanding of the challenges of cybersecurity in the business environment and as a formal reference to display the role of information security.

Cybersecurity: The Essential Body of Knowledge is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Colombia. He has been a practitioner and researcher in information and computer security and in computer forensics for more than 15 years in different industries. Cano holds the COBIT Foundation Certificate and is a member of the ISACA Publications Subcommittee.

