GRC Session Spotlight: Proactive Auditing to Reduce Enterprise Risk
The Honorable Theresa M. Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, is responsible for planning and leading independent, nonpartisan audits, advisories and investigations of the financial and administrative functions of the US House of Representatives. Learn from Grafenstine and other experts at the 2014 Governance, Risk and Control (GRC) Conference, organized by ISACA and the Institute of Internal Auditors (IIA).
Grafenstine and 2014-15 ISACA International President Robert E Stroud, CGEIT, CRISC, will lead a session titled “Keeping it Positive: Proactive Auditing to Reduce Enterprise Risk” on Wednesday, 20 August. Grafenstine encourages auditors to be more proactive in all IT projects. During this session, Stroud will interview Grafenstine and discuss how effective auditing can prevent costly errors that are detrimental to end-user relations.
To learn more about this session and others offered at the GRC Conference being held in Palm Beach, Florida, USA, on 18-20 August, visit the GRC Conference page of the ISACA web site.
Convergence of Technologies and IS Audit
By Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, CEH, CISSP, ISO 27001 LA, BS 25999 LI, MCA, PMP
Enterprises today operate in an age where using the power of information is the most critical success factor of IT-enabled change. This has led to enterprises leveraging the power of converging digital technologies such as networks, mobility, analytics, cloud, security, social computing, sensors and applications that work on multiple platforms and devices. These technologies dramatically impact the business processes and, hence, the service delivery of the business operations. Converging technologies have reached a tipping point, compelling business executives to bring about a shift in the ways IT and business collaborate and convene to meet stakeholder requirements. Convergence has brought about a radical shift in focus from product to service.
It is imperative for IS auditors to consider and respond to these technological changes while planning and performing IS audits for organizations that focus on service delivery through convergence using digital infrastructure. Although this does not change the basic principles of planning, performing and reporting an IS audit, auditors have to understand the information flow of enterprises that have implemented convergence to achieve service delivery objectives. Further, they to need consider the risk and determine if appropriate security and controls have been implemented. Some of the key areas to be reviewed are the integration points where diverse technologies converge and the controls implemented at the time of data access, transfer, conversion and communication. IS auditors must ensure that fundamental controls relating to correctness, completeness, confidentiality, integrity and availability of recently updated real-time data are maintained.
IS auditors should consider the following when performing audits of converged technologies:
- Understand the business objectives of the service level and service delivery while reviewing and evaluating control design.
- Understand the information flow and information architecture used for service delivery.
- Review the infrastructure and various components that interact with each other and identify key risk and control factors.
- Review and evaluate the sourcing options of IT infrastructure, considering full or partial outsourcing.
- Ensure the evaluation of key controls at convergence points where data from different technologies (wireless and wired, web-based, and client server) are received and updated.
- Review and determine whether applications deployed are secured and are not dependent on end users securing their devices, browsers or other access methods.
- Identify monitoring process and performance measures that provide assurance on service-level objectives.
- Review whether controls implemented in the reengineered process improve efficiency.
- In reporting audit findings and providing recommendations, keep the focus on service objectives.
Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, CEH, CISSP, ISO 27001 LA, BS 25999 LI, MCA, PMP, is a consultant and trainer in IT governance and information security.
ISACA and Protiviti Partner to Conduct IT Audit Survey
Protiviti and ISACA have teamed up to conduct an IT audit benchmarking survey in order to learn how enterprises organize and staff their IT audit departments.
The IT audit department and the role of IT auditors continues to be an element critical to the success of an enterprise, especially as new technologies and business processes are introduced and existing information systems are refined. These technologies bring with them risk and a need for IT auditors to monitor, assess and report on the efficiency and effectiveness of information systems and recommend changes resulting in greater trust in, and value from, information systems.
The results of this survey will also provide Protiviti and ISACA with an understanding of current audit practices. It will help IT auditors gain valuable and important insight into the status and stature of IT audit approaches across multiple industries and company sizes. This survey will be sent out to IT audit directors and heads of IT audit. The results are expected to be published and made available by the fourth quarter of 2014. For more information on this survey, please contact [email protected].
Come Out of the Shadows
Everyone has the default “shadow head” profile image when they join ISACA’s Knowledge Center. But we want to see you. Put a face to your name and come out of the shadows. A professional photo is not necessary—sometimes that personal (yet professionally appropriate, of course) photo can provide better insight into who you are.
To add a photo:
- Sign in to the ISACA web site. Upon entering your credentials, you will be directed to the MyISACA page.
- Click on myPROFILE.
- Click on Edit My Profile from the navigation bar on the right side of the screen.
- The first heading under Personal Information is Photo.
- Click on Browse and select the photo you want to add.
- Scroll to the bottom and click the Save Changes button.
To edit photo privacy settings:
- Click on Edit My Privacy Settings on the right side of the screen.
- Change the picture to your desired privacy setting.
- Click the Submit button at the bottom of the page.
Engage more fully with the ISACA community by personalizing your profile with a photo. For more tips on using any of the Knowledge Center features, visit the Learn About the Knowledge Center page of the ISACA web site
New Membership Benefits to Explore: COBIT 5 Online and Cybersecurity Nexus
Your ISACA membership gives you access to leading resources in the industry, such as COBIT 5 online (full release coming in August) and the new knowledge-based Cybersecurity Fundamentals Certificate.
With your ISACA membership, you have the latest news, insights and easy access to online versions of COBIT 5 publications, such as COBIT 5, COBIT 5 Implementation, COBIT 5: Enabling Processes and the COBIT 5: Enabling Information guides. COBIT online also includes collaborative communities where you can ask questions, share insights and learn best practices.
This year, ISACA also introduced Cybersecurity Nexus (CSX), a program of cybersecurity resources for members at every stage in their careers. CSX demonstrates ISACA’s firm commitment to addressing the cybersecurity skills gap and doing for cybersecurity professionals what ISACA has done (and will continue to do) for audit, control and governance professionals.
Throughout the second half of 2014, your ISACA membership will continue to produce tools you need to succeed. Browse all of your membership benefits in the myMembership tab of your ISACA profile.
Forging a New Career Path With the Help of ISACA Certification
Faisal Abdullah, CISA, CRISC, Group Internal Audit Manager for Abudawood Group (Pakistan) and Board Member of the Karachi Chapter, Shares His Experience as a CRISC
“The Certified in Risk and Information Systems Control (CRISC) certification is the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals,” says Faisal Abdullah, CISA, CRISC. “It has enhanced my professional credibility and recognition and has also helped me to understand business risk and acquire the technical knowledge to implement appropriate IS controls.”
For Abdullah, having the CRISC certification allowed him to pursue a different career path than the one he had planned. After finding that the field of chartered accountancy was not a good fit for him, Abdullah began learning more about IT and IT risk and controls. Obtaining the Certified Information Systems Auditor (CISA) and CRISC certifications helped him begin his new career in IT risk management.
“Sometimes there are obstacles that force you to rethink your career path,” he says. “Follow your passion and you can do anything you want. If you can think it, you can do it.”
Abdullah advises anyone interested in entering the field of risk to view it as a career, not just a job, as it requires constant learning. “Make a point of trying to learn something new every day,” he says. “In my profession, I have realized that the more things we know, the more effective we will be.”
Abdullah believes that one of the main benefits of ISACA certification and membership is the professional connections that can be made. “Professional networking through ISACA and my participation in ISACA events has created a pool of contacts from which I can draw leads, referrals and information for my career progress.”
In addition to the professional benefits, his CRISC certification has enabled Abdullah to apply risk and control principles to his personal life. “I have become more risk-conscious and security aware,” he says. “I performed a thorough analysis of my particular risk. I took the time to understand them and worked to develop a program that mitigates risk and gives me peace of mind.”
To learn more about certification, visit the Certification page of the ISACA web site.
Book Review: FISMA and the Risk Management Framework
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP
FISMA and the Risk Management Framework is targeted toward information security professionals who are responsible for federal information security. Based on 2011 US Federal Information Security Management Act (FISMA) requirements, it classifies the process, procedures and specific security recommendations for a risk management framework.
The information is presented clearly and the book gives readers a comprehensive look at the new practices required of federal cybersecurity initiatives—all supported by a useful and appropriate amount of documentation.
FISMA and the Risk Management Framework is easy to read and it presents an effective system of ensuring proper information assurance, real-time risk monitoring and secure configurations for common operating systems. Though it focuses on FISMA, it also covers information security and privacy topics and considerations for organizations that do not have to comply with FISMA. It helps readers learn to build a robust and near real-time risk management system complying with FISMA. Additionally, this book provides information security personnel with the tools they need for system authorization.
Although the sequence of the topics and the interconnectivity between the chapters could have been better, the contents of the chapters sufficiently cover FISMA’s breadth and depth. The reader can expect to gain an ample explanation of FISMA, the obligations it places on federal agencies and others subject to the legislation, and the processes and activities needed to effectively implement its guidelines.
FISMA and the Risk Management Framework is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email [email protected].
Joyce Chua, CISA, CISM, CITPM, ITIL, PMP, is a global IT compliance manager for GLOBALFOUNDRIES, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.