New ISACA Journal Column to Focus on Cloud Computing in Practice
Beginning with volume 4, 2011, of the ISACA® Journal, look for a new column on the practical use of cloud computing in business. Authors will talk about such issues as how their organizations used the cloud, what they didn’t use the cloud for, what risks they identified, what controls they used to mitigate those risks, and what benefits they gained from using the cloud.
The first installment of this column, “Cloud Computing Risk Assessment: A Case Study,” is now available in the Journal and can be accessed in the Journal area of the ISACA web site. Author Sailesh Gadia of KPMG discusses one company’s experiences using an Infrastructure as a Service cloud service provider for its Software as a Service product offering. Read how this company approached the risks of the cloud and watch for other cloud-related case studies in future editions of the ISACA Journal. If you have a case study or practical example of cloud usage you would be willing to share with Journal readers, please contact [email protected].
Key Aspects of a Data Protection Model
By Tara Kissoon, CISA, CISSP
“While a data protection model provides an analytic framework to evaluate the flow of data, key aspects of the model must be defined by the organization.”1 Important considerations when developing a data protection model include:
- Definition of the data—Defines data that need to be protected:
- Organizational information (e.g., intellectual property, business plans)
- Regulatory considerations (e.g., privacy, Sarbanes-Oxley)
- Industry regulations (e.g., Payment Card Industry Data Security Standard)
- Protection coverage—Indicates which data are protected:
- Importance and use of the data
- Type of data that need protection
- Degree of protection
- Scope and limitation—The scope of protection may vary for different types of data:
- Secret, private, sensitive (i.e., health records, personal, payment card, organization-specific)
- Consumer data
- Data collected online
- Aggregate and anonymous data
It is important to note that particular types of data may be outside of a given model if rules do not sufficiently protect them.
Tara Kissoon, CISA, CISSP, is a director at Visa Inc. Her expertise is focused in developing and implementing information security and risk management controls across global payment systems.
1 Swire, Peter; Sol Bermann; Information Privacy, International Association of Privacy Professional (IAPP), 2007
Enterprise Risk Management: Mitigation Strategies for Today’s Global Enterprise
Virtual Seminar and Tradeshow • 10 August 2011 • Your Computer
As companies become more global, the risks become more diverse and unpredictable. And, as the challenges of enterprise risk management mount, so must the involvement of every person in the company—up to the CEO—to manage and mitigate the risk.
The August ISACA® and SearchCompliance.com virtual seminar and tradeshow, titled “Enterprise Risk Management: Mitigation Strategies for Today’s Global Enterprise,” will offer you the opportunity to hear what the experts are saying on enterprise risk management (ERM). The event will begin with a special keynote address providing European perspectives on ERM and enterprise risk frameworks. Additional sessions will discuss supply chain risk management, the sustainability of an ERM infrastructure and the human component of successful ERM programs.
Mark your calendars for Wednesday, 10 August 2011, for this online, all-day event, where you can participate in live, educational sessions presented by knowledgeable presenters, ask questions of and have conversations with speakers and sponsors, and connect one-on-one with other ISACA members and staff.
In between attending educational sessions, you are welcome to visit exhibitor booths and interact with sponsors and ISACA staff in the exhibit hall. The networking lounge, where you can go to talk to other ISACA members and attendees, will be open throughout the event. A resource center complete with additional information and materials such as white papers and ISACA® Journal articles will also be available throughout the event.
As with ISACA’s other virtual seminar and tradeshow programs, attendance is free of charge. Participants will also be able to earn up to 5 continuing professional education (CPE) credits.
To learn more and register for the event, visit the Virtual Seminar and Tradeshow page of the ISACA web site.
CGEIT Widens the Horizon of Specialized Support
Kaushal Kumar Sharma, CISA, CGEIT, CRISC, CBC, CS, FCA, Shares His Experiences As a CGEIT
Kaushal Kumar Sharma, founder of freeee.in, a micro-niche search engine for business excellence solutions and education (primarily related to ISACA® certifications), developed a zero-tolerance approach to IT and information systems that prompted him to gain both academic and professional expertise in the field of governance, risk and compliance. After earning the Certified Information Systems Auditor® (CISA®) certification and learning about the Certified in the Governance of Enterprise IT® (CGEIT®) credential, he felt CGEIT offered the added buoyancy he needed for his career and to support his approach.
“The CGEIT certification provides recognition of professional knowledge and competencies, abilities, experiences, and skill sets, and it definitely enhances my professional standing within my organization and with my peers,” Sharma said. “It also adds value to my organization by demonstrating a commitment to excellence in IT governance practices.”
Sharma also feels that professional benefits of the ISACA certifications ultimately resulted in financial gains and personal excellence—he experienced a change in his outlook and vision.
“As you earn certifications, you work your way up a career pyramid,” he explained. “The base provides a wider spectrum of responsibilities, all geared toward attaining excellence. As you go up the ranks and levels of the pyramid, the competition is stiff, challenges are enormous, and opportunities are exponential. Likewise, I had experienced a similar tapering of the career pyramid as I treaded the path from a well-recognized organization to a start-up, global organization, to a huge infrastructure entity, and, finally, initiating my own venture.”
Sharma said ISACA certifications definitely continue to shape his career path. “The inspiration and structured learning program of ISACA and the domain-by-domain clarity helped prepare me to anticipate, populate, plan and act in a professional manner with utmost regard to professional ethics and code of conduct,” he said. “This has given me the recognition that I always sought.”
Further, to those thinking about pursuing the CGEIT credential, Sharma advises that the CGEIT certification widens the horizon of specialized support to those who need it most—enterprise stakeholders. “The academic and professional expertise gained with the CGEIT credential helps you to be a strategic enabler with respect to the value of IT, strategic alignment and performance measurement,” he explained. “ISACA’s initiative in governance of enterprise IT (GEIT) is exceptionally valuable for professionals working in this area.”
When Sharma is not working, he spends his time reading and researching governance, risk and compliance, both from user and control perspectives. “One thing that I will never forget is when I was a CGEIT student, someone helped me gain confidence to excel in all domains by pushing me to read, research and apply the knowledge I acquired and that is expected from a CGEIT professional. This constant push-pull strategy made me what I am today.”
ISACA Congratulates 2011 Award Winners
ISACA® congratulates the winners of the 2011 awards, many of which were presented at the World Congress in Washington DC, USA, in June.
John Lainhart Common Body of Knowledge Award—This award recognizes contributions to the development and enhancement of the common body of knowledge used by ISACA’s constituencies. It is not necessarily an annual award, but is presented only when individuals far exceed the norm. This year, ISACA presented the award to Graham Gal, Ph.D.
Paul Williams Award for Inspirational Leadership—This award is given to an ISACA volunteer to recognize strategic leadership accomplishments on ISACA’s behalf. This year, the award was presented to Michael P. Cangemi, CISA, CPA.
Michael Cangemi Best Book/Article Award—This award recognizes an individual who makes a major contribution in the form of an article or a book about information systems (IS) audit, control and/or security. This year, the award was presented to Dave Chennault, CISA, MCP, MCTS, and Chuck Strain, CISA, MCSE, MCTS, for their book, SharePoint® Deployment and Governance Using COBIT® 4.1: A Practical Approach.
Eugene M. Frank Award for Meritorious Performance—This award recognizes outstanding contributions to ISACA or the IT Governance Institute® (ITGI®). This year’s award was presented to Everett C. Johnson, CPA.
John Kuyers Best Speaker/Conference Contributor Award—This award, which recognizes individuals for major contributions to the development of ISACA global conferences or for outstanding individual speaking achievements, was presented to Vernon Poole, CISM, CGEIT.
President’s Cup Award—Established in 1992, this award recognizes chapters for participation in ISACA’s World Congress. Points are awarded to the chapter for each of its members who attend the event, and distance traveled to attend is taken into account as well. This year’s award was presented to the ISACA Abuja (Nigeria) Chapter.
K. Wayne Snipes Award—This award was established in 1989 to recognize chapters that demonstrate excellent service to their members and communities. Performance is assessed on several criteria, including membership growth, educational events, member communication, promotion of ISACA certifications, involvement with ISACA and involvement with other professional organizations. Winners are selected in each size category in each region. From those, one chapter in each size category is selected as the worldwide winner.
This year’s worldwide winners are:
- Best small chapter worldwide—New Orleans (Louisiana, USA)
- Best medium chapter worldwide—Israel
- Best large chapter worldwide—Denver (Colorado, USA)
- Best very large chapter worldwide—South Africa
This year’s regional winners are:Asia:
- Best small chapter—Macao
- Best medium chapter—Muscat (Oman)
- Best large chapter—Pune (India)
- Best very large chapter—UAE
- Best medium chapter—Costa Rica
- Best large chapter—Lima (Peru)
- Best medium chapter—Adelaide (South Australia, Australia)
- Best large chapter—Brisbane (Queensland, Australia)
- Best very large chapter—Sydney (New South Wales, Australia)
- Best small chapter—Lithuania
- Best medium chapter—Israel
- Best large chapter—Milan (Italy)
- Best very large chapter—South Africa
- Best small chapter—New Orleans (Louisiana, USA)
- Best medium chapter—Rhode Island (USA)
- Best large chapter—Denver (Colorado, USA)
- Best very large chapter—North Texas (USA)
Membership Growth Awards—The award for the highest percentage of growth is presented to four different chapters based on size. The chapters that earned the award for the highest percentage growth are:
- Small—Macao (64 percent)
- Medium—Accra (Ghana) (33 percent)
- Large—Lima (Peru) (37 percent)
- Very large—Virginia (USA) (12 percent)
Membership Retention Awards—The award for the highest percentage of retention is presented to four different chapters based on size. The chapters that earned the award for the highest percentage of retention are:
- Small—Iowa (USA) (90.91 percent)
- Medium—Czech Republic (90.17 percent)
- Large—Denmark (91.56 percent)
- Very large—Germany (86.71 percent)
Chapter Newsletter Awards—This award recognizes chapters for their newsletter, one of chapters’ strongest forms of communication with their members. One award per chapter size category is awarded annually. This year, the awards were presented to:
- Best small chapter—Jeddah (Saudi Arabia)
- Best medium chapter—Malta
- Best large chapter—Karachi (Pakistan)
- Best very large chapter—New York Metro (New York, USA) and Sydney (New South Wales, Australia) (tie)
Thomas H. Fitzgerald Award—This award is given in recognition for achieving the highest worldwide score on the June and December 2010 Certified Information Systems Auditor® (CISA®) exams.
- June—Christopher A. Wiseman, CISA, CRISC
- December—Daniel H. Ward, CISA, and Wesley R. Palmer (tie)
CISA Worldwide Achievement Award—This award is given in recognition for achieving the second highest worldwide score on the June and December 2010 Certified Information Systems Auditor® (CISA®) exams.
CISM Worldwide Excellence Award—This award is given in recognition for achieving the highest worldwide score on the June and December 2010 Certified Information Security Manager® (CISM®) exams.
- June—Marin Prisacaru, CISA, CISM, CRISC
- December—David Fugleberg, CISM
CISM Worldwide Achievement Award—This award is given in recognition for achieving the second highest worldwide score on the June and December 2010 CISM exams.
- June—Matthias Scholz, CISA, CISM
- December—Glenn Cater
CGEIT Worldwide Excellence Award—This award is given in recognition for achieving the highest worldwide score on the June and December 2010 Certified in the Governance of Enterprise IT® (CGEIT®) exams.
- June—Upesh Bhupendra Parekh, CISA
- December—Frank Sundgaard Nielsen, CISA, CGEIT
CGEIT Worldwide Achievement Award—This award is given in recognition for achieving the second highest worldwide score on the June and December 2010 CGEIT exams.
- June—Xiaowei Xiong
- December—Hendrik Hartje, CISA, and Brad Andrucyk, CISA (tie)
CISA Geographic Excellence Award—This award is given in recognition for achieving the highest score in the geographic area on the June and December 2010 CISA exams.
- Area 1—Lau Chi Wing, CISA
- Area 2—Rosso Leonardo Federico
- Area 5—Bradly Busch, CISA
- Area 1—Ng Chee Peng
- Area 2—Atahualpa Carvajales, CISA, Erika Veronica Garcia and Nestor Eduardo Del Cuardro (tie)
- Area 3—Stephen John Hancock, CISA
- Area 5— Khin Zaw and Chris Downs (tie)
CISA Geographic Achievement Award—This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2010 CISA exams.
- Area 1—Lyndon Karol Kee Dujon
- Area 2—Rolando Gonzalez Montero, CISA, CISM, CRISC
- Area 3—Tobias Schmiemann and Sotirios Roussos, CISA (tie)
- Area 4—Charles B. Young, CISA, Matthew Nelson Smith and Adam Brand, CISA (tie)
- Area 5—Ian McGregor Craigen
- Area 1—Caere Chin, CISA, Yang Fang Yi and He Zhigang (tie)
- Area 3—Rudolf De Sousa, CISA, Emanual Tanase, CISA, CISM, and Aytekin Guzelis, CISA (tie)
CISM Geographic Excellence Award—This award is given in recognition for achieving the highest score in the geographic area on the June and December 2010 CISM exams.
- Area 1—William Wu, CISA, CISM
- Area 2—Ricardo Arturo Godoy Rendon, CISA, CISM
- Area 5—Kevin Vincent Hayes
- Area 1—Federico Vicente Capistrano Sevilla and Douglas Baigrie (tie)
- Area 2—Alvaro Zapata, CISA, CISM
- Area 3—Michael David, CISM
- Area 5—Sarah Mason, CISM
CISM Geographic Achievement Award—This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2010 CISM exams.
- Area 1—Lee Chee Chong
- Area 2—Lia Hebe Molinari, CISA, CISM, Juan Carlos Morales, CISA, CISM, and Camilo Fernandez, CISA (tie)
- Area 3—Gerald Faerber, CISA, CISM
- Area 4—Stephen Gearig
- Area 5—Mark Williams, CISA, CISM
- Area 1—Rafael De Queiroz Batista
- Area 2—Pierre-Louis Laude, CISA, CISM, CRISC, and Michael Peter Nott, CISA (tie)
- Area 5—Justin-Rei Kurosqawa-Spratt
CGEIT Geographic Excellence Award—This award is given in recognition for achieving the highest score in the geographic area on the June and December 2010 CGEIT exams.
- Area 2—Marcius Rodrigues, CGEIT
- Area 3—Kari Erkki Antero Saarelainen, CISM, CGEIT, CRISC
- Area 4—Fida Musallam, CISA, CGEIT, Erick H. Mittnight, CGEIT, and Vadim Ratokhim, CGEIT (tie)
- Area 5—Ramaswami Karunanithi, CISA, CGEIT, CRISC
- Area 1—Karen Moutardier, CISA, and Salim Siti Syahida (tie)
- Area 2—Carlos Alberto Mamede Hernandes, CISA, CGEIT
- Area 5—Simon Coppins, CGEIT
CGEIT Geographic Achievement Award—This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2010 CGEIT exams.
- Area 2—Luis Flavio Cibils, CGEIT
- Area 3—Padraic Berry, CGEIT
- Area 5— Christopher Walder
- Area 2—Jose Juan Marti, CISA, CISM, CRISC
- Area 4—Robert Polvado, CISM, CRISC
- Area 5—Mohamed Rizan Rizvi
COBIT 5 Exposure Drafts Await Your Comment
XBRL White Paper Available for Download
ISACA® has made the following new deliverables available on the ISACA web site:
- COBIT® 5 Framework Exposure Draft—The COBIT® 5 Framework provides an overview of the framework, which defines how governance and management of enterprise IT can be affected through the understanding of governance of enterprise IT (GEIT) principles, drivers, stakeholder issues, enterprise performance and governance objectives, and, ultimately, enablers that facilitate or permit governance and management. Comments are requested at the COBIT 5 page of the ISACA web site under COBIT 5 Initiative—Work Plan Overview until 31 July 2011.
- COBIT® 5 Process Reference Guide Exposure Draft—COBIT® 5 Process Reference Guide describes the goals cascade, process model, process reference model and detailed processes. It incorporates and is the successor to COBIT® 4.1, Val IT™: Based on COBIT® and Risk IT: Based on COBIT® processes. Comments are requested at the COBIT 5 page of the ISACA web site under COBIT 5 Initiative—Work Plan Overview until 31 July 2011.
- Leveraging XBRL for Value in Organizations—ISACA has added this new white paper to its library of resources. This paper, developed jointly with the Professional Accountants in Business Committee of the International Federation of Accountants (IFAC), provides guidance on deriving value by implementing eXtensible Business Reporting Language (XBRL) and identifies associated risks. Understanding how to embed XBRL in information processes helps enhance management communication and assurance, which can increase the value of the information used in an organization. Leveraging XBRL for Value in Organization is available as a complimentary PDF on the White Papers page of the ISACA web site.
Learn more about the ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.