@ISACA Volume 15: 16 July 2014 

 
@ISACA Relevant, Timely News

In Search of “Real Risk”
By Jack Freund, Ph.D., CISA, CISM, CRISC, CIPP, CISSP, PMP

It is fashionable these days to want to talk about “real risk.” Oftentimes this discussion is at the request of someone trying to redirect a conversation away from technical talk to a more business-focused discussion. Sometimes it is less specific and used simply to express frustration at the current list of risk and classification taxonomies. It is dismissive in nature when used in this way. This discussion essentially expresses displeasure with whatever is at hand and describes a desire for utility in risk management practices, which is often difficult to articulate. An excessive emphasis on “real risk” may also be used to devalue a risk program or solution for personal reasons (so much in risk management these days is driven by strong personalities and custom-built solutions and models). Alternatively, this practice sometimes occurs during a sales experience. For example, a product may claim to offer a view into your organization’s “real risk.”

It is easy to become confused, frustrated or even cynical in the face of such proclamations. Although nothing can fully replace the analysis that is necessary to wade through the taxonomies and equations that may be set before you, getting to the heart of what “real risk” looks like can be fairly straightforward. “Real risk” maintains strict adherence to its definition; namely, it is some measure of how often bad things may happen in the future and, when they do, how bad they are likely to be. These are factors that can be evaluated using real units of measure, such as a count of events (frequency) or ratio scales that reflect probability over time (also frequency).

Too often, things purported to be “real risk” tend to ignore business or organizational impact. In security, we often stop short at the method of attack without taking the next logical step and measuring the resultant impact (i.e., after the web server is compromised, then what?). Avoid ordinal scales and their well-documented problems when describing risk. Instead, measure it in business terms like frequency, probability and currency. With a little practice, you too can gain the clarity to identify “real risk” among impostors.
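As an added illustration of the column's argument (not part of the original article), the Python below states exposure in the units Freund names, events per year and currency, simulates how bad a year is likely to be, and contrasts that with a 1-to-5 heat-map score; the two scenarios, their figures and the rating bins are constructed for this example.

```python
# Constructed example: exposure in real units (events/year, currency) versus an ordinal score.
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # loss event frequency: rate of a Poisson process
    magnitude_median: float  # per-event loss in currency: median of a lognormal
    magnitude_sigma: float   # lognormal shape: spread of the per-event loss

def mean_magnitude(s: Scenario) -> float:
    """Mean of a lognormal with the given median and sigma."""
    return s.magnitude_median * math.exp(s.magnitude_sigma ** 2 / 2)

def expected_annual_loss(s: Scenario) -> float:
    """Frequency times mean magnitude: currency per year."""
    return s.events_per_year * mean_magnitude(s)

def _bin(value: float, upper_edges: list) -> int:
    """Map a measurement onto a 1..5 ordinal rating (constructed bin edges)."""
    for rating, edge in enumerate(upper_edges, start=1):
        if value < edge:
            return rating
    return len(upper_edges) + 1

def ordinal_score(s: Scenario) -> int:
    """Heat-map style score: likelihood rating times impact rating, each 1..5."""
    likelihood = _bin(s.events_per_year, [0.1, 1, 10, 100])
    impact = _bin(mean_magnitude(s), [1e4, 1e5, 1e6, 1e7])
    return likelihood * impact

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 1) -> list:
    """Monte Carlo: total loss in each simulated year, sorted ascending."""
    rng = random.Random(seed)
    mu = math.log(s.magnitude_median)
    years = []
    for _ in range(trials):
        events = _poisson(rng, s.events_per_year)
        years.append(sum(rng.lognormvariate(mu, s.magnitude_sigma) for _ in range(events)))
    return sorted(years)

def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an ascending list, q in [0, 1]."""
    idx = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[min(max(idx, 0), len(sorted_values) - 1)]

# Constructed scenarios: the ordinal score ranks INCIDENTS (9) above OUTAGE (8),
# although OUTAGE carries about six times the expected annual loss.
OUTAGE = Scenario("rare major outage", 0.9, 8_000_000, 0.5)
INCIDENTS = Scenario("frequent minor incidents", 9.0, 130_000, 0.5)

if __name__ == "__main__":
    for s in (OUTAGE, INCIDENTS):
        years = simulate_annual_loss(s)
        print(s.name, ordinal_score(s), round(expected_annual_loss(s)),
              round(percentile(years, 0.5)), round(percentile(years, 0.9)))
```

The ordinal product collapses a 0.9-per-year, eight-million-currency-unit outage and a nine-per-year, 130,000-unit incident stream into adjacent scores, and ranks them the wrong way round; the frequency and currency figures keep the difference visible.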

Jack Freund, Ph.D., CISA, CISM, CRISC, CIPP, CISSP, PMP, is an IT risk manager for TIAA-CREF and chairs the CRISC Test Enhancement Subcommittee.



Help Your Chapter Win a Guest Speaker Appearance

At the Global Leadership Conference in April, ISACA announced a chapter reward program to encourage members to participate in ISACA’s Knowledge Center. Winning chapters will get to choose a topic and work with ISACA to select a guest speaker. ISACA will pay for the speaker’s travel expenses to the chapter.

Members accumulate points for participation, and your individual points are added to your chapter’s total. The 2 chapters (based on size—small/medium and large/very large) with the highest average number of participation points at the end of the year will win the guest speaker appearance. You can earn points by:

  • Joining a topic community
  • Starting or responding to discussions
  • Rating discussions
  • Adding documents or links
  • Adding colleagues

For more information and step-by-step instructions on how to participate in the Knowledge Center, view the video tutorials on the Learn About the Knowledge Center page of the ISACA web site. You can check how many points you have in your profile and then browse the Knowledge Center communities to join topics that match your interests. Join the conversation and contribute to your chapter’s point total.

Note: To be eligible, chapters must have opted into the contest. Please verify with your chapter that it has opted in and is eligible to win.



Annual CPE Audit Begins

The goal of ISACA's continuing professional education (CPE) policies is to ensure that all certified individuals maintain an adequate level of current knowledge and proficiency in their field. Each year, a random sample of certified individuals is selected for audit. CPE policies for all ISACA certifications require individuals to submit documentation of CPE activities if selected for the annual audit.

The 2013 annual CPE audit begins in mid-July. Those selected for the audit will be notified via email and postal mail and will need to supply the ISACA certification department with documentation for their 2013 reported CPE hours. The deadline for returning supporting documentation is 15 August. Individuals who do not comply with the audit will be subject to revocation.

As per all ISACA CPE policies, each certified individual must obtain and maintain documentation supporting reported CPE activities. Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, verification of attendance form (a sample of which is located in each CPE policy) or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date and the number of CPE hours awarded or claimed. Detailed information on CPE requirements is available on the CISA, CISM, CGEIT and CRISC CPE Policy pages of the ISACA web site.

Questions? Please contact [email protected], [email protected], [email protected] or [email protected].



Book Review: Developing and Securing the Cloud
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP

The use of cloud computing platforms and applications has increased tremendously in recent years. However, many books on the cloud focus on high-level concepts and theories; there are very few books that provide detailed guidance on how to create a secure cloud platform.

Developing and Securing the Cloud is a guide to creating and maintaining secure cloud applications and is applicable to all industries and geographical areas, providing a comprehensive overview of cloud computing technology. The target audience is any professional who is required to develop or secure cloud applications, and this book provides step-by-step information on how to create a safe and reliable cloud platform.

The strengths of this publication include the easy-to-understand yet detailed instructions on how to make a reliable cloud application. It also details the various layers of the cloud computing framework, including the virtual machine monitor or hypervisor, cloud data storage, cloud data management and virtual network monitor. It provides several examples of cloud products and prototypes, including private, public and US government clouds. Author Bhavani Thuraisingham reviews the recent developments in cloud computing and illustrates the essential concepts, issues and challenges in developing and securing the cloud.

Throughout the book, the author relates the relevant topics to her research. The chapter on an education program for a secure cloud may show some bias toward the university where the author works. Although the research is academic in nature, her findings can provide the reader with ideas for developing a safe and reliable cloud platform.

Developing and Securing the Cloud is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email [email protected].

Joyce Chua, CISA, CISM, CITPM, ITIL, PMP, is a global IT compliance manager for GLOBALFOUNDRIES, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.



ISACA Congratulates 2013-14 Award Winners

ISACA would like to congratulate the winners of the 2013-14 awards, many of which were presented in June at the Annual Meeting of the Membership in Chicago, Illinois, USA.

Professional Awards

Michael Cangemi Best Book/Article Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions in the field of IS audit, control and/or security. This year, the award was presented to Nageswaran Kumaresan, Ph.D., CISA, CRISC, CGMA, CIA, for his article in the ISACA Journal, volume 1, 2014, “Key Considerations in Protecting Sensitive Data Leakage Using Data Loss Prevention Tools.”

Eugene M. Frank Award for Meritorious Performance
This award is named after ISACA’s first president and recognizes individuals for outstanding contributions to ISACA/ITGI. This award is for performance that far exceeds the norm, and nominations are accepted only from a current board member or past international president. The award is granted with input by the international president and approved by two-thirds support from the ISACA/ITGI Board of Directors/Trustees. This year, ISACA presented the award to Ken Vander Wal, CISA, CPA.

John Kuyers Best Speaker/Conference Contributor Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions in the development of ISACA global conference(s) and/or outstanding speaking achievements. This year’s award was presented to Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA.

John Lainhart Common Body of Knowledge Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions to the development and enhancement of the common body of knowledge used by the constituencies of the association in the field of IS audit, security and/or control; IS audit certification; and/or IS audit standards. It is not intended to be an annual award, but is presented only when individuals far exceed the norm. This year, ISACA presented the award to Robert E. Stroud, CGEIT, CRISC.

Harold Weiss Award for Outstanding Achievement
This award was instituted in 1985 to recognize individuals for dedication to the IT governance profession. It is for achievement that far exceeds the norm. This year’s award was presented to Masatoshi Kajimoto, CISA, CRISC.

Paul Williams Award for Inspirational Leadership
This award is given to an ISACA volunteer to recognize strategic leadership accomplishments on ISACA’s behalf. The recipient must have contributed to ISACA over the course of several years and far exceeded the norm in achieving strategic results and/or driving ISACA’s strategy forward. This year, the award was presented to Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP.

Chapter Awards

K. Wayne Snipes Award
This award was established in 1989 to recognize chapters that demonstrate excellent service to their members and communities. Performance is assessed on several criteria, including membership growth, educational events, member communication, promotion of ISACA certifications, involvement with ISACA and involvement with other professional organizations. Winners are selected in each size category in each region. From those, 1 chapter in each size category is selected as the worldwide winner.

This year’s worldwide winners are:

  • Best small chapter worldwide—Estonia
  • Best medium chapter worldwide—Quebec City (Quebec, Canada)
  • Best large chapter worldwide—Middle Tennessee (Tennessee, USA)
  • Best very large chapter worldwide—South Africa

This year’s regional winners are:

Asia:

  • Best medium chapter—Sri Lanka
  • Best large chapter—Manila (Philippines)
  • Best very large chapter—Singapore

Latin America:

  • Best small chapter—Montevideo (Uruguay)
  • Best large chapter—Costa Rica

Oceania:

  • Best small chapter—Papua New Guinea
  • Best medium chapter—Wellington (New Zealand)
  • Best very large chapter—Melbourne (Victoria, Australia)

Europe/Africa:

  • Best small chapter—Estonia
  • Best medium chapter—Israel
  • Best large chapter—Athens (Greece)
  • Best very large chapter—South Africa

North America:

  • Best small chapter—Boise (Idaho, USA)
  • Best medium chapter—Quebec City (Quebec, Canada)
  • Best large chapter—Middle Tennessee (Tennessee, USA)
  • Best very large chapter—Greater Houston (Texas, USA)

Starting this year, in addition to the K. Wayne Snipes Award winners, ISACA’s Chapter Support Committee is recognizing top contenders for the award. Honorable mentions were given to chapters that did not win the award but still excelled as a top chapter. This year’s K. Wayne Snipes honorable mentions are:

Asia:

  • Bangkok (Thailand)
  • Malaysia
  • Muscat (Oman)
  • Nagoya (Japan)
  • Tokyo (Japan)

Latin America:

  • Lima (Peru)

Europe/Africa:

  • Finland
  • Malta

Oceania:

  • Canberra (Australian Capital Territory, Australia)

North America:

  • Central Ohio (USA)
  • Denver (Colorado, USA)
  • Los Angeles (California, USA)
  • Minnesota (USA)
  • Pittsburgh (Pennsylvania, USA)
  • Research Triangle (North Carolina, USA)
  • Rhode Island (USA)
  • South Carolina Midlands (USA)
  • Springfield (Missouri, USA)
  • Toronto (Ontario, Canada)
  • Trinidad & Tobago

Chapter Communications Awards
This award recognizes chapters that plan and execute great communications with their constituents. Winners are selected in each size category. This year’s Communications Excellence Award winners are:

  • Large—Athens (Greece)
  • Very Large—Los Angeles (California, USA)

In addition to the Communications Excellence Award winners, ISACA’s Chapter Support Committee is recognizing top contenders for the award. Commendations were given to chapters that did not win the Excellence Award but still proved to have an outstanding communication plan. This year’s Communications Commendations are:

  • Small—Springfield (Missouri, USA)
  • Medium—Quebec City (Quebec, Canada), Slovenia
  • Large—Middle Tennessee (USA), Pune (India), Vancouver (British Columbia, Canada)
  • Very Large—Chennai (India), China Hong Kong, Denver (Colorado, USA), London (United Kingdom), New Jersey (USA), South Africa

Membership Growth Awards
The Membership Growth Award is presented to the chapter with the highest percentage of membership growth in each of the 4 size categories. This year’s winners are:

  • Small—Katowice (Poland) (42 percent)
  • Medium—Venice (Italy) (44 percent)
  • Large—Accra (Ghana) (22 percent)
  • Very Large—South Africa (17 percent)

Starting this year, in addition to the respective winners, ISACA’s Chapter Support Committee is recognizing top contenders for the Chapter Growth Award. Honorable mentions are given to chapters that did not win an award but still had significant growth. This year’s Chapter Growth Honorable Mentions are:

  • Small—Illowa (Illinois/Iowa, USA), Lusaka (Zambia), Mendoza (Argentina)
  • Medium—Brasilia (Brazil), Kampala (Uganda), Latvia
  • Large—Costa Rica, Lima (Peru), Manila (Philippines)
  • Very Large—Atlanta (Georgia, USA), China Hong Kong, Kenya, UAE (United Arab Emirates)

Certification Awards

Each year, a variety of awards relating to the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certifications are presented. Worldwide top and second highest scorers in the June, September and December exams and the highest scorer in each geographic area for each exam are recognized. The 2013 winners are presented here; award winners are listed once, under the highest achievement earned. In addition, publication of the winners’ names has been withheld if publication has not been authorized by the individual.

Thomas H. Fitzgerald Award
This award is given in recognition of achieving the highest worldwide score on the June, September and December 2013 CISA examinations. The award was earned by:

  • June—Paul Ryan, CA
  • September—Tamas Gergely Magos, CISA, and Dejan Stijovic, CISA, CISM, CISSP (tie)
  • December—Ajoy Ghosh, CISA, CISSP, GAICD, IRAP

CISA Worldwide Achievement Award
This award is given in recognition of achieving the second highest worldwide score on the June, September and December 2013 CISA examinations. The award was earned by:

  • June—Bruno Blumenthal, CISA, CISM, CISSP
  • December—Kathy Lynn Knight, CISA, CFE, CIA, CPA, CRMA

CISM Worldwide Excellence Award
This award is given in recognition of achieving the highest worldwide score on the June, September and December 2013 CISM examinations. The award was earned by:

  • June—Vern Perryman, CISA, CISM, CISSP, and Ove Liljeqvist, CISA, CISM, CISSP (tie)
  • September—George Edward Pajari, CISM, CISSP
  • December—Thomas Bosboom and Andrew P. Albrecht, CISM (tie)

CISM Worldwide Achievement Award
This award is given in recognition of achieving the second highest worldwide score on the June, September and December 2013 CISM examinations. The award was earned by:

  • September—Bonyaminou Porrogho, CISA, CISM, CISSP, PMP

CGEIT Worldwide Excellence Award
This award is given in recognition of achieving the highest worldwide score on the June and December 2013 CGEIT examinations. The award was earned by:

  • June—Muhammad Rehan, PMP, Nina Johansen, CGEIT, CRISC, ITIL, and Diego Angel Lopez Guerrero, CGEIT (tie)
  • December—Pawel Klosek, CISA, CISM, CISSP, PMP

CRISC Worldwide Excellence Award
This award is given in recognition of achieving the highest worldwide score on the June and December 2013 CRISC examinations. The award was earned by:

  • June—Kurt Heinrich, CISA, CRISC
  • December—David F. B. Page, CISA, CRISC, CISSP, QSA, SSCP, and Robert Linkins, CISA, CRISC (tie)

CRISC Worldwide Achievement Award
This award is given in recognition of achieving the second highest worldwide score on the June and December 2013 CRISC examinations. The award was earned by:

  • June—Olanrewaju Odunsi, CISA, CRISC, FCCA, MBCS, Trevor Long, CISA, CISM, CRISC, FCCA, Joe Hancock, CISA, CISM, CRISC, and Richard A. Perrone, CRISC, CISSP, GSOC (tie)

CISA Geographic Excellence Award
This award is given in recognition of achieving the highest score in the geographic area on the June, September and December 2013 CISA examinations. The award was earned by:

June

  • Area 1—Youssef Karroum, CISA
  • Area 2—Gabriel Pla, CISA
  • Area 4—Alex Specogna, CISA, CISM, CISSP, and Jordan Seth Woolston, CISA (tie)

September

  • Area 1—Neha Chandra, CISSP
  • Area 2—Ruben Dario Castillo Rodriguez, CISA, EnCE(r)
  • Area 4—Ryan Sparkman, CISA, CGAP, and Sharon Laureen Parker, CISA, CISM, CGEIT, CRISC (tie)
  • Area 5—Paul Nathan Tresidder, CA

December

  • Area 2—Dale L. Holdaway, CFE, CIA, CRMA
  • Area 3—Cosmin Ionascu, CISA, Martin Gerstenberger, David Alexander Hogg, CISA, and Samir Nejjai (tie)

CISA Geographic Achievement Award
This award is given in recognition of achieving the second highest score in the geographic area on the June, September and December 2013 CISA examinations. The award was earned by:

June

  • Area 1—Tan Boon Keng, CISA
  • Area 2—David Tellez
  • Area 3—Eric Mutunga Ngei, CCNA
  • Area 5—Matthew James Donlon, CISA

September

  • Area 1—Shujie Zhao

December

  • Area 1—Maria Donna Tunacao Duran, CISA, CPA, and Christopher Ray Davis, CISA (tie)
  • Area 2—Arnold Brouwer, CIA, MSc
  • Area 4—James Bryan Buchanan Sr., CISA, CISM, CCNA, CEH, Security+, Rodger M. Will, CISA, and William E. Phillippe, CISA, CIPP/G (tie)
  • Area 5—James Manuel, CISA, CISSP

CISM Geographic Excellence Award
This award is given in recognition of achieving the highest score in the geographic area on the June, September and December 2013 CISM examinations. The award was earned by:

June

  • Area 1—Paras H. Gada, CA
  • Area 2—Matias Joel Cabellon, CISA, CISM, CRISC
  • Area 5—Lachlan George, CISA, CISM, and Robin Anson, CISM (tie)

September

  • Area 1—Hemanta Kumar Raval, CISA, CISM, CCNA Security, CCNP
  • Area 2—Alejandro Marco Alarcon y Montes de Oca, CISM
  • Area 3—David Houghton-Eccles, CISM, CISSP
  • Area 5—Ken Hendrie, CISA, CISM, CGEIT, CRISC

December

  • Area 1—Alexandre Hudelot, CISM, CISSP, and Jason Salvador, CISA, CISM (tie)
  • Area 2—Christian Teofilo Quispe Quispe, CCNA Security, CEH, ITIL
  • Area 5—Olivier Reuland, CISM, CISSP

CISM Geographic Achievement Award
This award is given in recognition of achieving the second highest score in the geographic area on the June, September and December 2013 CISM examinations. The award was earned by:

June

  • Area 1—Nikko Alen Jan Abayon Eustaquio, CISA, CRISC, CPA
  • Area 2—Maria Del Rosario Romero
  • Area 3—Michele Daryanani, CISM, CEH, CISSP, ITIL, Security+
  • Area 4—Marc Wilson, CISM

September

  • Area 2—Edgar Alejandro Sanchez, CISSP
  • Area 3—Peter Baird
  • Area 5—John Joseph Kolega, CISM, CISSP, SCF, and Christopher Paul Cooper, CISM (tie)

December

  • Area 2—Rajeev Devasia, CISA, CISM, CISSP
  • Area 3—Nicolas Schiller, DSS, PCI, QSA
  • Area 4—Katelynn Sandy, CISM, and Alexander M. Foley, CISA, CISM (tie)
  • Area 5—Paul Bilic, CISM, CISSP, and Martin K. Littlewood, PRINCE2 (tie)

CGEIT Geographic Excellence Award
This award is given in recognition of achieving the highest score in the geographic area on the June and December 2013 CGEIT examinations. The award was earned by:

June

  • Area 2—Douglas Enrique Salas Calderon, CISA, CISM, CGEIT, CRISC, ITILF, MAP
  • Area 4—Fayyaz Azam, ITIL, PMP, TOGAF
  • Area 5—Simon Roller, CISA, CGEIT, CISSP, CITP, DPSM, FBCS

December

  • Area 1—Manish Bindra, MSP, PRINCE2
  • Area 2—Fang Le, ITIL
  • Area 5—Ken Hendrie, CISA, CISM, CGEIT, CRISC

CGEIT Geographic Achievement Award
This award is given in recognition of achieving the second highest score in the geographic area on the June and December 2013 CGEIT examinations. The award was earned by:

June

  • Area 1—Hakam Majid Haddadin, CGEIT, PMP, TOGAF
  • Area 2—Jorge Betancourth Vega, CISM, CGEIT, CRISC
  • Area 4—Elvira Spika, CISA, CGEIT, ITIL, PMP
  • Area 5—Paul Michael O’Brien, CGEIT, CRISC, and Melissa Macphail (tie)

December

  • Area 1—Raihan Aamir, CISA, CGEIT
  • Area 2—Antonio Lenda Filho, CGEIT, ITIL
  • Area 3—Peter R. Bitterli, CISA, CISM, CGEIT
  • Area 4—Michele Guzzardo, CISA, CGEIT, CRISC, CPA, C-SOX, Michael Strong, CGEIT, and David Parker, CGEIT (tie)
  • Area 5—Orlando Samson Barrun, CBCP, ITIL, MOF

CRISC Geographic Excellence Award
This award is given in recognition of achieving the highest score in the geographic area on the June and December 2013 CRISC examinations. The award was earned by:

June

  • Area 1—Rafal Morawski, CISA, CISM, CGEIT, CRISC, IA, GCFA, GCIH, SCF
  • Area 2—Jorge Augusto Salazar Mendoza, CRISC, ABCP, CISSP, and Raul Rico Guisa, CISM, CRISC, CISSP (tie)

December

  • Area 1—German S. Constantino, Jr., CISA, CPA
  • Area 2—Felipe Barros, CRISC, and Cuauhtemoc Cazares, Sr. (tie)
  • Area 4—Stephen W. Aspenleiter, CRISC, CISSP
  • Area 5—Marhadi Salim, CISA, Indonesia CPA

CRISC Geographic Achievement Award
This award is given in recognition of achieving the second highest score in the geographic area on the June and December 2013 CRISC examinations. The award was earned by:

June

  • Area 1—Gregory Zoughbi, CISA, CISM, CGEIT, CRISC, ABCP, ITIL, PMP, TOGAF
  • Area 4—Tyler K. Sayer, CISA, CRISC, CISSP
  • Area 5—Ian Appleby, CISM, CRISC, and Diego Patricio del Hoyo, CISM, CRISC, MACS (tie)

December

  • Area 1—Vinayak Prabhakar Sawant, CISA, CISM, CRISC, and Arief Yudistia Bayuni, CISA, CRISC (tie)
  • Area 4—David L. Buxton, CRISC, Timothy M. Sternberg, CISM, CRISC, CISSP, FFSI, FLMI, and Kristin M. Harding, CISM, CRISC (tie)
  • Area 5—Craig Waterhouse, CISA, CISM, CRISC, and James Youden (tie)

