@ISACA Volume 16: 3 August 2011 

@ISACA Relevant, Timely News

CISA, CISM and CGEIT Certifications Achieve ISO 17024/ANSI Accreditation

ISACA® has once again achieved ISO 17024/American National Standards Institute (ANSI) accreditation for the Certified Information Systems Auditor® (CISA®) and Certified Information Security Manager® (CISM®) certifications and, for the first time, the Certified in the Governance of Enterprise IT® (CGEIT®) certification. ISO 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements.

This accreditation signifies that ISACA’s procedures meet the international standard’s essential requirements for openness, balance, consensus and due process. To maintain accreditation, certification bodies, such as ISACA, are required to adhere consistently to a set of requirements or procedures related to quality, openness and due process. Recognitions such as this speak to the integrity of ISACA’s certifications and bring further acknowledgement of the certifications globally.

Learn more about ISACA’s certifications on the CISA, CISM, CGEIT and CRISC™ pages of the ISACA web site.


What to Consider When Evaluating Cloud Computing
By Lisa Young, CISA, CISM

The Cloud Security Alliance and the US National Institute of Standards and Technology define cloud computing as a model for enabling convenient, on-demand access to a shared pool of computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly established and released with minimal interaction from either the organization or the service provider. Another way to view cloud services is as a public utility. Organizations subscribe to a pay-as-you-go model for things like electricity or water, and they now have the option of paying for IT software, security and network services on a consumption basis.

Cloud computing, as a “new” initiative, may also bring the potential for increased risk to the organization; therefore, organizations must choose a provider wisely. Considerations when evaluating cloud computing include the following:

  • When choosing a cloud service provider, consider the reputation, history, availability and sustainability of its service offerings. Sustainability is of particular importance to ensure that services will be available when needed and that data can be tracked and located easily.
  • Access to sensitive information by the service provider creates a risk of compromise to confidential information, intellectual property and trade secrets. Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, modification and destruction.
  • Be sure to understand who owns the information vs. the applications. Service providers usually are the owners of the application and act as the custodians of organizations’ data. This is an especially important consideration in the Software as a Service (SaaS) model.
  • The dynamic nature of cloud computing may result in uncertainty as to where the information actually resides. This may be important for e-discovery practices, jurisdiction issues, compliance to regulations and laws in different geographic regions, and liability.
  • Make sure to obtain proper legal advice to ensure that the contract specifies the areas in which the cloud service provider is responsible and liable for ramifications arising from potential issues.
  • Know who is responsible for security. Ensure that you have established your security requirements and that those requirements are specified in the contract with the provider. Remember, the service provider is the custodian of the data and is obligated to follow the requirements specified by the organization as spelled out in the contract. If a service provider cannot meet the desired security requirements, these unmet requirements must be tracked as risks to the organization.
  • Structuring a detailed and complete service level agreement that includes specific rights to audit will assist the organization in managing its data as they are transported, stored or processed in the cloud. Cloud computing service providers will need to provide their customers assurance that they are doing the “right” things with the required level of transparency to inspire trust and confidence.

Cloud computing has many service models, deployment models and essential characteristics that are not covered in this article. The following publications related to cloud computing are available from ISACA®: IT Control Objectives for Cloud Computing; Audit/Assurance Program: Cloud Computing Management; and Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. In addition, ISACA offers the Cloud Computing Group in the Knowledge Center and further guidance on the Cloud Computing page of the ISACA web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT: Based on COBIT® publications.


Cloud Computing Among Key Topics at Upcoming Latin America Conferences
Latin America CACS • 3-5 October 2011 • Latin America ISRM Conference • 5-6 October 2011 • San Juan, Puerto Rico

Traditionally, the ISACA® Latin America Computer Audit, Control and Security (CACS℠) and Information Security and Risk Management (ISRM) conferences have offered comprehensive coverage of the most important trends and issues relevant to audit and control, risk, governance, and information security professionals, but professionals in these disciplines have had to travel to both conferences at different times of the year to benefit from the combined curriculums. This year, for the first time, these two important conferences are scheduled back to back in the same venue, offering those who wish to attend a substantial savings in time and travel costs. As an added benefit to those who choose to attend both conferences, ISACA is offering a single discounted registration fee.

The sequence and colocation of these two conferences provide a unique opportunity for a cross-discipline learning and networking experience. Whether you are an IT auditor or looking to learn more about information security, or a security professional seeking a greater understanding of risk management and IT governance, this is a tremendous opportunity to gain insight and knowledge in these related disciplines.

Held 3-5 October 2011, the Latin America CACS conference will address a broad spectrum of topics pertaining to IT governance, IT audit, information security and risk management. Individuals who attend will have the opportunity to select topics across these four domains to build a program that best meets their professional interests and goals. Those who have recently obtained, or who are in the process of earning, their Certified in Risk and Information Systems Control™ (CRISC™) certification will find this event uniquely suited to their needs.

The Latin America ISRM Conference, held 5-6 October 2011, will focus on current trends and challenges that face information security professionals from both practitioner and management perspectives. This event is for all information security and IT professionals seeking to increase their knowledge in this field. Individuals who are preparing for the Certified Information Security Manager® (CISM®) designation will find this conference especially helpful.

The keynote speakers of both events will address important, but very different, aspects of cloud computing. At Latin America CACS, Erie Perez, chief technical officer (CTO) of FirstBank, will address the value behind the cloud model, its evolution and where cloud computing is predicted to go from here. Perez will also identify the optimal business model and strategic approaches to minimize the risk of adopting cloud services. Julio Cesar Ardita, CISM, technology director of CYBSEC, will speak at ISRM regarding the secure implementation and management of virtualized systems from the desktop to the cloud.

Held 3-6 October 2011 at the Caribe Hilton in the beautiful city of San Juan, Puerto Rico, both conferences allow professionals in the fields of IT audit, control, risk, governance and information security to network and learn with their peers from throughout Latin America. Visit the Latin America CACS and Latin America ISRM pages of the ISACA web site for more details. ¡Nos vemos allí!


What Is the Current State of Continuous Auditing/Continuous Monitoring?
Your Input Is Needed for a New Academic Research Survey

Although there is widespread recognition of the potential for continuous auditing (CA)/continuous monitoring (CM) to provide stronger overall control and assurance, questions remain about whether CA/CM is practical for most organizations.

You are invited to participate in a survey to help with a research project aimed at understanding the adoption and benefits of CA/CM. By participating, you will receive valuable insights for your own organization. A summary of the results will be available to you upon your request. In addition, the researchers, Elaine Mauldin, Ph.D., an ISACA academic advocate from the University of Missouri (USA), and Adi Masli, an assistant professor from the University of Kansas (USA), have agreed to write an article for the ISACA® Journal and to offer a webinar or conference presentation on the results of the study.

The researchers are seeking internal auditors or IT managers in organizations that file financial statements with the US Securities and Exchange Commission to complete a brief survey. If you meet these requirements, please complete the survey (whether or not your organization currently uses CA/CM) by 6 September 2011. A link to the survey can be found on the Academic Research page of the ISACA web site.
