New IS Audit and Assurance Standards Released
Developing IS audit and assurance standards and making them available to professionals worldwide is a major undertaking for ISACA, and it is a significant part of ISACA’s professional contribution to the audit community. These standards define mandatory requirements for IS auditing and reporting. New guidelines, which support the standards, are being updated.
ITAF™: A Professional Practices Framework for IS Audit/Assurance, 2nd Edition, contains the new IS audit and assurance standards that will become effective 1 November 2013, at which time the previous standards will be withdrawn. The standards are mandatory in all cases for ISACA members and Certified Information Systems Auditors (CISAs). Any deviations must be addressed prior to completion of the IS audit or assurance engagement. The current IS audit and assurance guidelines are included in ITAF, 2nd Edition. The guidelines are also being updated and the exposure period for the new guidelines is scheduled for later this year.
ISACA CEO Retiring
ISACA CEO Susan M. Caldwell is retiring, effective 30 September 2013. Caldwell’s 21-year tenure with the association has encompassed numerous changes and significant growth worldwide. “I am grateful to have had the opportunity to work with so many committed and engaged members over the years. The chapter officers provide extraordinary leadership at the all-important local level—the level where things happen, ideas are formed and networks are built,” Susan noted recently. “ISACA members are second to none in their unwavering support of the association’s value proposition through their contributions, their expertise and their collaborative spirit.”
A search committee is being formed and a search firm will be used to help identify candidates for the CEO position.
New COBIT 5-related Publication Available
ISACA has issued Transforming Cybersecurity: Using COBIT 5, which provides guidance on integrating cybersecurity with COBIT 5. This publication is part of a series focusing on cybersecurity and complements the recent ISACA publication Responding to Targeted Cyberattacks by integrating cybersecurity and the COBIT 5 product family. Transforming Cybersecurity provides a step-by-step guideline for addressing detailed cybersecurity issues and applying the relevant parts of COBIT 5.
Information on current research projects is posted on the Current Projects page of the ISACA web site.
5 Key Elements of an Information Risk Profile
By John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP
An information risk profile (IRP) documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable, thus defining its information risk appetite. An effective IRP is developed collaboratively with numerous stakeholders throughout the organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and information risk management and security (IRMS). With this guidance, all of the individuals and organizations that are charged with IRMS responsibilities have a clear and concise understanding of how to align their activities with the expectations of the business and its leadership. At the same time, the business and its leadership no longer have to wonder if they are over- or underinvesting in their IRMS activities and capabilities. With an IRP, these individuals can provide clear guidance about their expectations to the IRMS elements of their organization and can map their IRMS investments and activities to this profile. This ensures IRMS alignment with business expectations and that the organization is achieving an acceptable measure of due care for its information and data assets. While there are many factors that should be evaluated during the development of an IRP, the following 5 elements are key:
- Establish a definition for due care of information within your organization. When applied to IRMS, the concept of due care is often considered a technical compliance consideration and standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the National Institute of Standards and Technology (NIST) guidelines are often referenced. While these standards can be effective at providing broad guidance, an organization must develop its own definition of due care and its own ability to implement and maintain capabilities to support this view. This definition becomes one of the key baseline data points for IRMS-related decisions and investment plans.
- Identify critical business processes and capabilities. Organizations often have numerous business processes and limited resources and bandwidth to protect them. An easy but often overlooked high-quality source for a listing of the critical processes and capabilities—those that, if impacted negatively, could cause a material impact to the operations or effectiveness of an organization—are the organization’s business continuity and disaster recovery plans. These plans typically identify not only the critical business processes, but also rank their level of importance to the organization. The plans also provide valuable insights into the recovery time and recovery point objectives that are often considered in both information and enterprise risk calculations.
- Define information risk levels and categories. Information risk levels provide a scale to represent the level of material business impact that would result if an information risk were to be realized. The categories help define the type and extent of impact that would likely take place if a successful exploitation were to occur. To be useful, the levels and categories should be simple and easily understood. One effective method is to follow a scale of high, medium and low for the levels, while the categories can align with the confidentiality, integrity and availability (CIA) triad commonly used in IRMS.
- Include material business impact considerations and guidelines. In the IRP, the material business impact considerations identify the impact an incident or loss will have in terms that are easily understood and recognized by the organization. These considerations should span a number of categories including financial, productivity, availability, reputation, compliance, partner and supply chain, and customer.
- Recognize key information risk and mitigation capabilities. It is important for business leaders and stakeholders, as well as IRMS professionals, to have an honest and accurate view of the key and material information threats and vulnerabilities, as well as the protective and mitigating controls that exist or are readily available to defend against them. Together, these provide an accurate understanding of the resulting risk to the information infrastructure and data assets. Since this information changes and evolves over time, the analysis should be revisited and updated at a minimum as part of an annual IRP update cycle, or sooner when business conditions or threat intelligence warrant.
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
APEP Privacy Award Presented to ISACA
ISACA is honored to accept the Asociacion Profesional Espanola de Privacidad (APEP) (Spanish Privacy Professionals’ Association) 2013 Privacy Award. The award was presented at APEP’s 2nd National Congress in Madrid, Spain, in June. ISACA International Vice President Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, accepted the award on ISACA’s behalf.
APEP issued this award to ISACA “because of the association’s global efforts to promote a culture of security, trust, reliability and privacy,” said APEP President D. Ricard Martinez. In 2013, ISACA established a Data Privacy Task Force and was a champion of Data Privacy Day. ISACA chapters in Spain are also working with APEP on various initiatives that are applicable to risk, security, data protection and privacy.
To learn more about ISACA’s work in this area, please visit the Privacy/Data Protection community in the Knowledge Center.
Book Review: Information Security Governance Simplified
Reviewed by Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS
A recent Ernst & Young study of information technology trends warns that megatrends will affect some of the risk categories that arise from the role IT plays in enterprises. Cloud computing, the persistence of cybercrime and malware on mobile devices (among others) are global realities that organizations should consider.
With this in mind, 2 of the risk categories most affected are information security and privacy—components that cut across the reputation of enterprises and affect operations. These risk categories constitute the first line of defense.
Information Security Governance Simplified helps readers understand information security governance from an executive’s perspective and covers the natural steps required to understand the challenges faced by information security executives. This includes defining the organization required for the function, speaking the language of the executive board, understanding security and control compliance frameworks, designing effective communication strategies, providing attention to IT audit visits, and understanding the relationship between information security and legal aspects.
A source of ideas and insights relevant to information security specialists, IT auditors and IT governance professionals, Information Security Governance Simplified offers alternatives and recommendations to enhance the practice of information security governance.
Information Security Governance Simplified is available from the ISACA Bookstore. For more information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Jeimy J. Cano M., Ph.D., COBIT (F), CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Colombia. He has been a practitioner and researcher in information and computer security, digital evidence and in computer forensics for more than 17 years in different industries. Cano is a member of the ISACA Publications Subcommittee.