@ISACA Volume 17: 17 August 2011 

@ISACA Relevant, Timely News

COBIT 5 Public Exposure Extended to September—Members Strongly Urged to Comment

Act now to take advantage of a great—and rare—opportunity to have your voice heard, contribute to the profession and earn up to 10 free continuing professional education (CPE) hours! Two COBIT® 5 documents are available for public comment. The deadline for comments has been extended to 18 September 2011 so that we can incorporate feedback from as many professionals as possible.

Reviewing the exposure drafts will also put you a step ahead when COBIT 5 is released. As one COBIT® trainer and lecturer explains, “I have to be well prepared to provide my trainees with accurate information on the new or changed approach to IT governance found in COBIT 5—what better way to find out than to look at specific processes or problems and compare what is in COBIT® 4.1 with what will be in COBIT 5?”

Your comments are critical. They will help ensure that COBIT 5 represents what professionals truly need and value, and they help ISACA® validate the quality and acceptability of the COBIT 5 development work, which is crucial to its position as a generally accepted reference source.

In addition, your participation is a great way to contribute to the ISACA community. According to one Certified Information Systems Manager® (CISM®), “Often, the opportunity to participate as a volunteer committee member does not arise, so reviewing standards or certification questions provides a vehicle for satisfying the desire to give back.” All levels of participation are encouraged and welcome—you can choose to comment on all or specific parts of the draft documents.

To comment, download COBIT® 5: The Framework Exposure Draft and COBIT® 5: Process Reference Guide Exposure Draft on the COBIT 5 Exposure page of the ISACA web site. After reviewing the documents, use the questionnaire on the same web page to provide feedback. To add more details, please use the feedback form that is also on that web page.

Thank you for your participation in this important and valuable opportunity! To learn more about applying your time spent on this toward CPE credits, please see the CISA, CISM, CGEIT or CRISC CPE policy page of the ISACA web site.


Tips to Manage Innovation Risk
By Victor Chapela

Information security practices have become an innovation inhibitor in many companies. We all know that the main purpose of security should be to reduce risk. Innovation, on the other hand, is often regarded as the exact opposite of security because it increases risk for the organization. Therefore, the combination of the two, innovation within security, is considered dangerous.

Over the past couple of years, I have been involved in some astonishing business process and technological innovations that have required a fundamental change in the way I think about and implement security controls. The result has been that security in those companies has started to become the main differentiator, by assuming more risk and finding new ways to back up business needs. This has convinced me of the extraordinary opportunity for security areas around the world as agents of change.

The following are seven tips for managing innovation risk:

  1. At the very least, security and risk managers should try not to obstruct innovation that does not pose a life-threatening risk to the organization.
  2. Even though proper risk management may help organizations prevail, it normally leaves out “adaptation” risks that, when taken into consideration, allow organizations to be better prepared for changes in the external competitive environment.
  3. An organization has to be able to adapt quickly to future disruptive changes in the environment. Innovation is the equivalent of mutations within the evolution of a species; in the same way, enterprises must continuously test new options.
  4. Innovating at the same time in different directions could prove harmful or even fatal. Too many simultaneous and unrelated changes lead to a less-adapted position.
  5. Disruptive innovation should be focused on developing and enhancing our competitive advantages. It is much more probable that we will succeed from innovating within our strengths. Innovating in other less-strategic aspects of our business will distract resources, and even if proven successful, they may not materialize in a long-term survival advantage.
  6. A very good mechanism by which to innovate is coevolution. In this process, two or more organizations work together by focusing on enhancing each of their competitive advantages. This allows more complex innovations with less risk for the partnership. This approach works well when small and fast companies partner with large and solid organizations. A good rule of thumb is that the target markets for the partnering organizations should not overlap, or the collaboration will eventually fail.
  7. Digital risk managers are growing to be one of the most important strategic decision makers in an organization. Security innovation is an opportunity for organizations and professionals willing to think differently.

For additional guidance on risk, please visit the Risk IT page of the ISACA® web site.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services and a frequent speaker at ISACA conferences around the world. Chapela and coauthor Santiago Moral are currently writing RiskVolution, a book on the evolution of risk.


10,000 Earn the CRISC Certification

The newest certification from ISACA®, Certified in Risk and Information Systems Control™ (CRISC™), reached a milestone in the month of June when the 10,000th professional was certified. The opportunity to earn the certification under the rigorous grandfathering provision began 1 April 2010 and ended 30 June 2011, and more than 16,000 applications were received during that period. The grandfathering program allowed IT professionals who have significant experience with risk identification, assessment and evaluation; risk response; risk monitoring; information systems (IS) control design and implementation; and IS control monitoring and maintenance to earn the CRISC credential without taking the exam.

With the grandfathering period now closed, individuals wishing to become CRISC-certified are required to pass the CRISC exam, which will next be held on 10 December 2011. To learn more about this certification, including exam information, please visit the CRISC page of the ISACA web site.


Cloud Computing and Data Analytics Among Topics of Latest ISACA Research Releases

ISACA® has recently released:

  • IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud—This book does for cloud computing what the ISACA best seller IT Control Objectives for Sarbanes-Oxley did for US Sarbanes-Oxley Act compliance. It examines assurance in the cloud, with a focus on controls and countermeasures that can be used in the cloud. The publication examines how using the cloud can provide value and provides references to COBIT®. The entire publication is available for complimentary download by members on the Recent Research Deliverables page of the ISACA web site, where you can also find a publicly available PDF of chapters one and two of the publication. In addition, this and other guidance related to cloud computing are available for purchase in their complete form in the ISACA Bookstore.
  • Data Analytics—A Practical Approach—Data analytics (DA) is the science of examining raw data with the purpose of drawing conclusions about that information. DA is used in many industries to allow enterprises to make better business decisions and is used in the sciences to verify or disprove existing models or theories. This white paper helps readers understand the next generation of tools and techniques for providing analytics and insights to management based on data that already exist within the enterprise. Much of the analysis can be predictive based on data inference, as addressed by the white paper. The publication provides practical guidance for people who deal with data analysis and have to ensure the confidentiality, availability and integrity of the data. This and other white papers are available as complimentary PDFs on the White Papers page of the ISACA web site.
  • Microsoft® SQL Server® Database Audit/Assurance Program—This and other audit/assurance programs are available on the Audit Programs page of the ISACA web site as complimentary PDFs for ISACA members.

Learn more about ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.
