@ISACA Volume 18: 28 August 2013 

@ISACA Relevant, Timely News

Why, When and How to Migrate to COBIT 5
By Sudarsan Jayaraman, CISA, CISM, COBIT (F), BS 25999 LA, ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA

With the release of COBIT 5, a new evolution in the thinking process of managing and governing IT has taken shape. The first question to answer is whether organizations that have invested in the implementation of the earlier versions of COBIT should migrate to COBIT 5. If yes, the question becomes: Why, when and how does an organization migrate to the new framework?

Migrating to COBIT 5 is not the same as migration of software or hardware or a platform. Instead, this should be considered as a transition of the way work is done to meet the requirements of stakeholders. That said, was this not being done in the earlier versions of COBIT? That is, how different is COBIT 5 from COBIT 4.1 and what are the benefits an organization can realize from this new release?

In brief, the key benefits of COBIT 5 for enterprises can be summarized as follows:

  • Aligning business and IT more closely by taking into account the stakeholder needs as the starting point. This provides more business focus with due consideration of internal and external stakeholders’ needs.
  • Introducing the 7 enablers as a more efficient and effective way of using resources to meet business requirements
  • Showing the entire organization as responsible for governance of IT through the holistic inclusion of enhanced role descriptions in the responsible, accountable, consulted and informed (RACI) chart
  • Helping the organization to understand business perspectives more clearly by mapping the goals and objectives to a business scorecard model

Thus, for organizations that have implemented COBIT 4.1, migrating to COBIT 5 is a natural process of progression under which the organization will extend its coverage of IT governance to an enterprisewide governance initiative.

Read more on why, when and how to migrate to COBIT 5 in the full article in the latest issue of COBIT Focus, volume 3, in which you will also find COBIT case studies and the latest news on COBIT 5.


ISACA Supports European and US Cybersecurity Awareness

ISACA is supporting both the European Cyber Security Month (ECSM) as an event partner and the US National Cyber Security Awareness Month (NCSAM) this October. ISACA plans to offer blogs and point to ISACA webinars and local chapter events that are focused on cybersecurity and held during the month of October to support and create awareness of ECSM and NCSAM. ISACA will publish a research publication on advanced persistent threats (APTs) in October.

ECSM is a European Union (EU) awareness campaign that aims to promote cybersecurity among citizens to help change their perception of cyberthreats and provide up-to-date security information through education and sharing good practices. In addition, ISACA chapters and members in EU member states are encouraged to participate as well. For example, the ISACA Latvia Chapter is also supporting ECSM as a partner.

Now in its 10th year, NCSAM was created as a collaborative effort between government and industry to promote cybersecurity among all American citizens and build awareness about the need to stay safe and secure online—through education and sharing good practices. ISACA encourages its chapters and members in the US to participate as well.

Under the leadership of the US Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-size businesses, corporations, educational institutions, and young people across the nation.

Visit the Cybersecurity Guidance page of the ISACA web site to learn more about ISACA’s contributions to this topic.


The 3 Lines of Defense: Bad Lenses in Good Frames

It is fashionable among consultancy firms to advocate for the 3-lines-of-defense approach when allocating risk management responsibilities. For those unfamiliar with this approach, it assigns risk tasks to front-line management, control tasks to the risk and control functions (financial controls, risk management, information security) and assurance tasks to internal audit. This notion is not new; a 2009 paper by KPMG outlines these 3 roles and a more recent position paper by The Institute of Internal Auditors (IIA) echoes the same points. The 3-lines-of-defense approach, like a bad pair of lenses in a fashionable pair of frames, looks good in theory but can fall short in practical application.

Dutch author Bernard de Mandeville offers a succinct demonstration of the benefit of division of labor in his 1705 work The Fable of the Bees:

But if one will wholly apply himself to the making of Bows and Arrows, whilst another provides Food...they not only become useful to one another, but...will in the same Number of Years receive much greater Improvements, than if all had been promiscuously followed by everyone.

The trouble with the 3-lines-of-defense approach is that much of the actual risk work is delegated to the first line, which arguably has the least amount of risk and control education and experience to warrant the responsibility. Members of this line have spent their careers becoming the best accounting, insurance, business, sales or marketing professionals possible. They are not security experts. Security professionals need to own the risk work for them and help them understand the risk—not delegate the risk work to them.

It is critical to give the front line the information it needs to make well-informed decisions. It is wholly irresponsible for the well-educated, well-trained and well-seasoned risk and control functions (information security or otherwise) to ask the equally well-everything business professional to do their jobs for them. Specifically, this means that the 2nd line of defense has to own the risk assessment and control evaluation work, as this technical specialty can be competently completed only by those with the appropriate specialization. To embrace and successfully implement the 3-lines-of-defense approach, it is critical to make sure that you own success over the things you can control, and that you do not hang the 1st line of defense out to dry.

Jack Freund, Ph.D., CISA, CISM, CRISC, CIPP, CISSP, PMP, manages a team of IT risk analysts for TIAA-CREF and chairs ISACA’s CRISC Test Enhancement Subcommittee.


Combating Privacy and Confidentiality Issues Using CISA Certification
Patrick Lynch, CISA, CISM, CGEIT, CRISC, Central New York (USA) Chapter, Shares His Experience as a CISA

Patrick Lynch pursued the Certified Information Systems Auditor (CISA) designation because of his desire to demonstrate that he possesses a recognized benchmark of knowledge. As president of Palatech Partners, Lynch follows standards and practices that help to validate his qualifications in the IT audit field. “Whether I am competing with other firms or individuals, my CISA certification proves to a gatekeeper or decision maker that I have the requisite knowledge and a commitment to my career. The CISA certification is certainly a differentiator between equally experienced candidates.”

From a professional and educational standpoint, Lynch faces many challenges. “The biggest challenges that I face today revolve around privacy issues across borders and risk to confidentiality, integrity and availability of customer data. My CISA certification gives me a solid platform to utilize frameworks to ensure that controls are present for secure development and operations of business initiatives and to protect information assets.” Lynch further explains, “As I went through my career, I prepared myself for CISA certification and the subsequent continuing professional education (CPE) that I needed. I was exposed to new material and techniques, thus enhancing skills that would allow me to provide greater value to clients.

“Achieving the CISA designation sent me on a path of continuous improvement; being a CISA opened networking opportunities to establish both business contacts and friends in the field from all over the globe. My certification helped me to gain the confidence of organizations that I serve and it has certainly opened doors that would have remained closed.”

To learn more about CISA and other ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Introduction to Healthcare Information Technology
Reviewed by Dauda Sule, CISA

Introduction to Healthcare Information Technology, published by Course Technology—Cengage Learning, is based on CompTIA’s Healthcare IT Technician (HIT) exam objectives and framework. This book helps the reader to prepare for the CompTIA HIT certificate exam and gives detailed information on health care IT concerning regulatory requirements, functions of health care organizations, and medical business operations in light of hardware, software, security and networking.

Beyond preparing for the CompTIA HIT exam, Introduction to Healthcare Information Technology also offers benefits to anyone in the field of health care and health care IT, including IT professionals. For health care operators, for example, it can act as a guide to help them carry out their operations properly (particularly when use of IT and IT resources is required) and comply with regulatory requirements. This book offers value to anyone who wants to start a career in the developing field of health care IT.

The book’s language is simple and easy to comprehend. Introducing readers to health care laws and regulations such as the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), it provides a glossary of key terms at the end of each chapter.

The book begins with an introduction to health care IT and culminates in coverage of advanced health care information security. The book opens with a hypothetical scenario involving a health care company and uses this scenario for practical exercises at the end of each chapter. In addition, each chapter ends with 20 review questions, as well as case projects to assist readers in testing and assessing their understanding of the content and preparing for the certificate exam. The appendices also give a range of beneficial information that includes the certificate exam objectives, a guide to online resources pertaining to health care IT and health care IT acronyms. An access code is provided to install and register CertBlaster test preparation resources that simulate the CompTIA HIT exam.

While the laws and regulations mentioned in the book pertain to the US, the concepts can be easily adapted to laws in other jurisdictions.

Dauda Sule, CISA, is a marketing manager at Audit Associates Ltd., a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. Sule previously worked in the Nigerian banking industry and was a systems security and assurance supervisor.


An Innovator’s Look Into the Future of Information Security

Every day more boundaries between enterprises and people dissolve and everything becomes connected. Network infrastructures have become a lever for commercial successes and failures, replete with a battleground of criminals, soldiers and spies. How does the smart IT professional embrace these new risk factors (and opportunities) without risking intellectual assets and without some guidance?

As the keynote speaker at the European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) Conference 2013, David Lacey, who has more than 25 years of experience directing information security for leading organizations ranging from the British Foreign Office to the Royal Mail, will discuss underlying trends behind this paradigm shift and the new doctrine for cybersecurity that focuses on speed, intelligence and action. Lacey is an independent researcher, consultant and author of the books Managing the Human Factor for Information Security, Managing Security in Outsourced and Offshored Environments and Business Continuity Management for Small and Medium Sized Companies.

Following his presentation, Lacey will be joined on stage for a special Q&A session with industry leaders Ramses Gallego, CISM, CGEIT, security strategist and evangelist at Dell Software and international vice president of ISACA; Yves LeRoux, CISM, technology strategist at CA Technologies; and Rolf von Roessing, CISA, CISM, CGEIT, president at FORFA, AG. Do not miss these and more industry experts as they share their insights into today’s most relevant assurance, risk management, information security and governance topics. EuroCACS/ISRM 2013 will take place on 16-18 September at the Hilton Metropole in London, England.

For more information, visit the EuroCACS/ISRM web page of the ISACA web site.


How to Report Continuing Professional Education Hours

The goal of the continuing professional education (CPE) policy for the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certifications is to ensure that those holding the certification maintain an adequate level of current knowledge and proficiency. To maintain their ISACA certification, individuals must attain and report a minimum of 20 CPE hours annually and a minimum of 120 CPE hours over their 3-year reporting period.

To assist certified individuals with tracking their CPE hours, ISACA’s new CPE reporting system gives options of how to enter CPE hours. CPE hours may be entered as a single total representing all of the CPE hours earned throughout the cycle year, or they may be entered as individual records for each CPE activity. To report CPE hours, log in to your My Certifications web page on ISACA’s web site.

ISACA encourages all certified individuals to enter CPE hours as they are earned for ease in tracking and to avoid an end-of-the-year rush to submit hours. Please review additional information on the new CPE reporting system, such as a tutorial and frequently asked questions.

If you need additional assistance or have questions or comments about the CPE reporting system, please contact certification@isaca.org. To learn more about the CPE requirements for certification, visit the CISA, CISM, CGEIT or CRISC CPE policy page of the ISACA® web site.
