@ISACA Volume 19: 11 September 2013 

@ISACA Relevant, Timely News

New COBIT 5 Training Courses and Exams Available

Two new COBIT 5 courses and exams have been launched as part of the COBIT 5 training program: COBIT 5 Implementation and COBIT 5 Assessor. These practitioner-level, instructor-led courses are available through ISACA’s training programs, accredited training organizations (ATOs) and accredited trainers. Prior to taking these courses, you must pass the COBIT 5 Foundation exam.

The learning objectives of the COBIT 5 Implementation course include:

  • Understanding how to analyze enterprise drivers
  • Identifying implementation challenges, root causes and success factors
  • Learning how to determine and assess current process capability
  • Mastering how to scope and plan improvements
  • Recognizing potential implementation pitfalls
  • Applying the latest good practices

The learning objectives of the COBIT 5 Assessor course include understanding how to:

  • Perform a process capability assessment via the Assessor Guide: Using COBIT 5
  • Apply the COBIT 5 Process Assessment Model (PAM) in performing a process capability assessment
  • Identify and assess the roles and responsibilities in the process capability assessment process
  • Perform and assess the 7 steps outlined in the Assessor Guide
  • Use the COBIT Self-Assessment Guide: Using COBIT 5

Upon successful completion of the COBIT 5 Assessor course and exam, as well as meeting the knowledge requirements, candidates may apply to become a COBIT 5 Certified Assessor. For more information, visit the COBIT 5 Training & Accreditation page of the ISACA web site and view the full list of COBIT 5 ATOs.


Board Nominations Are Open

Nominations for the ISACA Board of Directors for the 2014-2015 term are now open. Information about serving on the board, the attributes for office (both international president and vice president) and the nomination form are available on the Board Nominations page of the ISACA web site.

Members may submit nominations for themselves, for others or both. All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Nominations for international president close on 15 October 2013; nominations for vice president close on 7 January 2014. All materials (i.e., completed candidate profile form and letter of recommendation, if required) must be received at ISACA International Headquarters by these dates. Do not wait until these deadline dates to submit the nomination form and other documentation—submit these materials as soon as possible to ensure that the committee will have all required information prior to these deadlines. Questions may be directed to nominate@isaca.org.


2008 Exam Passers: Deadline to Apply for Certification Is Approaching

Exam passers have 5 years to apply for certification once they have passed the exam. The deadline to apply for certification for those who passed a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in the Governance of Enterprise IT (GEIT) exam in 2008 is 31 December 2013. An individual is not certified and cannot use the corresponding designation until the completed application is received and approved by ISACA International Headquarters staff.

If you have any questions or need assistance in completing the application form, email certification@isaca.org.


Captain Phillips to Discuss Leadership, Management and Teamwork at North America ISRM

Captain Richard Phillips describes himself as a regular person, yet he is known for his leadership actions that were anything but ordinary after his ship, the Maersk Alabama, was hijacked by Somali pirates. Captain Phillips’ harrowing and heroic efforts to survive were matched only by his decisive actions to save his crew and ship. Captain Phillips will be sharing his story about this experience and specifically his decisions as a leader under pressure at the upcoming North America Information Security and Risk Management (ISRM) Conference.

Captain Phillips will draw parallels on leadership, management and teamwork between his experiences and comparable experiences in a typical corporate setting. Some topics that will be addressed include:

  • Finding solutions “under the gun” after breaches are made
  • Giving clear guidelines and action plans for safety and security
  • Working with a team to transcend barriers so that the team as a whole will achieve their ultimate goal

Captain Phillips will facilitate the general closing session at North America ISRM 2013. For more information, visit the North America ISRM page of the ISACA web site.


IAASB Exposure Draft Available for Comment

The International Auditing and Assurance Standards Board (IAASB) has released its exposure draft Reporting on Audited Financial Statements: Proposed New and Revised International Standards on Auditing to the public for comment. The exposure draft responds to requests from users of audited financial statements, such as investors, analysts and others, that call for auditors to provide more relevant information in the auditor’s report of audited financial statements.

The exposure draft includes a new proposed International Standard on Auditing (ISA) titled “Communicating Key Audit Matters in the Independent Auditor’s Report.” This proposed standard would require auditors of financial statements to communicate those matters that, in the auditor’s professional judgment, are significant in the audit of each financial statement. In addition, the IAASB is proposing requirements that would have auditors include specific and explicit statements about the auditor’s independence from the audited entity and would require listed entities to disclose the name of the engagement partner in the auditor’s report.

The exposure draft includes example reports that illustrate how to apply the proposed new and revised ISAs in various circumstances. Comments to the exposure draft are due by 22 November 2013.


Participate in the 2013 ISACA Member Get a Member Campaign

When ISACA grows, members benefit. More recruits mean more networking, more connections and more resources. Additionally, by participating in the Member Get a Member campaign, you can earn valuable prizes.

For each new member who credits you as their recruiter (by entering your ID number), you will be entered to win one of the available monthly prizes. Plus, if you recruit between 5 and 9 new professional members, you will receive an Apple® iPod Touch®. If you recruit at least 10 new professional members, you will receive an Apple® iPad 2®.

Who should you recruit?

  • A coworker who could benefit from COBIT
  • Colleagues interested in professional growth
  • Members of other related professional associations
  • Someone who might be interested in taking the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (GEIT) or the Certified in Risk and Information Systems Control (CRISC) exam
  • New college graduates eager for career advancement
  • Individuals from your larger network

To earn recruitment credit through the Member Get a Member program, your colleagues must enter your ISACA member ID number when joining. As an added bonus, your colleague’s new member fee (US $30 or US $10 online) will be waived when your member ID is entered during the application process.

Start recruiting new members today—the more members you recruit, the more you will be rewarded. More information can be found online on the Member Get a Member page of the ISACA web site. Direct questions or inquiries to mgam@isaca.org. Rules and restrictions apply and can be found at Member Get a Member Participation Rules.


Managing the Risk Factors of Physical and Information Security
By Lisa Young, CISA, CISM

Organizations are increasingly integrating physical assets and information security to reduce costs and make better use of technology investments. Reducing the gap between protecting physical assets and the intangible information assets that reside on physical assets is a smart business practice; however, many organizations are not fully aware of the risk to the business when the gap between physical and logical security is inadequately managed. The following are several questions to ask and tips to consider when managing disparate physical and logical security efforts:

  1. Have you inventoried the physical security systems in your organization? In a recent visit to a hospital to review its physical security audit, it was noted that the IT security department had approximately 150 cameras under its control and integrated into the network infrastructure. Upon further inspection and questioning, it was discovered that there were more than 250 cameras—all on different platforms and serviced by different vendors—that were not readily available to the physical security staff for end-to-end surveillance. Most of the additional cameras were showing up as unidentified network or wireless devices from the point of view of the IT security staff, making their job more difficult.
  2. Do you view physical and logical security events as separate? Would the information security incident response team receive an alert when an unauthorized person enters the data center, or does the alert come only after there is unauthorized network access? When physical and logical events are observed together, a more complete picture of the real threat is presented.
  3. What about business continuity and disaster recovery? Have you identified the physical security systems that need to be included in the response and recovery plans? This is especially important if the physical security systems are outside of the direct control of the organization, for example, if you are a tenant in a multitenant building and there is a common badging system for the building.
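As an added example (not part of the article), the kind of correlation described in item 2: badge-reader events from data center doors are matched against console logons on data center hosts, and a logon with no matching badge entry, or one that follows a denied badge swipe, is raised as an alert. The log formats, door names, host names, users and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the article).
# Badge log: timestamp, door, user, outcome.
BADGE_LOG = """2013-09-10T08:02:11 DC-EAST-DOOR alice GRANTED
2013-09-10T08:40:05 DC-EAST-DOOR bob DENIED
2013-09-10T09:15:30 LOBBY carol GRANTED"""

# Host logon log: timestamp, host, user, logon type.
LOGON_LOG = """2013-09-10T08:05:42 dc-kvm-01 alice CONSOLE
2013-09-10T08:44:19 dc-kvm-02 bob CONSOLE
2013-09-10T09:20:00 dc-kvm-01 carol CONSOLE
2013-09-10T09:25:00 vpn-gw-01 carol REMOTE"""

DATA_CENTER_DOORS = {"DC-EAST-DOOR"}      # assumed door identifiers
DATA_CENTER_HOSTS = {"dc-kvm-01", "dc-kvm-02"}  # assumed hosts inside the room
WINDOW = timedelta(minutes=30)             # assumed max time from door to console


def parse(log):
    """Parse 'timestamp location user outcome' lines into tuples."""
    events = []
    for line in log.splitlines():
        ts, location, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), location, user, outcome))
    return events


def correlate(badge_log, logon_log):
    """Return (user, host, reason) for console logons on data center hosts
    that are not preceded by a granted badge entry at a data center door."""
    door_events = [e for e in parse(badge_log) if e[1] in DATA_CENTER_DOORS]
    alerts = []
    for ts, host, user, kind in parse(logon_log):
        if host not in DATA_CENTER_HOSTS or kind != "CONSOLE":
            continue  # only local console sessions imply physical presence
        recent = [e for e in door_events
                  if e[2] == user and ts - WINDOW <= e[0] <= ts]
        if any(e[3] == "GRANTED" for e in recent):
            continue  # physical and logical access agree
        reason = ("console logon after badge denied" if recent
                  else "console logon with no badge entry")
        alerts.append((user, host, reason))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, LOGON_LOG):
        print(alert)
```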

Unified security awareness training provides benefits to the organization and reinforces the message that both physical and information security are everyone’s responsibility. Many organizations have a strong safety culture. Leveraging the culture of safety to enhance information security can be a win-win for the organization.

Convergence of physical and information systems management may be a worthwhile endeavor, but getting there is not easy. The adoption of integrated technology provides an opportunity to begin converging physical and information security, but to achieve a more complete risk management view, convergence must extend beyond technology to include people and training.

For additional information on this topic visit the Business Model for Information Security (BMIS) page of ISACA’s web site. Additional content related to physical and information systems is available in the ISACA Bookstore and the Knowledge Center.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that developed the Risk IT publications.


Introducing COBIT 5 for Risk at Latin America CACS

Jose Angel Pena Ibarra, CGEIT, CRISC, and Salomon Rico, CISA, CISM, CGEIT, will facilitate a workshop on COBIT 5 for Risk at the Latin America Computer Audit, Control and Security (CACS) and Information Security and Risk Management (ISRM) Conference in Medellin, Colombia. This 2-day workshop will take place on Saturday and Sunday, 28-29 September 2013—just before the conference.

This interactive workshop offers valuable knowledge for all professionals involved in information risk. It offers an information risk view of COBIT 5 that takes into account the most pressing business issues today. COBIT 5 for Risk is the new risk-focused equivalent of the COBIT 5 for Information Security publication within the COBIT 5 family of products.

Workshop attendees will:

  • Learn best practices and benchmarks for managing risk related to IT
  • Acquire tools and concepts through practical exercises that improve IT risk management
  • Review concepts required to implement ISACA’s new guidance in COBIT 5 for Risk

Learn more and register on the Latin America CACS/ISRM page of the ISACA web site.

