@ISACA Volume 19: 14 September 2011 

@ISACA Relevant, Timely News

Board of Directors Nominations Now Open!

Nominations for the ISACA® 2012-13 Board of Directors are now open. Information about serving on the board, the attributes for office (both international president and vice president) and the nomination form itself are available on the Volunteering page of the ISACA web site.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged, and all candidates will be required to complete a candidate profile form that serves to confirm the candidate’s willingness to serve, if selected, and provides the Nominating Committee information on which to evaluate the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member. Information on candidates will also be gathered in other ways, including review of public web sites (e.g., Google, Facebook, LinkedIn) and candidate interviews.

Nominations for international president close on 31 October 2011, and nominations for vice president close on 9 January 2012. These are the dates by which all materials (i.e., completed candidate profile form and letter of recommendation, if required) must be received at ISACA International Headquarters, so please do not wait until that date to submit the nomination. Questions may be directed to nominate@isaca.org.


Ideal Attributes for Forensics Investigators
By Leighton Johnson, CISA, CISM, CIFI, CISSP

To select and then manage investigators for a forensics team effectively, you must apply selection criteria that go beyond a person’s formal education and technical background. To be effective team members, individuals need to possess 6 basic attributes. Team members must be:

  1. Logical—The events investigated will span a wide range of technologies, operating systems, storage devices and locations, as well as many other parameters, all of which team members need to be aware of and examine for potential evidence. Logical investigative skills play a large part in the gathering and analysis of relevant evidence.
  2. Thorough—The wide scope of the types of investigations and examinations that can be performed by the forensics investigator requires a complete and thorough evaluation of all potential evidence gathered for relevance and applicability to the case.
  3. Objective—The actual facts of the case being examined are the primary criteria for evidence gathering and inclusion in the case. Extraneous events, opinions and beliefs should not be indicators of what the evidence is producing as the result of the investigation. As the saying goes, “Let the evidence lead you where it may.”
  4. Observant—The wide range of computing devices and models in use today requires that investigators be open to all possibilities and observe and examine every potential piece of evidence for applicability.
  5. Resourceful—Given the current computing environment available to criminals and the large number of devices and software packages used, investigators are often confronted with new methods, techniques and uses for these packages and must possess analytical skills to determine the size, location or some other pertinent fact about the evidence under examination.
  6. Accurate—Above all else, forensics team members must be accurate in their analysis and examination activities. The result of these evaluations is often used in legal proceedings, and the accuracy of the reports produced often determines the outcome of the case.

Whether individual forensics team members possess these attributes can often determine the effectiveness and efficiency of the team as a unit and must be considered when appointing new team members or evaluating current members.

For more information on IT forensics, see “The Relevance of IT in Criminal Investigations” by Haris Hamidovic, CIA, ISMS IA, IT Project+, ITIL, in volume 1, 2011, of the ISACA® Journal. In addition, see the following guidance available from ISACA®: Business Model for Information Security™ (BMIS™), Cybercrime: Incident Response and Digital Forensics Services Project, and Information Systems Auditing Guideline 28: Computer Forensics.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


COBIT Misconceptions and Facts

While the exposure period of COBIT® 5 continues through 18 September 2011, ISACA® has begun to review the comments provided. As a result of the comments seen to date, we would like to clear up some general misconceptions related to COBIT®.

Misconception: COBIT is a standard.
Fact: COBIT is a framework. Unlike a standard, which requires an enterprise to follow the complete guidance as it is documented, a framework is flexible and can—and should—be customized to fit an enterprise’s size, culture, risk profile, business needs, etc.

Misconception: COBIT is an IT audit framework.
Fact: COBIT is a framework that covers governance and management aspects of information and technology used across the complete enterprise from “end to end” and beyond, providing a common business language for the business’s use of information and technology assets.

Misconception: COBIT is technical.
Fact: COBIT is business-language-oriented and avoids use of technical terms wherever possible.

Misconception: COBIT is a competitor of ITIL.
Fact: COBIT and ITIL are complementary. COBIT brings breadth, covering all governance and management activities related to information and technology, and ITIL provides depth of guidance in IT service management areas.

Misconception: COBIT provides only control objectives for IT processes.
Fact: COBIT also provides guidance on good management practices. To reflect this shift in framework content, COBIT now goes by its acronym only.

Misconception: COBIT is a tool for Sarbanes-Oxley compliance only.
Fact: COBIT helps enterprises comply with any and all relevant legislation and regulations, including, but not limited to, Sarbanes-Oxley.

Misconception: COBIT is complicated and overwhelming.
Fact: The principles and supporting guidance in COBIT use business language to facilitate comprehension of the material; however, governance and management of enterprise IT are not simple topics to grasp or address.

Misconception: COBIT must be “implemented” in its entirety or not at all.
Fact: No enterprise is expected to implement all of the practices in COBIT; each enterprise should select the practices and activities that fit its business objectives, needs and capabilities.

Misconception: COBIT is of value for big enterprises only.
Fact: COBIT can be used by enterprises of any size, particularly when considering the principles and enablers related to the governance and management of enterprise IT.

Misconception: COBIT provides specific directions and answers.
Fact: COBIT is not a specific route that tells an enterprise exactly where to start and stop; instead, it is a broader map that enterprises can use to determine their starting points and where they want to go. As a result, it can be used by any enterprise, regardless of its size, location, industry or current level of management and governance capability.

There is limited time remaining in which to comment on the COBIT 5 exposure drafts. We will continue to analyze and implement the comments from the exposure period in the coming weeks. COBIT 5 is expected to be released in early 2012. Look for continuous and regular updates about the release on the COBIT 5 page of the ISACA web site.


How to Share Documents and Links in the ISACA Knowledge Center

The ISACA® Knowledge Center features valuable discussions and much more. Users are also encouraged to share documents and links. Members have already begun sharing links to relevant information from other web sites and documents regarding subjects such as cloud computing and risk scenarios. Providing documents and links is an easy way to share guidance and insight with fellow IT audit, security, risk and governance professionals.

The following steps outline how to add documents and links in the Knowledge Center:

  • Log in to the ISACA web site.
  • Choose the “Knowledge Center” tab.
  • Click the “Browse Over 100 Topics” tab, and select the topic that best matches the subject matter of the document or link that you would like to share.

    If you are not a member of the topic, click “Join this Community.” You must be a member of the topic to contribute content.
  • To add a document, click “Contribute a Document.”
  • Add the required information and click “Upload.”
  • To add a link, click “Contribute a Link.”
  • Complete the required fields and click “OK.”

Once contributed, a document or link will appear in the accordion on the topic homepage with all other contributions. Members can now browse and use your contributed document or link as a resource.

Visit the Knowledge Center today to start sharing useful content with other ISACA members.


ISRM Europe Keynote Speaker to Address Security As a Global Need
ISRM Europe • 14-16 November 2011 • Barcelona, Spain

Attend the ISACA® Information Security and Risk Management Conference (ISRM Europe) in Barcelona, Spain, and learn from the experiences of Telefonica’s Javier Garcia de Castro, director of security business. He will discuss security in a globalized, ever-changing world as part of his keynote address at the November event. Garcia de Castro will explain how Telefonica is building a global security operation center (SOC) that, while operating worldwide, will simultaneously address the local needs of the enterprise’s operations in Brazil, Peru, Spain, Chile and the Czech Republic.

Based in Spain, Telefonica has a strong international presence, having acquired enterprises in both Brazil and the UK. Drawing from his experience at Telefonica, Garcia de Castro will explain how to integrate acquired organizations, how to build a security portfolio (for a SOC), and how to define pricing and risk management procedures.

In addition, Garcia de Castro will discuss Telefonica’s overarching perspective on security. The enterprise’s customer base extends from home users to large enterprises, which presents a striking example of the need for enterprises to secure every part of the business—from digital subscriber line (DSL) connections and antivirus and antispam software to more complex issues of compliance and identity and access management.

Held 14-16 November 2011, ISRM Europe will focus on security as an integral part of all enterprises. The sessions include such topics as mobile devices, the cloud, social media, trends in cybersecurity and current security incidents. Chief information security officers; risk managers; and security directors, managers and professionals from around Europe and the world are encouraged to attend. For more details, please visit the ISRM Europe page of the ISACA web site.


Enterprises Benefit From Customizable, On-site Training

The ISACA® On-site Training program allows enterprises to provide customizable courses from qualified trainers on topics relevant to employees—without having to leave the office. Flexible scheduling and custom course materials—including case studies and class exercises designed to align with the enterprise—enable tailored training sessions that meet the needs of employees and the business. Because these courses are held at a location of the enterprise’s choosing, expensive travel costs can be eliminated.

Previous On-site Training attendees have found the sessions to be valuable. According to one professional, “The hands-on exercises were challenging and engaging,” and another described the trainer as “very knowledgeable and friendly.” Training is provided by industry professionals who have many years of practical experience in the field.

Audit, security, governance and risk course offerings range from overviews such as “Fundamentals of IT Audit and Assurance” to more focused courses such as “IT Risk Management” and “Information Security Management.” Specific training related to COBIT includes “COBIT: Strategies for Implementing IT Governance,” “Using COBIT in IT Assurance and Audit,” and the COBIT Foundation Course. Exam review/preparation boot camps are also available for all ISACA certifications.

For more information, please visit the On-site Training page of the ISACA web site.


Book Review:  IT Audit, Control and Security
Reviewed by Bright Munongwa, CISA, CGEIT, CRISC, CFSA, CIA

In his book IT Audit, Control and Security, Robert R. Moeller offers a comprehensive reference guide for IT audit and security professionals and gives the reader a broad understanding of key issues in IT audit, security and internal control.

The book is presented in a clear and easy-to-read manner. Moeller uses practical examples to explain concepts and includes an extensive amount of audit programs. Experienced and entry-level professionals within IT audit, governance and security will find this text a valuable reference guide. Exam candidates will also find this publication useful for preparing for ISACA® certification exams.

IT Audit, Control and Security is divided into 4 parts:

  • Part 1 takes the reader through a discussion of the US Sarbanes-Oxley Act and the Committee of Sponsoring Organizations of the Treadway Commission Internal Control—Integrated Framework. Part 1 also discusses the use of COBIT® to perform IT audits and ends with an outline on how to perform effective IT audits—from planning to reporting.
  • Part 2 focuses on auditing IT general controls, including evolving control issues in wireless networks, cloud computing and storage management virtualization.
  • Part 3 looks at auditing and testing IT application controls and includes a case study on how to conduct an application review. The use of computer-assisted audit tools and techniques is discussed extensively, and the issue of continuous assurance auditing is also examined.
  • Part 4 focuses on IT governance, cybersecurity and privacy controls among other interesting audit and information security topics.

Moeller is an internal audit specialist with more than 25 years of experience in the field and the author of several other audit and risk management books. His practical experience in internal audit and security is clearly evident throughout this book.

IT Audit, Control and Security is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA® Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Bright Munongwa, CISA, CGEIT, CRISC, CIA, is a specialist IT auditor at Nedbank Ltd., one of South Africa’s Big 4 banks, and he serves on the ISACA Publications Subcommittee.

