@ISACA Volume 2: 16 January 2013 

@ISACA Relevant, Timely News

CGEIT Job Practice Updated to Reflect Industry Changes

Governance and management of enterprise IT is an evolving process. From the impact of the US Sarbanes-Oxley Act to the game-changing aspects of cloud computing, regulatory requirements and IT business systems, there has been a major shift in how business looks at IT governance. To stay updated, ISACA’s Certified in the Governance of Enterprise IT (CGEIT) credential is also changing.

The revised CGEIT job practice, which will be effective in June 2013, conceptually aligns with COBIT 5. A major revision to the CGEIT job practice is the integration of the performance measurement tasks from domain 6 of the previous job practice into the benefits realization domain. Therefore, there are 5 instead of 6 domains in the new job practice.

In addition, there is a change in the requirements necessary for certification. The experience waivers that were once permitted for holding other certifications or related degrees will no longer be allowed under the new job practice for individuals testing in June 2013 and thereafter. The practice of IT governance has grown in maturity and ISACA’s CGEIT Certification Committee has observed that the vast majority of individuals having such waivers also have the experience required for certification.

Requirements for certification1 include 5 or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise. This experience is defined specifically by the domains and task statements described in the CGEIT job practice. In addition, a minimum of 1 year of experience practicing tasks described in the Framework for the Governance of IT domain of the new job practice is required. It states: “Ensure the definition, establishment and management of a framework for the governance of enterprise IT in alignment with the mission, vision and values of the enterprise.” This is changed from the old job practice, under which individuals were required to develop or be part of the development or maintenance of an IT governance framework. In the new job practice, the requirement is to help ensure that a framework has been properly defined, established and managed.

There are many different IT governance professionals who perform the tasks within the CGEIT job practice. Their areas of responsibility, management level and titles vary, including, for example, IT director, security director, IT audit director or risk manager. Everyone plays a part.

Visit the Certification page of the ISACA web site to learn more about the CGEIT certification.

1 These requirements are effective for individuals testing in June 2013 and forward. The requirements that relate to the old job practice are still in effect for those who tested and passed prior to and including December 2012.


7 Tips for Maintaining Protection Strategies

As a Certified Information Security Manager (CISM) you are responsible for developing and implementing protection strategies, but when was the last time you revisited these strategies? Just as the nature of global business changes so does the risk tolerance of each enterprise. These changes, complemented by evolving technology, require a constant balance of risk and benefit within the security program.

Keeping up with the latest protection strategies can be difficult. Knowing the difference between what to trust and what to overlook as a current fad is a challenge. In the marketplace, we are seeing technology networks with no inside or outside networks, abandonment of firewalls, and movement toward new approaches, such as sandboxing. A significant strategy is the movement away from compliance toward security. Enterprises are leaving compliance to internal and external auditors and are redefining operational system certifications.

These protection strategies are not based on traditional audit approaches. Instead, protective controls, such as targeted hosting facilities with controlled development environments and automated tools, close the assurance gap between development and operations. These new protection strategies are reducing cost while increasing assurance. As a CISM, you provide efficient and effective options based on your expertise to keep your security programs relevant. Here are some tips on how to keep your protection strategies up to the task:

  1. Pay attention to how your enterprise is evolving. The way the enterprise is conducting business and who is running the business are keys to funding your protection strategies.
  2. Keep your risk assessment current. This will ensure you are protecting the correct assets against the residual risk.
  3. Train, train, train. People who are developing protection strategies using new technologies and techniques often find that training is critical to advancing expertise.
  4. Ask for or develop multiple protection strategies for each area of your security program. Remember that vendors tend to recommend what works for their technology and not necessarily what is best for the overall protection of your assets.
  5. Implement protection strategies that can be integrated into existing technology. Focus next on what can be purchased quickly. Then, budget and implement any remaining protection strategies within a technology refresh plan.
  6. Stay close to state-of-the-art technologies. Unless you are responsible for an innovative technology company, the business should not experiment with new technology. Have a place in your security program to evaluate innovative security approaches.
  7. Maintain and grow your knowledge. Continuing professional education (CPE) courses are a great way to keep up with ever-evolving protection strategies and educate yourself on a wide variety of technologies.

Security technology is not a guarantee for a secure enterprise. Protection strategies that have decayed due to technology evolution, lack of training or business need are as dangerous as not implementing the technology. Know your protection strategies and provide the necessary attention required to keep your security program relevant.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins has the opportunity to provide his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


David Pogue to Keynote North America CACS

David Pogue, host of Public Broadcasting Service® US NOVA scienceNOW television series, a weekly personal technology columnist for The New York Times and a monthly columnist for Scientific American, will be the keynote speaker at the 2013 North America Computer Audit, Control and Security (CACS) Conference. Pogue is the author/coauthor of 7 books in the For Dummies series, as well as the bestselling Macworld Mac Secrets. He is a regular contributor to CBS News Sunday Morning and appeared on numerous television and radio programs, including The Martha Stewart Show, National Public Radio’s Morning Edition, and CNBC’s Power Lunch and On The Money.

Attend North America CACS in Dallas, Texas, USA, 15-17 April 2013, and hear Pogue’s presentation, “Disruptive Tech: What's New, What's Coming and How It Will Change Everything.” Pogue will predict which of the upcoming gadgets and technologies will have the greatest impact on society in the coming years.

Register by 18 February and save. Visit the North America CACS page of the ISACA web site to learn more and register.


New COBIT IP Licensing Guidelines

With the release of COBIT 5, ISACA has changed and expanded its licensing program to support the many ways enterprises worldwide are using COBIT. Licensing affects those who are using a COBIT 5 family product for uses beyond their own individual purposes. Please see the usage guidelines for additional information. For example, COBIT 5 licensing is required for training, consulting, companywide internal and commercial uses. Please read about the different types of IP licensing and associated pricing on the COBIT 5 Licensing page of the ISACA web site.

Please note that this information is separate from guidance and licensure for COBIT 5 training. To learn more about COBIT 5 training and licensee opportunities, visit the COBIT 5 Education & Training page.

If you have any questions regarding licensure or if you are aware of any IP licensing opportunities that ISACA should pursue, please contact ISACA’s IP director, Julia Fullerton, at ipinfo@isaca.org.


Member Get A Member Results Are In

From 1 August through 31 December 2012, ISACA ran the Member Get A Member (MGAM) campaign with the goal to grow ISACA’s global community by 500 new members in 5 months. ISACA is pleased to report that you exceeded this goal!

Through this campaign ISACA awarded 10 prizes worth US $50 each to be used in the ISACA Bookstore, and 1 grand prize worth up to US $1,500 to be used toward an ISACA conference or exam. The winners were drawn from the 658 current ISACA members who successfully recruited 878 new members in 168 chapters. The December prize winners included a member of the Chennai (India) Chapter (professional member) and Rajeev Gupta of the Pune (India) Chapter (student member). The 2012 MGAM grand prize winner was a member of the Lima (Peru) Chapter. A list of all winners can be found on the MGAM page of the ISACA web site.

ISACA thanks all members who participated in the 2012 ISACA MGAM campaign. Send any questions about the MGAM campaign to the membership services team at mgam@isaca.org.


Read More Articles in Our Archives