@ISACA Volume 2: 19 January 2011 

@ISACA Relevant, Timely News

New Global ITGI Report:  Value Creation a Top Priority

Ask 834 business executives and heads of IT what they think about the role of IT in their enterprise and you might expect to get 834 different answers. But that was not the case in the fourth edition of the IT Governance Institute’s (ITGI’s) Global Status Report on Governance of Enterprise IT.

The survey, covering 21 countries, 10 industries, and large and small enterprises, revealed significant agreement on the contribution of IT to business success, the challenges and opportunities connected with IT, and the impact of newer technologies such as social networking and cloud computing.

Among the key findings are:
  • The good and the not-so-good. Value creation of IT investments is one of the most important dimensions of IT’s contribution to the business (mentioned by more than nine out of 10 respondents). But, challenges exist: increasing IT costs and an insufficient number of IT staff are the most common IT-related issues experienced by respondents in the past 12 months.
  • IT leading or following. There is a correlation between the position of the head of IT in the enterprise’s hierarchy and the proactive nature of the IT department. Overall, 70 percent of respondents noted that the head of IT is a member of the senior management team, but this figure increases to 80 percent for those enterprises where IT has a proactive role.
  • A focus on governance. Governance of enterprise IT (GEIT) is a priority with most enterprises—only 5 percent indicated they do not consider it important. Two-thirds of respondent enterprises have some GEIT activities in place, the most common being the use of IT policies and standards, followed by the employment of defined and managed IT processes. The main driver for activities related to GEIT is ensuring that IT functionality aligns with business needs, and the most commonly experienced outcomes are improvements in management of IT-related risk, and communication and relationships between business and IT.

In addition to more key findings, the report contains conclusions that can be drawn from cross-analysis of the data and recommendations for practical ways to put the information to use within enterprises.

As with previous editions, the research was conducted for ITGI® by PricewaterhouseCoopers Belgium, making use of PwC’s International Survey Unit. Surveys were conducted by phone or online, in the respondent’s preferred language. The resulting report, which includes charts and graphs illustrating the data and a copy of the original questionnaire, in addition to the results, findings, conclusions and recommendations, is available as a free download through the ISACA® and ITGI web sites.


5 Steps in Evidence Examination
By Leighton Johnson, CISA, CISM, CIFI, CISSP

In a forensics investigation, evidence examiners usually perform a thorough review of the data. Accuracy is more important than the length of the examination, and these steps will help improve the process.

  1. Bottom layer examination—System construction. This is where the file system details, directory system structure, operating system parameters and partitions are reviewed.
  2. Second layer examination—File header and extension analysis. This is where file headers and extensions are reviewed, obvious files of interest are identified, and exclusion of known files by hashing is performed.
  3. Third layer examination—Password-protected, encrypted, compressed and deleted files are examined and reviewed in this step. Link analysis and evaluation of compressed e-mail files are of special importance in this step.
  4. Fourth layer examination—Unallocated and slack-space files are examined and evaluated in this step. Data use in these areas usually constitutes some form of malicious intent or purpose.
  5. Fifth layer examination—File content. Examinations at this layer look at file metadata, user configuration files for applications and use pattern evaluations.
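As an added illustration of the second layer (not part of the original article), here is a small Python triage routine that applies header-versus-extension analysis and hash-based exclusion of known files to a few constructed sample files. The magic-number table and the known-hash set are assumptions standing in for a full signature database and a reference hash list.

```python
import hashlib
from typing import Dict, List, NamedTuple, Set
# Magic-number table (an assumption standing in for a full signature database):
# leading bytes -> extensions that normally carry that header.
MAGIC: Dict[bytes, Set[str]] = {
    b"%PDF-": {"pdf"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
}

class Finding(NamedTuple):
    name: str
    sha256: str
    status: str    # "excluded", "mismatch" or "review"
    detail: str

def extensions_for_header(data: bytes) -> Set[str]:
    """Return the extensions implied by the file's leading bytes (empty if unknown)."""
    for magic, exts in MAGIC.items():
        if data.startswith(magic):
            return exts
    return set()

def triage(name: str, data: bytes, known_good: Set[str]) -> Finding:
    """Second-layer check: exclude known files by hash, then flag header/extension conflicts."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_good:
        return Finding(name, digest, "excluded", "hash matches the known-file set")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    implied = extensions_for_header(data)
    if implied and ext not in implied:
        return Finding(name, digest, "mismatch",
                       f"header implies {sorted(implied)} but extension is .{ext or '(none)'}")
    return Finding(name, digest, "review", "header consistent; queue for content review")

# Constructed sample files standing in for an evidence image's contents.
SAMPLE_FILES = [
    ("readme.txt", b"Vendor readme, shipped with every install.\n"),
    ("quarterly.pdf", b"%PDF-1.4\n% constructed sample document\n"),
    ("holiday.jpg", b"PK\x03\x04\x14\x00\x00\x00\x08\x00constructed zip payload"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00constructed PE header"),
]

# Constructed known-file set: in practice this would come from a reference hash list.
KNOWN_GOOD = {hashlib.sha256(SAMPLE_FILES[0][1]).hexdigest()}

def run_sample() -> List[Finding]:
    return [triage(name, data, KNOWN_GOOD) for name, data in SAMPLE_FILES]

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:9} {f.name:15} {f.sha256[:12]}  {f.detail}")
```

Files whose extension disagrees with their header are the "obvious files of interest" the article refers to; the excluded set shrinks the population that reaches the later layers.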

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team (ISFMT) of Bath, South Carolina, USA.


The Joy of Item Writing—Writing a Good Question
By Alisdair McKenzie, CISA, CISSP

Have you encountered a unique situation from which you learned a great deal? You can earn free continuing professional education (CPE) credits by writing a question about it for one of ISACA’s four certification exams. For example, as a new auditor, what situations did you find difficult or demanding? How did your supervisor at the time advise you? These are the nuts and bolts that make up the best practices of your profession and should be known by practitioners as they continue to grow in their careers. Is there something you learned, or wish you had learned, early in your career that is now common knowledge? Here is advice on how to write a question based on your experiences.

Volunteering as an item writer to help support the development of ISACA® exams is a rewarding way to get involved and help support the continuation of your profession. It is also a creative way to earn CPE credits and make some extra money.

This 3-part series on exam item writing will discuss how to develop a good question, what is involved with the item review process and the benefits of being an exam item writer.

What Makes a Good Question?

A good question:

  • Is constructed as per the Item Development Guide
  • Is written at the right level—i.e., tests the knowledge of an individual with 3–5 years of experience performing the tasks listed in the CISA job practice¹ ²
  • Has a single, clear testing concept and is concisely written
  • Is relevant across all cultures and industries—not specific to a country or particular business. Item writers must take into consideration that information systems and control is a global industry, and individual perceptions and experience might not reflect the more global position or circumstances.
  • Has good plausible distracters
  • Has appropriate and relevant references to allow the review committees to understand the writer’s intent³

Remember, when writing exam questions, it is important that all of these facts are taken into consideration for the item to be reviewed and approved for inclusion in the respective exam.

Next month, the item review process will be discussed in this 3-part @ISACA series. Information on item writing and how to be an item writer is available on the Item Writing page of the ISACA web site.

Alisdair McKenzie, CISA, CISSP, has been active for more than 15 years in the ISACA Wellington Chapter and is a past president of the chapter. He has spent 3 years as a member of the CISA Technical Evaluation Committee and is currently a member of the CISA Certification Committee. His career in IT spans almost 40 years.

1 CISA is a practitioners’ certification and not merely a test of book learning. Questions are aimed at testing the knowledge of an IS auditor with 3–5 years of experience. It is important to note that many individuals choose to take the CISA exam prior to meeting the experience requirements. This practice is acceptable and encouraged although the CISA designation will not be awarded until all requirements are met.
2 This article contains specifics regarding CISA exam item writing. The concepts remain the same for all ISACA item development although the specification certification requirements may change.
3 Wikipedia is not sufficient as a reference. It can be a starting point to identify reference sources, but references should be to textbooks and refereed papers and articles from quality publications and conferences.


Remembering Past President Paul Williams

ISACA® is saddened to learn of the death of past international president Paul Williams, CITP, FCA, MBCS, on 14 January 2011. Paul served as president of ISACA and the IT Governance Institute® (ITGI®) from 1999 to 2001 and continued thereafter to dedicate time and commitment to the association, most recently by chairing the Strategic Advisory Council and serving on the Governance Advisory Council.

Recounting Paul’s many activities within ISACA and ITGI is like reading a list of all volunteer bodies in existence over the course of his 30-year membership. He was a regional vice president on the board, served on and chaired the Nominating Committee, worked on the task forces to develop COBIT® and Val IT:  Based on COBIT®, and held a variety of other positions addressing enterprise risk management, marketing, leadership development, fundraising and conference development. He was a frequent contributor to the ISACA Journal and a regular media spokesman for ISACA and ITGI. His efforts were recognized over the years by two prestigious ISACA awards: the Eugene Frank Award (for outstanding contributions to ISACA/ITGI) in 2005 and the President’s Recognition Award in 2007. In 2009, a new award was created in his name—the Paul Williams Inspirational Leadership Award—to recognize special accomplishments, outreach and advocacy on behalf of ISACA. He was the first recipient.

Paul had a rich and varied professional life outside ISACA as well. In 2002, he retired as a partner in one of the largest global professional services firms, where he had responsibility for the development and delivery of technology risk management services. After retirement, he continued to consult, specializing in IT governance, IT due diligence, IT audit and project risk management. He was a UK Chartered Accountant, Chartered Information Technology Professional and a Member of the British Computer Society.

Perhaps even more than Paul’s formal contributions are the ways he motivated and inspired those around him. Since news broke of his passing, ISACA has received messages from many ISACA members remembering when and where they first met Paul and describing how he encouraged them to pursue involvement in ISACA. They referred to him as their mentor and someone who never failed to inspire respect and admiration. Many noted that Paul was not only a professional standout, but a personal one as well: a warm, friendly man who enjoyed life, family, friends and, especially, music. Paul had a lifelong love for music, playing in bands in his youth and recently re-forming the band and playing “the old songs” at various venues in and around London. His collection of guitars—up to 19 at last count—was impressive, but it was not just for show; he played every one of them in his home studio.

Paul himself may have most succinctly stated his relationship with ISACA in 1999, when he noted: “Serving on the ISACA Board of Directors has given me the opportunity to work with other senior professionals in better understanding the needs of the IS control and audit community in its broadest sense and in laying out a vision for the future which will benefit current and future members of our profession and the business world at large. This has helped me develop a far broader perspective on IS governance issues which benefits both my firm and my clients.” It is typical of Paul to describe the relationship as a win-win: he gained a better understanding of professional concerns and he gave back to the profession and the association via his service. He was someone who always found the positive in a situation, perhaps because he tended to create a positive environment around himself.

Paul Williams was a visionary, a friend, a dedicated member, a committed leader, and an articulate spokesman for ISACA, ITGI and the profession. He will be greatly missed.

Paul’s family has provided the following information for those who wish to honor Paul’s memory by making a donation in his name:

We will be having family flowers only. As music was such a big part of our dad’s life, our chosen charity is Youth Music (http://www.youthmusic.org.uk/musicispower/index.html). You may donate directly to the charity or do so care of Alan Greenwood Funeral Directors, 119 London Road, Kingston-upon-Thames, Surrey KT2 6NH, United Kingdom (Phone 004420 8546 3960). Thank you.



You Are Invited to Volunteer With ISACA

The Invitation to Participate opens the door to volunteer with ISACA® in a hands-on environment. You can collaborate with peers around the world to ensure successful certification programs and comprehensive professional conferences and educational resources that represent ISACA’s professional standards and sound infrastructure. You can even volunteer to serve on multiple groups. Send in your 2011-2012 Invitation to Participate form before the 25 February 2011 deadline to get the process started.

The selection of volunteers is based on the current needs of the groups, the relevant professional background of the candidates and the need to reflect a global perspective. All appointments are for a one-year term and are ratified by the Board of Directors.

For more information, to view volunteer opportunities outlined in the brochure and to apply to be an ISACA volunteer, visit the Volunteering page of the ISACA web site.


Join Your Colleagues, Get Involved in ISACA’s Online Community
Join a Topic, Become a Topic Leader

When confronted with a new or difficult project, you now have a team of experts to help. ISACA's IT Professional Networking and Knowledge Center is a meeting place for IT professionals who share common interests. The Knowledge Center was launched on the ISACA® web site in June 2010, and already more than 5,000 members have joined a Topic. Topic members are utilizing the Web 2.0 features by starting discussions, uploading documents and links, adding profile pictures, and connecting with other users. Some of the more popular topics include “IT Audit Tools and Techniques,” “COBIT, Use It Effectively” and “Risk Management.” Visit the Knowledge Center to find and join the topics most appropriate to you. For detailed instructions, read “Join the Conversation” in volume 24 of @ISACA.

Currently, there are more than 60 topic leaders. It is your time to join, learn or lead a conversation, too. Topic leaders facilitate activity within a topic, offer their advice and expertise, and ensure that topic members remain active and on topic. Apply to become a topic leader. To view a complete list of responsibilities and to apply, visit the Become a Topic Leader page of the ISACA Knowledge Center on ISACA’s web site. On average, the role of topic leader will require approximately 2–4 hours per week, for which up to 10 CPE credits can be earned.


External Relationships Help ISACA Continue to Advance Its Goals

In 2010, ISACA® continued to increase member benefits by building external relationships with other organizations. Highlights of this year’s activities include:

  • The sponsorship of SecureCloud 2010 with European Network and Information Security Agency (ENISA), the Cloud Security Alliance (CSA), and the IEEE with the support of the Barcelona Chapter
  • Development of an audit, compliance and legal issues track at the CSA Cloud Security Congress
  • Working with technology and cloud provider organizations on the development of the CSA Consensus Assessment, consisting of a series of questions that cloud service users and auditors should ask of cloud providers
  • Contributing to the development of the Common Assurance Maturity Model, sponsored by ENISA, that provides a means for cloud users to gain assurance of the protection that cloud providers offer
  • Development of the revision to the CSA Controls Matrix and mapping of COBIT® 4.1 to the controls matrix
  • Contributing to the mapping of COBIT 4.1 to the Shared Assessments Guide:  Evaluating Cloud Risks for the Enterprise
  • Supporting the National Institute of Standards survey identifying the Economic Benefits of Role Based Access Control
  • Development, along with Information Security Forum and (ISC)2, of a common set of individual performance principles for information security practitioners
  • Development of a formal memorandum of understanding (MOU) with The Institute of Internal Auditors (The IIA) to collaborate on the advancement of the global internal auditing profession through the sharing of knowledge, experience and best practices

Through these and other similar relationships, ISACA hopes to:

  • Expose its intellectual property to outsiders, increasing its recognition
  • Gain credibility
  • Address need
  • Obtain additional resources for its constituents
  • Gain expertise

So far, these external relationships have resulted in numerous benefits for ISACA members and constituents, including new educational opportunities, publications and certifications.


Training Week Keeps Growing in Popularity and Value

Popular since they were first introduced, ISACA’s Training Week program continues to grow in participation and value. The most recent event, held in Las Vegas, Nevada, USA, sold out with record attendance. The participants received instruction through the following courses:

  • IT Audit and Assurance Practices
  • Information Security Management
  • COBIT: Strategies for Implementing IT Governance

The active learning environment provides a great opportunity to obtain valuable tools that attendees are able to take back to their enterprises and incorporate in their IT roles immediately. Attendees network with peers and share experiences, which adds to the value of the event and increases knowledge. ISACA® Training Week attendees also benefit from:

  • Experienced trainers
  • Relevant content that addresses today’s challenges
  • A pragmatic learning approach

ISACA Training Week is coming to five venues in 2011:

  • New Orleans, Louisiana, USA, 14–18 March
  • Ottawa, Ontario, Canada, 4–8 April
  • Seattle, Washington, USA, 8–12 August
  • Minneapolis, Minnesota, USA, 12–16 September
  • Baltimore, Maryland, USA, 24–28 October
  • Scottsdale, Arizona, USA, 5–9 December

Additionally, a new course joins the 2011 agenda:  Governance of Enterprise IT. Visit the Training Week page of the ISACA web site for more information and to register for one of the upcoming events.

