@ISACA Volume 20: 24 September 2014 

@ISACA Relevant, Timely News

Pell Report Calls for Creation of Cybersecurity Association

A recent report from the Pell Center for International Relations and Public Policy at Salve Regina University (Rhode Island, USA) notes that the number of cyberattacks and breaches has been increasing. As a result, the authors of the report call for a professional cybersecurity association. In April, ISACA created the Cybersecurity Nexus (CSX) after extensive research by global cybersecurity experts indicated the need for more cybersecurity professionals. CSX addresses this need and the Pell Center report’s call for a professional cybersecurity association.

Among the recommendations of the Pell Center report are the creation of a regulatory body for cybersecurity professionals, certification and licensing requirements, a code of ethics and member professional associations for each specialty. By providing a central location for cybersecurity professionals to find research, guidance, certifications and education, CSX addresses many of the Pell Center report’s recommendations for a cybersecurity association.

The report also calls for cybersecurity certification. A component of CSX is the Cybersecurity Fundamentals Certificate. By passing the exam and agreeing to adhere to ISACA’s Code of Professional Ethics, certificate holders can show employers that they have foundational knowledge to help organizations address cybersecurity issues. This knowledge-based certificate exam will be available online starting on 1 October.

To learn more about CSX, visit the Cybersecurity Nexus page of the ISACA web site.


CSX Webinar Offers Strategic Planning Guidance

As part of its Cybersecurity Nexus (CSX) program, ISACA will offer a cybersecurity-related webinar to help organizations better protect themselves against cyberthreats. The “Countering Cyber Insecurity with Strategic Planning” webinar will take place on 30 September at 11:00AM CDT (UTC -5 hours), and members can earn 1 continuing professional education (CPE) hour for attending.

Many large, high-profile companies have been victims of cyberattacks recently and no organization is safe from cybercrime. This webinar will explain the importance of having a strategic cybersecurity plan, summarize the cybersecurity strategic planning process and share how some companies are combating cyberrisk and cyberinsecurity.

To register for this webinar or to learn more about it, visit the Countering Cyber Insecurity with Strategic Planning page of the ISACA web site.


Seven Essential Functions of a Vulnerability Management Program

Vulnerability management is an essential function and capability in any information risk and security program. Vulnerabilities will always exist within an organization’s information infrastructure. Their existence is not as important as how effectively they are managed. Successful vulnerability management programs often include the following 7 functions:

  • Identification—Identification of vulnerabilities is critical since an organization cannot manage what it does not know. Identification of vulnerabilities will come from numerous sources and should include both technical and nontechnical vulnerabilities.
  • Validation and assessment—All identified vulnerabilities should be independently validated and assessed for their potential business impacts if successfully exploited. When assessing vulnerabilities, attention should initially be focused on the probability of discovering vulnerabilities and exploiting them, and the material business impacts of successful exploitation.
  • Management—The management function includes the identification of conditions and thresholds for vulnerability remediation actions and prioritization of resources and capabilities. Management also includes the development and use of compensating control objectives and controls and tracking remediation activities.
  • Monitoring—Vulnerability monitoring includes the identification and implementation of effective monitoring and oversight capabilities. Monitoring should include both point-in-time and constant monitoring of identified vulnerabilities and controls.
  • Remediating and compensating controls—Effectively managing vulnerabilities often includes the need for both remediating and compensating controls. These controls often include business process adjustments, technology, and behavioral and cultural modifications.
  • Assurance—Assurance is the “trust but verify” function of a vulnerability management program and should include independent validation of the effectiveness of remediation activities or compensating controls.
  • Reporting—Effective reporting gives interested parties visibility and transparency into vulnerability management activities. Different groups have different interests and need reporting tailored to them to gain value from the information provided. In all cases, reporting should be consistent and aligned with the organization’s established reporting and communication practices. A 3-tier model is often the simplest and most effective approach to reporting. In this model, the first tier is leadership, the second tier is process owners and stakeholders, and the third tier is operations.
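As an added illustration, not from the article or its author, the following Python sketch models the seven functions as a small vulnerability register: likelihood-times-impact assessment, threshold-driven prioritization, compensating controls, an assurance gate before closure, and the 3-tier report. The 1 to 5 scales, the thresholds and the sample findings are assumptions, not values from the article.

```python
from dataclasses import dataclass
from typing import Optional

# Management thresholds on the likelihood x impact score (assumed values):
# (minimum score, priority tier, remediation deadline in days)
THRESHOLDS = [(15, "critical", 7), (8, "high", 30), (4, "medium", 90), (0, "low", 365)]

@dataclass
class Vulnerability:
    vid: str                 # constructed identifier, not a real finding
    owner: str               # process owner (second reporting tier)
    likelihood: int          # probability of discovery/exploitation, 1-5 (assumed scale)
    impact: int              # material business impact if exploited, 1-5 (assumed scale)
    technical: bool = True   # identification covers nontechnical findings too
    validated: bool = False  # validation: independently confirmed as real
    remediated: bool = False
    compensating: Optional[str] = None   # compensating control in place, if any
    assured: bool = False    # assurance: fix or control independently verified

    def score(self) -> int:
        return self.likelihood * self.impact

def prioritize(v: Vulnerability):
    """Management: map the assessed score to a tier and a remediation deadline."""
    for floor, tier, days in THRESHOLDS:
        if v.score() >= floor:
            return tier, days
    return "low", 365  # not reached: the floor-0 entry always matches

def status(v: Vulnerability) -> str:
    """Lifecycle state: a finding closes only after assurance, not on remediation alone."""
    if not v.validated:
        return "unvalidated"
    if v.remediated or v.compensating:
        return "closed" if v.assured else "awaiting assurance"
    return "open"

def three_tier_report(register):
    """Reporting: leadership summary, process-owner view, operations detail."""
    active = [v for v in register if status(v) != "closed"]
    leadership, owners = {}, {}
    for v in active:
        tier, _ = prioritize(v)
        leadership[tier] = leadership.get(tier, 0) + 1
        owners.setdefault(v.owner, []).append(v.vid)
    operations = [(v.vid, *prioritize(v), status(v), v.compensating) for v in register]
    return {"leadership": leadership, "process_owners": owners, "operations": operations}

# Constructed sample register for the demonstration
REGISTER = [
    Vulnerability("V-1", "payments", 5, 5, validated=True),
    Vulnerability("V-2", "hr", 2, 4, validated=True, compensating="network ACL"),
    Vulnerability("V-3", "payments", 1, 2, technical=False, validated=True, remediated=True, assured=True),
    Vulnerability("V-4", "web", 4, 3),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(three_tier_report(REGISTER))
```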

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Earn CPE at Internal Controls Webinar

To help address the governance, risk management and internal control requirements from Clause 49 of the Securities and Exchange Board of India’s Listing Agreement and the new Companies Act, 2013, ISACA is offering a webinar on internal controls using COBIT 5 guidance. The “Internal Controls for Indian Financial Reporting Using COBIT 5 Based Guidance” webinar will be held on 2 October at 5:00AM (UTC -5 hours), and members can earn 1 continuing professional education (CPE) hour for attending the webinar.

As a result of Clause 49 and the new Companies Act, 2013, organizations must now assure that any internal controls regarding financial reporting are reliable. ISACA recently released Guidance Note on Corporate Governance, ERM and Assurance for COBIT 5, which also addresses these regulatory requirements. This guidance note, along with this webinar, can give you the tools you need to bring valuable risk management and governance knowledge to your organization.

To register for this webinar, visit the Internal Controls for Indian Financial Reporting Using COBIT 5 Based Guidance page of the ISACA web site.


Earn Free CPE at COBIT 5 Webinar

To help organizations better use COBIT 5, ISACA is offering a COBIT-related webinar led by Executive Director of Ernst & Young, Debbie Lew, and President of Escoute, Mark Thomas. The “COBIT 5 Flexibility: Cut to Size, File to Fit and Paint to Match” webinar will take place on 2 October at 11:00AM CDT (UTC -5 hours), and members can earn continuing professional education (CPE) credit for attending.

While COBIT may seem academic in nature, it is a useful and comprehensive tool that businesses can use to meet their value needs. This webinar describes COBIT and its product family and examines real examples of successful COBIT use. The webinar will focus on COBIT’s flexibility and the examples will show how organizations utilize this flexibility.

To register or learn more about the webinar, visit the COBIT Flexibility Webinar page of the ISACA web site.


Certification Renewal and CPE Reporting Process

Certification renewals for the 2015 year will open shortly. The goal of the continuing professional education (CPE) policy for each ISACA certification is to ensure that all certification holders maintain an adequate level of current knowledge and proficiency. The CPE policy requires certified individuals to attain and report an annual minimum of 20 CPE hours and attain and report a minimum of 120 CPE hours for their specific 3-year (triennial) reporting period.

Renewing your 2015 certification requires paying the annual maintenance fee and earning and reporting the appropriate CPE from 2014. Individuals have until 31 December 2014 to earn any needed CPE to satisfy their yearly and 3-year cycle requirement. To assist you with tracking CPE, the ISACA CPE reporting system allows you to enter your CPE hours as they are earned or as a single total representing all of the CPE hours earned throughout the cycle year. To report CPE, please visit the Reporting CPE page of the ISACA web site. Information on the CPE reporting system, a tutorial and CPE frequently asked questions can be found on the How to Report and Earn CPE page of the ISACA web site.

ISACA membership provides you with many ways to earn CPE hours, several of which are free. To learn more about ways to earn free CPE through ISACA membership, visit the How to Report and Earn CPE page of the ISACA web site.

To view the CPE requirements and qualifying activities for each certification, visit the CISA, CISM, CGEIT and CRISC CPE Policy pages of the ISACA web site. Questions? Contact certification@isaca.org.


Become Influential in ISACA’s Knowledge Center

A common question asked in ISACA’s Knowledge Center is, “What do the points in my profile represent?” You earn points for various activities such as starting a discussion, rating a discussion or adding a document or a link. The points you earn in the Knowledge Center are now represented as community participation badges.

Community participation badges help others understand your level of community activity and your reputation as a contributor within the Knowledge Center. The badge levels, from lowest number of points to highest, are observer, lively, social, energizer and influential.

The badge you are awarded is determined as a percentage of the number of points you earn compared to the average of all users’ Knowledge Center points. Not only does your community activity influence the badge you earn, but the overall activity of the community also plays a role. For more information on badges, badge status and how you can earn points please visit the Knowledge Center Community Activity page of the ISACA web site.


Accomplish Personal and Professional Goals With an ISACA Certification
Sesha Prakash S Kusuma CISA, COBIT Foundation, CISSP, C|CISO, CPISI, ITIL (2011), JA IIB, ISO-31000 Risk Manager, Certified Lead Auditor – ISO-27001:2013 & Certified Trainer, PRINCE2 (P), Shares His Experience as a CISA

Sesha Prakash S Kusuma always wanted to travel and work overseas, but he did not feel that his education or work experience gave him the competitive edge he needed to accomplish those goals. “Becoming a Certified Information Systems Auditor (CISA) was the only qualification that got me a call from an audit firm in Indonesia, where I joined as head of strategic IT,” he says. “There has been no looking back since then as I have moved from strength to strength professionally.”

Kusuma says a major obstacle he has faced in his career is middle/upper-age career obsolescence. But his aggressive pursuit of certifications has helped his skills remain relevant in the field. In 2013, Kusuma passed the Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certification exams, an impressive accomplishment in such a short time period, and in 2014, he earned the COBIT Foundation certification. “Only the candidate’s limitations inhibit the full utility or exploitation of the certification’s potential,” he says. “Certification alone may not get you a new job, but it definitely can catalyze career growth and opportunities.”

While the certification opened many doors for Kusuma, it was his involvement with an ISACA chapter that helped Kusuma broaden his knowledge base and build strong relationships with his clients. “My clients value my opinion on IS assurance matters,” he says. “As a CISA coordinator for the Bangalore (India) Chapter, interaction with younger generations and trainees from various domains (banking, finance, financial auditing, hardware and software, business process outsourcing) further enhances my professional horizon, endearing me to my clients.”

Kusuma’s CISA certification helped him achieve his goal of traveling more. But the certification has done more than affect his career; it changed the way he thinks about and handles his professional life. “CISA brought in a whole new perspective,” he says. “My structured thinking sharpened and my ability to take a composite view with an eye for details were fine-tuned. These changed the way I approached my own issues—personal, family and financial.”

To learn more about CISA and ISACA’s other certifications, visit the Certification page of the ISACA web site.


Cybersecurity Fundamentals Study Guide Now Available

ISACA has issued the Cybersecurity Fundamentals Study Guide, a comprehensive study aid that will help to prepare learners for the Cybersecurity Fundamentals Certificate exam. By passing the exam and agreeing to adhere to ISACA’s Code of Ethics, candidates will earn the Cybersecurity Fundamentals Certificate, a knowledge-based certificate that was developed to address the growing demand for skilled cybersecurity professionals. The Cybersecurity Fundamentals Study Guide covers key areas that will be tested on the exam, including cybersecurity concepts; security architecture principles; incident response; security of networks, systems, applications and data; and security implications of evolving technology. The Cybersecurity Fundamentals Certificate exam will be available online starting on 1 October. The PDF of the Cybersecurity Fundamentals Study Guide is available for purchase now, with a print version available for purchase in the ISACA Bookstore later this month.

Additional information on recent and upcoming research projects is posted on the Current Projects page.


Book Review: Visible Ops Private Cloud: From Virtualization to Private Cloud in 4 Practical Steps
Reviewed by A. Krista Kivisild, CA, CISA

“We should implement cloud computing” seems to be the call to arms of the 21st-century executive when it comes to solving IT issues, but is cloud computing something every organization really needs? And if it is, how can they go about implementing it successfully? Cloud information is everywhere. There are web sites offering directors advice on questions to ask about cloud computing, white papers explaining how to fit the cloud into existing IT infrastructures, articles on why cloud computing tools should be used, blogs on the benefits of cloud computing and how cloud computing works, and use cases and implementation advice on the subject.

Visible Ops Private Cloud: From Virtualization to Private Cloud in 4 Practical Steps offers focused, straightforward and practical advice to help navigate the numerous resources on cloud computing. In a world where volume and complexity reign supreme, this book simplifies the topic by discussing the 3 main reasons one might choose a private cloud over a public cloud offering, and it provides a 4-phased approach to manage the development and rollout of a private cloud. The phases outlined are: Cut through cloud clutter; design services, not systems; orchestrate and optimize resources; and align and accelerate business results. These 4 phases are repeated throughout the book in different forms, reinforcing their importance to the reader.

This book is directed toward enterprise IT executives, data center managers and those who are responsible for the success of private cloud initiatives. The majority of the book is focused on offering practical how-to advice to help enterprises understand the challenges other IT organizations have had to overcome to successfully deploy a private cloud; which key people, processes and technological competencies are needed for success; how to gain acceptance by all stakeholders; and how to follow the 4-phased approach to implement a private cloud tailored to any organization’s unique business needs.

In addition, the book has a small section on the impact of virtualization on audit and compliance, and on understanding and reducing private cloud security risk. While not the key point of the book, it is useful for auditors and security professionals to have practical, focused information on the risk associated with private cloud usage. Furthermore, this will help implementers understand the audit and security point of view and the areas auditors will be concerned with, helping them address these concerns up front.

While the cloud and cloud offerings keep evolving and changing, the basic messages, such as focusing on governance, serving the business, optimizing and aligning business results, provided in Visible Ops Private Cloud are fundamental and not likely to change over time. This book can act as a guide to help organizations successfully navigate an initial private cloud offering or refine their current one.

Visible Ops Private Cloud: From Virtualization to Private Cloud in 4 Practical Steps is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

A. Krista Kivisild, CA, CISA, has had a diverse career in audit while working in government, private companies and public organizations. She has served as a volunteer instructor, training not-for-profit boards on board governance concepts, with the Alberta Government Board Development Program and has served as the membership director and CISA director for the ISACA Winnipeg (Manitoba, Canada) Chapter.

