@ISACA Volume 20: 28 September 2011 

@ISACA Relevant, Timely News

New COBIT Process Assessment Model Now Available

Once the need and value of a formal assessment approach based on COBIT® were established through a survey and analysis (more information can be found in volume 7, 2011, of @ISACA), ISACA® began development on a process assessment model (PAM) based on COBIT® 4.1 and ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2:  Performing an assessment. Process assessment requirements have also been provided as input to the COBIT® 5 initiative for consideration in updating the COBIT framework.

The new ISACA publication COBIT® Process Assessment Model (PAM):  Using COBIT® 4.1 provides specific guidance and evidential requirements on how to determine where a process is in terms of the measurement scale. COBIT® Assessor Guide:  Using COBIT® 4.1, scheduled for release in October 2011, will support COBIT PAM and detail how to undertake an assessment.

Assessment sponsors and assessors will be provided with options for scoping the assessment, including risk and scoping tools that are based on existing COBIT mappings. As a specific example, this scoping approach supports an assessment of IT processes relevant to cloud computing. The COBIT processes in scope are defined in Cloud Computing Management Audit/Assurance Program published by ISACA in August 2010.

The initial PAM release will be progressive, subject to the successful completion of pilot assessments, and includes:

  • COBIT PAM—The base reference document for the assessment of an enterprise’s IT processes against COBIT 4.1 and ISO/IEC 15504
  • COBIT Assessor Guide—Will provide information on how to undertake an assessment
  • COBIT® Self-assessment Guide:  Using COBIT® 4.1—To be used by enterprises to perform self-assessments and develop their own improvement plans, scheduled for release in November 2011
  • Supplementary tools—Will support process assessment activities and include scoping templates

The COBIT Self-assessment Guide will enable enterprises to undertake a preliminary internal determination, and the self-assessment results will enable initial process improvement planning. The COBIT Assessor Guide will enable a more formal ISO/IEC 15504 compliance assessment. To meet the requirements of ISO/IEC 15504, it is essential for these evidential-based assessments to be undertaken by competent assessors.

Look for the COBIT Process Assessment Model in the ISACA Bookstore, and watch the Research page for more information on upcoming related releases.


Tips on Evaluating Tokenization Systems
By Tara Kissoon, CISA, CISSP

Tokenization is the process by which sensitive data are replaced with an alternate, nonsensitive value referred to as a token. There are many ways to implement a tokenization solution; therefore, careful evaluation of tokenization systems should be performed prior to implementing any one solution.

Here are some tips to consider when evaluating a tokenization solution for your organization:

  • Ensure that sensitive data values are replaced with nonsensitive values (i.e., a token) and that recovery of the original sensitive data element is computationally infeasible for anyone who has access only to the tokens.
  • Ensure that all elements of the tokenization solution include:
    • Technologies to capture, store and transmit sensitive data elements
    • Operations to manage the tokenization/detokenization process
    • Controls to protect the system(s) responsible for managing:
        – Generation/retrieval of a token
        – Token mapping
        – The sensitive data repository
        – Cryptographic operations
  • Ensure that appropriate security controls are in place on the tokenization systems/processes to include, but not be limited to:
    • Network segmentation
    • An authentication mechanism
    • Logging, monitoring and alerting
    • Token distinguishability
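The checklist above can be exercised in code. The following is an added example, not part of the original article or any ISACA publication: a minimal in-memory token vault that generates tokens at random (so a token is not a function of the card number and cannot be reversed without the vault), keeps the last four digits for business use, builds every token to fail the Luhn check so it is distinguishable from a real card number, requires an authenticated principal for detokenization, and writes an audit record for every tokenize/detokenize call. The principal names, the `index_key` (used only to look up whether a number was already tokenized) and the test card number are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Luhn check: real card numbers pass it; tokens from this vault never do."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    # Constructed secret used only to index PANs for duplicate lookups; it plays
    # no part in generating tokens, which are pure random values.
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    token_to_pan: dict = field(default_factory=dict)
    index_to_token: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    # Constructed allow-list: only this principal may detokenize.
    authorized: set = field(default_factory=lambda: {"settlement-service"})

    def _index(self, pan: str) -> str:
        # Keyed hash so the vault can recognise a PAN it has seen before without
        # storing a reversible or unkeyed digest of it.
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, principal: str) -> str:
        if not pan.isdigit() or len(pan) < 13:
            raise ValueError("PAN must be at least 13 digits")
        idx = self._index(pan)
        token = self.index_to_token.get(idx)
        if token is None:
            while True:
                body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
                token = body + pan[-4:]      # keep last four digits for display
                # Distinguishability: reject any candidate that would pass Luhn,
                # so a token can never be mistaken for (or used as) a real PAN.
                if not luhn_valid(token) and token not in self.token_to_pan:
                    break
            self.token_to_pan[token] = pan
            self.index_to_token[idx] = token
        self.audit_log.append(("tokenize", principal, token[-4:], "ok"))
        return token

    def detokenize(self, token: str, principal: str) -> str:
        # Authentication/authorization gate in front of the sensitive repository.
        if principal not in self.authorized:
            self.audit_log.append(("detokenize", principal, token[-4:], "denied"))
            raise PermissionError(f"{principal} may not detokenize")
        pan = self.token_to_pan.get(token)
        if pan is None:
            self.audit_log.append(("detokenize", principal, token[-4:], "unknown"))
            raise KeyError("unknown token")
        self.audit_log.append(("detokenize", principal, token[-4:], "ok"))
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111", "pos-terminal")   # constructed test PAN
    print("token:", t, "luhn valid:", luhn_valid(t))
    print("pan:", vault.detokenize(t, "settlement-service"))
    for entry in vault.audit_log:
        print(entry)
```

The vault here is a plain dictionary so the control points stay visible; in a deployment the mapping store would itself be encrypted and network-segmented, and `authorized` would be backed by the system's real authentication mechanism. The audit entries deliberately record only the last four digits, so the log never becomes a second copy of the sensitive data.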

For additional information related to tokenization, see “Simplify and Layer Your Security Approach to Protect Card Data” by Tim Horton, in volume 1, 2011, of the ISACA® Journal.

Tara Kissoon, CISA, CISSP, is a director at Research in Motion. Her expertise is focused in payment security across mobile systems.


Register for the 2011 CISM Exam—Updated Job Practice Takes Effect Starting With 2012 Exams

Certified Information Security Manager® (CISM®) exam candidates who have been studying from the current job practice are encouraged to sit for the December 2011 CISM exam as this will be the last exam created using the current job practice. The revised CISM job practice will be used for the first time with the June 2012 CISM exam administration.

Following the 2011 CISM job practice analysis, ISACA® and the CISM Practice Analysis Task Force (PATF) approved a revised CISM job practice and exam delineation. The major change to the job practice involves combining the Information Security Program Development and Program Management domains, as well as updates to better reflect current information security management practices, information security governance and the increased importance of risk management.

ISACA thanks those individuals who participated in the CISM PATF, performed independent reviews of the revised job practice and responded to the CISM job practice survey. These efforts enable ISACA to administer exams that test the most current security management principles and practices.

The final registration deadline for the 2011 CISM exam is 5 October 2011. To register, please visit the CISM Exam Registration page of the ISACA web site.


Auditing Information Security? New Course From ISACA and Deloitte Can Help
Information Security Essentials for IT Auditors • 24-28 October 2011 • Chicago, Illinois, USA

ISACA® and Deloitte & Touche have partnered to offer Information Security Essentials for IT Auditors, a new 5-day course that provides strategies and tactics to effectively address information security issues in the workplace. Attendees have the opportunity to strengthen their information security skills and knowledge through discussions, exercises and case studies led by an expert team of Deloitte trainers.

John Berti, CISM, CISSP, SSCP, a senior manager in the Canadian practice of Deloitte & Touche’s Security and Privacy Services consulting practice, and Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP, CISSP, MBCS, a manager in the Audit & Enterprise Risk Services practice of Deloitte & Touche’s Los Angeles, California, USA, office, will instruct participants in using information security frameworks, common architectures and security models, and in identifying, measuring and mitigating information security risks relevant to today’s complex IT systems.

Held 24-28 October 2011 at Deloitte’s Chicago offices, Information Security Essentials for IT Auditors is recommended for IT auditors, integrated auditors, business process auditors, audit managers and IT managers responsible for information security. Take advantage of this new opportunity and register now!


Shape Your Profession—Volunteer Now for

Volunteers are critical to the success of ISACA®, and we are continually looking for individuals who are willing to share their time and talent. Through an extensive network of oversight boards, committees and subcommittees, volunteers help ensure successful certification programs, comprehensive professional conferences, timely education programs, insightful research, thorough and appropriate online resources, representative professional standards, and financially sound infrastructures. In short, ISACA volunteers ensure that members receive the high-quality resources they have come to expect from ISACA.

You can volunteer now. Visit the Volunteering page of the ISACA web site and read the newly released 2012-13 Invitation to Participate brochure. There you can learn more about volunteering at the international level, including the opportunities available and the process for submitting names for consideration. After reviewing the details on the web site and in the brochure, identify the volunteer opportunities that are of most interest to you and complete the online application. Volunteer applications for the 2012-13 administrative term are due 16 February 2012.

Please note that hard copies of the Invitation to Participate brochure will be mailed to all members with volume 6, 2011, of the ISACA® Journal.


CISA Certification Provides Opportunities for Networking and Professional Advancement
Ulrike Knödlstorfer-Ross, CISA, CIA, Shares Her Experiences as a CISA

Although already a seasoned Certified Internal Auditor (CIA), Ulrike Knödlstorfer-Ross knew that specializing in a particular area of auditing would further develop her skills. Her interest in IT, coupled with some initial experience in IT auditing, led her to pursue the ISACA® Certified Information Systems Auditor® (CISA®) designation. “It was clear to me that I would need the CISA certification if I was going to make real progress,” Knödlstorfer-Ross explained. She also knew that the European Union (EU) recommends the ISACA COBIT® framework as a reference for paying agencies and that the EU values the CISA qualification.

Now a senior auditor at Agrarmarkt Austria, Knödlstorfer-Ross values the variety her position offers. “I enjoy the opportunity to question established procedures—to really get below the surface and understand how they work. That involves a good deal of analysis, which I find intellectually stimulating,” she explained. In addition, “I really like working closely with colleagues from different parts of the organization, forging agreements on the best ways to move forward,” she said.

Because of her almost decade-long involvement with ISACA, including serving as a board member of the Austria Chapter and as a certification coordinator, Knödlstorfer-Ross is able to collaborate with like-minded professionals away from the office, as well. “ISACA membership provides opportunities for meeting with colleagues from outside my own organization and for networking,” she explained.

In addition to providing networking opportunities, attending IT events helps Knödlstorfer-Ross ensure that her knowledge is current. “Keeping up to date with the latest developments in the IT world, which, as you know, occur with incredible speed, is the biggest challenge I face in my job,” she stated. “That is another area in which ISACA provides me with support, through educational events at the chapter level as well as international e-symposia,” she explained. Knödlstorfer-Ross’ employer understands the value of continuing professional education and funds her attendance at various IT events in both Germany and Austria.

For those professionals considering pursuing the CISA certification, Knödlstorfer-Ross offers the following advice: “The amount of work they will have to put into preparation for the exam may be considerable, depending on the extent and nature of their previous experience and education; however,” she continued, “if they see it correctly—as the first step towards a very interesting career—then the input will seem more than justified.”


New ISACA Publications on COBIT Mapping, Geolocation and BCM Available

ISACA® recently released:

  • Geolocation:  Risk, Issues and Strategies—Geolocation data, which reveal an individual’s physical location, are obtained using tracking technologies such as global positioning system devices, Internet Protocol (IP) geolocation databases that map IP addresses to geographic locations, and financial transaction information. This white paper explains how geolocation works and presents the business benefits and the risk, security and privacy concerns. The white paper also discusses the governance and assurance of applications using geolocation. This and other white papers are available as complimentary PDFs on the White Papers page of the ISACA web site.
  • COBIT® Mapping:  Overview of International IT Guidance, 3rd Edition—This is an updated overview of the series of detailed COBIT® mapping publications, including mappings with Capability Maturity Model Integration for Development, Version 1.2; the US Federal Financial Institutions Examination Council; ISO/IEC 17799 and 20000; ITIL Version 3; US National Institute of Standards and Technology Special Publication 800-53 Revision 1; the Project Management Body of Knowledge; and The Open Group Architecture Framework 8.1. The overview is available as a complimentary PDF on the Research page.
  • Audit/assurance programs—These and other audit/assurance programs are available as complimentary Word documents for ISACA members on the Audit Programs page:
    • Business Continuity Management Audit/Assurance Program
    • Microsoft® Windows File Server Audit/Assurance Program

Information on current research projects is posted on the Current Projects page.
