@ISACA Volume 20: 29 September 2010 

@ISACA Relevant, Timely News

New Risk IT Case Study Available:  MetLife

MetLife Inc., a provider of insurance and other financial services to individual and institutional customers throughout the US, chose to use Risk IT:  Based on COBIT® to create its IT Risk Management Framework because COBIT® is a globally accepted source of best practices and Risk IT’s structure and contents are easily digested by risk professionals. MetLife considers averting risk to its clients, stakeholders and reputation to be vital and seeks to continually enhance its IT risk management processes to remain current with leading practices, the regulatory environment and evolving technology.

The IT Risk and Compliance Group at MetLife plans to use the MetLife IT Risk Management Framework to perform a process maturity analysis on an annual basis, updating its continuous improvement road map based on the results of the analysis, regulatory requirements, available resources and management’s desired process maturity.

Visit the Case Studies page of the ISACA web site to read more about MetLife’s plans to implement Risk IT.


Five Tips for Understanding Risk in Cloud Computing
By Brian Barnier, CGEIT

Understanding the risk in the cloud starts with understanding the value in cloud computing. Cloud computing is not new. The current interest in the cloud comes from four sources of value: economies of scale, efficiencies in management processes, moving to lower-wage countries and new developments in systems management software. This last factor has enabled more complex services in the cloud and has allowed these services to be provided on more generic platforms (as opposed to mainframes). These four sources are also where you can look for changes in risk compared to your current environment. Here are five tips to help:

  1. Get a detailed understanding of the cloud provider’s environment—applications, middleware, servers, data management, data storage, network, facilities and IT management processes (e.g., COBIT®, ITIL). Ask about new technologies or new ways of assembling technology. Probe on middleware and systems management software that provide key points of connection that might be newer and riskier.
  2. Compare to your current environment to fully understand the differences and, thus, differences in risk. This includes both logical and physical differences such as where data are located and through which locations data are transferred.
  3. Probe for threat characteristics that are different in the cloud provider’s environment than in your own. For example, does the location of facilities or employee turnover rates make them more susceptible to physical penetration by organized crime or foreign government covert action? Alternatively, greater scale in the service provider might mean more resources to support deeper use of COBIT, Val IT™:  Based on COBIT or Risk IT:  Based on COBIT.
  4. Move beyond risks to operations, and consider risk to business value. For example, application outsourcing (especially offshoring) breaks most principles of agile application development. If your enterprise is stable, this might be an opportunity for cost savings. If flexibility is key to competition, then using a service provider might add significant risk.
  5. Frame the results of your analysis in business terms—risk to revenue, cost, marketing and operating metrics. With cloud computing decisions frequently driven by business (especially financial) metrics, it is critical that your risk assessment is also in business terms.

A white paper, available as a free download from ISACA, titled Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, describes how enterprises can achieve greater efficiencies and mitigate new risks associated with cloud computing. Also, ISACA’s Risk IT framework can assist prospective cloud clients in initiating their own security risk assurance program and determining if current cloud service offerings meet the security requirements needed for specific cloud applications and data.

Brian Barnier, CGEIT, is a principal at ValueBridge Advisors. He teaches, speaks and researches widely. For information on Risk IT, visit The ISACA Risk IT Framework presentation by Barnier on the Mash Risk Television web site. Barnier can be reached at brian@valuebridgeadvisors.com.


“Don’t Think, Just Do” for a Rewarding IT Career
Ross E. Wescott, CISA, CIA, CCP, CBM, Shares His Experiences as a CISA

When Ross E. Wescott was in college, he was aware of auditing only in relation to the US Internal Revenue Service (IRS) and was not familiar with the career in IT auditing that awaited him. “Audit, security, governance, risk and control were not in my career plans,” he explained. “While I did spend 13 years as an IT professional, it was not until I ‘fell’ into IT audit and started to refocus on audit, security, governance, risk and control that my career became expanded, full of opportunities and satisfying.”

As Wescott moved into internal auditing from a position in IT, certification was a requirement of his director for advancement. “Since I wanted to advance and have a meaningful career in internal audit, it made sense to pursue the Certified Information Systems Auditor® (CISA®). It was the only IT-audit-related certification at the time (1988),” he said.

Aside from gaining a sense of accomplishment by earning the CISA, Wescott soon found a world of opportunities open to him. “IT audit, ISACA® and the CISA certification have afforded me opportunities that I would not have had staying strictly in IT, including being professionally published, speaking and presenting at conferences and educational events, traveling beyond North America, and meeting and working with other professionals in the worldwide community,” he said. “I know that if I had stayed in my former profession, those opportunities would not have surfaced.”

Further, Wescott feels holding the CISA credential has provided job security. “Professionally, quite frankly, having the CISA has kept me continuously employed since 1986,” he noted. “And, the annual training I take to maintain the CISA helps me to stay abreast of current IT issues and remain relevant for my clients.”

Wescott finds the biggest challenge he faces in his job is staying relevant and competent. “Certification without competence is shallow,” he stated. “While the essence of IT and IT auditing remain fairly stable (e.g., well-controlled access, the ability to recover from unexpected events, efficient and effective processes for development and maintenance), new technology and new ways of using existing technology put different spins and challenges on how the basic essence is handled.”

Continuing education helps Wescott meet the challenge. He earns continuing professional education (CPE) credits by attending ISACA-related courses put on by his local chapter, attending at least one conference a year and volunteering for ISACA at the international level. “In aggregate, all of those provide me with the knowledge and professional interaction needed to keep my certification and job performance relevant,” he said.

To those thinking about pursuing the CISA credential, Wescott advises, “Stop thinking about it and just do it. The satisfaction and potential for a better and satisfying career are there, out in the open, for the taking.” He urged, “Don’t think, just do. With diligence and increasing competence, that world is open and available.”

Ross E. Wescott, CISA, CIA, CCP, CBM, is the chief IT auditor at Portland General Electric Company. He has been actively involved with ISACA, serving over the years on numerous boards and committees. He has also been an international vice president and has held officer positions with the Willamette Valley Chapter.

Editor’s Note

The deadline to register for ISACA’s December CISA exam is 6 October 2010. Visit the Certification page of the ISACA web site for information on ISACA certifications.


New Online COBIT Training

ISACA® has enhanced and restructured its online COBIT® training to meet the needs of ISACA’s global membership. This web-based, self-paced course is designed to give foundation-level instruction on the COBIT® 4.1 framework and prepare you for the COBIT exam.

The course is divided into five sections, or modules, each designed to educate you on the need for, and benefits of, an enterprise governance of IT framework. In module one, you will become familiar with the principles of governance of IT and be able to recognize the IT management issues that commonly affect enterprises. In module two, you will begin to identify COBIT components and understand how COBIT satisfies the requirements for a control framework. In module three, you will learn about the COBIT IT processes and control objectives and the IT Assurance Guide. Module four explains how to apply the COBIT framework in a practical situation by explaining the use of management guidelines, control objectives and control practices for key processes. Module five covers several different COBIT resources that are available to users, including COBIT Online® and COBIT® Quickstart.

The new and improved Online COBIT® Foundation Course, complete with an updated case study, interactive activities and a practice test, is now available on the ISACA® e-Learning Campus. Visit the E-learning page of the ISACA web site to register for the course; e-mail elearning@isaca.org for more information.


DEA Names CISA a Certification Required to Perform Audits of Electronic Prescriptions

The US Drug Enforcement Administration (DEA), which regulates the wholesale and retail distribution of controlled substances by pharmaceutical manufacturers, doctors and pharmacies, recently issued a new regulation requiring third-party audits of electronic prescriptions to be performed by either a Certified Information Systems Auditor® (CISA®) or a Certified Public Accountant (CPA) (using the SAS 70 and/or SysTrust standards).

The Electronic Prescriptions for Controlled Substances (21 CFR Parts 1300, 1304, 1306, and 1311) regulation, which provides prescribers with the option of writing prescriptions for controlled substances electronically, permits pharmacies to receive, dispense and archive these electronic prescriptions.

The mandate is found within section 1311.300, “Application provider requirements—Third-party audits or certifications,” which requires that “both electronic prescription applications and the prescription processing module in pharmacy applications should be subject to a third-party audit that met the requirements of SysTrust or WebTrust audits (or for pharmacies, SAS 70).” The regulation instructs that the audit must be performed by a CISA or CPA.

“By establishing these requirements, the DEA is encouraging the pharmaceutical industry to use the conveniences and efficiencies of modern technology, while safeguarding the process with a system of controls and reviews,” said Mark H. Petterson, CISA, chair of ISACA’s CISA Certification Committee. “It is rewarding that the CISA certification can be a part of that process.”

Visit the CISA page of the ISACA web site for information about the CISA certification. The deadline to register for ISACA’s December CISA exam is 6 October 2010.


Study Aids Help in Preparing for Certification Exams

Are you preparing for the December 2010 Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®) or Certified in the Governance of Enterprise IT® (CGEIT®) exam? ISACA’s Bookstore offers a variety of study aids that can assist in your preparations. Many of ISACA’s certification exam study aids are available in French, Italian, Japanese and Spanish.

2010 December exam study aids:

Contact the Bookstore at bookstore@isaca.org or +1.847.660.5650.


ISACA Publishes Turkish Edition of Its Standards Publication

To increase public awareness of IT governance, audit and assurance in Turkey, ISACA® has released a Turkish edition of its assurance guidance, IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals.

ISACA thanks the following contributors for their translation work. ISACA member Omer Yurdagul, a former bank inspector and the internal auditor of the Social Security Institution of Turkey, initiated the translation project to provide comprehensive assurance guidance to help Turkey as it transforms into an information society. Kurtulus Ozgur Yildiz and Mehmet Ali Ocakli provided professional technical assistance and support to Yurdagul in the translation project. Fatih Sahin, CISA, senior bank inspector and member of Vakifbank Inspection Board, shared his experience and support for the quality and assurance of the work. His contribution and voluntary effort provided significant value to the project.

Visit the Standards page of the ISACA web site to download this translation at no cost.

