@ISACA Volume 21: 10 October 2012 

@ISACA Relevant, Timely News

ISACA Partners With APMG for COBIT Training

ISACA has appointed APMG-International as its official international training and accreditation partner for COBIT 5. APMG is a global examination institute that accredits organizations and professionals.

ISACA, in partnership with APMG, is pleased to introduce a new COBIT 5 Training and Accreditation Program, a system that will accredit trainers and organizations to provide training and examination services. Trainers and training organizations are approved, accredited and licensed by APMG to deliver COBIT 5 training and examination services to candidates. Accreditation offers trainers and training organizations the ability to deliver the highest-quality training while also demonstrating the value of their services.

ISACA will work closely with APMG to develop four new COBIT 5 training courses in the next five months. The COBIT 5 course levels and expected availability dates include:

  • Foundation-level training, November 2012
  • Process-level training, December 2012
  • Implementation-level training, January 2013
  • Assessment-level training, January 2013

ISACA’s own subject matter experts will collaborate with APMG to create course syllabi, exam items and accreditation standards.

Learn more about the APMG and ISACA COBIT 5 training and accreditation partnership.


Tips for IT Security Auditing
By Lisa R. Young, CISA, CISM

As an information security professional, it is your responsibility to protect and sustain the enterprise’s information assets against all types of threats. One way to enhance the security posture of your enterprise is to leverage the expertise of a security auditor to help find and fix the worst problems in your security infrastructure. You may be thinking, “Why would I want to invite a security auditor to help me find my greatest weaknesses?” No one relishes an audit, which often seems to involve people poking around and looking for holes in the network or systems. However, a thoroughly conducted audit, with appropriate risk-based scoping, reduces the chance that you will have to report to your management or board that a data breach happened on your watch.

In most enterprises, the information security and audit functions are involved with protection and sustainment of important organizational assets. The information security function has the primary responsibility for establishing and maintaining a cost-effective and robust security program. The audit function, whether internal or external, provides an independent review and analysis of the program. Here are some considerations for participating in and preparing for an IT security audit:

  1. Remember that audits are opportunities to improve the security program, not a personal indictment of security practices. Taking the initiative to request a thorough audit of your security shows management that you are willing to do what is best for the enterprise. It can also help you get additional budget to address serious areas of risk.
  2. Receive from the audit team an audit plan outlining the purpose, scope and approach to the audit. If you are the requestor of the audit, you have an opportunity to provide input on what areas of focus you think are most at risk.
  3. Conduct a review of the current security policies, standards and guidelines, and make sure you understand how those policies are implemented in operation. Often, there are conflicts in the way policies are implemented, especially when relying on technology alone, and an audit can pinpoint the gaps.
  4. Collect, document and organize the procedures and processes that your staff follows to perform their duties. You may find that lack of consistency in performing the processes results in unacceptable variance in the way that certain security controls are implemented.

Security audits should not be limited to technology testing, penetration testing or exploiting vulnerabilities, but should provide an accurate analysis of the risk areas that pose the most danger to the enterprise. A thorough security audit is about regular and consistent validation and verification that the security program is effective in doing what it is designed to do: protect and sustain the enterprise’s critical assets.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that developed the Risk IT publications.


Renew Your Benefits With ISACA

Now is the time to plan for the future of your career. By renewing your ISACA membership, you are assured of continued benefits, including access to networking opportunities and the knowledge resources that serve your professional needs.

  • Did you join a discussion group in the Knowledge Center?
  • Did you attend one of ISACA’s web-based networking and educational opportunities?
  • Did you take an exam and/or earn free CPE credits toward maintaining your certification?
  • Did you download your free copies of the first three COBIT 5 publications?

Stay equipped with the resources you need to enhance your skills, expand your professional knowledge and experience a vibrant local and global community of peers through 2013. Renew your ISACA membership today.

The 2013 ISACA membership renewal invoices will be sent to your preferred mailing address on file on 24 October 2012. To ensure delivery of your invoice, please make sure that your contact information in your Profile is up to date.


Participate as a 2013-2014 ISACA Volunteer

Apply to become an ISACA volunteer—contribute to your profession and earn free CPEs. ISACA’s annual invitation to participate application period is now open.

Volunteers are critical to the success of ISACA, and we are continually looking for individuals willing to share their time and talent. Members interested in volunteering with ISACA at the international level can find information on the opportunities available and the process for submitting names for consideration on the 2013-2014 Invitation to Participate page. In addition to the invitation to participate, learn more about the boards, committees and subcommittees that support the association.

Interested members should review the information contained in the brochure and online, identify those volunteer opportunities that are of most interest, and complete the online application. Volunteer applications for the 2013-2014 administrative term are due by 14 February 2013.

In addition to the annual volunteer appointments, there are a number of volunteer opportunities available throughout the year. For more information visit the Additional Volunteer Opportunities page of the ISACA web site.


Securing Your Enterprise in the Cloud
Join ISACA in Las Vegas for North America ISRM / IT GRC

One of the top concerns expressed by CIOs and security professionals is that sensitive data in the cloud may fall into the wrong hands—exposing the enterprise to an unacceptable level of risk. Attend the North America Information Security and Risk Management and IT Governance, Risk and Compliance Conference (North America ISRM / IT GRC) to learn about the security, risk and governance programs, tools and resources you need to stay on top of the cloud and other industry changes.

This multidimensional event, combining two of ISACA’s premier conferences, will be held 14-16 November in Las Vegas, Nevada, USA, and will feature the latest guidance on security, governance and risk.

Vikas Jain, director of product management—identity products at McAfee, will speak on best practices for secure access to cloud apps. He will discuss creating and managing an identity authorization and authentication structure that will deliver high levels of assurance, without significantly compromising the user experience.

Visit the North America ISRM / IT GRC page of the ISACA web site to learn more and register.


Book Review: A Practical Guide to Reducing IT Costs
Reviewed by Kumar Setty, CISA

A Practical Guide to Reducing IT Costs discusses a high priority at most companies. Total annual IT expenditures typically range from 2 to 6 percent of annual revenues. Given the strict constraints and enormous pressure on executives and boards to slash costs, reducing the cost of ownership of IT assets is an important area to address and explore. Depending on how an internal audit department is positioned within an enterprise, IT auditors can have a unique and comprehensive view of the inner workings and decision-making processes that govern IT spending.

IT evolves at a rapid pace and follows shifting trends. One axiom that has held true for nearly five decades is Moore’s Law: the number of transistors on an integrated circuit doubles approximately every two years. This trend correlates with a steady decrease in the cost of computing power, and the availability of inexpensive computing power in turn corresponds with an increase in the volume of data generated globally by devices, machinery, appliances and people.

Using interviews of 60 IT leaders from various industries with a wide range of backgrounds, Anita Cassidy and Dan Cassidy do a commendable job of illustrating ways to reduce IT costs. The authors also reference their own experiences (60 years of combined experience) to provide further perspective.

The book contains many valuable concepts. The subjects are presented in a well-planned and organized fashion. The authors carefully vetted and evaluated the feedback that they received from IT leaders. Especially useful are the chapters “The Cost Reduction Project” and “Technical Infrastructure.”

This book is well written and a good reference for an internal audit team. One area where an IT auditor may find tremendous value is the service level agreement (SLA) review process. Throughout the book, the authors outline a solid approach to the elements of a sound SLA and methods for evaluating SLAs. The book accommodates a wide range of perspectives and business models. It may serve as a viable reference for an IT governance audit, an SLA review or an IT budget review, and could even help demystify the inner workings of IT budgeting for non-IT finance and legal staff.

A Practical Guide to Reducing IT Costs presents a practical set of guidelines for evaluating IT costs and the consequences and risk of making choices which have an appreciable effect on an IT budget.

A Practical Guide to Reducing IT Costs is available from the ISACA Bookstore. For more information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Kumar Setty, CISA, has more than 10 years of experience in the areas of data analysis, applications development, system development life cycle, auditing and computer security. Setty is a manager at Grant Thornton LLP.


Get the Latest ISACA Releases on the Cloud and Cybercrime and Participate in Standards Exposure

ISACA has issued the following new publications:

  • Security Considerations for Cloud Computing—Part of the Cloud Computing Vision Series, this publication presents practical guidance to all current and potential cloud users who need to ensure protection of information assets moving to the cloud. It helps enable effective analysis and measurement of risk through the use of decision trees and checklists outlining the security factors to be considered when evaluating the cloud as a potential solution. It is available to members as a complimentary PDF and in the ISACA Bookstore for purchase.
  • 2012 Cloud Computing Market Maturity Study Results—This complimentary white paper by ISACA and the Cloud Security Alliance (CSA) discusses important cloud-related issues, provides guidance to help better understand cloud market maturity and addresses factors that inhibit the ability to realize the value of cloud computing. This is part of the Cloud Computing Vision Series.
  • Cybercrime Audit/Assurance Program—This complimentary member download provides management with an independent assessment relating to the effectiveness of cybercrime prevention, detection and incident management processes, policies, procedures and governance activities. The focus is on cybercrime management standards, guidelines and procedures as well as the implementation and governance of these activities.
  • IS Audit and Assurance Standards—This exposure document has been designed to be a living document. The exposure draft updates the current audit and assurance standards, more closely aligning them with the Information Technology Assurance Framework (ITAF). This exposure draft will be available for review and feedback online until 28 December.

Information on current research projects is posted on the Current Projects page of the ISACA web site.

