@ISACA Volume 21: 13 October 2010 

@ISACA Relevant, Timely News

Take a Seat at the Board Table

Nominations for the ISACA® Board of Directors for the 2011-2012 term are open. Visit the Volunteering page of the ISACA web site for information about serving on the board, the attributes for office (both international president and vice president) and the nomination form.

Members may nominate themselves and/or other members they believe match the attributes of office. All nominations will be acknowledged, and all candidates will be required to complete a candidate profile form. The form confirms the candidate’s willingness to serve if selected and gives the Nominating Committee information on which to evaluate the candidate. The committee may also review other information on candidates, for example, via public web sites (e.g., Google, Facebook, LinkedIn) and telephone interviews with the candidates.

Nominations for the Board of Directors close 7 January 2011. Interested parties are encouraged, however, to submit their nomination form as early as possible to give the Nominating Committee ample time for evaluation.


1,000th CRISC Certified
Early-bird Deadline for Grandfathering Program Fast Approaches

Four months into its rigorous grandfathering program for the Certified in Risk and Information Systems Control™ (CRISC™) designation, ISACA has certified the 1,000th professional.

The CRISC certification serves IT and business professionals who have knowledge and experience identifying and evaluating entity-specific risk, and a proven ability to design, implement, monitor and maintain effective risk-based information systems controls.

Requirements for the CRISC certification under the grandfathering program, which kicked off 1 April 2010, call for applicants to prove at least eight years of IT or business experience, including six years of cumulative work experience covering the five CRISC domains. Three of those six years of experience must be in the risk-related domains (domains 1-3).

  • Domain 1—Risk identification, assessment and evaluation
  • Domain 2—Risk response
  • Domain 3—Risk monitoring
  • Domain 4—IS control design and implementation
  • Domain 5—IS control monitoring and maintenance

While the CRISC grandfathering period will remain open through 31 March 2011, you can take advantage of the grandfathering early-bird application fee by applying by 31 October 2010.

After the grandfathering period has closed, candidates will be required to pass the CRISC exam in addition to fulfilling other requirements to attain the designation. The first CRISC exam will be administered in June 2011.

Visit the CRISC Grandfathering page of the ISACA web site to learn more about this certification and how to apply.


Four Steps to Evidence Review
By Leighton Johnson, CISA, CISM, CIFI, CISSP

There are four general steps to reviewing the evidence collected during an incident response or forensics investigation. Each step is critical to ensuring that the proper response and/or investigation takes place for the event or incident. Follow these steps to conduct an effective evidence review:

  1. Acquire the evidence during the case investigation by conducting a proper search for all of the data available during the initial response. Once the data are discovered, then they need to be seized so they cannot be inadvertently or maliciously altered before the analysis can begin.
  2. Authenticate the data seized at the incident scene so that they can support proper activities and eventual disposition. The collection activity must include all potential sources of data involved in the incident, such as computers; storage devices, including memory cards from cameras and Subscriber Identity Module (SIM) cards from cellular phones or personal digital assistants (PDAs); removable storage devices; and, if necessary, network storage locations. The data must be collected in the proper format, using forensics methodologies such as bit-stream image copying with hashing of copies. Authentication rests on that hash: a cryptographic hash of the original media computed at acquisition must match the hash of the image, and the match must be recorded, so that the copy can later be shown to be identical to what was seized and any subsequent alteration can be detected.
  3. Examine the evidence with a detailed digital analysis for full and proper review. Analysis is performed on the verified image, not on the original media, which remain sealed. Use of documented and approved outside data repositories, such as national or international law enforcement databases, is permitted within the constraints of the investigation. All evidence seized must be evaluated as it is found, in the context of the incident, and with proper tools and techniques for complete content review of all potential sources of data.
  4. Document and record every step of the response and investigation for further examination and possible legal action. Each step must be meticulously recorded: the action taken, the time and date, the investigator performing it, and the results of applying the tools and techniques to the evidence. This process results in a detailed report of all actions, activities, results and conclusions of the investigation and/or response. The report must be formal and detailed, since it is very possible that it will be included in a legal action.
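Steps 1, 2 and 4 above can be carried out with a very small amount of code. The following is an added example, not tooling from the author or ISACA: it makes a bit-stream copy of a file standing in for a seized device, hashes the stream as it is read, re-hashes both original and image to authenticate the copy, re-verifies the image before examination, and records every action with a timestamp and examiner name in a chain-of-custody log. The case number, examiner name, file names and sample data are constructed for the demonstration.

```python
"""Acquire, authenticate and log a piece of digital evidence.

Added example (not from the article): bit-stream copy of a source file
standing in for a seized device, hashed as it is read, then re-hashed and
compared so the image can be shown to be identical to the original; every
step is written to a chain-of-custody log. Case id, examiner and file
names below are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so large images never sit in memory


def hash_file(path: str) -> str:
    """SHA-256 of a file, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src: str, dst: str) -> str:
    """Copy src to dst byte for byte; return SHA-256 of the bytes as read.

    Hashing during acquisition fixes what the source looked like at the
    moment it was imaged, before anything else touches it.
    """
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to the evidence, and when."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, **result) -> dict:
        entry = {
            "case": self.case_id,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "examiner": self.examiner,
            "action": action,
            "result": result,
        }
        self.entries.append(entry)
        return entry

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire_and_authenticate(src: str, image: str, log: CustodyLog) -> str:
    """Image the source, then prove the image matches it.

    Returns the SHA-256 all three computations agree on; raises if the
    acquisition-time hash, the source and the image disagree.
    """
    acquired = bitstream_copy(src, image)
    log.record("acquire", source=src, image=image, sha256=acquired)
    src_hash, img_hash = hash_file(src), hash_file(image)
    verified = src_hash == img_hash == acquired
    log.record("authenticate", source_sha256=src_hash,
               image_sha256=img_hash, verified=verified)
    if not verified:
        raise RuntimeError("image does not match source; repeat acquisition")
    return img_hash


def verify_before_examination(image: str, expected: str, log: CustodyLog) -> bool:
    """Re-hash the working image before analysis; a mismatch means it changed."""
    ok = hash_file(image) == expected
    log.record("reverify", image=image, expected=expected, verified=ok)
    return ok


def run_demo() -> dict:
    """Constructed scenario: image a fake device, verify it, then show that
    a single altered byte in the image is caught on re-verification."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "seized-device.bin")
        img = os.path.join(d, "seized-device.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of deterministic sample data
        log = CustodyLog(case_id="CASE-2010-0001", examiner="J. Examiner")  # made up
        digest = acquire_and_authenticate(src, img, log)
        clean = verify_before_examination(img, digest, log)
        with open(img, "r+b") as f:  # simulate tampering with the working copy
            f.seek(4097)             # this byte is 0x01 in the sample data
            f.write(b"\x00")
        tampered = verify_before_examination(img, digest, log)
        return {"sha256": digest, "clean": clean, "tampered": tampered,
                "entries": len(log.entries), "log": log.dump()}


if __name__ == "__main__":
    print(run_demo()["log"])
```

In practice the source would be a block device opened read-only behind a hardware write blocker, and the log would be signed or stored where the examiner cannot silently edit it; the structure of the record (action, time, examiner, result) is what step 4 calls for.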

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team (ISFMT) of Bath, South Carolina, USA.


Caniglia Receives Appreciation Award for Years of Service

In honor of his years of service to ISACA®, Don Caniglia was presented with the ISACA Appreciation Award in September. This award is in recognition of his key role in the management of K-NET®, since its inception as the Global Information Repository in 1999.

K-NET was an Internet-based compendium of reference materials on topics of concern to IS auditors, control and security professionals, IT executives, and others impacted by the governance of enterprise IT. It was designed to help those individuals meet their needs for continuous, consistent and up-to-date information. A database with thousands of entries, K-NET was an invaluable resource when utilized as a research tool for seeking knowledge on a broad spectrum of IT issues.

Caniglia acted as the primary resource for this important ISACA benefit since 2001, reviewing, adding and maintaining K-NET links and communicating with K-NET volunteers, who recommended links. He also recommended and set new categories and subcategories of content, assisting in K-NET’s evolution.

With the advent of the renovated ISACA web site, K-NET has now evolved into the Knowledge Center. The next step in the evolution of sharing knowledge on ISACA’s web site, the Knowledge Center offers a place for participants to consume information, exchange expertise and experience, and build new understanding through collaboration. Learn more by visiting the Knowledge Center on ISACA’s web site.


New Monitoring of Internal Controls Publication Expands Guidance

Monitoring Internal Control Systems and IT provides useful guidance and tools for enterprises interested in applying IT to support and sustain the monitoring of internal controls. In addition, it provides guidance for the design and operation of monitoring activities over existing IT controls.

The publication moves beyond a purely conceptual treatment of monitoring and provides diverse examples, case studies and practical tools to help implement it. The approaches provided will need to be customized to reflect the specific circumstances of each enterprise.

Monitoring Internal Control Systems and IT:
  • Complements and expands on the 2009 edition of COSO Guidance on Monitoring of Internal Controls Systems
  • Brings emphasis to the monitoring of application and IT general controls
  • Discusses the use of automation (tools) for increased efficiency and effectiveness of monitoring processes

Executives and other members of senior management will benefit particularly from the executive overview of the subject matter and suggested questions that senior management should ask to determine whether the monitoring of internal controls is adequately addressed within their enterprise. Business process owners will find particular value in the description of how to monitor key IT application controls and how to automate monitoring processes. IT professionals will benefit from the overall approach of the publication, which goes beyond theory and provides templates and tools that can be leveraged when developing and implementing a monitoring project.

A complimentary PDF of Monitoring Internal Control Systems and IT is available to members only for download on the ISACA web site. The Executive Summary of the publication is available to members and nonmembers as a complimentary PDF download on the ISACA web site. The printed publication can be purchased from the ISACA Bookstore.


ISACA Knowledge Center Tips: Connecting With Other Users

In addition to collaborating with ISACA’s 95,000 constituents through discussions within the Knowledge Center of the ISACA® web site, members can connect by using the “My Connections” feature. Once you are connected with other users, you will be able to send them messages through the ISACA messaging system.

Follow these steps to make connections:
  • Log in to ISACA.org to make connections.
  • Click on a user’s name to view his/her profile. Users can be found in the Knowledge Center within a topic; at the bottom of “Newest Members,” click “See all members” to see all members of a topic area.
  • Search for users using People Search.
  • From the profile, invite the user to join your connections.
  • View all of your connections and Knowledge Center groups in MyISACA. You can send messages to your connections by clicking on “Contact” under their name. The number next to the orange icon displays your connections to other users.
  • Control what other users see about you in your profile. To edit your profile settings, add your profile to search and manage your privacy settings, click on MyProfile in the MyISACA tab. Then, select from the right navigation menu.

We encourage you to connect frequently with members of ISACA to share knowledge and experience and join discussions of industry developments. The ISACA community is growing; be a part of it!


Four New Audit/Assurance Programs Available

ISACA® has developed four new audit/assurance programs. These programs are part of the Information Technology Assurance Framework (ITAF) section 4000—IT Assurance Tools and Techniques and are now available on the New Books page in the ISACA Bookstore. These programs are available to members as a complimentary download.

  • Audit/Assurance Program: Cloud Computing Management
  • Audit/Assurance Program: Crisis Management
  • Audit/Assurance Program: Information Security Management
  • Audit/Assurance Program: Windows Active Directory
Please visit the ISACA Bookstore page of the ISACA web site for additional ISACA-published audit/assurance programs, including:
  • Audit/Assurance Program: Change Management
  • Audit/Assurance Program: Generic Application
  • Audit/Assurance Program: Identity Management
  • Audit/Assurance Program: IT Continuity Planning
  • Audit/Assurance Program: Network Perimeter Security
  • Audit/Assurance Program: Outsourced IT Environments
  • Audit/Assurance Program: Security Incident Management
  • Audit/Assurance Program: Systems Development and Project Management
  • Audit/Assurance Program: UNIX/LINUX Operating Systems Security
  • Audit/Assurance Program: z/OS Security

Contact the Bookstore at bookstore@isaca.org or telephone +1.847.660.5650 with any questions.


Taking Governance Forward Web Site Launch

The new Taking Governance Forward web site has been launched to help put all of the pieces of a governance system—objectives, enablers, views, roles, activities and relationships—together. ISACA® believes delivering the results as an interactive web site will foster more deliberation and discussion and provide a dynamic way for everyone to contribute to the current debate on what governance is and how it works.

This web site is the outcome of an initiative led by the IT Governance Institute® (ITGI®) to provide a high-level overview of governance: its definition, components, participants and views. It is designed to be brief, simple, straightforward and practical, with minimum theory. It is intended to depict “governance on a page”—holistically and completely.

The objective of this Taking Governance Forward initiative is to reach an agreement on a universally acceptable definition of governance; to clarify the debate on governance by providing a comprehensive, yet simple-to-use overview of the components and relationships of governance; and to provide the reader and user with practical tools to understand the governance views model and learn high-level ways to initiate its implementation.

The material will appeal to different audiences depending on their position and priorities. Those in senior executive ranks or on boards will find the strategic nature of the definition of governance and the one-page modeling of governance of interest. Those who are charged with building governance frameworks or performing practical implementation of governance in the enterprise will find the mappings and implementation guidance useful.

This material has been through several rounds of review by groups of individuals representing differing job titles, years of experience, type of expertise and levels of engagement with governance issues. Now it is time for others to provide input. We look forward to a wide and engaging collaboration!

Visit the new Taking Governance Forward web site to engage in the progress of the governance of IT.

