@ISACA Volume 21: 9 October 2013 

@ISACA Relevant, Timely News

ISACA Welcomes Acting CEO

ISACA is pleased to announce that, effective 1 October 2013, Ron Hale, CISM, Ph.D., has begun serving as the acting chief executive officer (CEO) and corporate secretary of both the association and the IT Governance Institute (ITGI). Prior to taking on the CEO responsibilities, Hale held the position of ISACA’s chief knowledge officer (CKO).

Hale’s professional background includes more than 20 years of security experience. He was manager of security services for Northrop Corporation Defense Systems Division, responsible for developing and managing the security program for classified and unclassified systems, as well as corporate investigations, crisis management, technical surveillance countermeasures, executive protection and security awareness. As a research manager for the Bank Administration Institute, Hale published research reports on bank security and fraud, including the first study of ATM security and fraud. Hale has also provided consulting services to many leading organizations as a practice director in the enterprise risk management practice within Deloitte & Touche.

In his time with ISACA, Hale has been responsible for directing the Certified Information Security Manager (CISM) certification program and for serving the needs of the security profession through research projects and publications. He has a master’s degree in criminal justice from the University of Illinois (USA) and a doctorate in public policy from the Walden University School of Public Policy and Administration (Minnesota, USA).


Your Input Is Sought on IS Audit and Assurance Guidelines Exposure Drafts

Your comments are important! As part of the due diligence process, ISACA has issued the revised IS Audit and Assurance Guidelines Exposure Drafts for public comment through 31 December 2013. The ISACA Professional Standards and Career Management Committee revised the guidelines to ensure that they directly support the new standards and align with COBIT 5.

The number of guidelines has been reduced from more than 40 to 18, among other improvements. This update was achieved by optimizing the portfolio to consist of only guidelines that directly support one or several standards.

In July 2013, ISACA released its revised IS Audit and Assurance Standards, which are effective as of 1 November 2013. Topics previously covered within the guidelines, but outside of the new scope, have been largely addressed through audit programs and white papers.

The online survey for each guideline category (2000 General, 2200 Performance and 2400 Reporting) contains 5 questions for each guideline. Each question addresses a separate aspect of the guideline:

  1. Rate the guideline’s support of the standards listed.
  2. Rate the guideline according to the following characteristics:
    • Accurate
    • Complete
    • Relevant
    • Clear and concise
    • At the appropriate level of detail
    • Well structured
  3. Is the linkage to the listed COBIT 5 process appropriate?
  4. Provide any additions/revisions to the COBIT linkage in the guideline.
  5. Provide any suggested revisions for the guideline. Identify the section number.

To submit feedback on the draft guidelines, visit the IS Audit and Assurance Guidance page of the ISACA web site.


Nominate Members for 2014-2015 International President and Vice President

Nominations for the ISACA Board of Directors for the 2014-2015 term are now open. Information about serving on the board, the attributes for office (both international president and vice president) and the nomination form are available from the Board Nominations page of the ISACA web site.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. If self-nominating, you will also be asked to submit a letter of recommendation from an ISACA member, outlining how you demonstrate the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and, possibly, interviews.

Nominations for international president close on 15 October 2013; nominations for vice president close on 7 January 2014. These are the dates by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form, résumé and letter of recommendation, if required). Please allow enough time to contribute all materials by the deadlines noted. Questions may be directed to nominate@isaca.org.


ISACA Certifications Rank High for Pay Performance

According to the latest IT Skills and Certifications Pay Index™ (ITSCPI) report from Foote Partners LLC, individuals who have attained an ISACA certification ranked among the highest on its pay performance index.

The average pay premiums for 289 IT certifications were surveyed and the Certified Information Security Manager (CISM) and the Certified in the Governance of Enterprise IT (CGEIT) tied with other certifications as the fourth highest-paying certification for the second quarter of 2013. The Certified Information Systems Auditor (CISA) and the Certified in Risk and Information Systems Control (CRISC) tied as the fifth highest-paying certification. In addition, CGEIT’s market value increased by 10 percent during the quarter ending 1 July 2013.

This recognition of ISACA certifications indicates that employers are investing in professionals with specific IT skill sets that demonstrate the knowledge and expertise to address current and emerging challenges.

Learn more about ISACA certification on the Certification page of the ISACA web site.


Book Review: Reverse Deception: Organized Cyber Threat Counter-Exploitation
Reviewed by Jeimy J. Cano M., Ph.D., COBIT (F), CFE, CMAS

The art of deception has been used since ancient times to achieve objectives in the fields of battle, on the negotiating table, in disputes and in business. However, deception can also be a source of assurance to help businesses protect themselves from cyberenemies and increase their ability to respond to the unexpected.

Reverse Deception: Organized Cyber Threat Counter-Exploitation illustrates a set of strategies and models to help information security professionals develop the ability to deceive as an organizational competence, thus allowing the organization to control the responses of adversaries as far as possible and to maintain a competitive advantage over current dynamic IT threats.

This book helps to identify unseen threats and to categorize and organize each level of risk and its actions according to expert judgment. The authors describe the techniques used in this context including deception, counterdeception, behavioral profiling and emerging issues such as persistent threats. Readers may find familiar analysis scenarios and new approaches to help generate a different understanding of the current problems of protecting information and networks.

Reverse Deception: Organized Cyber Threat Counter-Exploitation provides a resource for understanding threats to ensure information security practices in organizations. The book’s unique approach helps IT auditors and information security professionals to think outside of their comfort zone and raise their thoughts and recommendations beyond current risk practice indications.

Reverse Deception: Organized Cyber Threat Counter-Exploitation is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Jeimy J. Cano M., Ph.D., COBIT (F), CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Colombia. He has been a practitioner and researcher in information and computer security, digital evidence and computer forensics for more than 17 years in different industries. Cano is a member of the ISACA Publications Subcommittee.


Outsourcing Management Tips

Each type of outsourcing has its pros and cons, and the type selected depends on the organization’s requirements. Whichever services an organization chooses to outsource, it must ensure that the risk associated with outsourcing is identified and that the necessary controls are in place.

Generally, organizations outsource to take advantage of skills and knowledge availability and to optimize operational costs. Outsourcing deals are typically of 3 types:

  1. Total outsourcing—The vendor provides and manages the entire IT setup required to run business processes.
  2. Partial outsourcing—The organization and service provider jointly provide and manage the IT that supports business processes.
  3. Resource sourcing—The organization manages services and the service provider manages resources.

Here are a few tips that organizations may consider when managing outsourcing:

  1. Build a foundation—Ensure the appropriateness of requirements and solutions. If needed, get impartial advice.
  2. Define a road map—Determine the final outcome of outsourcing and prepare a strategy.
  3. Plan sourcing—Unplanned sourcing decisions may cost more money than resulting savings.
  4. Determine service levels and a measurement process—To build a relationship with outsourcing third parties, it is necessary to determine the appropriate service level agreement that covers the business, compliance and legal requirements. Once service levels are determined, ensure that a process is in place to measure achievement of service levels based on performance and ensure that the measures are understood.
  5. Draft the service level agreement (SLA)—Drafting the SLA and getting approval from the vendor is the most essential part of outsourcing. It is a good idea to ensure that the SLA is specific, simple and defines the method for adopting future changes.
  6. Build the relationship—Although outsourcing revolves around the SLA, building a relationship for mutual benefits is helpful. Consider appointing a relationship manager.
  7. Manage people—The success of outsourcing is in appropriate management. Process and technology perform only if people perform.
  8. Manage change—Change management is the crux of outsourcing management and a robust change management process must be in place.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, CEH, CISSP, ISO 27001 LA, BS 25999 LI, MCA, PMP, is a consultant and trainer in IT governance and information security.


Explore New Training Opportunities

Businesses worldwide are looking for talented trainers. The On-site Training program from ISACA is looking for experienced professionals to deliver outstanding training programs to enterprises in nearly all industries.

ISACA trainers are dedicated professionals who hold multiple IT industry certifications. Currently practicing in their related fields, these professionals bring their unique, real-world experiences to the course they facilitate. Each trainer delivers proven strategies, techniques and good practices to the classroom. These skilled facilitators are also ISACA members who have contributed regularly to ISACA research and the IT profession.

If you or someone you know has training experience in IT audit and assurance, risk management, security, governance and/or compliance and would like to learn more about training opportunities with ISACA, please contact onsitetraining@isaca.org.


Expert From Google Enterprise to Speak on the Cloud

Significant opportunities in cloud computing exist. From public cloud messaging to collaboration using applications such as Google Apps, users can communicate from anywhere on any device while reducing the amount of infrastructure the IT team needs to support. James Snow, product strategist at Google Enterprise, focuses on Google Apps and is the voice of product and engineering to customers and partners. Snow will present a special discussion session titled “Is Your Data Safer in the Cloud?” at the North America Information Security and Risk Management (ISRM) Conference, 6-8 November 2013, in Las Vegas, Nevada, USA.

In this special session, Snow will explore opportunities available to deploy cloud computing solutions; how to assess security, privacy and other risk factors of concern to the information security (IS) professional; and how Google is addressing these issues. Formerly responsible for security and compliance in error modes and effect analysis (EMEA) for Google Enterprise, Snow has extensive product knowledge in Google Apps, the Google Cloud Platform, and enterprise search and message security products. Snow has been the lead engineer on some of the largest apps, search and security arrangements for companies such as Ahold, Randstad and KLM.

For additional information, visit the North America ISRM page of the ISACA web site.

