@ISACA Volume 22: 23 October 2013 

@ISACA Relevant, Timely News

Take the COBIT 5 Courses and Exams

More than 4,000 people worldwide have taken the COBIT 5 Foundation, Implementation or Assessor exams. Individuals looking to take exams have the following options:

  • Take an exam through an Accredited Training Organization (ATO) or through an accredited individual trainer who offers the exam as part of a training course.
  • Take an ISACA educational program (available onsite, at pre- and post-conference workshops and through ISACA Training Week).
  • As a self-study candidate for the Foundation exam, take the exam at a public exam center with our third-party partner, APMG, online or via a Pearson testing center. For additional information on this option, please visit APMG-International.

There are 2 COBIT training paths: COBIT Implementation and COBIT Assessor. Both paths first require passing the COBIT Foundation exam. An individual interested in the Implementation path will be required to complete the Implementation course and pass the Implementation exam.

For the Assessor path, an individual must complete the Assessor course, pass the exam and meet experience requirements to apply to become a COBIT Certified Assessor. For additional information, please contact cobittraining@isaca.org.


Making a Difference in Governance and in Students’ Lives
Wole Akpose, CGEIT, National Capital Area (Washington DC, USA) Chapter, Shares His Experience as a CGEIT

As the chief information officer (CIO) at Morgan State University (Baltimore, Maryland, USA), Wole Akpose has the opportunity to make a difference in the overall operations of the university and ultimately affect the lives of the students. “My ability to prioritize based on the enterprise vision and business drivers helps ensure that we are able to meet the core needs of the university with the available resources.”

Akpose decided to pursue the Certified in the Governance of Enterprise IT (CGEIT) certification to demonstrate that as a professional he manages an enterprise’s IT, provides advisory and assurance services related to it, and supports its governance. “The CGEIT certification provides validation of my experience and skills in governance of enterprise IT and attaining this certification also helps others to quickly recognize my potential ability to perform certain tasks.”

Akpose also recommends CGEIT certification to gain professional recognition of the skill sets that are tested during the CGEIT exam. “The primary value of certification, I believe, is to validate to potential employers, customers or businesses that you are capable of performing the job responsibilities that the certification purports to certify.” Akpose also advises prospective candidates to consider the future. “All professional certifications are not to be considered the first step in a professional journey. Rather, they should be taken as part of the journey and it is easier when your certification track fits your background and your future career plans.”

To learn more about CGEIT and other ISACA certifications, visit the Certification page of the ISACA web site.


5 Skills Every Risk and Security Leader and Professional Should Develop to Be More Effective

Risk and security leaders and professionals typically have well-developed technology, audit, governance and compliance skills, but are often lacking in other critical areas that can assist with their ability to gain business support and alignment with their activities. While these other critical skill areas may not immediately resonate as core competencies of a risk and security leader or professional, they are vital to their ongoing success. Here are 5 critical skill areas that all risk and security leaders and professionals should obtain or enhance to ensure that they will gain future business support and enhance their standing within their organization:

  1. Salesmanship—While often shunned by risk and security professionals, the art of selling is core to the success of every interaction they will have with their stakeholders, leaders and constituents. Risk and security professionals are often influencers and not product, business process, or profit and loss owners. Their ability to influence others is vital to their success.
  2. Finance—Risk and security professionals often are challenged to gain and maintain a budget that is adequate for them to sustain or enhance their activities. In many cases, they develop budgets based on an operational model for capabilities and controls that are used along with the people, processes, procedures and technologies required to support each activity. What they do not do is develop finance plans that can be directly connected to the financial success, health, goals and aspirations of their organization. To reduce the risk of budget adjustments and reductions, security leaders and professionals should understand the financial statements, requirements and accounting concepts used by their organization. They can then use this information to create budget requirements and requests that are meaningful to finance professionals.
  3. Legal—Many risk and security professionals have a fundamental view of legal considerations that is based on contract negotiations, investigations and compliance-related activities that allow them to interact with legal professionals. These professionals are often challenged when it comes to appreciating the greater role and activities of legal counsel and, most important, do not recognize the level of influence and value that a legal opinion has on business leaders and stakeholders. In this case, the concept of due care becomes important for risk and security leaders and professionals to be aware of and to support the efforts of their legal counsel. When applied to risk management and security, due care is often considered a technical compliance consideration and standards such as the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization’s ISO 2700x or the National Institute of Standards and Technology (NIST) guidelines are often referenced. While these standards can be effective at providing broad guidance, an organization must develop its own view of due care and its own capability to implement and support this view. This is an area in which risk and security leaders and professionals can become invaluable assets and advisors to their legal counsel.
  4. Marketing and communications—Many risk and security leaders and professionals are extremely talented and capable but often go unrecognized as they lack the ability to effectively market and communicate their own capabilities and those of their programs. Effective marketing and communication skills are essential to influence cultural and behavioral change in an organization and are often required when introducing risk and security controls and concepts. Marketing and communication for risk and security focuses on identifying and gaining the attention of targeted individuals; generating interest in programs and their capabilities; and ensuring information is understood, internalized and embraced. These activities are ongoing, require constant focus and attention to be effective, and cannot be considered a point activity or delivered only through annual required awareness training campaigns.
  5. Project management—As risk and security requirements, activities and programs mature and become more robust, they also become more complex. In many organizations, risk and security professionals leverage separate project managers to oversee the implementation of large and complex projects. These individuals often possess a minimal amount of risk and security subject matter expertise, if any at all, which can lead to project delays, frustration with stakeholders and constituents, and delays in meeting project milestones and objectives. If risk and security professionals have comprehensive skill sets in project management, they can be more effective in directing and assisting the project managers they are leveraging by identifying and correcting potential issues and concerns before they have a material impact on projects and programs.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Lusaka Chapter Hosts First Event

Allan Boardman, CISA, CISM, CGEIT, CRISC, ISACA international vice president, was present in Lusaka, Zambia, for the first Lusaka Chapter event. “There is great interest in ISACA in Zambia and I think the chapter will be successful in growing and attracting new members,” said Boardman. According to Boardman, the Lusaka Chapter board is very enthusiastic and organized a great 2-day event.

Members of the press were present at the event including the Zambian radio, The Post Newspapers Zambia and the Lusaka Times. The Lusaka Chapter is in the process of developing its web site and planning additional events for 2013.

For more information on joining a local chapter in your area, visit the Local Chapter Information page on ISACA’s web site.


Book Review: Cloud Computing—Assessing the Risks
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP

More companies are moving their applications to the cloud as interest in private, hybrid and public clouds grows. However, what is cloud computing? How safe or reliable is the cloud? Can we trust the cloud environment? How secure will our data or information be? How different are its business continuity or disaster recovery techniques from those of traditional onsite systems? Where is cloud computing heading in the next few years? Should we really move to the cloud? This book provides answers to these questions.

Cloud Computing—Assessing the Risks targets upper management, senior stakeholders, and security and compliance professionals. It appeals particularly to individuals who need to understand and implement cloud computing and the associated security, risk, governance and compliance. The book is also suitable for anyone who wants to understand cloud computing.

The book provides readers with an up-to-date, basic learning guide to cloud computing and invaluable insight with real-world examples. The content is clearly presented and has an appropriate amount of documentation to take the reader on a comprehensive journey through cloud computing.

Cloud Computing—Assessing the Risks spans various important considerations when implementing the cloud and important elements to assess security, risk and computer forensics. It translates the complex and difficult field and its components into an easy-to-read context using jargon-free language and relevant examples, analogies and diagrams. In addition, the book covers extensive data protection and privacy laws and the legal implications of international data protection and privacy laws, which is a vital aspect of cloud computing.

Cloud Computing—Assessing the Risks is available from the ISACA Bookstore. For more information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Joyce Chua, CISA, PMP, CITPM, MCP, is a project manager (Sarbanes-Oxley 404 compliance) for Chartered Semiconductor Manufacturing, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.


New COBIT Resources Available

The following COBIT 5 products have been released recently:

  • COBIT 5 for Risk creates an information risk view of COBIT 5, which serves as the information-risk-specific guidance related to COBIT 5 for ISACA’s information risk constituents. The guide should be considered the risk-focused equivalent of COBIT 5 for Information Security within the COBIT 5 family of products.
  • Configuration Management: Using COBIT 5 provides practical guidance about implementing and managing configuration management using COBIT 5 as a foundation. It describes the most common risk, threats, controls and best practices to maximize benefits and reduce associated risk. A good portion of the book is dedicated to the configuration management database concept, including how to build an effective database, interaction with other IT processes, configuration item life-cycle management and security controls.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Take Advantage of Your ISACA Membership, Recruit New Members

As the 2013 ISACA membership year nears an end, we encourage you to think back on your ISACA activities, the benefits you most enjoyed and the many opportunities that were available. For example:

Stay equipped with the resources you need to enhance your skills, expand your professional knowledge and experiences along with local and global peers, and encourage your colleagues to do the same. Recruit a colleague as a new member through the Member Get a Member program and earn valuable prizes. Watch the Member Get a Member Winners’ Circle web page on ISACA’s web site to see the monthly winners and renew your ISACA membership today.

