@ISACA Volume 22: 24 October 2012 

@ISACA Relevant, Timely News

Learn How to Increase the Awareness of Risk Management at Your Enterprise
Attend ISACA’s Risk Workshops

Are you looking to raise awareness of risk management concepts and techniques to enable your enterprise to identify risk and develop an appropriate plan to manage potential threats?

ISACA’s 2-day risk-related workshops in New York, New York, USA, may be right for you.

A Pragmatic Approach to Information Risk Management and Security on 6-7 November will explore the concepts of developing an information security and risk management strategy, the structure and associated functions of an information security program, threat and vulnerability analysis concepts and methodologies, and metrics and measures for effective information security governance. You will examine key areas and concepts and the business benefits that they provide.

A Risk-based and Business-aligned Approach to Protecting Information Infrastructure and Assets on 8-9 November will explore the current and future states of information risk management and security. You will discuss the development of information and risk management and security strategies and programs, cultural considerations and development, threat and vulnerability management, business resiliency, metrics and measures for risk management, and security programs and capabilities.

Register now for A Pragmatic Approach to Information Risk Management and Security and/or A Risk-based and Business-aligned Approach to Protecting Information Infrastructure and Assets on the ISACA web site.


5 Considerations for Choosing an MDM Solution

Many professionals are being asked to provide recommendations for evaluating mobile device management (MDM) solutions. A number of vendors, solutions and technologies are available in the global marketplace that provide a broad range of MDM capabilities and solutions. This is a rapidly growing area, so here are 5 important business and technical elements to consider.

  1. What levels of capability and control are actually required? Each enterprise will have its own view on the level of control and access that it would like to have on mobile devices. Often security professionals seek a broad and extensive range of capabilities and controls when choosing an MDM solution. In many cases though, enterprises require and/or desire only a basic set of controls for the majority of their users and use cases. The best way to find a balance between these two differing points of view is to perform a threat and vulnerability analysis of your mobile device solutions to identify the appropriate control objectives and functionality.
  2. What MDM functionality can you actually support and use on an ongoing basis? MDM solutions are constantly being advanced with new functions and capabilities. Some beneficial and appealing features, such as security analytics and mobile application management, may require full-time staff and extensive resources to be effectively utilized. Dedicating full-time, or even significant amounts of part-time, staff is often not desirable or even possible for many enterprises.
  3. If you are managing personally owned devices, what level of capability do you want to have on these devices? MDM solutions can assist enterprises in providing operational support and security policy enforcement for the use of personal mobile devices to access corporate resources (bring your own device [BYOD]). Technologists and information security professionals are quick to point out the benefits of their use for this purpose, but often overlook the legal and cultural impacts that MDM solutions can create. It is important to consult with all stakeholders during the requirements-gathering stage of evaluation to ensure that you have an understanding of the limitations or controls each would like put in place for the use of MDM solutions. This will ensure that your enterprise is not exposing itself to unwanted liability, risk and privacy concerns. It will also help to ensure that the users are educated about your capabilities and amenable to the level of control you have on their personal devices in a BYOD scenario.
  4. Are your current MDM solutions good enough? When evaluating MDM solutions, it is important to evaluate the current solutions’ capabilities, whether in use or available. Many enterprises find that these solutions, while not ideal, meet a majority of their MDM business requirements and technical control objectives. Microsoft Active Synch, for example, is offered to enterprises as part of their Microsoft Exchange Server implementation. Active Synch provides MDM functionality, such as password policy enforcement, requirement for use of encryption for data at rest and in transit to the Exchange Server, and remote device data wipe for Active Synch-enabled mobile devices. For many enterprises, this level of capability and functionality is considered acceptable for the majority of their mobile-user population. While more advanced MDM solutions may be considered ideal because they provide features above and beyond this level of functionality, the total cost of ownership associated with them (e.g., license, maintenance, infrastructure, staff and support costs) may make the acceptable solution more palatable.
  5. Can the MDM solution effectively manage the mobile devices you want to support? MDM solutions typically require software agents that require highly privileged access to the mobile device’s operating system and associated applications to be installed and active on target devices. Unfortunately, some of the most popular mobile devices severely limit the functionality of most MDM software agents. While many MDM solution vendors are attempting to overcome these challenges, they are unlikely to be successful without a shift in strategy and approach from the mobile device manufacturers. It is important to ensure your minimum business and technical requirements can be met by the MDM solution for all popular mobile platforms that you plan on leveraging, especially if you plan to implement a BYOD approach to their use in your enterprise.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


ISACA Member Recognized for His Information Security Initiative

ISACA congratulates Khawaja Faisal Javed, CISA, CRISC, CBCP, on winning the Senior Information Security Professional Category at the 6th annual Asia-Pacific Information Security Leadership Achievements (ISLA) Awards in Tokyo, Japan. This award from (ISC)2 recognizes outstanding leadership and achievement in workforce improvement of information security and management professionals in the region, based on their contribution to the enhancement of the information security workforce by demonstrating a leadership role in any information security workforce improvement initiative, program or project.

Khawaja’s distinguished workforce initiative was achieved due to his leadership role in designing and conducting several certification courses on information security and related topics, training approximately 2,000 professionals in the field for more than 300 organizations across the globe, and serving the security community with volunteer research.

Khawaja is manager of operations and information and communication technology (ICT) products for SGS Pakistan (Pvt.) Limited (a subsidiary of SGS S.A. based in Switzerland). Khawaja is responsible for controlling the day-to-day activities related to overall auditing and training operations in systems and services certification in Pakistan. Furthermore, he is handling the management, execution and development of auditors and trainers in the ICT products (ISO 27000, ISO 20000 and BS 25999) division in Pakistan and other Gulf Cooperation Council (GCC) countries.


Provide Flexible, Customizable On-site Training

Do you manage a training budget that you want to maintain and would like to use toward next year’s training? Or, perhaps you are preparing for end-of-the-year training and want to get your needs addressed as soon as possible.

ISACA On-site Training provides a flexible, customizable solution to align with your specific needs.

What to expect? ISACA training delivers:

  • Value—Train groups of 10 or more in a single session for one flat fee. Eliminate high travel costs.
  • Customization—Tailor training to your specific requirements. You choose the topic, location and course length.
  • Experienced instruction—Receive high-quality training and expertise from ISACA-accredited trainers.

Whether it is training a small group or an entire organization, ISACA’s On-site Training team will develop a focused training plan to meet your objectives. Learn more about available courses on such topics as COBIT, IT risk, governance, security, audit and assurance.

Visit the On-site Training page of the ISACA web site or contact onsitetraining@isaca.org with your training needs.


Grow by Synchronizing Personal and Professional Goals
Leroy Reynolds, CISA, CISM, CRISC, CIA, CISSP, Shares His Experiences

Leroy ReynoldsIn the field of IT auditing, “The best part about my job is learning about new and emerging technologies and assessing their impact on the enterprise when those get deployed. Working with management in addressing probable threats associated with linking legacy technologies with new technologies, even though it can be risky, offers some of the greatest rewards, when implemented properly,” Leroy Reynolds says.

Over the years, auditing has remained a critical interest in Reynolds’ career. Having a career road map in place was very important to him and selecting a certification path was a critical next step. “I was in information systems development for many years and had always wanted to get into IT auditing. With the Certified in Risk and Information Systems Control (CRISC) certification, it was easier to synchronize my personal goals with my professional goals, and I now enjoy working in IT auditing.”

The risk-related certification has provided “a good source of opportunities for interacting with multiple groups within and outside my organization, as well as helping me to ensure a continued improvement and refinement on how to approach each audit in terms of planning, executing and reporting on issues based on threats.”

From a more personal perspective, Reynolds explains that “the successful completion of the CRISC certification was gratifying and the recognition from my peers was also very uplifting. CRISC is recognized throughout the world and in many professional bodies and social networking platforms where I share knowledge and information with peers and others with similar interests. CRISC provides a great opportunity not only to share, but to learn from others.”

Once Reynolds achieved his professional goal of becoming a CRISC, he put these risk management concepts into practice in his personal life. “The principles covered in the CRISC courses are applicable to life outside of the profession. If I am negotiating a loan or buying a property or automobile, the knowledge I have gained as a result of achieving the CRISC certification helps me to focus on the risk associated with any of these transactions. Frankly, these principles and practices are not only relevant to information systems professionals, but can in fact be applied to any discipline or circumstance.”

Reynolds has found it gratifying to keep a balance between his personal plans and his professional objectives. “Challenges within my job have been opportunities for improvement. It is rewarding to obtain good results when you have concentrated on keeping abreast of emerging threats related to new technology deployment. CRISC certification has helped me to do a better job in identifying and ranking the risk associated with new technology deployment and has provided a framework for addressing key areas of risk within the IT environment.”


Book Review: IT Auditing: Using Controls to Protect Information Assets, 2nd Edition
Reviewed by Dauda Sule, CISA

The second edition of IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller and Kevin Wheeler covers IT auditing and control with an update on audits involving mobile devices and cloud computing. In fact, even the foreword, although brief, is a beneficial read for anyone interested in auditing.

IT Auditing: Using Controls to Protect Information Assets, 2nd Edition is targeted toward IT auditors and the IT audit function. The book provides a clear and practical approach to the topic. The authors, for example, suggest that IT auditors and IT audit teams refer to their auditees as customers—encouraging auditors to be friendlier and be seen as such. The book reminds auditors that they are supposed to help the enterprise’s development by plugging loopholes that can lead to losses and are not there simply to highlight mistakes without actively participating in proffering solutions.

The book is subdivided into 3 parts and has 18 chapters. The 1st part (Audit Overview) provides guidance to IT auditors based on best practices on how to carry out their function in a way that would be cherished by their employers (whether internal or external). Part 2, Auditing Techniques, offers a guide on how and why to perform the IT audit function, ensuring that the auditor comprehends why each task is carried out and, thereby, ensuring more efficiency. Frameworks, standards and regulations, such as COSO, COBIT, ITIL, ISO 27001, the US Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard (PCI DSS), are discussed in the third part.

The book is a useful guide and good reference for IT auditors and auditing trainers (including academics and researchers) in the field of information security, audit, assurance and control. The book is also useful for top management of enterprises, government agencies and anyone with an interest in IT audit.

IT Auditing: Using Controls to Protect Information Assets, 2nd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Dauda Sule, CISA, is marketing manager at Audit Associates Limited, a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. Sule has more than 5 years of experience in the Nigerian banking industry and previously worked as a systems security and assurance supervisor for Gtech Computers (a computer and allied services company).


Learn How One Member Finds Value in the Knowledge Center
Ian Cooke Shares His Experiences as a Topic Leader

Ian CookeQuestion How were you introduced to the Knowledge Center?

Answer I was preparing for an audit in an area that I was not that familiar with at the time—IT governance—and found a wealth of information on the ISACA web site and specifically in the Knowledge Center.

Question In your opinion, what makes the Knowledge Center a valuable resource for ISACA members?

Answer Collaboration and experience have been crucial in making the Knowledge Center a site that bridges IT security, risk and governance knowledge and professionals from all industries. ISACA provides guidance, in a wide range of ways, in addition to frameworks and standards. The Knowledge Center makes these useful resources accessible for all ISACA members.

Question What made you decide to become a topic leader?

Answer I was impressed by some of the speakers at the European Computer Audit, Control and Security (EuroCACS) Conference in 2011 and decided that I too should volunteer in some capacity. Being a topic leader provides me an opportunity to give back to the profession.

Question How did you choose your topic?

Answer As is probably the case for most topic leaders, it was the subject I felt most comfortable with. For me, it has worked well to concentrate and provide my input on a single subject matter.

Question What is one thing you wish all ISACA members knew about the Knowledge Center?

Answer The Knowledge Center is supported by topic leaders on a voluntary basis. Topic leaders do so because they are passionate about the subject matters, are willing to share their experiences and enjoy helping other members.

Question Which feature do you wish was used more?

Answer The “User Contributed External Links” feature. If all members contributed external links, this feature would become the go-to resource for related topics on the web.

Question Any parting words of advice to those who have not yet visited the Knowledge Center?

Answer Give it a go; you have nothing to lose! Once you have embraced the site, contact me with questions. As a topic leader, it would be my pleasure to help.



Read More Articles in Our Archives