@ISACA Volume 22: 26 October 2011 

@ISACA Relevant, Timely News

Volunteering Enables Worldwide Collaboration

Volunteering with ISACA offers a great opportunity for those wishing to collaborate with like-minded peers on a global level. ISACA volunteers from around the world work together to develop pragmatic knowledge and guidance, successful certification programs, comprehensive conferences and educational resources, representative professional standards, and sound professional relationships.

Learn more about volunteering at ISACA; the opportunities available; and the process for submitting your name, or the name of a peer, for consideration as part of the 2012-2013 volunteer appointments in the 2012-2013 Invitation to Participate brochure, a link to which is available on the Volunteering page of the ISACA web site. Volunteer applications for the 2012-2013 administrative term are due by 16 February 2012.


Tips for Getting Started With Data Analytics
By Lisa R. Young, CISA, CISM

Data analytics (DA) involves processes and activities designed to obtain and evaluate data to extract useful information. The results of DA may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; and influence business decisions. If your organization is interested in DA, remember that collecting the data, analyzing the data, protecting the data and storing the data are resource-intensive and you should have a business purpose for using the information the data can provide.

The following points should be considered for a DA effort:

  • What is the goal of the data analysis initiative? DA should have a well-developed plan that serves a business objective. In other words—what do you want to know from the data?
  • How will the data be used? Anyone who will access data during the analysis must also adhere to organizational data governance standards. This is especially important if you are using an external vendor or supplier to analyze the data.
  • Who will be able to access, review and analyze the data? It is important to be aware of the roles and responsibilities of users and user groups within an enterprise who may have access to confidential or personally identifiable information.
  • How will the data be secured to prevent unauthorized access?
  • How will the data be updated?

Each DA project requires specific objectives to determine project success and, therefore, project benefits. Success can be based on financial or nonfinancial criteria. Examples may include the identification of wasted business costs, lack of adherence to policy, total work hours saved, fees/fines reduced or not incurred, and more accurate reporting of transaction rework not performed. All of these benefits can potentially be achieved via clearly defined objectives for DA projects.

Few would argue that an enterprise’s data are among its most valuable assets. Yet, without a way to collect, sort, organize and evaluate the data, the enterprise is left with a vast, chaotic pool of 1s and 0s. DA helps explain patterns, which, in turn, help the enterprise identify what it is doing well, determine how to do it better and recognize problems before they spiral out of control.

For additional resources related to DA, please visit the Data Analytics page of the ISACA web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.


Enhance Your Knowledge With New GEIT and IT Risk Management Courses
Training Week • 12-16 December 2011 • Chicago, Illinois, USA

Join other professionals in attending the new IT Risk Management and Governance of Enterprise IT (GEIT) courses as part of ISACA Training Week this December in Chicago, Illinois, USA. While earning up to 38 continuing professional education (CPE) hours, attendees will be instructed in recognizing when effective governance has been achieved, understanding the practices of enterprise governance, integrating IT risk management with enterprise risk management (ERM), and making risk-aware business decisions.

As instructor of the GEIT course, Barry D. Lewis, CISM, CGEIT, president of Cerberus, will instruct professionals in the value and risk practices necessary for business success, the capabilities needed to implement enterprise governance, and the measures to validate governance success. Shawna Flanders, productivity specialist at PSCU Financial Services and instructor of the IT risk management course, will provide an in-depth review of the ISACA Risk IT Framework and how to apply its concepts to realize the full business benefits and outcomes.

Held 12-16 December 2011 in Chicago, Illinois, USA, this Training Week offering is recommended for IT management, managers responsible for IT investments, compliance and information security professionals, organizational strategic managers, and IT professionals with responsibility for assessing and quantifying risk and identifying controls and measures to reduce risk. Register now to take advantage of this valuable opportunity!


Certification Increases Personal and Professional Confidence
Natarajan Ramasastry Karri, CISA, CGEIT, Shares His Experiences With ISACA Certifications

Natarajan Ramasastry Karri, deputy general manager/head of the information assurance division of Sify Technologies Ltd., started his career as a banker in a prominent commercial bank in India. From there, he moved to core banking operations, then IT support and later information systems audit. According to Natarajan, “I would have continued my career in banking operations and risen in the hierarchy as a core banking professional” had he not made the change from banking to IT.

Natarajan, now a seasoned consultant in the governance of enterprise IT (GEIT), attributes, in part, the self-assurance with which he presents himself to his ISACA Certified Information Systems Auditor (CISA) and Certified in the Governance of Enterprise IT (CGEIT) designations. As he explained, “The CISA and CGEIT certifications I hold have given me a high level of confidence. They have taught me to look at things in wholly new and different ways and even more so in a completely professional manner.” He also credits his certifications with helping him attain greater recognition and professional growth, in addition to increasing his professional opportunities.

“CGEIT is an elite and exclusive certification that provides an individual value and recognition among enterprise management professionals,” Natarajan explained, “and the certification shows that the individual has the requisite experience in enterprise IT governance.” He believes that CGEIT is the right certification to showcase his extensive experience in GEIT. “ISACA has fulfilled a long-felt need among professionals by introducing this niche certificate in the area of enterprise IT governance,” he continued. “I would advise everyone who is in an IT management role to pursue the CGEIT credential.”

Natarajan encourages students looking to join the IT profession after graduation to pursue other certifications, including the ISACA Certified in Risk and Information Systems Control (CRISC) designation. “In order to start a fruitful career,” he explained, “I advise students to actively pursue the CRISC and CISA certifications. These certifications will catapult them into the professional world of information security, which continues to offer immense opportunities.”


CISA, CISM and CGEIT Certifications Recognized

ISACA certifications have been recognized by both the National Association of Insurance Companies (NAIC) and Foote Partners LLC. NAIC has included the Certified Information Systems Auditor (CISA) designation among the approved certifications for qualified IT examiners. According to the association, IT examiners must have sufficient knowledge, background and experience to perform the IT portion of a financial exam and CISA satisfies this requirement.

The independent IT research firm Foote Partners LLC’s updated IT Skills and Certification Pay Index found that professionals with the CISA, Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) designations earn the highest pay premiums among the 53 information security certifications reported in the index. In particular, the CISA credential averages 13 percent of base salary in premium pay and earns between 8 and 11 percent and averages 10 percent of base salary. The average pay premium for all of the certifications reported in the IT Skills and Certification Pay Index is 7.1 percent of base salary.

Learn more about CISA, CISM, CGEIT, and the Certified in Risk and Information Systems Control (CRISC) designations on the Certification page of the ISACA web site.


New White Paper and Audit/Assurance Programs Now Available

The following valuable resources have recently been released by ISACA:

  • Web Application Security: Business and Risk Considerations—The use of web applications in the enterprise has grown exponentially in the last decade. While businesses are benefiting in many ways from the new capabilities of these applications, the prevalence of inherent security vulnerabilities in web applications is creating significant exposure for many enterprises. This white paper explores the root causes of these vulnerabilities, examines the associated risk and impacts, and provides guidance as to how enterprises can alter their practices to mitigate this risk. Although this publication focuses specifically on web application security, the guidance presented applies to all types of software development activities. This and other white papers are available as complimentary PDFs on the White Papers page of the ISACA web site.
  • Audit/assurance programs—These and other audit/assurance programs are available as complimentary Word documents for ISACA members on the Audit Programs page:
    • Microsoft® Exchange Server 2010 Audit/Assurance Program
    • Microsoft® SharePoint 2010 Audit/Assurance Program

Information on current research projects is posted on the Current Projects page.


ISACA Member Recognized for Research in Rotational Programs

ISACA congratulates Rachel L. Bond, an ISACA member who recently earned a graduate degree in accounting from Louisiana State University (USA), on winning the Esther R. Sawyer Research Award from The Institute of Internal Auditors. This award recognizes an internal audit student or graduate from an Internal Auditing Education Partnership school, based on the submission of an original manuscript on a topic related to modern internal auditing.

Bond’s winning submission, “Internal Auditing Rotational Programs: Opportunities for Internal Audit to Add Value,” deals with enterprises’ rotational programs—programs for internal auditors to rotate between business units in an enterprise and internal auditing. She sought to find the answers to whether rotational programs benefit the internal audit activity and how they impact an internal auditor’s independence and objectivity.

Bond has started her career with Deloitte's Enterprise Risk Services division in New York, New York, USA.
