Make Your Mark—Volunteer for ISACA in 2011-2012
Now is the time for you to gain more value from your membership in ISACA—view the Invitation to Participate brochure on the ISACA® web site. This is the first step toward a great opportunity to be a hands-on volunteer with fellow ISACA members around the world. Collaborate with peers to ensure successful certification programs, comprehensive professional conferences and educational resources, representative professional standards, and sound infrastructures. Several volunteer opportunities are outlined in the brochure. You can volunteer to serve on multiple groups if your schedule allows.
For more information about getting involved, including details about submitting your name for consideration, please visit the Volunteering page of the ISACA web site.
Tips on Managing a Successful Security Architecture Program
By Tara Kissoon, CISA, CISSP
The purpose of an organization’s security architecture is to provide a road map for individual projects supporting business initiatives. The architecture provides the overall strategic direction across the enterprise. Here are tips on managing a successful security architecture program:
- Ensure that the proposed solution addresses a business problem.
- Maximize the return on investment (ROI) and optimize the cost/benefit ratio. Ensure economies of scale are well understood by senior management (i.e., the ability to lower the cost of acquisition, IT support and training).
- Emphasize the benefits of the program to senior management, including enhancing corporate governance and risk management practices, improving preparedness for formal audits, increasing flexibility to respond to business priorities, reducing operating costs, and improving productivity through better user support.
- Remember this is a team activity. Give consideration to the configuration of the team. Understand the skills profiles of the individual team members and the team dynamics.
- Ensure that effective program planning and management are maintained.
- Manage ongoing collection of business-related information in an effective manner. Interview key business managers. Facilitate small group sessions. Reference existing materials written by key business managers/executives.
- Gain consensus on the conceptual security architecture before starting any detailed design activities. Achieve a suitable architecture governance process by utilizing an architecture board that will ensure that individual projects adhere to the architecture standards, approve projects and enforce compliance through control of project budgets, oversee the architectural maintenance process, and approve changes to the architecture as a result of business need and/or technical solutions.
- Maintain the long-term confidence of senior management and manage their expectations. Build into the program a series of deliverables that show visible, tangible benefits to the business on a regular basis.
Tara Kissoon, CISA, CISSP, is a director at Visa Inc. Her expertise is focused on developing and implementing information security and risk management controls across global payment systems.
New Business-oriented Information Security Model
ISACA® has just published the latest title in its Business Model for Information Security™ (BMIS™) series. BMIS, as described in The Business Model for Information Security, enables security professionals to examine security from a systems perspective, creating an environment where security can be managed holistically and effectively.
Information security has become a critical business function as the success of many enterprises now relies on their ability to manage risks appropriately. Protecting valued and sensitive information is essential for enterprise sustainability. Effective management of information risks and exposures—as well as opportunities—can directly affect the profitability and overall value of an enterprise.
BMIS offers a business-oriented approach to managing information security and fills the gap that exists among other standards and frameworks.
The Business Model for Information Security is available as a complimentary PDF download from the ISACA web site. Print copies are available for purchase from the ISACA Bookstore.
CRISC Is “Relevant,” “Recognized” and “Respected”
Raees Khan, CRISC, BIT, CLMC, G7799, SCPM, Shares His Experiences as a CRISC
To those with aspirations of joining the business and technology risk management profession and/or who are already working in the profession, Raees Khan advises, “CRISC is by far one of the most relevant, recognized and respected credentials for you to pursue in your career.”
Khan decided to pursue the Certified in Risk and Information Systems Control™ (CRISC™) certification because of ISACA’s reputation for offering industry-recognized and globally accepted professional certifications for more than three decades. He explains, “Based on my professional background and industry experience, I specifically chose to pursue the CRISC certification for two main reasons. First, due to the extensive coverage of the concepts and principles described in the CRISC body of knowledge for effectively designing, developing, implementing and maintaining risk management processes across the organization in an effort to substantially contribute toward achieving business objectives. Second, but most important, the CRISC certification is completely vendor-neutral.”
Khan strongly advises those looking to follow his path to work in the risk and control field to “familiarize themselves with a variety of risk management publications (e.g., The Risk IT Framework, The Risk IT Practitioner Guide, the COBIT framework, and the ISO 31000 International Risk Management Standard) to gain a thorough understanding of the concepts and principles used in effectively managing business and technology risks across the organization.” He further advises, “Then, aim to join a graduate recruitment program that focuses on risk management related functions/roles.”
Once in the field, Khan says contributing to the achievement of business goals can be a great reward. “Regardless of the industry you are working in, the risk and compliance management function/role is and will always be a fun, challenging and exciting area to get into, and it truly feels great to discover that you and your team have assisted your organization in managing organizational IT and business risks in an effective manner, and have brought it one step closer to achieving its business objectives.”
To keep his CRISC certification current, Khan enjoys the convenience of online opportunities provided by ISACA to earn continuing professional education (CPE) credits. “Over the past few years, ISACA has been very active in devising new and convenient options to assist its certified members in accumulating CPE credits,” he said. “Considering my busy and hectic lifestyle, I personally like to attend the online monthly e-symposia and upcoming online quizzes, which are conducted by highly skilled and experienced personnel from all over the world. It is a great way to learn from experts.”
When not working, Khan likes to cook for family and friends and actively participates in a variety of charity and humanitarian work for underprivileged and disadvantaged communities.
Information on CRISC and other ISACA certifications can be found on the Certifications page of the ISACA web site.
Raees Khan, CRISC, BIT, CLMC, G7799, SCPM, is a risk and compliance manager at Telstra Corp. He is also a member of ISACA’s CRISC Certification Committee.
Israel Regulation Declares COBIT a Recommended Framework
Israel’s Insurance and Capital Market Supervisor recently published the final regulations regarding IT governance in institutional bodies that provide insurance and financial services. The regulations stipulate that the Insurance and Capital Market Supervisor declares COBIT® an acceptable and recommended control framework for the existence of efficient control and governance mechanisms in IT.
The regulations are part of Israel’s finance-sector reform and impact the banking industry and all capital markets and insurance and savings divisions in Israel.
Prior to issuing the regulations, senior representatives from the Insurance and Capital Market Supervisor held several meetings with the ISACA Israel Chapter’s Government and Regulatory Agencies Committee and Cooperation Committee.
“The Supervisor was aware that COBIT is becoming more widely recognized in Israel for a number of reasons, including its effective structure and comprehensive concept of IT,” said Doron Ronen, CPA, member of ISACA’s Israel Chapter.
Additional information about COBIT can be found on the COBIT page of the ISACA web site. The Hebrew translation of COBIT can be purchased by calling +972.3.6910093. Details on the regulations are also available on the ISACA Israel Chapter’s web site.
Dynamic Conference to be Held in Dynamic Region
Asia-Pacific CACS • Dubai, UAE • 21-22 February 2011
The 2011 Asia-Pacific Computer Audit, Control and Security (CACS℠) conference theme, “Assuring Value, Building Trust,” is a fitting one for a region full of dynamic change. The host city of Dubai in the United Arab Emirates is a prime example of transformation experienced throughout the region. Traditional customs and commerce are giving way to international business, where speed and flexibility are vital. The same can be said for the information systems that facilitate and, in many ways, drive economic growth. Companies and customers alike must have confidence in the information systems, and these systems must create value.
ISACA’s 2011 Asia-Pacific CACS conference will offer a variety of major topics that address not only the global perspectives of the changing environment of IT, but also the nuances of the Gulf States. Attendees can choose to attend sessions on e-government, cloud computing, sustainability, digital forensics, payment systems and managing IT value.
The conference will be held in Dubai Festival City, a multiuse development of hotels, residential communities, shopping malls, golf courses and other entertainment opportunities, including the Dubai Festival Centre. This city-within-a-city is the largest development of its kind in the Middle East. It hosts festivals for a variety of subjects including literature, rock music and motorcycles. Conference attendees will experience world-class, professional education in a vibrant business environment.
The two-day event will offer two streams of sessions as well as two optional one-day preconference workshops to extend the education experience. The Conference Development Task Force will be announcing the complete educational program soon. For more information and to register for the conference, visit the Asia-Pacific CACS page in the Education area of the ISACA web site.
Maharashtra IT Award Recognizes ISACA Volunteer
AAA Technologies Private Limited recently received the respected Maharashtra Information Technology Award for its overall performance in the field of security. The Maharashtra IT Awards are awarded by Maharashtra State Government in India and were presented by the Honorable Chief Minister of Maharashtra Shri Ashok Chavan. Anjay Agarwal, CISA, CGEIT, CRISC, ABCI, ACS, CA, CFE, CIA, chairman and managing director of AAA Technologies and member of ISACA’s Professional Influence/Advocacy Committee and GRA Regional Subcommittee Region 1, accepted the award on behalf of AAA Technologies.
The Maharashtra Information Technology Awards were established in 2004 to recognize IT companies and institutions in Maharashtra for outstanding performance during the year. The objectives of the Maharashtra IT Awards are to:
- Promote entrepreneurship in the IT industry in the state
- Recognize and appreciate outstanding performance in IT activities
- Encourage the rapid spread of the use of IT in society
- Encourage the use of IT as a means of creating employment opportunities
“This prestigious award recognizes our efforts to make IT more secure in India,” said Agarwal. “We are very honored to receive the award and look forward to continuing to make significant contributions to IT security in our area.”
The awards are presented for various categories, including IT hardware, IT software, IT enabled services, IT human resource development, IT infrastructure, IT research and development, IT service provider and IT security solutions.