@ISACA Volume 23: 7 November 2012 

@ISACA Relevant, Timely News

Interested in Serving on ISACA’s Board of Directors? Act Soon!

Nominations for the position of vice president on the ISACA Board of Directors for the 2013-2014 term are open, but time is running out. (The period for presidential nominations is closed.) Information about serving on the board, the attributes for office and the nomination form itself are available on the Board Nominations page of the ISACA web site.

Members may nominate themselves, others or both. After nomination, candidates must complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information by which to evaluate the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with candidates.

Nominations for vice president close on 7 January 2013. This is the date by which all materials (i.e., the completed candidate profile form and the letter of recommendation, if required) must be received at ISACA International Headquarters, so do not wait until the deadline to submit the nomination form. Questions may be directed to nominate@isaca.org.


Tips for Understanding User Privacy When Operating in Multiple Countries
By Victor Chapela

When managing customer or employee privacy in several countries, chances are good that there will be local laws that approach privacy differently. This variance originates from fundamental differences in each country’s history, needs and experience.

Privacy in Europe, for example, has largely evolved from the need to protect citizens from inappropriate use of their personal data by governments, institutions and companies. The government’s role is to define how privacy notices must be given to citizens, to ensure that individuals can have their data corrected or deleted, and to guarantee that citizens’ data are stored securely. Privacy in the US, on the other hand, is viewed from a consumer-rights perspective and is largely self-regulated through lawsuits and other consumer responses, which keep companies in check. From a US perspective, companies own the personally identifiable information (PII) they collect and can therefore do almost anything they wish with it, as long as consumers consider it fair. Companies and governments that view privacy this way believe that the main risk to personal data lies in an external attacker breaking in and using the data for illegitimate purposes.

Many countries take approaches that resemble one of these two models or combine them. And, of course, there are countries that do not recognize any kind of citizen or customer privacy.

Thus, the definition of privacy changes from one country to another. Understanding these fundamental differences can help organizations determine a centralized privacy compliance strategy that can be adopted worldwide.

Keep the following in mind when creating a unified privacy strategy:

  1. Define a baseline with the most restrictive regulation in mind. The strategy should be implemented uniformly worldwide, making it your organization’s privacy standard.
  2. Try to avoid specific case-by-case local policies. They tend to require continuous adaptation, can be more expensive over time, and can increase legal and regulatory risk.
  3. Focus on all PII, not only customer data. Include the PII of employees and other stakeholders who may not have economic or legally binding relationships.
  4. Recognize each person as the owner of his/her personal data, and ask permission from each individual data owner before storing or using his/her data.
  5. Consider availability as a business need, not a privacy requirement. Privacy focuses on keeping information confidential, accurate and up to date from the end user’s perspective.
  6. Classify sensitive information as that which may be used for discrimination (e.g., racial or ethnic origin; health records; religious, philosophical or moral beliefs; political affiliation; and sexual orientation).
  7. Consider that by managing data privacy correctly, information security requirements may also be solved.
  8. Consider the full data life cycle, from reception or generation of the data through its destruction. Policy, procedures and standards for each stage of the data life cycle must be defined.
  9. Ensure that privacy is viewed beyond simply compliance. Through privacy, you guarantee each person’s rights and, by doing so, you increase your stakeholder’s trust.

To read more on this topic, consider these related ISACA resources: the Privacy/Data Protection topic in the ISACA Knowledge Center, Securing Sensitive Personal Data or Information: Using COBIT 5 for India’s IT Act exposure draft, and the CIO Strategy for Privacy Compliance.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services and a frequent speaker at ISACA conferences around the world. Chapela and coauthor Santiago Moral are currently writing RiskVolution, a book on the evolution of risk.


Do Not Miss Out on Free CPE

Do you need continuing professional education (CPE) hours for your 2012 reporting year? It is not too late.

As an ISACA member and certified professional, you have the opportunity to earn more than 70 CPE hours per year through ISACA Journal quizzes; archived e-symposia, virtual tradeshows and webinars; mentoring your peers; and volunteering with your local ISACA chapter.

Find information on these and other CPE opportunities on the CPE page of the ISACA web site.

Remember that meeting CPE requirements is necessary to renew your ISACA certification(s). The 2013 ISACA membership and certification renewal invoices were sent to your preferred mailing address on 24 October 2012, and you should receive yours soon. If your contact details have changed, please update your ISACA profile on the ISACA web site.


Provide Your Feedback—IS Audit and Assurance Standards Exposure Draft

The ISACA Professional Standards and Career Management Committee has issued the ITAF™ IS Audit and Assurance Standards exposure draft for public comment through 28 December 2012. To review and comment, visit the IT Audit and Assurance Guidance page of the ISACA web site.

The 17 exposed standards are:

  • General Standards
    • 1001—Professional Independence
    • 1002—Organisational Independence
    • 1003—Reasonable Expectation
    • 1004—Due Professional Care
    • 1005—Proficiency
    • 1006—Assertions
    • 1007—Criteria
    • 1008—Audit Charter
  • Performance Standards
    • 1201—Planning
    • 1202—Risk Assessment in Audit Planning
    • 1203—Performance and Supervision
    • 1204—Audit Materiality
    • 1205—Using the Work of Other Experts
    • 1206—Audit Evidence
    • 1207—Irregularity and Illegal Acts
  • Reporting Standards
    • 1401—Reporting
    • 1402—Follow-up Activities

The online survey contains 20 questions. Once all feedback has been gathered and addressed, the updated standards are expected to be released in the first quarter of 2013. Thank you for your support of the work of the ISACA Professional Standards and Career Management Committee.


Certification Helpful in Critical Moments of My Life
Nino Seritti, CISA, Shares His Experiences

“The best part about obtaining the CISA certification is, by far, the respect of my peers. Furthermore, it has brought a positive outcome in my professional life after facing economic downturns and has helped me in the recovery of my professional and personal equilibrium. Being certified has also brought me closer to a new set of friends and associates. I am glad I joined ISACA and look forward to helping the association to expand in my area,” Nino Seritti says.

For Seritti, the CISA certification helped increase his professional recognition and provided him with the ability to improve his capability and performance. “I have always been a professional, but the CISA designation has given me the imprimatur I felt I was lacking. My biggest professional goal was to find a position that would allow me to experience a better quality of life,” Seritti explains.

“Being out of work put me in a difficult situation where I had to endure several economic downturns while trying to sustain a business with shrinking profit margins, leave my family to go to work in several other cities and attend to a terminal illness in my family,” Seritti recalls. “There are many lessons to draw from these life experiences, but what I take away from them is that determination and sustained professionalism helped me to overcome these challenges.”

Circumstances fortunately soon favored Seritti’s efforts to land a job after being certified: “With a CISA designation my credentials became clearer and my path became much brighter.”

“In my current position, the best part is the knowledge that I have the background and skills to do a thorough and accurate job,” Seritti says.

Additionally, the certification helped Seritti to stay focused. “Using the skills of observation, analysis and assessment, I have further developed my skills as a CISA. These skills have been critical in helping me to make more educated decisions in my personal life, as well. For instance, as a member of the board of directors of a local hospital, I was more easily able to offer strategic direction for the upcoming 2013 business plan,” Seritti explains.

The certification process has also helped Seritti to reconnect with old friends, become a community emergency response team member and a board member for a community general hospital. “CISA has brought me to a professional experience that gives me the liberty to grow professionally, free of major personal sacrifice, and to connect with other people with the same interests.”


Participate in Survey on Advanced Persistent Threats

To kick off a series of cybersecurity initiatives, ISACA’s Guidance and Practices Committee has formed a work group to analyze awareness of advanced persistent threats (APTs). One of the first actions of this group is to conduct a survey, the results of which will be presented in a report to be finalized this year.

If you are involved in information security, take a few minutes to complete this anonymous survey. No personal information, including IP addresses, will be collected.


Governance a Top Concern for Cloud Users, According to Cloud Maturity Study

ISACA and the Cloud Security Alliance have recently released the results of the Cloud Market Maturity study. The study provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.

“One of the most interesting findings is that governance issues recur repeatedly on the list of the top 10 concerns. Cloud users recognize the value of this model, but are wrestling with such questions as data ownership, legal issues, contract lock-in, international data privacy and government regulations,” said Greg Grocholski, CISA, ISACA international president, in response to the results of the Cloud Market Maturity study. “As cloud services continue to evolve, it is critical that we work together as an industry to provide insights and recommendations on these issues so that service and solution providers can look to innovate and deliver what the cloud services market needs to advance and what enterprises need to succeed.”

Visit the Study Results page to read the full study.


Member Needs Survey—Your Feedback Is Important!

The ISACA 2012 Member Needs Assessment Survey has been sent to a random sampling of ISACA members.

If you received this email survey, your feedback is essential in helping us improve the member experience. Please take this opportunity to:

  • Comment on the value of your ISACA membership
  • Share your perspective with ISACA committees and boards
  • Influence the development of new member services and resources

If you have been selected as part of the survey sample, you received an email invitation on 30 October. Please take a few minutes and respond to the survey now!

