@ISACA Volume 24: 20 November 2013 

@ISACA Relevant, Timely News

Complete Your My ISACA Profile by Connecting With LinkedIn

Busy schedules make it difficult to allocate time to complete your My ISACA online profile when all you really want to do is respond to a Knowledge Center topic discussion. To help you start participating in the Knowledge Center as soon as possible, you can now import select fields of your LinkedIn profile to your My ISACA profile. The more information you include in your profile, the greater the likelihood you will connect with ISACA members who share your interests. Like LinkedIn, the ISACA Knowledge Center online community is for professional networking; however, each ISACA topic also contains resources related to the topic, including discussions by ISACA members, research publications, ISACA Journal articles and third-party links.

Complete your profile and start interacting with other ISACA members in the Knowledge Center topic discussions that match your interests. Log in and click on the My ISACA tab at the top of the home page, then click on myProfile. The blue box on the right side of the web page contains links from which you can edit your profile and privacy settings. From here, you can also view your profile as it will appear to others.

Importing information from LinkedIn is available as an option in the Edit My Profile page. Look for the Sign in With LinkedIn button on the left side of the page and follow the online instructions.

Join a Knowledge Center topic and connect with other like-minded professionals.


Using Risk to Take the High Road

It disappoints me to continue to see the practice of “name calling” among some of my colleagues. I recently attended a security conference where attendees and presenters alike referred to management as “stupid.” Management is not “stupid”; rather, information security professionals must learn how to better understand the needs of management and communicate risk accordingly.

Information security must consider the various situational factors that would lead management to not invest in security. For example, understand that the purpose of a business is to make money. Businesses exist to offer products and services for profit, which is in itself a risky proposition. Management needs to weigh and evaluate risk from various sources and then apply good judgment to appropriately manage the company. Occasionally, this means that security is deprioritized in favor of some other pursuit such as a new product launch, market pressure or changing customer preference. It does not mean that management does not care about security; rather, it means management has limited resources to achieve all of the enterprise’s goals.

To ensure that management is spending an appropriate amount of resources on information security, focus on risk communication. Anyone can point out current-state gaps against a standard and demand investment to close them. If security were that easy, we would all be out of a job. A mature risk function focuses on taking a prioritized, risk-based list of things to management for treatment. Differentiate yourself and bring value to your organization by focusing on the hard job of prioritizing top risk scenarios and leaving the rest for later; and let’s all agree to stop the name-calling.

Jack Freund, Ph.D., CISA, CISM, CRISC, CIPP, CISSP, PMP, manages a team of IT risk analysts for TIAA-CREF and chairs the CRISC Test Enhancement Subcommittee.


VP Nominations Remain Open

Nominations for the office of international vice president on the ISACA Board of Directors for the 2014-2015 term are still open (the deadline for international president nominations has passed). Information about serving on the board, the attributes for office and the nomination form itself are available on the Board Nominations page of the ISACA web site.

Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that confirms the candidate’s willingness to serve if selected and provides the Nominating Committee information about the candidate. Self-nominating candidates will also be asked to submit a letter of recommendation from an ISACA member outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and, possibly, interviews.

Nominations for vice president close on 7 January 2014. This is the date by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required). Be sure to submit your nomination form early so you allow the time necessary to provide the committee all the information required. Questions? Contact nominate@isaca.org.


Take Part in the Member Get a Member Program

Recruiting your colleagues to ISACA via the Member Get a Member campaign is simple and can pay off for you. Do you know someone interested in the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) certification? Have you reached out to your coworkers or members in other professional associations? To begin recruiting your colleagues, send them a personalized email. Share the benefits of ISACA membership by inviting your colleagues to connect with ISACA on Facebook and Twitter. Example emails, other recruiting tips and program rules are available on the Member Get a Member Overview page of the ISACA web site.

Every time you recruit a new member, you strengthen ISACA. A vital and growing membership means greater recognition of the profession and an expanded global web for enhanced networking and knowledge sharing.

The more colleagues you recruit, the better your rewards. If you recruit one professional member, you will be automatically entered into a monthly drawing to win a mini tablet device from the world’s leading manufacturer. Recruit 5-9 new members to receive a handheld digital music and entertainment device that puts streaming video, games, messaging and more at your fingertips. To earn a full-size tablet device, recruit at least 10 new members before 31 December 2013. Your recruited members must be paid in full by 31 December 2013 to apply to the Member Get a Member campaign.


New Advanced Persistent Threats Book and Other Resources Available

The following recently released resources are available on the ISACA web site:

  • Advanced Persistent Threats: How to Manage the Risk to Your Business—Advanced persistent threats (APTs) are significantly different from traditional threats and require different tools to manage them. Advanced Persistent Threats: How to Manage the Risk to Your Business is designed primarily for security managers, IT managers, IT auditors and students. It provides helpful advice on how to assess the risk of an APT to the organization and recommends practical measures that can be taken to prevent, detect and respond to such an attack. In addition, Advanced Persistent Threats: How to Manage the Risk to Your Business highlights key differences between controls needed to counter the risk of an APT attack and those commonly used to mitigate everyday information security risk.
  • IS Audit and Assurance Guidelines Exposure Drafts—Updated to support ISACA’s newly issued IS Audit and Assurance Standards, these exposure drafts are posted for online feedback through December 2013. After public exposure feedback is incorporated, the new guidelines are scheduled to be issued in the third quarter of 2014 to replace those currently in force.
  • IS Audit and Assurance Standards—These updated standards, released earlier this year, became effective 1 November 2013. The previous standards have been withdrawn.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Guidance for Implementing Updated COSO Internal Control Framework

The new framework issued in May 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control Framework, is an important development. It facilitates efforts by organizations to develop cost-effective systems of internal control to achieve important business objectives and to sustain and improve performance. The new framework also supports organizations as they adapt to the increasing complexity and pace of a changing business environment, manage risk to acceptable levels and improve the reliability of information for decision making.

Companies using the 1992 framework for US Sarbanes-Oxley compliance and other purposes should:

  • Familiarize themselves with the new framework and companion materials
  • Determine their transition plan
  • Communicate to the appropriate stakeholders the release of the new framework and its implications to the organization

The updated COSO Internal Control Framework includes numerous important changes, including:

  • The new framework explicitly states 17 principles representing fundamental concepts associated with the 5 components of internal control. COSO decided to make these principles explicit to increase management’s understanding as to what constitutes effective internal control. These principles remain broad, as they are intended to apply to for-profit companies (including publicly traded and privately held companies), not-for-profit entities, government bodies and other organizations.
  • The new framework clarifies the role of objective-setting in internal control and moves the primary discussion of the concept from the chapter on risk assessment to the second chapter to emphasize the point that objective-setting is not part of internal control.
  • The new framework reflects the increased relevance of technology. This is important because the number of organizations that use or rely on technology, and the extent of that use, have grown substantially over the past 20 years. More sophisticated technology can impact how all components of internal control are implemented.
  • The new framework incorporates an enhanced discussion of governance concepts. These concepts relate primarily to the board of directors and subcommittees of the board, including audit committees, compensation committees and governance committees. The key message is that board oversight is vital to effective internal control.
  • The new framework expands the reporting category of objectives. The financial reporting objective category is expanded to consider external reporting beyond financial reporting and internal reporting (both financial and nonfinancial). Thus, there are four types of reporting: internal financial, internal nonfinancial, external financial and external nonfinancial.
  • The new framework enhances consideration of antifraud expectations. The 2013 version contains considerably more discussion of fraud and considers the potential causes of fraud as a separate principle of internal control.

The Updated COSO Internal Control Framework: Frequently Asked Questions, 2nd Edition will help you get started.

Editor’s Note: © 2013 Protiviti Inc. All rights reserved. This guide was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Book Review: There Is a New Sheriff in Town
Reviewed by Maria Patricia Prandini, CISA, CRISC

Much of the protection offered years ago to families settling in the Old West of the US came from law enforcement agents known as sheriffs. Many of them were heroic, fearless figures who were in high demand in most new towns and mining camps to impose order and protect law-abiding citizens and their belongings. More than 100 years later, protection is still an issue, as noted in this compilation of the insights of a group of information security experts, titled There Is a New Sheriff in Town, under the premise that information security leaders are the new stewards of the digital world, fulfilling a similar task as those sheriffs in the Old West.

The book compiles the contributions of leading professionals who work in different industries in the US, hold high-ranking positions in large companies and have strong experience in the field of information security. The book indicates that information security professionals today need to develop strong leadership and communication skills as well as an understanding of the growing influence that information security has on the success of an organization. These experts provide insight and guidance on the new role of security professionals and leaders whose activities have evolved from just implementing the latest technologies to adding value to the organization.

Topics as diverse as security governance, skills, value and culture, managing risk, and the protection of intellectual property are presented, along with insights into how security leadership is viewed as a balance between art and science. The chapters on the integration of security into the business and on the future of information security invite readers to increase their competencies for the protection of the organization’s assets.

Reading There Is a New Sheriff in Town is similar to having the opportunity to meet with each expert to learn from their experience and knowledge and to obtain guidance on how to tame the complexities of technology. It gives the reader a chance to see where the field of information security is going and provides a look beyond the day-to-day operations to the future of the information security professional.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology at the Argentine Government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires Chapter.

