CPE Reporting Made Easy
ISACA’s continuing professional education (CPE) reporting system has recently been enhanced and, as a result, CPE can now be reported when earned. This new reporting system makes it more convenient and efficient to record and track CPE and to clearly indicate the progress toward acquiring the CPE hours needed to meet the annual and three-year renewal requirements.
The primary advantage of the new system is the ability to record CPE as earned and in greater detail. In addition, some ISACA-related CPE activity will be automatically loaded into certification holders’ accounts for convenience; however, the number of hours earned will still need to be confirmed by the certified individual.
To access the new CPE reporting system, log in to your ISACA.org account from the home page and click the My ISACA tab. To learn more about this new reporting tool and its features, click on the View the Video Quick Tour link on the CPE page of the ISACA web site, where you can also find frequently asked questions regarding reporting CPE.
Remember that meeting CPE requirements is necessary to renew your ISACA certification(s). The 2013 ISACA membership and certification renewal invoices were sent to your preferred mailing address on 24 October 2012. If your contact details have changed, please update your ISACA profile on the ISACA web site.
6 Primary Threat Sources to Our Business Environment
By Leighton Johnson
The environment for which we provide support and in which we work has been evolving over the past several years. As incident responders, we need to identify the potential threat sources for attacks and exploits against our operating domains. Recent US governmental information security risk publications[1] have provided an updated review of this threat environment and identified the following primary threat sources:
- Organized crime over the Internet—These sources are usually sophisticated attackers with the most to gain in the financial arena. These threat sources tend to use hacking, impersonation, social engineering, system-level intrusion, break-ins and unauthorized system access. These types of threats are reported to comprise nearly 80 percent of all current attacks across the Internet.
- Foreign intelligence service over the Internet—These sources are usually the most sophisticated attackers with the most to gain in the economic, military and political arenas. These threat sources tend to use hacking, impersonation, social engineering, external intrusion, break-ins and unauthorized system access. Nation-state-based cyberattackers often launch multistep and multihost attacks that can incrementally penetrate the network with the goal of eventually compromising critical systems.
- Terrorist over the Internet—These sources tend to be fairly sophisticated attackers with the most to gain in the financial and political arenas, and want to threaten harm to nations and/or individuals and create general chaos. These threat sources tend to use hacking, impersonation, social engineering, denial of service, system intrusion, break-ins and unauthorized system access. Currently, these types of attacks are not well understood, but are publicized when successful.
- Individual hacker over the Internet—These sources usually are moderate to sophisticated attackers with the most to gain in the malicious challenge, ego and rebellion arenas, and want to create chaos. These threat sources tend to use hacking, social engineering, system intrusion, break-ins and unauthorized system access. This has been the primary threat source for Internet-based attacks in the past, but its prevalence has declined in recent years.
- Disgruntled former employee over the Internet—These sources are usually moderate to sophisticated attackers with the most to gain in the malicious revenge and ego arenas, and they usually attempt to gain monetarily from their actions. These threat sources tend to use hacking, social engineering, system intrusion, break-ins and unauthorized system access. Activity from this threat source has been steady over the past decade.
- Disgruntled employee (e.g., system administrator or engineer via intranet)—These insiders usually have highly technical, sophisticated attack mechanisms at their disposal, with the most to gain in the malicious revenge, ego and curiosity arenas, and they usually attempt to gain monetarily from their actions. These threat sources tend to use unauthorized access, browsing of proprietary information, fraud and theft, input of false or corrupt information, and sabotage. This threat source has consistently remained the largest focus for data breach and reputational risk threats.
To read more on this topic, consider these related ISACA resources: Cybercrime Audit/Assurance Program, Securing Mobile Devices Using COBIT 5 for Information Security and Security Considerations for Cloud Computing.
Leighton R. Johnson III, CAP, CISA, CISM, CSSLP, CISSP, CRISC, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.
[1] National Institute of Standards and Technology, NIST SP 800-30, rev. 1, “Guide for Conducting Risk Assessments,” USA, September 2012; NIST SP 800-37, rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” USA, March 2010; NIST SP 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” USA, March 2011
Participate in the Member Get A Member Campaign Before It Is Too Late
We are proud to announce that the first three months of the ISACA Member Get A Member campaign have been a success. Since August, 527 of your peers have expanded your global network by recruiting 689 new professional and student members to ISACA. Since the launch of our campaign on 1 August, we have awarded six ISACA Bookstore prizes worth US $50 each. Our monthly winners for August, September and October are:
- Irene Atieno Kasuko of the Kenya chapter (professional member)
- M. Awais Naseem of the Lahore chapter (student member)
- Undisclosed member of the New York Metro (USA) Chapter (professional member)
- Shu Tang of the South Florida (USA) Chapter (student member)
- Musibau Adegoke Adeleke of the Abuja, Nigeria Chapter (professional member)
- Rahul Das of the Kolkata Chapter (student member)
Two months remain in the 2012 Member Get A Member campaign—spread the word about your ISACA membership experience, grow our global network and earn a prize. Encourage your colleagues to enter your ISACA member ID on their membership application, so you will receive credit for their recruitment and they will have their new member processing fee waived.
If you have any questions, please contact the membership service team at firstname.lastname@example.org.
Volunteering Enables Worldwide Collaboration
Volunteering with ISACA offers a great opportunity to collaborate with like-minded peers on a global level. ISACA volunteers from around the world work together to facilitate the development of pragmatic knowledge and guidance, successful certification programs, comprehensive conferences and educational resources, representative professional standards, and sound professional relationships.
Learn more about volunteering at ISACA; the opportunities available; and the process for submitting your name, or the name of a peer, for consideration as part of the 2013-14 volunteer appointments in the Invitation to Participate brochure—a link is available on the Volunteering page of the ISACA web site. In addition to the online brochure, a printed version of the brochure has also been sent to all members with volume 6 of the ISACA Journal. Volunteer applications for the 2013-14 administrative term are due by 14 February 2013.
In addition to the annual volunteer appointments, there are a number of volunteer opportunities available throughout the year. For more information visit the Additional Volunteer Opportunities page.
Offer On-site Training, Additional CPE Opportunity
ISACA members looking for additional continuing professional education (CPE) hours by the end of 2012 may find what they are looking for through ISACA’s On-site Training program. The On-site Training program can still be scheduled and offered at your location in 2012.
ISACA’s On-site Training provides a flexible, customizable solution to align with your specific needs. You can expect ISACA training to provide:
- Value—Train groups of 10 or more in a single session for one flat fee. Eliminate high travel costs.
- Customization—Tailor training to your specific requirements. You choose the topic, location and course length.
- Experienced instruction—Receive high-quality training and expertise from ISACA trainers.
Whether you want to train a small group or an entire organization, ISACA’s On-site Training team can develop a focused training plan to meet your objectives. Topics include COBIT, IT risk, governance, security, audit and assurance. Visit the On-site Training page of the ISACA web site to access the training catalog.
New ISACA Resources on COBIT, SOC 2 and More
The latest ISACA releases, available on the ISACA web site, include:
- Securing Mobile Devices Using COBIT 5 for Information Security is intended for audiences who use mobile devices directly or indirectly, including end users, IT administrators, information security managers, service providers for mobile devices and IT auditors.
- SOC™ 2 User Guide is a joint project of ISACA and the American Institute of CPAs (AICPA). This publication focuses on the SOC 2 report issued by service organizations on the effectiveness of the design and operation of their controls related to security, availability, processing integrity, confidentiality or privacy.
- Biometrics Audit/Assurance Program provides management with an independent assessment of the effectiveness of the architecture and security of the deployed biometric systems and their proper alignment with the enterprise’s IT security policies, information systems architecture, information asset criticality and industry good practices.
- E-commerce/Public Key Infrastructure (PKI) Audit/Assurance Program provides management with an independent assessment of the effectiveness of the architecture and security of the e-commerce and PKI environments and their alignment with the enterprise’s IT security policies and architecture and industry good practices, and an evaluation of the IT function’s preparedness in the event of an intrusion or major failure of the e-commerce or PKI environments. It identifies issues that may impact the security of the enterprise’s e-commerce stance.
- VPN Security Audit/Assurance Program provides management with an independent assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the supporting technology. The focus is on VPN standards, guidelines and procedures as well as the implementation and governance of these activities.
- IS Audit and Assurance Standards—This exposure document has been designed to be a living document. The exposure draft updates the current audit and assurance standards, more closely aligning them with the Information Technology Assurance Framework (ITAF). This exposure draft will be available for review and feedback online until 28 December.
Information on current research projects is posted on the Current Projects page of the ISACA web site.
Set Knowledge Center Alerts the Easy Way
Earlier this year, ISACA launched email-enabled discussion alerts for Knowledge Center communities. These alerts allow you to participate in topic-area discussions by replying to the email.
Members have the option of immediate, daily or weekly alerts to remain aware of topic discussion activity. However, only immediate alerts have the email response capability.
Instead of going to each topic individually, set your alerts for all topics you belong to in one place. Click on My Alerts, which can be found in the upper right corner of the screen when you are signed in.
In My Alerts, all the topics to which you belong are listed with a delivery option, title of topic and description. Here, you can set your desired alert frequency for each topic.
Visit the Knowledge Center for information about how to participate.
How to Select an ERP System
The correlation between investment and reward is perhaps nowhere more tenuous than when implementing a new enterprise resource planning (ERP) system. Seasoned companies, and even technology powerhouses, have invested hundreds of millions of dollars in upgrading their ERP systems, only to discover they have simply bought tickets to a horror show of lost revenues, grossly missed sales forecasts, frustrated customers and dissatisfied investors.
The success or failure of an ERP implementation is not predicated on the characteristics of the software package. In fact, it is extremely rare for an ERP implementation to fail because of technical reasons. Often, the same software functions smoothly at peer firms. Frequently, it is this knowledge that gives project managers the false confidence to rush the selection and implementation of a new ERP system.
To address the challenges of choosing the ERP system best suited for an organization’s specific needs, an ERP selection methodology should anchor itself in the business process and can involve three phases:
- Future business-system landscape
- Business process optimization
- Solution design
This three-phased approach helps ensure that a company selects the single best ERP solution to its particular context and anticipated growth. Moreover, this significant decision is made with confidence in terms of the estimated total cost of ownership, implementation time frame and expected benefits.
Access the full white paper on the KnowledgeLeader web site.
Editor’s Note: ©2012 Protiviti Inc. All rights reserved. This article was reprinted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.