@ISACA Volume 24: 22 November 2010 

@ISACA Relevant, Timely News

Contribute to Industry-relevant Resources, Volunteer for ISACA

ISACA® relies heavily on volunteer leaders to ensure the continuation of high-quality resources. ISACA is currently accepting applications to participate with volunteer groups during the 2010-2011 term.

Volunteers help ensure successful certification programs, comprehensive professional conferences, timely education programs, insightful research, thorough and appropriate online resources, representative professional standards, and financially sound infrastructures.

Volunteering with ISACA has several benefits, including:

  • A role in the future of the association
  • Influence on professional issues
  • Networking opportunities with peers around the world
  • Enhancement of leadership and professional skills
  • Participation in a forum for sharing expertise and learning from others

The selection of volunteers is based on the current needs of the groups, the relevant professional background of the candidates and the need to reflect a global perspective. All appointments are for a one-year term and are ratified by the ISACA Board of Directors.

To apply to be an ISACA volunteer, review the application form included with volume 6 of the ISACA Journal, mailed this month. Then, visit the Volunteering page of the ISACA web site to fill out the online application. The deadline for applying is 25 February 2011, but we welcome and encourage early applications.


Tips for Mitigating the Risks of EUCA Data Usage
By Lisa Young, CISA

Spreadsheets, Microsoft Access databases, business intelligence systems and other end-user computing applications (EUCAs) play an important role in business operations. Many of these applications store, transmit and process information that is critical to the operation of the organization’s mission. These applications are difficult to monitor and manage because they are controlled by users, are stored on distributed devices, and are generally not on the radar of most IT operations or business continuity departments.

The risks in financial reporting from using spreadsheets have been a hot topic for the past few years. As auditors, we might be more familiar with spreadsheet risks, especially related to financial applications, than our colleagues in other parts of the organization. Here are additional considerations for EUCAs from an IT operations, governance and business continuity perspective:

  1. Policy—Is there a policy governing EUCA data, especially manipulation of financial data using desktop applications?
  2. Documentation—What data reside on EUCAs? Where are the data located? Who owns the data? When and how are the data modified? Is there a formal naming convention for data that contain sensitive information so they can be more easily located?
  3. Risk assessment—Is there a formal process to discover, inventory and assess the risk from EUCAs?
  4. Change control—Do the data stored on EUCAs receive the same level of change control rigor and scrutiny as an application under the control of IT operations? Are there periodic reviews of changes made to macros and versions or a review of logic (e.g., formulas, data object relationships) that is used in EUCAs?
  5. Security and access control—Are periodic reviews of network shares and permissions performed? What are the data transfer mechanisms for sending EUCA data to third parties (e.g., transfer of payroll data)?
  6. Backup and archival—How does information stored on EUCAs get replicated and archived?
  7. Continuity planning—Are file shares considered when planning disaster recovery or business continuity strategies? If document sharing repositories are a part of your infrastructure, there may be complex, linked spreadsheets or other reference data sources that may be overlooked when planning for continuity of operations.
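The documentation, risk assessment and change control questions above all start with knowing which EUCA files exist on a share and which of them carry macros or links to other workbooks. The following script is an added illustration, not part of the original article: it walks a directory tree, lists files with typical EUCA extensions and, for Office Open XML workbooks, checks the zip archive for a VBA project (`xl/vbaProject.bin`) and external link parts (`xl/externalLinks/`). The sample share it builds is constructed in a temporary directory with hypothetical file names.

```python
import os
import tempfile
import zipfile

# Extensions that typically hold end-user computing application data.
EUCA_EXTENSIONS = {".xlsx", ".xlsm", ".xlsb", ".accdb", ".mdb"}

def inspect_workbook(path):
    """Office Open XML workbooks are zip archives: a VBA project is stored as
    xl/vbaProject.bin and links to other workbooks under xl/externalLinks/."""
    has_macros = has_links = False
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            has_macros = "xl/vbaProject.bin" in names
            has_links = any(n.startswith("xl/externalLinks/") for n in names)
    return has_macros, has_links

def inventory_share(root):
    """Walk a file share and return {relative path: attributes} for each EUCA file."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EUCA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            macros, links = inspect_workbook(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            inventory[rel] = {"size": os.path.getsize(path),
                              "macros": macros, "external_links": links}
    return inventory

def build_sample_share():
    """Constructed sample share (hypothetical files): a plain workbook, a
    macro-enabled workbook and a workbook linked to another one."""
    root = tempfile.mkdtemp(prefix="euca_")
    os.mkdir(os.path.join(root, "finance"))
    def make(name, members):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for m in ["xl/workbook.xml"] + members:
                zf.writestr(m, "<placeholder/>")
    make("budget.xlsx", [])
    make("payroll_macro.xlsm", ["xl/vbaProject.bin"])
    make("finance/consolidation.xlsx", ["xl/externalLinks/externalLink1.xml"])
    return root

if __name__ == "__main__":
    for rel, info in sorted(inventory_share(build_sample_share()).items()):
        print(rel, info)
```

The flagged entries are the ones to feed into the change control and continuity reviews: macro-enabled files need logic review, and linked workbooks identify the reference sources that are easy to overlook.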

Lisa R. Young, CISA, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force for the Risk IT: Based on COBIT® publications.


New Trends in Shopping on the Job
ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey

ISACA® conducted its third annual two-part survey, titled Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey, to examine employees’ risky online activities using employer-issued computers and mobile devices. One part surveyed 3,307 IT professionals who are members of ISACA around the world about the risks of online shopping and other activities. The other part was conducted with US consumers/employees to examine their online behavior.

Global survey results revealed other interesting news, including:

  • The expected cost of lost productivity due to online activities
  • How many enterprises have security policies and provide training on them
  • Whether employers tend to ban, limit or freely allow employees to shop online and visit social networking sites

ISACA encourages an “embrace and educate” approach and developed tips for consumers and IT professionals for safe shopping from work computers or mobile devices. Full survey results, including the tips, PowerPoint slides, video presentations, graphics and regional news releases are available on the Shopping on the Job page of the ISACA web site.

ISACA members are welcome to use this information, including slides from the PowerPoint presentation and the graphics, to develop presentations and reports. Please give proper attribution to: Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey.

Also, a new white paper has been developed by ISACA titled E-commerce and Consumer Retailing: Risks and Benefits. It is available as a complimentary download from the Shopping on the Job page of the ISACA web site.


Does the Cloud Have You Confused?
Gain New Insight at ISACA’s Upcoming Complimentary Virtual Event

ISACA is excited to offer its next Virtual Seminar and Tradeshow, “Security and Compliance in the Cloud: Define, Defend and Regulate,” on Wednesday, 8 December, from 8:30 a.m.–4:30 p.m. EST (UTC -5). This one-day, complimentary event offers attendees the opportunity to network with peers, interact with sponsors and exhibitors with no travel expense, and earn up to four free continuing professional education (CPE) hours.

Learn more about what it takes to get a grasp on cloud computing and build a trustworthy reputation in this medium during the keynote presentation by Dave Cullinane, chief information security officer and vice president of eBay. Cullinane also spoke at ISACA’s Information Security and Risk Management events in Las Vegas and Vienna this year. If you weren’t able to attend those events, you will find his keynote, “Cloud Security: Building Trust in the Cloud,” at this event of particular value.

Additional presentations at the December virtual event include:
  • “Data Protection and Access Control in the Cloud,” presented by Joseph Granneman, CISSP, an active member of the US Federal Bureau of Investigation’s Infragard program and Chicago’s Electronic Crimes Task Force. Granneman’s presentation will provide insight on the challenges companies will face when they outsource to the cloud and will focus on the how and why of ensuring that an organization’s data remains safe once in a provider’s hands.
  • “Compliance and the Cloud,” presented by Richard E. Mackey Jr., vice president of SystemExperts. Mackey will present on how laws, regulations and standards, including emerging audit guidelines and standards for cloud computing, apply to the cloud.
  • “Vendor Management in the Cloud,” presented by Jeffrey Ritter, founder and chief executive officer of Waters Edge Consulting. Ritter will discuss vendor management issues in the cloud and will provide real-world examples of challenges being faced in identifying special requirements to govern the relationship with vendors.

Visit the Cloud Security and Compliance: Virtual Seminar and Tradeshow page of the ISACA web site to register and learn more about the program. If you cannot attend the event live on 8 December, you can access the archived event immediately following the live event. The archived event will be available until 8 January 2011.


Join the Conversation

ISACA's IT Professional Networking and Knowledge Center is a meeting place for IT professionals who share common interests. Participants not only consume information, but also exchange expertise and experience through collaboration. And, the best news: getting started is easy. To participate in a Knowledge Center discussion, follow these steps:

  1. Log in to the ISACA® web site. You must be logged in to participate in a topic.
  2. Go to the Knowledge Center and choose your topic. With many topics to choose from, there is sure to be one that suits your professional interests. Simply click on “Browse Over 100 Topics” and scroll through the list of disciplines. Click your topic of choice to open it.
  3. Once in your topic home page, you will see a number of choices, including publications and articles to read, external links, and discussions. Under recent discussions, click “More” to view all discussions and comments. NOTE: To participate in a discussion, you must “Join This Community” by clicking the yellow button.
  4. You may now choose to start a discussion by clicking on the yellow button, or read and reply to an existing discussion.
  5. To leave a comment on another member’s discussion, scroll to the bottom of the page to the comment box.
  6. You may also keep track of your comments/discussions by setting alerts. At the top of the discussion pages are icons you can click to be alerted about this discussion (yellow bell) or to subscribe to the discussion’s RSS feed (orange box). This ensures that you do not miss any comments made on your chosen discussion.



New Governance Course Coming to 2011 Training Weeks

ISACA® has developed a new Training Week course, titled Governance of Enterprise IT, which will be included in the 2011 Training Week events. This new course will provide answers to questions being asked within your enterprise, such as:

  • What value does governance bring?
  • What risks can we encounter if we do or do not implement governance practices regarding the use of IT resources?
  • How much governance is enough?
  • How do you know when you have achieved effective governance?
  • How do we sustain governed practices?

This course is designed for IT professionals and business managers looking for more efficient and effective results from IT. By attending, you will gain tools to:

  • Define governance in all its practices with regard to business support
  • Recognize the value vs. risk practices necessary for business success
  • Know the governance standards established for guidance affecting IT
  • Identify major constraints to achieving governance success
  • Understand and recognize operational and investment reasons for governance implementation within your organization
  • Recognize the need to govern IT as a business resource and measure its success in those terms
  • Determine measures to validate governance success

Visit the Training Week page of the ISACA web site for information on this and all Training Week courses and upcoming events.


Building a Department of Integrated Auditors
By Jim Kaplan

As internal audit leaders look to improve staff skills and increase audit efficiencies, they should put at the top of their priorities the concept of “the integrated auditor.” This concept combines generalist and specialist skills, pairing the ability to use and apply the most effective technologies with the traditional responsibilities in financial, operational and compliance areas.

Having integrated capabilities greatly increases an audit team’s technical and functional competencies. Rather than settling for minimum proficiency levels defined for auditors, training your staff to become integrated auditors opens up opportunities to build further expertise and enhance your department’s capabilities.

Access the full article on the KnowledgeLeader web site.

Editor’s Note: © 2010 Protiviti Inc. All rights reserved. This article was reprinted with permission from Protiviti’s KnowledgeLeader. KnowledgeLeader is a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA® members receive a discount on an annual subscription to the service.


Book Review: 24 Deadly Sins of Software Security
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL

Software code developers or engineers will always focus their program code design first on functionality and efficiency. This is understandable because software design must meet a multitude of architectural, operational, functional or application-usability requirements. This focus unlocks the designer’s creativity in the process of code development. Who thinks about information security at this point? It seems that thinking about security sets limits and wastes time and money. Information security is often sacrificed for code execution speed.

It is well known that writing secure code in the first place is more cost efficient than fixing it later and dealing with public relations nightmares or lawsuits. But, where are the knowledge and experience that help the programmer to write secure code in the first place? Sure, the experienced code designer and software companies with effective governance have their secure-coding standards, but are they sufficient and up to date?

24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, is a great resource to fill in these gaps and to reduce the risk of homemade, well-known backdoors for hacking attacks or noncompliance with information security standards, at least for the 24 coding “sins” described in this interesting book.

In four parts, the authors present common coding security flaws and their antidotes in the areas of web applications, code implementations, cryptography and networking. The book’s chapters deliver advice across a wide range of platforms and languages, such as Windows, UNIX, Linux, Mac OS X, C, C++, C#, Java, PHP, Perl, Python, Ruby, Visual Basic, web and smart-client applications, and mobile applications. Each chapter explains security exposures with code examples, shows remediation steps, provides links to other vulnerabilities and additional resources, and concludes with a summary. Helpful testing techniques are described to identify the “committed sins” in program code. This makes the book a valuable reference not only for the programmer, but for the IT security auditor as well. The IT auditor or security professional conducting a code review will be empowered with the experience that the authors offer.

Yes, the matter is very technical, as coding is expected to be. But, the authors succeed at presenting not only the technical details, but also making the complicated matter accessible to the auditor or security professional through textual explanations, background information, screen prints, code examples and practical examples. A detailed index is provided at the end of the book for easy navigation to specific topics.

Using this book, an auditor could develop an audit program for a specialized code review. A security professional who is, for example, responsible for the development of corporate secure coding standards could use it for the development of rules, self-study, development of a security assessment or training of developers. A code developer could use it as a learning guide about how to avoid common programming security flaws in the first place.

24 Deadly Sins of Software Security is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CISSP, ITIL, is the owner and principal consultant of DELTA Information Security Consulting Inc.

