@ISACA Volume 25: 5 December 2012 

@ISACA Relevant, Timely News

CISM Celebrates 10 Successful Years

2012 marks the 10-year anniversary of ISACA’s Certified Information Security Manager (CISM) certification. The certification has come a long way since its inception and its value in the marketplace has increased tremendously in the ever-changing world of technology. Keeping an organization safe and secure while maintaining an enterprise governance perspective is paramount and ISACA’s CISM certification allows its holders to demonstrate related skills and knowledge.

Since its introduction in 2002, the CISM credential has become recognized worldwide as a symbol of excellence in information security and has been earned by more than 21,000 professionals. The uniquely management-focused certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise’s information security. CISMs understand the business and know how to manage and adapt technology to their enterprise and industry to identify critical issues and customize company-specific practices to support the governance of information and related technologies. The certification affirms to employers that the candidate they are hiring is equipped with strong security management skills and has demonstrated experience in security management.

Visit the Certification page of the ISACA web site to learn more about CISM and all ISACA certifications.


10 Key Considerations for Mobile Security
By Tara Kissoon, CISA, CISSP

With the expansion of mobile device usage in enterprises as a communication method for corporate and personal information, mobile devices have become an additional source of risk to the enterprise. To assist the business in managing the risk, several security controls should be considered when deploying mobile devices. They include, but are not limited to:

  1. Strong authentication
  2. Data loss prevention (DLP) and data protection controls. Data protection controls include data-at-rest encryption and secure-channel communication.
  3. Life-cycle management for enterprise apps. This refers to the ability to inventory, report and control apps on a mobile device, which includes provisioning, updating and deleting enterprise apps.
  4. Malware protection
  5. Device compliance and antitheft methods. This refers to the ability to perform compliance inspections on the device according to corporate policy and implement loss/antitheft capabilities.
  6. Privacy controls. Privacy controls include restricting available device information and real-time auditing of apps to assist with data leakage events.
  7. SMS archiving
  8. Selective wipe capabilities. Selective wipe refers to the ability to remove specific apps/files from the device without affecting an employee’s personal data and environment (i.e., bring your own device).
  9. URL filtering
  10. Over-the-air (OTA) device management. OTA is a requirement for mobile management and includes device life-cycle management (i.e., discovery, registration, update, deletion, decommissioning).

Tara Kissoon, CISA, CISSP, is an associate vice president within Technology Risk Management and Information Security at TD Bank Group.


Gain Detailed Knowledge on Pressing Industry Topics

Are you looking for detailed, all-encompassing content on COBIT 5, IT risk, applied data analytics, securing and auditing mobile devices, or global privacy requirements? The workshops preceding or following the North America Computer Audit, Control and Security Conference (North America CACS) may be the answer.

With 6 workshops planned around the North America CACS conference, attendees have the opportunity for in-depth learning on these subject matters, while attending the conference sessions for more general knowledge and networking opportunities. At this time, the planned workshops include:

  • IT Risk: Governance and Assessment
  • COBIT 5 Foundation Course
  • Applied Data Analytics for IS Audit
  • Securing and Auditing Mobile Technologies
  • Barbarians at the Gate: Taming Global Privacy Requirements

Attending the conferences is not just about education, it is also about networking. ISACA conferences include an average of 8 hours of networking time—providing attendees with time to interact with their peers and solutions experts.

Register for North America CACS 2013 now and benefit from the early-bird pricing, which is available through 18 February 2013.


Board of Directors Nominations Due in January

The nomination period for the position of vice president on the ISACA Board of Directors for the 2013-2014 term will be closing soon. The nomination process encompasses two stages: making the nomination itself and submitting the supporting candidate materials. The deadline date of 7 January 2013 is for both components of the process. So, if you wait until that date to tackle stage 1 (the nomination itself), you will not leave time for yourself or your candidate to complete and submit the candidate materials, which are due on the same date.

Information about serving on the board, the attributes for office and the nomination form itself are available on the Board Nominations page of the ISACA web site.

Members may nominate themselves, others or both. Self-nominating candidates are also asked to submit a letter of recommendation from an ISACA member, outlining how the candidate demonstrates the attributes for office. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates.

Questions? Contact nominate@isaca.org.


How Did ISACA Benefit You in 2012?

As 2012 is coming to a close, members are sharing how their ISACA membership has benefited them throughout the year.

“The ISACA community has helped me understand information security in a better way,” says member Rahul Das.

Victor Joshua Penumaka says, “ISACA helps me network with people that are highly passionate and motivated about their career. Thanks ISACA.”

“ISACA has benefited me by offering relevant opportunities for keeping up with what peers in the profession are thinking and doing worldwide—by offering great networking opportunities for IT governance professionals and the opportunity to contribute something back to the profession,” wrote Vittal R. Raj.

Take a moment for reflection and share your favorite benefits on Facebook, LinkedIn or Twitter.


IT Risk/Reward Barometer Survey Reveals BYOD and Cloud Computing Trends

ISACA’s annual IT Risk/Reward Barometer surveyed more than 4,500 ISACA members worldwide on cloud computing, bring your own device (BYOD), risk management hurdles and staffing plans for 2013. Among the findings:

  • Nearly half of responding enterprises in Oceania freely allow BYOD (48 percent), while only 28 percent of European companies do.
  • Despite BYOD’s growing acceptance, IT professionals in every region surveyed report that the risk of BYOD outweighs the benefit.
  • Enterprises in Africa and Europe reported the lowest rates of public cloud adoption (25 percent in each region), while enterprises in Oceania (36 percent) and North America (33 percent) report the highest rates.

Visit the 2012 IT Risk/Reward Barometer page of the ISACA web site for full results.


Board of Directors Meets in Chicago

The ISACA/ITGI Board of Directors/Trustees held its midterm meeting in early November in Chicago, Illinois, USA. The day before the board meeting, a meeting was held of the members of the three oversight boards (Relations, Knowledge, and Credentialing and Career Management) to discuss their roles in taking forward Strategy 2022 (S22). A good portion of the board’s discussion focused on that meeting and the strategy itself.

  • Strategy—During the meeting of the oversight boards, the ISACA stakeholder map, which defines who the association exists to serve, was refined and the line-of-business (LOB) goals were further developed. (ISACA refers to the areas covered by the three oversight boards as its “lines of business.”) Taking the LOB goals down to a more tactical level, each of the oversight boards reviewed the prioritized work plans (PWPs) for the committees, subcommittees and task forces working in that LOB, to ensure that all activity is aligned with the objectives of S22 and those objectives are aligned and harmonized with business as usual. In looking ahead to the activity that will be undertaken over the next 9 years covered by the S22 horizon, it is clear that ISACA may need to use a portion of the strategic reserves each year for the required funding. This is the reason that reserves have been established and funded so assiduously over the past several years.
  • COBIT 5—Further developments in the COBIT 5 family of products were discussed. Possible additions mentioned include more case studies, a version of COBIT 5 for small to medium enterprises, and descriptions of COBIT 5 benefits/value for each of a number of professional roles. It was also noted that COBIT Online will play a key part in the adoption and use of COBIT 5, and in support of the COBIT Assessment Program, currently in development. COBIT Online is being rebuilt to align with COBIT 5 and to provide more functionality and easier navigation; it will be available in 2013.
  • Education—Information will be gathered from members, certification holders and conference attendees to determine their preferences with regard to content and delivery format, and their takeaways from previous conferences. The information will be used to build a more stakeholder-driven portfolio of education programs.
  • Audit committee—The committee is working with Grant Thornton to conduct a review of ISACA’s IT general controls.
  • Relations—Two upcoming projects with the National Association of Corporate Directors (NACD) were discussed. An educational video will be produced with NACD and another partner, and a publication or education event on asymmetric information will be developed.

The next meeting of the ISACA/ITGI Board of Directors/Trustees will be held in March in San Antonio, Texas, USA.


Read More Articles in Our Archives