@ISACA Volume 25: 7 December 2011 

@ISACA Relevant, Timely News

VP Nominations Open Through Early January 2012

Nominations for the position of vice president (VP) on the ISACA Board of Directors for the 2012-2013 term are open through 9 January 2012. (Nominations for international president closed on 31 October 2011.) You will find information on the Volunteering page of the ISACA web site about serving as vice president—the time commitments, the responsibilities, the meetings, the attributes of office, and, of course, a link to the form you will need to complete and submit to start the evaluation process.

You may nominate yourself or others (or both). Once your nomination form is received, you will be asked to complete a candidate profile form that confirms your willingness to serve if selected and provides the Nominating Committee information it will use to evaluate you. If you nominate yourself, you will also be asked to submit a letter of recommendation from an ISACA member describing how you, as a candidate, demonstrate the attributes of office (listed on the nomination form). Information on you will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and a possible phone interview.

Even though the official close date for VP nominations is 9 January 2012, please note that this is the date by which all materials must be received at ISACA International Headquarters (i.e., completed candidate profile form and letter of recommendation, if required), so do not wait until that date to submit the nomination form. If you have questions, please e-mail nominate@isaca.org.


Using the ISACA Wiki to Build New Knowledge

Have you ever looked for an audit program only to discover that one is not available? If you could ask hundreds or even thousands of your colleagues to help create the audit program, would you? Using the collaboration tools on the ISACA web site allows you to do just that.

By creating a wiki and inviting others to provide input, you can benefit from the experience and expertise of other members. Wikis are available in all Knowledge Center topics. Just find the topic that matches the subject matter and then create your wiki. Here are the steps to create your wiki:

  1. Log on to the ISACA web site and navigate to www.isaca.org/knowledgecenter. From there, click on the + button next to Wikis to start a new wiki or to view all existing wiki pages. ISACA members are able to edit any of the existing wiki pages by clicking on the title of the page and then clicking on the Edit button.
  2. On the wiki page, click on the Edit link.
  3. Add your wiki title at the bottom of the page in [[ ]] and click OK.
  4. The page reloads and displays your new wiki as a link. Click on your wiki title.
  5. Add content to your wiki page. When you are done, click Create.
  6. Your content is now posted to the wiki.

Your final step is to advertise that your wiki is available. ISACA recommends that you start a discussion within the topic and link your wiki within the discussion. This will give the wiki additional visibility. Contact wikihelp@isaca.org with any questions you may have.


ISACA Certifications Now Qualify for University Postgraduate Credit

In another example of the growing recognition of ISACA certifications by universities around the world, Charles Sturt University, Victoria, Australia, has advised that the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM) certifications now qualify for master’s degree credit. Charles Sturt University will award one full subject of unspecified credit toward both the Master of Information Systems Security and the Master of Management (IT) to those who have obtained the CISA or CISM certifications. Both degrees are obtained via the university’s distance education environment.


Last Month for ISACA Certification Holders to Earn CPE for 2011

All ISACA memberships and certifications will expire at the end of the month, but it is not too late to earn continuing professional education (CPE) hours. As an ISACA member, you are afforded many opportunities to earn free CPEs each year, including:

  • Journal quizzes—One CPE available with each issue of the ISACA Journal. Up to 6 new CPEs available each year.
  • Monthly eSymposium quizzes—Three CPEs available for each of the 12 e-symposia. Up to 36 new CPEs available each year.
  • Volunteering with ISACA—One CPE available for each active hour you participate on a board, committee or task force or as a chapter officer. Up to 20 CPEs each year.
  • Mentoring peers—One CPE available for each hour of mentoring directly related to coaching, reviewing or assisting a colleague with exam preparation or providing guidance in the credentialing process. Up to 10 CPEs each year.

Visit the CPE page of the ISACA web site to learn more about how to earn more than 70 free CPEs toward maintaining your ISACA certifications each year. Your 2011 hours must be earned by 31 December, and you may visit the MyCertifications tab of your MyISACA page of the ISACA web site, following login, to update your 2011 hours now.


7 Common Threat Areas
By Leighton Johnson, CISA, CISM, CIFI, CISSP

In the current Internet-based world, there are common threat areas to be aware of and plan for as we provide security services to our customers and clients. They are:

  1. Data breaches—The current trend of stealing corporate data for financial or ideological reasons has led to wide-reaching political and economic fallout. These data thefts have multiple possible sources, including compromised accounts, web attacks and insider threats. Reports of large-scale data breaches appear in the press with regularity, and both internally compromised accounts and external attacks against web sites and networks have been their source. Always be on watch for potential exfiltration of corporate data as an indication of a data breach.
  2. Identity theft—The current statistics on identity theft are staggering: the US government reports that an identity is stolen every 3 seconds. The personal loss and stress that follow are severe, and many victims find little guidance or policy in this area. The usual means of attack is a phishing e-mail attachment sent to personal or corporate e-mail accounts. The best way to handle e-mail is to “distrust by default” every attachment, no matter where it comes from or who sent it.
  3. Web 2.0 attacks—The proliferation of embedded malware on legitimate web sites has led to computers being attacked by unknown assailants during normal web activity. The sites themselves are infected through pictures, images, searches, scripts or mashup content that carry malware, which is installed when an unsuspecting browser renders these “pictures.”
  4. Messaging attacks—E-mail and instant messaging still spread the largest amount of questionable content on the Internet. Standard spam accounts for more than 85% of all e-mail travelling the Internet each day, and these messages give attackers a way into personal and corporate servers. The range of computing devices and models in use today requires the security professional to be constantly aware of messaging-based attack methods.
  5. Botnets and zombie computers—The primary reason computers are infected, and the reason for the incredible increase in botnets, is very simple: money. In the current global economic state, these programs let the criminal element obtain large sums of money with relative ease and low risk. Always be on the lookout for machines running when they should be off and communicating on new or different channels; either can indicate that they are part of a botnet.
  6. Rootkits—These programs are usually targeted attacks against a specific company or person; they are very technical in nature, extremely difficult to detect and even harder to remove once detected. They are designed to run below the operating system, while most security software runs at the operating system level, so such security software will not detect them. One possible way to determine whether a rootkit is running is to monitor the system’s processing channels while the machine is operating; a machine that has been turned off would most likely not reflect this activity.
  7. Logic bombs—Logic bombs are pieces of code or scripts attached to legitimate code that operate in the normal computing environment but have time-based triggers that cause detrimental or malicious effects. They are almost always planted by insiders who are disgruntled or angry. Always watch the activity of soon-to-be ex-employees or passed-over administrators for these types of activities.

Each area of your computing environment has the potential to be attacked, with a malicious or detrimental effect on you, your organization or a customer. So always be on guard as you provide security services for them and for yourself.
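Two of the warning signs above, machines that are active when they should be off and that talk on new or different channels (item 5), and unusually large outbound transfers that may indicate exfiltration (item 1), can be turned into a simple baseline comparison. The script below is an added illustration, not code from the article or from ISACA; the flow log format, the business-hours window, the volume threshold and the sample records (including the documentation-range address 203.0.113.9) are all constructed assumptions.

```python
"""Baseline-vs-observed check for three of the article's warning signs:
off-hours activity, connections on channels a host never used before,
and outbound volumes far above the host's normal level.

Added example; log format, hours window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Hours during which a workstation is expected to be active (assumption).
WORK_START, WORK_END = 7, 20  # inclusive start hour, exclusive end hour

# Constructed sample flow records: timestamp host dst_ip dst_port bytes_out
BASELINE_LOGS = """\
2011-12-01T09:14:02 ws-017 10.0.5.20 443 12000
2011-12-01T10:02:11 ws-017 10.0.5.21 445 8000
"""

OBSERVED_LOGS = """\
2011-12-05T09:30:00 ws-017 10.0.5.20 443 11500
2011-12-05T03:12:44 ws-017 203.0.113.9 6667 4200
2011-12-05T14:05:00 ws-017 10.0.5.20 443 250000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, host, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": dst,
            "port": int(port),
            "bytes_out": int(nbytes),
        })
    return flows


def build_baseline(flows):
    """Per host: the (dst, port) channels seen and the mean bytes_out per flow."""
    channels = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # host -> [sum of bytes_out, flow count]
    for f in flows:
        channels[f["host"]].add((f["dst"], f["port"]))
        totals[f["host"]][0] += f["bytes_out"]
        totals[f["host"]][1] += 1
    mean_bytes = {h: s / c for h, (s, c) in totals.items()}
    return channels, mean_bytes


def find_anomalies(baseline, flows, volume_factor=10):
    """Return (host, timestamp, reasons) for every flow that trips a check.

    volume_factor: how many times the host's mean outbound size counts as
    suspicious (assumed threshold; tune against real traffic).
    """
    channels, mean_bytes = baseline
    findings = []
    for f in flows:
        host = f["host"]
        reasons = []
        if not (WORK_START <= f["ts"].hour < WORK_END):
            reasons.append("off-hours activity")
        # A host with no baseline at all has every channel flagged as new.
        if (f["dst"], f["port"]) not in channels.get(host, set()):
            reasons.append("new channel %s:%d" % (f["dst"], f["port"]))
        if host in mean_bytes and f["bytes_out"] > volume_factor * mean_bytes[host]:
            reasons.append("outbound volume %d bytes" % f["bytes_out"])
        if reasons:
            findings.append((host, f["ts"].isoformat(), reasons))
    return findings


def run_example():
    baseline = build_baseline(parse_flows(BASELINE_LOGS))
    return find_anomalies(baseline, parse_flows(OBSERVED_LOGS))


if __name__ == "__main__":
    for host, when, reasons in run_example():
        print(host, when, "; ".join(reasons))
```

On the constructed data the 09:30 flow to a known channel is silent, the 03:12 connection is flagged twice (off-hours and a never-seen destination and port), and the 14:05 transfer is flagged for volume alone. In practice the baseline would be built from several weeks of flow data and the thresholds tuned per host class, but the structure of the check is the same.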

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


ISACA Member Named the New US Deputy Under Secretary for Cybersecurity

ISACA congratulates Mark Weatherford, CISM, CISSP, on being named the deputy under secretary for cybersecurity at the US Department of Homeland Security (DHS). Previously, he was chief security officer at North American Electric Reliability Corporation (NERC) and, as an ISACA member, served on ISACA’s GRA Subcommittee.

Under the current US presidential administration, the DHS has been given the responsibility for managing the federal government’s cyberdefenses. Weatherford’s experience at NERC, a nonprofit organization for US smart grid operators, will be valuable in his new position of protecting the nation’s critical infrastructure from cyberattacks.

In his new role, Weatherford will focus on ensuring robust cybersecurity operations and communications resilience for the DHS, allowing the DHS to better carry out its mission to create a safe and secure cyberspace. He will play a key role in managing the department’s cybersecurity operations, which include overseeing the agency’s partnership with the private sector and security of the dot-gov network.

While at NERC, Weatherford directed the organization’s critical infrastructure and cybersecurity program. He previously served as the chief information security officer in the State of California’s Office of Information Security, and as chief security officer for the State of Colorado, where he helped establish the state’s first cybersecurity program. Weatherford is a former Naval Cryptologic Officer, where he led the US Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team.


Customizable Audit/Assurance Programs Available

You are encouraged to take advantage of the numerous audit/assurance programs available in the ISACA Bookstore. These publications, which cover a range of topics, are offered to members as complimentary downloads, as well as for purchase by nonmembers. The audit/assurance program is a customizable tool and template to be used as a road map for the completion of a specific assurance process.

Please visit the ISACA Bookstore for all available audit/assurance programs, including:

  • Apache Web Services Server Audit/Assurance Program
  • Business Continuity Management Audit/Assurance Program
  • Change Management Audit/Assurance Program
  • Cloud Computing Management Audit/Assurance Program
  • Crisis Management Audit/Assurance Program
  • Generic Application Audit/Assurance Program
  • Identity Management Audit/Assurance Program
  • Information Security Management Audit/Assurance Program
  • IT Continuity Planning Audit/Assurance Program
  • Lotus Domino Server Audit/Assurance Program
  • Microsoft Exchange Server Audit/Assurance Program
  • Microsoft Internet Information Services (IIS) 7 Web Services Server Audit/Assurance Program
  • Microsoft SharePoint 2010 Audit/Assurance Program
  • Microsoft SQL Server Database Audit/Assurance Program
  • Microsoft Windows File Server Audit/Assurance Program
  • Mobile Computing Security Audit/Assurance Program
  • MySQL Server Audit/Assurance Program
  • Network Perimeter Security Audit/Assurance Program
  • Outsourced IT Environments Audit/Assurance Program
  • Security Incident Management Audit/Assurance Program
  • Social Media Audit/Assurance Program
  • Systems Development and Project Management Audit/Assurance Program
  • UNIX/LINUX Operating Systems Security Audit/Assurance Program
  • VMware Server Virtualization Audit/Assurance Program
  • Windows Active Directory Audit/Assurance Program
  • z/OS Security Audit/Assurance Program

For more information, please contact the ISACA Bookstore at bookstore@isaca.org.


