@ISACA Volume 25: 8 December 2010 

@ISACA Relevant, Timely News

Now Is the Time to Submit Nominations for the Board of Directors

The time to submit nominations for the ISACA® Board of Directors for the 2011-2012 term is drawing to a close. On 7 January 2011, nominations will close and the Nominating Committee will consider only the candidates presented by that time. There is still time to submit your own nomination or the nomination of someone you believe would be an asset to the board. Please note that there is additional paperwork (in addition to the nomination form) that needs to be completed before the Nominating Committee can consider a candidate, so it is best not to wait until the last minute to submit your nomination(s).

Visit the Volunteering page of the ISACA web site for information about serving on the board, the attributes for office (both international president and vice president) and the nomination form itself.

Serving on the board is a great way to build your skills and expertise, expand your professional network, influence the direction of the association, and give back to the profession. The experience is bound to help you, and it can help your employer as well. Your employer will enjoy the benefits of having an employee who is more self-assured, can access information from professional colleagues worldwide and can use his/her expanded understanding of ISACA’s offerings to enhance activities within his/her enterprise. Everyone comes out a winner.

Please consider submitting a nomination form. ISACA looks to the Board of Directors for guidance, counsel and strategy; the association can only be as strong as its top-most governing body. This is your chance to make a difference—in your association and your profession.


5 Tips for Managing Information Risk During Innovation
By Victor Chapela

Some of the main risks with many innovative products or services may be related to information security. Nevertheless, the tools and processes that we normally use may be useless given the different nature of innovation projects. Here are a few tips that can help focus your efforts to reduce risk in this type of venture:

  1. Innovation always requires the management of uncertainty; we deal with many unknowns. Information security can help reduce uncertainty by offering risk reduction solutions, but it can also increase uncertainty by overcompensating or ignoring risk.
  2. Vulnerability-based assessments are not useful in evaluating information risk in innovation projects. Risk can be evaluated based on the type of risk. There are three groups that allow for a good assessment:
    • Accidental risk can be evaluated with existing business impact analysis methodologies. This type of risk generally does not change for innovation projects. Redundancy controls should be proposed to mitigate risk.
    • Opportunistic risk changes based on exposure. The more connections and interrelations a new system, product and process have with each other or with the Internet, the more inherent opportunistic risk they pose. The sum of filtering, authentication and monitoring controls helps reduce risk. It does not need to be perfect security; it should be at least as good as your competitor’s.
    • Intentional risk increases relative to the value of the information. Some of the information that will be processed may have value for third parties, such as organized crime, competitors, news media or even your employees, but it may not have any value at all for your organization or project. If information has value for others, it will be at a much higher risk of being compromised. Intentional risk must be managed by using strategic isolation of these high-risk components or data.
  3. All three types of risks should be considered in the design stage of innovation. But, they should be assessed separately to define a correct set of mitigation controls. The speed of implementation may also vary. Intentional risk should always be addressed at the design and development stage, but opportunistic risk may be mitigated when already in production.
  4. It is very easy to kill innovation by trying to reduce all future theoretical risks. A good balance should be the goal. In my experience, mitigating the top three risks for each category has been enough to get the project safely implemented.
  5. Finally, managing risk can be an innovation in itself. For example, finding new ways to authenticate that are cost-effective may increase your innovation’s success probabilities.

Victor Chapela is founder and chief executive officer of Sm4rt Security Services. He is coauthoring a book on the evolution of risk and is a frequent speaker at conferences around the world.


ISO Requests Comments From ISACA Members

ISACA® and ISO/IEC JTC1 SC7 WG 21, the body responsible for International Software Asset Management (SAM) standards, are offering ISACA members a preview of revisions to the Software Asset Management standard (ISO/IEC19770-1). Your feedback is requested.

Addressing market requirements, the revision features four successive tiers that build on each other. Tier 1 is called Trustworthy Data and covers repeatable license compliance processes, addressing the highest-priority objective for SAM based on industry research conducted by ISO/IEC JTC1 SC7.

To enable the widest use, the new draft of ISO/IEC19770-1 includes guidance annexes and a standards road map. Guidance annexes relate the SAM standard to complementary industry guidance and practices. The standards road map is a further planning tool to aid in the development of SAM business practices so organizations may benefit from converging and harmonizing standards in the longer term, which may include harmonized management system standards and provisions for capability and organizational maturity assessment.

Special permission has been obtained from ISO for wider distribution of this draft than normally permitted by the standards development process. Click here to access the document, which includes a link to a brief (25 questions) web site questionnaire to gather your feedback. Reviewers may also provide up to 5 detailed comments to be included in the revision process for the updated standard.

The feedback period ends on 1 March 2011, and results are scheduled to be published in May 2011. Reviewers who provide contact details will be offered a summary of the feedback.


Certification Changes
CPE Policies and Code of Ethics Updated

Effective 1 January 2011, the annual limitation for earning continuing professional education (CPE) hours for working on ISACA® boards and committees will increase from 10 to 20 hours for each ISACA certification. This qualifying activity includes active participation on an ISACA board, committee, subcommittee or task force or active participation as an officer of an ISACA chapter. One continuing professional education (CPE) hour is earned for each hour of active participation. Such activities can be counted toward each ISACA designation that is held.

For more information on CPE policies and how to earn CPE hours, visit the Maintain Your CISA, CISM and CGEIT pages of the ISACA web site.

The ISACA Code of Professional Ethics has been updated and will be effective 1 January 2011. The changes to the code include more specific recognition of ISACA constituents as well as modification of wording to reflect current practice and terminology.


New Audit/Assurance Programs Help Improve Security

ISACA® has released 2 new audit/assurance programs to help improve security and efficiency. An additional benefit, these programs are offered free of charge to ISACA members:

  • The objective of the new Apache Web Server Audit/Assurance Program is to provide an independent assessment of configuration effectiveness and security. The Apache web server relies on the integrity of the host operating system (OS), so assurance of the integrity and security of the host OS should be obtained prior to a review of an Apache web server. Additionally, since each installation may use different web programming and support tools, this program should be customized for each installation.
  • The objective of the new MySQL Server Audit/Assurance Program is to provide an independent assessment of configuration effectiveness and security. MySQL web servers rely on the integrity of the host operating system (OS), so assurance of the integrity and security of the host OS should be obtained prior to a review of a MySQL web server. This program should be customized to describe which servers and applications are reviewed.

Both of these new audit/assurance programs are available. Visit the Audit Programs page of the ISACA web site for these and other valuable audit programs.


Earn Recognition As a Long-term Member of ISACA

ISACA® is now awarding 4 new levels of recognition for its distinguished long-term members:

  • Bronze-level membership—Awarded to those with 3 to 4 consecutive years of membership
  • Silver-level membership—Awarded to those with 5 to 9 consecutive years of membership
  • Gold-level membership—Awarded to those with 10 to 14 consecutive years of membership
  • Platinum-level membership—Awarded to those with 15 or more consecutive years of membership

The suggestion for a member-level program came out of several recommendations from the ISACA Membership Growth and Retention Committee, and the program was officially put into place on 1 November 2010. You can learn more about the program on the Member Levels page of the ISACA web site.

For example, if you joined in 2009 and have been a member since that time, when you renew for 2011, you will earn bronze-level membership in appreciation for your involvement and engagement with ISACA. As a long-standing ISACA member, you can take pride in knowing that you are contributing to the profession’s body of knowledge and are part of a prestigious global organization. ISACA acknowledges your contributions and professional investment and wants to recognize you.


ISACA and The IIA Sign MOU

ISACA® has entered into a formal memorandum of understanding (MOU) with The Institute of Internal Auditors (The IIA). The MOU creates a basis for cooperation and collaboration between ISACA and The IIA for the advancement of the global internal auditing profession through the mutual sharing of knowledge, experience and best practices. Both organizations recognize the great potential of this relationship. While the list of potential activities that could take place is nearly endless, some possibilities identified in the MOU include:

  • Speaking and exhibiting at each other’s conferences, seminars and events
  • Conducting jointly sponsored events
  • Mutually recognizing, where appropriate, each other’s continuing education programs for continuing education credits to satisfy requisite certification requirements
  • Encouraging similar cooperation and collaboration among local chapters of ISACA and The IIA (an activity that already thrives in many places throughout the world)
  • Identifying opportunities for joint projects that advance the global internal audit profession and the professional standing of its members
  • Engaging in periodic discussions on matters of public policy that impact the internal auditing profession
  • Where appropriate, coordinating and promoting unified messages and responses to standards setters, regulators and legislators globally, and providing them with information regarding best professional practices

Any new opportunities and developments will be relayed to members as they become available. ISACA looks forward to the opportunity to provide additional benefit and support to its members and constituents through this and all of its relationships.


ISACA’s eLearning Campus Features a New Look

ISACA® has made some improvements to the eLearning Campus, giving it a new and fresh look and feel and making it easier to navigate and find the courses you need.

The ISACA® eLearning Campus is designed to provide convenience and flexibility to ISACA constituents who are interested in online, self-paced study courses. The campus offers a variety of courses—developed by ISACA subject matter experts and designed to prepare candidates for the Certified Information Systems Auditor® (CISA®) certification exam and educate users about COBIT®—and webcasts on industry-relevant topics. Courses include interactive exercises, case studies and practice exams, all of which will help visitors build their professional skills and earn continuing professional education credits.

Check out the improved eLearning Campus on the ISACA web site. Click on the Go to Campus button and log in with your ISACA credentials. While you are there, take a look at all of the courses we have to offer, including our new and improved Online COBIT® Foundation Course, complete with an updated case study, interactive activities and a practice test.

If you have any questions about the new eLearning Campus or our Online COBIT Foundation Course, please e-mail elearning@isaca.org.


Book Review:  Hacking Wireless Exposed:  Wireless Security Secrets & Solutions, 2nd Edition
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL

Hacking Wireless Exposed:  Wireless Security Secrets & Solutions, 2nd Edition, by Johnny Cache, Joshua Wright and Vincent Liu, is the much improved and updated version of Hacking Exposed Wireless,” published in 2007. The 2nd edition continues the successful tradition of the Hacking Exposed series of books by telling the reader the story of information security through the background of potential hacking attempts in information systems and technologies. By choosing this perspective, the authors make reading this book much more exciting than conventional security books, which use the traditional approach of just explaining security features. For that reason, it is very entertaining and educating when this book takes the reader on a journey into the wireless world with its intriguing technological opportunities and potentially dangerous security vulnerabilities.

The ambitious authors have delivered a comprehensive book that builds a bridge between the technological details of discovering security vulnerabilities and the general consequences and business impacts if those security weaknesses are not being addressed. The authors invest a considerable amount of effort in explaining the technical details, concepts and implications. The presented knowledge is equally an eye-opener for the IT specialist, security consultant and auditor and is also a great resource as a how-to guide that enables an auditor to develop an audit program for specific cases to assess the threat level of attacks and the overall security posture of a wireless network or remote client.

The authors describe the vulnerabilities of wireless technologies and systems by showing methodologies, attacks and tools that black hats would use for exploits. In this way, the reader understands much better the risks and the needs and means to mitigate them.

The three parts of the book contain 12 chapters and one appendix. The appendix provides information about scoping, planning and estimating the effort of a security assessment of a wireless network—a valuable resource for the security consultant or IT auditor. The chapters are logically structured with appropriate figures, photographs and screen shots to present the technical, advanced content in an easy-to-understand style. This great combination of security concepts, case-studies, how-to instructions and vulnerability testing tools empowers the reader to develop an approach for penetration testing wireless networks.

Hacking Wireless Exposed:  Wireless Security Secrets & Solutions, 2nd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CISSP, ITIL, is the owner and principal consultant of DELTA Information Security Consulting Inc.


Read More Articles in Our Archives