@ISACA Volume 3: 1 February 2012

@ISACA Relevant, Timely News

Invitation to Participate Application Submission Period Coming to a Close

Now is your opportunity to submit your application for ISACA’s 2012-2013 volunteer term. The invitation to participate application period will close Friday, 16 February 2012. Act immediately and apply to participate on one of ISACA’s international boards, committees or subcommittees.

Volunteering provides you an opportunity to collaborate with peers around the world, ensuring successful certification programs, insightful research and guidance, comprehensive and timely education programs, and representative professional standards.

The selection of volunteers is based on the resources needed in support of ISACA’s strategy and the responsibilities of its volunteer bodies, the relevant professional background of the candidates, and ISACA’s desire to reflect a global perspective. All appointments are for a one-year term and are ratified by the Board of Directors.

For more information and to apply to be an ISACA volunteer and help shape your profession, visit the Volunteer page of the ISACA web site. Do not delay—your contributions are needed.


Tips on Managing, Controlling and Securing Mobile Devices
By Tara Kissoon, CISA, CISSP

While mobile devices increase employee productivity and are seen as contributing to a rise in return on investment (ROI), organizations must also identify the risks associated with mobile devices stemming from human factors to technology and architecture issues. To benefit from the operational efficiencies gained from mobile device usage, organizations should implement controls to mitigate any associated risk.

Here are 7 considerations to help in managing, controlling and securing mobile devices in your organization:[1]

  • Policy—A security policy should exist for mobile devices and should include:
    • Rules for appropriate physical and logical handling
    • Controls pertaining to mobile device usage, specifying the type of information, the kind of devices and the type of information services that may be accessible through the devices
  • Mobile security tools—Mobile devices should be safeguarded against malicious code by:
    • Scanning apps and other programs/data
    • Regularly updating antivirus software
  • Encryption—All data labeled as sensitive should be properly secured while in transit or at rest.
  • Secure transmission—The mobile device user should connect to the corporate network via a secure connection, and sensitive information should be adequately protected as per corporate policy.
  • Device management—There should be an asset management process in place for tracking mobile devices. It should include procedures for lost and stolen devices and for terminated employees.
  • Access control—The configuration must include limiting access to sensitive data by disabling data synchronization features that can access shared files or network drives that contain data prohibited for mobile use.
  • Awareness training—Ongoing awareness training should be in place to address physical and logical security of mobile devices. This should include identifying types of information being stored on mobile devices.

Tara Kissoon, CISA, CISSP, is a director at Research in Motion. Her expertise is focused in payment security across mobile systems.

[1] ISACA, Securing Mobile Devices, white paper, USA, August 2010


ISACA Training Courses—A New Year, a New Focus
First of New 2-day Training Courses Will Address Cloud Computing

ISACA is kicking off the year offering a more extensive variety of classroom courses that will continue to explore aspects of IT assurance, audit, governance, risk and security, and provide learning opportunities for proven techniques based on best practices and lessons learned from the ISACA community. In addition to the traditional training weeks (4-day courses), ISACA is now offering 2-day training courses in the classroom setting. Courses cover the following areas of concentration:

The first of these 2-day courses, Cloud Computing Fundamentals for IT Professionals, will be held 24-25 April 2012 in Denver, Colorado, USA. Taught by Albert J. Marcella, Ph.D., CISA, CISM, chief executive officer of Business Automation Consultants, this course defines cloud computing, the service delivery models of a cloud computing architecture, and the methods in which they can be deployed as public, private, hybrid and community clouds. The security and privacy issues related to cloud computing environments will be examined by exploring the threat model and security issues related to data and computation outsourcing, and identifying practical applications of secure cloud computing.

Marcella brings a wealth of professional and academic experience in the field of IT audit and security and is a well-known author in the field. He is also a professor of management at Webster University, where he teaches computer resource management courses. In 2000, he was awarded the Leon R. Radde Educator of the Year award from the Institute of Internal Auditors, recognizing his contributions to the advancement of internal auditing and education.

“I am excited for the new format of these concentrated, 2-day courses,” said Marcella. “It provides the opportunity to hone in on one area and focus on a thorough presentation and information exchange on the topic. Attendees will come away with expanded knowledge and practical tools on the subject matter.”

For information on ISACA’s training courses, visit the Training page of the ISACA web site.


COSO Issues Public Exposure of Internal Control—Integrated Framework

ISACA continues to play an active role as a member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Advisory Council, as it has done since September 2010. As a member of the council, ISACA has assisted by providing constructive feedback and suggestions on various versions of the Internal Control—Integrated Framework.

Ken Vander Wal, ISACA international president, represents ISACA on the COSO Advisory Council. He is assisted by a highly qualified ISACA work group composed of dedicated subject matter experts and volunteers. Active participation by Vander Wal and the work group members has contributed to making sure the important voice and practical knowledge of IT control, risk and assurance professionals are considered. However, it is the COSO board that ultimately determines if and how any submitted content is used within the Internal Control—Integrated Framework.

ISACA constituents are encouraged to review the refreshed COSO public exposure draft, its principles, attributes and examples, and provide comments. Access the Internal Control—Integrated Framework exposure draft, and submit your comments before the 31 March 2012 deadline.


CISA and CISM Receive Recognition

ISACA’s Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications have recently received 2 new recognitions.

The World Lottery Association (WLA) has recognized ISACA’s CISA and CISM as certifications that are required for someone to be a WLA auditor. The WLA’s Guide to Certification for the WLA Security Control Standard details that a certification auditor seeking accreditation from the WLA to conduct WLA SCS certification audits should be actively involved in the business of information systems; be either ISO/IEC 27001:2005 lead auditor certified, or an IT security expert or IT auditor, as certified by an internationally recognized certification body; possess experience in the lottery sector of reasonable duration; and hold one or more designations, of which the CISA and CISM certifications qualify.

CISM is listed in the top 5 information security certifications for 2012, according to a report by Information Security Media Group. The report notes that CISM is in demand not only for its demonstration of IT security proficiency, but also because certified candidates go through training that reflects a higher standard of ethical conduct—a topic that has renewed focus by hiring managers. According to the report, “Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security” and “CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions.” To read more, visit Govinfosecurity.com.

