@ISACA Volume 3: 2 February 2011 

@ISACA Relevant, Timely News

5 Ways to Limit Data Leakage and Exposure

  1. Develop a clean-desk policy that includes a clean-white-board policy for conference rooms and public areas. Data leakage and exposure can come from the most obvious and innocent of oversights by personnel who have access to or handle sensitive data. A clean desk policy will ensure that sensitive information that is being used during the business day is not viewed or removed by unauthorized personnel when not under the direct control of the authorized personnel. A clean-white-board policy (which includes nightly cleaning of conference rooms and public areas) will ensure that sensitive information is not viewed by personnel who are appropriately using facilities but are not authorized to view sensitive data.
  2. Implement secure printing. Even in the age of the paperless office, more and more people are printing sensitive materials than ever before. Sensitive documents are often left at communal printers for long periods of time where anyone can read them or collect the printouts. Using secure printing capabilities, such as follow-me printing or PIN-required printing for sensitive documents, will ensure that the printer only activates when the authorized user is near the printer and ready to pick up the printout.
  3. Implement and maintain an asset inventory. Data leakage and exposure often occur when sensitive or controlled data are unaccounted for and not in the direct control of the data owners. Implementing and maintaining an asset inventory of both physical and logical data assets will allow an organization to identify and classify data and apply appropriate controls.
  4. Implement trust-but-verify policies and procedures for sensitive data. The unfortunate reality of data leakage often is the fact that an insider either knowingly or unknowingly contributed to the incident. Individuals are less likely to act upon a malicious action, such as data theft, if they know their activities are being monitored. Implementing trust-but-verify policies and procedures for access to and handling of sensitive data will provide protection to both the individual and organization. The individual with privileged access will not have to worry about wrongful prosecution and the organization can quickly identify the scope as well as methods and practices used if a data leakage incident were to occur. Examples of trust-but-verify policy and procedures are pervasive and consistent logging and monitoring of all access and activities to technical infrastructure and environments that contain sensitive data.
  5. Establish hardware configuration password protection. The ability for data leakage and exposure to occur has been greatly enhanced by the advanced technologies organizations deploy to their users and the vast amount of data that they store on these technologies. One area that should be protected in these situations but is often neglected is the hardware configuration’s basic input/output system (BIOS) settings. Once an organization has established the settings for its users, the settings should be password-protected to prevent the user from changing them. This is especially important in the case of Bluetooth-enabled devices, which can allow a user to establish a short-range data network connection to mass storage devices (including smartphones) without being detected by typical network or application controls such as network-based intrusion detection or data leak prevention tools.

More information on data leak prevention is available in ISACA’s Data Leak Prevention white paper, as a complimentary download to members and nonmembers.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


The Joy of Item Writing—The Review Process
By Alisdair McKenzie, CISA, CISSP

An exam item writer supports the development of ISACA® exams, and writing items is a rewarding way to get involved and help support the continuation of your profession for years to come. It is also a creative way to earn free continuing professional education (CPE) hours and make extra money. Items include a stem and options for answers, and can either be direct questions, incomplete statements, or issue/scenario descriptions.

Part 2 of this @ISACA series discusses what is involved in the item review process.

Item Review Process

Questions that are submitted by item writers are initially reviewed by ISACA staff members to ensure compliance with ISACA’s basic item-writing principles and grammar. Items that are flawed in any significant way will be sent back to the item writer with appropriate and constructive feedback.

Items that are initially accepted are then reviewed during the next semiannual Test Enhancement Subcommittee (TES) meeting for the appropriate certification. During this meeting, the TES members analyze, discuss and debate how well each question reflects the job practice and whether it will test the appropriate knowledge required of a CISA candidate. This discussion is often animated and stimulating.

At this point, items may be accepted by the TES or returned to the item writer for further work. The TES will provide detailed feedback, summarizing the discussion, on items returned to the item writer. Accepted questions become the property of ISACA.

Items accepted by the TES are then reviewed by the appropriate certification committee for final approval. This review process mirrors the TES reviews. Items accepted by the CISA Certification Committee are placed into the CISA exam item pool for inclusion on future CISA exams.

Part 1 of this series on exam item writing discussed developing a good question and appeared in @ISACA, volume 2, 2011. Next month, the benefits of being an item writer will be discussed in the final article in the 3-part series.

Information on item writing and how to be an item writer is available on the item writing page of the ISACA web site.

Alisdair McKenzie, CISA, CISSP, has been active for more than 15 years in the ISACA Wellington Chapter and is a past president of the chapter. He has spent 3 years as a member of the CISA Test Enhancement Subcommitee and is currently a member of the CISA Certification Committee. His career in IT spans almost 40 years.


Uncover Renewed Perspectives to Identity Management at Asia-Pacific CACS 2011
R. Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Shares His Experience as an ISACA Speaker

R. Vittal Raj will present “Auditing Identity Management in Extended Enterprises” at this year’s Asia-Pacific Computer Audit, Control and Security (CACSSM) conference to be held in Dubai, UAE, 21–22 February 2011.

Internet technologies and the cloud are radically transforming the way businesses run, and managing identities is assuming newer dimensions and challenges. “Today, an individual’s digital identity has assumed sacred proportions, often more significant than one’s physical identity,” Raj said. “Everything related to ownership, access and rights to information and applications is linked to identities in these vulnerable digital spaces. Given the ever-extending, cyber-agile enterprises, managing risks and protecting digital identities and attached information assets are increasingly complex challenges.”

Raj’s session at Asia-Pacific CACS will uncover renewed perspectives to understanding the vulnerabilities to managing identities in extended enterprises and will address the need for innovative approaches to managing them in the emerging era of doing “‘business in the cloud.” Participants will share thoughts, approaches and solutions through a lively exchange of knowledge, experience, case studies and quick polls.

Raj also finds the session “Designing Next Generation Security and Audit for Cloud Computing Environments” of particular interest. “The mobile phone and Internet were once technologies that were considered a myth and so appears the cloud, today,” he said. “It will be interesting to understand newer perspectives that will help intensify my research for security paradigms in this emerging, hazy information age.”

Raj has been associated with ISACA since 1997 and has held several positions at the Chennai Chapter, including serving as the president, CISA coordinator and director of certification. In global roles, he has served as a member of the Governmental and Regulatory Agencies Board Asia I (GRAB Asia I) and is currently a member of the Asia-Pacific CACS Task Force.

Raj is eager to visit this “dynamic hub of intense activity in the lap of the Gulf region. I am looking forward to getting more insights into the Persian Gulf culture and to visit some of its recent masterpieces in construction.”

For information on this conference, including sessions and registration, visit the Asia-Pacific CACS page of the ISACA web site.

R. Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, is a partner with Kumar & Raj and is director of Pristine Consulting, India.


ISACA Certifications Bridge the Gap Between IT and the Business
Kathleen Ann Mullin, CISA, CISM, CGEIT, CRISC, CIA, CISSP, Shares Her Experiences With ISACA Certifications

The first certification Kathleen Ann Mullin sought was the Certified Information Systems Auditor® (CISA®). She was the director of internal audit and property records for a large school district. “What I was doing was based on business experience, compliance and regulatory requirements and best practices,” Mullin said. “However, I had only one staff member who was a CPA and no other employees with certifications. I knew I needed some external guidance.”

Mullin sought the advice of Steven Smith, director of internal audit at the City of St Petersburg, Florida, USA. She asked him for guidance on developing her staff and motivating them to get certified as CPAs and CIAs, as well as what direction to take her own career. “Steven told me about ISACA and the CISA certification,” Mullin said. “I left his office with a job offer, the opportunity to take both the CIA and the CISA exams, and encouragement to become involved in the local ISACA chapter. The only condition he presented was that I needed to pass the CISA exam the first time.”

Some may consider her choice to accept Smith’s offer an illogical jump. “However, the opportunity to join an organization that would allow me the opportunity to keep current and advance in my knowledge and experience was one that I could not pass up,” Mullin explained. “As I pursued the CISA and learned about COBIT®, I found a framework that made sense and a way to recommend changes that helped the organization while taking the element of surprise out of the audit experience. I was hooked on ISACA and as my career progressed, ISACA developed certifications that matched what I had done and was doing.”

While attaining the CISA designation was a requirement for Mullin’s position with the City of St. Petersburg, the Certified Information Security Manager® (CISM®) is a requirement for her current position with Hillsborough County Aviation Authority, where they would have also accepted a CISSP. “I now have both of those certifications and I find that the job knowledge and job task areas of the CISM more closely relate to my current position, even when using the (ISC)2 common body of knowledge,” Mullin said.

Mullin feels that having ISACA certifications provides a baseline so that others know what her knowledge and background includes. “It helps provide a common viewpoint that allows for discussion and consensus building when solving everyday business problems,” she said. “My time with St. Petersburg, the Technical Answer Group and the Tampa International Airport has helped build my understanding of the intricacies of information assurance. Today, my certifications help me on a daily basis:

  • CISA assists me in preparing the organization for what internal and external auditors are looking to find when auditing, and more importantly, why they are looking for specific controls. This helps management decide what frameworks to adopt and what processes to put in place.
  • CISM is the core part of my position where monitoring and controls fall into place. I utilize CISM knowledge when working with management to ensure that they have the information they need to manage information effectively, developing and managing the Computer Security Incident Response Team (CSIRT); building relationships with other local governments, vendors and the Federal Bureau of Investigation; developing and delivering information security awareness and training.
  • Certified in the Governance of Enterprise IT® (CGEIT®) is useful when I work with senior management as they provide management and IT the business direction and expectations. We discuss what technology can and should do to enhance the business and minimize the risks.
  • Certified in Risk and Information Systems Control™ (CRISC™) assists me in developing risk analysis and assessment, as well as business impact analysis. Risk and how it is handled determines what I do to develop and run the information security program.”

Mullin said she approaches challenges as opportunities in her job and the people involved pose the greatest challenges. “Business leaders tend to be focused on the bottom line and when they want something done, they rely on IT to put appropriate measures in place. Often, IT will focus on the technology without focusing on what the business is trying to achieve,” she explained. “Bridging that disconnect between the business leaders and IT in a language they can both understand becomes the largest and most important challenge I face.”

Kathleen Ann Mullin, CISA, CISM, CGEIT, CRISC, CIA, CISSP, is a member of the CGEIT Certification Committee and is the IT systems security manager for Hillsborough County Aviation Authority (Tampa International Airport).


2011-2012 Invitation to Participate Application Deadline Near

The invitation to participate application period will close on Friday, 25 February 2011. This is your final opportunity to apply to participate on the 2011-2012 ISACA® boards, committees and subcommittees.

The 2011-2012 Invitation to Participate provides a great opportunity for those who would like to volunteer with ISACA in a hands-on environment, collaborating with peers to ensure successful certification programs, comprehensive professional conferences and educational resources that are representative of professional standards and sound infrastructures.

The selection of volunteers is based upon the current needs of the groups, the relevant professional background of the candidates and the need to reflect a global perspective. All appointments are for a one-year term and are ratified by the Board of Directors.

For more information and to apply to be an ISACA volunteer, visit the Volunteering page of the ISACA web site.


Report Says Best-performing Organizations Are Using COBIT

A new report by the IT Policy Compliance Group (ITPCG), titled “How the Masters of IT Deliver More Value and Less Risk,” reveals findings from research conducted on organizations with the best-performing IT and what they are doing differently with IT to deliver the most value and least risk, compared with all other organizations. The major findings reveal several management practices, tools and supporting IT systems that are unique to the “masters of IT.”

According to the report, the masters of IT are using COBIT, IT balanced scorecards and IT portfolio management to improve alignment and deliver more value. The report states, “The use of COBIT, IT portfolio management, IT balanced scorecards and IT strategy maps were found to be emerging management tools in 2005 and 2006, were more widely adopted by 2008, and by 2010 are the principle strategic tools being employed by the best-performing organizations to manage and govern value and risk related to the use of IT.”

This widespread adoption confirms previous findings, including the use of COBIT to manage and govern the value being delivered by IT and the use of IT governance, risk and compliance (GRC) systems with COBIT. According to the report, “COBIT is now the principle strategic tool employed to manage value and risk related to the use of IT.”

The report points out that the COBIT management tools go beyond strategic alignment by including delivery of value, management of risk, measurement and assessment of performance. Because of this, the report states, when it comes to managing value and risk related to the use of IT, the best-in-class organizations consistently take the same actions: governance of IT via the use of COBIT and the preservation of value and management of risk through the use of IT GRC systems, COBIT, ISO and CIS benchmarks.

The full report is on the ITGI Global Survey Results page of the ISACA web site. More information on COBIT can be found on the COBIT page.


Updated CISA Online Review Course

The CISA® Online Review Course has been updated to include the new 2011 CISA certification job practice, which is now in place and posted on the ISACA® web site. This update reflects the reorganization of and revision to the task statements and knowledge statements in the 2011 CISA job practice.

One of the major changes in the new job practice is the incorporation of domain 6 from the previous job practice into job domains 2 and 4. The updated CISA Online Review Course reflects this change. The 5 updated course modules are:

  • Module 1—CISA: The Process of Auditing Information Systems
  • Module 2—CISA's Role in IT Governance
  • Module 3—CISA's Role in Systems and Infrastructure Life Cycle Management
  • Module 4—CISA's Role in IT Service Delivery and Support
  • Module 5—CISA's Role in Protection of Information Assets

The number of continuing professional education (CPE) hours (26) and the seat time (26 hours) to complete the course remain the same.


Read More Articles in Our Archives