@ISACA Volume 3: 30 January 2013 

@ISACA Relevant, Timely News

New COBIT 5 Foundation Course and Certificate

The COBIT 5 Foundation Course and exam are now available. Passing the exam earns candidates the COBIT 5 Foundation Certificate, which demonstrates knowledge and understanding of the COBIT 5 framework.

COBIT 5 training provides IT and business professionals with the opportunity to learn how COBIT 5 can be used to add value to their enterprises in all industries and geographies. COBIT 5 training and examinations are available through ISACA’s global network of accredited training organizations and accredited individual trainers.

COBIT 5 exam candidates can self-study for the exam. After completing the self-study course, available through ISACA, candidates may elect to take the exam online or sit for the exam at an authorized testing center.

For more information, visit the COBIT 5 Education & Training page of the ISACA web site or contact onsitetraining@isaca.org.


Maximize Benefits of Your IT Risk Management Program

Many enterprises implement IT risk management programs to meet the requirements of ISO or similar certifications or of regulations (e.g., Basel, the US Sarbanes-Oxley Act). One major benefit of developing a risk management program is that it helps management establish a complete internal control environment. To maximize the benefits, consider the following factors when developing and deploying an IT risk management program:

  1. Understand that an IT risk management program is not only for IT. Technology has introduced new risk factors, and how to respond to a risk depends on the impact it might have on the enterprise’s business. Impacts on IT directly or indirectly affect the enterprise’s business; therefore, ensure that risk impact is measured in business terms, not only in technical terms.
  2. Determine the objectives of the risk management program. Implementation of an IT risk management program might be prompted by compliance requirements; however, compliance should not be the primary objective of the program. Ensure that the primary objective is defined in terms of the benefits the business derives from it.
  3. Identify and develop a methodology. There are many standards and frameworks available for developing an IT risk management program; however, do not pick one randomly. Determine the enterprise’s requirements, the risk culture, the objectives of an IT risk management program and the expected benefits, and then make selections that are suitable for the enterprise.
  4. Determine the appropriate terminology and establish uniform definitions. The terms used in risk management might mean different things to different individuals. Prepare a glossary of terms with definitions that all users can easily understand, and use business-related definitions rather than technical ones. For example, “likelihood” and “impact” should be defined in terms the users already understand, not in terms borrowed from a technical standard.
  5. Ensure that the risk management program is aligned with the enterprise’s business needs. The need for alignment is primarily due to the following:
    • A business risk scenario (e.g., “technology is not available to support the business process”) might map to multiple IT risk scenarios, each of which results in the unavailability of technology. Ensure that the combined assessment of those IT risk scenarios matches the assessment of the enterprise’s risk scenario.
    • A single IT risk scenario might have a different impact on each business process it touches. When preparing the IT risk profile to match the enterprise risk profile, the IT risk manager must consider the overall impact across all affected business processes.
  6. Develop and implement processes for ongoing updates of risk levels. Risk management is an ongoing activity. To ensure that the risk profile for the enterprise is current, it is best to embed risk management in operational processes. The following processes trigger changes in IT and may be routed through the risk management process:
    • IT procurement
    • Overall change management
    • Incident management and root-cause analysis to prevent incident recurrence
    • Periodic audit and review report closures
    • Project approval and review
    • Periodic risk review by process owners
  7. Link the risk register to the control catalog. Mapping each risk to the controls that mitigate it means that a risk can be reassessed whenever one of its controls is added, changed or found to be ineffective, which helps keep the risk register current.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, AMIIB, ABCI, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


CISA, CISM and CRISC Certification Program Recognition

The Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certification programs have been named “Best Professional Certification Program” finalists in SC Magazine’s 2013 awards. SC Magazine defines the category as professional industry groups that offer certifications to IT security professionals seeking educational experience and credentials. Entrants include organizations in the industry that grant certification for training and education.

Additionally, Foote Partners has found in a recent study that CISA, CISM and CRISC certification holders earn pay premiums that place the certifications in the top 7 percent of all 268 IT industry certifications reported by Foote Partners. According to the IT Skills and Certifications Pay Index, individuals who obtain the CISA, CISM or CRISC certification are ranked among the highest paid professionals. To make this list, a certification program must average a pay premium in excess of the equivalent of 10 percent of base salary.

Find out more about how you can earn the CISA, CISM or CRISC certifications on the Certification page of the ISACA web site, and leverage your position and value within your enterprise.


2013-2014 Volunteer Application Period Coming to a Close
Apply by 14 February 2013 to Participate

Your opportunity to submit your volunteer application for the 2013-2014 term is closing soon. The invitation to participate closes on Friday, 14 February 2013. Act now and apply to participate on an ISACA board, committee or subcommittee.

Volunteering provides you with an opportunity to collaborate with peers from around the world, ensuring successful certification programs, insightful research and guidance, comprehensive and timely education programs, and representative professional standards.

The selection of volunteers is based on the resources needed to support ISACA’s strategy and the responsibilities of its volunteer bodies, the relevant professional background of the candidates and ISACA’s desire to reflect a global perspective. All appointments are for a 1-year term and are approved by the Board of Directors.

For more information on how to join an ISACA volunteer body and to access the volunteer application, visit the Volunteering section of the ISACA web site. Volunteer and help shape the future of your profession today!


New ISACA Resources Available on BYOD and BCM

ISACA has issued the following new resources:

  • BYOD Security Audit/Assurance Program provides management with an assessment of BYOD policies and procedures and their operating effectiveness. It is posted for complimentary member download and is available in the ISACA Bookstore.
  • Business Continuity Management: Emerging Trends provides an overview of the impacts, benefits and opportunities of four emerging technologies (virtualization, cloud computing, mobile devices and social networks) as they relate to BCM. The white paper is available for complimentary download.

Information on current research projects is posted on the Current Projects page of the ISACA web site.

