@ISACA Volume 4: 13 February 2013 

@ISACA Relevant, Timely News

Honor Members by Nominating Them for Prestigious Awards

Help ISACA’s Board of Directors honor individuals who have made a difference in ISACA and the professions it supports by nominating an individual for the Harold Weiss Award for Outstanding Achievement or the John Lainhart Common Body of Knowledge Award. The deadline for award nominations is 22 March 2013.

The Harold Weiss Award for Outstanding Achievement was initiated by ISACA in 1985. This award recognizes individuals for their dedication to and outstanding achievement in the IT governance profession.

The John Lainhart Common Body of Knowledge Award, which is named after past president John Lainhart and was initiated in 1997, recognizes individuals for major contributions to the development and enhancement of the common body of knowledge used by the constituencies of the association in the field of information systems (IS) audit, security and/or control; IS audit certification; and/or IS audit standards.

ISACA members nominate qualified and deserving candidates for each of these awards by submitting a nomination letter via email or fax. The nomination letter must include:

  • Name of the nominee
  • Description of accomplishments relating to the award
  • Professional affiliations
  • Other honors and awards achieved
  • Publications or articles published
  • References
  • Name and contact information of the nominator

For information on these awards, additional volunteer awards presented by ISACA and prior award recipients, please visit the Volunteer Awards Winners page of the ISACA web site. Nominations can be submitted to mmcgee@isaca.org (or faxed to +1.847.253.1443 to the attention of Mikel McGee).


CISA, CISM, CGEIT, CRISC Holders: Note Changes to CPE Policy

Continuing professional education (CPE) policies have been updated for ISACA’s 4 credentials, effective 1 January 2013. The changes, which apply equally to all 4 ISACA certifications, address:

  • Reconsideration and appeal—Individuals whose certification has been revoked due to noncompliance with the CPE policy and who later appeal for reinstatement may incur an additional reinstatement fee of US $50. This reinstatement fee is effective for individuals reinstated after 1 January 2013 (when the revocation had been outstanding more than 60 days) and is in addition to any back or current certification maintenance fees needed for the certified individual to be compliant with the CPE policy.
  • Calculating CPE hours—One CPE hour is earned for each 50 minutes of active participation (excluding lunches and breaks) in qualifying ISACA and non-ISACA professional educational activities and meetings. CPE hours can be earned in quarter-hour increments and can also be reported in quarter hours (rounded to the nearest quarter hour).
  • Exam question development and review (no limit)—For those serving on an ISACA committee/task force that is responsible for exam question review, evidence of actual hours for the formal item review process will be provided.
  • Contributions to the profession (20-hour annual limit)—CPE hours are earned for the actual number of hours contributed.

For complete details, please read the updated CPE policies on the CISA, CISM, CGEIT and CRISC CPE Policy pages of the ISACA web site. Questions or comments can be directed to the Certification Department at certification@isaca.org.


5 Questions to Improve Business Resiliency Plans

Business resiliency plans (which often include incident response, command and control, business continuity, and disaster recovery components) should be reviewed and updated on an annual basis with other business continuity components. Here are five important questions to consider:

  1. Do the plans account for all current critical business processes and activities? The pace that business processes and activities change within many organizations often supersedes their ability to accurately and effectively adjust business resiliency plans and capabilities. It is important to maintain an accurate inventory of critical business processes and activities. This helps ensure that the business resiliency plans and capabilities that support the viability and availability of these processes and activities can be properly developed and maintained. It is helpful to maintain a registry of any significant changes in business activities, processes or structures in between updates. This helps reduce the efforts associated with updating this inventory based on a point in time and provides key data points for the review and update processes.
  2. Is the contact information accurate for all individuals and entitles identified in the plans (including third parties)? One of the most common lessons to emerge from incidents is the inability to reach critical resources due to inaccurate contact information. Many organizations assume that the contact information included in their electronic directory solution is accurate and do not require key individuals to confirm these data on a regular basis. This trust does not account for life events or changes that occur as part of the normal course of business activities. Further, while the internal contact directory may be accurate, it is often found that the contact information for critical third parties is not. Organizations typically have limited visibility into the business operations of third parties and often put the responsibility of updating contact information on the third party. Without verification controls in place it is difficult for an organization to be sure that the contact information it has is accurate.

    Verification and testing of contact information for critical resources and entities identified in the business resiliency plans should be incorporated into plan testing activities. This information should be verified, at a minimum, annually and, if possible, quarterly. These tests should include a positive response test of all primary and backup data methods. Plan testing activities should also be conducted during off-hours and weekends to ensure effectiveness during nonworking time frames.
  3. Are the identified key resources individuals still willing and able to participate if required? An often overlooked but essential requirement of any business resiliency plan is the availability and willingness of key resources to participate in the activity. If plans are implemented, individuals who previously agreed to be part of a resiliency plan may have had changes in their lives or capabilities that make them no longer interested or suitable to be an effective contributor. It is important to reaffirm an individual’s willingness and ability to perform their assigned tasks as part of the update process. This also helps to remind individuals of their commitment and responsibilities to ensure that they are prepared if they were required to operate as part of a business resiliency plan.

    It is also important to provide these resources with the ability to say “no” to these obligations and responsibilities without any consequences. This will ensure that the individual will not feel pressured into agreeing to participate if they are not a viable resource.
  4. Are the identified key resources individuals updated on training and briefings? Key resources individuals identified in the business resiliency plans should be trained and briefed on a regular basis. They should be prepared and able to carry out the activities they will be expected to perform, and they should be aware of their responsibilities. While these activities and responsibilities are typically part of their normal job functions, individuals should be trained and tested in stress scenarios to ensure that they are capable of performing in a crisis or high-stress situation.
  5. Do the recovery time and recovery point objectives identified in the plans still make sense? Business requirements and expectations change more often than the business resiliency plans that support them. Key components of the plans are the recovery time and recovery point objectives that define and prioritize response and recovery efforts for key business processes. It is imperative to validate the accuracy of these objectives as part of the plans’ review and update processes to ensure that they are still accurate and aligned with the organization’s expectations. Internal and external expectations of availability for key business processes become more stringent as their value, visibility and contribution to the success and/or reputation of an organization increases. At the same time, recovery time and recovery point objectives for existing business processes and capabilities may diminish as their value to the organization decreases. Ensuring the accuracy of these objectives allows for appropriate levels of investment in associated business resiliency activities and continued support from the organization’s leadership.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Knowledge Center: The Learning Potential Is Limitless
Jason Yakencheck, CISA, CISM, of the National Capital Area (Washington DC, USA) Chapter Shares His Knowledge Center Experience

Jason YakencheckQuestion How were you introduced to ISACA’s Knowledge Center?

Answer I became aware of the Knowledge Center when I became an ISACA member and began exploring the web site. Before becoming an active participant in the discussion forum in the Young Professionals group, I used the ISACA web site as a source of information and for reference materials for several years—the Knowledge Center is accessible from the ISACA home page. After recognizing the many benefits of active participation, I’ve been a topic leader for more than a year.

Question In your opinion, what makes the Knowledge Center a valuable resource for ISACA members?

Answer The Knowledge Center is a tremendous resource for all ISACA members. In addition to all the publications and reference materials, the discussion groups provide each person with direct access to fellow practitioners. This communication medium connects people worldwide and provides a way to leverage the insight and knowledge of others. The ability to ask a question about a problem at work, career or general industry information and then get a relevant and informative answer in a timely manner is invaluable. I would like to see more members engage in active discussion and information sharing. The more involved the members get in the Knowledge Center groups, the better it will be for everyone. The learning potential is limitless.

Question What made you decide to become a topic leader?

Answer I became a topic leader because I wanted to increase the discussion activity and content in the Young Professionals group. I believed it was an area that had a lot of potential and could add significant value to its members. I wanted to help connect other members with each other and really foster a sense of community within the group. Being a topic leader was the perfect role and opportunity for me to perform this function.

Question How did you choose your topic?

Answer The Young Professionals group was the best fit for me considering that I am a young professional, I have mentored many young professionals, and I am a member of ISACA’s Young Professionals Subcommittee.

Question What is one thing you wish all ISACA members knew about the Knowledge Center?

Answer I don’t think all ISACA members realize the extent of information that can be found in the Knowledge Center and how it can be used as a resource to ask other professionals questions and get their feedback. Additionally, I don’t believe many members are aware that alerts can be set so you can be notified when new content is added or posted in the topics in which you are interested.


Formulate and Present Effective Business Cases

Implementing IT governance in a business unit can be challenging. Strategies and tactics are needed to change the culture and behaviors of people and realize benefits. To provide a road map, ISACA Journal volume 1 author Rajesh Bhatia, CISA, CGEIT, PMP, MDP, provides clear steps to formulate and present effective business cases for governance over IT:

  1. Develop initial strategies and tactics—Similar to any transformational change or process improvement initiative, business-unit strategies and tactics should be developed along the three dimensions of the people, processes and tools (PPT) triangle.
  2. Implement Hoshin Kanri planning—After the initial PPT strategies and tactics are developed, they need to be refined and aligned with the organization’s strategies and communicated to all business-unit staff. Also called Policy Deployment, Hoshin Kanri planning is a strategic planning/strategic management/strategic control methodology based on Deming’s Plan-Do-Check-Act (PDCA) cycle.
  3. Implement an adequate communications plan—Implementation cannot succeed without adequate communication, awareness, culture change and reinforcement activities.
  4. Summarize the cost and schedule—A question that is always asked when business cases are presented is the cost and schedule of institutionalization activities. It is critical to provide the summarized cost and schedule with milestones, because executives frequently base their decisions on this information.
  5. Present the business benefits—While presenting business cases, questions frequently surround the benefits: What are the benefits? When will they be realized? How will they be measured and reported? Presenting benefits using a results chain model can be useful.
  6. Present the measurement and reporting plan—Executives also want to know how the business benefits will be monitored, measured and reported. Presenting the metrics and the measurement and reporting plan is important.
  7. Relay success stories—Relaying success stories, if available, reinforces the business case authenticity and practicality.
  8. Choose the appropriate presentation technique—It is very important to match the delivery with the personality types of the executives.

Read Rajesh Bhatia’s full article, “IT Governance Implementation—Formulating and Presenting Practical Business Cases,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.


Read More Articles in Our Archives