@ISACA Volume 4: 16 February 2011 

@ISACA Relevant, Timely News

CISA Certifieds Remain in Demand
Shankar Natarajan, CISA, CEH, CIA, FICWA, Shares His Experiences as a CISA

Shankar Natarajan, manager of systems and process assurance with PricewaterhouseCoopers, earned the Certified Information Systems Auditor® (CISA®) certification in 2001. At the time, the IT sector was opening up in India and there was a huge demand for IT-related skills. “There were many opportunities in system audit, in particular, but the supply of professionals did not meet the demand,” Natarajan explained. “With companies moving from traditional bookkeeping to enterprise resource planning (ERP) and banks implementing core banking solutions, it became mandatory for auditors to enhance their audit certifications and skills to match the requirements and demand.”

Ten years later, Natarajan still finds that earning the CISA certification was the right move. “ISACA® is a pioneer in information system audit certification and the CISA designation is trusted, reliable and recognized across the globe,” he said. “Being an audit professional, I have found that the CISA aptly suits my passion for IT and enhances my career opportunities.”

Natarajan advises those considering pursuing the CISA certification to follow these steps:

  1. Go to a chapter meeting of an organization, such as ISACA, that specializes in information systems audit, security, governance, risk and controls. Gain exposure within the organization for a year, which will help you to understand and appreciate the basics in IT and information systems.
  2. Become an ISACA member and explore the ISACA web site (which includes a wealth of information). This will help you focus more toward your goal of obtaining the certification.
  3. Enroll in a CISA class conducted by your local ISACA chapter.
  4. Register for the CISA exam. Buy the review materials, suggested books and guides to study for the exam.
  5. Pass the CISA exam.
  6. Enjoy better recognition and growth compared to your peers. You will find better career opportunities and an enhanced market value for your résumé.

Natarajan feels that becoming a CISA and working in this industry is a wise, sound choice. “This field was evolving and maturing during the end of the last century,” Natarajan said. “Now, as the world is in a recession, the information systems audit and IT field, in general, is among those professions that have remained strong, due in part to regulatory compliance and client demands.”


Tips for Effectively Deploying an SIEM Solution
By Lisa Young, CISA, CISM

There is a rich set of data provided by security and security-aware devices in our ever-expanding technological universe. Many security professionals find themselves with too much data to effectively correlate and act on the items that may place the organization at the highest risk of data breach, fraud or unwanted intrusion.

Security information and event management (SIEM) technology emerged during the last decade as an attempt to address this information overload. SIEM specifically seeks to answer two distinct questions: Which alerts and logged security events (among the thousands that are happening on my network each day) require my attention? How do I extract meaningful and actionable information from the log data collected from the ever-increasing number of devices on my enterprise infrastructure?

Here are some additional questions to consider if you are thinking of an SIEM deployment project.

  1. What are the objectives for the monitoring program? Is the monitoring process well-defined and do the SIEM tools you are considering support the objectives? How are the SIEM processes aligned with the business and other security processes? Is there an overall plan and road map for SIEM deployment with measurable business objectives? Careful planning and communication are required to ensure that the SIEM solution meets stakeholder expectations, supports business objectives and adds value to the enterprise. Define the scope of the initial efforts and ensure that the requirements documented for the SIEM solution list all systems that will be monitored by the solution, and secure confirmation that these systems are supported by the SIEM solution.
  2. What are the core monitoring capabilities you need to meet business objectives? What capabilities are supported by the currently installed security or security-aware platforms (if any)? Are there add-ons or enhancements to your existing technology that may serve to meet business objectives without completely replacing the technology that is already deployed? Document the current state of security and security-aware monitoring capability, and compare the current state to the desired state and program objectives. This gap analysis will provide a technology and process road map for a successful SIEM deployment.
  3. Have you carefully planned for the capacity required in both the network infrastructure and the individual host systems to support the (sometimes intensive) monitoring and data collection function of SIEM technology? It is important to make a careful assessment of the rate of log data the SIEM solution is expected to process. In addition to the rate of data, the location of target hosts and the network infrastructure that the log data must traverse will affect both product selection and the deployment model used. Do not forget to plan for appropriate storage capacity and compliance requirements for the data that will need to be retained and archived.
  4. Do you have an established incident response capability to effectively handle alerts and events that may be detected by the SIEM technology? If not, what do you plan to do with the SIEM data? Establishing an incident handling and response process may be a good idea before the deployment of SIEM solutions.
  5. Have the security analysts been trained in the specifics of the SIEM technology? SIEM is not a plug-and-play solution, and it will not replace the skills of a trained security analyst. Instead, SIEM enables the security analyst to focus on what is important by eliminating what is unimportant or repetitive.
  6. What questions do you intend for the SIEM to answer for you? What are the blind spots in the SIEM environment? Understanding what is not covered by the SIEM scope is just as important as documenting what is covered. Operating from an outdated asset inventory may lead to undetected or misinterpreted alerts that decrease the effectiveness of the information security resources charged with protecting organizational assets.
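Items 3 and 6 above both come down to reconciling what the SIEM actually receives against what the organization believes it owns. The following script is an added example, not part of the article or any ISACA deliverable: it takes a constructed asset inventory and a constructed list of log sources the SIEM has heard from, reports blind spots (inventoried hosts that never report), sources that have gone silent, and sources the inventory does not know about (a sign the inventory is outdated), and then sizes retention storage from the expected event rate. The host names, event rates and compression ratio are assumptions.

```python
"""Reconcile an asset inventory against SIEM log sources and size log storage."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    host: str
    owner: str
    eps: float            # expected events per second (estimate from the owner)
    avg_event_bytes: int  # average raw size of one event


# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    Asset("fw-edge-01", "netops", 800, 350),
    Asset("dc-01", "winops", 120, 900),
    Asset("web-01", "appops", 60, 500),
    Asset("hr-db-01", "dba", 20, 700),
]

# Constructed "last event received" timestamps as a SIEM would record them.
NOW = datetime(2011, 2, 16, 12, 0)
SIEM_SOURCES = {
    "fw-edge-01": NOW - timedelta(minutes=5),
    "dc-01": NOW - timedelta(days=3),        # stopped sending: silent source
    "web-01": NOW - timedelta(minutes=1),
    "vpn-02": NOW - timedelta(minutes=2),    # reporting, but unknown to inventory
}


def coverage_report(inventory, siem_sources, now, silence=timedelta(hours=24)):
    """Return the three coverage gaps a SIEM owner needs to chase down."""
    names = {a.host for a in inventory}
    blind = sorted(names - siem_sources.keys())                 # never reported
    silent = sorted(h for h, last in siem_sources.items()       # reported, then stopped
                    if h in names and now - last > silence)
    unknown = sorted(siem_sources.keys() - names)               # inventory is stale
    return {"blind_spots": blind, "silent": silent, "unknown_sources": unknown}


def storage_gib(inventory, retention_days, compression=0.2):
    """Estimate retained storage in GiB; compression is an assumed on-disk ratio."""
    daily_bytes = sum(a.eps * a.avg_event_bytes * 86400 for a in inventory)
    return daily_bytes * retention_days * compression / 2**30


if __name__ == "__main__":
    print(coverage_report(INVENTORY, SIEM_SOURCES, NOW))
    print(f"{storage_gib(INVENTORY, 90):.1f} GiB for 90 days")
```

Run against the real inventory export and the SIEM's source list, the blind-spot and unknown-source lists are the concrete scope statement item 1 asks for.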

To find out more about SIEM, download a complimentary copy of ISACA’s white paper, Security Information and Event Management: Business Benefits and Security, Governance and Assurance Perspective, from ISACA’s web site.

Lisa R. Young, CISA, CISM, is the past president of the ISACA® West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT: Based on COBIT® publications.


New Audit Programs Address Microsoft IIS and Social Media

ISACA® has added two new audit programs to its resources available as downloads from the ISACA Bookstore, which are complimentary for ISACA members. These documents are to be used as review tools and starting points, and are in Word for easy modification by the IT audit and assurance professional. They are not intended to be checklists or questionnaires.

  • Microsoft® Internet Information Services (IIS) 7 Audit/Assurance Program—A Microsoft IIS audit/assurance review provides management with an independent assessment of the effectiveness of the configuration and security of the IIS servers in the enterprise’s computing environment. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire.
  • Social Media Audit/Assurance Program—Social media risks resulting from unauthorized or negative posting include violations of legal and regulatory requirements and loss of competitive advantage. The objective of a social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the organization’s social media policies and processes.

Learn more about the ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.


Join the Discussion on IT Governance Issues and Security Trends

What are the trends you need to be aware of for 2011? What are the issues you are facing? Join other ISACA® members in discussing the top IT governance issues and security trends.

The IT Governance topic features a question by Topic Leader Larry Marks who asks, “What are the top IT governance issues for 2011 that we have to be aware of or deal with?” Marks suggests his top 7 include:

  1. IT risk management
  2. Establishing a governance framework or enhancing the existing framework
  3. Sense of teamwork
  4. Budgets
  5. Role of information security
  6. Cloud technology
  7. Continuous auditing and assurance

What would you add to the list?

If your area of expertise falls more under the security domain, the Guidance and Practices Committee is seeking your help in identifying the latest security trends that are of interest to ISACA members. Join the Security Trends topic and share the trends you are seeing in your professional environment—such as technology, policy, regulation and human factors—that could be issues of interest to security professionals.

Browse other topics to join in the IT Professional Networking and Knowledge Center of the ISACA web site.


Protecting Corporate and Customer Information a Hot Topic at EuroCACS
Ray Butler, CISA, Cochair of the EuroCACS Task Force, Shares His Thoughts on This Year’s Conference

For this year’s European Computer Audit, Control and Security (EuroCACS℠) conference, 20-23 March 2011 in Manchester, England, UK, the task force deliberately avoided setting a theme for the conference. “There are so many information and IT risks and challenges that we did not want to restrict interest from speakers and delegates,” explained Ray Butler, CISA, a member of the conference development task forces since 2006 and retired head of information policy and security for the Highways Agency. “This has really paid off in the number of topics and variety of great speakers we have lined up.”

The common thread that runs through most of the sessions, however, is the many and varied ways of protecting corporate and customer information, whether through security, governance or assurance processes and professionals. “The perennial need to manage risks to confidentiality, integrity and availability of information and information systems will be prominent,” explained Butler, who is past president of the ISACA® Northern England Chapter and has also served on the chapter’s Membership Board. “We will be covering, in particular, how this can be achieved in a cloud computing environment (or where our colleagues are using and delivering information through social media) and how this can be done in a sustainable, low-carbon way.”

Many sessions are rooted in the latest ISACA standards and guidance to help delegates and their organizations get the best out of their investment in ISACA. Industry sectors covered include finance, government and infrastructure management, but the sector lessons will apply to almost any business and professional among ISACA’s governance, assurance and security constituencies.

“All of the speakers will provide useful resources to help attendees turn what they have learned at the conference into actions back at the office,” said Butler. “These range from comprehensive resource and reading lists, draft audit programs and self-assessment tools to adapt and build on, and white papers to help sell the topics to top managers, to (in a couple of cases) trial versions of software on which to practice.”

Speakers will showcase the application of the ISACA Business Model for Information Security™ (BMIS™), the UK Government’s Information Assurance Strategy, the use of the Extensible Business Reporting Language (XBRL), the latest Payment Card Industry Data Security Standards (PCI DSS), and, of course, managing the new (and newly expressed) risks from the use of cloud computing and social media.

For information and to register, visit the EuroCACS 2011 page of the ISACA web site.


Mapping CMMI With COBIT

COBIT Mapping: Mapping CMMI® for Development V1.2 With COBIT 4.1 compares the COBIT® framework and the core components of the process groupings, process areas, integral practices, maturity levels and capability levels found in CMMI for Development (CMMI-Dev) V1.2, published in 2006 by the Software Engineering Institute (SEI) of Carnegie Mellon University (Pennsylvania, USA). The mapping results help process implementers and auditors use the COBIT® framework with CMMI to understand overlaps, synergies, gaps and probable control deficiencies. For example, “segregation of duties” and “security” are areas of possible control deficiencies in an organization that has used CMMI exclusively for process definition and implementation.

COBIT Mapping: Mapping CMMI® for Development V1.2 With COBIT 4.1 is available as a complimentary download for ISACA members from the Research Deliverables page of the ISACA web site and for purchase in the ISACA Bookstore.


The Joy of Item Writing—Benefits of Contributing
By Alisdair McKenzie, CISA, CISSP

Becoming an exam item writer is a rewarding way to get involved with ISACA®. It is also a creative way to earn free continuing professional education (CPE) hours and earn extra money. Items may be submitted at any time during the year, but ISACA also hosts specific campaigns prior to each review meeting date. Items include a stem and options for answers, and can either be direct questions, incomplete statements, or issue/scenario descriptions.

This third and final installment of this @ISACA series discusses the benefits of being an exam item writer.

Benefits of Item Writing

In addition to the 2 CPE hours awarded for accepted items, successful writers receive an honorarium of US $100 for accepted questions in “areas of need” (areas where there is a lack of items, as determined by ISACA), compared to US $50 for items accepted in other areas.

Beyond these tangible benefits, item writers (professionals who develop potential questions for ISACA’s certification exams) have the pleasure and satisfaction of giving back to their profession. They also benefit by strengthening their knowledge through the research they put into developing questions.

Consider volunteering as an item writer for one or more of the ISACA certifications. To learn more about item writing and how to become an item writer, visit the Item Writing page of the ISACA web site.

Part 1 of this series on exam item writing discussed developing a good question and appeared in @ISACA, volume 2. Part 2 discussed the item review process and appeared in @ISACA, volume 3.

Alisdair McKenzie, CISA, CISSP, has been active for more than 15 years in the ISACA Wellington Chapter and is a past president of the chapter. He has spent 3 years as a member of the CISA Test Enhancement Subcommittee and is currently a member of the CISA Certification Committee. His career in IT spans almost 40 years.
