@ISACA Volume 6: 14 March 2012 

@ISACA Relevant, Timely News

COBIT 5 Is Coming—Available in April 2012!

The wait is nearly over:  COBIT® 5 will be released in April 2012! COBIT 5 helps enterprises create optimal value from information and technology IT assets by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 is a major strategic advancement, providing the next generation of guidance on the governance and management of enterprise IT.

Chief executives more than ever need to achieve an aggressive return on investment (ROI) as it pertains to information systems. In addition, these same C-level executives are charged with ensuring that technological infrastructure maintains the agility needed to support business growth. COBIT 5 is a comprehensive framework enabling improved ROI from information systems, maintaining the level of support and service for which ISACA is known.

COBIT 5 provides five principles and seven enablers for the governance and management of enterprise IT assets.

The April 2012 launch includes the following three publications:

  • COBIT 5 (the framework itself)
  • COBIT® 5: Enabling Processes (expanded guidance on the COBIT 5 processes, including a process reference model)
  • COBIT® 5 Implementation (implementation guidance for COBIT 5)

COBIT 5 is designed to work with all major IT frameworks and standards such as ITIL and ISO. As such, COBIT 5 not only supports compliance with relevant laws, regulations and policies but also dovetails seamlessly with any framework approaches that the organization already has in place.

Visit the COBIT 5 page of the ISACA web site to find out how COBIT 5 can be a resource for your organization.


Five Things to Consider When Developing Information Risk Management and Security Metrics

  1. Provide enhanced business value via metrics with thresholds and business context—When developing, analyzing and reporting metrics it is important to identify if the corresponding measures are considered acceptable or unacceptable to the intended audience. When developing metrics and reporting capabilities collaborate with the intended users to establish positive and negative thresholds that can be used to identify when greater attention or action is required. Metrics should also incorporate contextual parameters and insights (such as seasonality considerations) to ensure that they are agile enough to account for changing business activities and conditions.
  2. When developing metrics and reporting capabilities, collaborate with the intended audience to ensure value to them—Metrics and reports that are developed without direct involvement of the intended audience can result in them not being useful. When developing metrics and reporting capabilities, do not assume you know what the intended users will find valuable. Instead, collaborate with them to understand their requirements and interests. This can be an opportunity to develop expanded requirements that you have identified could provide them value, but that they may not have considered.
  3. Be consistent in metrics data collection and activities processing—For metrics to provide consistent value to an organization, they must have integrity. It is acceptable to make adjustments to the methods and practices used for the collection and processing of data; when in their initial deployment, metrics should be noted in any reporting that is provided. If possible, data collection and processing should be kept consistent for at least one year or business cycle prior to making any material adjustments. This will minimize any concern about the integrity of the metrics or measures and will allow for the comparison of historical data when the adjusted methods and practices are implemented.
  4. Ensure that the legal and enterprise risk elements of your organization are comfortable with the metrics and reporting that are being collected and documented—Metrics and reporting can be both a positive and negative force within organizations. Metrics and their associated reports often provide value to stakeholders within organizations by increasing visibility into their activities. At the same time, metrics can be used against the organization in litigation or misinterpreted by public opinion, if they are disclosed. It is important to consult with the legal and enterprise risk management functions within your organization, to ensure that they are comfortable with the tracked metrics and generated reports. In some cases, the existence of these metrics and reports may be considered a liability to the organization, in which case they should not be generated or documented.
  5. Identify actionable vs. informational metrics and measures—Metrics and measures typically fall into one of two categories: actionable or informational. When developing metrics and measures, identify this classification to allow the intended audience to understand the purpose of the metrics and measures. Actionable metrics and measures typically have a specific purpose and audience. Informational metrics and measures often have a broad-spectrum of uses and interested parties that can benefit from them.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


CISA Reaches New Milestone

ISACA is pleased to announce that it has awarded the 90,000th Certified Information Systems Auditor (CISA) certification since the credential’s inception in 1978. With a growing demand for individuals possessing information systems (IS) audit, control and security skills, CISA has become a preferred certification program, recognized internationally as a global standard for professionals and organizations.

ISACA is proud to share this significant achievement with its members worldwide. Over the course of the last four decades, ISACA, through its certifications, research and education, has continually played an integral role in helping its constituents to gain a higher degree of skills and credibility.

Visit the CISA page of the ISACA web site to learn more.


North America CACS Keynote Provides Webinar on Influencing and Understanding Behaviors
View the Webinar Now and See Him Speak at North America CACS in May

Ed Robinson, CPA, CSP, Robinson Performance Group president and chief executive officer, and 2012 North America Computer Audit, Control and Security (North America CACS) conference closing keynote speaker, provides a six-step process to develop your ability to “read” others and build collaborative relations in his recent archived webinar, Using a Six Step Process to Influence and Understand Behaviors.

To better recognize an individual’s communication style, Robinson suggests assessing the following personality traits:

  • Introverted vs. extroverted
  • People-oriented vs. task-oriented
  • High need for a challenge
  • High need to verbalize what is on one’s mind
  • High need to accommodate others
  • High need to follow rules

In the webinar, Robinson provides additional insights on how to utilize this information to better influence and understand the behaviors of your colleagues, supervisors and staff. To view the archived webinar and download a copy of his presentation, visit Using a Six Step Process to Influence and Understand Behaviors page of the ISACA web site.

Register for North America CACS, where you can hear Robinson and other subject matter experts speak in person. North America CACS, 7-10 May 2012 in Orlando, Florida, USA, will be an educational opportunity where you can join colleagues, expand networking opportunities, and interact with speakers who will provide insight on IT audit and related topics to expand your knowledge.


ISACA Partners With the Skills Framework for the Information Age Foundation

ISACA has entered into a partnership with the Skills Framework for the Information Age Foundation (SFIA), under which the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications are recognized within the Skills Framework. This framework provides a standardized view of IT-related work areas and levels of responsibility that employers can use to identify skill gaps in organizations and that IT workers can use to benchmark their skills and plan for career growth.

The Skills Framework, since its beginning in 2003, has become the preferred model used by governments and more than 15,000 businesses, in 100-plus countries, to manage skill needs and to set national education and training requirements. It is currently used by governments to develop cyberskills competency guides for information systems (IS) security and assurance professionals and to recognize certifications for professionals in these roles.

Within the almost 100 IT skills designations and seven levels of responsibility identified within the Skills Framework, those who hold the CISA or CISM certifications are recognized for their expertise in information strategy, business and IT strategy planning, systems development, technology strategy and planning, service design and operation, service transition, resource management, and quality management. CISA and CISM skill competency information is now available online. A mapping of Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) to the Skills Framework is in progress.


Customize Your ISACA Experience With My ISACA

Upload a photo, join a group and search for peers on ISACA’s customized web site. As an ISACA member, you are now able to customize your private and public profiles, join discussion groups on hot topics, keep your membership and certifications up to date, review your purchase history, and connect with peers—all on the ISACA web site. Take a tour of all the possibilities available to you with My ISACA through the Member Tutorials.

Here are some of the things you can do on the My ISACA portal:

  • Upload a photo.
  • Display your areas of expertise and create a blog.
  • Download the ISACA membership return on investment (ROI) for your employer.
  • View your certification summary.
  • Edit your continuing professional education (CPE) hours.
  • Contribute web site links and documents to the ISACA Knowledge Center communities.
  • Download and print your ISACA invoices and receipts.
  • Search for peers, view their blogs and make connections.
  • Send messages to colleagues.
  • Review the list of communities you belong to and see an overview of recent group activities.

If you have not yet renewed your ISACA membership, please renew now and get connected.


Insight Into the Audit, Risk, Control and Regulatory Environment:  Canada
By Horst Karin, Ph.D., CISA, CISSP, ITIL

Over the next few months, the members of the Publications Subcommittee will be writing a new series for @ISACA. Each article within the series will include brief overviews of the risk, audit, control and regulatory environment in their respective countries. The articles will include references to titles in the ISACA Bookstore and content in the ISACA Knowledge Center that may help constituents with their individual needs.

The goal of this series is to give readers insight into the environments of other countries, as well as provide resources for further knowledge. Watch for a new overview each month.

In Canada, audit is a well-developed function in corporate and government organizations. It is understood as a control activity with the objective to verify the existence and effectiveness of measures to ensure that the results of human activity in business and enterprises meet generally accepted standards and comply with norms. For audits to be effective, auditors need to meet strict standards of independence, ethics and compliance with audit criteria.

Areas where audits are performed and are mandatory include:

  • Finance and tax for corporations
  • Tax of individuals (randomly selected or selected depending on tax law compliance history)
  • Financial reporting for publicly traded corporations
  • Government spending, major administrative and decision-making activities, and accountability
  • Financial institutions, financial transactions above defined thresholds and leasing processes
  • Areas in IT related to finance, financial reporting and data privacy
  • Health, safety, environment, and compliance with health, safety and environmental laws
  • Internal controls and compliance with regulations

Risk is considered an integral part of all business and organizational activities. Risk management is implemented to reduce risk levels to an acceptable, minimum level; to ensure successful developments; and to prevent waste of, loss of or damage to resources and funds.

Controls, such as financial controls or IT controls, are commonly used to ensure compliance with regulations, for accountability, and to meet organizational goals and objectives. Controls are generally accepted and enforced by management as policy. Noncompliance has repercussions as defined in organizational policies, regulations and laws. Auditors and accountants have the important function of detecting control weaknesses and advising management about the potential impacts and remediation of control deficiencies and flaws.

Canada has a quite structured and developed environment of regulations in most areas of business and government. Regulations are developed based on requirements and public interests. Compliance with regulations is enforced by policies, management and law enforcement. Auditors and accountants are tasked to disclose noncompliance.

Related reference books from the ISACA Bookstore include:

Selected ISACA Knowledge Center resources and articles include:

Horst Karin, Ph.D., CISA, CISSP, CRISC, ITIL, is president of DELTA Information Security Consulting Inc., which provides consulting services in information security, risk management and sustainable compliance, and SAP. He also advises clients in WebTrust and security integration with public key infrastructure. He is the author of information security articles, several book reviews and coauthor of SAP Security and Risk Management.



Read More Articles in Our Archives