@ISACA Volume 6: 16 March 2011 

@ISACA Relevant, Timely News

How and When to Report CPE Hours

ISACA® International Headquarters is frequently asked: “When is it time to enter continuing professional education (CPE) hours into my profile?” CPE hours are reported annually during the renewal process—you can report CPE hours at the same time you pay the annual maintenance fees. You may also update CPE hours at any time after the renewal process begins. (Note: You cannot report hours and do not need to report hours during the year in which you obtain certification.)

To update CPE hours through the ISACA web site, log on using your personalized login credentials and follow the steps below.

  1. Click on the MyISACA tab at the top of the page.

  2. Click on the myCERTIFICATIONS tab.

  3. Click the Edit My CPE Hours link.

  4. CPE reporting is located in the My Demographic, Certification CPE and Other Information tab. Scroll to the bottom of the page to view and edit the appropriate CPE fields. If you do not see a CPE section, CPE hours are not being accepted or you are not required to report CPEs yet.

  5. Enter CPE hours. Then, click Save at the bottom of the page.

You may also use this form to easily update personal contact, demographic and professional information.


Action Steps for Responding to Computer Incidents
By Leighton Johnson, CISA, CISM, CIFI, CISSP

To understand what actions are necessary when responding to an incident, you must be able to relate the event to the system under investigation. To accomplish this understanding, first identify the actual risk of adverse impacts to the system. Risk, itself, can be defined as “the function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resultant impact of that adverse event on the organization,” according to the NIST Special Publication SP 800-37, rev. 1. There are five steps to any evaluation process for these events:

  1. Identify the threat itself. What is the source? What attack location does it come from? If possible, who initiated the threat?
  2. Identify and define the vulnerability of the system. What operating system is in use? What application, network device or server is involved? Has the manufacturer created and issued a patch for this vulnerability?
  3. Determine the likelihood of this vulnerability being exploited. What is the probability of this happening in your environment? Are you open to this issue?
  4. Determine the kind of harm this threat can create. What is or could be the impact on your system or data? Does this threat create a potential data breach? Is there a regulatory or statutory requirement for reporting here? How can the impact hurt the business?
  5. Always look for the larger impact areas from the threat event. Does the company have to report the event to the authorities or other outside agencies? Look at the full effect of the event when responding to the incident.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team (ISFMT) of Bath, South Carolina, USA.


Every Day Is Different in the IT Profession
Umberto Annino, CISA, CISM, CGEIT, CRISC, CISSP, ISO 27001 LA, Shares His Experiences With ISACA Certifications

Umberto Annino, lead auditor and IT system security officer at Swiss Life AG, has earned all of the certifications ISACA® offers. He feels each has deepened and broadened his knowledge and helps to advance his career. “Having these certifications proves what I know and that I am able to do the work related to these areas,” Annino said. “I have a broad, certified knowledge ranging from IT governance and risk management to information security management and IT audit. This helps a lot when discussing issues with peers, coworkers and management.”

He found additional benefit while preparing for the exams of these certifications. “During the preparation for the exams, I had the chance to review things I already knew,” he explained. “It is always good to review what you already know after a couple of years’ time—again and again.”

Annino finds that the best part of his job is that information security is such an interdisciplinary field of work. “Every day is different and you get to do many different things, covering many aspects of information security,” he said.

However, he finds there are some challenges for which those working in the field need to be prepared that stem from management’s expectations of the IT area. “Management attention increases as the public scrutiny of business processes and governance, in general, increases,” he said. “And, the workload likely will increase in the future, which can be a challenge as management typically expects you to solve all information risks with little budget.”

To keep his certifications current and to delve deeper into the industry, Annino is a lecturer at several trade schools and tries to attend as many events as his schedule allows. “I get to write books and scripts, such as teaching curricula and presentations,” he mentioned. “I am also active on the board of the ISACA Switzerland Chapter, which helps me acquire CPE credit, as well.”

To those entering the profession, he advises, “Start small. Do not expect the big companies to pay you a big salary and send you traveling around the world just because you have earned a degree. Get some years of experience and then rethink your expectations and career path. And then, of course, earn appropriate certifications, such as ISACA’s.”


ISACA Approves ICWAI’s Use of Standards, Guidelines, and Tools and Techniques

ISACA® has signed an agreement with the Institute of Cost and Works Accountants of India (ICWAI) giving ICWAI approval to use ISACA’s IT Audit and Assurance Standards, Guidelines, and Tools and Techniques.

The standards inform IT auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in ISACA’s Code of Professional Ethics for IS auditors, the profession’s expectations concerning the work of practitioners and the requirements for IS audit practitioners.

The IS auditor should consider the guidelines when determining how to implement the standards, use professional judgment in applying them, and be prepared to justify any departure from the guidelines. The guidelines provide further information on how to comply with the IT Audit and Assurance Standards.

The IT Audit and Assurance Tools and Techniques provide examples of how an IT auditor might follow an audit process and information on how to meet the standards when performing IT auditing work.

ISACA is excited to work with ICWAI and values the use of ISACA’s Standards, Guidelines, and Tools and Techniques by IS professionals the world over.
