@ISACA Volume 7: 28 March 2012 

@ISACA Relevant, Timely News

Recent Changes to ISACA Training Courses

“The ability to effectively hire, retain, deploy, and engage talent—at all levels—is really the only true competitive advantage an organization possesses.”1

A key component of an effective talent management program is the ability to provide professional development opportunities for existing talent. For an enterprise to achieve success in today’s economic climate, it must focus on giving its employees the training they need to prosper in their roles and grow within the enterprise.

ISACA recognizes that training resources—both financial and time—are limited. Therefore, in 2012, we have made some important changes to ISACA’s training offerings:

  • Shortened training courses by one day, so that you spend less time away from your office and home
  • Expanded our technical offerings through partnerships with Deloitte and other industry leaders
  • Increased the number of free webinars—now providing these free continuing professional education (CPE) opportunities to members every 2nd and 3rd Thursday of the month
  • Enhanced our onsite training program to make it easier to facilitate classes at your enterprise

For more information, download the Training brochure, available on the Training Courses page of the ISACA web site.

1Wellins, S. Richard, et al., “White Paper—Nine Best Practices for Effective Talent Management,” Development Dimensions International Inc., 2006, revised 2009


Considerations for an Effective E-discovery Program
By Lisa R. Young, CISA, CISM

An effective e-discovery program includes the proper mix of policy, process, technology, employee training and awareness. The first area of concern for an enterprise in developing an effective e-discovery program is assessing any regulatory requirements specific to the organization. Often, the types and extent of information required to be retained to demonstrate the organization’s compliance with laws and regulations may also be required in the event of a lawsuit filed by a government, regulatory body or civil litigant.

The top e-discovery IT risk and security concerns include:

  1. Intentional removal or modification of records
  2. Privacy considerations of the information contained in the records
  3. Inability to recover records from storage. This risk may increase if the storage repository is in the cloud.
  4. Unnecessary records delivery
  5. Wrong records delivery

An effective e-discovery program can not only reduce the risk of exposure pertaining to litigation, but also improve an organization’s overall regulatory compliance posture. When considering controls in place to mitigate the risk from an e-discovery request, it is important to first consider the broader control environment within the enterprise. Many e-discovery risks may be mitigated with controls that are already in place—by either modifying the controls or expanding their scope.

When conducting an e-discovery review of the existing control environment it is best to consider a top-down approach, beginning with a review of the existing entity- or organizational-level controls. Entity-level controls are internal controls that help ensure that management directives pertaining to the entire organization are achieved. A review of the overall control structure and entity-level controls can help you understand the organization’s current readiness for e-discovery. While IT general controls often support entity-level controls, they are not generally included within an organization’s entity-level controls. When conducting a review of the risk associated with e-discovery, IT general controls should be included in the review to determine the extent to which they can support the organization’s strategy for mitigating e-discovery risk. COBIT can serve as a useful resource when reviewing the organization’s IT general controls in relation to e-discovery.

When an organization has an effective e-discovery program in place, it can respond to requests for e-discovery in a thorough and efficient manner—by providing only the required information and trying to avoid giving any additional data that were not originally requested.

For additional information on this topic, visit the Electronic Discovery page of the ISACA web site.

Lisa R. Young, CISA, CISM, is a past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.


Journal App Now Available for Android and Fire

The ISACA Journal App is now available for Android devices and the Kindle Fire, in addition to Apple devices. Click here to go directly to the app on your Android, Kindle Fire, iPhone or iPad, or visit your device’s marketplace and search “ISACA Journal” to download the free app.

The app includes archived issues including the most recent issue—volume 2, 2012—back to volume 2, 2011, as well as JOnline articles, the ISACA Journal Author Blog and the ISACA Now blog. Content is updated weekly with the blog updates and monthly with each new issue of the Journal or JOnline.

With the ISACA Journal App, you can:

  • Download available issues and access them offline at any time
  • Read industry-related content on the go
  • Read and search archived issues (beginning with volume 2, 2011) for the information you need, as you need it
  • Read articles in magazine-page or text formats
  • Bookmark and share articles
  • Keep up on the latest news from ISACA
  • Access the latest blogs from ISACA
  • Download the app completely free


Participate in Discussions by Email

Now, you can participate in ISACA Knowledge Center topic discussions simply by responding to discussion message posts that are sent to your email address. This enhanced functionality makes it easier to take part in online discussions.

The feature includes the ability to:

  • Set the email alert frequency—receive immediate alerts, daily summaries or weekly summaries
  • Respond to discussions by replying to the discussion email
  • Respond to emails using a smartphone
  • Access discussions without logging back into the web site (for immediate frequency only)

To enable this new feature:

  • Log in to www.isaca.org.
  • Click on “Knowledge Center” under the ISACA tab.
  • Using the tabs at the top of the page, navigate to your topic. If you already belong to topics, click on the My Topics button to quickly locate your topics.
  • On the topic overview page, just below the topic summary, you will see “Recent Discussions.” Click on the More link at the bottom of this box.
  • On the right side of the discussion overview page, click the Set Alerts/Participate by Email button.
  • Set the frequency of the alert:
    • Choosing “Immediate” allows you to participate by email.
    • Choosing daily and weekly digests results in an email with links to the discussions on the ISACA web site. You will need to follow the link and log in prior to responding.
  • To disable an alert, click on the Manage My Alerts button, select “none” as the frequency and click OK. The Manage Alerts/Email button will appear at the top of every discussion page within the topic.
  • Alerts will be sent to the email address listed in your ISACA profile. To respond to a discussion, simply reply by email.
  • To manage multiple topic alerts, click on the My Alerts link at the top right of the page.

An important note about your email address: Alerts will be sent to the email address in your ISACA profile. If you respond to a discussion, the system will allow the message to post only from the address that is in your profile.

To view or update your email address:

  • Log into www.isaca.org
  • Click on the My ISACA tab
  • Click on MyProfile in the top navigation
  • Click on the Account – Certification CPE – Demographic Info tab to view the email address on file
  • To make changes to the email, scroll to the bottom of the page and click the Edit link, make your change, and click on the Save My Changes link.

Visit the Knowledge Center for information about how to participate.


Professional Recognition Does Not Come on Its Own: You Must Stick to Your Plan
Cheng-Lung Chen, CISA, CGEIT, PMP, CEH, Shares His Experiences

When Cheng-Lung Chen decided to change his job four years ago, he knew where he wanted to take his professional career. As a devoted runner who methodically increases his distances, he has used his training to develop a consistent plan to pull ahead of his professional competition.

“The biggest challenge lies in obtaining professional recognition,” Chen says about his goal to maintain the highest competence in his personal and professional life, while ensuring that this not only meets his objectives, but also those of his employer.

His plan turned out well. In 2009, he attained his Certified Information Systems Auditor (CISA) certification. As a result of choosing “the right way to gain recognition and to increase my credibility in the field,” Chen gained confidence. Obtaining his CISA certification allowed him to focus more on IT and internal control audits. His interest and knowledge of IT security is now more evident; in everyday life, he pays special attention to procedures and controls of security-related functions, even when shopping or going out to a restaurant.

Apace with his involvement in the IT security field, Chen has set additional goals in his professional life and continues to pursue more training. He believes that proper training will set him apart from the rest of the field and enhance his value to the IT profession. He has been actively coordinating activities for the ISACA Taiwan Chapter and helping to build a closer community. Chen’s professional ties with other colleagues have resulted in numerous local and global contacts.

Chen is aiming to become an IT security expert, and will continue the practice of running as an avenue to clear his mind and relax from his experiences. He finds it a sound way to develop his capacity to face new challenges.


North America CACS 2012 Available on the Go!

ISACA is pleased to announce a new feature for the North America Computer Audit, Control and Security℠ (North America CACS℠) conference: mobile applications. While attending the conference, you can get your conference information on the go.

The new conference mobile application provides:

  • Easy viewing of the schedule of events, exhibitors, speaker information and floor plans
  • Instant alerts to changes in the conference agenda
  • A personalized schedule for each attendee, which will prompt for session choices and exhibitor preferences
  • A map function identifying Orlando area attractions and restaurants
  • The conference schedule
  • Session information
  • Speaker bios
  • The exhibitor listing
  • Hotel information
  • Event sponsor information
  • Frequently asked questions (FAQs)
  • Conference presentations

You can network effectively by utilizing the network application, which will link you directly to popular social media providers such as LinkedIn, Facebook and Twitter.

North America CACS will take place 7-10 May in Orlando, Florida, USA. Look for more information on the North America CACS page of the ISACA web site.


New ISACA Resources Available

ISACA has issued the following new deliverables that are available on the ISACA web site:

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Book Review: Data Protection—Governance, Risk Management and Compliance
Reviewed by Upesh Parekh, CISA

Data Protection—Governance, Risk Management and Compliance by David G. Hill aims to define an all-encompassing data protection framework that ties business and compliance needs to data protection technology. Though the book primarily focuses on aspects of storage and related technologies, which are normally highly technical subject matter, the book is written in a fairly nontechnical manner to help business managers understand and support decisions related to data protection.

To state that today’s age is the information age is a cliché. No business would be able to survive without its information, and this information is available in a digital format within the organization in the form of data. Needless to say, protection of data is vital for a business’s survival.

Having said that, the crucial question is: Do businesses really understand what data protection is, what it encompasses, and how money invested in data protection technologies would ensure an additional layer of protection? The answer: Only a few.

This book helps businesses and technology managers to relate to various data protection technologies within the business and compliance requirements. The book covers most of the aspects of data protection, such as disaster recovery, business continuity, compliance, governance, data privacy and data security. Furthermore, the book is product and technology neutral.

While it is not possible to cover all these aspects thoroughly within the limits of a single publication, this book provides an overview of aspects such as compliance and governance requirements and focuses more on the technologies that support data protection objectives.

The greatest strength of this book is in how Hill relates technology to business and compliance needs. The business reader may find it challenging to understand a few aspects at the beginning, but with just a little effort the technology mystery unfolds, leaving the business reader with invaluable insight into the most important aspect of information management: data protection.

Data Protection—Governance, Risk Management and Compliance is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, works in process governance, testing governance and activities related to IT operational risk assessment at Barclays Technology Centre in India. Parekh has experience in IT security audits, application audits, functional testing and governance-related activities.
