@ISACA Volume 8: 11 April 2012 

@ISACA Relevant, Timely News

Want to Know What the Buzz Is All About?

COBIT® 5 at North America CACS and World Congress:  INSIGHTS 2012!

Join us in the COBIT Lounge at upcoming ISACA conferences to learn more about the exciting launch of COBIT 5. ISACA research team members and ISACA volunteer leaders will be available in the COBIT Lounge throughout both the North America Computer Audit, Control and Security℠ (North America CACS℠) conference, which will be held 7-10 May in Orlando, Florida, USA, and World Congress:  INSIGHTS 2012, which will be held 25-27 June in San Francisco, California, USA.

You can learn more about the next generation of ISACA’s framework and ask specific questions about implementing COBIT 5. Stop by the lounge and join in the discussion.

Additionally, two special COBIT 5 sessions will be offered during North America CACS:

  • Introduction to COBIT® 5 on Monday, 7 May
  • Comparing COBIT® 4.1 to COBIT® 5 on Tuesday, 8 May

Visit the North America CACS page or the INSIGHTS 2012 page for more information and to register.


The Top Six Areas of Incident Response
By Leighton Johnson, CISA, CISM, CIFI, CISSP

Incident response (IR) teams and handlers are the front-line responders in our cybercentric world. IR is one of the four domains of the Certified Information Security Manager (CISM) certification and has great value to IT security professionals throughout the industry. Each IR team is developed and staffed differently; however, there are a few primary areas of IR in which every response team should provide services, including:

  • Alerts, warnings and announcements—Most IR teams coordinate and report on any security incident to management, IT staff and outside agencies, if necessary. This is a basic requirement for IR teams at any level within an organization. The coordination may include, for example, advice on handling the incident, the known facts of the incident and how many users are affected.
  • Incident handling—The response efforts will include IR at the scene, incident support efforts, correlation with other scenes, if necessary, and incident analysis. These activities are all primary for IR teams at the time of the incident and shortly thereafter. All of these can have major impacts on IR event or incident resolution.
  • Containment—What are the first steps to be taken by the incident responders? When approaching an incident scene, review what is occurring on the computer screen. If data are being deleted, pull the power plug from the wall; otherwise, perform real-time capture of volatile system data first. Evaluate what network or systems are being affected.
  • Vulnerability response—What is the method of access if the incident appears to have been perpetrated by an outsider? Are there patches missing from the system? Has a new defect or deficiency been identified through this incident? Analysis and handling of the vulnerabilities exploited during the incident are another of the primary tasks for an IR team. By whom, and when, are patches tested, loaded and evaluated? Who controls the configurations of the servers and network devices? All these questions are to be answered during this activity.
  • Artifact handling—The actual incident could involve some evidence or artifact left on the system, computer or device. The handling of and methods of review for this artifact are an area of strong emphasis and security for the IR team and its members. Chain of custody requirements are often necessary for the artifact to become evidence in some types of litigation or court cases.
  • Education and training—On many occasions, the IR team is called upon to provide training for users, IT personnel and management in, for example, the areas of IT security, proper help-desk notification procedures and corporate data at risk. All these educational efforts require the IR team members to develop and produce training for the specific class and focus of the requesting customer.
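As an added illustration (not part of Johnson's article), the Python sketch below shows one way to keep the chain-of-custody record that the artifact-handling item calls for: the artifact's hash at acquisition plus a hash-chained ledger of every hand-off, so a later reviewer can check that neither the artifact nor an earlier ledger entry was altered. The artifact bytes, evidence id and custodian names are constructed sample values, and signing the finished ledger is assumed to happen elsewhere.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest does not depend on key order.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

def open_ledger(artifact_id, artifact: bytes, custodian, ts=None):
    """First entry: who acquired the artifact, when, and its hash at acquisition."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return [{"seq": 0, "ts": ts, "event": "acquired", "artifact_id": artifact_id,
             "custodian": custodian, "artifact_sha256": sha256_hex(artifact), "prev": None}]

def record_transfer(ledger, custodian, purpose, ts=None):
    """Append a hand-off entry that commits to the digest of the previous entry."""
    prev = ledger[-1]
    ledger.append({"seq": prev["seq"] + 1, "ts": ts or datetime.now(timezone.utc).isoformat(),
                   "event": "transferred", "artifact_id": prev["artifact_id"],
                   "custodian": custodian, "purpose": purpose,
                   "artifact_sha256": prev["artifact_sha256"], "prev": entry_digest(prev)})
    return ledger[-1]

def verify_ledger(ledger, artifact: bytes):
    """Return (ok, reason). The newest entry is only covered once the next hand-off
    is recorded, so the ledger should be signed before it is filed as evidence."""
    if not ledger or ledger[0]["event"] != "acquired":
        return False, "no acquisition entry"
    if sha256_hex(artifact) != ledger[0]["artifact_sha256"]:
        return False, "artifact hash differs from the acquisition record"
    for i in range(1, len(ledger)):
        cur, prev = ledger[i], ledger[i - 1]
        if cur["seq"] != prev["seq"] + 1:
            return False, f"sequence gap before entry {i}"
        if cur["prev"] != entry_digest(prev):
            return False, f"entry {i - 1} was altered after entry {i} was written"
        if cur["artifact_sha256"] != ledger[0]["artifact_sha256"]:
            return False, f"entry {i} records a different artifact hash"
    return True, "ok"

# Constructed sample: a small artifact and two hand-offs (all names are made up).
SAMPLE_ARTIFACT = b"constructed sample: exported scheduled-task definition\n"
def build_sample_ledger():
    led = open_ledger("EV-0001", SAMPLE_ARTIFACT, "first responder", "2012-04-11T09:00:00+00:00")
    record_transfer(led, "forensic analyst", "imaging and review", "2012-04-11T10:30:00+00:00")
    record_transfer(led, "evidence locker", "secure storage", "2012-04-11T17:00:00+00:00")
    return led
```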

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


COBIT 5 Among the Latest Publications Made Available by ISACA

The first three COBIT 5 publications are available in the ISACA Bookstore as complimentary PDF downloads to ISACA members:

Additionally, the Incident Response white paper is now available as a complimentary PDF download.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Report of the Nominating Committee
By Everett C. Johnson Jr., CPA, Nominating Committee Chair

The charge of the ISACA Nominating Committee, as described in sections 7.02 and 9.01 of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors—consisting of an international president and up to 7 vice presidents—for review and approval by the association membership at the Annual Meeting of the Membership. The Nominating Committee is chaired by a past international president of ISACA, and its members include 2 additional past international presidents and 3 to 4 members with significant ISACA experience and diverse geographic representation.

The committee takes very seriously its obligation to prepare the best possible slate of individuals that will work together as a team to lead the association. Its evaluation of candidates takes into account the intent to reflect the organization’s geographic distribution and its professional areas of focus, while also balancing continuity and new viewpoints.

The process is managed with attention to detail: the proper information and documentation must be submitted with sufficient detail and backing by the published deadline. Nominations are treated with unbiased consideration, candidates are interviewed, and strict confidentiality is maintained throughout the process. The Governance Advisory Council (GAC) provides oversight to the committee’s processes and the committee reports to the Board of Directors and the membership of ISACA.

The 2011-2012 Nominating Committee is pleased to present the slate for the 2012-2013 ISACA Board of Directors. As chair of the committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2011-2012 Nominating Committee members are:

  • Everett C. Johnson Jr., CPA, chair, USA (past international president)
  • Lynn Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, Russia (past international president)
  • Emil D’Angelo, CISA, CISM, USA (past international president)
  • Sushil Chatterji, CGEIT, Singapore
  • Alex Zapata, CISA, CGEIT, CRISC, Mexico
  • Karin Thelemann, CISA, CISM, Germany
  • Garry Barnes, CISA, CISM, CGEIT, CRISC, Australia


Slate of 2012-2013 Board of Directors

ISACA will hold its Annual Meeting of the Membership on 24 June 2012, at the Palace Hotel in San Francisco, California, USA, during World Congress:  INSIGHTS 2012, at which it will install the 2012-2013 Board of Directors. In accordance with the association’s bylaws, the Nominating Committee submits the following slate as the proposed 2012-2013 Board of Directors:

  • Greg Grocholski, CISA, international president
  • Juan Luis Carselle, CISA, CGEIT, CRISC, vice president
  • Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA, CISSP, vice president
  • Christos Dimitriadis, CISA, CISM, CRISC, vice president
  • Ramses Gallego, CISM, CGEIT, CISSP, SCPM, 6 Sigma, vice president
  • Marc Vael, CISA, CISM, CGEIT, CISSP, vice president
  • Jeff Spivey, CRISC, vice president
  • Tony Hayes, CGEIT, vice president
  • Kenneth Vander Wal, CISA, CPA, past international president
  • Emil D’Angelo, CISA, CISM, past international president

The board will be augmented by appointees—who will serve as directors on the ISACA Board of Directors—made by the international president, in keeping with the authority granted him in the bylaws. Those appointments are:

  • Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, Australia
  • John Ho Chi, CISA, CISM, CRISC, Singapore
  • Krysten McCabe, CISA, Atlanta, Georgia, USA

Included on the agenda of the Annual Meeting will be the president’s annual report, the treasurer’s report, ratification of significant board actions from the 2011-2012 administrative year, a vote on the revisions to the Articles of Incorporation and comments from the international president.

All ISACA members are invited to attend the Annual Meeting. Visit ISACA’s World Congress:  INSIGHTS 2012 page of the ISACA web site for more information about the conference.


Check Out the New Additions to 2012 ISACA Training

The 2012 ISACA Training has been revised to include 2-day courses. The titles and topics of these courses are:

  • Cloud Computing Fundamentals for IT Professionals—A comprehensive review of cloud computing environments and an in-depth look at the cloud from the auditor’s perspective
  • Information Risk and Business Continuity/Disaster Recovery Planning—An opportunity to discuss and determine how a well-defined business continuity and disaster recovery plan is an essential component of an IT risk management program

Each course was developed from the most popular sessions at ISACA’s 2011 conferences and as a result of ISACA’s top technology trends research. These courses are scheduled at 3 training event locations in 2012 and available as On-site Training. The first 2-day event is scheduled for 24–27 April in Denver, Colorado, USA. Visit the Upcoming Events page of the ISACA web site to learn more and register for upcoming ISACA Training events.


Meeting of the ISACA/ITGI Board of Directors/Trustees

The ISACA/ITGI Board of Directors/Trustees held its final meeting for the 2011-2012 term on 2-3 March 2012 in Phoenix, Arizona, USA. The day-and-a-half meeting covered several topics, with a considerable amount of focus on:

  • Strategy 2022—The status of the 24 initiatives contained in the S22 portfolio was reviewed and it was agreed that further market research and validation were needed for many of the initiatives. Work will begin immediately to gather that research on a global basis, and a preliminary report will be reviewed by the board at its next meeting in June 2012.
  • Privacy initiatives—Privacy continues to emerge as a topic of broad concern to ISACA constituents worldwide. The board discussed current activity being undertaken by ENISA, which may result in an enterprise certification for privacy that would become a requirement for EU member states. A similar situation is unfolding in India. The need for practical guidance is pressing and will be an area of focus for ISACA in the coming months.
  • COBIT® 5—The first three publications of the COBIT 5 family of products (framework, implementation guide and process reference guide) have been released. Given the transformed nature of COBIT 5, a new business model for pricing, licensing and enterprise discounts is being finalized. New copyright language is also being drafted to reflect acceptable use of COBIT materials. The PDF downloads of the COBIT 5 materials (and other publications to come) will contain the name of the individual downloading on each page, as a simplified approach to digital rights management.
  • University relations—It was agreed that more student materials, based on real-life cases, would be advantageous in introducing students to ISACA and the professions it serves. In addition, focus needs to be placed on defining ISACA’s relationship to universities and the way the association can contribute to higher education.
  • Continuing professional education (CPE)—The board was advised that ISACA’s CPE tracking functionality is being updated to allow members to enter their CPE credits anytime during the year.

The next Board of Directors/Trustees meeting will take place in June 2012, in conjunction with ISACA’s World Congress:  INSIGHTS 2012. It will be the first meeting of the 2012-2013 board.


Insight Into the Audit, Risk, Control and Regulatory Environment:  United States
By Linda Betz, CISA

Auditing is an independent, objective assurance or consulting activity designed to add value and improve an enterprise’s operations. It involves formal inspection and verifies whether a standard or set of guidelines is being followed, whether records are accurate, or whether efficiency and effectiveness targets are being met. The audit function helps an enterprise to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Risk is a function of the likelihood of a given threat source’s attempt to exercise a particular potential vulnerability, and the magnitude of the impact of that adverse event on the enterprise. The adequacy of planned or existing controls reduces or eliminates risk. To minimize or eliminate identified risk, several factors should be considered before recommending controls and alternative solutions. Among them are the effectiveness of recommended options, organizational policy, operational impact, safety and reliability, legislation, and regulation.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law that regulates the use and disclosure of patient information held by covered entities (e.g., health care clearinghouses, employer-sponsored health plans, health insurers and medical service providers that engage in certain transactions). The HIPAA Information Security Rules require covered entities to protect the integrity, confidentiality and availability of protected health information (PHI) that they collect, maintain, use or transmit in electronic format. The rules contain the following three types of safeguards:

  • Administrative
  • Physical
  • Technical

The Gramm-Leach-Bliley Act, passed in 1999 in the US Congress, protects the privacy of consumer information held by financial institutions. The Act covers banks, savings and loans, credit unions, insurance companies and securities firms, and requires them to ensure the security and confidentiality of customer information. This includes protecting the information from any threats or unauthorized access. Additionally, the Act requires companies to provide consumers with privacy notices that explain the institutions’ information-sharing practices and include the option to opt out of certain information sharing. The privacy notice must be an accurate statement of the company’s privacy practices and should describe how they protect the security and confidentiality of consumer/customer information.

The Sarbanes-Oxley Act of 2002 is a US law enacted as a reaction to a number of major corporate accounting scandals. The Act’s intent is to ensure that publicly traded companies in the US maintain open transparency in their accounting procedures, and that they have controls in place to prevent manipulation of financial data. The Act requires the US Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. As a result, the Public Company Accounting Oversight Board (PCAOB) was created and is charged with oversight, regulation, inspection and discipline of accounting firms in their roles as auditors of public companies.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and point-of-sale (POS) cards. Defined by the Payment Card Industry Security Standards Council, launched in 2006, the standard was created to increase controls around cardholder data to reduce credit card fraud via data exposure. Validation of PCI DSS compliance is performed either by an external qualified security assessor for enterprises handling large volumes of transactions or by self-assessment questionnaires (SAQs) for companies handling smaller volumes.

This is the second in a series of brief overviews written by members of the ISACA Publications Subcommittee for @ISACA. Read the previous article: “Insight Into the Audit, Risk, Control and Regulatory Environment:  Canada.”

Linda Betz, CISA, is an information systems assurance professional at the Erie Insurance Group, headquartered in Erie, Pennsylvania, USA. She has been an exam writer for the Certified in the Governance of Enterprise IT (CGEIT) and Certified Information Systems Auditor (CISA) exams since 2008, and was an ISACA Journal reviewer from 2008-11. Betz is a member of the ISACA Publications Subcommittee.

