@ISACA Volume 9: 24 April 2013 

@ISACA Relevant, Timely News

COBIT 5 Addresses Strategic Support of ISACA Initiatives

One of the many assets of the COBIT framework is its flexibility—it accommodates and encourages user customization. ISACA has taken advantage of this flexibility and applied the COBIT 5 framework to Strategy 2022, which focuses on extending ISACA’s global leadership in educating and informing individuals and enterprises on the topic of trust and value in information and information systems. The implementation process is described in COBIT Case Study: Use of COBIT 5 for ISACA Strategy Implementation.

COBIT’s concepts are rational, reasonable, coherent and consistent, and can provide value to guiding any number of business issues. COBIT addressed the following challenges inherent in the strategy implementation:

  • Identification and clarification of dependencies among initiatives
  • Ensuring the use of a consistent approach to executing tactics required to achieve the strategic objectives
  • Providing a method to think through issues surrounding each initiative in a logical and methodical way and taking a holistic view when considering the 7 enablers
  • Helping to establish the scope for each initiative, which is particularly important in balancing ISACA’s desire to excel in all activities it undertakes
  • Helping to ensure wise and unified use of limited resources
  • Helping to recognize and mitigate risk in a timely manner, and helping to ensure realization of the value anticipated from the project
  • Supporting the identification of stakeholders and the subsequent development and implementation of sound value propositions for each in a coherent way

To find out how COBIT was used as a strategic implementation tool at ISACA, read the case study on the ISACA web site. Additional COBIT case studies are available on the COBIT Recognition and Case Studies web pages. If you have a unique COBIT implementation story to share, please contact publication@isaca.org.


Become an ISACA Certification Exam Item Writer
Learn How to Develop Exam Questions

A key to the success of ISACA’s certification exams is the submission of high-quality items (questions) from subject matter experts across the IT community. To increase the quantity while maintaining the quality of exam questions, ISACA developed the following item writing initiatives:

  • Train interested subject matter experts on how to write quality questions.
  • Conduct item writing workshops to develop quality questions.
  • Retain item writers through acknowledging achievement.

It is vital to the continued success of the certification exams that ISACA retain quality item writers. Therefore, ISACA recognizes item writers by:

  • Awarding honorariums for each question accepted by the Test Enhancement Subcommittee (TES)
  • Awarding 2 CPE credits for each question accepted by the TES
  • Inviting the item writer with the most accepted workshop questions to a TES meeting

Visit the Item Writing page of the ISACA web site for more information on how to become an item writer.


Utilizing Big Data to Improve Business—Read Latest ISACA White Paper

Big data represents a new approach to making business decisions based on large amounts of complex data (e.g., tweets, videos, commercial transactions). Big data can be counted in gigabytes, terabytes or petabytes. In essence, big data refers to data sets that are too large or change too quickly for analysis using traditional database techniques or commonly used software tools.

Big Data: Impacts and Benefits, a new ISACA white paper, provides an overview of the impact that big data collection and analytics can have on an enterprise. It identifies potential business benefits, challenges, risk, governance and risk management practices, and provides an overview of relevant assurance considerations related to big data analytics.

Experienced business and IT professionals know that optimizing the use of big data as a resource will deliver real business value to enterprise stakeholders. A comprehensive governance and management approach is needed to realize those benefits and to manage the risk associated with the collection, analysis and storage of sensitive information, as well as the resource implications involved.

The primary objective of analyzing big data is to support enterprises in making better business decisions. Big data analytics can enable a targeted marketing approach through a better understanding of customers. This will influence internal processes and, ultimately, could increase profit, which provides the competitive edge sought by most enterprises.

Download the Big Data: Impacts and Benefits white paper today. Visit the Research page of the ISACA web site for more information on this and other ISACA-published material. To discuss, collaborate on and access all resources pertaining to big data, join the Big Data topic in the Knowledge Center.


Board of Directors Holds Final Meeting of Term

The 2012-2013 ISACA/ITGI Board of Directors/Trustees held the final meeting of this administrative term in March 2013. Among the points of discussion were:

  • Strategy 2022—The stakeholder map and strategy map were approved. The stakeholder map serves two purposes. It identifies those whom ISACA exists to serve (stakeholders, e.g., members, credential holders) and those whose support ISACA requires to achieve strategic objectives (enablers, e.g., volunteers, staff). The strategy map lists the goals for the enterprise (ISACA), its lines of business (knowledge, relations, and credentialing and career management) and the enablers (resource and nonresource), and illustrates how those goals interconnect. Both maps are considered living documents and will be revisited on a periodic basis. (Note: The board is committed to full transparency with regard to use of reserve funds for strategic activity. To date in 2013, approximately US $9,100 has been taken from the strategic reserve, and, whenever feasible, staff-related costs in support of S22 are absorbed within operations. Nearly US $2.2 million is budgeted to be expended from the strategic reserve in 2013 to fund strategic activity.)
  • Audit—ISACA recently completed an external audit of its internal controls. The audit uncovered only three very minor items and was otherwise clean. Some consideration was given to conducting future IT audits in conjunction with the financial audit, but the consensus was that the two should be independent. The Audit Committee will determine the scope and frequency of future IT audits.
  • Credentialing—A third exam administration only for the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM) will be introduced in September 2013. To accommodate the reduced amount of time between exams, CISA and CISM exam results will be released three weeks earlier to enable candidates to register for the next exam, if needed. The maturity of the CISA and CISM item pools enables release of the earlier results. The Certified in Risk and Information Systems Control (CRISC) will develop a new job practice a year earlier than planned, to be released in June 2015.
  • Knowledge and relations—A unified strategy will be developed between the knowledge and relations areas to address academia, both students and professors (academic advocates), with specific objectives and success measures.

The next meeting of the Board of Directors/Trustees will take place immediately following the Annual Meeting of the Membership on 9 June 2013, in Berlin, Germany, just before the commencement of World Congress: INSIGHTS 2013. It will mark the first meeting of the 2013-2014 board, which will be installed at the Annual Meeting.


Audit Report Risk- and Compliance-based Plans

The IS auditor must provide a report (in an appropriate format) upon the completion of the organization’s audit. The report should state the findings, conclusions and recommendations as well as any reservations, qualifications or limitations that he/she has with respect to the audit. Depending on the scope and objectives, IS audits are categorized as:

  • Audit (direct or attest): A reasonable level of assurance on effectiveness of controls.
  • Review (direct or attest): A moderate level of assurance on effectiveness of controls.
  • Agreed-upon procedures (compliance testing): No assurance on effectiveness of controls; status of compliance is based on agreed-upon procedures.

The auditor must then select one of the two schemas for reporting depending upon the type of audit:

  1. Risk-based: Rate the findings based on assessment of associated risk being high, medium, or low.
  2. Compliance-based: Rate the findings based on the degree of compliance as major nonconformance/compliance, minor nonconformance/compliance, observations or improvements.

When selecting the reporting scheme, the auditor should be careful. The following tips might be useful for this task:

  • Use a risk-based schema to report findings when management expects comments on the level of assurance and effectiveness of controls. The risk-based schema is useful when the audit scope is generic and does not specify the type of control to be implemented. Management will expect the auditor’s judgment to determine the appropriate level of controls to be implemented.
  • Use a compliance-based schema when reporting the level of compliance when reviewing the agreed-upon procedures, e.g., regulatory compliance review, ISO certifications. Be ready to comment on level of compliance of agreed-upon controls.
  • When the audit scope does not describe the specific type of controls to be implemented, select the risk-based schema. Selecting the schema becomes tricky in such situations, and auditors frequently encounter cases where the audit scope and management’s expectations are not clear. If the scope statement says to verify controls for securing electronic documents, then analyze the implemented controls and determine the level of security achieved.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Securing the Battlefields of Business
James Rees, CISM, London (UK) Chapter, Shares His Experience as a CISM

James Rees finds enjoyment in information security both professionally and personally. “My professional life and my personal life are very closely intertwined. That is not to say I do not have other diversions. Everyone should have an outlet, but most of mine, in some form or another, are applicable to information security.” Rees takes his work in, and passion for, information security into his hobbies; he has developed a keen interest in warfare—both digital and historical—and takes part in battlefield re-enactments.

Rees decided to pursue the Certified Information Security Manager (CISM) certification to prove on a professional level that he understood the needs of his profession. From a personal level, Rees knew that CISM certification would allow him to be innovative and creative in the information security field and that this would help him to protect the enterprise on the every-day business battlefield. “Progression in information security on a professional level requires that you prove you can reach a minimum standard; being certified is a great way to do this. Even if you are a seasoned professional, there will be gaps in your knowledge that you must fill in order to attain the CISM certification. As such, maintaining the CISM certification shows that you have what it takes.”

Rees believes that CISM certification opened many doors for him and helped him in his business. “I started Razor Thorn Security Ltd., a security advisory firm that has a focus on developing solutions to protect business-critical assets. My business has increased my enjoyment in my career immeasurably as well as provided a source to promote good information security for a number of clients.

“Respected in the business world and among information security professionals, the CISM certification opened doors. Without it, my career would have been a great deal more difficult to cultivate.”

“I have always loved the security world; there is so much to it,” says Rees. “CISM has allowed me to be part of this world, to contribute to it and to carve a successful career within it. I am a firm believer that careers never reach a plateau unless you set that plateau. Careers are always ongoing, and in this particular discipline, ever evolving.”

To learn more about CISM and other ISACA certifications, visit the Certification page of the ISACA web site.
