@ISACA Volume 9: 27 April 2011 

@ISACA Relevant, Timely News

Top Business/Technology Issues Survey 2011 Results Released

ISACA® has released Top Business/Technology Survey Results 2011, which was developed from the findings of a survey of audit/assurance, IT and information security managers across the globe to identify current business issues supported by technology. The survey was conducted by ISACA in October/November 2010. This report summarizes the findings of the survey and provides a concise view of the top 7 current business/technology issues. It also reviews the top 5 issues from the perspectives of audit/assurance, IT management and security management. This is the second such survey conducted by ISACA, and correlations are made to the 2008 survey report. Top Business/Technology Survey Results 2011 is available as a complimentary download from the Research page of the ISACA web site.

Learn more about the ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.


5 Considerations When Evaluating ISRM Programs and Capabilities

The following are 5 key items to consider when evaluating information security and risk management (ISRM) programs and capabilities:

  1. Does a defined and business-endorsed strategy exist? It is important to assess whether an organization has developed and implemented a formal strategy for the ISRM program, that associated capabilities exist, and that the strategy has been documented and approved within the organization. A comprehensive strategy will include, at minimum, the following key elements:
    • Comprehension and acknowledgement of current business conditions
    • Governance models that will be utilized
    • Alignment with the organizational risk profile and appetite
    • Budget considerations and sourcing plans
    • Metrics and measures
    • Communication and awareness plans
  2. How effective are the methods and practices for threat, vulnerability and risk assessment? The methods and practices that are used as part of ISRM programs and capabilities to evaluate threats, vulnerabilities and risks should be consistent, repeatable and easily understood by their target audiences. These methods and practices should minimally include the following components:
    • Business process mapping
    • Asset inventory and classification
    • Threat and vulnerability analysis methodology
    • Risk assessment methodology
    • Intelligence gathering, processing and reporting capabilities
  3. What is the approach to compliance? Compliance has quickly become an integral part of any ISRM program or capability within an organization. There are numerous external regulatory, legal and industry standards and internal policies with which organizations need to comply. Ideally, compliance should be considered a starting point and not an end point of ISRM capabilities. Unfortunately, many organizations have adopted an approach called “security by compliance,” which is not only a sign of immaturity, but also may leave them vulnerable to a significant number of business-impacting threats and may expose them to a wide range of risks for which they may not properly account.
  4. How are metrics and measures utilized? Metrics and measures are often used by organizations to evaluate the capabilities of their business units and functions. ISRM programs and capabilities have become more ingrained within organizations as independent business functions and business units, instead of as elements within technology programs. The need for these programs and capabilities to demonstrate and monitor their business value to their constituencies, including the organizations that they serve, has become a critical consideration in organizations’ operating strategy. The metrics and measures associated with ISRM capabilities should demonstrate a focus on the value provided and the efficiency of their functional capabilities.

    Each key metric or measure (a collection of multiple metrics and measures, or one considered critical to the success of the organization) should also include thresholds with associated actions or activities. Metrics and measures without thresholds do not provide insight into the values they produce. Thresholds can be as simple as a notification or as complex as a trigger for a series of actions and activities that will be executed once the threshold is met. The intended audiences that will be required to take an action, or will be impacted by an action once the threshold is reached, should be able to easily understand the business need or justification for the action and the value it provides to the organization.
  5. Does the program use an operational or consultative approach? Information security and risk management programs can include operational components as part of their core capabilities or can operate in an advisory and consulting capacity to the organization. If operational components are included, there should be a clear definition of expectations of the operational responsibilities and how they differentiate from other operational capabilities within the organization. There also should be documented processes and procedures for sharing information related to operational effectiveness, requirements, intelligence and incident-response activities.

    If the approach is purely advisory and consultative, the services that are provided to the organization should be clearly documented, as should the level of effort and interactions with the business that will be required for the services to be successful. Providing guidance and advice without operational responsibilities often allows an ISRM organization to be viewed positively within the organization, since it has only limited ability to prevent the organization from implementing operational capabilities with which it may not agree.

If you would like to read more about key considerations when evaluating information security and risk management programs and capabilities, look for the article of the same name in the volume 2, 2011, issue of the ISACA Journal or attend one of the ISACA Information Security and Risk Management conferences later this year.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Now Available in the Apple App Store:  ISACA Journal App

ISACA® is launching its first app: ISACA Journal App. It is available now for member-only access in the Apple App Store. Visit the Apple App Store and search “ISACA Journal” to download the free app from your iPhone, iPod touch or iPad.

The app is launching with content from ISACA® Journal, volume 2, 2011, as well as the ISACA Journal Author Blog and ISACA Now blog. Content will be updated weekly with the blog updates and bimonthly with each new issue of the Journal.

With the ISACA Journal App, you’ll be able to:

  • Download available issues and access them offline at anytime
  • Read topical industry-related content on the go
  • Read and search archived issues (beginning with volume 2, 2011) for the information you need as you need it
  • Read articles in magazine-page or text formats
  • Bookmark and share articles
  • Keep up on the latest news from ISACA.org
  • Access the latest blogs from ISACA.org
  • Download the app completely free

This same functionality will soon be available on the Droid as well. Please watch for the ISACA Journal Droid app later this year.

If you are viewing @ISACA from your iPhone or iPad, click here to download the ISACA Journal app from the Apple App Store.


Keep Your ISACA Account Information Up to Date

It is important to keep your ISACA® account information up to date to ensure accurate and timely delivery of all of your ISACA benefits. The following guidance will help you navigate this process on the web site.

To update your ISACA account information such as your home and business contact details, including your e-mail address, please go to MyISACA and click on My Profile from the top navigation. Next, click “Edit My Profile” from the right navigation menu.

Click the Account—Certification CPE—Demographic Info tab.

Your ISACA account information will be displayed. To make changes, scroll to the bottom of the page and click the Edit button.

Address Changes

To edit home (or business) contact details already listed, click on Home (or Business). A new form appears in a pop-up, so please ensure your pop-up blocker is not turned on. Make your changes and click the Continue button at the bottom right to save them.

Add an Address

To add a home or office address, click the Add Address button. Note that you may have only one home address and one business address. If both already exist, you cannot add an address; edit the existing one instead (see the previous Address Changes section).

A new form appears. Please ensure your pop-up blocker is not turned on.

For more information about navigating ISACA’s web site and updating personal information, visit the New ISACA Web Site page.


Results of Board Meeting in March 2011

The ISACA® Board of Directors met 4-5 March 2011 in Laguna Niguel, California, USA, to receive and review the reports of volunteer bodies and take action on a number of proposals.

Considerable time was spent discussing the activities that ISACA will undertake relative to cloud computing. A task force of volunteers presented a strategic plan covering research, education, ISACA® Journal and alliance activities that will mesh to form a coherent and cohesive program to address cloud-related issues pertinent to ISACA constituents. A new volunteer task force will be appointed to oversee implementation of the activities, many of which, including a cloud model publication, will begin to roll out in 2011.

The Governance Advisory Council presented, and the board approved, guiding principles to assist in populating all the volunteer boards, committees, subcommittees and task forces. In addition, changes to the IT Governance Institute’s Articles of Incorporation, to bring them in line with current practice, will be pursued.

The board received updates on COBIT® 5 development and approved a project initiation document for a security-specific COBIT-driven publication. A presentation was made on the results of the Global Status Report on Governance of Enterprise IT (GEIT)—2011, and plans were discussed for new ways to approach the project at its next iteration. On the topic of GEIT, the task force assigned to oversee ISACA’s own governance reported excellent progress in establishing proper governance measures and noted that ISACA’s experience would make a good case study on the use of ISACA frameworks and other intellectual property in a small organization.

The Paul Williams Award for Inspirational Leadership was redefined to enable a focus on long service and strategic accomplishments, in keeping with the legacy left by its namesake. The first presentation of the newly defined award will occur in June 2011 in conjunction with the World Congress.

This was the final meeting of the 2010-2011 Board of Directors. The first meeting of the 2011-2012 board will occur on 26 June 2011, in Washington DC, USA, at the site of ISACA’s World Congress:  INSIGHTS 2011 conference.


Conference Looked to the Future and Addressed Assuring Value, Building Trust
Similar Topics to Be Covered at Upcoming ISACA Events

The 2011 Asia-Pacific Computer Audit, Control and Security (CACS℠) conference’s theme, “Assuring Value, Building Trust,” was fitting. Delegates from the Gulf States, India, Europe, Southeast Asia and North America participated in sessions on governance of enterprise IT (GEIT), risk management, IT audit and the future of information. The delegates also learned about metrics for information security, the ISO 27001 standard, e-government security, social media and building an intentional culture of security. The theme could have easily been “Looking to the Future,” as the delegates participated in discussions on the future of information and the next generation of security and audit for cloud computing. Even Neeraj Kumar’s keynote address talked about the dynamic and growing conglomerate of business and technologies, the need to prepare for change, and how to be proactive so the future does not take you by surprise.

Industry leaders from around the world served as presenters for the two-day event. Companies that supported presenters include SAP Business Objects Division, Microsoft, Dubai Aluminium Company, NetWitness Corporation, E-government Authority of Bahrain and Dubai Customs. Delegates represented industry leaders including Accenture Services, Bank Muscat, Central Bank of Bahrain, Dubai World, Emirates Airlines, First Gulf Bank, GlaxoSmithKline, PricewaterhouseCoopers, Protiviti, Qatar Petroleum, Riyadh Bank and United Arab Shipping Company.

ISACA® offers a variety of educational opportunities including conferences such as the 2011 Asia-Pacific CACS conference, training weeks, and eLearning events such as webinars, virtual conferences, the e-symposia series and self-paced courses. You can learn more about ISACA educational events on the Education page of the ISACA web site. Further, ISACA is always looking for volunteers to help design and develop educational programs and to present various sessions. To express an interest in volunteering with ISACA education, send an e-mail to conferences@isaca.org.


Book Review:  Protecting Industrial Control Systems From Electronic Threat
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL

When I reviewed this book, I was impressed by how unique it is. First, its mission is to address the protection of worldwide, important industrial infrastructures that we all depend on every day. I thought, “How can this complex topic be covered in 300 pages?”

Second, Protecting Industrial Control Systems From Electronic Threat, by Joseph Weiss, CISM, CRISC, is not just another IT security publication. It is a very helpful handbook that provides guidance about industrial control systems and the security threats they face, in general terms and as a result of the convergence with digital information technology and the Internet. IT auditors and security consultants are familiar with the risks of IT, but may not be sure how to protect or audit systems controlling industrial infrastructures, such as electric power plants or grids, pipelines or transportation in a global dimension.

This book addresses these issues with comprehensive and thorough content. It provides the background knowledge to understand the essential components of infrastructures, their risks, the measures to identify threats, how to mitigate issues, how to support protection and how to enable continuous secure operation. It is about protecting these essential infrastructures and their controls, not only against external threats and vulnerabilities, but also internal malicious activities or human error with disastrous consequences.

The content includes numerous interesting facts and examples of historic North American infrastructure security incidents. It analyzes causes, implications, reactions and “lessons learned” from past incidents. This methodology generates very valuable insight for the reader and demonstrates the author’s more than 35 years of experience in the energy industry.

This book demonstrates the importance of building “functional security” and threat/risk mitigation into the design and shows ways to address security risk management supported by the corporate audit function.

This message is the backbone of the book and it makes the book valuable for the engineer, the security consultant and auditor who, as I mentioned, work in this very special area of control systems of industrial infrastructures. Considering that the infrastructures are so critical and this book addresses their security sustainability in a very informative and constructive way, I recommend the book for appropriate staff of utilities companies as well.

Protecting Industrial Control Systems From Electronic Threat is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA® Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CISSP, ITIL, is the owner and principal consultant of DELTA Information Security Consulting Inc.

