Volume 2, 2012 

The ISACA Journal is dedicated to the publication of managerial and technical guidance from experienced global authors to enhance the proficiency and competitive advantage of its international readership. With volume 2, 2012, the Journal focuses on the theme Extended Enterprise, with articles on creating a risk-conscious and security-aware culture, security through effective penetration testing, and strengthening information security governance, among others.

Cloud Computing
Gates Corporation Makes Sales a Companywide Effort in the Cloud
Eric Berridge
Beyond cost savings, the real value of cloud computing is its ability to facilitate collaboration across all business units.
CPE Quiz
Quiz 141
Based on Volume 6, 2011
Features
A Case for a Partnership Between Information Security and Records Information Management
Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE
The closer alignment between RIM and information security may provide an approach to managing increasing data protection concerns and tough privacy regulations rather than maintaining the separation between these critical compliance functions.
Changing the Mind-set: Creating a Risk-conscious and Security-aware Culture
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP
Risk and security will no longer be something that the organization consciously considers and instead will become integrated in business-as-usual activities.
Fundamental Concepts of IT Security Assurance
Haris Hamidovic, CIA, ISMS IA, IT Project+
The requirement to protect information is particularly important in today’s environment because many organizations are internally and externally connected by networks of IT systems..
Mitigating the Risk of OSS-based Development
Charles Gold
While open-source technology offers significant benefits, using open-source components carries technical and business risks that cannot be ignored.
Security Through Effective Penetration Testing
Jonathan Trull, CISA, CFE, OSCP
Successful penetration of any critical resource could identify vulnerabilities that could become targets for real hackers.
Sharing or Controlling? Examining the Decision to Segregate Information Within the Organization
Carl A. Foerster
This article discusses recently conducted research that examined the factors considered in the decision to apply access controls to segregate information within an organization.
Strengthening Information Security Governance
Ed Gelbstein, Ph.D.
In the last couple of years, it has become evident that no organization can avoid being influenced by the tsunami of innovative technology, with ever shorter life cycles.
HelpSource Q&A
HelpSource Q&A
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
What should be the recovery strategy that I must impose on the vendor to ensure an effective recovery of the services, if a crisis were to ever occur?
Information Ethics
Changing Times and the Eternality of Ethics
Vasant Raval, CISA, DBA
While humanity has learned about morality forever, it seems that people falter easily in their consideration of ethical behavior.
Information Security Matters
Making Preparedness Pay
Steven J. Ross, CISA, CISSP, MBCP
The Conference Board study addresses the resilience of companies “to bounce back from a disruption” caused by security events, which are defined rather loosely as environmental disasters, terrorism and cyberattacks.
IT Audit Basics
Testing Controls Associated With Data Transfers
Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA
This article addresses some of the IT audit issues associated with data transfers.
Online Exclusive
JOnline: Book Review—Master Data Management and Data Governance
Alex Berson and Larry Dubov | Reviewed by Bright Munongwa
This book is a reference guide that looks at the topics of MDM and data governance from multiple perspectives.
JOnline: Customer Relationship Information Technology Internal Control and Security Framework
Robbie Sauerberg, Weston Smith and Jonathan Tudor, CCNA
This article first describes the benefits of CRM systems and identifies risk areas inherent in CRM systems that threaten the benefits an organization can receive from a CRM system.
JOnline: Testing Your Computer Security Incident Response Plan
Steve Markey
This article discusses the genesis for CSIR testing, several testing methodologies and/or exercises with which an organization can assess the maturity of its CSIR plan/program.
Standards, Guidelines, Tools and Techniques
Standards, Guidelines, Tools and Techniques
ISACA Member and Certification Holder Compliance
An up-to-date listing of the current IT Audit and Assurance Standards, Guidelines, and Tools and Techniques
Translated Articles
Обеспечение безопасности с помощью эффективного теста на проникновение
Джонатан Трулл (Jonathan Trull, CISA, CFE, OSCP)
Успешное проникновение в критически важные ресурсы помогло выявить уязвимости, которые могли бы стать объектами атаки для настоящих хакеров.
Снижение риска, связанного с использованием ПО с открытым исходным кодом в процессе разработки
Чарльз Голд (Charles Gold)
Несмотря на значительные преимущества открытых технологий, нельзя игнорировать, что использование компонентов с открытым исходным кодом способно повлечь за собой как технические, так и бизнес-риски.