Why am I a huge fan of COBIT?

Mark Thomas

If you’ve been thinking about looking into COBIT, but haven’t because you are not quite sure what it can do for your enterprise, now is the time to get started. As an IT professional who has used COBIT for several years, I can say without hesitation that it has more to offer than you might imagine. COBIT can help you look at your organization from the governance and management standpoints, and expands the view beyond just processes through the use of enablers. This framework is not an academic reference that grew out of the audit, risk and security areas. It is a flexible, useable tool that has completely won me over, and here are five reasons I’m a big fan:

  1. COBIT is relevant—the goal is to deliver value.
    The enterprise exists to create value for its stakeholders. This is simple in theory, but tough in real life. COBIT was created from the top down, meaning that the entire model focuses on the primary facets of providing value by realizing benefits while optimizing risks and resources. From the goals cascade to the enablers, COBIT helps you focus on value.
  2. COBIT still focuses on information.
    If an enterprise does not manage its information, it will no longer exist. COBIT focuses on the information first, and that is the right way to look at it. Without information, there is no need for the technology.
  3. COBIT is not just for the big companies.
    COBIT has escaped the “for big companies only” misconception. Whether you have a small IT organization or several hundred resources, COBIT fits any size; you just need to identify your business goals, objectives and mission to operate as a going concern. I have seen an organization with two IT staff members leverage COBIT.
  4. COBIT is a framework that looks beyond just processes.
    COBIT’s seven enablers are designed to help you get beyond just looking at processes. These enablers include 1) Principles, Policies and Frameworks, 2) Processes, 3) Organizational Structures, 4) Culture, Ethics and Behavior, 5) Information, 6) Services, Infrastructure and Applications, and 7) People, Skills and Competencies. These provide a more holistic approach to governance, where a change in one enabler must be adequately assessed across all enablers.
  5. COBIT is a great reference for process owners.
    All processes should have owners. I will even take that a step further and say that all processes should have assigned roles. Within COBIT 5 there is a wealth of information regarding processes. There are 37 processes organized into five domains (one governance domain and four management domains). Within this process reference model, the biggest hitters for me include: process description and purpose, practices and activities, inputs and outputs, RACI charts, goals, and related industry standards and frameworks.

And the benefits don’t end there. See five additional reasons here.

Category: COBIT-Governance of Enterprise IT     Published: 12/18/2014 3:08:00 PM

Are Your Talents Undermining Your Ability to Influence?

Carlann Fergusson and Sandy Fadale

It happens slowly. In the past, you were asked early into the change processes, but now it seems the invites are coming reluctantly. When you do show up, no one seems thrilled to see you. Or perhaps you get ready to deliver the reasons for the needed compliance steps in a meeting and you can see in the others’ body language and eyes that they are gearing up to counter with all the reasons they cannot do something.

What is with these people? Can’t they see you are just trying to help, to do your job, to make the company safe?

Perhaps it is not entirely their issue. Often, our greatest strengths as a professional are also our greatest weaknesses to influencing others. Here are two to consider:

  1. Brilliant Critical Evaluator:
    Strength: You are wicked smart at being able to break down a system to see where the potential problems could arise. Your mind easily processes the system implications and potential outcomes to each potential problem.
    Unintended Consequences: Your gift gets misinterpreted as finding faults in both programs and their owners. Others could view you as being a pessimist. When they see you, they think doom and gloom.
    How to Improve: Start by pointing out what is right with the proposal or plan. Limit your criticisms. Consider bucketing smaller criticisms under one main problem area, so it does not seem overwhelming to the person you are trying to influence. Do not worry about giving them the full analysis; just give them one or two points so they understand the concern. Recognize that you are only trying to get them to agree that there is an issue, not to buy into the whole correction plan yet.
  2. Passionate Expert:
    Strength: You strongly identify with your role and you know you can help the company improve its security and results. You feel it is your mission to keep others from unintentionally or intentionally going astray for the betterment of the organization.
    Unintended Consequences: Your passion gets misinterpreted as intensity in stating your ideas. Others could view you as pushing too hard on your ideas. Their natural tendency when feeling pushed is to push back and this is unintentionally engaged.
    How to Improve: Recognize that others cannot hear your great suggestions when you are overly passionate. Remind yourself that you are not the sole owner of the success or failure. Recognize that when you are running head first to break down a wall, only your head is the one getting bloody. Ask yourself if it is absolutely true that everything you are proposing must be done tomorrow. Slow down and calmly enlist others in your quest. A first step in the right direction is better than no step at all.

Use these two examples to find what may be keeping you from being more effective. Ask yourself what your one or two key strengths are. Then look for the shadow of these gifts.

Category: Audit-Assurance     Published: 12/16/2014 3:06:00 PM

An auditor’s role in social media

Mahmoud D. Ghuneim

“Is Social Media Causing Us to Self-Censor on Hot-Button Issues? Social media is great for expressing our opinions. Or is it?” –McAfee Facebook post, 5 September 2014

In today’s highly competitive business world, social media is not a choice; it is a must. As a professional IT auditor, your job is to help your business navigate the maze of risks and governance issues surrounding social media.

It is no secret to governance executives that social media’s genuine value-delivering strategy is well known as “how it could go wrong.” The role of a Certified Information Systems Auditor (CISA) practitioner here is to effectively and efficiently monitor and measure all social media-related aspects by listening and learning best practices.

IT auditing experts focusing on social media compliance explore the risk and compliance issues every business must consider when using social media. In turn, they explain why it works, the legal issues involved, how to develop a social media policy and strategy, how to track it through strong metrics, and the elements of an effective social media policy for both internal and external stakeholders. This exposes social media risks by stressing that the greatest risk related to social media is what organizations do not know.

Category: Audit-Assurance     Published: 12/11/2014 3:05:00 PM

Cybersecurity: No cease fire, who will win? - Insights from North America ISRM 2014

Alan Tang

In the cybersecurity industry, you will never feel bored, thanks to the enormous amount of buzzwords and headlines: the good, the bad and the ugly. High-profile data breaches have been exposed to the public one after another. Nations have escalated cybersecurity to their highest priority. New regulations and standards have been developed to catch up with the trend.

ISACA’s 2014 North America Information Security and Risk Management (ISRM) conference, which will be transformed into CSX 2015 next year, provided a great platform for cybersecurity professionals to share and learn in this broader context. I appreciated the opportunity to attend the conference, and it was especially my privilege to interview several conference speakers.

Here are some thoughts as I look back at ISRM 2014.

The fear of cybersecurity
It was not a surprise to me that quite a few speakers started their presentations by illustrating the current threat landscape. Enough evidence justified why everyone should consider cybersecurity a serious concern.

During his “2014 Top Security & Privacy Bloopers” presentation, Todd Fitzgerald skillfully summarized and analyzed data breaches from Target to the Sochi Olympics and from eBay to JP Morgan. The number of companies notified of breaches by the US Federal Bureau of Investigation (FBI) in 2013 alarmed us and reminded us that there is no place to hide in cyberspace. Regardless of the industry, size and type of your organization, it seems that cyberattacks can happen at any time. It brings further complexity to the table when your organization is leveraging new technology forces such as cloud, software defined networking (SDN), big data or the Internet of Things (IoT). Another critical aspect, proposed by Tim Mather, is to be aware of application programming interfaces (APIs), which will most likely be the next hacker target.

Category: Security     Published: 12/9/2014 3:11:00 PM

Keeping up with emerging technologies amidst legislative lag

Harris Buller and Virginia Mushkatblat

Government organizations, such as the US Congress, can be a bit slow on the uptake, taking decades to recognize new technology and adjust our laws accordingly. For industries that deal with sensitive data, however, relying on legislative lag can lead to a false sense of security. Governments around the world have grown wise to the rapid pace of technological development, and the law is prepared to incorporate new technology as it is developed.

Some of the biggest challenges faced by businesses that handle sensitive personal data are best practices laws. Best practices laws demand a constant awareness of current and new technology and its potential impact on a client’s business practices. Depending on your field, privacy laws and regulations are often so vague that “best practices” just means the most conservative practices you can design, including a good insurance policy.

Contractual obligations are another challenging part of maintaining sensitive data. Businesses and governments frequently mandate data protection via contracts. The European Union (EU) recommends contractual clauses designed to export its privacy regulations to foreign businesses dealing with companies from the EU. Banks, insurers and other large corporations often maximize their protection by demanding “all reasonable protections,” “the utmost care” and other vague statements that seem more concerned with shifting liability to their contractual partner than actually protecting sensitive data.

Category: Government-Regulatory     Published: 12/4/2014 3:03:00 PM