Top Business/Technology Issues Survey 2011


Volume 9, 27 April 2011

In This Issue:
- Top Business/Technology Issues Survey 2011 Results Released
- 5 Considerations When Evaluating ISRM Programs and Capabilities
- Now Available in the Apple App Store: ISACA Journal App
- Keep Your ISACA Account Information Up to Date
- Results of Board Meeting in March 2011
- Conference Looked to the Future and Addressed Assuring Value, Building Trust
- Book Review: Protecting Industrial Control Systems From Electronic Threat

Top Business/Technology Issues Survey 2011 Results Released

ISACA has released Top Business/Technology Survey Results 2011, which was developed from the findings of a survey of audit/assurance, IT and information security managers across the globe to identify current business issues supported by technology. The survey was conducted by ISACA in October/November 2010. This report summarizes the findings of the survey and provides a concise view of the top 7 current business/technology issues. It also reviews the top 5 issues from the perspectives of audit/assurance, IT management and security management. This is the second such survey conducted by ISACA, and correlations are made to the 2008 survey report.

Top Business/Technology Survey Results 2011 is available as a complimentary download from the Research page of the ISACA web site. Learn more about the ongoing ISACA research projects and upcoming deliverables by visiting the Current Projects page of the ISACA web site.

5 Considerations When Evaluating ISRM Programs and Capabilities
By John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP

The following are 5 key items to consider when evaluating information security and risk management (ISRM) programs and capabilities:

1. Does a defined and business-endorsed strategy exist?

It is important to assess whether an organization has developed and implemented a formal strategy for the ISRM program, that associated capabilities exist, and that the strategy has been documented and approved within the organization.
A comprehensive strategy will include, at minimum, the following key elements:

- Comprehension and acknowledgement of current business conditions
- Governance models that will be utilized
- Alignment with the organizational risk profile and appetite
- Budget considerations and sourcing plans
- Metrics and measures
- Communication and awareness plans

2. How effective are the methods and practices for threat, vulnerability and risk assessment?

The methods and practices that are used as part of ISRM programs and capabilities to evaluate threats, vulnerabilities and risks should be consistent, repeatable and easily understood by their target audiences. These methods and practices should minimally include the following components:

- Business process mapping
- Asset inventory and classification
- Threat and vulnerability analysis methodology
- Risk assessment methodology
- Intelligence gathering, processing and reporting capabilities

3. What is the approach to compliance?

Compliance has quickly become an integrated part of any ISRM program or capability within an organization. There are numerous external regulatory, legal and industry standards and internal policies with which organizations need to be compliant to meet their compliance goals. Ideally, compliance should be considered a starting point and not an end point of ISRM capabilities. Unfortunately, many organizations have adopted an approach called "security by compliance," which is not only a sign of immaturity, but also may make them vulnerable to a significant number of business-impacting threats and may expose them to a wide range of risks for which they may not properly account.

4. How are metrics and measures utilized?

Metrics and measures are often used by organizations to evaluate the capabilities of their business units and functions. ISRM programs and capabilities have become more engrained within organizations as independent business functions and business units, instead of as elements within technology programs. The need for these programs and capabilities to demonstrate and monitor their business value to their constituencies, including the organizations that they serve, has become a critical consideration in organizations' operating strategies. The metrics and measures associated with ISRM capabilities should demonstrate a focus on the value provided and the efficiency of their functional capabilities. Each key metric or measure (collections of multiple metrics and measures, or those considered critical to the success of the organization) should also include thresholds with associated actions or activities. Metrics and measures without thresholds do not provide insights into the values they produce. Thresholds can be as simple as a notification or as complex as a trigger for a series of actions and activities that will be executed once met. The intended audiences that will be required to take an action or will be impacted by an action once the threshold is achieved should be able to easily understand the business need or justification for the action and understand the value provided to the organization.

5. Does the program use an operational or consultative approach?

Information security and risk management programs can include operational components as part of their core capabilities or can operate in an advisory and consulting capacity to the organization. If operational components are included, there should be a clear definition of expectations of the operational responsibilities and how they differentiate from other operational capabilities within the organization. There also should be documented processes and procedures for sharing information related to operational effectiveness, requirements, intelligence and incident-response activities. If the approach is purely an advisory and consultative approach, the services that are provided to the organization should be clearly documented, as should the level of effort and interactions with the business that will be required for the services to be successful. Providing guidance and advice without operational responsibilities often allows an ISRM organization to be viewed positively from within the organization since it is limited in its ability to prevent the organization from implementing operational capabilities to which it may not agree.

If you would like to read more about key considerations when evaluating information security and risk management programs and capabilities, look for the article of the same name in the volume 2, 2011, issue of the ISACA Journal or attend one of the ISACA Information Security and Risk Management conferences later this year.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.

Now Available in the Apple App Store: ISACA Journal App

ISACA is launching its first app: ISACA Journal App. It is available now for member-only access in the Apple App Store. Visit the Apple App Store and search "ISACA Journal" to download the free app from your iPhone, iTouch or iPad. The app is launching with content from ISACA Journal, volume 2, 2011, as well as the ISACA Journal Author Blog and ISACA Now blog. Content will be updated weekly with the blog updates and bimonthly with each new issue of the Journal.

With the ISACA Journal App, you'll be able to:
- Download available issues and access them offline at any time
- Read topical industry-related content on the go
- Read and search archived issues (beginning with volume 2, 2011) for the information you need as you need it
- Read articles in magazine-page or text formats
- Bookmark and share articles
- Keep up on the latest news from ISACA.org
- Access the latest blogs from ISACA.org
- Download the app completely free

This same functionality will soon be available on the Droid as well. Please watch for the ISACA Journal Droid app later this year. If you are viewing @ISACA from your iPhone or iPad, click here to download the ISACA Journal app from the Apple App Store.

Keep Your ISACA Account Information Up to Date

It is important to keep your ISACA account information up to date to ensure accurate and timely delivery of all of your ISACA benefits. The following guidance will help you navigate this process on the web site.

To update your ISACA account information, such as your home and business contact details, including your e-mail address, go to MyISACA and click on My Profile from the top navigation. Next, click Edit My Profile from the right navigation menu. Click the Account Certification CPE Demographic Info tab. Your ISACA account information will be displayed. To make changes, scroll to the bottom of the page and click the Edit button.

Address Changes

To edit home (or business) contact details already listed, click on Home (or Business) and the field will be editable in a pop-up. Save your changes by clicking on the button at the bottom right. A new form appears. Please ensure your pop-up blocker is not turned on and make your changes. Click the Continue button to save your changes.

Add an Address

To add a home or office address, click the Add Address button. Note that you may have one home address and one business address. If both exist, you cannot add an address (see the previous Address Changes section). A new form appears. Please ensure your pop-up blocker is not turned on.

For more information about navigating ISACA's web site and updating personal information, visit the New ISACA Web Site page.

Results of Board Meeting in March 2011

The ISACA Board of Directors met 4-5 March 2011 in Laguna Niguel, California, USA, to receive and review the reports of volunteer bodies and take action on a number of proposals. Considerable time was spent discussing the activities that ISACA will undertake relative to cloud computing. A task force of volunteers presented a strategic plan covering research, education, ISACA Journal and alliance activities that will mesh to form a coherent and cohesive program to address cloud-related issues pertinent to ISACA constituents. A new volunteer task force will be appointed to oversee implementation of the activities, many of which, including a cloud model publication, will begin to roll out in 2011. The Governance Advisory Council presented, and the board approved, guiding principles to assist in populating all the volunteer boards, committees, subcommittees and task forces. In addition, changes to the IT Governance Institute's Articles of Incorporation, to bring them in line with current practice, will be pursued.

The board received updates on COBIT 5 development and approved a project initiation document for a security-specific COBIT-driven publication. A presentation was made on the results of the Global Status Report on Governance of Enterprise IT (GEIT) 2011, and plans were discussed for new ways to approach the project at its next iteration. On the topic of GEIT, the task force assigned to oversee ISACA's own governance reported excellent progress in establishing proper governance measures and noted that ISACA's experience would make a good case study on the use of ISACA frameworks and other intellectual property in a small organization. The Paul Williams Award for Inspirational Leadership was redefined to enable a focus on long service and strategic accomplishments, in keeping with the legacy left by its namesake. The first presentation of the newly defined award will occur in June 2011 in conjunction with the World Congress.

This was the final meeting of the 2010-2011 Board of Directors. The first meeting of the 2011-2012 board will occur on 26 June 2011, in Washington DC, USA, at the site of ISACA's World Congress: INSIGHTS 2011 conference.

Conference Looked to the Future and Addressed Assuring Value, Building Trust
Similar Topics to Be Covered at Upcoming ISACA Events

The 2011 Asia-Pacific Computer Audit, Control and Security (CACS SM) conference's theme, Assuring Value, Building Trust, was fitting. Delegates from Gulf States, India, Europe, Southeast Asia and North America participated in sessions on governance of enterprise IT (GEIT), risk management, IT audit and the future of information. The delegates also learned about metrics for information security, the ISO 27001 standard, e-government security, social media and building an intentional culture of security. The theme could have easily been Looking to the Future, as the delegates participated in discussions on the future of information and the next generation of security and audit for cloud computing. Even Neeraj Kumar's keynote address talked about the dynamic and growing conglomerate of business and technologies, the need to prepare for change, and how to be proactive so the future does not take you by surprise.

Industry leaders from around the world served as presenters for the two-day event. Companies that supported presenters include SAP Business Objects Division, Microsoft, Dubai Aluminium Company, NetWitness Corporation, E-government Authority of Bahrain and Dubai Customs. Delegates represented industry leaders including Accenture Services, Bank Muscat, Central Bank of Bahrain, Dubai World, Emirates Airlines, First Gulf Bank, GlaxoSmithKline, PricewaterhouseCoopers, Protiviti, Qatar Petroleum, Riyadh Bank and United Arab Shipping Company.

ISACA offers a variety of educational opportunities including conferences such as the 2011 Asia-Pacific CACS conference, training weeks, and e-learning events such as webinars, virtual conferences, the e-symposia series and self-paced courses. You can learn more about ISACA educational events on the Education page of the ISACA web site. Further, ISACA is always looking for volunteers to help design and develop educational programs and to present various sessions. To express an interest in volunteering with ISACA education, send an e-mail to conferences@isaca.org.

Book Review: Protecting Industrial Control Systems From Electronic Threat
Reviewed by Horst Karin, Ph.D., CISA, CISSP, ITIL

When I reviewed this book, I was impressed by how unique it is. First, its mission is to address the protection of worldwide, important industrial infrastructures that we all depend on every day. I thought, "How can this complex topic be covered in 300 pages?" Second, Protecting Industrial Control Systems From Electronic Threat, by Joseph Weiss, CISM, CRISC, is not just another IT security publication. It is a very helpful handbook that provides guidance about industrial control systems and the security threats they face, in general terms and as a result of the convergence with digital information technology and the Internet.

IT auditors and security consultants are familiar with the risks of IT, but may not be sure how to protect or audit systems controlling industrial infrastructures, such as electric power plants or grids, pipelines or transportation in a global dimension. This book addresses these issues with comprehensive and thorough content. It provides the background knowledge to understand the essential components of infrastructures, their risks, the measures to identify threats, how to mitigate issues, how to support protection and how to enable continuous secure operation. It is about protecting these essential infrastructures and their controls, not only against external threats and vulnerabilities, but also internal malicious activities or human error with disastrous consequences. The content includes numerous interesting facts and examples of historic North American infrastructure security incidents. It analyzes causes, implications, reactions and lessons learned from past incidents. This methodology generates very valuable insight for the reader and demonstrates the author's more than 35 years of experience in the energy industry. This book demonstrates the importance of building functional security and threat/risk mitigation into the design and shows ways to address security risk management supported by the corporate audit function.

This message is the backbone of the book and it makes the book valuable for the engineer, the security consultant and the auditor who, as I mentioned, work in this very special area of control systems of industrial infrastructures. Considering that the infrastructures are so critical and this book addresses their security sustainability in a very informative and constructive way, I recommend the book for appropriate staff of utility companies as well.

Protecting Industrial Control Systems From Electronic Threat is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or e-mail bookstore@isaca.org.

Horst Karin, Ph.D., CISA, CISSP, ITIL, is the owner and principal consultant of DELTA Information Security Consulting Inc.

© 2011 ISACA. All rights reserved.