www.isaca.

org January/February 2016

STAY AHEAD OF THREATS.
MOVE AHEAD IN YOUR CAREER.
Cybersecurity NexusTM (CSX) is your premier resource for knowledge, tools, guidance and professional
development in the critical areas of cybersecurity. And now, you can test your abilities with our new
skills-based training programs and prove them with our performance-based certifications.
Because it’s not about showing you have the knowledge — it’s about getting the job done.

Visit www.isaca.org/cybercertcsx for more information.

 CREATE VALUE FOR YOURSELF AND YOUR ENTERPRISE—START BY REGISTERING FOR AN ISACA® CERTIFICATION EXAM TODAY!

“EMPLOYERS SEE MY
ISACA CERTIFICATIONS.
THEY KNOW I WILL BE A
VALUABLE RESOURCE.”
— MARCUS CHAMBERS, CISM, CGEIT
CONSULTANT
LONDON, UNITED KINGDOM
ISACA MEMBER SINCE 2012

Becoming ISACA-certified showcases your knowledge

and expertise. Give yourself an edge and gain the
recognition you deserve with ISACA certifications—
register for an upcoming exam soon!
Register at www.isaca.org/2016exams-Jv1

UPCOMING CERTIFICATION EXAM

11 June 2016
Early registration deadline: 10 February 2016
Final registration deadline: 8 April 2016
Take the first step towards gaining the recognition you deserve—register for a June exam today!

Register early to save US $50! www.isaca.org/2016exams-Jv1

VOLUME 1, 2016

ISACA
Journal
®

The ISACA® Journal

Columns 18 44
Transforming the IT Audit Function— Actionable Security Intelligence From Big, seeks to enhance
4 Taking the Digital Journey
(Disponible también en español)
Midsize and Small Data
C. Warren Axelrod, Ph.D., CISM, CISSP
the proficiency and
Information Security Matters: competitive advantage
Cyber/Privacy Robert (Bob) E. Kress
Steven J. Ross, CISA, CISSP, MBCP 51 of its international
22 Comparison of PCI DSS and
readership by providing
7 Auditing Cybersecurity ISO/IEC 27001 Standards
Tolga Mataracioglu, CISA, CISM, COBIT
Guest Editorial: Why Everyone Dislikes the Martin Coe, DBA, CISA, CISM, CPA managerial and
Foundation, CCNA, CEH, ISO 27001 LA,
IT Auditor and How To Change It
BS 25999 LA, MCP, MCTS, VCP technical guidance from
Tommie Singleton, CISA, CGEIT 27
The Art of Data Visualization, Part I experienced global
10 Karina Korpela, CISA, CISM, CISSP, PMP
Plus authors. The Journal’s
The Network
32 noncommercial,
Urmilla Persad, CISA, CISM, CRISC,
ITIL V3 Foundation
56
How to Be the Most Wanted IS Auditor Crossword Puzzle peer-reviewed articles
Sanjiv Agarwala, CISA, CISM, CGEIT, Myles Mellor
12 BS 25999/ISO 22301 LA, CISSP, focus on topics critical to
ISO 27001:2013 LA, MBCI
IS Audit Basics: Trust, but Verify
Ed Gelbstein, Ph.D.
57 professionals involved
35 CPE Quiz #164
Based on Volume 5, 2015—
in IT audit, governance,
Features Seven Software-related Incidents and
How to Avoid or Remediate Them
Cybersecurity security and assurance.
Prepared by Sally Chan, CGEIT, CMA, CPA
14 Frederick G. Mackaden, CISA, CMA, PMP
How COBIT 5 Improves the Work Process 59
Capability of Auditors, Assurance 41 Standards, Guidelines, Tools
Professionals and Assessors Managing Data Protection and and Techniques
(Disponible también en español) Cybersecurity—Audit’s Role
Graciela Braga, CGEIT, COBIT Foundation, CPA Mohammed J. Khan, CISA, CRISC, CIPM S1-S4 Read more from these
ISACA Bookstore Supplement Journal authors…
Journal authors are
now blogging at
www.isaca.org/journal/blog.
Online­-exclusive Features Visit the ISACA Journal
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a Author Blog to gain more
static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal. insight from colleagues and
Online Features to participate in the growing
The following is a sample of the upcoming features planned for January and February. ISACA community.
A Framework for Automated Compliance IS Audit Basics: Is There Such a Using Color to Enhance Spreadsheet
Monitoring in Oracle/SAP Environment Thing as a Bad IS Auditor?, Part 1 Accuracy and Usefulness
Balraj Thuppalay, CISM, CISSP Ed Gelbstein, Ph.D. Joshua J. Filzen, Ph.D., CPA, and
Mark G. Simkin, Ph.D.

Discuss topics in the ISACA Knowledge Center: www.isaca.org/knowledgecenter

Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA 3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008 USA
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Telephone +1.847.253.1545
Fax +1.847.253.1443
Like ISACA on Facebook: www.facebook.com/ISACAHQ
www.isaca.org
 THERE’S NO SHORTAGE OF
CYBER SECURITY THREATS
BUT THERE IS A SHORTAGE OF IT SECURITY PROFESSIONALS

DO YOU HAVE WHAT IT TAKES TO BE PART OF THE SOLUTION?

Cyber attacks are on the rise. Information security professionals are in high demand.
Get up-to-date security skills with Capella University’s master’s or graduate certificate in Digital
Forensics or Network Defense, aligned to the latest NSA focus areas.

The new graduate certificates can be completed in as little as 9 months, then applied toward
your Master’s in Information Assurance and Security (MS-IAS) to make an even bigger impact.

Plus, the knowledge you gained for your CISSP®, CEH®, or CNDA® certifications can help you
earn credit toward your MS-IAS, saving you time and money.

ANSWER THE CALL. START TODAY TO LEARN MORE AND EARN MORE.
CAPELLA.EDU/ISACA OR 1.866.933.5836

See graduation rates, median student debt, and other information at www.capellaresults.com/
outcomes.asp.
ACCREDITATION: Capella University is accredited by the Higher Learning Commission.
CAPELLA UNIVERSITY: Capella Tower, 225 South Sixth Street, Ninth Floor, Minneapolis, MN
55402, 1.888.CAPELLA (227.3552), www.capella.edu. ©Copyright 2015. Capella University. 15-8066
 Information
Steven J. Ross, CISA, CISSP,
MBCP, is executive principal
of Risk Masters International
LLC. Ross has been writing
one of the Journal’s most
popular columns since 1998.
He can be reached at
stross@riskmastersintl.com.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA®
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
4 ISACA JOURNAL VOLUME 1, 2016
SecurityMatters
Cyber/Privacy
Twice in the past year or so I have received
replacement credit cards because the numbers
and expiration dates had been disclosed by
merchants that I frequented. Each time, this
resulted in about an hour of researching my
credit card records, visiting the web sites of
companies that I regularly pay via the card and
updating my records. Surely, I am not the only
one who has been affected. Multiply my lost hour
by 70 million here, 40 million there, and sooner
or later it adds up to some real inconvenience.
The merchants in question had not simply
lost control of their customer records, nor did
they publish my credit card information in
the newspapers. They had been victimized by
criminals who had penetrated their systems
specifically to steal my data and that of millions
of others; in other words, they had suffered
a cybercrime. All the attention has focused
on the crime; I am concerned here about
the information.
INTRINSIC AND CONSEQUENTIAL IMPACTS
When information is stolen, it may have either
intrinsic or consequential impact. In the former
category, some lost information has value unto
itself. Books and movies, for example, have
intrinsic value. (When Sony was attacked last
year, it was reported that in addition to crashing
vital systems and publicizing embarrassing
emails, the perpetrators stole several films. I am
amused by the thought of the attackers—widely
attributed to be North Koreans—sitting around
and watching Annie.1)
Indeed, stolen credit card numbers are said
to have intrinsic value, since thieves sell them to
yet other criminals, who then use the numbers
and expiration dates to buy stuff.2 In the case
of stolen debit cards, the information is used to
withdraw money from peoples’ accounts. That
is the consequential impact: what perpetrators
can do with the information to create value for
themselves once they have it. From my personal
perspective, the net effect was inconvenience,
but at a deeper level, it was a violation of my
financial privacy. I have not seen much in the
public discussion of cyberattacks to indicate an
understanding that privacy violations have been
the focal point of the most widely publicized
attacks.3
GENERALLY ACCEPTED PRIVACY PRINCIPLES
The Generally Accepted Privacy Principles
(GAPP)4 is the definitive statement on data
privacy. It defines privacy as “the rights and
obligations of individuals and organizations
with respect to the collection, use, retention,
disclosure, and destruction of personal
information.” Considering the cybercrimes that
have affected cardholders’ financial privacy,
perhaps GAPP can offer some insight into how
privacy can be protected from cyberattackers.
There are 10 principles.
Principle 1: Management
There must be an enterprisewide policy
regarding privacy that must be communicated
within the organization. Thus, privacy and, by
extension, prevention of the breach of privacy
are explicitly assigned to a designated person,5
such as a chief privacy officer (CPO). I am not
aware of any CPOs who are taking a leading
role in cybersecurity and I would welcome
communications to the contrary. That being the
case, perhaps GAPP might be extended to require
a chief cyber officer, part of whose mandate
would be developing methods to protect data
privacy against cyberthieves.
Principle 2: Notice
Organizations are supposed to notify data
subjects about the purposes for which personal
information is collected, used, retained and
disclosed. No one is going to say, “We collect
your credit card information in order to turn it
over to criminals.” But it would be nice to learn
that my card had potentially been compromised
at the time the merchant or the bank knew
about it. My new credit cards just showed up
in the mail.
Principle 3: Choice and Consent
Of course, I had no choice in the matter of whether my credit
card information would be stolen, but I do have a choice as
to whether or not to shop with merchants who do not protect
me. Evidently, after the announcement of several major data
thefts, customers have voted with their wallets to take their
business elsewhere.6
Principle 4: Collection
My credit card information was used by criminals for purposes
other than that for which it was collected by the merchants. But
were the merchants’ systems designed and used in a manner
cognizant of the risk? Systems containing personal information
should be subject to especially tight security.
Principle 5: Use, Retention and Disposal
My credit card is supposed to be used to buy things. If the
information associated with the card was stolen one card at a
“
time from a point-of-sale
(POS) device, then this
The underlying privacy principle was not
vulnerability of violated. But if it was
information systems is taken wholesale from
unencrypted files, then
not inferior security, but
”
the merchants’ systems
inadequate software. did not retain and dispose
of the information in a
proper fashion. Unfortunately, technical details on how some
of the major retail cybercrimes occurred are sketchy at best.
From press reports, it would seem that both POS terminals and
central servers have been the source of the stolen information.
Principles 6 and 7: Access and Disclosure to Third Parties
My ability to access, review and update information about
myself has nothing to do with cybercrime. Neither does the
disclosure provision. While giving my personal information to
crooks fits under this principle, I doubt that it was what was
meant by the authors.
Principle 8: Security for Privacy
This principle, as applied to cybercrime, is exactly what the
authors had in mind. Prevention of unauthorized access,
either physical or logical, is what current IT practices
evidently fail to do. In light of all the cyberattacks that have
• Read Keeping a Lock on Privacy: How Enterprises Are
Managing Their Privacy Function.
www.isaca.org/
2015-privacy-survey-report
• Learn more about, discuss and collaborate on
cybersecurity and privacy/data protection in the
Knowledge Center.
www.isaca.org/Knowledgecenter
happened, it seems that access control systems are being
used to keep the honest honest. Keeping out well-funded,
dedicated cyberthieves has proven as effective as the Maginot
Line (more on this in a future article).
Principle 9: Quality
The authors of GAPP defined quality as the maintenance
of “accurate, complete and relevant personal information.”
That is not what I mean by the term and it is
not how I would apply this principle to privacy protection in
the age of cyberattacks. As I have written previously, I believe
that the underlying vulnerability of information systems is not
inferior security, but inadequate software.7
Principle 10: Monitoring and Enforcement
One of the most maddening aspects of major thefts of personal
information, according to media reports, is that in many cases
the losses occurred for lengthy periods of time before the
organization under attack even realized it. For just one example,
the US Office of Personnel Management (OPM) notified its
personnel in July 2014 that a breach of personnel records had
occurred in March of that year.8 Then, in June of 2015, OPM
announced that 4 million records were taken, which by July
had been raised to 21.5 million.9 I do not know precisely how
the breach occurred, but I do believe that someone should
have noticed it was going on the moment it happened. The
technology is there for that purpose and evidently it was not
used, because the computer systems were too old.10
ISACA JOURNAL VOLUME 1, 2016 5
 CONCLUSION
There is a lot to be learned by considering certain
cyberattacks as privacy violations. GAPP offers some
guidance, but the principles are not a tight fit with the
cybertheft of personal information. Will organizations apply
those lessons? That remains to be seen.
ENDNOTES
1
Sakoui, Anousha; “Sony Films ‘Fury’ and ‘Annie’ Said
Stolen in Cyberattack,” Bloomberg Business, 29 November
2014, www.bloomberg.com/news/articles/2014-11-30/
sony-films-fury-and-annie-said-stolen-in-cyberattack
2
Hackett, Robert; “Online, a Bazaar Bursting With Stolen
Credit Card Information,” Fortune, 21 September 2014,
http://fortune.com/2014/09/21/home-depot-stolen-card-
information-market/
3
Interestingly, the Preliminary Cybersecurity Framework
issued by the US National Institute of Standards and
Technology contained a section on a “Methodology to
Protect Privacy and Civil Liberties for a Cybersecurity
Program” that was eliminated in the final version issued in
February 2014.
6 ISACA JOURNAL VOLUME 1, 2016
4
 merican Institute of Certified Public Accountants (AICPA)
A
and Canadian Institute of Chartered Accountants (CICA),
Generally Accepted Privacy Principles, August 2009.
ISACA® and the Institute of Internal Auditors were also
contributors to this document.
5
Ibid., p. 13. The document referenced here is the version for
business people, not the one for accounting practitioners.
6
For example, see Target, “Target Provides Update on Data
Breach and Financial Performance,” press release,
http://pressroom.target.com/news/target-provides-update-
on-data-breach-and-financial-performance.
7
Ross, Steven J.; “Microwave Software,” ISACA® Journal,
USA, vol. 1, 2015
8
Email reproduced in the Washington Post, “E-mail to
OPM Staff on Security Breach,” 10 July 2014.
9
Bisson, David; “The OPM Breach: Timeline of a Hack,”
Tripwire, 29 June 2015, www.tripwire.com/state-of-
security/security-data-protection/cyber-security/the-opm-
breach-timeline-of-a-hack/
10
C-SPAN, Testimony by the Office of Personnel Director
Katherine Archuleta, www.c-span.org/video/
?326767-1/opm-director-katherine-archuleta-testimony-
data-security-breach
www.isaca.org/Journal2016-Jv1

Tommie Singleton, CISA,
CGEIT, is the director of
consulting for Carr Riggs
& Ingram, a large regional
public accounting firm.
His duties involve forensic
accounting, business
valuation, IT assurance and
service organization control
engagements. Singleton is
responsible for recruiting,
training, research, support
and quality control for those
services and the staff who
perform them. He is also a
former academic, having
taught at several universities
from 1991-2012. Singleton
has published numerous
articles, coauthored books,
and presented many sessions
on IT auditing and fraud. He
authored the ISACA® Journal’s
IS Audit Basics column from
2005-2014.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
Guest Editorial
Why Everyone Dislikes the
IT Auditor and How to Change It
Well, to be truthful, not everyone dislikes the IT
auditor. But there have been a lot of remarks made
over the years, and some personal observations,
that indicate some dissonance between the IT
auditor and management or users of IT audit
services. Some of them are beyond our ability
to affect a change. But some can be remediated
with an appropriate effort on our part. This
article will address some of the more common
criticisms made about IT auditors and what we, as
professionals, can do to address them.
CRITICISM 1—IT AUDITORS ARE DIFFICULT
TO UNDERSTAND
There are some who rely on or use IT auditors yet
have a difficult time understanding what they are
trying to say when recommendations or reports
come back. Some individuals are not familiar
with IT and will be unable to fully understand
much about the results in technical jargon. Some,
if not many, of those people will simply rely on
the IT auditor with blind faith. IT auditors can
address this issue.
It is important to recognize that our
profession is a highly technical field (with a
limited number of professionals who understand
it well) and we have our own language. To
complicate our language, we use many acronyms.
And to complicate the knowledge base, it is
constantly changing. Combine those factors,
and there is a probability, at some level, that our
communications will be a challenge to many who
use IT auditors.
Therefore, IT auditors should make a
concerted effort to tailor their communication
to the audience. Take time to know where the
audience is in its understanding of IT and in its
ability to understand our language, concepts and
technologies. When the hearers are not literate in
IT and do not understand our words, concepts,
terms and acronyms, we need to become the
interpreters of our own communications for
them. When communicating with management,
take the time to understand their perspective
INDUSTRY LEADERS EXAMINE
THE LATEST BUSINESS ISSUES
and needs and strategically formulate
communications with those needs in mind. If it
is a general user, keep in mind that they are less
likely to understand our information, so convert
it to a more simplified level for the more general
reader. I know of one person who talked to his
eight-year-old daughter while preparing a major
report and kept revising his information until she
understood it. He later claimed that it was his
most successful presentation ever.
We should strive to present our reports and
recommendations in “plain English.” Some
suggestions to consider:
• Do not use acronyms (except within our
own profession).
• Use relatable anecdotes or stories to
demonstrate your point.
• Compare your results or recommendations with
things the audience already understands—such
as current events or stories in the news.
Also, we should take opportunities to improve
our communication craft.1
CRITICISM 2—IT AUDITORS WASTE RESOURCES
(OVER AUDIT)
I have heard this comment several times, usually
from professionals who do not have a positive
relationship with IT. It is said in different ways,
but the point being made by this group appears
to be related to their perception that IT auditors
spend a lot of time providing services, but with a
disproportionate benefit to the firm, user or client
in the end. There are several points we should
keep in mind and, when appropriate, gently
remind others of these circumstances.
First, for public accounting, our technical
literature requires the use of an IT auditor (or
auditor trained in IT assurance) in the financial
audit, except where internal controls are assessed
at the maximum weakness (i.e., controls cannot
be relied upon at all). The truth is that very few
clients have systems where controls cannot be
relied upon at all in financial audits. Certified
public accountants (CPAs) cannot simply
ISACA JOURNAL VOLUME 1, 2016 7
 ignore the technical literature because it makes sense to do
so for some reason (e.g., from a budget or perceived benefit
perspective). It is a requirement.
Second, the risk related to IT in a financial audit is real
and growing. These risk factors have an impact on the risk
of material misstatement (RMM). It may be true that most of
the time IT risk does not materially affect financials, but one
does not know that without going through a diligent process
with integrity and professional care. For example, how many
companies use a spreadsheet to do some part of the financial
reporting process? Does the fact that a spreadsheet is used
in financial reporting cause the associated risk (i.e., RMM)
with the technology and not the accounting transactions or
processes per se? Yes! In addition, IT auditors can add value
to an audit even when the conclusion is that IT risk has a
nominal or limited effect on RMM (e.g., client relations).
Third, one thing the IT assurance profession can do
to diminish this criticism is to be sure to properly scope
engagements related to IT. There is a temptation for IT
assurance professionals to get involved in assessing all of
the “broken” things in the IT space and to lose track of their
proper scope. For instance, in a financial audit, the IT auditor
will be tempted (due to natural tendencies) to identify all of
the things that are “broken” in the IT space and report on all
of them, without considering the RMM for each one. There
is a temptation to spend time evaluating IT that is, in reality,
out of scope and, thus, results in “over auditing” IT. Thus, if
IT auditors are not careful, they can inadvertently create an
atmosphere to justify the criticism of wasting resources. The
truth is that all IT spaces will have several things that are
“broken,” but IT auditors need to filter through them with the
audit objectives of the service being provided and not include
something just because it is “broken.” That being said, broken
things need to be fixed.2
Lastly, IT auditors should be careful to add value to each
audit, either through client relations or internally to the entity.
Referring back to IT things that are broken and need fixing,
those items that are excluded for scope purposes are still
prospective items to be communicated to the client or entity,
even if it is “off the record.” Most of the time, management is
interested in learning about IT deficiencies or security holes,
whether they are in scope or not.
There are a lot of other ways IT auditors can add value to
the service beyond the testing and formal reporting processes.
8 ISACA JOURNAL VOLUME 1, 2016
IT auditors can explain IT risk by using easy-to-understand
illustrations to help make the point. Adding value to the team,
such as using IT to facilitate the team processes or even to
gain efficiencies, is another way.
CRITICISM 3—IT AUDITORS LIVE IN A DIFFERENT WORLD
IT auditors live in the world of IT; it is full of things most
people do not understand and we do use a language that is
foreign to most people. But it does not have to lead to this
criticism. We can speak in “plain English,” relate findings to
our audience and generally make an effort to relate
to those involved in
our services.
That relating can start with considering existing business
risk, goals, strategies, etc., not only in performing our services,
but in communicating with others during and after completion
of those services. IT auditors can also avoid this criticism by
being realistic about IT risk. For instance, a firewall that is
ineffective, broken and needs to be fixed is definitely a security
“
breach waiting to happen.
But that broken firewall
IT auditors should needs to be considered in
always use a realistic light of the scope of the
”
assessment about risk. service. If it is a financial
audit and logical access
controls at the server and
application layers are good, then the firewall becomes irrelevant
in light of the RMM. That is, if someone does break through
the firewall, what are they going to do to financial data? It is
true the intruder can go around the application by accessing
the data, but if that happens, will other controls (manual
or automated) be able to recognize a material misstatement
and make a timely correction? If so, then the broken firewall
is irrelevant to the RMM. However, it is relevant to client
relations, and the IT auditor would want to mention it to
management, probably off the record, so it can be fixed.
Another point using the same scenario is that IT
auditors should always use a realistic assessment about risk.
Specifically, that assessment should include the magnitude of
the risk (should the risk lead to a deleterious fruition) and the
likelihood that the risk will lead to a “bad” event. Sometimes
IT auditors focus solely on the magnitude without a realistic
appraisal of the likelihood. That approach leads to this
criticism of living in a different world. For small businesses
with a low public profile, the likelihood that a hacker will
break through that firewall and do something bad is quite
low. In fact, it may be so low as to be reasonably ignored.
It is true that if someone breaks through the firewall, they
can do something bad, but specifically, what will the hacker
do, and, specifically, how would that be a violation in light
of the service being provided? If the service is internal audit
evaluating security, it is in scope and is an exception that
should be reported and remediated; however, realistically,
there is a low probability of a breach. If the service is
external audit, the firewall risk can be reasonably ignored in
most cases.
the response came without discussing some reasonable
compensating controls that could be employed to remediate
the privacy risk.
IT auditors need to avoid any response or actions that
appear to be those of a control freak. We do not need
to sacrifice our responsibilities in our role as IT audit
professionals, but we also do not need to alienate management
or clients when a different, responsible and reasonable
response or alternative solution is possible.
A basic principle that can be used to avoid this criticism is
to stop and think about cost-effective solutions that take into
consideration magnitude and likelihood instead of seeking

“
Lastly, it is a valuable exercise to practice good social skills absolute perfection
when working with clients and management. Being nice to in solutions. After all,
Stop and think about
people always leads to benefits for both parties. no solution is truly
cost-effective solutions perfect in the IT space.
CRITICISM 4—IT AUDITORS ARE TOO RESTRICTIVE AND PROTECTIVE that take into consideration A suitable response
Sometimes people in our profession are quick to respond to goes back to a principle
magnitude and likelihood
certain requests with a curt remark. When management asks above: Make sure to
instead of seeking absolute

about doing X, IT auditors need to avoid using the phrase
“X cannot be done.” IT auditors need to think through the
request and seek alternative solutions. In some rare cases, X
does not need to be done, but even then, we should seek an
alternative response such as, “I wish we could do X, but here
are some concerns I have….” Then try to work through the
responses to come up with a reasonable, secure, appropriate,
alternative solution.
Another frequent response some IT auditors use is “That
is a security risk,” and then they resist doing anything related
to the request. It may be a security risk, but we need to first
use the magnitude X likelihood approach mentioned above to
determine if it is necessary to seek an alternative solution that
has an acceptable level of (residual) risk, as opposed to just
saying, “No, it is a security risk.”
For instance, in a recent scenario, an IT auditor was told
that management planned to have its customers access their
proprietary data in the entity’s database remotely, whereupon
the IT auditor said, “No way. The customer could potentially
access anyone’s data and that is a privacy issue.” While that
is theoretically true, the response was totally focused on the
magnitude without consideration of likelihood. In addition,
”
understand the needs
perfection in solutions. and purposes users/
management have for
their request before dismissing it unilaterally without due
diligence in seeking reasonable alternatives.
CONCLUSION
Some criticisms that are aimed at IT auditors can sometimes
make us feel like everyone dislikes the IT auditor. Some of
those criticisms cannot be avoided because of attitudes that
are not susceptible to efforts to the contrary. But often we can
mitigate those criticisms, make people appreciate us and even
cause users/management to like the IT auditor.
ENDNOTES
1
Singleton, T.; “IT Audit Basics: Beyond the IT in
IT Audit (Part 2),” ISACA Journal, vol. 4, 2014,
www.isaca.org/archives
2
Singleton, T.; “IT Audit Basics: What Every IT Auditor
Should Know About Scoping an IT Audit,” ISACA Journal,
vol. 4, 2009, www.isaca.org/archives

ISACA JOURNAL VOLUME 1, 2016 9

 Urmilla Persad, CISA, CISM,
CRISC, ITIL V3 Foundation,
has more than 18 years of
experience in the IT field.
Her career started (with
PricewaterhouseCoopers)
in IT administration. From
there, she moved to external
auditing and IT advisory
services. She is now an IT
audit manager with First
Citizens Bank Ltd., Trinidad
and Tobago and has strategic
responsibility for the IT audit
needs of the bank with a
focus on IT systems and IT
initiatives, as well as system-
related development and
implementation activities and
oversight of the execution
of IT audit programs. Persad
has held various roles in the
ISACA Trinidad and Tobago
Chapter over the past six
years and is currently the
chapter’s president.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
10 ISACA JOURNAL VOLUME 1, 2016
Urmilla Persad
Q: How do you think the role of the IS auditor is
changing or has changed? What would be your best
advice for IS auditors as they plan their career path
and look at the future of IS auditing?
A: While the core objectives of the IS auditor
have remained the same and auditors continue to
be assurance providers and advisors within their
organisations, the fast pace of technology, its uptake
and the resulting changing business environments
have driven the changing role of IS auditors.
In response to the changing environment and
the increasing expectations of management and
the board, the IS auditor’s role is evolving into a
more business-like one, where developing more
efficient and effective audit plans aligned with
strategic objectives is imperative. This requires
IT auditors to be professionally qualified,
multiskilled, knowledgeable, and have a high level
of understanding of not just technology elements
and controls, but the business that the controls are
designed to secure.
This all makes for an exciting time for IS auditors
as the opportunity exists to contribute to an
organization’s overall success more than ever
before. My advice for IS auditors as they plan their
career in these new times:
• Get certified—ensure that you have the necessary
foundation knowledge (e.g., Certified Information
Systems Auditor® [CISA®], Certified Internal
Auditor [CIA]).
• Commit to continuous learning, invest in yourself.
Once certified, consider enhancements with
credentials such as those related to COBIT®, ITIL,
CAPM/PMP and Cybersecurity Nexus (CSX).
• Pay attention to nontechnical skills
development—critical thinking, relationship
building, partnering, communication and
openness to diverse viewpoints.
• Understand the business/industry you work
in as this will support your ability to articulate
business insights, better assess existing and new
technology, and provide recommendations that
can add value to the business.
Q: How do you see the role of governance of
enterprise IT (GEIT) changing in the long term?
A: The role of GEIT has changed with the role of
IT within organisations. The days where IT was
merely a support function are long gone as the
pace of technology advancement and its adoption
in enabling strategic initiatives has ingrained IT
in almost every part of the business. The banking
sector is a good example as it is impossible to
think of a bank that runs without IT applications,
supporting routine back-end processes to complex
e-banking interfaces. As IT is increasingly relied on
to enable business strategy, the role of GEIT has to
be increasingly focused on keeping business and
IT initiatives on track by understanding how much
value IT is creating, how its day-to-day operations
are performing, and how IT risk and IT resources
are managed.
As GEIT continues to improve, the involvement
of all the stakeholders within the organisation is
imperative in ensuring that IT strategy is linked
to business strategy and drives balance between
investments and efficient use of IT resources.
Q: What do you see as the biggest risk factors
being addressed by IS audit, risk and governance
professionals? How can businesses protect
themselves?
A: The biggest risk factors being faced by IS audit,
risk and governance professionals are preserving
the business (i.e., systems, data, reputation) amidst
increasing technology change as digital strategies
are rolled out. With the pace of change, it is a
challenge ensuring that the controls environment
(including internal policies and procedures) can be
maintained at an equal pace to mitigate the risk.
Businesses can protect themselves from the risk
associated with technology investment and change
by ensuring that adequate discussions, collaboration
and due diligence in decision making occurs with
the right people (across the business and including
assurance providers) from inception to execution
and implementation.
Q: What has been your biggest workplace or career
challenge and how did you face it?
A: Successful internal auditing today requires
a deep understanding of the business and the
strategic direction of the organisation. That
understanding requires continuous collaboration
and partnering with management and key
stakeholders across the organisation. Maintaining
independence and objectivity has proven
challenging as closer collaboration can easily lead
to the rationalising of risk factors being assessed.
Being self-aware of this has proven useful in
addressing it because it requires strong adherence
to auditing standards; getting input from other
auditing peers and the chief audit executive (CAE)
has also helped in safeguarding from any potential
compromise of independence and/or objectivity.
(Another growing career challenge is balancing a
successful career with successful parenting!)
WHAT DO YOU ANTICIPATE BEING THE BIGGEST
COMPLIANCE CHALLENGE IN 2016? HOW WILL
YOU FACE IT?
Cybersecurity. The increase in connected devices
and how businesses harness the benefits of the
Internet of Things to support their digital business
strategy will only add to the cybersecurity challenge.

WHAT ARE YOUR THREE GOALS FOR 2016 AS YOU

ENTER THE NEW YEAR?
1. Execute an IS audit strategy that meets the
assurance needs of my organization as well as
the career development needs of my team.
2. Work with my peers on the board of our
local ISACA® chapter to find and execute
new and innovative ways to deliver value to
our members.
3. Spend more time with my son, with his
schoolwork and new adventures.

WHAT IS ON YOUR DESK RIGHT NOW?

Laptop, water, art calendar, family photo,
bamboo plant

HOW HAS SOCIAL MEDIA IMPACTED YOU

PROFESSIONALLY?
Social networking—staying connected with peers
and professional groups

WHAT IS YOUR NUMBER ONE PIECE OF ADVICE

FOR OTHER RISK PROFESSIONALS?
Understand the business and collaborate with
stakeholders across the organisation.

WHAT ARE YOUR FAVORITE BENEFITS OF YOUR

ISACA MEMBERSHIP?
1. The knowledge resources (white papers, work
programs, webinars)
2. The networking and professional development
opportunities that come with volunteering

WHAT DO YOU DO WHEN YOU ARE NOT AT WORK?

Read, spend time with my family, watch Netflix.

ISACA JOURNAL VOLUME 1, 2016 11


Ed Gelbstein, Ph.D., worked
in IS/IT in the private and public
sectors in various countries
for more than 50 years.
Gelbstein did analog and digital
development in the 1960s,
incorporated digital computers
in the control systems for
continuous process in the
late ‘60s and early ‘70s, and
managed projects of increasing
size and complexity until the
early 1990s. In the 1990s, he
became an executive at the
preprivatized British Railways
and then the United Nations
global computing and data
communications provider.
Following his (semi) retirement
from the UN, he joined the
audit teams of the UN Board
of Auditors and the French
National Audit Office. Thanks
to his generous spirit and
prolific writing, his column will
continue to be published in the
ISACA® Journal posthumously.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
12 ISACA JOURNAL VOLUME 1, 2016
Trust, but Verify
“Trust, but verify” is a Russian proverb that
became more widely known when then-US
President Ronald Reagan used it in the 1980s.
( ). The
fact that proverbs are passed unchanged through
generations implies that they are seen as the truth.
TO RE-AUDIT OR NOT TO RE-AUDIT
The auditors arrive, do their work, write a report
that includes critical recommendations that could
be seen as an instruction: “...the auditee shall....”
“
Should the audit strategy
and planning call for a review
The audit universe has
(e.g., one year after issuing the
final report) to see if they have become
been implemented and, if so, re-auditing issues are
whether the implementation has bound to conflict with the know it, it is audit time again.
been completed in a way that
significantly reduces business risk?
overall audit
While this makes good sense,
the challenge is that the audit universe has
become so large that re-auditing issues are bound
to conflict with the overall audit plan.
THAT UNWELCOME FEELING
Many auditees mistrust the auditors: Their
findings are the equivalent of calling the auditee’s
baby “ugly.” No parent would ever do this, but
then, there are ugly babies. Therefore, unless a
good working relationship has been established
over the years, the auditor cannot expect a
warm welcome or for the auditees to share their
problems and concerns.
A poor welcome could include finding
that the auditors have been assigned poor
accommodations, possibly in an inconvenient
location, limited support facilities (e.g., printers,
photocopiers, locked doors and cabinets,
shredders), an unhelpful contact point or
discovering on short notice that a critical person
is not available for discussions.
There will be many plausible excuses. It
is never a good time to conduct an audit and
accommodation is an issue almost everywhere. If
the arrangements are really poor, it may be good
to have the chief audit executive (CAE) speak with
a senior manager who can act to resolve the issue
and understand the root cause of the situation.
THINGS AUDITEES MAY “FORGET” TO DISCLOSE
A competent and experienced information
systems (IS) manager would be expected
to anticipate what the auditors may find by
conducting a brutally honest assessment of
the many aspects of IS and IT. Guidelines and
frameworks such as COBIT® 5 can
facilitate this task. In practice, this
does not happen often as other
so large that activities, deemed more urgent,
displace these and before you
”
If the auditee can demonstrate
plan. to the auditor that they care
about the audit process; that
they understand how it is conducted; and then
come up with a list of findings, observations and
corrective actions by themselves, the relationship
would be strengthened and it would make better
use of the auditor’s knowledge and experience.
The downside of keeping information from the
auditors is that they will find out by chance or
by process.
In one example, there was a wiring cabinet in
an office environment for a critical network that
the “owner” had known for years consisted of
spaghetti cabling, equipment on the floor and a
tree of extension leads. This was not mentioned
at the start of the audit, but as the auditors were
passing by, someone opened the cupboard door.
A photograph of the scene was included in the
draft and final audit reports, despite requests for
its removal.
LOOK AND LISTEN
The examples in the previous section show
carelessness and incompetence, but not malice.
Unfortunately there are many more things that
the auditees know that their management does
not. This becomes an explosive issue when it involves the
means to work around sound policies (e.g., need to know,
least privilege, segregation of duties, change management).
Here are some examples collected over many years.
A homemade, old (e.g., COBOL) financial application
was made Y2K-compliant and fully met the needs of the
organization. It was robust, reasonably well documented and
maintained by a small team that had done so since the initial
design. During an audit that did not involve this application,
it was discovered that the lead developer had embedded
undocumented hidden accounts and backdoors, not to be
abused, but to “help” the organization toward bypassing
the usual controls. And, there was no record of who had
what access controls and privileges or if any were kept by
individuals as their careers progressed. Furthermore, weak
change control supported these changes.
The lead designer was due to retire, and once the auditors
became unofficially aware of this, the question arose as to
whether a colleague months or years away from retirement
should hold the “secret” of these unofficial features. The
management view was a clear no, and the system was retired
and replaced by a commercial application with role-based
access controls and more manageable superuser features.
Superuser privileges can be a problem. In another case
at a different organization, the design of an enterprise
resource planning (ERP) system had a project manager who
assigned himself extensive superuser rights. After the project
was completed, nobody thought to verify what rights were
retained by the implementation team.
An even more extraordinary situation happened when
a senior executive at an organization instructed that all
security policies be withdrawn and the organization’s data be
declassified in order to be fully transparent. Neither internal
audit, risk management or legal counsel were consulted and
nobody was willing to say, “The emperor has no clothes.”
SERENDIPITY
Sometimes one has the good fortune of coming across
something interesting without looking for it. Here are some
examples.
• The invisible single point of failure—A law enforcement
unit (in the 1980s) was implementing a new secure network
of leased lines. The service provider designed it to ensure
that different cable routes provided resilience. Surprise! The
two leased lines entered the building through a single point
accessible through a manhole in the street just outside the
main entrance.
• External audit of a large and complex information
systems and technology department—During an audit,
the systems architecture, i.e., how applications exchanged
data with other applications—with or without format
conversion, dynamically, by file transfer—was requested.
Lo and behold, it had not been documented. There was no
comprehensive systems architecture listing, for example,
the name of the system, its custodian, purpose, high-
level functionality and interfaces. Moreover, there was no
“
statement about the system’s
condition (e.g., robust, well
There is much to documented, frozen) and
be gained from an planned activities. This led
to an unplanned question
open, collaborative
about the data architecture,
relationship between
”
as the audit team tried to
auditors and auditees. understand how many
data entities were
duplicated across systems (in incompatible formats, of
course), and this was received with a “not in my job
description” response.
• Hidden or forgotten opportunities—In fact, there is plenty out
there neatly hidden or forgotten, including software licenses
that are paid for, but not used; large, over-optimistic and
underresourced projects; renewals and upgrades postponed
until the service deteriorates, bypassing procurement rules;
critical activities for which there are no backups for the
responsible individuals; and unqualified individuals (e.g.,
interns or trainees) doing things beyond their capabilities.
Some are due to weak management or political posturing
(e.g., “It is my budget and I will do it despite what you say.”);
others are caused by SMRC (saving money regardless of cost),
also referred to as “shareholder value.”
CONCLUSION
There is much to be gained from an open, collaborative
relationship between auditors and auditees in which both
parties focus on understanding and managing business risk.
Rationally, we all know this is the case, but human factors
such as lack of trust and organizational politics often get in
the way.
ISACA JOURNAL VOLUME 1, 2016 13
 Feature

How COBIT 5 Improves the Work Process

Graciela Braga, CGEIT,
COBIT Foundation, CPA,
is vice president of the
Commission for the Study
of Record Systems of the
Capability of Auditors, Assurance Professionals
Buenos Aires Institute of
CPAs in the city of Buenos
and Assessors
Aires, Argentina. She is also
IS and IT auditors, assurance professionals and
a researcher at the Instituto
assessors undertake audits, assurance work or Also available in Spanish
Autónomo de Derecho
Contable (Autonomous
assessments of IT processes (the assignment) Disponible también en español
and, in addition to the final objective, have
Accountancy Law Institute),
common tasks to complete such as planning and
Argentina. She has worked
performing activities and reporting results. Because ISACA’s COBIT® Self-assessment
on audits and internal control
The work entails evaluating processes owned Guide: Using COBIT® 52 and COBIT® Process
reviews for public and private
by others. But, who is looking at the work Assessment Model (PAM): Using COBIT® 53
entities using international
processes of the auditor, assurance professional explain in detail how to perform the assessment,
frameworks such as COBIT®,
or assessor? How capable are the work processes this article does not discuss the performance of
COSO and the ISO 27000
with regard to meeting the assignment objective this task. Instead, it provides an example of how
series. She has participated in
defined by the employer, executive manager, to determine whether a work process is at a
the preparation and review of
board of directors (BoD), client, sponsor or level 1 capability and a reflection on why and
ISACA® products and research
external reviewer? how auditors, assurance professionals and
related to COBIT, privacy and
The COBIT® 5 Assessment Programme assessors have to think about and improve their
big data.
can help. own capability levels.
It incorporates the COBIT® 5 Process
Reference Model and ISO/IEC 15504 as the basis THE MEASUREMENT FRAMEWORK
for the measurement framework and assessment As the COBIT® Self-assessment Guide: Using
process. This means that: COBIT® 5 mentions, the assessment process
• The specifications of the process used in the involves establishing a capability rating for a
assessment are based on COBIT® 5. process, which involves:4
• The capability of each process assessed is • Defined capability levels (from ISO/IEC
expressed in terms of a rating scale from 15504) (figure 1)
Do you have
0 to 5, based on international standards from • Process attributes used to rate each process
something
to say about the International Organization for (from ISO/IEC 15504) (figure 2)
this article? Standardization (ISO).1
Visit the Journal
pages of the ISACA Figure 1—Process Capability Levels
web site (www.isaca. Process Level Capability
org/journal), find the
0 (Incomplete) The process is not implemented or fails to achieve its process purpose. At this level, there is little or no
article and choose evidence of any systematic achievement of the process purpose.
the Comments tab to
share your thoughts. 1 (Performed) The implemented process achieves its process purpose.
2 (Managed) The performed process is now implemented in a managed fashion (planned, monitored and adjusted)
Go directly to the article: and its work products are appropriately established, controlled and maintained.
3 (Established) The managed process is now implemented using a defined process that is capable of achieving its
process outcomes.
4 (Predictable) The established process now operates within defined limits to achieve its process outcomes.
5 (Optimizing) The predictable process is continuously improved to meet relevant current and projected business goals.
Source: ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013

14 ISACA JOURNAL VOLUME 1, 2016

 Figure 2—Process Attributes
Level 5: Optimising
PA 5.1 Process Innovation
PA 5.2 Process Optimisation

6 Process Level 4: Predictable

PA 4.1 Process Measurement
Capability PA 4.2 Process Control
Levels Level 3: Established
PA 3.1 Process Definition
PA 3.2 Process Deployment

Level 2: Managed
PA 2.1 Performance Management
PA 2.2 Work Product Management

Level 1: Performed 9 Process

PA 1.1 Process Performance Attributes
Level 0: Incomplete

Source: ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013

• Indicators on which to base the assessment achievement of
each process attribute (based on and aligned with ISO/IEC
15504):
–C apability level 1—Indicators are specific for each
process and assess whether the following attribute has
been achieved: The implemented process achieves its
process purpose. Level 1 deals with the detailed content
of COBIT 5 processes, so one needs to define his/her
work in COBIT 5 terms.
– Capability levels 2 to 5—Assessment of capability is based
on generic process indicators of performance. These are
called generic because they apply across all processes, but
they are different from one capability level to another.
CAPABILITY LEVEL 1: DEFINING WORK PROCESS SPECIFICATIONS
There are very recognized and useful audit frameworks, such
as ISACA’s ITAF: A Professional Practices Framework for IS
Audit/Assurance5 or the Institute of Internal Auditors’s (IIA)
International Standards for the Professional Practice of Internal
Auditing (Standards),6 but, in general, key aspects are the same.
Following COBIT 5, one must define the process itself,
including purpose, outcomes, base practices and work products.
For example, work may be defined using the words in figure 3.
DEFINING THE RIGHT OR REQUIRED CAPABILITY LEVEL
As part of the assessment, professionals should choose
which level of capability their work requires, depending on
some considerations:7
• Professional environment—The required level can be set by
regulations or standards if the assignment is under revision
of a third party or controller (i.e., Protecting Investors
Through Audit Oversight [PCAOB] or government
agencies), or it shall comply with certain standards (i.e.,
ISACA frameworks).
• Expected goals, benefits and resourcing considerations—
For example, if the professional wants to position his/
her work or fees as “first class” or improve his/her work
process; if the professional staff is very large; or if the
structure is complex with a lot of levels.
PROCESS CAPABILITY INDICATORS LEVELS 2 TO 5
Assessment of capability levels 2 to 5 is based on generic
process indicators of performance.8 There are six capability
levels and nine process attributes (PAs) associated. Each
PA has indicators called “generic practices,” or a means of
achieving the capabilities addressed by them and “work
products” required to support the management of a process.
At level 2, process performance is now implemented in a
managed fashion (planned, monitored and adjusted) and its
work products are appropriately established, controlled and
maintained. At first glance, professionals could think that
these requirements are included in the audit process and they
are met at level 1, but the difference is the documentation
requirement. Perhaps the assignment activities and, of course,
the report are documented at level 1, but the process itself has
to be documented.

ISACA JOURNAL VOLUME 1, 2016 15

 Figure 3—Assignment Process Definition
Process Name Assignment process (audit, engagement, assessment)
Process description Perform specific procedures to provide an appropriate level of assurance about the subject matter in compliance with the
applicable professional practices framework, including professional’s ethics, independence, objectivity and due care, as well
as knowledge, competency and skill.
Process purpose Plan, perform and report on the results of the assignment (audit, engagement, assessment) while meeting applicable
statement professional standards, assuring organizational and professional independence, exercising due professional care, and
possessing an adequate level of skills around and knowledge of the subject matter.
Outcomes (Os)
Number Description
01 Report to communicate the results upon completion of the assignment
Base Practices (BPs)
Number Description
BP1 Assignment Planning
Professionals shall plan the assignment to address objective(s), scope, timeline and deliverables, compliance with applicable
laws and professional standards, assignment-specific issues, and documentation and reporting requirements.
BP2 Assignment Performance and Supervision
Conduct the work in accordance with the plan, obtain sufficient and appropriate evidence to achieve the assignment
objective, and provide supervision and professional education to staff, if required.
BP3 Assignment Reporting
Provide a report to communicate the results upon completion of the assignment and include in the report findings,
assessments, conclusions and recommendations.
Work Products (WPs)
Inputs
Number Description Supports
Outside Process Terms of the assignment defined by the overall IS audit plan, engagement letter or agreement on ALL
the purpose and scope of the assessment
Output
Number Description Supports
WP1 Assignment Project Plan BP1
A document that describes the assignment nature, objectives, timeline and resource requirements,
and timing and extent of procedures to complete the assignment.
WP2 Assignment Program BP2
A step-by-step set of procedures and instructions that should be performed to complete the
assignment and the evidence that supports findings, assessments and conclusions.
WP3 Continuing Professional Education (CPE) Requirements BP2
A set of basic and new knowledge and skills needed to perform current or future works.
WP 4 Assignment Report BP3
A document that communicates the results upon completion of the assignment, including findings,
assessments, conclusions and recommendations.
Based in part on: ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014,
www.isaca.org/research. ISACA, Glossary of Terms, USA, 2015, www.isaca.org/glossary

16 ISACA JOURNAL VOLUME 1, 2016

 At level 2, process documentation has to specify who is
responsible for its design (process owner) and its scope; roles;
Responsible, Accountable, Consulted and Informed (RACI)
chart; and internal control matrix. At level 3, a document
outlining the activities required to achieve the required process
outcomes (“process procedures”) and a process map are
required and, thus, the process documentation is completed.
The same considerations apply to the rest of level 2’s work
product, process plan, quality plan and quality record. At
this level, very important aspects of the assignment report are
established, including content, quality criteria (against which
it will be reviewed and approved), documentation and control,
including identification, traceability and approvals, and
procedures for versioning and change control to be applied.
At level 3, the established process completes level 2 and
adds two work products: policies and standards and process
performance records. At this level, a managed process is
now implemented using a defined process that is capable of
achieving its process outcomes.
Its indicators include the following products:
• A defined standard process, including appropriate tailoring
guidelines, and the sequence and interaction with
other processes
• Required competencies and roles and infrastructure for
performing the defined process
• Suitable methods for monitoring the effectiveness and
suitability of the defined process
At this point, questions arise, including: Which is the
appropriate level to comply with professional standards—
level 3 or level 1? Indicators suggest the answer. It is, at
least, level 3: A defined process is capable of achieving the
process outcomes, including analyze process and product
measurement results, identify and implement corrective
actions, and reestablish control.
At level 4, the established process now operates within
defined limits to achieve its process outcomes by measuring
results and controlling the process.
Of course, level 5, Optimizing Process, is a great objective
and resources and efforts should be assigned to reach it.
• Learn more about, discuss and collaborate on COBIT 5
assessment and COBIT 5 Use It Effectively in the
Knowledge Center.
www.isaca.org/knowledgecenter
CONCLUSIONS
IS and IT auditors, assurance professionals and assessors must
comply with different professional standards and maintain
and improve their own process work at the appropriate
capability level to meet the assignment objective defined by
employers, executive managers, BoDs, clients, sponsors or
external reviewers. This can be achieved by transforming
the auditors’, assurance professionals’ and assessors’ own
processes by applying the COBIT® 5 Assessment Programme.
ENDNOTES
1
ISACA, COBIT® Assessor Guide: Using COBIT® 5, USA,
2013, www.isaca.org/COBIT/Pages/Assessor-Guide.aspx
2
ISACA, COBIT Self-assessment Guide: Using COBIT 5,
USA, 2013, www.isaca.org/COBIT/Pages/Self-Assessment-
Guide.aspx
3
ISACA, COBIT Process Assessment Model (PAM): Using
COBIT 5, USA, 2013, www.isaca.org/COBIT/Pages/
COBIT-5-PAM.aspx
4
Op cit, ISACA, COBIT Self-assessment Guide
5
ISACA, ITAF: A Professional Practices Framework for IS
Audit/Assurance, 3rd Edition, USA, 2014, www.isaca.org/
Knowledge-Center/Research/ResearchDeliverables/Pages/
ITAF-3rd-Edition.aspx
6
The Institute of Internal Auditors, International Standards
for the Professional Practice of Internal Auditing
(Standards), USA, 2012, https://na.theiia.org/standards-
guidance/mandatory-guidance/Pages/Standards.aspx
7
Op cit, COBIT Assessor Guide: Using COBIT 5
8
Op cit, ISACA, COBIT Process Assessment Model (PAM)
ISACA JOURNAL VOLUME 1, 2016 17
 Feature
Robert (Bob) E. Kress is the
managing director of global IT
audit in Accenture’s internal
audit organization, which
supports the US $31 billion
company and its 358,000
employees working in more
than 120 countries. He has
overall responsibility for
identifying, evaluating and
reporting on the full range
of client-facing and internal
technology risk.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal) find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
18 ISACA JOURNAL VOLUME 1, 2016
Transforming the IT Audit Function—
Taking the Digital Journey
Today’s digital revolution is disrupting every
corner of the business world and every function
across the business enterprise, including IT
audit. Where does IT audit need to go when the
mantra is “better, faster, cheaper?” The relentless
transformational impact of IT is redefining the IT
audit function itself, forcing auditors to question
long-established practices, rethink fundamental
processes and recalibrate their function for the
digital era.
DEFINING THE DIGITAL DESTINATION
As with so many enterprises, particularly well-
established global players, digital disruption was
the major challenge facing Accenture two years
ago. At that time, work was largely siloed by risk
category and retrospective. Digital disruption
was sweeping aside established companies and
reshaping markets and industries, and these
pressures were felt acutely. So the organization
pondered what implications all this digital
change held for IT audit. The internal audit
(IA) function knew that it needed to be better
integrated across the entire risk spectrum, so
that a holistic approach could be taken. With
markets, the business environment, competition
and client needs changing so rapidly, there was
also a sense that purely retrospective audits
would be increasingly inadequate going forward.
Lastly, while the digital revolution was driving
much of this change, it was also understood
that digital technologies provided the tools
needed to respond and adapt to the disruptive
forces buffeting the organization, assuming the
knowledge of how to use them effectively.
So the team began by reexamining the
fundamental mission and strategy, asking:
What is the digital destination, and what kind
of capabilities are needed to audit the IT of
tomorrow? For Accenture, a global giant in
technology services with more than 358,000
professionals, this question went to the very core
of the business. But the same issues of mission,
strategy and long-term goals are relevant
Also available in Spanish
Disponible también en español
for every IT audit group embarking on this
transformational journey. While IT will have
different capabilities and maturities from one
company to the next, envisioning the future
state of an organization’s IT operation is the
first and surest prerequisite for setting off on a
transformational journey with the confidence
of knowing that successfully arriving at that
destination can be achieved.
Accenture knew that IT audit had to support
the high-performance business strategy by
identifying, evaluating and reporting the fullest
possible range of client-facing and internal risk
factors in the digital age. Accenture’s audit team
also aimed to be a value-add partner to the
business by providing objective and relevant IT
assurance and contributing to the effectiveness
and efficiency of governance, risk management
and control processes.
Less obvious were two strategic conclusions
to which the group came. Given the speed with
which business changes today, the IT audit
team felt that it would be necessary to shed the
traditional stance of IT audit as an “outsider”
coming in to measure after the fact. Rather,
continuous alignment with the business and its
evolving strategy would be essential to measure
whether IT audit was advancing the company’s
business strategy. Similarly, the audit team
believed that it could be more effective if it shed
IT audit’s historic cost-center mentality in favor
of running IT audit “like a business,” which
meant using a managed services approach and
treating the organizations it served as customers.
LEVERAGING DIGITAL TECHNOLOGY
The audit team’s strategy depended on value,
flexibility and efficiency—qualities not always
associated with audit functions in the past—and
it sensed that leveraging new and powerful technologies
would be essential for executing that strategy effectively.
Accenture’s audit team set about evaluating, selecting and
integrating new technologies that were aligned with the
strategy and would allow a step-function improvement in
the capability.
The group began by looking at how to enhance audit
management through the use of end-to-end audit life cycle
management tools. There are several powerful platforms
available in the marketplace. The team systematically assessed
the capabilities and costs of each before selecting the solution
that best matched Accenture’s requirements. Implementing a
robust governance, risk and compliance (GRC) capability is
critical for IA. GRC would provide the platform to automate
the audit work and improve productivity, ensure consistency
across global teams, enhance risk coverage and assessment,
“
and improve the ability to
manage the audit process.
Collaboration and The group then sought
communication tools to leverage analytics to
had become immense support continuous audit,
continuous monitoring
force multipliers capable
and value identification.
of increasing the Once again, the digital
productivity of a relatively revolution has made
”
sophisticated analytics
small audit staff.
software available for
this purpose. Analytics
software enables auditors to increase risk coverage across
an entire universe of data (versus using sampling) and focus
on outliers in higher-risk areas. Analytics also allow auditors
to identify trends and predict areas of higher risk, while
creating a clear line of sight on cost-saving opportunities for
the business.
The third item on the digital shopping list was a tool for
enabling a continuous risk assessment approach. Previously, the
group had focused on an annual risk assessment, but the pace
of change in the business and the associated risk is accelerating,
rendering strictly annual assessments potentially anachronistic.
By moving to a continuous risk assessment approach, the audit
group was able to stay current with the business, anticipate
risk and proactively offer services to help manage risk, and
implement appropriate controls before issues occur.
The challenge was in deciding how to automate and
manage a risk assessment effort that interviews more than
400 top leaders to identify risk themes and then sharing this
information across a global IA group. The team decided to take
an innovative approach and leverage customer relationship
management (CRM) technology to manage the interview
process, capturing risk notes and themes and making this
information available on a real-time basis to the global team.
The audit group knew, from innovations in other parts
of Accenture, that collaboration and communication tools
had become immense force multipliers capable of increasing
the productivity of a relatively small audit staff. So the
group set out to leverage these new technologies, using
videoconferencing to eliminate travel wherever possible
and using internal social media channels to accelerate IT
audit collaboration throughout the enterprise. Leveraging
collaboration technology enhanced the auditors’ ability to
share knowledge across global teams, improved their ability to
work virtually, and strengthened the relationships between the
enterprise’s people, teams and customers.
RESULTS
What results was the team able to achieve with these moves?
In Accenture’s case, the team increased the number of IT
audits provided by more than 250 percent (from 16 to 45
annually) between 2012 and 2015 (see figure 1).
Accenture’s digitization of IT audit has helped it manage
risk better, faster and more cost effectively. By moving into the
digital realm, Accenture has been able to increase productivity,
add new services and be far more proactive in monitoring the
changing risk profiles of the enterprise’s rapidly growing global
businesses. Leadership can now reach out to the audit team
to assess risk before making strategic decisions, rather than
calculating costs afterward. The group’s experience can be
instructive for every IT audit leader who is evaluating how and
where digital technologies fit into their scope of work.
The success of the team’s transformation also established
a model for the broader evolution of the entire IA function at
Accenture (figure 2). Having brought the IT audit team into
the digital era, the group followed the same road map for the
rest of IA.
ISACA JOURNAL VOLUME 1, 2016 19
 Figure 1—IT and Internal Audit Transformation, Before and After

2012 Today
Back office Coverage Focus Client delivery and back office

Once/year, based on Continuous; risk framework by

experience, unstructured Risk Assessment organization/function/ COBIT

Baseline Audits Completed 250+%

50 Internal Auditors 80

6 IT Auditors 17

18% Auditors in 35%

low-cost locations
Financial, operational, IT audits PLUS; integrated, horizontal, continuous
Services Offered audits; advisory services; analytics
NA Advisory Services 20+
16 IT Audits 45
NA Integrated Audits >20
Limited audit automation; Global, web-based eGRC; enterprisewide
desktop analytics Technology server analytics; web portal; CRM;
collaboration suite
Source: Robert Kress. Reprinted with permission

Figure 2—Accenture’s IT Audit Journey

Phase 1 Phase 2 Phase 3 Phase 4

Value
• Advisory services
• Continuous risk
Effectiveness discussions
• Analytics and
• Extend focus to all of continuous monitoring
internal audit. • CRM to support
Foundation • Service offerings— risk assessment
integrated audits,
• Establish internal audit strategy continuous auditing.
and governance • Technology upgrade.
Assessment • Align with the business. • People programs.
• Implement comprehensive risk model. • Metrics and reporting.
• Stakeholder • Run internal audit like a business.
input
• Benchmarking • Upgrade skills.
• Focus on • Ensure low-cost locations.
IT audit • Focus on coverage.

Source: Robert Kress. Reprinted with permission

20 ISACA JOURNAL VOLUME 1, 2016

LESSONS LEARNED
It is important to note that while digital technology enabled
many of the performance improvements that were realized
at Accenture, these tools alone do not get the job done.
Just as critical are the changes in mind-set that were made
throughout the process
Here are the most important lessons learned during
Accenture’s IT audit transformation:
• Align IT audit strategy with business strategy—In today’s
business environment, corporate strategies can change
frequently in response to market pressures, competitive
challenges or emerging technologies. IT capabilities and the
IT audit function need to be just as nimble in adjusting to
the changing needs of the business and new technologies.
• Clarify governance—It is critical to have senior business
leadership input on new and changing risk factors resulting
from changes in business strategy, IT audit’s assessment
of risk, and high-level IA plans. This demands a more
robust governance regimen in which input is solicited
from business leads on a near-continuous basis, rather
than once a year.
• Run IT audit like a business—Operate the IT audit
function like a business, and treat the people and
organizations served as true customers. Provide these
customers with a set of defined service offerings in a
‘managed service’ approach, so they can request the services
they want based on the changing needs of the business.
Focus relentlessly on value-add to the business, and measure
customer satisfaction.
• Manage performance metrics—Measure critical success
factors, benchmark progress, and use the overall metrics
to drive change. The role of IT audit leadership is critical
here, intervening where necessary to rectify deficiencies and
capitalize on achievements.
• Transform people—An integral part of transforming
the function may involve transforming the people and
the internal culture in which they are working. An audit
function that historically has been retrospective needs to
undergo a radical shift when moving to a proactive stance.
Strong leadership is required to drive culture and process
change, so be sure to have the right people in senior
management positions. Work to instill new ways of thinking
and working throughout the function.
• Learn more about, discuss and collaborate on audit
tools and techniques in the Knowledge Center.
www.isaca.org/
topic-audit-tools-and-techniques
• Go big—Make bold decisions to drive step-function
increases in the enterprise’s capabilities, and apply rigor and
discipline in executing the changes. Be just as tough on the
internal business processes of IT audit as on the business
areas tasked with auditing.
• Communicate success—This, along with benchmarking,
is helpful to demonstrate the value IT audit adds and the
progress being made to senior leadership as well as the
IA team. Do not be embarrassed to speak highly of the IT
audit function when meaningful and measurable progress
are achieved.
How applicable are these lessons to IT audit teams at
other organizations? After all, one could argue that the
circumstances at Accenture were not representative, since
internal audit is part of a company that lives and breathes IT
every minute of every business day.
CONCLUSION
Looking back over the digital journey at Accenture, it is
likely that, if anything, this transformation stands as a hyper-
example of what IT audit transformation can achieve for all
IA organizations. Stakeholders are viewed as true customers,
and the IT audit role is focused on providing a variety of
valuable services to meet the needs of the audit committee
and the company. These transformation results demonstrate
the potential prize that every IT audit team committed to
digital transformation can pursue and win.
ISACA JOURNAL VOLUME 1, 2016 21
 Feature
Martin Coe, DBA, CISA,
CISM, CPA, is an accounting
professor at Western Illinois
University (USA). His research
has been published in
professional and academic
journals and he is regarded
as an expert in the fields
of accounting, accounting
information systems and
information systems auditing.
He is also the president of
Vistabon, an IT auditing firm.
Coe has managed information
technology vulnerability
assessments since 1998.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
22 ISACA JOURNAL VOLUME 1, 2016
Auditing Cybersecurity
Information security risk has dramatically
evolved; however, security strategies that are
typically compliance-based and perimeter-oriented
have not kept pace. Consequently, sophisticated
intruders can bypass perimeter defenses to
perpetrate attacks that are highly targeted and
difficult to detect. This article discusses an
approach to assess the adequacy of a firm’s
cybersecurity posture.
The results of the Global State of
Information Security Survey published by
PricewaterhouseCoopers (PwC) in September
of 2013 show that while information security
risk factors have dramatically evolved, security
strategies that are typically compliance-based
and perimeter-oriented have not kept pace.1
Consequently, sophisticated intruders can bypass
perimeter defenses to perpetrate dynamic attacks
that are highly targeted and difficult to detect.
The results of the PwC survey suggest that today’s
elevated risk landscape demands a new approach
to security—one that is driven by knowledge of
threats, assets and adversaries.
Given the need for a strong cybersecurity
posture, there have been various efforts to create
cybersecurity standards. One such standard is ISO
27001, Information security management systems,2
which provides a set of specifications against which
an organization can have its information security
management system independently certified.
ISO 27001 is tied to ISO 27002, Information
technology—Security techniques—Code of practice
for information security controls,3 which contains
39 control objectives for protecting information
assets from threats to their confidentiality, integrity
and availability. Each of the 39 objectives is then
broken down into many specific controls. The
standard does not require any specific controls to
be implemented, but rather leaves it to the user to
select those controls appropriate for their specific
requirements.
Another standard is the US National Institute
of Standards and Technology’s (NIST) Special
Publication (SP) 800-53, Recommended Security
Controls for Federal Information Systems and
Organizations.4 NIST SP 800-53 identifies
198 security practices that are divided into 18
families and three classes. Each of these security
practices has been mapped to ISO 27001.
SP 800-53 defines three security baselines that
provide a starting point for determining the
security controls that should be implemented for
low-impact, moderate-impact and high-impact IT
systems. These baselines could serve as the basis
for a risk-based security standard for various
categories and subcategories of assets.
In February 2013, recognizing that the
national and economic security of the US
depends on the reliable functioning of critical
infrastructure, US President Barack Obama
issued Executive Order 13636, Improving
Critical Infrastructure Cybersecurity.5 The
order directed NIST to work with stakeholders
to develop a voluntary framework (based on
existing standards, guidelines and practices) for
reducing cyberrisk to critical infrastructure. NIST
released the first version of the Framework for
Improving Critical Infrastructure Cybersecurity
on 12 February 2014.6 The framework, created
through collaboration between industry and
government, consists of standards, guidelines
and practices to promote the protection of
critical infrastructure. The prioritized, flexible,
repeatable and cost-effective approach of the
framework was designed to help owners and
operators of critical infrastructure to manage
cybersecurity-related risk.
While the certified public accountant’s (CPA’s)
external audit responsibilities do include the
responsibility to assess security as part of certain
engagements, such as audits of controls at service
organizations, the CPA’s financial statement audits
do not usually include the responsibility to assess
cybersecurity. However, the internal IT audit
function frequently does include the responsibility
to assess cybersecurity. Indeed, assessing security
is a key component of the Certified Information
Systems Auditor® (CISA®) job practice analysis,
which reflects the responsibilities of IT auditors.7
Regarding cybersecurity assessment approaches,
IT audit standards include a procedure related to cybersecurity
assessment. ISACA’s IS Auditing Procedure P8 Security
Assessment—Penetration Testing and Vulnerability Analysis,
(P8)8 provides scope and procedure guidance related to
cybersecurity assessments.
CYBERVULNERABILITY ASSESSMENT APPROACH
Managing many cybervulnerability projects has revealed
valuable insights into approaches used to assess a firm’s
cybersecurity posture. Utilizing ISACA’s IS Auditing P8
offers an approach that focuses on attack vectors and has
assessment phases for the relevant attack vectors (i.e., the
Internet and the internal network).
The assessment phases are typically conducted utilizing
the Tenable Network Security Nessus vulnerability scanning
tool (Nessus)9 combined with other assessment procedures.
Nessus utilizes the Common Vulnerability Scoring System
(CVSS) to facilitate risk assessment. A risk assessment requires
a qualitative analysis of vulnerabilities within a network. The
Forum of Incident Response and Security Teams (FIRST)10
created CVSS to normalize the methodology of analyzing risk.
CVSS provides an open framework for communicating the
characteristics and impacts of IT vulnerabilities. CVSS consists
of three metric groups: base, temporal and environmental.11
The base metric represents the intrinsic qualities of a
vulnerability. The temporal metric reflects the characteristics of
a vulnerability that change over time. The environmental metric
represents the characteristics of a vulnerability that are unique
to any user’s environment. When the base metrics are assigned
values by an analyst, the base equation computes a score ranging
from 0.0 to 10.0 as illustrated in figure 1.
The Nessus reports use the base metric group to aid in the
performance of qualitative risk analysis.12 Vulnerabilities with
a CVSS base score in the 7.0-10.0 range are critical, those in
the 4.0-6.9 range are major, and those in the 0.0-3.9 range are
minor. The CVSS scores correspond to the Tenable severity
levels, which are:
• 10.0 = Critical
• 7.0-9.9 = High
• 4.0-6.9 = Medium
• 0.0-3.9 = Low
At each severity level, the number of vulnerabilities is
displayed along with the percentages of those vulnerabilities
in each CVSS score grouping.
The assessment team uses the Nessus results to identify
hosts that warrant interrogation. In general, the team focuses
on hosts that have vulnerabilities rated as medium, high
or critical. The team then performs procedures to confirm
the validity of the findings and rule out false positives. The
team uses a variety of tools to assist in the interrogation of
vulnerabilities. Another term for this aspect of the assessment
is exploitation.
Often the goal of exploitation is to gain control over a
system. More specifically, an exploit is a way to leverage a

Figure 1—CVSS Metrics and Equations

10

0
+
CVSS Vector
Score String

Exploit (AV, AC, PR, UI) Temp (E, RL, RC) Env (CR, IR, AR,…)
Impact (C, I, A), S

Base Metrics Temporal Environmental

Metrics Metrics
Optional

Source: FIRST.Org, Inc., https://www.first.org/cvss/specification-document#i1.1. Reprinted with permission.

ISACA JOURNAL VOLUME 1, 2016 23

 security flaw or circumvent security controls. The process
can take many forms; however, the goal is usually to gain
administrative access to a computer or device. The wide range
of activities, tools and options related to exploitation make
this step more of an art than a science. Indeed, exploitation
is one of the most ambiguous phases of the cybersecurity
assessment process. The reason for this is simple; each
system is different and each target is unique. Depending on a
multitude of factors, the attack vectors will vary from target to
target, so skilled attackers have to understand the nuances of
each system they are attempting to exploit.13
While the assessment approach discussed here is an effective
way to assess cybersecurity, there are several propositions to
improve the cybervulnerability assessment process.
SKILLS AND TOOLS
The assessment team needs to include skilled attackers who
understand the nuances of each system they are attempting
energy on areas of greatest risk. Such an approach is
consistent with the NIST framework.
• Proposition 2a—Cybersecurity assessments should be
risk-based.
• Proposition 2b—Cybersecurity assessments should require
a step to ensure that false positives are eliminated.
PATCH MANAGEMENT
IT change and patch management can be defined as the set of
processes executed within the organization’s IT department
designed to manage the enhancements, updates, incremental
fixes and patches to production systems, which include
application code revisions, system upgrades and infrastructure
changes.14 Patch management tasks include:
• Maintaining current knowledge of available patches
• Deciding what patches are appropriate for particular systems
• Ensuring that patches are installed properly
• Testing systems after installation

“
Exploitation is one of the
most ambiguous phases
of the cybersecurity
assessment process. The
reason for this is simple;
each system is different
to exploit. For example,
assessors should have
a current and thorough
understanding of security
related to operating
systems, firewalls, routers
and other network
devices. The team should
also utilize a mix of
• Documenting all associated procedures, such as specific
configurations required
Patches often are designed to fix security vulnerabilities.
Indeed, many of the recommendations to address
vulnerabilities identified in a cybersecurity assessment include
the installation of a specific patch. Accordingly, implementing
patch management practices such as a tactical, integrated and
automated approach to handling vulnerabilities can boost a
company’s cybersecurity posture. Likewise, successful patch

”
tools to perform the
and each target is unique.
assessment. For example,
assessors should utilize
a variety of programs to discover potential vulnerabilities and
determine if the vulnerability can be exploited.
• Proposition 1a—Cybersecurity assessments should require
a step to ensure that assessors understand the nuances of
each system they are attempting to exploit.
• Proposition 1b—Cybersecurity assessments should require
a step to ensure that assessors have a variety of tools at
their disposal.
RISK FOCUS
It is important to eliminate false positives. Given the large
number of vulnerabilities identified by Nessus, the task to
eliminate false positives can be significant. The assessment
team should utilize a risk-based approach to focus audit
management policies can also help with security audits and
compliance audits. For example, continuous auditing routines
could be developed to ensure that patches are applied on a
timely basis.
In response to increased cyberattacks, there is a need
for models to focus limited administrator attention and
build cases for additional resources. One proposed method
is based on Markov-decision processes for the generation
and graphical evaluation of relevant maintenance policies
for cases with limited data availability.15 Since cybersecurity
assessments provide security information by host, steps
should be taken to categorize hosts (i.e., ordinary host
with no sensitive data, critical host with sensitive data) to
ensure that maintenance policies are directed toward the most
critical hosts.
• Proposition 3a—Cybersecurity assessments should include
an assessment of patch management policies.

24 ISACA JOURNAL VOLUME 1, 2016

• Proposition 3b—Cybersecurity assessments should leverage
continuous auditing procedures to ensure that patches are
applied on a timely basis.
• Proposition 3c—Cybersecurity assessments should categorize
hosts to ensure that maintenance recommendations can be
directed toward the most critical hosts.
ATTACK VECTORS AND DEFENSE-IN-DEPTH
Given that adversaries can attack a target from multiple
points using either insiders or outsiders, an organization
needs to deploy protection mechanisms at multiple locations
to resist all classes of attacks. Defense-in-depth is a practical
strategy for achieving information assurance in today’s highly
networked environments.16 Accordingly, some information
security postures utilize a defense-in-depth model. Such a
model refers to the way hardware and software is configured
to provide different levels of security. A defense-in-depth
model recognizes that not all resources require the same level
of security. In addition, this model can mitigate exposures that
might otherwise exist. For example, if a server is vulnerable
to an exploit because it is not able to be updated, a defense-
in-depth layer can be added to mitigate the exposure.
Accordingly, cybersecurity assessments should include a
review of defense-in-depth security layers. Likewise, since a
company may accept a risk related to one attack vector by
relying on defense-in-depth, the assessment should include
various exploitation paths to test defense-in-depth.
• Proposition 4—Cybersecurity assessments should include a
review of defense-in-depth security layers.
• Proposition 4b—Cybersecurity assessments should include
various exploitation paths to test defense-in-depth.
STANDARDS
Given the fact that a cybersecurity assessment should test an
actual state against a desired state, it is necessary to
have a standard against which to audit. At this point in time,
NIST SP 800-53, Recommended Security Controls for
Federal Information Systems and Organizations,17 which has
been mapped to ISO 27001, is a logical standard to utilize.
In addition, specific regulatory security standards that must
be met for categories of assets or specific assets (e.g., ports/
services and default account requirements related to critical
infrastructure protection assets) should be utilized.
• Proposition 5a—Cybersecurity assessments should utilize
standards such as NIST SP 800-53.
• Proposition 5b—Cybersecurity assessments should utilize
specific regulatory security standards that must be met for
applicable categories of assets or specific assets.
CONCLUSION
Cybersecurity assessments should be conducted in phases
and focus on attack vectors, as indicated in IS Auditing P8.
In addition, cybersecurity assessments should include steps to
ensure that the assessment team has adequate skills and tools
to perform the assessment. The assessment should focus on the
greatest risk and include steps to reduce false positives. Given
the importance of patch management, assessments should
include steps to assess the adequacy of patch management.
Since attacks can come from multiple points, assessments
should include a review of defense-in-depth security layers.
Since cybersecurity assessments should test an actual state
against a desired state, assessments should utilize standards.
ENDNOTES
1 PricewaterhouseCoopers, The Global State of
Information Security Survey 2013, USA,
www.pwc.ru/en/riskassurance/publications/information-
security-survey.html
2 International Organization for Standardization,
ISO/IEC 27001, Information security management,
www.iso.org/iso/home/standards/management-standards/
iso27001.htm
3 International Organization for Standardization,
ISO 27002, Information technology—Security
techniques—Code of practice for information security
controls, www.iso.org/iso/home/store/catalogue_tc/
catalogue_detail.htm?csnumber=54533
4 National Institute of Standards and Technology, Security
and Privacy Controls for Federal Information Systems
and Organizations, SP 800-53, Revision 4, USA,
30 April 2013, http://csrc.nist.gov/publications/PubsSPs.
html#800-53
5 National Archives and Records Administration, Executive
Order 13636, Improving Critical Infrastructure
Cybersecurity, USA, 19 February 2013, www.gpo.gov/
fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
6 National Institute for Standards and Technology,
Framework for Improving Critical Infrastructure
Cybersecurity, USA, 2014, www.nist.gov/
cyberframework/
ISACA JOURNAL VOLUME 1, 2016 25
 7 ISACA®, Certified Information Systems Auditor Job
Practice, USA, June 2011, www.isaca.org/Certification/
CISA-Certified-Information-Systems-Auditor/Job-Practice-
Areas/Pages/CISA-Job-Practice-Areas.aspx
8 ISACA, IS Auditing Procedure P8, Security Assessment-
Penetration Testing and Vulnerability Analysis, IS
Standards, Guidelines and Procedures for Auditing and
Control Professionals, USA,15 March 2008
9 Tenable Network Security, Nessus, www.tenable.com/
products/nessus-vulnerability-scanner
10 Forum of Incident Response and Security Teams,
www.first.org/
Mell, P.; K. Scarfone; “A Complete Guide to the Common
11
12 Dumont, Cody; “Understanding Risk,” Tenable Network
Security, 14 October 2014, www.tenable.com/
sc-dashboards/understanding-risk
13 Engebretson, Patrick; The Basics of Hacking and
Penetration Testing: Ethical Hacking and Penetration
Testing Made Easy, Elsevier, USA, 2013
14 Institute of Internal Auditors, Global Technology Audit
Guide Change and Patch Management Controls: Critical
for Organizational Success, 2012
15 Afful-Dadzie, A.; T. Allen; “Data-driven Cyber-
vulnerability Maintenance Policies,” Journal of Quality
Technology, vol. 46, no. 3, 2014, p. 234-250
National Security Agency, “Defense in Depth,” USA,
16

Vulnerability Scoring System Version 2.0,” First.org, www.nsa.gov/ia/_files/support/defenseindepth.pdf

June 2007, www.first.org/cvss/cvss-v2-guide.pdf 17 Op cit, National Institute for Standards and Technology 2013

Pinpoint your next job opportunity

with ISACA’s CareerLaser
ISACA’s CareerLaser newsletter offers monthly updates on the latest jobs, top-of-mind industry news,
events and employment trends to help you navigate a successful career in the information systems industry.
Let CareerLaser become your top resource for quality jobs matched specifically to your talents in audit,
assurance, security, cyber security, governance, risk management and more.

Subscribe today by visiting www.isaca.org/careerlaser

Visit the ISACA Career Centre at www.isaca.org/careercentre to

find additional career tools, including access to top job candidates.

26 ISACA JOURNAL VOLUME 1, 2016


Karina Korpela, CISA,
CISM, CISSP, PMP, is the IT
audit manager at AltaLink, a
Berkshire Hathaway Energy
Company and Alberta’s
largest transmission provider.
She has more than 13 years
of experience with IT risk and
controls, performing data
analytics and developing
continuous controls
monitoring applications for
many different business
processes. She began her
career at Coopers & Lybrand
as a system administrator
and she was later invited
to join its Computer Audit
Assistance Group (CAAG)
as an IT auditor. Korpela
later became a manager in
PricewaterhouseCooper’s
Global Risk Management
Solution practice. She
can be reached at
karina.korpela@altalink.ca.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
The Art of Data Visualization
A Gift or a Skill?, Part 1
The ability to create eye-catching visuals is not
an inherited skill. The skills required for most
effectively displaying information are not intuitive
and rely largely on principles that can be learned.
There are, indeed, some visualization techniques
that are best left to designers, but there are
others, e.g., audit findings, key performance
indicators (KPIs) and cybermonitoring indicators,
that do not need the designer’s touch.
Scientific evidence supports the importance of
data visualization. As Neil DeGrasse Tyson once
said, “The good thing about science is that it’s
true whether or not you believe in it.” And there
is as much science behind data visualization as
there is behind analytics.
The brain receives 8.96 megabits of data
from the eye every second. The average person
comprehends 120 words per minute when
reading, which is equivalent to 81.6 bits of data
per second.1
Humans are not wired to read quickly; they
are wired to visualize quickly. Brains perform
more efficiently and more information is retained
when the learning comes from visuals.
A well-designed dashboard allows the viewer
to analyze massive data sets at a glance. Learning
how to represent data in a way that immediately
tells a story, sparks an insight or provokes
discussion is as important as being able to run
data analytics.
Data visualization is comprised of a set of
tools and techniques to create graphs (also called
charts or diagrams) that, when used the right
way, are extremely powerful. It is not about
flashy 3-dimensional rainbow graphs. Data
visualization is about being simple and
representing data effectively.
Before considering design principles, there are
important layers to be covered in preparation for
the design layer.
KNOW THE DATA
What data types are in the data set? Are the
variables mostly categorical, e.g., regions and
Feature
departments? Do the data have geospatial
variables, such as country, city, address or
postal codes? What about dates? What are the
quantitative variables? Is the categorical data
nominal, ordinal, hierarchical or interval (≥70
points, <70 and ≥50 points, and <50) in nature?
Understating the data types can aid in
selecting the best graph to visualize the data.
After identifying the data types, it is necessary
to understand the relationships among all
variables, because one variable by itself is not
very interesting. The first question to ask about a
number is “Compared to what?”2
Relationships are data’s way to tell their
story. It is important to identify whether one or
more of these relationships exist in the data set:
nominal comparison, time-series, correlation,
ranking, deviation, distribution, part-to-whole
relationships and geospatial.
KNOW THE MESSAGE
What is being conveyed? Is the purpose to find
the story the data are telling or simply to provide
an explanation of a known issue?
Visualization for exploring is useful when
what the data have to tell is unknown and it is
still necessary to get a sense of the relationships
and patterns contained within it for the first time.
It allows for imprecision.
Certain graphs are better at enabling
exploration, while others, such as pie charts,
provide only a simple explanation. Interactive
dashboards allow internal auditors to find their
own stories in the data. Some graphs are more
forgiving, allowing for the use of many categories
and colors since users will be able to apply filters.
Visualization for explaining is best when it
is cleanest.3 Here, the ability to pare down the
information to its simplest form—to strip away
the noise entirely—will increase the efficiency
with which a decision maker can understand it.
This is the approach to take once it is understood
what the data are saying and when that message
is ready to be communicated to the audience.
ISACA JOURNAL VOLUME 1, 2016 27
 KNOW THE AUDIENCE of times, people don’t know what they want until you show it
Knowing the audience goes a long way toward making a to them.”
connection and maximizing the chances that management will And finally, color blindness and cultural differences must
understand and retain the information being conveyed. What be taken into consideration as well. Both need to be factored
experience, skill and understanding of the subject will the in when selecting a color palette for graphs.
audience members have? What is their ability to focus? How
interested are they? KNOW THE OPTIONS
Organize, group or prioritize the information in order to This is one of the most interesting parts of data visualization—
emphasize what should be conveyed to the audience, and do choosing the correct graph for the data type and relationships
not bury the key messages in a mass of detail and graphs. in the data set. This is when the relationships identified earlier
Most audiences are used to plain bar, line and pie charts. come to life.
Bar charts can be useful to convey information, but it may When putting together a graph, one of four things with the
help to provide the audience with some initial attention- data should be shown: a relationship between/among data
grabbing visuals to “wow” them and, as a result, draw their points, a comparison of data points, a composition of data, a
attention to the story that follows. Consider compelling distribution of data or the geospatial location of data points.4
visuals to include everything that calls the reader’s attention To help determine which graph to use, see figure 1, created
without sacrificing or obfuscating the message. Do not be by Andrew Abela, author of the book Advanced Presentations
afraid of trying different chart types. As Steve Jobs said, “A lot by Design.5

Figure 1—Chart Suggestions

Variable Width Table or Table With Bar Chart Column Chart Circular Area Chart Line Chart Column Chart Line Chart
Column Chart Embedded Charts

Many Items Few Items Cyclical Data Noncyclical Data Single or Few Categories Many Categories
Two Variables Many
per Item Categories
Few Categories Many Periods Few Periods

One Variable per Item

Over Time
Among Items
Column Histogram
Few
Single Data
Comparison Variable Points

Scatter Chart Two

Variables

What would you Line Histogram

Relationship like to show? Distribution Many
Data
Points

Bubble Chart

Three
Composition Scatter Chart
Variables
Two
Variables

Changing Static
Over Time
3D Area Chart

Three
Few Periods Many Periods Variables

Only Relative Relative and Absolute Only Relative Relative and Absolute Simple Share Accumulation or Components
Differences Matter Differences Matter Differences Matter Differences Matter of Total Subtraction to Total of Components
Stacked 100% Stacked Stacked 100% Stacked Area Chart Pie Chart Watterfall Chart Stacked 100% Column
Column Chart Column Chart Area Chart Chart With
Subcomponents

Source: Andrew Abela. Reprinted with permission.

28 ISACA JOURNAL VOLUME 1, 2016

 Some other graphs not featured in figure 1 are shown
in figure 2:
• Bubble chart—This is a variation of the scatter plot. This is
one of the charts that should be used only as eye-candy or
when getting to know the data set. This chart looks fun, but
is ineffective in communicating meaningful data, and it is
often troublesome to get the scaling right.
• Tree map—This is a way to compare data types so that
categorical data are represented by the colors and numerical
variables by their size. Tree maps display large numbers
of values that exceed the number that could be displayed
simply and effectively with a bar graph.
• Heat map—This is a representation of data in which the
individual values contained in a matrix are represented as
colors. There are many types of heat maps, but they all have
Figure 2—Additional Graph Suggestions
Word cloud
Heat map
Doughnut
Source: Tableau Public. Reprinted with permission
one thing in common—they use color to communicate the
relationship between categorical and numerical variables.
• Trellis chart—This is not a grouping of line charts copied
and pasted together. It is one graph using the same scale and
axes as line charts, but it is divided into categories. Trellis
charts are useful for finding the structure and patterns in
complex data.
• Word cloud—This is an engaging way to visualize the
frequency distribution of words with textual data; however,
it should be used sparingly as word clouds cannot show how
a word is used. It is best used to highlight categorical data
types, e.g., departments with most sales. A word cloud can
display the filter being applied if using an interactive tool.
• Bullet graph—This graph was developed by Stephen Few6
to replace the meters and gauges that are often used on
Tree map Box plot
Bullet graph Map
Trellis chart Bubble chart
ISACA JOURNAL VOLUME 1, 2016 29
 dashboards. Its linear, no-frills design provides a rich display
of data in a small space, which is essential on a dashboard.
Like most meters and gauges, bullet graphs feature a single
quantitative measure (i.e., year-to-date revenue) along
with complementary measures to enrich the meaning of
the featured measure. Its design not only gives it a small
footprint, but it also supports more efficient readings than
radial meters.
• Box plot—This represents data by showing the lowest value,
highest value, median value, and the size of the first and
third quartile. The box plot is useful in analyzing small data
sets that do not lend themselves easily to histograms.
• Doughnut chart—This is basically a pie chart with a hole
in the middle. The beauty of it is that the blank space in the
middle gives room to add a text or even one more variables,
e.g., total percentage complete. A doughnut chart can be
combined with a pie chart to represent more than one
categorical variable or data set (assuming those relate
• Learn more about, discuss and collaborate on career
management in the Knowledge Center.
www.isaca.org/
topic-career-management
somehow). Each variable in a doughnut chart adds a ring
to the chart. The first variable is displayed in the center of
the chart.
• Map—This is the perfect graph to use if there are geospatial
data types in the data set. It is not necessary to have street
addresses; just the city is sufficient to map, for example,
where most of the transactions are occurring.
For the purpose of awareness, figure 3 has examples of
other graphs that may be useful. Many data visualization

Figure 3— Combining Data Visualization Methods

Doughnut and Pie Stacked bars and line Map and bubble

Bar and dot Bar and area

(aka) lollipop chart) (aka Funnel chart) Bars and tree map

Source: Tableau Public. Reprinted with permission.

30 ISACA JOURNAL VOLUME 1, 2016

gurus make strong cases against using some of these for very 2
valid reasons. These graphs combine two types of graphs in
order to best convey the information. 3
As part 1 of this series, this article is meant to provide
the basics in data visualization, but it also establishes the
importance of data science. Knowledge is not power. Power is 4
what is done with this knowledge and the decisions and actions 5
taken as a result of understanding the information. And data
visualization is key in making sense of it. Part 2 of this article
will discuss how to make appropriate and effective use of colors,
fonts and gestalt principles, and how to avoid chartjunk. 6
ENDNOTES
1
Koch, K., “How Much the Eye Tells the Brain,” Current
Biology, 25 July 2006; 16(14): p. 1428–1434,
www.ncbi.nlm.nih.gov/pmc/articles/PMC1564115/
 ew, Stephen, “Effectively Communicating Numbers,”
F
Perceptual Edge, November 2005
Steele, Julie; “Why Data Visualization Matters,” Radar,
15 February 2012, http://radar.oreilly.com/2012/02/why-
data-visualization-matters.html
Op cit, Few
Abela, Andrew; “Choosing a Good Chart,”
The Extreme Presentation Method, 6 September, 2006,
http://extremepresentation.typepad.com/blog/2006/09/
choosing_a_good.html
Stephen Few is an innovator, consultant and educator in the
fields of business intelligence and information design.
http://perceptualedge.com/about.php

ADVANCE YOUR CYBER SKILLS AND CAREER

Train for the new performance-based CSX Practitioner Certification. Acquire hands-on instruction in a
cyber-lab environment—available through CSX certification training partners. Embrace skills aligned with
globally recognized NIST Cyber Security Framework domains. Gain the certification that affirms your readiness
to be an in-demand first responder in the global cyber security workforce.

Start now at: www.isaca.org/cybercertcsxp

ISACA_CSX_FINAL_Half.indd 1 12/2/15 4:25 PM

ISACA JOURNAL VOLUME 1, 2016 31
 Feature
Sanjiv Agarwala, CISA,
CISM, CGEIT, BS 25999/ISO
22301 LA, CISSP,
ISO 27001:2013 LA, MBCI,
is currently director and
principal consultant at Oxygen
Consulting Services Pvt. Ltd.
Agarwala has more than 17
years of experience across
multiple industry domains in
various information security
roles and has expertise in
areas such as information
security management
systems, risk management,
cybersecurity, systems audit,
IT governance and business
continuity management.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
32 ISACA JOURNAL VOLUME 1, 2016
How to Be the Most Wanted IS Auditor
The audit profession is known to businesses of
all kinds, especially those that are governed by
regulation. While businesses understand the
importance of audits, some people perceive
audits as a postmortem exercise directed at
finding faults and reporting to regulators,
management and other interested parties. IS
audit is a stream of the broader audit profession.
It involves the audit of the business with respect
to the usage of IT. While it is true and obvious
that the IS auditor has the additional role of
understanding the technology and its associated
risk, the question persists as to whether the
perception of the auditee is any different.
Most organizations have an audit function,
whether it be a part-time internal auditor or
full-fledged audit teams and independent audit
committees. The role of auditors, in most cases, is
to independently report on significant risk factors
in the current environment. From the viewpoint of
the auditee, the same auditor would identify risk
in the auditee’s environment. After sharing this
risk with management, management may conclude
that auditees are not managing their area well, so
during the audit, the auditees may be reluctant to
share weaknesses with the auditor.
Technology advancements are occurring
quickly, businesses are adopting new and
dynamic business models, and there is an
emerging trend of increasing cybercrimes and
fraud. Because of these challenges, it is time
that IS auditors play a more significant role.
This article provides strategies for how the IS
auditor can become the most wanted by auditees,
meet expectations of the business, and gain true
respect from one and all.
BE PASSIONATE ABOUT THE PROFESSION
Auditors should be passionate about audits.
When auditors are passionate, it creates a
positive environment. Even the auditees can feel
when the auditor is there in full heart and mind
to do the assignment. Auditors with passion send
positive signals, and auditees will potentially
demonstrate more interest in the audit. Even if
auditors are working in a familiar environment,
they should look at it with fresh eyes every time
they audit. The auditor knows there are changes
in the environment, so there are definite areas for
improvement. When auditors are passionate, they
are able to continuously learn and contribute.
RESPECT THE PEOPLE AND CULTURE AND
USE SOFT SKILLS
Auditors need to recognize the fact that they
are dealing with people. Auditees are the people
who will provide the information and evidence
needed to conduct a smooth audit. Auditors need
to respect auditees’ time and what they do in
their daily organizational activities. In addition,
every organization has its own culture and way of
doing things.1 Auditors need to understand and
respect the company culture, or auditors may not
be received with true respect.
Auditors should not create an environment
of fear in the enterprise. When auditors better
connect with people, properly explain the
audit observations to the auditee in terms
of risk and value, and obtain acceptance, a
level of trust is created between the auditor
and auditee. Communication throughout the
audit engagement is important. Soft skills
such as observation, listening, presenting,
communicating, documenting and negotiating
are important skills for an IS auditor. Soft skills
are difficult to learn and apply in real-life audits2
when compared to technical skills.
UNDERSTAND THE CLIENT’S BUSINESS DOMAIN
Auditors need to understand the business
processes of the client’s business domain. Though
IS auditors are evaluating the IS controls, no IS
controls work in isolation from business controls.
Technology is important but is primarily an
enabler. Without proper understanding of the
business process, auditors may not be positioned
to understand the real risk to the business process.
In addition, the auditee may not share important
information with the auditor if the auditor does
not talk in terms of business processes.
STAY UP-TO-DATE ON TECHNOLOGY TRENDS AND INDUSTRY ISSUES
Auditors need to be up-to-date on current technologies and
upcoming technologies, how these technologies can be used
for business advantage, the risk inherent in these technologies,
and how various industry issues are related to information
systems. The IS auditor should subscribe to audit journals,
knowledge resources and industry newsletters to stay aware
of the latest trends. When IS auditors explain real-time and
current issues with examples, auditees may be more open to
discussing the issues that may be present in their environment.
Auditors frequently face challenges while auditing the IT
department in terms of the complexity of the IT systems they
“
need to audit. When
IS auditors are unable
When IS auditors are unable to speak the IT
to speak the IT language, language, they
they may not get the respect may not get the
”
respect they desire.
they desire. Keeping up to date
on technology
concepts and asking the right technical questions will help in
such scenarios.
KEEP THE OBJECTIVES IN FOCUS AND PROVIDE REALISTIC VALUE
In the context of COBIT® 5,3 any business would expect that
if benefits are delivered and risk and resources are optimized,
value would be created for stakeholders. While there
would be specific audit objectives depending on the audit
in question, audits generally tie back to value delivery, risk
management and resource optimization.
The COBIT 5 framework is based on a holistic set of
seven enablers. The seven enablers are Principles, Policies and
Frameworks; Processes; Organizational Structures; Culture,
Ethics and Behavior; Information; Services, Infrastructure and
Applications; and People, Skills and Competencies. When
IS auditors take all of these enablers into consideration, they
provide realistic value added to the organization. When auditors
are able to explain the larger picture of the audit to the auditees,
e.g., what is in it for them and possible improvement actions,
auditees are able to relate more. Keeping the audit objectives in
focus, considering these important enablers, and recommending
a practical and relevant assessment of the audit areas brings
forth greater respect for the auditor and greater buy-in from all.
FOLLOW THE AGREED-UPON AUDIT PROCESS
The IS audit should be conducted by following the standard
and well-known approach that is endorsed by recognized
industry leaders. ISACA® provides a number of IS audit-
related standards and references.4 The Institute of Internal
Auditors (IIA) is another useful source for such audit
practices. There are auditing guidelines for the popular
standard ISO 27001 for information security management
systems.5 In some scenarios, auditors and client audit
management can agree upon the audit process of their choice.
Once the process is decided upon, it is best to follow the
process as it helps in the smooth conduct of the IS audit.
Typically, drawing up the audit schedule, conducting the audit
and drafting the final audit report are essential components
of any audit assignment. A risk-based audit approach is
a popular IS audit approach in the banking and financial
industry; auditors need to follow the approach best suited as
per the audit engagement. Auditor knowledge of all of these
audit standards and best practices increases the confidence of
the auditee and client audit management.
BE INNOVATIVE WHEN STUCK WITH CHALLENGES
It is not uncommon that during the course of audits, auditors
will face various challenges, such as the auditee not being
available due to emergencies in the operational environment,
the auditee not understanding the question being asked, the
auditee being defensive about providing more details and
other similar situations.
Sometimes the audit schedule agreed upon previously
may be difficult to implement, and auditors are tasked with
the challenge of doing proper audits and producing a report.
While the audit schedule is important, there are moments
when the auditor needs to be dynamic to make changes
in the schedule to accommodate unforeseen challenges in
the business environment. Auditors need to come up with
innovative approaches to gather audit-related information,
restrategize on how to audit an area in limited time, collect
relevant evidence and reach an opinion.
CREATE A PROPER IS AUDIT REPORT
The IS audit report is an important component of the IS
audit process. When possible, IS auditors should explain
the audit findings to the auditee in terms of risk, value and
benefits to the organization. Doing so during the audit and
ISACA JOURNAL VOLUME 1, 2016 33
 obtaining an agreement with the auditee ensures that the audit
observations will be taken seriously and the auditee will not
be caught by surprise.
When the findings are properly communicated, it creates
a good impression and corrective actions can be initiated.
Audit reports should be drafted with proper recognition of
the accomplishments in each of the audit areas; otherwise,
the report looks like a fault-finding mission and gives a bad
reputation to the IS auditor.
Considering the importance of the IS audit report, auditors
should spend 40-50 percent of their time on the audit report
preparation and finalization. IS audit reports can be sent to
many interested parties, including some that the auditor may
not have even met during the engagement, so the report has to
properly communicate the results of the audit.
EMBED THE LESSONS LEARNED INTO THE AUDIT PROCESS
Audit management may be tasked with the important job of
independently identifying risk factors and areas of concern
that need improvement. Auditors verify if the process owners
have a lessons learned process to improve on the issues
reported. But there is a high likelihood they may not properly
follow the lessons learned process for the IS audit process.
Auditors may not achieve the intended objectives for various
reasons, or there can be some formal and informal feedback
from auditees and the audit client.
Postaudit, it is good practice for an auditor to perform
a root-cause exploration for the feedback obtained, if any,
and also perform a self-assessment of how the overall audit
process went and areas for improvement, e.g., the need
for better planning, improving soft skills or training in
upcoming technologies. Doing this will help auditors improve
their audit skills.
ACQUIRE POPULAR AUDIT CERTIFICATIONS
Many organizations have a minimum requirement for IS auditor
qualifications. Popular IS audit certifications test the candidate
on recognized audit practices, and acquiring certifications
demonstrates the minimum level of understanding of IS audit
practices. Acquiring a popular, industry-recognized IS audit
certification, such as the Certified Information Systems Auditor®
(CISA®),6 Certified Internal Auditor (CIA),7 GIAC Systems
and Network Auditor (GSNA)8 and other similar certifications,
34 ISACA JOURNAL VOLUME 1, 2016
boosts auditee confidence and increases recognition. When the
IS auditor systematically applies lessons learned from obtaining
these certifications in real-life audits, it helps the auditor to gain
more respect.
CONCLUSION
Organizations are increasingly adopting technology to fuel
their business growth engine. Data security threats, fraud
and advanced attacks are on the rise. Boards of directors are
increasingly concerned with whether the system on which
the business is dependent is secure enough, optimized and
contributes value to the entire enterprise.
Auditors play a critical role by being an independent
entity and being the eyes and ears for the organization. It is
time that IS auditors understand the expectations of various
stakeholders. Auditors need to effectively fight the negative
perceptions that are in the minds of many auditees to become
the most wanted IS auditor.
ENDNOTES
1
White, S.; “How Internal Audit Can Assess and Support
Culture,” CGMA Magazine, 12 August 2015,
www.cgma.org/Magazine/News/Pages/how-internal-audit-
can-assess-and-support-culture-201512818.aspx
2
Chambers, R.; “Five Things Internal Auditing Has Taught
Me About Human Nature,” Internal Auditor Online,
11 February 2013, https://iaonline.theiia.org/five-things-
internal-auditing-has-taught-me-about-human-nature
3
ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit
4
ISACA, ITAF, www.isaca.org/itaf
5
ISO/IEC 27007:2011, Information technology—
Security techniques—Guidelines for information
security management systems auditing, www.iso.
org/iso/iso_catalogue/catalogue_tc/catalogue_detail.
htm?csnumber=42506
6
ISACA, Certified Information Systems Auditor (CISA),
www.isaca.org/cisa
7
The Institute of Internal Auditors, Certified Internal Auditor
(CIA), https://na.theiia.org/certification/CIA-Certification/
Pages/CIA-Certification.aspx
8
Global Information Assurance Certification, GIAC
Systems and Network Auditor (GSNA), www.giac.org/
certifications/audit

Frederick G. Mackaden,
CISA, CMA, PMP, is currently
with Crowe Horwath, a
leading consulting network
in the global top 10. He
recently implemented
management controls for a
leading hospital group in the
Middle East through Horwath
MAK, the consulting arm
of Crowe Horwath in the
Middle East. His previous
employers include a Fortune
500 multinational, where
he worked as an enterprise
resource planning (ERP)
specialist supporting finance,
sales, purchasing and
manufacturing modules.
He has more than a decade
of experience in the ERP
consulting environment
and more than 25 years of
experience overall. He is
one of the contributors and
reviewers of A Guide to the
Project Management Body of
Knowledge, 5th Edition.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
Seven Software-related Incidents and
How to Avoid or Remediate Them
Verizon’s 2015 Data Breach Investigations
Report,1 which addresses industry verticals such
as education, entertainment and manufacturing,
points to key incidents related to data breaches
to watch for, primarily:
• Education: Crimeware (represents “Malware
infections within Organizations not associated
with specialized patterns”2), miscellaneous
errors, cyberespionage
• Manufacturing: Cyberespionage, crimeware,
insider misuse
This article focuses on miscellaneous
errors and insider misuse as these are not
as closely monitored, perhaps because they
are not perceived as an external threat. The
potential incident is created by errors of insiders
(employees) and approved suppliers who
function as trustworthy insiders. In these cases,
a malicious intent may not be present, yet the
errors can become catastrophic.
It goes without saying that risk relating to
incidents such as those mentioned need to be
planned for, and potential disaster recovery
options should be in place. Otherwise, the
organization will be caught off guard and suffer
real business losses in terms of delays in cash
flow, which could seriously impact the stability
of the business, especially in markets where
customers delay payments.
This article will focus on seven software
incidents that caused a great deal of panic and
heartache.3 Nearly 60 percent of the incidents
resulted from incorrect or accidental deletions. The
others were caused by faulty customized code and
lack of comprehensive testing prior to promotion
to the live environment. The whole point is that
such errors often slip by unnoticed by the IT
department until operations actually grind to a halt.
Any multinational organization should have
incident management and disaster recovery
Feature
measures in place so that such events can be
prevented, at best, or recovered from, at worst,
with minimal impact to the business as a whole.
Lessons learned from incidents when
they occur are very important. Effective
communication is key in all of this, especially
when programmers are offshore in another
country and only telephonic or other electronic
communication methods are possible (figure 1,
incident 1). Of course, everyone knows that face-
to-face communication is best, but that is not
possible when one team is located in one country
and another team is located in the headquarters
in a different country. If weekly project calls
are not held and interactions with the offshore
programmers and the onshore functional
consultants are minimal, it can lead to problems
down the line.
Effective change management acts as
a preventive step, especially with respect
to programming code movement across
environments. When customized code is moved
across software environments, it needs to
follow a gate review process in which the senior
management representatives (who look at the
business in its entirety) along with concerned
independent specialists (who focus on the
technical angle) open the gate or door into the
next environment or request the programmers to
review the code due to a critical testing failure.
This process enables the team to revisit the work
and check whether all is well before launching
the (software) vessel on the high seas. Figure 2
gives a graphic design of this process. Change
management can be done for hardware as well as
software changes. Unfortunately, this was not the
case in the examples in figure 1, incidents
1 and 2.
Figure 1 details seven incidents which caused
significant turmoil and distress.
ISACA JOURNAL VOLUME 1, 2016 35
 In one instance (figure 1, incident 3), the functional
consultant had forgotten the program number of the
functional route to the problem and resorted to the technical
route to solve the issue. The technician concerned also did not
know the English language well and further complicated the
situation as he also was not sure of what needed to be done.
Once an incident has happened, it should be logged
into the incident reporting system. The incident reporting
system alerts key personnel to an emergency and analysts
and programmers relevant to the task can be deployed.
The recovery project needs to be monitored closely. In one
instance (figure 1, incident 7), the recovery was possible
within a few

Figure 1—Seven Incidents to Be Avoided and/or Remediated

Remedial Suggested
Incident Industry Broad Threat Impact Measures Preventive
Number Vertical Category Actor Type Incident Incident Details Rating Initiated Measures
1 Education Miscellaneous External Inadequate Failure to test A program was Low The code in the live Comprehensive testing
errors/insider supplier test for foreign conducted by the environment was is key. It requires
misuse scenarios currencies offshore team suspended and the quiet reflection and
and the functional code was redone discussion with
tester assumed that in the development client stakeholders to
foreign currencies environment; ensure that testers
were tested. With comprehensive testing have not missed a
this assumption, he for domestic and scenario. A list of client
tested all scenarios foreign currencies transactions across
for the Great Britain was conducted and a quarter would have
pound (GBP) currency, the code was then revealed what needed
as the client was in promoted to the live to be tested.
the UK. When the environment.
code went into the Use of comprehensive
live environment, a use case diagrams
transaction for the for the proposed
Euro currency failed system may help to
and the program had prevent missing any
to be stopped and live scenarios being
redone. tested in the test
environment prior to
the software going
live.
2 Education External Inadequate Automatic The customized High The program was Prior to promotion
supplier testing reconciliation program was to cater suspended in the of code regression,
program with to the bank receipt live environment and testing needs
recursive and payment types reconciliations had to be done and
code, which of the client. A senior to be done manually better coordination
reconciled programmer inserted from the previous measures should be
unreconciled a code she thought reconciled period. initiated between the
transactions would be perfect programmers working
in the live at the last minute. offshore and the
environment Testing had previously functional consultant
worked in the final working on the client’s
acceptance test (FAT) sites across the globe.
environment. The code
was moved to the live
environment.

In the live
environment, the
code added the
reconciled code “R”
to transactions that
should not have been
reconciled otherwise.

36 ISACA JOURNAL VOLUME 1, 2016

 Figure 1—Seven Incidents to Be Avoided and/or Remediated (cont.)
Remedial Suggested
Incident Industry Broad Threat Impact Measures Preventive
Number Vertical Category Actor Type Incident Incident Details Rating Initiated Measures
3 Professional External Database The functional Emergency The database had to Key files should be
supplier administrator consultant and project be restored using the mirrored on a
who was lead had to do a repost last available backup. real-time basis so that
asked to of the ledger since recovery is complete
delete record there was trial balance down to the minute.
locks instead imbalance between
deleted log debits and credits.
files, making During the process
the database of reposting, all users
suspect should have been out
of the system. The
functional consultant
checked with the
network administrator
who confirmed all
users were out in
that location. When
the repost was done,
several users were
on the system at a
remote branch and
this caused record
locks.

The functional
consultant could
not remember the
functional program
to delete record
locks and sought the
help of a database
administrator (DBA).

The inexperienced
DBA deleted log
files instead and the
database became
suspect.
4 Manufacturing Accidental In the process of Medium The standard program All SQLs should be
deletion of correcting a cash to recreate header checked separately in
receipt header receipt record, the records was used the FAT environment
records finance functional to re-create all the before being run in the
consultant accidentally missing headers. live environment.
deleted all the receipt
header table records
by hitting the Enter
key without a where
clause in the delete
Structured Query
Language (SQL).

ISACA JOURNAL VOLUME 1, 2016 37

 Figure 1—Seven Incidents to Be Avoided and/or Remediated (cont.)
Remedial Suggested
Incident Industry Broad Threat Impact Measures Preventive
Number Vertical Category Actor Type Incident Incident Details Rating Initiated Measures
5 Manufacturing Employee Accidental The functional High After the investigating Refreshing of the FAT
deletion of the consultant was team inspected environment with
manufacturing replicating setups for journals (a customized live setups enabled a
warehouse a new manufacturing program detailing reference state when
in the live facility. user actions on the the correction of the
environment applications database damage done was
Instead of copying, generating attempted.
he accidentally cut user-friendly reports,
and pasted deleting but referring to
the manufacturing database logs of
warehouse setup in insert, delete and
the live environment. update actions) and
discovered who was
When the interfaces responsible, the
ran in the live functional consultant
environment for the was notified and
manufacturing facility, asked to remedy
it showed errors of the the damage done.
missing setup. He was then able to
replicate the setup
The order while referring to the
administrator was FAT environment for
puzzled by this error reference.
as all was well the
previous morning.
6 Manufacturing Employee Accidental The financial controller Medium The FAT environment Weekly refreshing of
deletion of was having some had just been the FAT environment
records of the trouble with a trial refreshed with live with live data can
trial balance balance report and data, so the functional help when correcting
file sought the help of the consultant replicated accidents.
functional consultant. the file structure in the
In the process of FAT environment and
investigating, the then used the printout
consultant accidentally of the financial
deleted a few records controller to get the
in the trial balance file. figures in order using
SQL updates.
7 Manufacturing External Sudden An order administrator Emergency The interface was Mirroring key files on
supplier appearance reported that the sales immediately stopped a real-time basis was
of corrupt orders were showing and the mirror images key to an effective
records in incorrect figures; of the file prior to recovery in a few
sales detail file investigation revealed running the interface hours’ time with
that an interface had restored. minimal impact to the
corrupted sales order business.
detail records. The faulty code
in the sales order Interface programs
interface to the with new code should
compliance software be regression tested to
was then fixed and ensure that there are
the interfaces ran no new errors.
successfully the
following day.
Source: Frederick G. Mackaden. Reprinted with permission.

38 ISACA JOURNAL VOLUME 1, 2016

 Figure 2—Environment-gate Review for Effective Change Management

Environment- Environment- Environment-

gate gate gate
Review Review Review

User Acceptance
Development Conference Test (UAT)/Final Production or
Room Pilot Acceptance Test Live
(FAT)

Source: Frederick G. Mackaden. Reprinted with permission.

hours as it was one of the best practices of that organization
to mirror key files of the enterprise resource planning (ERP)
system on a real-time basis. This, coupled with the fact that
the organization had extremely skilled technicians who set
to work immediately and were successful in their endeavor,
enabled the organization to recover within the same business
day. The disaster recovery measures in place thus enabled
the organization to recover from the emergency and ensured
correction of the issue in an extraordinarily swift manner. It is
notable that in this case, an incident report from one country’s
user who noticed the anomaly triggered the response. This
underscores the need, even in the midst of a crisis, to issue the
appropriate communication to all users of the software and
the senior management concerned. A matrix of who needs
to be informed and when, (e.g., hourly or at the end of the
business day) would also be helpful.
Maintenance of journal files (which tracked database
activity such as Update, Delete, Insert to the concerned users)
ensured tracing the root cause of the incident in at least one of
the instances (figure 1, incident 5).
IT heads also need to focus inward as the actors
responsible for incidents may be within the same building. An
organization with effective internal control systems needs to
have an effective backup regime. Mirroring of key files on a
real-time basis nightly, along with regular weekly and monthly
backups, ensures that data are protected. Occasionally
restoring runs of the available backup helps ensure that staff
are prepared for such incidents and also supports confirming
the veracity of the backup tapes, even when things are
going pretty well. In fact, the recovery in just a few hours
demonstrated in one of the scenarios (figure 1, incident 7)
was possible due to the mirroring of the key files and the
backup that resulted from this.
CONCLUSION
IT stakeholders need to look inward to ensure that their data
are safe at all times. Maintenance of confidentiality, integrity
and availability are priorities that are always present in the
increasingly complex world of enterprise software among
others. IT professionals must watch for miscellaneous errors
and insider misuse especially.
Five processes, when performed effectively, can help
prevent dire and distressing situations:
• Effective communication
• Change management
• Backup and restore

ISACA JOURNAL VOLUME 1, 2016 39

 • Incident reporting
• Crisis management
That “integrity rings like fine glass, true, clear and
reassuring”3 is true for data and the software environments • Learn more about, discuss and collaborate on
that create and sustain it. Indeed, this needs to be assured incident management in the Knowledge Center.
not just for the data within an organization, but all of the www.isaca.org/
hardware, software, and people responsible and accountable
for them. topic-incident-management

ENDNOTES 3
 his article highlights software incidents that caused great
T
1
Verizon, 2015 Data Breach Investigations Report, distress in the author’s personal experience or led to a
www.verizonenterprise.com/DBIR/2015/ project failure, but the focus is on a preventive, rather than a
2
Ibid., page 39 corrective, approach.
4
Brown, P.; Helen Exley Giftbook, Watford, UK, 2002

PLAN AHEAD FOR 2016.

KEEP AHEAD WITH ISACA’S
WORLD-CLASS TRAINING.
READY YOUR SKILLS TODAY FOR TOMORROW’S CHALLENGES AND OPPORTUNITIES.
Gain new expertise or refresh your skills to align with current industry standards, protocols and best practices.
ISACA® Training Week offers invaluable tools, proven techniques and state-of-the-art thinking—something for
professionals at every level—in information systems audit, security, cybersecurity, privacy, governance, and risk.

REGISTER EARLY: $200 USD Early Bird discount available!

Register today or learn more at: www.isaca.org/train16-jv1
EARN UP TO 32 CPE CREDITS!

40 ISACA JOURNAL VOLUME 1, 2016

 Feature

Managing Data Protection and

Mohammed J. Khan, CISA,
CRISC, CIPM, is a global
audit, security and privacy
manager serving the teams of
the chief information security
Cybersecurity—Audit’s Role
officer, chief privacy officer
Data protection and cybersecurity go hand-in- enterprises face in the growing threat landscape
and chief audit executive at
hand due to the nature of the risk involved. The operating at a global level. As a result, every
Baxter International. He has
underlying assumption is that all data, whether audit function should consider spending time
spearheaded multinational
they are stationary or in motion, are threatened to on identifying opportunities to perform a review
global audits in several areas,
be compromised. around data protection and cybersecurity within
including enterprise resource
A prime example of this can be seen in the its respective enterprise to help identify gaps and
planning systems, global data
medical device industry. Due to the explosion work with key departments in the enterprise
centers, third-party reviews,
of medical device innovation, resulting in to help reduce and/or eliminate the gaps as best
process reengineering and
both economic and consumer/patient health as possible.
improvement, global privacy
advancement, the industry has seen a growing
assessments (EMEA, APAC,
number of threats from a cybersecurity risk RISK ASSESSMENT
UCAN), and cybersecurity
landscape. The US is the largest medical device To begin, enterprises should consider performing
readiness in several major
market in the world with a market size of a risk assessment of the threat landscape; making
countries over the past five
approximately US $110 billion, and it is expected this happen starts with the tone at the top. The
years. Khan has worked
to reach US $133 billion by 2016.1 The industry risk assessment normally should be owned by
previously as a senior
has seen a rise in innovation since the early 2000s, the enterprise-level functions, and it can be
assurance and advisory
primarily due to the advent of technological a joint effort between the audit function and
consultant for Ernst & Young
advancement and the demand from consumers the business functions in an effort to ensure
and as a business systems
and health care practitioners to further the that there is synergy between the two. Risk
analyst for Motorola.
quality of the patient care provided. A few of assessments are meant to help identify and
the relevant, more commonly known medical address the gaps that may be exacerbated in
devices are pacemakers, infusion pumps, operating the event of a cyberrisk due to a lack of key
room monitors, dialysis machines—all of which controls. One of the primary resources for
retain and potentially transmit vital patient and creating an internal risk assessment analysis
equipment data to medical professionals and other of an organization is the framework provided
sources gathering data. by the American Institute of Certified Public
Do you have Security experts say cybercriminals are Accountants (AICPA).4 The AICPA has
something
increasingly targeting the US $3 trillion drafted a white paper that attempts to simplify
to say about
US health care industry, in which many the practitioner’s understanding of the risk
this article?
companies remain reliant on aging computer assessment standards and process by focusing
Visit the Journal
systems that do not use the latest security on the end game and how that objective can be
pages of the ISACA
features.2 As a result, the percentage of health achieved in an effective, yet efficient, manner.5
web site (www.isaca.
org/journal), find the care organizations that have reported a criminal An effective way to simplify the risk assessment
article and choose cyberattack rose to 40 percent in 2013 from 20 is by dividing the areas of the assessment into the
the Comments tab to percent in 2009, according to an annual survey following categories (figure 1):
share your thoughts. by the Ponemon Institute think tank on data • Understand the business. It is vital to include
protection policy. As revealed in the 2014 Cost of the fundamentals of the organization from the
Go directly to the article:
Data Breach Study: Global Analysis, sponsored top. This includes knowing who the customers
by IBM, the average cost of a breach to a are and what the key products are that drive
company was US $3.5 million dollars, 15 percent the very engine of the enterprise. One of the
more than what it cost the previous year.3 best resources for US companies to utilize
The role of IT security professionals, especially to further the organizational knowledge is
in the audit function, is to be the front line in to review Form 10-K, an annual report
identifying and helping to address the risk that required by the US Securities and Exchange

ISACA JOURNAL VOLUME 1, 2016 41

 Commission (SEC). This gives a comprehensive summary Figure 1—Steps Required to Perform a Robust Risk Assessment
of a company’s financial performance. It can help further
an understanding of the enterprise based on the knowledge
already amassed and enable a view of the risk from a Understand
business and financial perspective. the Business
• Know the organization’s internal control environment.
Elements of a strong internal control environment include
the right combination of IT and transactional-level controls
that are backed by a process to manage the reporting of any Know the
breakdown of controls and actionable plans stemming from Collaborate Risk Organization’s
Among Assessment Internal
such a breakdown. The DNA of the internal controls of an Departments Control
organization is composed of the philosophy, adaptation, Environment
integrity and stance of the organization’s resources toward
the control environment.
• Collaborate among departments. The audit function has
Summarize
one of the best positions in the company when it comes to and
bringing together various departments to collaborate on all Communicate
the Risk
aspects of key business, financial and regulatory risk—both Assessment
internal and external. Collaboration among the chief privacy
officer (CPO), chief information security officer (CISO), Source: Mohammed J. Khan. Reprinted with permission.
chief audit executive (CAE) and chief risk officer (CRO) is
vital to have a robust risk assessment program in place.6 environmental/physical security, and all applicable vendors
• Summarize and communicate the risk assessment. Risk or third parties in any of these areas. Specifically, for each of
communication is commonly defined as the “process of the areas, the auditor should consider the following areas as
exchanging information among interested parties about part of the audit:
the nature, magnitude, significance, or control of a risk.”7 • Key IT systems and applications located in the local
It is important to include all the key stakeholders of the data centers:
organization as part of the risk assessment summary of – Verification of the security management of the systems
recipients, which should be ideally communicated for each and applications, including the logging and monitoring of
key business and function, as well as at the enterprisewide systems containing sensitive data
level. This helps with the delivery and the overall execution • HR (full-time and temporary labor):
of the proposed audits that are planned for the year and – Recruitment and vetting of candidates for key roles
in paving the way for having a robust audit plan clearly within the organization that have access to highly
defining the audit and the risk that correlates to why the confidential data
audit is being conducted. – Management of the on-boarding process and proper
training and compliance monitoring as needed for specific
DATA PROTECTION AND CYBERSECURITY AUDIT SCOPE roles, while paying attention to company and country laws
To have a meaningful scope for an audit around data around employee rights and privacy
protection and cybersecurity, one must consider all relevant – Off-boarding process of employees and agreements of
areas of the organization that require inclusion in the scope of noncompete and confidentiality of organizational and
the audit. The functional entities that ought to be considered product intellectual property
in scope should include customer operations, finance, • Internal collaboration tools management:
human resources (HR), IT systems and applications, legal, – Enterprise content and document management (ECDM)
pharmacovigilance, purchasing, regulatory affairs, system usage and data handling:

42 ISACA JOURNAL VOLUME 1, 2016

 . Verification of the overall management of data within
the organization that are shared among peers on
collaboration tools and platforms
– File share management:
. File management and permissions on massive file shares
utilized by the organization’s departments, the protection
of the file shares via proper system administrative
authorities, and monitoring of key file shares
• Third-party interaction and data sharing:
– Contract management end-to-end life cycle, including
standard language of key vendors that would have access
to highly confidential data, including patient health
information and intellectual property
• Personal computer device physical protection and encryption:
– Internal and external technological controls necessary to
deter flight of data from employees and/or contractors
• Records storage and management:
– Onsite and off-site physical security of confidential paper
data, including electronic tapes if off-site storage is utilized
for backup purposes
• Incident response and handling:
– Electronic asset management of key devices, including
laptops, desktops, servers and mobile devices:
. End-to-end life cycle of asset loss and disposal process
CONCLUSION
Data protection and cybersecurity management is a key
area that all organizations have to manage well. A CIO
Network event held by The Wall Street Journal included a
panel of CIOs who prioritized a set of recommendations to
drive business and policy in the coming years. Cybersecurity
was one of the key themes that came out of the event and
corresponding special report.
A primary responsibility for a CIO or CISO when talking
to the chief executive officer (CEO) or board of directors
(BoD) is to articulate how cybersecurity translates into
revenue. Putting monetary value on security events and tying
security to real-life business cases can show senior executives
the potential impact of a cyberevent in terms that make sense
to them.8
The role of audit is to embrace the function it plays as a
key member of the organization that has to independently
assess the organization’s management of risk around data loss
and prevention by performing robust risk assessments at the
organization level and delivering meaningful data protection
and cybersecurity-related audits. This will help further the
• Learn more about, discuss and collaborate on
privacy/data protection and cybersecurity in the
Knowledge Center.
www.isaca.org/knowledgecenter
chance of an organization’s maturity level to increase when it
comes to fighting the ever-growing threat of cyberespionage
and internal malicious data loss through organizational
employee resources and temporary labor workforces.
ENDNOTES
1
SelectUSA, “The Medical Device Industry in the USA,”
http://selectusa.commerce.gov/industry-snapshots/medical-
device-industry-united-states
2
Humer, C.; J. Finkle; “Your Medical Record Is Worth
More to Hackers Than Your Credit Card,” Reuters, 24
September 2014, www.reuters.com/article/2014/09/24/us-
cybersecurity-hospitals-idUSKCN0HJ21I20140924
3
Ponemon Institute, 2014 Cost of Data Breach: Global
Analysis, www.ponemon.org/blog/ponemon-institute-
releases-2014-cost-of-data-breach-global-analysis
4
While the AICPA framework is generally used for financial
statements, it has proven to be a valuable framework for the
general management and creation of guidance that embodies
a generic model for other risk assessments—those that are
not necessarily related to financial statements.
5
American Institute of Certified Public Accountants, “Risk
Assessment,” USA, www.aicpa.org/InterestAreas/FRC/
AuditAttest/Pages/RiskAssessment.aspx
6
Tsikoudakis, M.; “Collaboration Between Risk Management,
Internal Audit Valuable: Report,” Business Insurance, 11
April 2012, www.businessinsurance.com/article/20120411/
NEWS06/120419970
7
Covello, V. T.; “Risk Communication: An Emerging Area
of Health Communication Research,” Communication
Yearbook 15, Sage, USA, 1992, p. 359-373
8
Norton, S.; “CIOs Name Their Top 5 Strategic Priorities,”
The Wall Street Journal CIO Journal, 3 February 2015,
http://blogs.wsj.com/cio/2015/02/03/cios-name-their-top-5-
strategic-priorities/
ISACA JOURNAL VOLUME 1, 2016 43
 Feature
C. Warren Axelrod, Ph.D.,
CISM, CISSP, is a senior
consultant with Delta
Risk LLC, specializing
in cybersecurity, risk
management and business
resiliency. Previously, he was
the business information
security officer and chief
privacy officer for US
Trust. He was a founding
member of the Financial
Services Information Sharing
and Analysis Center and
represented financial services
cybersecurity interests in
the US National Information
Center during the Y2K date
rollover. He testified before
the US Congress in 2001
on cybersecurity. His most
recent book is Engineering
Safe and Secure Software
Systems. Previously he
published Outsourcing
Information Security and
was coordinating editor
of Enterprise Information
Security and Privacy.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
44 ISACA JOURNAL VOLUME 1, 2016
Actionable Security Intelligence From Big,
Midsize and Small Data
Information security professionals continue
to struggle with acquiring and understanding
the most relevant and useful data in order to
anticipate threats, guard against attacks and
determine forensically what happened after a
hack occurs. However, despite such efforts, data
breaches, such as those recently perpetrated
against Target and the US Government’s Office
of Personnel Management (OPM), are getting
much bigger in scope; more damaging as to
consequences; more difficult to monitor, analyze
and address; and more costly to resolve.1 Is there
anything on the horizon that might make security
metrics more effective? The answer: Quite
possibly.
WHAT HAS CHANGED?
Over the past five or so years, big data has burst
onto the scene along with highly efficient tools
for big data storage and analysis. The sources
of big data are many, ranging from search data
captured by the likes of Google and reported
to advertisers to enable targeted marketing, to
transaction data from Amazon and other major
online retailers and auction sites that identify
products that might interest customers, and
network traffic monitored by telecommunications
companies and used for billing, analysis and
other applications.2
This mother lode of data, the development
of high-efficiency tools, including open-source
products such as software framework Apache
Hadoop, and the dramatic drops in the costs of
processing and storage, have led to an environment
that can be exploited for many purposes—in this
case, cybersecurity. Never before has so much
information been available to security and risk
professionals. In addition, the rapidly evolving
creative and innovative benefits from this data and
analysis bonanza are being realized.
Nevertheless, results from the cloud, while
clearly adding considerably to resources already
available to fend off cyberattacks, are by no
means the whole story. There is a growing
realization by big data analysts of a need for
so-called “small data,” which derive from
surveys and interviews of subject matter experts,
alerts, reports, internal and external audits and
assessments, and the like.3
Furthermore, the myriad of traditional
security metrics, which this article calls “midsize
data” and which are obtained from logs of
network and host intrusion detection systems
(IDSs) and intrusion protection systems (IPSs),
applications, network and systems firewalls, and
the like, must not be forgotten. Data from these
sources are aggregated, correlated and analyzed
by increasingly sophisticated security information
and event management (SIEM) systems. Midsize
data can bring further meaning to big data and
may also be put into context by small data.
This article shows the synergistic effects of
combining big, midsize and small data. It further
suggests how one might aggregate, correlate and
analyze data to fully understand the business and
operational environment that an organization’s
computer systems and networks support. From
such an understanding emanates focused actions
that should be taken to ensure a higher degree of
information security.
It should be noted, however, that the collective
power of big, midsize and small data does not
preclude the need for incorporating value and
uncertainty into the mix.4 These characteristics
are obtained via small data processes, such as
the Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE) approach to
handling risk.5
BIG, MIDSIZE AND SMALL DATA
The differentiation among big, midsize and
small data appears, at first look, to be fairly
straightforward. Nevertheless, complexities are
introduced when combining analyses of various
data sources since they frequently are not in
compatible formats. Some tools operate on both
structured and unstructured data and others do
not. Some unstructured information can add to
the analyses of structured data, such as providing business
context for network traffic, whereas in other situations,
unstructured data yield few benefits because they are not in
formats that are mutually compatible.
There are some groundbreaking efforts being made to
standardize data structures across certain big and midsize data
collection programs to provide consistency and improve ease
of use. A notable example is the Soltra approach created by
the US financial services industry. Soltra uses open standards,
including Structured Threat Information eXpression (STIX)
and Trusted Automated eXchange of Indicator Information
(TAXII),6 to be able to interoperate with established security
tools using the same standards.7
Big Data
Data in this category are usually collected in real time in
enormous volumes from web traffic and internal traffic.8 The
data are then often analyzed rigorously using increasingly
sophisticated tools. It is common in today’s world to run
massive amounts of data through analytic engines and
announce interesting relationships, often regardless of
whether or not there is any predictable cause and effect.
Judging from the claims of some security product and
service vendors, one might think that if only one were to
gather enough data, then one should be able to anticipate all
applicable threats, exploits and attacks sufficiently well in
advance so as to take preventive or defensive action as the
analysis of the data would suggest. Clearly this utopian view
is not reality. Some considerable expertise is still needed to
interpret results and put them in context. Notwithstanding
their limitations, however, big data analyses contribute
significantly to better understanding of security posture and
environments and may well provide an edge that information
security professionals have been seeking for decades, as
supported by a number of publications and articles.9
Another important aspect of the big data revolution has
been the proliferation of highly efficient analytical tools
designed to rapidly sift through huge volumes of structured and
unstructured data. These tools can run against data obtained
from external sources and internally generated data or a
combination of both. Whether or not predictive analysis can
derive patterns to enable forecasting future events remains to
be seen, but the prospect is encouraging for a profession that
usually deals with attacks after the fact rather than proactively.
Midsize Data
Data collected by network and host IDSs and IPSs, network
and application firewalls, and application instrumentation
can run typically gigabytes, but even terabytes, per day. Yet,
such data are still considered to be significantly smaller than
the terabytes and petabytes typical of big data, which is why
the term “midsize” is used when referring to data relating
specifically to the organization and collected by internally
deployed security products or third-party services. These data
are typically aggregated, correlated, analyzed and displayed
by SIEM systems, which also issue alerts when suspicious,
unusual or unexpected activities occur.
Even though SIEM data can result in very large databases,
which can be analyzed in real time, they provide only part of
the picture. There is a strong, largely unmet need to generate
and analyze data about activities within applications and
system software. This area is, unfortunately, underserved
in many organizations, as suggested by so many reports of
companies, government agencies, academic institutions and
others not knowing exactly who and what was affected by a
data breach and when the breach might have occurred. The
key here is to incorporate security data collection capabilities
into software early in the development life cycle. This will
largely avoid the expensive reworking of applications that
postdevelopment instrumentation incurs.10
Small Data
Big and midsize data need to be supplemented with small
data to better understand their meaning and context. The
information value of small data is derived mainly from analysts
being able to put other data analyses into perspective. By
surveying or interviewing business managers, users, customers,
business partners, suppliers, and other internal areas, such as
legal, compliance, and marketing, one can get a better sense of
what is important to each area and how its activities vary with
new business, seasonal factors and the like.
As an example, network- and host-based IDSs and IPSs
monitor message volumes and traffic characteristics. In the
case of IPSs, the systems also respond to unusual activities
and block specific messages. Often the IT and information
security areas are not fully aware of business changes and
might, as a result, interpret a sudden surge in traffic volume
as a cyberattack or nefarious insider activities, for example,
when in fact the increase might be due solely to taking on a
ISACA JOURNAL VOLUME 1, 2016 45
 large new customer. Similarly, a big drop in volume might be
due to the loss of a major customer. The prospect of any such
major business shifts needs to be conveyed to the security staff,
which, in turn, need to pass on the information in advance to
those responsible for IDSs, IPSs and other monitoring systems.
No amount of analysis of historical data would anticipate such
changes, so it makes sense to regularly communicate such
changes in the form of small data inquiries and reports.
It is important to have accurate and timely reporting
systems in place that inform security staff of events and
potential changes that might affect any and all aspects of
business operations, IT and information security. Such
advisories might include system failures, lost data media,
unusual activities and system upgrades.
Another example of small data collection is implementing
a method for determining information security risk, such as
OCTAVE.11 In this approach, all involved departments, which
often means the entire enterprise, are asked very specific
questions about their assessment of security risk relating to
information systems. The responses are evaluated and an
overall security risk posture is established.
PUTTING IT ALL TOGETHER
As shown in figure 1, big, midsize and small data are collected
and preliminary analyses are performed using a variety of
tools relevant to each source of data.
The results can then be pooled to provide an overall view
of information security threats, attacks and vulnerabilities
potentially affecting an organization’s networks, systems
and applications, leading to situational awareness. The
organization then must respond to the possibility of attacks by
patching vulnerabilities and updating security tools to protect
against known attacks.
When data collection, analysis and reporting are performed
in real time, systems will likely issue instantaneous alerts.
Immediate responses are then usually required. However,
many analyses are done in batch mode, taking weeks or even
months before results are issued. Responses to these reports
are tactical and strategic rather than operational, as are
reactions to real-time incident reports.
It is important that analysts have a holistic view of an
organization’s business functions and IT systems so that their
responses do not result in unintended consequences. For
example, a sudden increase in transaction volume might be due
to a denial-of-service (DoS) attack or may result from taking
on a big new customer. In such a case, the incident response
team needs to know in advance about significant changes in the
business so that they interpret changes appropriately.
Figure 2 shows the various sources of data and
corresponding analyses for both batch and real time
(stream) and illustrates how results might be consolidated and
actions taken.

Figure 1—Processes for Acquiring and Analyzing Figure 2—Real-time and Batch Data Collection and Processing
Security Data From Various Sources
Structured and
Unstructured Internal and External Event
Data From Data From Applications and
Structured and Internal and From System and Network
Big Data Small Data Unstructured Data From External Data Collectors
Midsize Data Surveys, Interviews and Sources
Published Reports

Structuring
of Data
Aggregation
of Data
Summarization
of Data (e.g., via BIG Midsize
(e.g., Hadoop) (e.g., SIEM) Survey Monkey) Small
Data DATA Data

Analytics Correlation Analysis of Aggregation, Batch Event

Stream

Engines and Analysis Results Summarization Data Aggregation,

and Analysis Mining Correlation
Key: and Analysis
Real-time (SIEMs)
Threats, Attacks, Context, Value, Processing
Exploits, Unusual Uncertainty, Enterprisewide Analysis, Reporting and Decision Making
Incidents Behavior Criticality Batch Actions Actions
Processing

Source: C. Warren Axelrod. Reprinted with permission.

Source: C. Warren Axelrod. Reprinted with permission.

46 ISACA JOURNAL VOLUME 1, 2016

 In general, big data are collected in real time, typically
running into the millions of transactions per second for large
organizations.12 Big data are usually analyzed in batch mode,
but increasingly, tools are becoming available for real-time
analysis.13 Midsize data are typically collected, analyzed,
reported and acted upon in real time. Small data are usually
collected and analyzed over longer periods, such as days,
weeks or months.
CHARACTERISTICS OF DATA TYPES
Each category of data, whether big, midsize or small, has its
own particular characteristics and capabilities and produces
different results. It should be noted that the field of security
intelligence is very dynamic and new tools and methods are
continually being introduced. In general, but clearly not in
all cases, innovative big data capabilities are appearing at
the fastest rate, with moderate evolution for midsize data
methods and procedures, and small data showing relatively
little change. While small data methods and procedures are
generally well established, their rate of adoption is slower
than hoped. Similarly the adoption of approaches for midsize
data is not as rapid as needed, particularly when it comes to
providing security information from within applications.
Figure 3 summarizes the characteristics, capabilities
and information produced by data type. It is provided as
guidance and is by no means comprehensive, particularly with
respect to capabilities, since new uses of these data types for
developing better security intelligence are being created daily.

Figure 3—Characteristics, Capabilities and Information From Big, Midsize and Small Data
Data Type Size of Data Characteristics Capabilities Information Produced
Big Terabytes to • Volume (huge amounts of data) • Data capture • Threat advisories
petabytes • Velocity (very high speed of data in • Analysis • Exploits “in the wild”
and out) •D atabase curation (healing, manual • Incidents/events/attacks
• Variety (broad range of data types updating) • Unusual activities
and sources) • Search • Predictive analytics
• Veracity (trustworthiness of data • Sharing • Supply-chain events
and analytics) • Storage • Geopolitical events
• Transfer
• Security
• Visualization
Midsize Gigabytes to • Continuous real-time monitoring • Data logging • Attempted attacks
terabytes and logging from IDS/IPS systems, • Data aggregation • Successful attacks
firewalls, etc. • Correlation • Details of attackers
• Real-time logging of user activities • Alerting • Unusual activities
within applications and databases • Dashboards • Relationships among events
• Real-time analysis and reporting • Compliance
(visualization) for network, host and • Retention
applications analyses • Forensic analysis
• Report generation for auditors,
management, regulators,
shareholders, corporate customers
Small Kilobytes to • Surveys/interviews tailored to •B  uilding of asset-based threat • Context
gigabytes specific departments profiles • Business value
• Internal operational reports • Identification of infrastructure • Uncertainty/risk
• External public and private reports vulnerabilities • Different perspectives on criticality
• Internal and external alerts and • Vulnerability assessments of systems and data
notifications •D  evelopment of security strategy • Investment in security, privacy and
• Internal and external audit reports and plans secrecy
• Internal and third-party
assessments
• Vendor/supply chain risk
management
Source: C. Warren Axelrod. Reprinted with permission.

ISACA JOURNAL VOLUME 1, 2016 47

 REAL-WORLD CASES
The following is a series of example cases.14
Big Data
Long before big data as such were on the radar,
telecommunications companies and ISPs had been gathering
and analyzing huge amounts of data regarding activities on
their networks. Shortly after the structured query language
(SQL) Slammer computer worm struck in January 2003, one
ISP was able to show retrospectively how the implementer of
the worm had made several trial runs against a particular port
before launching the main attack. In this case, the analysis
was after the fact, but the goal has been to develop predictive
capabilities for teasing out questionable activities from the
huge amounts of collected traffic data.
A current example of using big data to provide organizations
with immediate notifications of threats is the Soltra Edge
initiative sponsored by the Financial Services Information
Sharing and Analysis Center (FS-ISAC) and the Depository
Trust and Clearing Corporation (DTCC). The goal of Soltra is to
“deliver software automation and services that collect, distill and
speed the transfer of threat intelligence from a myriad of sources
to help safeguard against cyber attacks.”15
Midsize Data
As one company began to implement security information
management (SIM) technology (SIM was later superseded,
at least in name, by SIEM), its operation of, and support for,
firewalls was moving from information security to network
operations since the technology had become mainstream.
IDSs and SIM systems were still managed by information
security staff, but soon thereafter IDSs transitioned to
operations. Then, when IPSs were introduced, the technology
was considered too dangerous to move into day-to-day
operations, since a single misstep in supporting IPSs could
rapidly lead to major business catastrophes. An IPS vendor
illustrated the point by giving the example of a company that
implemented an IPS on a Friday evening. The system, which
monitored traffic patterns in order to set up prevention rules,
observed and established its baseline volume pattern on
typical low-volume weekend traffic. On Monday morning,
when everyone came to work, the IPS saw a sharp jump
in volume and proceeded to close down new traffic, which
meant all employees and connected customers.
48 ISACA JOURNAL VOLUME 1, 2016
• Learn more about, discuss and collaborate on big
data in the Knowledge Center.
www.isaca.org/topic-big-data
Furthermore, early SIM systems did not have user-friendly
interfaces, and interpreting events required significant effort
by subject matter experts. However, it was found that it was
helpful to obtain information from business units regularly
so that teams expected and were prepared for major
anticipated changes.
Small Data
The types of data that comprise small data and the means of
collecting them are many and diverse. While some measure
of automation can be invoked to assist in collecting and
analyzing survey data, the quantity of data collected and
the number of persons surveyed are usually small and few,
respectively. While periodic reporting of security metrics may,
at some level, also be automated, there is often a need for
manual data entry. Consequently, there are limits to what one
might ask for and the quality and quantity of the data received
in response. Such data are often unstructured, although some
are designated specific formats ahead of time as dictated by
the products being used.
OCTAVE Method
One such approach is the OCTAVE method, which was
developed by Carnegie Mellon University’s (Pittsburgh,
Pennsylvania, USA) Software Engineering Institute.
One definition of OCTAVE is “a security framework for
determining risk level and planning defenses against cyber
assaults.”16 Since its initial development in 2001 for the
US Department of Defense (DoD), OCTAVE has broadened
its scope to include the private sector and has undergone a
number of changes and enhancements. It has been published
in several versions, including the most recent version,
OCTAVE Allegro, which is based on OCTAVE Original
and OCTAVE-S. Today, OCTAVE-S is used for smaller
organizations, while OCTAVE Allegro is used for large
organizations with multilevel structures.
 OCTAVE defines three phases:17
1. Build asset-based threat profiles.
2. Identify infrastructure vulnerabilities.
3. Develop security strategy and plans.
Clearly, being able to develop a security strategy requires
more than the responses to OCTAVE questions, which is why
an overall program requires additional analyses of data from
other sources.
Management of an OCTAVE project for a smaller financial
organization found significant benefits in being able to
approach all areas of the company with a prepared set of
questions. In some organizations, it may be more effective to
have outside parties conduct the surveys since often internal
department staff is more responsive to outside consultants.
Supplementary Information
Many organizations report security metrics, such as threats
from big data sources and numbers of attempted and
successful intrusions from network and system monitoring
products (firewalls, IDSs, etc.). In some cases, third-party
services will match threats against a company’s particular
infrastructure and software and hardware products in use so
that organizations are provided with information relevant to
their environment. In other situations, one has to perform the
matching oneself. In either case, a full, accurate and up-to-
date inventory is needed. While there are automated systems
that run through an organization’s systems and networks
and pick up details of software installed, including version
numbers to determine whether patching is current, there
is usually a considerable ongoing manual effort involved in
making sure that all resources have been covered.
Even when the above “scoreboards” are presented to
management, auditors and regulators, they often require
supplementary information without which the numbers
have little meaning. For example, if a report shows that 80
percent of installations of a particular software product have
been updated with the latest patch, it is still necessary to
know whether the remaining 20 percent includes systems
that are critical to the functioning of the organization.18 If so,
there may be considerable risk exposure until all systems are
patched or otherwise fixed.
If the reported security metrics do not include descriptions
of their criticality and their purpose within the organization,
then decision makers will not have sufficient information
with respect to the value of the systems involved and the
importance of making sure that the applications and the data
are adequately protected.
Recommendations
Here is a summary of actions to be taken in order to fully
benefit from the rich inventory of security-related data that is
increasing rapidly as new sources and tools are discovered:
• Determine appropriate information security metrics for
decision making and action.
• Determine the sources from which data supporting decision
making and action might be extracted.
• Socialize benefits of collecting and analyzing data and
reporting and reacting to metrics.
• Introduce policies and procedures that formalize data
collection, analysis and reporting.
• Obtain senior-level management commitment to apply
sufficient resources to build the necessary capabilities for
data collection, analysis, reporting and response.
• Formalize the interactions within and among the various
constituencies (i.e., information security, risk management,
application development, quality assurance, operations,
vendor management, internal audit, business continuity).
CONCLUSIONS
The proliferation of enormous data sources and advanced
analytical tools has lead the world to the brink of major
breakthroughs for determining threats, predicting and avoiding
attacks, and detecting and responding to breaches. The full
benefits of these innovations will not automatically accrue in
the cybersecurity world. They require work in selecting and
integrating known data and expressing results in terms that are
understandable and actionable for decision makers.
This article ex amines the potential and suggests
approaches that will help realize synergies among big, midsize
and small data analyses and result in capabilities that will, for
the first time, give defenders a chance to overtake the rapidly
rising abilities of attackers.
ENDNOTES
1
For an authoritative account of the characteristics of recent
data breaches, see Verizon, 2015 Data Breach Investigations
Report, www.verizonenterprise.com/DBIR/2015/.
ISACA JOURNAL VOLUME 1, 2016 49
 2
 ccording to IBM, 2.5 x 1015 bytes of data are being
A infotype=SA&subtype=WH&htmlfid=WGW03020USEN.
created daily. This number is increasing rapidly in that 90
percent of all data were created in the prior two years, as
described in Bringing Big Data to the Enterprise, www-01.
ibm.com/software/data/bigdata/what-is-big-data.html.
3
Peysakhovich, Alex; Seth Stevens-Davidowitz; “How Not to
Drown in Numbers,” Sunday Review, The New York Times,
2 May 2015, www.nytimes.com/2015/05/03/opinion/
sunday/how-not-to-drown-in-numbers.html?_r=0
4
Axelrod, C. Warren; “Accounting for Value and Uncertainty
in Security Metrics,” ISACA Journal, vol. 6, 2008
5
Caralli, Richard A.; James F. Stevens; Lisa R. Young;
William R. Wilson; Introducing OCTAVE Allegro:
Improving the Information Security Risk Assessment
Process, Technical Report CMU/SEI-2007-TR-012
ESC-TR-2007-012, Software Engineering Institute,
May 2007, http://resources.sei.cmu.edu/asset_files/
TechnicalReport/2007_005_001_14885.pdf
6
Depository Trust and Clearing Corporation, “FS-ISAC and
DTCC Announce Soltra, a Strategic Partnership to Improve
Cyber Security Capabilities and Resilience of Critical
Infrastructure Organizations Worldwide,” press release,
24 September 2014, www.dtcc.com/news/2014/
september/24/fs-isac-and-dtcc-announce-soltra.aspx
7
Tripwire, “Soltra Edge and Tripwire Enterprise,” https://
www.tripwire.com/solutions/integrations/soltra/.
8
In the case of Hewlett-Packard, for example, the enterprise
reportedly generated one trillion events per day, or about 12
million events per second in 2013, as noted in section 4.2
in CSA Big Data Working Group; Big Data Analytics for
Security Intelligence, Cloud Security Alliance, September
2013, https://cloudsecurityalliance.org/download/big-data-
analytics-for-security-intelligence/.
9
CSA Big Data Working Group, Big Data Taxonomy,
Cloud Security Alliance, September 2014, https://
cloudsecurityalliance.org/download/big-data-taxonomy/.
IBM, Extending Security Intelligence with Big Data
Solutions: Leveraging Big Data Technologies to Uncover
Actionable Insights into Modern, Advanced Data Threats,
Thought Leadership white paper, IBM Software, January
2013, www-01.ibm.com/common/ssi/cgi-bin/ssialias?
50 ISACA JOURNAL VOLUME 1, 2016
Marko, Kurt; “Big Data: Cyber Security’s Silver Bullet? Intel
Makes the Case,” Forbes.com, 9 November 2014, www.
forbes.com/sites/kurtmarko/2014/11/09/big-data-cyber-
security/. Ponemon Institute, Big Data Analytics in Cyber
Defense, Ponemon Institute Research Report, Sponsored
by Teradata, February 2013, www.ponemon.org/library/
big-data-analytics-in-cyber-defense. Teradata, Big Data
Analytics: A New Way Forward for Optimizing Cyber
Defense, November 2013, www.teradata.com/Resources/
Brochures/Big-Data-Analytics-A-New-Way-Forward-for-
Optimizing-Cyber-Defense-Government-Version/?LangType
=1033&LangSelect=true
10
Axelrod, C. Warren; “Creating Data from Applications for
Detecting Stealth Attacks,” STSC CrossTalk: The Journal of
Defense Software Engineering, September/October 2011
11
Op cit, Caralli
12
Op cit, CSA, 2011
13
Ibid.
14
These cases are examples from the author’s personal
experiences.
15
Op cit, Depository Trust and Clearing Corporation
16
TechTarget, “Definition: OCTAVE,” WhatIs.com,
http://whatis.techtarget.com/definition/OCTAVE
17
Ibid.
18
“Criticality” has several definitions with respect to computer
systems. In regulated industries, such as financial services,
systems that are needed to comply with legal and regulatory
requirements are highly critical, as are those systems that
are needed to maintain the continuous operation of the
organization in both normal circumstances and contingency
mode. Real-time systems (such as trading systems) are
time-critical, since even a short outage can incur significant
monetary and reputation costs and bring on the wrath of
regulators. Batch systems may not be as time critical as
online systems, but their compromise (failure, malfunction,
loss of data integrity) may affect timely and accurate
processing of data and can hugely impact the continued
survival of the organization from financial and operational
perspectives.

Tolga Mataracioglu, CISA,
CISM, COBIT Foundation,
CCNA, CEH, ISO 27001 LA,
BS 25999 LA, MCP, MCTS,
VCP, is chief researcher
at TUBITAK BILGEM Cyber
Security Institute in Turkey.
He is the author of many
papers about information
security published nationally
and internationally. His areas
of specialization are system
design and security, operating
systems security, information
security management
systems, business continuity,
COBIT®, and social
engineering.
Do you have
something
to say about
this article?
Visit the Journal
pages of the ISACA
web site (www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article:
Comparison of PCI DSS and
ISO/IEC 27001 Standards
The Payment Card Industry Data Security
Standard (PCI DSS) is an information security
standard for organizations that handle branded
credit cards from the major card companies,
including Visa, MasterCard, American Express,
Discover and JCB. PCI DSS “was created to
increase controls around cardholder data to
reduce credit card fraud via its exposure.”1 “[The]
ISO/IEC 27001 standard is a specification for an
information security management system (ISMS)
published by the International Organization for
Standardization (ISO) and the International
Electrotechnical Commission (IEC) under the
joint ISO and IEC subcommittee.”2
While both standards focus on information
security, ISO/IEC 27001 is suitable for every
type of organization and PCI DSS focuses on
organizations dealing with e-commerce.
Figure 1—Overview: 12 Requirements of PCI DSS
PCI Data Security Standard: High-level Overview
Build and maintain a secure network and systems.
Protect cardholder data.
Maintain a vulnerability management program.
Implement strong control access measures.
Regularly monitor and test networks.
Maintain an information security policy.
Source: Tolga Mataracioglu. Reprinted with permission. Based on PCI Security Standards Council, PCI DSS Quick Reference Guide,
October 2010, https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
Feature
What if those two standards were to be
combined? Is that feasible? What are the
differences between the standards?
This article discusses and examines
the interoperability of PCI DSS 3.1 and
ISO/IEC 27001:2013. Further, the pros and
cons of the PCI DSS and ISO/IEC 27001
standards are compared and contrasted.
PCI DSS
PCI DSS is a standard developed by a council
consisting of Visa, MasterCard, American Express,
Discover and JCB in order to preserve payment
card and cardholders’ sensitive information.3 There
are six goals and 12 requirements in the standard
(figure 1).
These 12 requirements have been addressed
at a high level in ISO/IEC 27001:2013 standard
1. Install and maintain a firewall configuration to protect
cardholder data.
2. D
 o not use vendor-supplied defaults for system passwords
and other security parameters.
3. P rotect stored cardholder data.
4. E ncrypt transmission of cardholder data across open,
public networks.
5. P rotect all systems against malware and regularly update
antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. R
 estrict access to cardholder data by business need
to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and
cardholder data.
11. Regularly test security systems and processes.
12. M
 aintain a policy that addresses information security for
all personnel.
ISACA JOURNAL VOLUME 1, 2016 51
 Figure 2—High-level Mapping of PCI DSS Requirements to ISO/IEC 27001
PCI DSS Requirement ISO/IEC 27001 Clause
1. Install and maintain a firewall configuration to protect cardholder data. A.12 Operations security
A.13 Communications security
2. D
 o not use vendor-supplied defaults for system passwords and other A.12 Operations security
security parameters. A.13 Communications security
3. Protect stored cardholder data. A.12 Operations security
A.13 Communications security
4. Encrypt transmission of cardholder data across open, public networks. A.14 System acquisition, development and maintenance
5. P rotect all systems against malware and regularly update antivirus A.14 System acquisition, development and maintenance
software or programs.
6. Develop and maintain secure systems and applications. A.14 System acquisition, development and maintenance
7. Restrict access to cardholder data by business need to know. A.12 Operations security
A.13 Communications security
8. Identify and authenticate access to system components. A.12 Operations security
A.13 Communications security
9. Restrict physical access to cardholder data. A.11 Physical and environmental security
10. Track and monitor all access to network resources and cardholder data. A.12 Operations security
A.13 Communications security
11. Regularly test security systems and processes. A.14 System acquisition, development and maintenance
A. 6 Organization of information security
A.18 Compliance
12. Maintain a policy that addresses information security for all personnel. A.5 Information security policies
Source: Tolga Mataracioglu. Reprinted with permission.

developed by the ISO and the IEC. Figure 2 shows high-level Figure 3—Compliance of PCI DSS
mapping of these 12 PCI DSS requirements to ISO/IEC
Merchant
27001:2013 clauses. Level Merchant Definition Compliance
Companies must be audited by a qualified security
Level 1 More than 6 million Annual onsite PCI data
assessor (QSA) and an approved scanning vendor (ASV) in V/MC transactions annually security assessment and
predetermined periods that have been authorized by the PCI across all channels, quarterly network scans
Council.4 Further, the International Society of Automation including e-commerce
(ISA) can perform assessments using self-assessment Level 2 1,000,000-5,999,999 Annual self-assessment
questionnaires (SAQs), depending on the size and the level of V/MC transactions annually and quarterly network
scans
the merchants.
Figure 3 illustrates the compliance of PCI DSS in four Level 3 20,000-1,000,000 V/MC Annual self-assessment
e-commerce transactions and quarterly network
different levels based on number and type of transactions. annually scans
Figure 4 depicts the compliance of JCB. Figure 5 portrays
Level 4 Less than 20,000 V/MC Annual self-assessment
the compliance of American Express. These three figures e-commerce transactions and annual network scans
help organizations by providing information on how to audit annually and all merchants
information security within the context of the number of across channel up
to 1,000,000 VISA
transactions performed annually. By using the information transactions annually
in the following figures, chief information security officers Source: Tolga Mataracioglu. Reprinted with permission. Based on Compliance
(CISOs) can easily decide in what circumstances to perform Resource Kit, What Is PCI DSS, complianceresourcekit.com/index.php?
a self-assessment, a security scan or an on-site review for option=com_content&task=view&id=67

auditing information security.

52 ISACA JOURNAL VOLUME 1, 2016
 Figure 4—Compliance of JCB
If cardholder data and transaction data are handled via the Internet or Internet-accessible network:
Merchants Payment Processors
One million JCB transactions or more Less than 1 million JCB transactions per Regardless of the number of
per year year JCB transactions
Self-assessment N/A ✓ N/A
Security scan Quarterly Quarterly Quarterly
Onsite review Yearly N/A Yearly

If cardholder data and transaction data are not handled via the Internet or Internet-accessible network
Merchants Payment Processors
One million JCB transactions or more Less than 1 million JCB transactions per Regardless of the number of
per year year JCB transactions
Self-assessment N/A ✓ N/A
Security scan N/A N/A N/A
Onsite review Yearly N/A Yearly
Source: Tolga Mataracioglu. Reprinted with permission. Based on JCB, JCB Data Security Program, partner.jcbcard.com/security/jcbprogram/index.html

Figure 5—Compliance of American Express

Levels Explanation
Level 1 2.5 million or more American Express card transactions per year
Level 2 50,000 to 2.5 million American Express card transactions per year (Service providers: fewer than 2.5 million transactions)
Level 3 designated Fewer than 50,000 American Express card transactions per year and have been designated by American Express as being
required to submit validation documents
Level 3 Fewer than 50,000 American Express card transactions per year (merchants only)
Level EMV 50,000 or more American Express chip-enabled card transactions per year with at least 75 percent made on an EMV-enabled
(chip-enabled) terminal capable of processing contact and contactless American Express transactions
Source: Tolga Mataracioglu. Reprinted with permission. Based on American Express, The Data Security Operating Policy, https://www209.americanexpress.com/
merchant/services/en_US/data-security

ISO/IEC 27001 STANDARD
This standard includes seven main titles within the scope
of annex SL: organization, leadership, planning, support,
operation, performance evaluation and improvement.5 Annex
SL is a new management system format that helps streamline
creation of new standards and make implementing multiple
standards within one organization easier. It was created by
ISO Technical Management Board’s (TMB) Joint Technical
Coordination Group (JTCG).6 Using the same titles defined
in the annex SL is useful for those organizations that choose
to operate a single management system that meets the
requirements of two or more management system standards.
Although ISO/IEC 27001 does not suggest a Plan-Do-Check-
Act (PDCA) cycle, the seven titles can be mapped into the
cycle as shown in figure 6.

ISACA JOURNAL VOLUME 1, 2016 53

 Figure 6—Mapping of ISO/IEC 27001 Titles Into PDCA Cycle
Act Plan

5. Leadership
10. Improvement

4. Context of the
Requirements Organization 6. Planning Managed Risks

9. Performance Evaluation
7. Support

8. Operation

Check Do
Source: Tolga Mataracioglu. Reprinted with permission.

ISO/IEC 27001 contains 14 control domains, shown in COMPARISON OF THE STANDARDS

figure 7, and 114 controls. InformationShield has developed a table that provides
high-level mapping between the security requirements of
Figure 7—The 14 Control Domains of ISO/IEC 27001 PCI DSS and ISO/IEC 27001.7
It is recommended that combining both PCI DSS and
Control Domains Number of
Controls ISO/IEC 27001 provides better solutions about information
A.5: Information security policies 2 security to organizations. The flexibility of ISO/IEC 27001
is higher than that of PCI DSS, since all of the controls have
A.6: Organization of information security 7
been written at a high level.
A.7: Human resources security 6
“The organizations have to determine the boundaries and
A.8: Asset management 10 applicability of the information security management system
A.9: Access control 14 to establish its scope.”8 When comparing the scope of the two
A.10: Cryptography 2 standards, scope selection in ISO/IEC 27001 depends on the
A.11: Physical and environmental security 15 company; however, the scope is exactly the credit cardholder
information in PCI DSS.
A.12: Operations security 14
Although the controls in ISO/IEC 27001 are
A.13: Communications security 7
recommendations, it is important to note that the controls in
A.14: S ystem acquisition, development 13 PCI DSS are compulsory.
and maintenance
Since ISO/IEC 27001 is more flexible than PCI DSS, it is
A.15: Supplier relationships 5 easier to conform to the ISO/IEC 27001 standard.
A.16: Information security incident management 7 When comparing the costs, establishing a typical
A.17: Information security aspects of business 4 information security management system (ISMS) and
continuity management completing the PDCA cycle costs approximately
A.18: Compliance 8 US $150,000 in a typical organization. The cost of a typical
TOTAL: 114 PDCA cycle includes:9
Source: Tolga Mataracioglu. Reprinted with permission. Based on International • The costs that are caused by information security incidents
Organization for Standardization, ISO/IEC 27002, Information technology— • The costs for managing information security
Security techniques—Code of practice for information security controls, www.
iso.org/iso/catalogue_detail?csnumber=54533 • The costs that are related to information security measures
• The costs of capital that are induced by information
security risk

54 ISACA JOURNAL VOLUME 1, 2016

 However, the cost of compliance with PCI DSS is
approximately US $120,000 to US $700,000, due to the
differences among the four levels.
And what about auditing? Recertification auditing of
ISO/IEC 27001 is performed in three-year cycles and
small-scope auditing is performed every year. There are also
surveillance audits that are performed at least once a year. In
contrast, there are four network scanning audits and an onsite
audit for level 1 in PCI DSS.
There are compliance levels in PCI DSS to measure the
maturity level of the company; no compliance levels exist in
ISO/IEC 27001.
Mapping of PCI DSS and ISO/IEC 27001 is shown in
figure 8.
CONCLUSION
PCI DSS is a standard to cover information security of credit
cardholders’ information, whereas ISO/IEC 27001 is a
specification for an information security management system.
Mapping of PCI DSS and ISO/IEC 27001 standards is vital
information for managers who are tasked with conforming
to either standard in their organizations. It is recommended
that PCI DSS and ISO/IEC 27001 be combined to give better
solutions about information security to organizations.
ENDNOTES
1 CDS, PCI Security Standards Council, cdsus.com/default/
PCICompliance.php?url=PCICompliance&PHPSESSID=
bdd07f210c2e5109832eee383d0b1656
International Organization for Standardization,
2

Figure 8—Mapping of PCI DSS and ISO/IEC 27001:2013 Technical Commitees, www.iso.org/iso/home/standards_
development/list_of_iso_technical_committees.htm
ISO/IEC 27001:2013
Parameter Standard PCI DSS 3 PCI Security Standards Council, What Is the PCI Security
Creator ISO PCI Council Standards Council?, www.pcisecuritystandards.org/
security_standards/role_of_pci_council.php
Flexibility High Low
4 PCI Security Standards Council, Payment Card Industry
Scope Depends on the Credit cardholders’
Data Security Standard Approved Scanning Vendors,
company information
May 2013, https://www.pcisecuritystandards.org/
Controls applied Flexible Tight
documents/ASV_Program_Guide_v2.pdf
Controls High-level Low-level 5 Tangen, S.; A. Warris; “Management Makeover - New
Control types “Should” “Must” Format for Future ISO Management System Standards,”
Compliance Easy Hard International Organization for Standardization, 18 July
Number of controls 114 224 2012, www.iso.org/iso/news.htm?refid=Ref1621
Auditing Three-year cycles Four network 6 The 9000 Store, ISO 9001:2015 in Detail: What is the
and a small-scope scanning audits and New Annex SL Platform?, the9000store.com/
audit performed an onsite audit for iso-9001-2015-annex-sl.aspx
every year level 1
7 InformationShield, PCI-DSS Policy Mapping Table,
Certification May be given to all Any companies that www.informationshield.com/papers/ISO27002%20PCI-
companies provide information
DSS%20V3%20Policy%20Map.pdf
security for critical
paying processes International Organization for Standardization,
8

Compliance level Does not exist Exists ISO/IEC 27001 Information Technology—Security
Techniques—Information Security Management
Source: Tolga Mataracioglu. Reprinted with permission.
Systems—Requirements, www.iso.org/iso/iso_catalogue/
catalogue_tc/catalogue_detail.htm?csnumber=42103
9 Brecht, M.; T. Nowey; A Closer Look at Information
Security Costs, working paper, The Workshop on the
Economics of Information Security, www.econinfosec.org/
archive/weis2012/papers/Brecht_WEIS2012.pdf

ISACA JOURNAL VOLUME 1, 2016 55

 Crossword
Puzzle
By Myles Mellor
www.themecrosswords.com

1 2 3 4 5 6 7 8 31. Family of operating systems

9
32. What an IT auditor should come up with rather than
“cannot be done”
10 11 12
36. COBIT-related credential
13 37. End weakly
14 15 16 38. Morning time
41. File sorting aid
17 18 19
43. It can affect the reliable operation of computer equipment
20 21 22
44. Money paid out
23 24 45. Like a room that has not been used for a long time
25 26 27 28 29
DOWN
30 31
1. Its role has to be focused on keeping business and
32 33
IT initiatives on track, abbr.
34 35 2. Rights and obligations relating to personal information
36 37 38 39
4. Incautious
5. One of the Poles
40 41 42
6. Holding, storing
43 44 45 7. Defect in a computer system
8. Magnitude
9. Nimbleness, ability to adapt
16. It may stand in the way of changing viewpoint
ACROSS 17. Key factor to establish and stick to during an IT audit
1. Definitive statement on data privacy, abbr. 19. Firm, for short
3. Open to attack 21. Blemish
10. Verifying identity 22. Formed into a structured and coherent whole
11. Open conflict 23. Established standard by which things are measured
12. The best kind of security relating to storage of 24. “____, but verify” old Russian proverb made popular
personal information by Ronald Reagan
13. “This __ test,” 2 words 26. Decide
14. Prove deficient 27. Continent (abbr)
15. Be determined by, 2 words 28. Scribble
18. Very cold 29. Warnings that might be delivered by an IT auditor
20. Secret prefix 31. Short for dealer
21. Check, track and observe 33. General direction
23. Exclude 34. IS auditor certification, abbr.
25. Type of device that has been susceptible to cyberattack, abbr. 35. Like some predictions
28. Computerese, e.g., language that can cause IT auditors to 39. Bathroom need
be unappreciated 40. High grades
29. Popular rental 42. Word indicating authorship
30. Organization to improve the quality of the environment

(Answers on page 58)

56 ISACA JOURNAL VOLUME 1, 2016


QUIZ #164
Based on Volume 5, 2015—Cybersecurity
Value—1 hour of CISA/CISM/CGEIT/CRISC continuing professional education (CPE) credit
TRUE OR FALSE
MOSCA ARTICLE
1. What organizations need to begin thinking about quantum
computers now is not an immediate drastic overhaul of their
security infrastructure, but rather an “ounce of prevention” as
quantum technologies begin to take shape on the horizon.
2. Quantum cryptography is based on the law of quantum
mechanics that says that observing quantum data necessarily
disturbs them; this means that any eavesdropping on a quantum
transmission used for key establishment can be instantly detected
before any data can possibly be compromised.
SHARKASI ARTICLE
3. For a long time, service providers, government organizations
and private enterprises have been able to benefit from the
cost savings and flexibility of choosing the right security
tools to mitigate the risk of deliberately intercepted, stolen or
corrupted sensitive data.
4. Without a coordinated risk management strategy, organizations
will continue to struggle with repeated policy iterations before
risk-handling procedures and controls are efficiently aligned.
5. All cloud application providers offer basic transport layer
security, such as Secure Sockets Layer (SSL), to protect data
while in transit to their servers. Employees uploading sensitive
documents on unencrypted connections is not an issue that
must be addressed.
6. Optimal cloud security practices should include encryption of
sensitive data used by cloud-based virtual machines, centralized
key management that allows the user (and not the cloud
provider) to control cloud data, and an assurance that cloud data
are accessible according to established enterprise policies.
7. End-point protection should be focused on tools that deliver
a centrally managed, web-based, easy-to-use, fully integrated
management interface that delivers a full suite of protection to
end points. End-point security tools should also be supported
by a management dashboard that provides real-time security
posture reporting over all managed end points.
8. Security tools cannot keep Internet users from becoming
Internet abusers or guard against network-draining viruses,
spam and chain email, or mitigate legal, compliance and
reputational risk.
CPE Quiz
Prepared by Sally Chan, CGEIT,
CMA, CPA,
Take the quiz online:
WLOSINSKI ARTICLE
9. The annual cost of cybercrime to consumers in the US is more
than US $38 billion; in China, it is more than US $37 billion;
and in Europe, more than US $13 billion.
10. The problem with the underground threat is not at the
organization’s enterprise or system level; rather, it is a world
threat. Stopping all sources is a monumental task that requires
the cooperation of many countries and organizations.
11. Some of the countermeasures that can be implemented at
the global level include developing an inventory system that
would document what it discovers and having those who use
encryption employ something that cannot be broken, such as
developing an internal proprietary encryption formula that
works for a single organization only.
SULLIVAN ARTICLE
12. Microcertifications periodically validate access privileges
against business policies when they are triggered by
questionable activities and events. If violations are found,
notifications are batched to the relevant managers for remedial
action. Managers constantly rectify compliant user accounts.
13. Implementing microcertifications requires two elements: a
unified IT security infrastructure and big data analysis tools.
The COBIT® 5 governance map, developed by ISACA®,
addresses the current patchwork nature of most identity and
access management systems.
LIEBERMAN ARTICLE
14. In any well-designed business continuity/disaster recovery
(BC/DR) program, there are three roles that provide
leadership: sponsorship, ownership and custodianship.
Traditionally, a successful program starts with sponsorship that
flows from the C-suite and the board of directors (BoD) to the
rest of the firm.
15. As part of the development and implementation of the
BC/DR cyberbreach program, and prior to any cyberbreach
actually happening, the chief executive officer (CEO) should
locate an experienced outside cyberbreach expert—one who
understands the technical, legal and regulatory implications of
particular types of cyberbreaches.
ISACA JOURNAL VOLUME 1, 2016 57
 ISACA® Journal
CPE Quiz
Based on Volume 5, 2015—Cybersecurity

Quiz #164 Answer Form

(Please print or type)

Get noticed…
Name______________________________________________
__________________________________________________
Address_____________________________________________

Advertise in the
__________________________________________________
__________________________________________________
CISA, CISM, CGEIT or CRISC #_____________________________

Quiz #164 ISACA® Journal

True or False
For more information, contact
MOSCA ARTICLE WLOSINSKI ARTICLE
1.___________ 9.___________
media@isaca.org.
2.___________ 10.__________

SHARKASI ARTICLE 11.__________

3.___________ SULLIVAN ARTICLE

4.___________ 12.__________
5.___________ 13.__________
6.___________ LIEBERMAN ARTICLE Answers—Crossword by Myles Mellor
See page 56 for the puzzle.
7.___________ 14.__________
1 2 3 4 5 6 7 8
8.___________ G A P P V U L N E R A B L E
15.__________ 9
E R A N O E U X
10 11 12
I D I N G W A R T I G H T
13
T V I S A T E E
14 15 16
F A I L R H I N G E O N
17 18 19
S C I C Y T G T
20 21 22
C R Y P T O M O N I T O R
23 24
Please confirm with other designation-granting professional bodies for their O Y B A R O T
25 26 27 28 29
CPE qualification acceptance criteria. Quizzes may be submitted for grading only P O S J A R G O N C A R
by current Journal subscribers. An electronic version of the quiz is available at 30 31
www.isaca.org/cpequiz; it is graded online and is available to all interested parties. E P A D O S A A U
If choosing to submit using this print copy, please email, fax or mail your 32 33
answers for grading. Return your answers and contact information by email to T A L T E R N A T I V E S
info@isaca.org or by fax to +1.847.253.1443. If you prefer to mail your quiz, 34 35
in the US, send your CPE Quiz along with a stamped, self-addressed envelope, C D R L I R E T
to ISACA International Headquarters, 3701 Algonquin Rd., #1010, Rolling 36 37 38 39
Meadows, IL 60008 USA. I T I L F I Z Z L E A M
Outside the US, ISACA will pay the postage to return your graded quiz. 40 41 42
You need only to include an envelope with your address. S R A N E N T A B
43 44 45
You will be responsible for submitting your credit hours at year-end for A G E S P E N D D U S T Y
CPE credits.
A passing score of 75 percent will earn one hour of CISA, CISM, CGEIT or
CRISC CPE credit.

58 ISACA JOURNAL VOLUME 1, 2016

 Standards
Guidelines
ISACA MEMBER AND CERTIFICATION HOLDER COMPLIANCE
Tools and Techniques
The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that
apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the
ISACA® professional contribution to the audit community.
IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:
n IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the
ISACA Code of Professional Ethics
n Management and other interested parties of the profession’s expectations concerning the work of practitioners
n Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an
investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
ITAF TM, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:
n IS Audit and Assurance Standards
The standards are divided into three categories:
–G  eneral standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of
all assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge,
competency and skill.
–P  erformance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality,
resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and
due care.
–R  eporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.
n IS Audit and Assurance
 The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same
categorisation as the standards (also divided into three categories):
–G  eneral guidelines (2000 series)
–P  erformance guidelines (2200 series)
–R  eporting guidelines (2400 series)
n IS Audit and Assurance Tools and Techniques
– These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/
assurance programmes, reference books, and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set
out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The guidance should
not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the
same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to
the specific control circumstances presented by the particular systems or IS environment.

IS Audit and Assurance Standards IS Audit and Assurance Guidelines

The titles of issued standards documents are listed as follows: Please note that the new guidelines became effective 1 September 2014.
General General
1001 Audit Charter 2001 Audit Charter
1002 Organisational Independence 2002 Organisational Independence
1003 Professional Independence 2003 Professional Independence
1004 Reasonable Expectation 2004 Reasonable Expectation
1005 Due Professional Care 2005 Due Professional Care
1006 Proficiency 2006 Proficiency
1007 Assertions 2007 Assertions
1008 Criteria 2008 Criteria
Performance Performance
1201 Engagement Planning 2201 Engagement Planning
1202 Risk Assessment in Planning 2202 Risk Assessment in Planning
1203 Performance and Supervision 2203 Performance and Supervision
1204 Materiality 2204 Materiality
1205 Evidence 2205 Evidence
1206 Using the Work of Other Experts 2206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts 2207 Irregularity and Illegal Acts
2208 Sampling
Reporting
1401 Reporting Reporting
1402 Follow-up Activities 2401 Reporting
2402 Follow-up Activities

The ISACA Professional Standards and Career Management Committee (PSCMC) is dedicated to ensuring wide consultation in the preparation of
ITAF standards and guidelines. Prior to issuing any document, an exposure draft is issued internationally for general public comment.
Comments may also be submitted to the attention of the Director of Professional Standards Development via email (standards@isaca.org); fax
(+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

ISACA JOURNAL VOLUME 1, 2016 59

 Advertisers/Web Sites
Capella capella.edu/ISACA 3
Chiron chirontech.com Back Cover
Leaders and Supporters
Editor
Jennifer Hajigeorgiou
publication@isaca.org
Assistant Editorial Manager
Maurita Jasper
Contributing Editors
Sally Chan, CGEIT, CPA, CMA
Ed Gelbstein, Ph.D.
Kamal Khan, CISA, CISSP, CITP, MBCS
Vasant Raval, DBA, CISA
Steven J. Ross, CISA, CBCP, CISSP
B. Ganapathi Subramaniam, CISA, CIA,
CISSP, SSCP, CCNA, CCSA, BS 7799 LA Norman Marks
Smita Totade, Ph.D., CISA, CISM, CGEIT, CRISC Tamer Marzouk, CISA
ISACA® Journal, formerly Information Systems
Control Journal, is published by the Information Advertising
Systems Audit and Control Association® media@isaca.org
(ISACA®), a nonprofit organization created for the
public in 1969. Membership in the association,
Media Relations
a voluntary organization serving IT governance
professionals, entitles one to receive an annual news@isaca.org
subscription to the ISACA Journal.
Editorial Reviewers
Opinions expressed in the ISACA Journal
represent the views of the authors and
Matt Altman, CISA, CISM, CGEIT, CRISC
advertisers. They may differ from policies and Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, Ezekiel Demetrio J. Navarro, CPA
official statements of ISACA and/or the IT ITIL, MBCI
Governance Institute and their committees, and Cheolin Bae, CISA, CCIE
from opinions endorsed by authors, employers
Brian Barnier, CGEIT, CRISC
or the editors of this Journal. ISACA Journal does
Pascal A. Bizarro, CISA
not attest to the originality of authors’ content.
Jerome Capirossi, CISA
© 2016 ISACA. All rights reserved. Joyce Chua, CISA, CISM, PMP, ITILv3
Ashwin K. Chaudary, CISA, CISM, CGEIT, CRISC Parvathi Ramesh, CISA, CA
Instructors are permitted to photocopy isolated
articles for noncommercial classroom use Ken Doughty, CISA, CRISC, CBCP
without fee. For other copying, reprint or Nikesh L. Dubey, CISA, CISM, CRISC, CISSP
republication, permission must be obtained in Ross Dworman, CISM, GSLC
writing from the association. Where necessary, Robert Findlay
permission is granted by the copyright
owners for those registered with the Copyright John Flowers
Jack Freund, CISA, CISM, CRISC, CIPP,
Clearance Center (CCC) (www.copyright.
com), 27 Congress St., Salem, MA 01970, CISSP, PMP
to photocopy articles owned by ISACA, for a Sailesh Gadia, CISA
flat fee of US $2.50 per article plus 25¢ per
Robin Generous, CISA, CPA
page. Send payment to the CCC stating the
ISSN (1944-1967), date, volume, and first and Anuj Goel, Ph.D., CISA, CGEIT, CRISC, CISSP Johannes Tekle, CISA, CFSA, CIA
last page number of each article. Copying for Tushar Gokhale, CISA, CISM, CISSP,
other than personal use or internal reference, ISO 27001 LA
or of articles or columns not owned by the
Tanja Grivicic
association without express permission of the
Manish Gupta, Ph.D., CISA, CISM, CRISC,
association or the copyright owner is expressly
prohibited. CISSP
Mike Hansen, CISA, CFE
Subscription Rates:
Jeffrey Hare, CISA, CPA, CIA
US: one year (6 issues) $80.00
All international orders: one year (6 issues) Jocelyn Howard, CISA, CISMP, CISSP
$95.00. Remittance must be made in US Francisco Igual, CISA, CGEIT, CISSP
funds. Jennifer Inserro, CISA, CISSP
ISSN 1944-1967
Khawaja Faisal Javed, CISA, CRISC, CBCP, ISACA Board of Directors
ISMS LA (2015–16)
Farzan Kolini GIAC International President
Abbas Kudrati, CISA, CISM, CGEIT, CEH, CHFI, Christos Dimitriadis, Ph.D., CISA, CISM, CRISC,
EDRP, ISMS ISO 20000 LA
Shruti Kulkarni, CISA, CRISC, CCSK, ITIL V3
Vice President
Bhanu Kumar
Rosemary Amato, CISA, CMA, CPA
Hiu Sing (Vincent) Lam, CISA, CPIT(BA),
ITIL, PMP Vice President
Edward A. Lane, CISA, CCP, PMP Garry Barnes, CISA, CISM, CGEIT, CRISC
Romulo Lomparte, CISA, CISM, CGEIT, CRISC, Vice President
CRMA, ISO 27002, IRCA Rob Clyde, CISM
Juan Macias, CISA, CRISC
Larry Marks, CISA, CGEIT, CRISC Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP,
CGMA, CIA, CPA
Krysten McCabe, CISA Vice President
Brian McLaughlin, CISA, CISM, CRISC, CIA, Leonard Ong, CISA, CISM, CGEIT, CRISC, CFE,
CISSP, CPA CFP, CIPM, CIPT, CISSP, CISSLP, PMP
Brian McSweeney
Vice President
Irina Medvinskaya, CISM, FINRA, Series 99
Andre Pitkowski, CGEIT, CRISC, CRMA, OCTAVE
David Earl Mills, CISA, CGEIT, CRISC, MCSE
Robert Moeller, CISA, CISSP, CPA, CSQE Vice President
Ramu Muthiah, CISM, GSLC, ITIL, PMP Edward Schwartz, CISA, CISM, CAP, CISSP,
Gretchen Myers, CISSP ISSEP, NSA-IAM, PMP, SSCP
Past International President, 2014-2015
Jonathan Neel, CISA Robert E Stroud, CGEIT, CRISC
Anas Olateju Oyewole, CISA, CISM, CRISC,
CISSP, CSOE, ITIL Past International President, 2013–2014
Tony Hayes, CGEIT, AFCHSE, CHE, FACS,
Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE
FCPA, FIIA
John Pouey, CISA, CISM, CRISC, CIA
Steve Primost, CISM Past International President, 2012–2013
Greg Grocholski, CISA
Antonio Ramos Garcia, CISA, CISM, CRISC,
Director
CDPP, ITIL
Ron Roy, CISA, CRP Zubin Chagpar, CISA, CISM
Louisa Saunier, CISSP, PMP, Six Sigma Director
Green Belt Raghu Iyer, CISA, CRISC
Nrupak D. Shah, CISM, CCSK, CEH, ECSA ITIL
Director
Shaharyak Shaikh
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC
Sandeep Sharma
Catherine Stevens, ITIL Chief Executive Officer and Secretary
Matthew S. Loeb, CAE
Robert W. Theriot Jr., CISA, CRISC
Nancy Thompson, CISA, CISM, CGEIT, PMP
Smita Totade, Ph.D., CISA, CISM, CGEIT,
CRISC
Ilija Vadjon, CISA
Sadir Vanderloot Sr., CISA, CISM, CCNA,
CCSA, NCSA
Anthony Wallis, CISA, CRISC, CBCP, CIA
Kevin Wegryn, PMP, Security+, PFMP
Tashi Williamson
Ellis Wong, CISA, CRISC, CFE, CISSP
ISACA BOOKSTORE
RESOURCES FOR YOUR
PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore

NOW AVAILABLE!

NEW! UPDATED CERTIFICATION EXAM

PREPARATION MATERIALS
GET PREPPED FOR EXAM AND CAREER SUCCESS

Browse over 450 publications featuring the latest research and expert thinking on standards,
best practices, emerging trends and more at www.isaca.org/bookstore S-1
 ISACA® Certification Exam Prep Materials
BESTSELLING PRODUCT

CISA® Review Questions, Answers & CISA® Review Manual, 26th Edition
Explanations Database—12-Month Subscription The CISA® Review Manual, 26th Edition is a comprehensive
The CISA Review Questions, Answers & Explanations reference guide designed to help individuals prepare for the
Database is a comprehensive 1,000-question pool of items CISA exam and understand the roles and responsibilities
that contains the questions from the CISA Review Questions, of an information systems (IS) auditor. The manual has
Answers & Explanations Manual, 11th Edition. The database been revised according to the 2016 CISA Job Practice and
has been revised according to the recently updated 2016 represents the most current, comprehensive, peer-reviewed
CISA Job Practice. IS audit, assurance, security and control resource available.

Exam candidates can take sample exams with randomly The 26th edition is organized to assist candidates in
selected questions and view the results by job practice understanding essential concepts and studying the following
domain, allowing for concentrated study in particular areas. job practice areas: The Process of Auditing Information
Additionally, questions generated during a study session Systems; Governance and Management of IT; Information
are sorted based on previous scoring history, allowing CISA Systems Acquisition, Development and Implementation;
candidates to identify their strengths and weaknesses and Information Systems Operations, Maintenance and Service
focus their study efforts accordingly. Management; Protection of Information Assets.

The information contained in the 12-month subscription is Member: US $105.00

26 Edition
th

the same information that is contained in the CISA Review

CISA Non-member: US $135.00
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA

P: +1.847.253.1545
F: +1.847.253.1443
E: info@isaca.org

Questions, Answers & Explanations Manual, 11th Edition. The Product Code: CRM26ED
isaca.org

Review Manual

database is available via the web, allowing candidates to log

CISA Review Manual — 26th Edition

Available in: Chinese Simplified, French, Italian,

in anywhere they have Internet connectivity. This database is
Japanese, and Spanish.
MAC and Windows compatible.

2016
Member: US $185.00
Non-member: US $225.00
CISA
Review Questions, Answers
& Explanations Database
Product Code: XMXCA15-12M
The CISA® Review Questions, Answers &
Explanations Database is also available on
CISA® Review Questions, Answers &
CD-Rom in Spanish. Explanations Manual, 11th Edition
Designed to familiarize candidates with the question types
and topics featured in the CISA exam, the CISA® Review
Questions, Answers & Explanations Manual, 11th Edition
consists of 1,000 multiple-choice study questions. The
CISA® Review Questions, Answers & information contained in the CISA Review Questions,
Explanations Database—6-Month Extension Answers & Explanations is the same information that is
contained in the 12-Month Subscription.
The CISA® Questions, Answers & Explanations Database—
6-Month Extension can only be purchased only as an Many questions have been revised or completely rewritten
extension to the CISA Questions, Answers & Explanations to be more representative of the CISA exam question
Database—12-Month Subscription. The database is available format and/or to provide further clarity or explanation of
via the web, allowing CISA Candidates to log in at home, the correct answer. These questions are not actual exam
at work or anywhere they have Internet connectivity. items but are intended to provide CISA candidates with an
understanding of the type and structure of questions and
Member: US $45.00 content that have previously appeared on the exam.
2016
Non-member: US $65.00
CISA
Review Questions, Answers
& Explanations Database
Product Code: XMXCA15-EXT180 Member: US $100.00
CISA Review Questions, Answers & Explanations Manual

Non-member: US $130.00
Product Code: QAE11ED
11 Edition
Available in: Chinese Simplified, Italian,
th

CISA
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA

P: +1.847.253.1545

Japanese, and Spanish

F: +1.847.253.1443
E: info@isaca.org
isaca.org

Review Questions, Answers &

Explanations Manual
11th Edition

S-2

BESTSELLING PRODUCT
CISM® Review Questions, Answers &
Explanations Database—12-Month Subscription
The CISM® Review Questions, Answers & Explanations
Database is a comprehensive 950-question pool of items
that contains the questions from the CISM® Review
Questions, Answers & Explanations Manual, 8th Edition.
The database is available via the web, allowing our CISM
candidates to log in at home, at work or anywhere they
have Internet connectivity. The database is MAC and
Windows compatible.
Exam candidates can take sample exams with randomly
selected questions and view the results by job practice
domain, allowing for concentrated study in particular areas.
Additionally questions generated during a study session are
sorted based on previous scoring history, allowing CISM
candidates to identify their strengths and weaknesses and
focus their study efforts accordingly.
The information contained in the 12-Month Subscription is
the same information that is contained in the CISM Review
Questions, Answers & Explanations Manual, 8th Edition.
Member: US $185.00
2016
CISM
Review Questions, Answers
& Explanations Database
Non-member: US $225.00
Product Code: XMXCM15-12M
CISM Review Questions, Answers &
® Manual, 8th Edition consists of 950 multiple-choice study
Explanations Database—6-Month Extension
The CISM® Questions, Answers & Explanations Database—
6-Month Extension can only be purchased only as an
extension to the CISM Questions, Answers & Explanations
Database—12-Month Subscription. The database is available
via the web, allowing CISM Candidates to log in at home,
at work or anywhere they have Internet connectivity.
2016
Member: US $45.00
CISM
Review Questions, Answers
& Explanations Database
Non-member: US $65.00
Product Code: XMXCM15-EXT180
NE
UP W
DA LY
TE
D!
CISM® Review Manual, 14th Edition
The CISM® Review Manual, 14th Edition assists candidates
to study and understand essential concepts in the following
job practice areas: Information Security Governance;
Information Risk Management and Compliance; Information
Security Program Development and Management;
Information Security Incident Management.
Each of the book’s four chapters has been divided into two
sections for focused study. Section one of each chapter
contains the definitions and objectives for the four
areas, as well as the corresponding tasks performed by
information security managers and knowledge statements
that are tested on the exam. Section two of each chapter
consists of reference material and content that support
the knowledge statements. The material enhances CISM
candidates’ knowledge and/or understanding when
preparing for the CISM certification exam. Also included are
definitions of terms most commonly found on the exam.
Member: US $105.00
Non-member: US $135.00
Product Code: CM14ED
Also available in Spanish
Product Code: CM14EDS
CISM® Review Questions, Answers &
Explanations Manual, 8th Edition
The CISM® Review Questions, Answers & Explanations
questions, answers and explanations, which are organized
according to the CISM job practice domains.
The questions, answers and explanations are intended
to introduce the CISM candidate to the types of questions
that appear on the CISM exam. They are not actual
questions from the exam. Questions are sorted by CISM
job practice domains and a sample exam of 200 questions
is also provided. The information contained in the CISM
Review Questions, Answers & Explanations is the same
information that is contained in the 12-Month Subscription.
Member: US $100.00
Non-member: US $130.00
Product Code: CQA8ED
S-3
 ISACA® Certification Exam Prep Materials

CGEIT® Review Manual, 7th Edition CRISC™ Review Questions, Answers &
The CGEIT® Review Manual is designed to help individuals Explanations Database—12-Month Subscription
prepare for the CGEIT exam and understand the responsibilities The CRISC™ Practice Question Database is a comprehensive
of those who implement or manage the governance of 500-question pool of items that contains the questions from
enterprise IT (GEIT). It is a detailed reference guide that has the CRISC™ Review Questions, Answers & Explanations
been developed and reviewed by subject matter experts Manual, 4th Edition. The database is available via the web,
actively involved in governance of enterprise IT worldwide. allowing CRISC candidates to log in at home, at work or
anywhere they have Internet connectivity. The database is
The CGEIT® Review Manual features an easy-to-use format.
MAC and Windows compatible.
Each of the book’s five chapters has been divided into
two sections for focused study. Section one contains the Exam candidates can take sample exams with randomly
definitions and objectives for each of the five CGEIT practice selected questions and view the results by job practice
areas, as well as the corresponding tasks performed by domain, allowing for concentrated study in particular areas.
GEIT professionals and knowledge statements necessary Additionally, questions generated during a study session are
to perform these tasks. Section two of each chapter sorted based on previous scoring history, allowing CRISC
consists of content and reference material that supports the candidates to identify their strengths and weaknesses and
knowledge statements. focus their study efforts accordingly.

7 Edition
th
Member: US $85.00 Member: US $185.00
2016

CGEIT Non-member: US $115.00

CRISC Non-member: US $225.00
3701 Algonquin Road | Suite 1010
Rolling Meadows, IL 60008 | USA

P: +1.847.253.1545
F: +1.847.253.1443

Product Code: CGM7ED

E: info@isaca.org

Product Code: XMXCR14-12M

isaca.org

Review Manual
Review Questions, Answers
& Explanations Database
CGEIT Review Manual — 7th Edition

CRISC Review Manual — 6th Edition

Available in Japanese CRISC Review Questions, Answers & Explanations

Product Code: CGM7EDJ Manual, 4th Edition is available in print.
Member: US $60.00
Non-member: US $80.00
Product Code: CRQ4ED
Available in Spanish. Product Code: CRQ4EDS

CGEIT® Review Questions, Answers &

Explanations Manual, 4th Edition
The CGEIT® Review Questions, Answers & Explanations CRISC™ Review Manual, 6th Edition
Manual is designed to familiarize candidates with the question The CRISC™ Review Manual is a comprehensive reference
types and topics featured in the CGEIT exam. The questions guide designed to help individuals prepare for the CRISC
are not actual exam items but are intended to provide CGEIT exam and understand IT-related business risk management
candidates with an understanding of the type and structure roles and responsibilities. The manual has been enhanced
of questions and content that has previously appeared on the over the past editions and represents the most current,
exam. To help candidates maximize—and customize—study comprehensive, peer-reviewed IT-related business risk
efforts, questions are presented in the following two ways: management resource available worldwide. The CRISC™
• Sorted by job practice area Review Manual, 6th Edition offers an easy-to-navigate
• Scrambled as a sample 75-question exam format. Each of the book’s four chapters has been divided
into two sections for focused study.
Member: US $60.00
CGEIT Review Questions, Answers & Explanations Manual

Non-member: US $75.00 6 Edition

th
Member: US $85.00
CRISC Non-member: US $115.00
3701 Algonquin Road | Suite 1010

Product Code: CGQ4ED

Rolling Meadows, IL 60008 | USA

P: +1.847.253.1545
F: +1.847.253.1443
E: info@isaca.org

Product Code: CRR6ED

isaca.org

Review Manual
4 Edition
th

CGEIT
CRISC Review Manual — 6th Edition

Available in Spanish
Review Questions, Answers &
Explanations Manual
Product Code: CRR6EDS
4th Edition

2 EASY WAYS TO ORDER:

1. Online — Access ISACA’s bookstore online anytime 24/7 at www.isaca.org/bookstore
S-4
2. Phone — Contact us by phone M – F between 8:00AM – 5:00PM Central Time (CT) at 847.660.5650
DEVELOP YOUR EDGE AS A CYBER SECURITY
FIRST RESPONDER.
Build and hone your abilities to be an in-demand professional in the growing global cyber workforce.
CSX Practitioner Labs enable you to develop your technical skills in an adaptive, performance-based cyber
laboratory environment. You’ll practice applying essential concepts and industry-leading methods, using an
array of open-source tools, within real-world scenarios. Gain critical skills to help you advance your career –
and prove you have what it takes to get the job done, by preparing for the CSX Practitioner certification.

Visit www.isaca.org/csxplabs for more information.

 TRAIN
LIKE YOU
FIGHT

CHIRON’S TEAM OF EXPERT INSTRUCTORS BRING YEARS OF

RELEVANT, REAL-WORLD EXPERIENCE INTO THE CLASSROOM.

Chiron’s cyber protection program trainees are challenged and OFFENSIVE AND DEFENSIVE
tested with real-world scenarios based on today’s dynamic, CYBER OPERATIONS
agile and constantly evolving threat environment. Unlike
ADVANCED THREAT SIMULATION
simulated training, Chiron’s classes are held in a laboratory
setting unrestricted by rigid network security constraints that NETWORK FORENSICS AND
hamper the hands-on learning experience. THREAT ANALYSIS
Our customized training approach creates qualified Information
MALWARE REVERSE ENGINEERING
Operations professionals that are tested and equipped to
handle the real-life cyber threats of today. SIMULATED TRAINING ENVIRONMENT

LEARN MORE ABOUT OUR TRAINING:

410-672-1522, ext. 113 | training@chirontech.com
or visit chirontech.com