FEATURES

14 The Pain of Automation (Disponible également en français)
Wade Cassels, CISA, CFE, CIA, CCSA, CIA, Kevin Alvero, CISA, CFE, and Jessica Fernandez, CISA
Jane Traub

19 Acknowledging Humanity in the Governance of Emerging Technology and Digital Transformation (Disponible également en français)
Guy Pearce, CGEIT

PLUS

54 HelpSource
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

56 Crossword Puzzle
Myles Mellor

57 CPE Quiz

Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features
The following is a sample of the upcoming features planned for July and August.

Auditing Green IT Governance and Management With COBIT 5
J. David Patón-Romero, CISA, PMP, Maria Teresa Baldassarre, PMP, Moisés Rodríguez, CISA, and Mario Piattini, CISA, CRISC, CISM, CGEIT, PMP

Evolving From Qualitative to Quantitative Risk Assessment
Benoit Heynderickx, CISA, CRISC, CIPP/IT, CISSP, GPEN, ITIL v3, PCIP

Understanding Compliance Risk in Finance and Banking
Muhammad Waheed Qureshi

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Telephone: +1.847.660.5505
Fax: +1.847.253.1755
www.isaca.org
Someone Else

Steven J. Ross, CISA, AFBCI, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.

Running an IT department used to be so simple. The programmers wrote programs; the technicians migrated the programs into production; and the operators ran them. These days, programmers implement systems purchased from a vendor. The techs have their hands full just keeping the infrastructure (or more likely, the infrastructures) up and running. And, more often than not, the programs are running in someone else’s data center.

Let me complicate that a bit more. If the operators are running systems at all, they may be running them in someone else’s data center, a colocation facility or colo. Many of the applications and much of the infrastructure are, or soon will be, rented from a third party as a service (or, more likely, as-a-service). And each of those services may well have been selected by end-user management with little or no input from IT personnel who specialize in security, reliability, recoverability or interoperability with other systems.

So, organizations are facing problems, if not yet crises, of IT governance, security, risk management and control—the perfecta of ISACA’s certifications.1 If you are a holder of any of these, you ought to be concerned. Frankly, even without those certifications, there is cause for concern. If you are a programmer, technician or operator, you may already be seeing jobs of some colleagues disappear from your organization. Even though someone else is experiencing a talent shortage,2 they seem to be on the sell-side rather than the buy-side.3

Restructuring the Way IT Is Done

The concern is not—or at least, not only—vendor management. It is a fundamental restructuring of the way information technology has been done since the dawn of commercial data processing in the 1960s. An organization, whether a corporation or a government agency, was viewed as an organic whole with a consolidated set of information resources. The objective, only imperfectly achieved, but the goal nonetheless, was to have a single base of information that would be apportioned to each business and each authorized individual as needed to carry out their business. Containing all of IT within an organization gave management the (supposed) ability to secure all of it.

The idea that all of IT could be contained was a chimera. The computers in the data center were powered by someone else (the electric company), communicated via someone else (the telecommunications carriers) and were maintained by someone else (the hardware vendors). Operating and database management systems were certainly not developed in-house. Purchased applications are not new either. But, for the most part, there was a certain degree of comfort knowing that all of these systems were running in an access- and climate-controlled room somewhere in management’s own building.

Where Did the Data Center Go?

Today, the data center is everywhere from someone’s pocket to the cloud. I am looking at my smartphone and I find applications such as foreign exchange calculation, medical benefits, voicemail and encryption that used to run in data centers. I know that these are applications running in a data center somewhere that I can access through the terminal in my pocket. The point is that both the data center and the terminal used to be in the building to which I had to travel in order to work.

The use of colos is recognition that computer operations and real estate are separable. The organization had a data center that was built around many basic controls: who could enter, how fires would be prevented, how power failures would be managed, how recovery would be carried out if there were a disaster. Now, those controls are someone else’s problem.

And, when information and the systems that support it disappear into the cloud, management’s ability to exercise control over them becomes even more tenuous. Depending on what services for which a particular business function contracts, someone else—the cloud vendor—may be
Figure 2—CISO: Mandate, Operating Principles, Span of Control and Authority Level

Area: Characteristic

Mandate: The overall responsibility of the enterprise information security programme.

Operating principles: Depending on a variety of factors within the enterprise, the CISO may report to the CEO, COO, CIO, CRO or other senior executive management. The CISO is the liaison between executive management and the information security programme. The CISO should also communicate and co-ordinate closely with key business stakeholders to address information protection needs. Accountability (and sign-off of important decisions) resides in the function to which the CISO reports, for example, a senior executive management team member or the ISSC.

Delegation rights: The CISO should delegate tasks to information security managers and business people.

Escalation path: The CISO should escalate key information risk-related issues to his/her direct supervisor and/or the ISSC.

Source: ISACA®, COBIT® 5 for Information Security, USA, 2012. Reprinted with permission.
The patch management policy also identified the roles and responsibilities for various individuals within their portfolios. The business owner was informed of the need to patch and was responsible for approving downtime so the patch could be applied. The system owner was responsible for applying the patch, and the application owner was then responsible for ensuring the patch was applied correctly. While roles and responsibilities were defined in the policy, there were no official designees for these roles. Again, this was not an acceptable situation.

COBIT® 2019 process Deliver, Service and Support (DSS) includes the management practice DSS05.01 Protect against malicious software, which requires an organization to implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., ransomware, malware, viruses, worms, spyware, spam).12

In addition, COBIT 2019 defines who is responsible and accountable (figure 3) for each of its key management practices. Clearly, the message here is that these roles should be mapped to named individuals in each of our enterprises.

Also noteworthy was the fact that internal audit had reported issues with the patching process. These included the failure to patch or remediate

Equifax Ran Business-Critical Systems on Legacy IT With Documented Security Risks

Equifax faced increased security risk due, in part, to its complex legacy IT environment. Legacy technology is both a security issue and a hindrance to innovation, and legacy systems are tough to secure because they are often extremely difficult to patch, monitor or upgrade. Equifax ran a number of its business-critical systems on legacy infrastructure, including the system compromised by attackers during the 2017 data breach.14

The use of legacy technologies and applications resulted in a dwindling number of employees with knowledge of how to operate and maintain the aging system. For example, Equifax did not have a comprehensive picture of the software used within the application. This was a key issue, as the patch management policy relied on its employees knowing the source and version of all software running on a certain application in order to manually initiate the patching process.

Equifax recognized the risk posed by continued operation of its legacy IT systems, had documented some security risk factors and even planned an upgrade; however, it failed to move quickly enough, resulting in the breach of the system.

Again, COBIT has documented these risk scenarios. Build, Acquire and Implement (BAI) BAI03.10

Figure 3 (responsibility chart; only the column headers Head IT Operations, Head Development and Privacy Officer survived extraction)
unproven. And one should not forget the business case risk, i.e., the uncertainty in terms of whether the technology will eventually realize the business benefits proposed for it—a risk amplified by emerging technology.

The accelerated rate of privacy concerns and privacy regulations globally raises more compliance risk and even more questions, with a further rapidly emerging issue concerning the ethical use of technology and/or its data, especially in AI applications.

These risk factors and issues are compounded for emerging digital technologies because the unknowns associated with emerging technologies are greater than those of mature technologies. The requirements for the appropriate oversight of digital transformation and emerging technologies intensify the already demanding requirements for good risk management knowledge, risk management experience and risk management instincts in today’s IT governance professionals.

Culture’s Role in Effective IT Governance Has Been Established

As complex as the previously mentioned risk factors are, they are still much easier to manage than are any human factors. The human factors are so significant that the global financial services regulatory agency, the Financial Stability Board (FSB), has been explicit about the role of culture (the set of human behaviors and norms that an organization finds acceptable) in establishing effective risk management, being the first regulatory agency to do so. In particular, the FSB speaks of setting the appropriate tone at the top; in other words, that the organization’s leadership sets a behavioral example for the organization to follow.

There is increasing recognition that culture is integral to absolutely everything. Some have referred to the tone at the top as “the first ingredient in a world-class ethics and compliance program.”4 It is little wonder that the concept is the subject of international attention, even becoming the subject of corporate governance codes such as South Africa’s King IV.5 Without a determined tone at the top, ethics and cultural initiatives lose their impact. What is the impact of ethics and integrity programs in organizations where “more and more CEOs [are] leaving their role amid accusations of ethics breaches and lack of integrity?”6

On a related note, corporate culture has been found to be the most significant critical success factor (CSF) for effective enterprise IT governance.7 Furthermore, International Organization for
In Toronto, Canada, a current tech controversy concerns what Sidewalk Labs—a subsidiary of Alphabet, just like Google, YouTube and Google X are—is really up to in its desire to create a hyperefficient sensor (and, therefore, data-driven)

• Security and protecting against technologies being used for bad
• The unforeseen consequences of AI-driven automation
Mohammed Khan
Is global head of digital health, IT, cyber and privacy audit at Baxter, a global medical device and healthcare organization. He manages a global team responsible for enterprise risk management across the organization and for conducting audits, assessments and advisory engagements. He has spearheaded multinational global audits and assessments in several areas, including enterprise resource planning systems, global data centers, cloud platforms (i.e., Amazon Web Services), third-party manufacturing and outsourcing reviews, process re-engineering and improvement, global privacy assessments (EU Data Protection Directive, the US Health Insurance Portability and Accountability Act [HIPAA], the EU General Data Protection Regulation [GDPR]), and FDA guidance specific to medical device cybersecurity over the past several years. Khan previously worked as an advisory consultant for leading consulting firms and multinational organizations. He frequently speaks at national and international conferences on topics related to data privacy, cybersecurity and risk advisory. He volunteers as an ISACA® Journal article reviewer and contributes actively to the ISACA Journal and ISACA’s blogs. In 2019, Khan received the ISACA® John W. Lainhart IV Common Body of Knowledge Award.
system will not only monitor glucose levels in the body, but also automatically adjust the delivery of insulin to reduce high blood glucose levels (hyperglycemia) and minimize the incidence of low blood glucose (hypoglycemia) with little or no input from the patient.5

If the patient goes to the hospital and checks into the emergency room (ER), data from the wearable device can be extracted and loaded into the electronic medical records (EMR) system, which is connected to the hospital network, which is further connected with physicians’ tablet software so that, when the patient is seen, all data are available for the health practitioner.
Rethinking Risk
A New Ethics of Enterprise IT

Not all that long ago, getting the enterprise to invest in IT required some convincing. According to conventional wisdom, IT was a back-office operation and no more. Today, the power and potential business benefit of IT are accepted facts—indeed, in many industries, IT virtually has the same scope and boundaries of the organization itself, and alignment of IT with business strategy and goals is a key recommendation of IT governance frameworks. Cybersecurity and information security threats increasingly force awareness of IT risk on boards of directors and senior management. Compliance requirements—and associated penalties—bring IT into board rooms and corner offices and necessitate investment in compliance risk management. Governance, security and compliance failures can be critical and deserve attention at the highest organizational levels; however, they do not represent the entire universe of IT risk. ISACA’s Risk IT Framework asserts that “Risk IT is not limited to information security. It covers all IT-related risk,”1 including:2

• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment

impact analysis (BIA) exercise. The routine BIA may give moderately sophisticated organizations sufficient information, awareness, lead time and incentive to prepare and react. However, IT risk management and prevention should go deeper than the average BIA—into the mind-set of organizations, their employees and leaders, both in IT and the business. The scale of potential failure—running the gamut from public inconvenience to catastrophe—argues for the recognition of an ethics of IT as a risk domain in its own right. Ethics of enterprise IT (EEIT) could include organizational culture and individual employee values, all of which profoundly affect IT operations and delivery.

In the context of IT, ethics would address the risk to IT systems due to intentional or unintentional subversion of existing controls and established means, where intentional does not necessarily mean malicious or criminal. Rather, intent would be construed to encompass personal motives, like convenience or expediency in the service of self-promotion; ideals, like an orientation toward service; and collective dynamics, including politics or
Among relatively mature enterprises, the use of service management processes, controls, automation and sophisticated tools is a good defense against wrongdoing in IT; together, they make bypassing controls and other processes difficult, especially in the absence of deliberate intent. However, like any hacker skilled in finding and eventually exploiting weaknesses, an internal IT resource may subvert controls with criminal intent. Others can bypass established processes—nonetheless intentionally, but without malice, in an effort just to get the work done—without fully realizing the potential impact of control failures. However, as the ethics of IT is more integrated with IT, it improves consciousness and reduces the temptation to bypass established processes and controls.

Ethics of Enterprise IT in Practice

To implement ethics of enterprise IT, one might start by looking within the organization, determining how things actually get done in IT, and acknowledging the reality with honesty and transparency. For the most part, people do not have malicious intent. However, because timelines and delivery targets are often aggressive—and both internal teams and external vendors work in all too human contexts of shifting loyalties, internal competition, career aspirations, tight budgets and

Personal agendas, organizational politics, distorted communication, weak vendor management, department silos and sometimes even unrealistic service level agreements/timelines/targets can dilute the overall intention of IT: to serve business users and customers.

The Risk IT principles “Promotes fair and open communication of IT risk” and “Establishes the right tone at the top and while defining and enforcing personal accountability” encompass a range of concrete activities where ethics of IT could set higher standards, track their achievement, report abuses and improve outcomes. The following is a sample list of common and day-to-day IT operations, where any gaps and deficiencies can compromise the overall intent of IT:

• Metrics and dashboards—Data are often gathered from multiple sources to assess and report on the health of IT systems for upper management and boards of directors. Tweaking these metrics to put the best foot forward, impress clients or meet service availability targets can be common and may hurt enterprise IT in the long run by obscuring opportunities for process improvement. Metrics and dashboards are usually a rollup from several underlying data points and sub-metrics.
The Path to DevSecOps

DevOps is defined as a “combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity.”1 DevOps does not treat the development and operations teams as separate entities. Instead, DevOps blurs the lines between the two entities, resulting in greater harmony and alignment, without compromising quality. Estimates say the global market for DevOps will reach US$12.85 billion by 2025.2

DevOps Is Critical to Evolution

These concerns led to the start of the DevSecOps methodology movement, which applies the same principles to cybersecurity that DevOps applies to traditional IT processes to improve efficiency and

A BUG BOUNTY PROGRAM EXTENDS AND COMPLEMENTS (BUT DOES NOT REPLACE) THE ENTERPRISE STANDARD VULNERABILITY SCANNING AND PENETRATION TESTING EXERCISES.

Lesson 3—Bug Bounty Programs Must Become Business as Usual

Many enterprises use continuous penetration testing as a tool to assess the security of their software products after major changes. Although this tool works well in a traditional environment, manual penetration tests do not scale well in a DevOps environment and need to be supplemented with bug bounty programs to be truly effective. Every daily release of code can contain vulnerabilities that may have been missed by security tools and tests earlier in the pipeline. Bug

The previously mentioned strategies are a few of the key success factors for a DevSecOps program, but they only are a starting point and not an exhaustive list. The era of high-speed software deployments is here to stay. A quick fix to implement DevSecOps does not exist. Enterprises must invest significant time and effort in changing their culture, tools and staff skill set to adapt and get the best results from DevOps while remaining secure. Information security professionals must realize that, more than any tool or technology, their mind-set must evolve to survive and remain relevant in a DevOps world.

Endnotes
1 Amazon Web Services, “What Is DevOps?” 2019, https://aws.amazon.com/devops/what-is-devops/
2 DEVOPSdigest, “DevOps Market Worth $12.85 Billion by 2025,” 19 March 2018, www.devopsdigest.com/devops-market-worth-1285-billion-by-2025
Mina Miri
Is a security researcher at SD Elements/Security Compass. She is particularly attuned to the need for applications to have well-developed security characteristics. In her current position, she researches various security and privacy contexts for securing software all throughout its life cycle. Miri has published articles in the ISACA® Journal and IAPP Privacy Tech, and she has presented at the Open Web Application Security Project (OWASP) AppSec conference.

Nathanael Mohammed
Is a technical writer at SD Elements/Security Compass. He specializes in communicating about technology, with a focus on security and privacy. He has been involved with projects concerning EU General Data Protection Regulation requirements in Agile software development, and he has published an article on a tagging approach to privacy impact assessments in IAPP Privacy Tech.
In this study, PCI SSF is analyzed as a recently published compliance regulation.11 In January 2019, the PCI Security Standards Council (PCI SSC) released two new PCI Software Security Standards as part of the new PCI SSF. These standards are the PCI SSC’s efforts to better address the integrity of payment transactions and the confidentiality of all sensitive data as new technologies and software development practices emerge.

The Secure Software Life Cycle (Secure SLC or SSLC) Requirements and Assessment Procedures is a standard in the PCI SSF that offers security assessment guidance for both the development and operations life cycles. Secure SLC compliance aligns with Agile and continuous deployment methodologies to develop software faster and without requiring an assessment from a qualified assessor for each release.12

In the first step of the proposed framework, PCI SSLC guidelines are analyzed and compared to existing best practices. This analysis helps identify gaps in the currently implemented controls. For example, section 4.1 of PCI SSLC requires a mature process for security testing that aims to determine the existence and emergence of vulnerabilities. While existing best practices aligned with traditional standards and business requirements advise utilizing static application security testing (SAST), they do not require a proper process for identifying the appropriate tool, the practical integration of those tools into the application development and deployment pipelines, or the proper management of vulnerabilities.

Although the new standard mandates the addition and governance of more processes and activities to an application’s life cycle, it does not provide a code of practice or set of guidelines for implementation.

Conclusion and Next Steps

This approach seeks to bridge the gap between complying with requirements outlined in a regulation and determining actionable tasks using a policy-to-execution platform. This systematic approach can be repeated in similar situations where requirements in regulations are too high level and do not provide sufficient guidance for implementation. Though this example used the newly published PCI SSF, a similar approach can be adopted with other compliance regulations. The utility of an existing policy-to-execution platform was leveraged to mitigate the perceived disruption of security requirements for Agile and DevOps environments. Next, best practices with respect to each requirement given in the PCI SSF were compiled from the experience of organizations of varying maturity levels. Then, SMEs were interviewed to evaluate and augment the collected best practices in the previous step. The entire process led to a set of actionable tasks that correspond to the original requirements of a compliance regulation, which can be adapted to an organization of a given maturity level.
The attacker understands security not as a final objective to achieve, but as an incomplete journey; preliminary and partial responses are the norm, vulnerabilities require adaptive goals, and security demands lead to imperfect trust. The adversary’s mind is restless; either it was never formed within the mentality and framework of traditional education, or it quickly outgrew them. Instead, the adversary responds to the adrenaline rush produced by breaking existing protection paradigms. He or she relishes a sense of permanent inevitability of security failure as the new normal in the education of security and control specialists.

UNDERSTANDING THE MIND OF THE ADVERSARY CAN OPEN SPACE FOR THE AUTHENTICALLY ENLIGHTENED TRAINING OF THE SECURITY AND CONTROL PROFESSIONALS.

Yet, understanding the mind of the adversary can open space for the authentically enlightened training of the security and control professionals. It can teach them to understand the instability of the

Analyst and Adversary: Integrating Two Opposing Visions

Finding value in the methodology of adversaries is not intended to romanticize or promote illegal activity. Rather, it illustrates how their methods, mind-set and culture can be repurposed to enrich the education and training of security and cybersecurity professionals. The old, static practices around controls (and their respective verifications) will not be viable for 21st century organizations as a source of imperfect trust. In fact, improving security and cybersecurity today will depend on consciously and selectively integrating these historically opposing roles.

The analyst conventionally works across three categories: threat, control and impact (i.e., a common vocabulary, widely recognized and accepted across enterprises). The adversary thinks in terms of intention, capacity and vulnerability (figure 1). The categories of the analyst generally entail negative reactions to the open-ended, dynamic terms of the adversary. The analyst closes off (or at least reduces) attack surfaces; the adversary emphasizes possibility, openness and opportunity. Harmonizing these oppositions may seem contradictory or counterintuitive, but for the analyst, actually encourages a constructive unlearning of existing assumptions and tactics that may be inherently weak by virtue of their standardization and ubiquity (i.e., their status as best practice).

Figure: Learning/Unlearning cycle (diagram; only its labels survived extraction). Suspension: break with reality in new experience. Connection: compare new experience with prior knowledge. Transformation: deepen and construct new knowledge. Incorporation: appropriate and structure individual knowledge.
Source: Adapted from Reyes, A.; R. Zarama; “The Process of Embodying Distinctions: A Reconstruction of the Process of Learning,” Cybernetics and Human Knowing, vol. 5, no. 3, 1 March 1998, https://www.ingentaconnect.com/contentone/imp/chk/1998/00000005/00000003/14. Reprinted with permission.
Q: services, but we belong to the small and medium enterprise (SME) sector. Is enterprise governance of IT (EGIT) relevant for SME organizations? Are the available frameworks, particularly COBIT®, different for different organizations?

A: EGIT is relevant and, in today’s environment, a must for all types and sizes of organizations. That said, organizations must choose the framework that they would like to adopt wisely. The decision to adopt a framework itself is a great step forward.

Research on IT governance has typically been done on large organizations. Research on smaller organizations has been limited, and the research that does come to mind indicates that IT governance structures in SMEs are quite limited. SMEs tend to have an idiographic profile with characteristics that differ strongly from large enterprises.1

Broadly speaking, SMEs differ from large organizations in many ways such as technology and environment, organizational size, and structural differentiation. These, in turn, influence the nature of instituted decision-making processes and structures, including IT. Governance structures in SMEs tend to be characterized by centralized decision structures as opposed to the hierarchical and institutionalized decision structures of large organizations.

IT governance is necessary to ensure that the business gains value through IT, which enhances shareholder value. It enables value creation by optimizing risk and the utilization of resources. This paradigm is true for all organizations that depend on IT for competitive advantage, efficiency, effectiveness, compliance, security and reliability of data.

International Organization for Standardization (ISO)/International Electrotechnical Commission Governance of IT for the organization2 is the standard for IT governance, and COBIT® 20193 is the framework for implementing IT governance within the organization.

The challenges faced by SMEs can be broadly viewed along two areas:

• The ability to ensure that management is cognizant of the value IT brings to the table
• Adequate resources on the IT team that make it capable of enabling the previous point

Indeed, the primary focus of IT governance in COBIT is value creation achieved by realizing benefits and optimizing risk and resources.

SMEs generally face challenges in adopting COBIT due to its generic nature. They are good at setting business goals but find it difficult to set IT goals since IT is a comparatively small function. But it is interesting to see that many times their IT investment as a percentage of overall investment is the same as any large enterprise.

One COBIT user states that:

The organization must identify for itself what it needs from IT and how expansion can serve those needs. Within this paradigm, however, COBIT® 5 offers a set of structured processes to smooth the transition and ensure that such growth is a symptom of improvement, directed by a knowledgeable and engaged board. In an ongoing application of COBIT 5, in fact, this should become a matter of course as the framework develops and provides the components of a continual improvement life cycle. This enables the enterprise to fully leverage COBIT’s strengths, thereby developing a mature, flexible and effective IT function.4
Crossword Puzzle
by Myles Mellor
www.themecrosswords.com

ACROSS
1. Shared IT facility
3. IT base of operations that vendors are moving away from, 2 words
9. Basic facilities and systems of operation in an organization
12. View
13. Positioning app
15. Deep hole

Answers on page 58
CPE Quiz answer form: true-or-false questions 1 to 21 on the Saurbaugh, Brunswick, Putrus, Nachin/Tangmanee/Piromsopa, Keef, Durmisevic-Mutapcic, Lee and Serres articles, with fields for name, address and CISA, CRISC, CISM or CGEIT number.

Crossword answers (page 58), as far as the printed grid can be read: 1 Across COLO; 3 Across DATA CENTER; 9 Across INFRASTRUCTURE; 12 Across POSE; 13 Across GPS; 15 Across ABYSS.
Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information by email to info@isaca.org or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope to ISACA International Headquarters, 1700 E. Golf Rd., Suite 400, Schaumburg, IL 60173 USA. Outside the US, ISACA will pay the postage to return your graded quiz; you need only include an envelope with your address. You are responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.

ISACA JOURNAL VOL 4
STANDARDS, GUIDELINES, TOOLS AND TECHNIQUES

ISACA Member and Certification Holder Compliance

The specialized nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IS Audit and Assurance Standards

The standards are divided into three categories:
• General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series)

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-Up Activities

IS Audit and Assurance Guidelines

The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):
• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-Up Activities

Please note that the guidelines are effective 1 September 2014.

IS Audit and Assurance Tools and Techniques

These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programs, reference books and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Comments may also be submitted to the attention of the Director, Content Strategy, via email (standards@isaca.org), fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
FEATURED PUBLICATIONS

CISA Review Manual, 27th Edition (updated for the 2019 CISA job practice)
This manual is an extensive reference guide designed to help individuals prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor. The CISA Review Manual, 27th Edition is the most current, comprehensive and peer-reviewed IS audit, assurance, security and control resource available worldwide, with an easy-to-navigate format designed to assist candidates in understanding essential concepts and studying the new 2019 CISA job practice areas. It also includes definitions of terms most commonly found on the exam.
Print Product Code: CRM27ED
eBook Product Code: EPUB_CRM27ED
Print and eBook available in additional languages.

CISA Review Questions, Answers & Explanations Database, 12-Month Subscription (updated with additional questions)
This online database subscription is a comprehensive 1,000-question pool of items that contains the questions and answers from the CISA Review Questions, Answers & Explanations Manual, 12th Edition. CISA exam candidates can prepare for the exam on their own schedule and at their own pace with this online study tool. Use the interactive planner to build a custom study plan; the personalized dashboard then serves as the primary method to navigate studies and track progress. Take sample exams with randomly selected questions and view the results by job practice domain, which allows for concentrated study and gives candidates the ability to customize and focus their study efforts even further.

CISA Review Questions, Answers & Explanations Manual, 12th Edition (updated with additional questions)
Questions are presented by the five CISA job practice areas as well as in a 150-question sample exam. The questions, answers and explanations are intended to introduce the CISA candidate to the types of questions that appear on the CISA exam. The practice test included helps individuals determine their strengths and weaknesses to identify any areas that require further study. This publication is ideal to use in conjunction with the CISA Review Manual, 27th Edition. It also includes definitions of terms most commonly found on the exam.
INTRODUCING COBIT 2019

The globally recognized COBIT® Framework has been updated with new information and guidance: COBIT 2019 extends its leading role in implementing and ensuring effective enterprise governance of information and technology (EGIT). Leverage COBIT 2019 to generate tremendous value for your entire enterprise by customizing and right-sizing the governance of information and technology.

COBIT 2019 Core Publications

COBIT® 2019 Framework: Introduction and Methodology
Web Download Product Code: WCB19FIM
Member price: Free; Non-member price: Free

COBIT® 2019 Framework: Governance and Management Objectives
... infrastructure. This publication also includes detailed information about each of the components relevant to each governance and management objective.
Print Product Code: CB19FGM

COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution
Web Download Product Code: WCB19DGD

COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
... over time. To an important extent, it works in conjunction with the COBIT 2019 Design Guide, which helps every enterprise to identify and apply its own specific plan or road map.