1

UPCOMING MEETING

March 2014 Newsletter

Wednesday Evening, March 26, 2014

5:30 P.M. to 7:30 P.M.

@ Owens-Illinois at Levis Commons in Perrysburg

March Meeting – PwC to Speak on Leveraging Data Analytics

The ISACA Northwest Ohio Chapter welcomes you to our March meeting. Members enjoy an opportunity to network with fellow professionals and members of our Northwest Ohio Chapter. Register today at www.nwohio-isaca.org.

A light meal is provided at a cost of $20 for professionals or $10 for students. Prospective new member guests receive one complimentary registration to a meeting. Professional non-member meal charges are $30 and student non-member meal charges are $15. You may prepay for your meal with any major credit card, or by check or cash at the door the night of the meeting.

Dinner will be followed by a presentation by Shane Kenney, PricewaterhouseCoopers, on Leveraging Data Analytics. Shane recently presented at the Northwest Ohio IIA and, due to the popularity of the topic, we will provide another chance to hear it.

Speaker’s Profile

Shane Kenney is a manager in PwC's Data Assurance practice. Mr. Kenney has 12 years of experience in Computer Assisted Audit Techniques, ETL and data analytics. He has supported clients in the Automotive, Financial Services and Government sectors in more effectively leveraging data in support of their operational and regulatory needs.

Newsletter Content

Upcoming Meeting ................ 1

Chapter News ........................ 1-4

President’s Letter................... 2

Committee Updates ............... 3

Previous Meeting................... 4

Knowledge Center ................. 5

ISACA National News .......... 6-9

Information and Communication ..................... 10

ISACA Certification and Training Information ............. 11

Newsletter Staff

Director: Paul Nelson, University of Toledo

Publisher: Joe Marita, PricewaterhouseCoopers

Student Contributors: Amrutha (“Pooja”) Muthyala, University of Toledo; Steve Kalinic, Bowling Green State University

Thank you for taking the time to read our chapter newsletter! We are always looking for ways to improve and encourage your suggestions and comments.

2

Chapter Officers

President: Mike Gerber (Fluid Routing Solutions)

Vice President: Jim Krieger, CISA (PricewaterhouseCoopers)

Treasurer: Pascal Bizarro, CISA (Bowling Green State University)

Past President: Laurie Ryan, CISA, CPA (Dana Holding Corporation)

Secretary: Kate Van Jura, CISA (Owens-Illinois)

Board Members

Glen Brass, CISA (The Andersons, Inc.)

David Cutri, CISA, CIA, CPA (University of Toledo)

Mike Gallagher, CISA (Ernst & Young)

Greg Hussey, CISA (Benefits Edge)

Mike Kelley, CISA (Dana Holding Corporation)

Zack Kramp, CISA (PricewaterhouseCoopers)

Paul Nelson (University of Toledo)

President’s Letter

The issue of cybercrime continues to grow and impact our lives both personal and professional. Looking at the most recent FBI statistics, violent and property crimes continue to decline despite headlines to the contrary by our news-hungry media. In reality, it is cybercrime that continues to rise and many times is committed by people that are out of reach by U.S. or local law enforcement. The details are starting to come out of the much publicized breach of a major retailer in December last year that exposed over 100 million credit cards and personal information. The most recent reports point to a successful phishing campaign against a supplier to the retailer. The retailer itself appears to have been compliant with PCI (payment card industry) standards for security, so compliance alone was not enough to prevent this cybercrime.

We must learn from techniques used in recent attacks such as this to assess the risks of future occurrences. Small weaknesses in “compliant” business partners can be consolidated and used against one of them to commit cybercrime. An interesting bit of information I ran across was that the metadata in files on public facing websites for the previously mentioned retailer contained information potentially useful in the cyber-attack.

The goal of ISACA is not to just teach compliance to standards, but to connect a network of professionals committed to learning about IT risks and sharing knowledge on ways to protect against them. Please get involved in ISACA and our chapter by attending an upcoming meeting. Join the fight against cyber-criminals and terrorists that threaten our community, family, and country.

Regarding other matters, the results of the program survey last month indicate four topics of interest to the chapter with SAP GRC (governance, risk and compliance) leading the pack. The other three are cloud computing security and risk, data visualization, and auditing IT applications. We are still organizing an SAP GRC 2-day training program this spring and hope to announce more details soon.

The next chapter meeting is going to be at O-I in Perrysburg Wednesday, March 26th. We begin with informal networking at 5:30pm followed by food at 6:00pm and our featured speaker presentation at 6:45. Register now at www.nwohio-isaca.org! We encourage you to invite a guest and introduce them to our chapter and ISACA. Guests are free for their first meeting if a member sponsors them when registering on the website.

If you have ideas or questions about the chapter please contact me directly at [email protected] or call me at 419-351-3359.

Mike Gerber

President, ISACA Northwest Ohio Chapter


3

COMMITTEE CONTACTS

Committee: Chair

Audit: Zach Kramp

Certification: Laurie Ryan

Communication and Web Design: Kate Van Jura

Education: Jim Krieger

Meetings Facilitation: David Cutri

Membership / Marketing: Glen Brass

Newsletter: Paul Nelson

Programs: Mike Kelley

NAME YOUR NEWSLETTER!

Newsletter Name Survey: Last chance to get your suggestion in for a new newsletter name! We will be accepting name suggestions until April 1st.

https://www.surveymonkey.com/s/HNHKBR3

In early April another survey with suggested names will be presented to the chapter to vote on their favorite. Our May newsletter will reveal the new title selected.

4

PREVIOUS MEETING

January Meeting

Thank you for Attending our January Meeting!

ParkOhio: Mike Gerber

PricewaterhouseCoopers: Lori McColl (Speaker), Nicole Plodger (Speaker), Mark Walrod (Speaker)

Rehmann: Brian Kennedy

The University of Toledo: David Cutri, Paul Nelson

Benefit Concepts: Greg Hussey

Bowling Green State University: Mohammed Alqasir, Pascal Bizarro, Clay Brahier, Itunu Dacosta, Steve Kalinic, London Miller, Jessie Ye

Dana Holding Corp.: Laurie Ryan

Ernst and Young: Jaimie Morsillo

HCR Manor Care: Doug Crail

Marathon Petroleum Co.: Dave Amann, Ida Beran, Joseph Hooker, Lawrence Kinkaid, Robert Krupp, Allison Quinlan, Jeff Shadle, John Sims

Owens-Illinois: Gregory Cornelius, Eric DeVaul, Rodrigo Figueroa, Joe Miller, Matt Preston, Kate Van Jura, P.J. Wolf

Our speakers at the January chapter meeting were Lori McColl, Nicole Plodger, and Mark Walrod from PricewaterhouseCoopers. Their presentation on SAP GRC was found to be a hot topic by members.

Photo by Paul Nelson

5

KNOWLEDGE CENTER

A Case for a Process-based Approach to GRC, by S. Ramanatham, CISA, CISSP

This article is available for our members in its entirety at: http://www.isaca.org/Journal/Past-Issues/2010/Volume-5/Pages/A-Case-for-a-Process-based-Approach-to-GRC.aspx

A number of corporate accounting scandals, such as Enron, created a need for regulations, such as the US Sarbanes-Oxley Act. The need for sound corporate governance principles was actively debated in this context, and the concept of governance, risk management and compliance (GRC) resulted. The concept has wide coverage now, encompassing enterprise risk management (ERM), operational risk management, incident management and other related areas. As with many popular concepts and practices, there are myths surrounding GRC, too. Some of these myths include:

GRC is for the board to worry about; day-to-day management is not concerned with GRC.

GRC is for big companies only.

GRC is for listed companies to worry about.

GRC is a pain organizations have to live with because government wants it.

GRC is about documentation and reporting.

GRC implementation interferes with the business.

Irrespective of size and pattern of ownership, organizations need to recognize that governance is the superordinate requirement to sustain ongoing activities, and risk management and compliance are necessary prerequisites for ensuring good governance. Thus, GRC needs to be a critical concern for all organizations, and its focus should be much larger than statutory compliance.

A narrow focus has made GRC a reactive and piecemeal exercise in organizations. Even larger organizations with a better vision of GRC take up statutory compliance as the first step, and the larger exercise of holistic implementation and maintenance of GRC is placed at a lower priority. Consultants who are engaged in these assignments are forced to cater to the immediate needs of management and, thus, fail to present a comprehensive approach of ERM as part of GRC.

The subject of this article is to present a more fundamental approach to GRC and to suggest the most appropriate methodology to make the exercise sustainable. Such an approach puts additional responsibilities on information systems (IS) auditors as well (this is addressed toward the end of the article).

Typical GRC implementation approaches include:

Checklist-based: For reasons cited previously, organizations implement GRC as a reporting exercise. Implementers and auditors adopt the checklist approach [1] for testing compliance to a list of requirements.

Asset-based: In this method, information assets and their vulnerabilities are identified. Threats that could compromise confidentiality, integrity and availability of these assets are then identified. Based on the probability of threats exploiting these vulnerabilities and the consequential impact, the risk exposure is computed. Risk mitigation measures are suggested for vulnerabilities with risk exposures higher than the risk tolerance limit. The methodology is the application of Failure Mode and Effects Analysis (FMEA), [2] popular in engineering design and analysis, to the IT domain, except that FMEA does not recommend an asset-based approach. Though the International Organization for Standardization (ISO) does not recommend any specific method for information security assessment, consultants and practitioners have been using this method for ISO 27001 implementation. [3] The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method, developed by the Software Engineering Institute (SEI), is another asset-based method. [4, 5]

Incident-based: Another approach that is recommended for risk management and audit is to look at the past deviations, using incident reports, error reports, system failure reports, etc. Using loss-event data collection as a measure of operations risk exposure, as recommended by Basel II, [6] is an example of an incident-based approach. [7]
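As an added illustration of the asset-based approach described in the article (this code is not from the article, from ISACA, or from any of the methods it names), the following Python builds a small risk register of assets, their vulnerabilities and the threats that could exploit them, scores probability and impact on an assumed 1 to 5 scale, computes exposure as their product (the multiplicative form is an assumption; the article only says exposure is "computed"), and returns the entries whose exposure exceeds a constructed tolerance limit, highest first, as the candidates for which mitigation measures would be proposed. Every register entry and the tolerance value are constructed sample data.

```python
"""Asset-based risk exposure ranking (added example, not the article's own method).

Steps mirror the article's description: identify assets and vulnerabilities,
identify threats against confidentiality/integrity/availability, score
probability and impact, compute exposure, flag anything above the tolerance.
Scales, tolerance and register contents below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    vulnerability: str
    threat: str        # what could exploit the vulnerability
    probability: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)
    cia: str           # which property is hit: confidentiality / integrity / availability


def exposure(item: RiskItem) -> int:
    """Risk exposure = probability x impact (assumed multiplicative form)."""
    if not (1 <= item.probability <= 5 and 1 <= item.impact <= 5):
        raise ValueError(f"score out of range for {item.asset}: {item}")
    return item.probability * item.impact


def rank_register(register, tolerance: int):
    """Return (exposure, item) pairs above the tolerance limit, highest first.

    These are the entries for which the article says mitigation measures are
    suggested; everything at or below the tolerance is accepted as-is.
    """
    over = [(exposure(i), i) for i in register if exposure(i) > tolerance]
    over.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return over


# Constructed sample register: not real findings, scores chosen for illustration.
SAMPLE_REGISTER = [
    RiskItem("Card-processing database", "unpatched DBMS", "remote exploit", 3, 5, "confidentiality"),
    RiskItem("Supplier VPN account", "shared password", "credential phishing", 4, 4, "confidentiality"),
    RiskItem("Public web server", "no rate limiting", "volumetric DoS", 3, 2, "availability"),
    RiskItem("HR file share", "broad write access", "accidental deletion", 2, 2, "integrity"),
]
RISK_TOLERANCE = 8  # assumed limit: exposures above 8 need a mitigation plan


def report(register=SAMPLE_REGISTER, tolerance=RISK_TOLERANCE):
    """One line per entry needing mitigation, ready for a risk-treatment plan."""
    return [
        f"{score:2d}  {item.asset}: {item.threat} via {item.vulnerability} ({item.cia})"
        for score, item in rank_register(register, tolerance)
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

Only two of the four constructed entries exceed the tolerance (the supplier VPN account at 16 and the card-processing database at 15); the two availability and integrity items fall below it and would be accepted rather than mitigated under this register's limit.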

6

ISACA NATIONAL NEWS

Calendar of Events and Deadlines:

March 2014:

18: Virtual Conference: Cybersecurity: Collaborate, Comply and Conquer

20: ISACA Journal vol. 4, 2014, article submission deadline

April 2014:

11: June certification exams final registration deadline

14 - 17: Training Week: Cloud Computing: Seeing Through the Clouds - What the IT Auditor Needs to Know, Houston, Texas, USA

21 - 24: Training Week: Information Security Essentials for IT Auditors, New York, New York, USA

26 - 27: Global Leadership Conference, Las Vegas, Nevada, USA

28 - 30: North America CACS, Las Vegas, Nevada, USA

30: 2014 membership renewal grace period expires

7


May 2014:

5 - 8: Training Week: Health Care Information Technology, San Diego, California, USA

19 - 22: Training Week: Taking the Next Step: Advancing Your IT Auditing Skills, Atlanta, Georgia, USA

June 2014:

2 - 5: Training Week: Fundamentals of IS Audit and Assurance, Governance of Enterprise IT, Information Security Management, Foundations of IT Risk Management, Atlanta, Georgia, USA

14: June certification exam administration

16 - 19: Training Week: Information Security Essentials for IT Auditors, Seattle, Washington, USA

23 - 26: Training Week: Information Security Essentials for IT Auditors, Mexico City, Mexico (course will be offered in Spanish)

8


Certification Update

2013 certifications: In 2013, ISACA certified more than 6,900 CISAs, 2,600 CISMs, 450 CGEITs and 650 CRISCs.

June 2014 exam registration: The final registration date for the June 2014 exam is 11 April. Registration can be completed on the Exam Registration page of the ISACA web site. Please make note that in 2014, the German-, Hebrew- and Italian-language offerings of the CISA exam are available only at the June exam administration.

2014 candidate’s guide: Details about the 2014 certification exams can be found in the ISACA Exam Candidate Information Guide 2014.

Certification recognition: A recent report by Global Knowledge lists CRISC, CISM and CISA as being among the top paying certifications in 2014, with each finishing first, second and third, respectively.

New COBIT-related Audit Programs Available

ISACA has issued the audit/assurance programs for the COBIT 5 Evaluate, Direct and Monitor (EDM) domain, and chapter leaders are invited to use them as topics for future chapter meetings.

ISACA has created audit/assurance programs for COBIT 5 processes based on the generic structure developed in COBIT 5 for Assurance. These audit/assurance programs are fully aligned with COBIT 5 and reference all 7 enablers. While the programs for the EDM domain are the first to be issued, audit/assurance programs for other domains are planned. These customizable Microsoft Word downloads are available for complimentary download by ISACA members and are also available for purchase in the ISACA Bookstore.

Information on recent and upcoming research projects is posted on the Current Projects page of the ISACA web site.

9

New Big Data White Paper Available

ISACA has issued the Generating Value From Big Data Analytics white paper and chapter leaders are invited to use it as a topic for future chapter meetings.

The newly released white paper presents how organizations are starting to use big data to be more competitive and how organizations are adapting concepts from traditional business intelligence to leverage new sources of data previously out of reach. Generating Value From Big Data Analytics also predicts future patterns of adoption as the technology becomes more widely used and increases in maturity.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


ISACA to Offer Open Badges for All Certification Holders

ISACA is pleased to announce a new benefit for those who hold one of its four certifications. Beginning in February 2014, ISACA will commence distribution of an open badge for each certification held. The rollout is estimated to be completed by the end of the first quarter of 2014. This program will help both validate the credentials and raise awareness of those who have earned them. In partnership with Pearson, the world’s leading learning company, this program will provide CISA, CISM, CGEIT and CRISC certification holders badges (digital web-enabled versions of their certifications) that can be used on social networking sites, in emails and on personal web sites. These free, secure open badges give employers, client prospects and anyone viewing your networking page 1-click access to verify a badge holder’s credentials. The badges will also allow ISACA credential holders to announce their achievements on several social platforms.

The open badges will be issued to all ISACA certification holders incrementally over a short period of time. Certification holders will receive an email announcing the program as well as a separate email containing all of the information needed to claim the open badge. To receive an open badge, a profile must be created on the Acclaim web site (hosted by Pearson) and then the certification holder would claim each ISACA badge issued by ISACA (which should take no more than 5 minutes).

Visit the Open Badges page to learn more about this new program. Badges for additional achievements are being considered for the future.

10

INFORMATION AND COMMUNICATIONS

Certification Update

June 2014 Exam Registration

The exam will take place on June 14, 2014. The early registration deadline has passed, but there is still time to sign up to take the exam!

Certification Revocation Alert

A minimum of 20 CPE hours are required annually, and 120 CPE hours are required every three years. Individuals can update their CPE hours in their certification profile. Renewal payments can be made online through the renewal process.

Certification Recognition

Although certification may not be mandatory for you at this time, a growing number of organizations are recommending that employees become certified. To help ensure success in the global marketplace, it is vital to select a certification program based on universally accepted technical practices.

ISACA Membership Benefits

Professional Development

Access to My ISACA to update your profile and CPE hours

CISA®, CISM®, CGEIT® and CRISC® certification - Member discounts for exam study aids, registration and maintenance fees

To learn more about certification specifics, please visit: www.isaca.org/certification

Research and Knowledge

@ISACA - A biweekly newsletter, conveniently delivering ISACA and professional news electronically

COBIT Online - Discounted subscription and complimentary baseline functionality

COBIT Quickstart - Complimentary member download - $55 value

Downloads - Members-only research discounts or preferred access to COBIT 5, Risk IT: Based on COBIT, Val IT and many other publications from ITGI

Knowledge Center - Exclusive access to one convenient online location where members can access professional knowledge. Network, learn and exchange ideas globally with peers through communities, shared interest groups, discussions and document sharing. Get a holistic view into all ISACA resources.

Standards - Easy access to ISACA’s IS Auditing Standards, Guidelines and Procedures

Audit Programs and Internal Control Questionnaires (ICQs) - Guidance tools for best practices

Research Opportunities - Support the work of the IT Governance Institute in developing products for IT governance control

Conferences and Training - Member discounts on more than 25 ISACA® events annually

Webcasts and e-Symposia - Members obtain up to 3 free CPE hours monthly!

Bookstore - Member discounts on ISACA® Bookstore publications and research

Career Center Enhancements - Access more jobs, including those posted on other job boards, more robust tools for job seekers and, coming soon, a free job board for freelancers.

Community and Leadership

Join a Discussion Forum on professional topics including Sarbanes-Oxley, IT governance, COBIT and information security management.

Leadership Opportunities - Serve on ISACA boards and committees, help author or review ISACA research publications, write certification exam questions or become a local chapter leader.

Local Chapters - Get involved with one of ISACA’s more than 180 chapters worldwide, giving you access to affordable CPE programs and information exchange in your local area.

11

ISACA CERTIFICATIONS

CISA®, CISM®, CGEIT®, CRISC®.

Certification exams will take place June 14, 2014

CISA is to Audit what CPA and CA are to Accounting

CISAs are recognized internationally as professionals with the knowledge, skills, experience and credibility to leverage standards, manage vulnerabilities, ensure compliance, offer solutions, institute controls and deliver value to the enterprise.

Enhance your competitive advantage

Demonstrate your information security management expertise. The uniquely management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise’s information security.

Achieve a broader impact on your enterprise and your career

CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. As a CGEIT certified professional, you demonstrate that you are capable of bringing IT governance into an organization, that you grasp the complex subject holistically, and therefore, enhance value to the enterprise.

ISACA® Conferences and Trainings

ISACA is dedicated to offering the most dynamic and inclusive conferences and Training Courses. These exciting events, held around the world, keep you abreast of the latest advances in the IT profession and provide valuable networking opportunities. ISACA conferences are where new technology and practical application converge.

To learn more please visit: www.isaca.org/education

Become a CRISC and defend, protect and future-proof your enterprise

CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.