Journal-Volume-2-2017 The Evolution of Audit

THE EVOLUTION OF AUDIT
How Analytics Will Transform Internal Audit

ISACA Journal, Volume 2, 2017
www.isaca.org

The ISACA Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal's noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

Columns
- Information Security Matters: Do You Need a Disaster Recovery Plan…? Steven J. Ross, CISA, CISSP, MBCP
- IS Audit Basics: The Auditors, IS/IT Policies and Compliance. Ed Gelbstein, Ph.D.
- The Network. Shan Senanayake, CISA, CRISC, CISSP
- The Practical Aspect: Third-party Risk Management. Vasant Raval, DBA, CISA, ACMA, and Samir Shah, CISA, CA, CFE, CIA, CISSP

Features
- How Analytics Will Transform Internal Audit. Robert E. (Bob) Kress and Dave M. Hildebrand, CPA, CFE (a Simplified Chinese translation is also available)
- Creating Assurance in Blockchain. A. Michael Smith (a Simplified Chinese translation is also available)
- Agile Audit. Spiros Alexiou, Ph.D., CISA
- Dealing With Difficult Data. Michael T. Hoesing, CISA, ACDA, CDP, CFSA, CIA, CISSP, CMA, CPA
- Standardized Scoring for Security and Risk Metrics. Mukul Pareek, CISA, ACA, ACMA, PRM
- Tools You May Already Have That Add Assurance Value. Ed Moyle

Plus
- Crossword Puzzle. Myles Mellor
- CPE Quiz. Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT
- Standards, Guidelines, Tools and Techniques
- ISACA Bookstore Supplement

Online-exclusive features (www.isaca.org/journal; member login required). A sample of the features planned for March and April 2017:
- Auditing Social Media. Paul Phillips, CISA, CISM
- Audit Action for Beginners. Danny M. Goldberg, CISA, CRISC, CGEIT, CCSA, CGMA, CIA, CPA, CRMA
- Transparency in Risk-based Audit Planning. Ed Gelbstein, Ph.D.

ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA. www.isaca.org
Information Security Matters: Do You Need a Disaster Recovery Plan…?

It is those three dots that save me from accusations of rank lunacy. (Oh, well, from accusations based on this subject.) What follows the dots is "as disaster recovery moves into the cloud." Even more specifically, I am speaking of utilization of Disaster Recovery as a Service (DRaaS), the commercial relationship in which a third-party company receives and stores replicated and backed-up data and provides servers for testing disaster recovery, with an expanded number of them in an actual disaster. Most critically, a DRaaS provider carries out the recovery when requested, according to specified service level agreements (SLAs). A business can, therefore, buy (rent, really) recoverability in one-hour, four-hour or one-day increments, or at whatever service levels a given vendor is willing to offer.

No, You Do Not Need a Plan

Why buy a dog and bark yourself? Engaging in a relationship with a DRaaS vendor means assigning to that company the responsibility for recovering the buyer's systems. Implicitly, the vendor asserts that it knows how to carry out its contractual obligations, and that assertion can be proven (or disproven) by testing against the recovery times the SLA promises, which the buyer should do before a real disaster does it for them. Perhaps the organization acquiring DRaaS support had detailed procedures for how it was going to recover X, Y and Z systems from Point A to Point B. Those plans become irrelevant when the very paradigm of system recoverability is overturned. I am hardly the first to note that the cloud changes everything.

This leaves the acquiring organization with the odd responsibility to plan for recovery from a production environment that faces a potential disaster to a data center that does not exist. With recovery

Finally, the DRP needs a section on how to restore normal operations once the disaster is over. If that means a return to an organization's own data center, this will be tricky. DRaaS vendors are a fount
• Information security

Auditors' Focus #1

Assess the scope of policies issued and review their key parameters. These should include:
• Whether there are policy guidelines defining requirements such as readability and understandability, use of version control, and the need (or not) for the acknowledgment of each policy by individuals
• Extent of the portfolio against assessed risk impacting the availability, confidentiality and integrity of SSD, and identification of other topics that would merit a policy

Ed Gelbstein, Ph.D., 1940-2015
Worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late '60s and early '70s, and managed projects of increasing size and complexity until the early 1990s. In the '90s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column will continue to be published in the ISACA Journal posthumously.

This was then sent to legal counsel. Their review took several months and resulted in a nearly incomprehensible 11-page document written in legal jargon with many clauses, subclauses and footnotes.

A year after the first draft was produced, the policy was printed and distributed together with a bundle of assorted circulars and administrative trivia. Employees were not required to acknowledge receipt. During a subsequent independent audit, few were able to produce their copy and many claimed they "never got it." This policy was also not part of the documentation issued to new recruits.

The assumption that policies are matters of common sense is questionable. A quotation attributed to Albert Einstein states, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."1

During an audit a few years ago, an auditor came across the emergency exit shown in figure 1. The obstruction had been there for some time and was too heavy to be moved by one person. The notice on the left of the door was noted and ignored.

In any case, it is not unusual to find a cleaner's bucket propping open a secure door, passwords
The Network: Shan Senanayake, CISA, CRISC, CISSP

…security methodologies. Not enough IT professionals understand how to do this and it is a huge professional advantage to be able to do so.

Q: What do you think are the most effective ways to address the lack of women in the information security workspace?

A: Ever hear the saying "No one becomes an astronaut by mistake"? The same is true for many terrestrial aspirations such as information security. There needs to be a road map and the impetus to follow it. I think ISACA's CSX initiative for students—to lower the barriers to entry to a career in information security—is exactly what is needed. A career in information security must be a visible, viable option.

Regardless of gender, we are looking at an industrywide supply chain issue. We do not have nearly enough information security professionals, and this is not something that can be corrected overnight. We need a groundswell, a revolution of participation, and it needs to begin in early education and be sustained all the way through college. I think lowering the barriers to entry and raising the visibility of women in the profession would go a long way. Women in information security need to be normalized and there needs to be guidance. Many of the younger women whom I have met in the information security community have been mentored or have followed a structured educational path to get here. Very few became Infonauts by mistake.

Q: How did you arrive at a career in information security?

A: I started out as a techie in Silicon Valley during the boom years, when there were not a whole lot of rules about how you had to use technology in the enterprise. So you figure out how to do things when there is no guidance. You hack the infrastructure together and roll your own kernels, because vendor interoperability is still a ways off. In retrospect, it was a hugely useful way to start out in the industry, because you learn very early on to be curious and adaptable, or you perish. You also learn to appreciate the value of ordered chaos, which all networks are, in essence.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: When I was an itinerant consultant, I was having so much fun with my great customers, interesting projects and an endless parade of new technology to play with that I did not want to admit to myself that I had hit a glass ceiling at the consulting firm. This had a hugely detrimental effect on my career progression and it was an obstacle that could not be removed, countered or mitigated.

In hindsight, what makes this incident stand out for me is that I expended so much effort trying to change the culture that I had become inured to the extra effort. As soon as I moved to a more progressive environment, I was able to accomplish much more. It is a very important realization to have—that the environment should be actively helping you achieve your goals. That experience forever impressed upon me the importance of culture change with the end goal of achieving a meritocracy.

1. What is the biggest security challenge that will be faced in 2017? How should it be addressed?
Resisting the push toward "exceptional access"—mandated back doors for law enforcement (think US Federal Bureau of Investigation [FBI] vs. San Bernardino iPhone).

2. What are your three goals for 2017?
• Run a 10k
• Paint outdoors
• Read 52 books (I try this every year and have never made it to 52.)

3. What is on your desk right now?
• Stickerless Rubik's Cubes in various stages of solved
• A stack of purring network switches
• A bowl of coral bits that washed up on the beach, bleached white from the sun

4. What is your number-one piece of advice for other information security professionals?
Do not be deterred by an unfamiliar or unwelcoming culture. You are an ambassador for whatever you are representing or advocating, and you have to be able to walk into a room full of strangers and evangelize information security.

5. What is your favorite benefit of your ISACA membership?
The worldwide ISACA community. I love getting to meet other IT security and audit professionals and talking to them about what they do.

6. What do you do when you are not at work?
Take advantage of all the wonderful things and technologies to which I have access. My two best friends are adventurers, always chivvying me to try something new. It is oddly relaxing.
• Share risk and rewards with the vendor1

Specifically in the software services area, the relationship complexity increased as the expected business value from the services grew in focus, from efficiency to enhancement to transformation.2 Depending on the criticality of the relationship in value creation and its attendant risk, the third party, for all practical purposes, became an integral driver of the host company's destiny. Such relationships sometimes are categorized in terms of structure (e.g., collaboration, alliance, partnership, joint venture) and, in other instances, they emphasize the nature of products or services (e.g., facilities management, human resource services, software maintenance, telecommunications, logistics/warehousing/distribution).

Vasant Raval, DBA, CISA, ACMA
Is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include information security and corporate governance. He can be reached at vraval@creighton.edu.

Samir Shah, CISA, CA, CFE, CIA, CISSP
Is an executive director at Ernst & Young LLP. He has many years of experience in the IT risk, audit and governance-related practice areas. He can be reached at samirnshahca@gmail.com.
opportunity for the host's risk to be exposed by the vendor increases as well. When this happens, the emphasis on the third party diminishes greatly, for the hosts see the relationship as far more closely tied to their own destiny than anticipated. It is as if a crucial part of the business's success now resides in the vendor organization, making the vendor more of an "insider." If some risk materializes at the vendor level, depending on the nature of the relationship, cascading effects of the compromise could engulf the host as well. This is considered a form of as yet unaddressed or unknown "vulnerability inheritance," triggering heightened risk awareness at the host level.4 Risk in third-party arrangements of any form has always existed, but the mix, in terms of types and severity of risk, has been changing, leading to a reexamination of the host-vendor relationship primarily from the risk management perspective. Hence, the term "third-party management" is now more clearly emphasized as third-party risk management (TPRM).

The focus of multifaceted outsourcing converges heavily on managing the risk exposures of the relationship.

favorably impacting data breach consequences, lowering risk of operational failures in a supply chain, continuously monitoring vendor financial stability, and assessing the risk of governance and regulatory disclosure.

TPRM Methodology

Broadly, any risk management program is three-dimensional. It incorporates people (organization), process (operations) and technology (information systems). Each is important to the TPRM goals and plays a significant role in achieving the desired outcome.5 The TPRM methodology discussed here incorporates all three dimensions.

To address risk exposures in TPRM environments, host companies consider the vendor as the target of evaluation at the time of onboarding and on an ongoing basis as well. For this, the host company should:
1. Set up contract provisions (typically, in the service level agreement [SLA]) to address risk-related commitments
2. Combine the vendor risk profile with the risk profile of the engagement
3. Prepare for dynamic monitoring and risk assessment based on internal/external events
4. Implement and use both traditional and innovative monitoring approaches for continuous monitoring of the identified risk factors
5. Leverage technology solutions to integrate procurement, performance and risk management on a unified platform6
effectively manage.

TPRM and Information Technology

The rise of TPRM as a challenge probably took place due to the now well-known hack of Target, in which the attackers entered Target's network using credentials that had been issued to a heating, ventilation and air-conditioning vendor. While the IT-based Target compromise elevated TPRM to new heights in the information security domain, many additional areas (e.g., supply chain and logistics) are also managed through TPRM.7 And this, therefore, leads to the need for trust between the host organization and its stakeholders, including vendors. Presumably, the greater the criticality of the service, the higher the need for trust, much as in the authentication of people or devices. Without trust, not much can be considered in equilibrium in the relationship. When Amazon cannot find enough digital streaming capacity between 11:00 p.m. and 2:00 a.m. to serve Netflix customers, would Netflix

often do not quite fit the old templates. A mishap at the third-party provider may spell new risk to the seeker of services. To address dynamically the changing risk scenario, an integrated risk management platform is necessary. While standards help guide the implementation of such platforms, Statement on Standards for Attestation Engagements (SSAE) 16/International Standard on Assurance Engagements (ISAE) 3402 (the revised standards for the earlier SAS 70) have known challenges with the coverage of a large population of third parties and efficiency from time and cost perspectives. They are also scoped narrowly: an SSAE 16/ISAE 3402 (SOC 1) report covers the vendor's controls relevant to the host's financial reporting, whereas security, availability and confidentiality controls are the subject of a separate SOC 2 report, so a vendor that offers only a SOC 1 has not demonstrated its security controls. No matter how robust these assurance standards are, interorganizational dependencies are unique, and uniquely granular, to a point where the solution requires customized due diligence. A contractual shared solution across all vendors may not be enough, for "nothing in business operations remains in a steady state…."9 A force majeure clause in the SLA does not save either party from disasters.
Figure (TPRM framework; diagram not reproduced): third-party dependencies between host and vendor, assessed through the vendor risk profile, the vendor engagement risk and preparedness for risk response; potential vulnerability inheritance; trust level; capability maturity models; enabler technologies (e.g., TPRM utility platforms); contract, monitoring, and review and evaluation.
Figure (data analytics maturity; diagram not reproduced): maturity rises from Exploratory to Established to Transformative.
But throughout this early stage and even after analytics is more firmly established, the focus typically remains on using analytics to improve the conduct and execution of internal audits.

…one-off activities become repeatable processes and metrics are introduced to measure performance. In short order, analytics becomes embedded across organizational and business unit audits, methodologies for improvement are implemented, and metrics are closely monitored.

At full maturity, analytics-based risk models are adopted by the business, and the power of analytics begins to change auditor behaviors and new value propositions begin to emerge.

The impact of moving upstream and leveraging analytics from the very beginning of the audit process right through to its conclusion can be seen in figure 2.

Applied consistently in this way, analytics introduces the ability to continuously measure risk across a broad set of business units, geographies and functional areas to identify the areas of higher risk. Additionally, access to the full breadth of data enables the use of analytics to drive risk assessment and audit planning and full-population testing vs. sampling. By mining the data, it is possible to determine which countries, business units, business processes or other areas hide outliers that could represent increased risk or compliance issues. Once a business unit or geography is identified, the scope of the engagement can be further refined by drilling deeper into the data, increasing scope in higher-risk areas and reducing scope in sectors where analytics suggests the risk may be less. The overall result is a more dynamic audit plan based on continuous, just-in-time risk assessment; more efficient audits that are aligned with areas of risk; more effective results from audits that are focused on those areas of high risk; and automated reporting.

Watching Analytics Work: Data Visualization

As an internal audit function matures in its use of analytics, dashboards and other data visualization techniques provide insight into the risk factors identified through analytics. By displaying data points and combining the analytics with key performance indicators, auditors have the ability to drill down, looking both vertically and horizontally across risk areas to identify individual audits, scope and key testing procedures. Providing business unit and process risk assessments through dashboards also empowers internal audit teams by giving them a self-service model to assess risk on a regular or real-time basis.
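As an added illustration (written for this edit; it is not code from the article or from Accenture), the full-population screening described above can be done with a robust per-unit outlier score: each journal entry is compared with the median and median absolute deviation of its own business unit, so one oversized entry cannot mask itself by inflating the unit's mean and standard deviation. The field names, the 3.5 threshold and the sample entries are constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example for this edit, not code from the article or from Accenture.
# Full-population screening of journal-entry amounts, scored against each
# entry's own business unit with a robust z-score (median / MAD), so a single
# oversized entry cannot hide itself by inflating the unit's mean and standard
# deviation. Field names, the threshold and the sample entries are constructed
# for illustration.

Entry = Tuple[str, str, float]  # (entry_id, business_unit, amount)

# Constructed sample population: one unit hides a single oversized entry.
ENTRIES: List[Entry] = [
    ("JE-001", "EMEA", 1020.0), ("JE-002", "EMEA", 980.0), ("JE-003", "EMEA", 1010.0),
    ("JE-004", "EMEA", 995.0), ("JE-005", "EMEA", 1005.0), ("JE-006", "EMEA", 47000.0),
    ("JE-007", "APAC", 210.0), ("JE-008", "APAC", 190.0), ("JE-009", "APAC", 205.0),
    ("JE-010", "APAC", 198.0), ("JE-011", "APAC", 202.0), ("JE-012", "APAC", 207.0),
    ("JE-013", "AMER", 5000.0), ("JE-014", "AMER", 5200.0), ("JE-015", "AMER", 4900.0),
    ("JE-016", "AMER", 5100.0), ("JE-017", "AMER", 5000.0), ("JE-018", "AMER", 5050.0),
]

MAD_TO_SD = 1.4826  # scales MAD to the standard deviation of a normal distribution


def robust_z(values: List[float]) -> List[float]:
    """Robust z-score (x - median) / (1.4826 * MAD).

    If MAD is 0 (most values identical), fall back to the mean absolute
    deviation so a lone deviant still scores instead of dividing by zero.
    """
    med = statistics.median(values)
    abs_dev = [abs(v - med) for v in values]
    scale = MAD_TO_SD * statistics.median(abs_dev)
    if scale == 0:
        scale = statistics.mean(abs_dev) or 1.0
    return [(v - med) / scale for v in values]


def screen_population(entries: List[Entry], threshold: float = 3.5
                      ) -> Dict[str, List[Tuple[str, float, float]]]:
    """Score every entry against its own unit; return, per unit, the
    (entry_id, amount, score) triples whose |score| exceeds the threshold."""
    by_unit: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for entry_id, unit, amount in entries:
        by_unit[unit].append((entry_id, amount))
    flagged: Dict[str, List[Tuple[str, float, float]]] = {}
    for unit, rows in sorted(by_unit.items()):
        scores = robust_z([amount for _, amount in rows])
        hits = [(eid, amount, round(z, 2))
                for (eid, amount), z in zip(rows, scores) if abs(z) > threshold]
        if hits:
            flagged[unit] = hits
    return flagged


def scope_plan(entries: List[Entry], threshold: float = 3.5) -> Dict[str, str]:
    """Turn the screening into a scoping decision per unit: units with flagged
    entries get deeper scope, units without get reduced scope."""
    flagged = screen_population(entries, threshold)
    units = sorted({unit for _, unit, _ in entries})
    return {u: ("increase scope: %d flagged" % len(flagged[u])) if u in flagged
            else "reduce scope: no outliers" for u in units}


if __name__ == "__main__":
    for unit, hits in screen_population(ENTRIES).items():
        print(unit, hits)
    print(scope_plan(ENTRIES))
```

With sampling, the single outlier in EMEA is found only if it happens to fall into the sample; scoring the whole population finds it every time and also shows that APAC and AMER, with no flagged entries, are candidates for reduced scope. A real run would stratify by account, period and preparer rather than by unit alone, and would treat the score as a prioritisation signal for the auditor, not as a finding.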
Figure 2. Impact of analytics across the audit process (table reconstructed from the original layout; the column headings "Current state" and "Next step" are inferred, and the first row's area label was not recovered)

Area: (label not recovered)
  Current state: Teams request and will test the entire inventory of analytics for a review (without consideration of results).
  Next step: Increase horizontal review across all teams.

Area: Visualization/Reporting
  Current state: Dashboards are used on a limited basis.
  Next step: Review dashboards periodically and make changes to the audit plan, as needed.

Area: Data
  Current state: Focus is on global sources. An extensive data mart exists, which is leveraged only after scope is defined in an audit.
  Next step: Expand the data mart to large regional data (e.g., India payroll and recruiting systems).

Area: Use in Execution of an Audit
  Current state: Custom analytics are requested late in the process. There is a lack of standard testing procedures for specific analytics. There is a lack of innovation at the audit level to develop new ways of testing.
  Next step: Encourage disruption using an innovative analytic approach through custom analytics. Develop standard testing procedures to have more predictable results. Train auditors on the basics of data interpretation and how to read analytic results.

Area: Analytic Capability
  Current state: Detective-focused analytics are used.
  Next step: Expand to include detective, predictive, statistical and regression analysis.

Source: Accenture. Reprinted with permission.
many additional layers of administration in an effort to "prove" it?

To take that idea a step further, the technology also creates an irrefutable transaction record and irrefutable transaction integrity (more precisely, a tamper-evident record: altering any past transaction invalidates the hash of every block that follows it, so the alteration cannot escape anyone who re-checks the chain). Those are two more of the characteristics of assurance that are traditionally produced by the audit process, meaning that in the absence of blockchain, the integrity of a transaction's historical record and the validity of the transaction itself come from extensive processes and controls. In financial services, this might occur via administration-heavy activities such as corporate trust, asset servicing and global custody; however, in any industry, there might be such controls as reconciliations, confirmations, and identity and access management. It is important to remember that this represents just the first step in the assurance process, because those processes and controls have to be "proven" by audit, which traditionally is performed in the form of forensic, point-in-time analysis (by sample) of historical transaction activity. Once that has been completed satisfactorily, the concept of assurance has been created, which enables the use of the data for purposes of tax reporting, compliance reporting, risk analysis and so on.

The fact that blockchain technology creates this concept of assurance by its nature significantly reduces the need for those processes and controls. However, it is still necessary to prove that it is, in fact, creating the needed assurance, and optics, or transparency into the technology, are needed to demonstrate that it is. This is where one can begin to see the need to transform the way of thinking about audit and assurance: Instead of creating assurance through a burdensome administrative process, it is possible to now prove assurance and provide transparency to reflect it. Some might view that as a challenge, but it is, rather, an opportunity to fully embed audit and assurance into technology and make them by-products of each transaction's inherent nature.

In other words, to enable assurance on a blockchain instance, one must begin with the technology itself. An exhaustive assessment of the underlying cryptography, key management and security around the blockchain engine is the recommended first step. The actual nature and extent of the procedures to be performed will be determined by the characteristics of the business use case, the needs of the anticipated assurance-related stakeholders (e.g., internal audit, tax, compliance), and the version of blockchain being used.

That is an important point to make with regard to what blockchain really is. The term "blockchain" refers to a data structure and protocol built from applied cryptography (hash-linked blocks, digital signatures and a consensus rule), with open-source implementations available to anyone. Because that is the case, there are many blockchain vendors, each of which has unique performance characteristics and add-ons (some even have reporting capabilities), which underscores the importance of understanding that what is being solved is a change in philosophy and not a specific, one-size-fits-all solution. Once it has been confirmed that the technology is functioning as intended, it is then a simple matter of creating the necessary reporting to meet stakeholders' transparency and optics expectations.

Ongoing review to ensure the sustainability of the assurance solution will also be necessary, but the nature, timing and extent of that review work will again be determined by the technology used, the business use case and the evolving ecosystem in which the instance is deployed. There are also fantastic opportunities for audit to provide add-on value once transaction-level assurance has been confirmed and implemented. The reason is that doing it properly requires a higher-than-average understanding of the overall business process or processes that affect the individual use case for
Agile Audit

Time constraints are an integral part of every auditor's work. Audits must finish on time. Using the allotted time efficiently is a major concern. Agile audit is primarily about increasing the efficiency mainly of complex audits by parallelizing tasks, eliminating or mitigating bottlenecks, and assigning time to the various tasks in proportion to each task's importance.

The term "Agile" usually refers to software development and emphasizes individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, and responding to change over following a plan.1 Its appropriateness to complex systems is also stressed in the Certified Information Systems Auditor (CISA) reference manual: "The term 'agile development' refers to a family of similar development processes that espouse a nontraditional way of developing complex systems."2 As an example, a project to develop personalized web-based services that had been going on for three years had an extremely negative review a month before the deadline, since nothing had been developed. A new team of four people, including a new leader, was asked to take over and they were able to meet the deadline with impressive results. The new team focused on immediately developing a working system without bothering with long meetings, documentation and formal reviews. They conducted thorough internal trials to identify and immediately correct any issues and created documentation after the system was working and stable.

Audit, on the other hand, has traditionally used fairly strict standards and frameworks, resulting in rather rigid audit engagement constraints that, essentially, represented projects. IT projects have similarly inflexible models. However, they have evolved from the formal waterfall model, which has strict steps, to less formal, but very often more efficient, models. These more efficient models are usually collectively known as Agile. In the rigid models, proportionally much more effort is put into design

In Agile models, design and specification documentation is created at the operations and support levels.

The documentation effort for the waterfall and Agile methods is illustrated in figure 1. The steep slope in the beginning of the project for the waterfall method is due to project overhead, such as project planning as well as specifications (both high-level and detailed) and design. After the design is completed, relatively little documentation is required until near the end,

Figure 1 (documentation effort over time for the waterfall and Agile methods; chart not reproduced): horizontal axis Time; curves labeled Waterfall and Agile.

The term "Agile audit" has been used before this article, and with more or less different meanings.4, 5, 6, 7, 8 It is necessary to briefly review these meanings to distinguish them from the meaning "Agile audit" is given in this article.

Spiros Alexiou, Ph.D., CISA
Is an IT auditor who has been with a large company for nine years. He has more than 20 years of experience in IT systems and has participated in and led both projects and audits employing Agile methods. He can be reached at spiralexiou@gmail.com.
• Getting all information before starting any fieldwork, even if one had enough information to carry out some steps from the very first day, creates a temporal bottleneck. In addition, when data are finally requested, getting the data involves further delays because the auditees who must provide the data may have other, higher-priority tasks or simply because extracting the necessary data as requested by the auditors may take time.
• Because planning involves limited information, risk may be over- or underestimated or missed

done other work based on assumptions about the data they had never seen, such as writing software to analyze the data while waiting for the data. Audit inefficiencies are often a strong factor resulting in drive-by audits. Because time frames and deadlines must be respected, if time is spent inefficiently, it means that auditors will be tempted to perform the trivial tests that are sure to be completed on time rather than the more involved or complex tests dealing with many important risk factors.

During an audit, the auditor is unaware of the priorities of the ultimate findings. The main goal is to discover and evaluate risk and propose controls for these areas of risk. Audit programs often essentially assume the outcome is already known and try to specify not only the risk areas, but also how each step is to be carried out. As a result, audit programs are quite suitable for compliance or drive-by audits. Operational people tend to dislike such audits as they very rarely tell them anything useful. These types of audits tend to take up a lot of time and usually result in proposals that will mean more
Figure 2. Agile vs. non-Agile audits (table reconstructed from the original layout)

Audit quality
  Agile: Generally better, as more time can be devoted to material issues
  Non-Agile: More challenging, especially for complex audits

Audit complexity
  Agile: Generally needs more highly qualified auditors
  Non-Agile: Can be executed by less qualified auditors who get a list of detailed steps

Audit flexibility
  Agile: Easier to adapt to changes in risk evaluation
  Non-Agile: Needs a formal audit program revision

Leadership
  Agile: Generally more important, at least during the initial stages
  Non-Agile: More democratic, as all team members participate more or less equally (in principle) in planning

Interference with auditees' time
  Agile: In principle, may involve more short meetings with auditees
  Non-Agile: In principle, fewer, but longer meetings, assuming all goes well

Source: S. Alexiou. Reprinted with permission.
perceived as less well planned, may result in more within the audit team. For instance, what needs
interference. Although experience does not seem to be checked and what will be needed? This
to justify this presumption—indeed Agile audits dissemination can be in the form of a simple email
seem to focus much more on material issues—the and need not be formal.
bottom line is that management and auditees
• Request data known to be necessary
usually reply positively to success. If Agile audits
straightaway, without waiting for team meetings.
result in more timely and material results, they will
If getting all data is time-consuming, focus on
probably not only be accepted, but also preferred.
a sample of the data. For instance, if extracting
As discussed earlier, the potential is there because
a large quantity of data is both necessary for
Agile audits can save time and, hence, afford more
the audit and time-consuming, request a few
time for material issues. A great deal depends, of
lines immediately and set a time frame for the
course, on the actual execution, which supports the
remaining data. Communicate data as they come
importance of a competent team and leadership.
in to the audit team. This and the previous task will
This, however, is no different from traditional audit
normally be done by the lead auditor.
management.
• Hold informal meetings with the team and
Figure 2 compares Agile and non-Agile audits. auditees to discuss the issues, ensure that
important risk areas identified by the team or the
Of course, whatever audit methodology is selected auditees are not left out, verify that all necessary
must be approved by the enterprise. data have been collected or requested, and assign
tasks. Keep track of work done, work assigned,
Agile Audit Guidelines points discussed, etc., but not in a formal
document.
Although each audit may have its own unique
characteristics, some of the Agile audit guidelines • Discuss findings as they are gathered. Once they
include: are accepted, document them and, if possible,
verify with the auditees. There is no need to wait
• Strive to gain an early understanding of the key for all the findings to verify a single, documented
audit issues and disseminate this information finding. Auditees are often more likely to
to contain the column titles in only row 1; titles or other narratives involving more than the first row of the sheet can make importing to analysis software difficult. Recipients of analysis output may have limitations on the types of files they may further process. The ability to change the type (e.g., CSV, XML) of the Excel content broadens the audience for the results. For example, when processing multiple Excel workbooks for different subsidiaries, inconsistent sheet names may hinder automated processes to import multiple files. Changing the sheet name within a workbook to a standard naming convention can facilitate automated loading of data.

If an Excel sheet uses cell color to indicate content, that color cannot be interpreted or processed by analysis tools. Converting Excel cell colors into text strings can enable further processing.

Other source file issues that may need to be overcome before analysis can continue include:

• Device control characters such as tabs and line feed may cause interpretation issues during import for other file types, not just Excel.
• Report files deserve their own treatise, but a general approach, such as that discussed in this article, will provide help on many varieties of differently structured report files.
• Compressed data usually need to be uncompressed using tools and software that may be part of the original compression process before being analyzed with other downstream analysis software.

This article elaborates on these data quality issues and suggests techniques to overcome them.

File Size Is Too Large

It is valuable to review data natively, using either the software with which the data were created (e.g., Excel) or using editors (e.g., Notepad++), before using the data in analysis tools. Some DA software tries to load an entire file for processing into memory. A very large file may exceed the memory limitations of the machine. If the data file is consistent in structure, reviewing a subset of records can help to confirm structure, such as delimiters and character qualifiers.

Microsoft PowerShell is a Windows automation and scripting platform that is built on the .NET Framework.6 The following PowerShell script streams in a file, regardless of its total size, and then extracts a subset of 100 records:

    Get-Content "\\path\sourcefile.txt" | Select -First 100 | Out-File -FilePath "\\path\sourcefile_first_100_records.txt" -Encoding ASCII

The script commandlets and parameters work as follows:
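The structure check described above (sample a subset of records, then confirm delimiter and text qualifier), as an added Python example that is not from the article and not the article's own PowerShell script. It streams only the first n lines, the way Get-Content | Select -First does, uses csv.Sniffer to detect the delimiter and qualifier, and reports whether every sampled record parses to the same number of fields. The two exports are constructed for the example; the second one contains a record with a stray delimiter, which is the failure mode a full-file import would otherwise surface much later.

```python
"""Added example (not from the article): sample the head of a large
delimited export and confirm its structure before full analysis."""
import csv
import io
import itertools
from collections import Counter

# Constructed sample export: pipe-delimited, text qualifier is the double
# quote, and one qualified field contains the delimiter itself.
SAMPLE_EXPORT = (
    'id|name|amount|note\n'
    '1|Alpha Ltd|120.50|"routine"\n'
    '2|Beta GmbH|75.00|"follow-up|needed"\n'
    '3|Gamma SA|3100.00|"ok"\n'
    '4|Delta Inc|0.00|"ok"\n'
)

# Constructed broken export: record 2 has an unqualified extra delimiter,
# so it parses to five fields instead of four.
BROKEN_EXPORT = (
    'id|name|amount|note\n'
    '1|Alpha Ltd|120.50|"routine"\n'
    '2|Beta|GmbH|75.00|"needed"\n'
    '3|Gamma SA|3100.00|"ok"\n'
)


def head_records(lines, n):
    """Return at most n lines from an iterable of lines without reading
    the rest of the stream (the file can be arbitrarily large)."""
    return list(itertools.islice(lines, n))


def sniff_structure(sample_lines):
    """Detect delimiter and text qualifier from the sampled lines, then
    check that every sampled record has the same number of fields."""
    text = "".join(sample_lines)
    dialect = csv.Sniffer().sniff(text, delimiters=",;|\t")
    widths = Counter(len(row) for row in csv.reader(io.StringIO(text), dialect))
    return {
        "delimiter": dialect.delimiter,
        "quotechar": dialect.quotechar,
        "field_counts": dict(widths),   # fields-per-record -> how many records
        "consistent": len(widths) == 1,
    }


def check_export_text(text, n=100):
    """Sample the first n records of an export held in memory and check it."""
    return sniff_structure(head_records(io.StringIO(text), n))


def check_export_file(path, n=100):
    """Same check against a file on disk; only the first n lines are read."""
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        return sniff_structure(head_records(fh, n))


if __name__ == "__main__":
    print(check_export_text(SAMPLE_EXPORT))
    print(check_export_text(BROKEN_EXPORT))
```

A "consistent": False result with a field_counts dictionary of more than one width tells the analyst which record width is the outlier before any full-file import is attempted.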
The text editor Notepad++ can be used to create a revised copy of the data after the source file backups are made. First, change the line feeds (figure 1):

2. Select the Search menu, then select Replace.
3. In the Find what box, enter \n. This specifies that the line feeds are to be located.
5. Select the Extended radio button to enable working with the device-control character symbols (\n for line feed (LF) and \r for carriage return (CR)) rather than the literals.

[Figure 1—Using Notepad++ to Remove All Line Feeds (screenshot). Source: M. Hoesing. Reprinted with permission.]
Excel is a popular and affordable desktop tool, and many applications that auditors wish to analyze have capabilities to export their data to Excel. The Excel file structure is a convenient way to gather audit evidence; however, it is important to understand the challenges this format can present to enable correction.

Device-control Formatting in Character Fields

Device-control characters, such as line feeds in an Excel worksheet within a text cell, may cause analysis software to break an Excel line into multiple records. In most cases, a line in an Excel sheet represents a complete record; breaking an Excel line in the middle can cause misinterpretation during import to an analysis tool. Also, device control characters inside

2. Copy the formula down column C for every row of column B.
3. Select the data needed in the worksheet, including the new column and excluding the damaged column (column B, which contains line feeds).
4. Paste special values to a new worksheet.

The new worksheet will not have the device-control characters (e.g., tab, CR and LF) embedded within the cell content; therefore, downstream analysis software will not try to break a single record into multiple records during an import step, because the Excel structure will identify the termination of a record utilizing its proprietary line numbering rather than CRLF.
• $Workbook = $xl.Workbooks.open($filepath) to open the current Excel workbook
Source: M. Hoesing. Reprinted with permission.

The second commandlet defines the new name of the loaded worksheet, the final commandlet saves the Excel workbook and the revised worksheet name is saved as part of the workbook.

Turning Excel Cell Colors Into Data

Color added to worksheet cells may contain meaning and be visually appealing, but that meaning or context is not able to be interpreted during import into most analysis software. Usually,

Device-control Characters Outside of Excel

Hex editors can reveal and rectify some character codes within a file before they cause trouble. American Standard Code for Information Interchange (ASCII) codes x01 through x1F (1 through 31 decimal) are generally used to control devices and are normally not data. Replacing these device-control characters with a blank space (ASCII code x20, i.e., decimal 32) usually does not harm the data content and may be necessary for the file to properly process
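An added Python example, not from the article, of the two clean-ups described in this section and in the Excel section above: replacing ASCII x01 through x1F with a blank space in a raw file while keeping the record terminators, and removing control characters embedded inside qualified CSV fields so that downstream software no longer splits one record into several. The CSV input is constructed; Python's csv module stands in for Excel's formula-and-paste-special steps, and the choice to keep CR and LF as record terminators by default is this example's assumption, since a file-wide replacement would merge every record into one.

```python
"""Added example (not from the article): scrub device-control characters
from a raw file and from qualified CSV fields without breaking records."""
import csv
import io

# ASCII x01 through x1F are device-control codes; x20 is the blank space.
CONTROL_CODES = range(0x01, 0x20)


def control_translation(keep=(b"\r", b"\n")):
    """Translation table mapping every control code except those in `keep`
    (by default the record terminators CR and LF) to a space (0x20)."""
    src = bytearray(code for code in CONTROL_CODES if bytes([code]) not in keep)
    return bytes.maketrans(bytes(src), b" " * len(src))


def scrub_control_bytes(data, keep=(b"\r", b"\n")):
    """Return `data` with control codes replaced by spaces, preserving the
    characters in `keep` so that record boundaries survive."""
    return data.translate(control_translation(keep))


def naive_record_count(text):
    """What a line-oriented importer sees: every CR or LF ends a record."""
    return len(text.splitlines())


def parsed_record_count(text):
    """What a qualifier-aware parser sees: LF inside quotes stays in a field."""
    return sum(1 for _ in csv.reader(io.StringIO(text)))


def clean_csv_text(text):
    """Parse with the text qualifier honoured, replace control characters
    inside each field with a space, and write the records back out."""
    table = {code: " " for code in CONTROL_CODES}
    out = io.StringIO()
    writer = csv.writer(out)            # csv.writer terminates records with CRLF
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([field.translate(table) for field in row])
    return out.getvalue()


# Constructed CSV: record 1 carries an LF inside a qualified field and
# record 2 a tab, the situation the Excel section describes.
EMBEDDED_LF_CSV = 'id,comment\r\n1,"line one\nline two"\r\n2,"tab\there"\r\n'

if __name__ == "__main__":
    print(naive_record_count(EMBEDDED_LF_CSV), "records by line splitting")
    print(parsed_record_count(EMBEDDED_LF_CSV), "records by CSV parsing")
    print(repr(clean_csv_text(EMBEDDED_LF_CSV)))
    print(scrub_control_bytes(b"A\x01B\x1fC\r\nD"))
```

Comparing naive_record_count with parsed_record_count on a suspect file is a quick way to confirm that embedded control characters, rather than genuinely extra records, explain a mismatch between the source system's record count and the importer's.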
Standardized Scoring for Security and Risk Metrics

With breaches and hacks in the news every day, information security is now firmly on the board’s agenda. While certainly difficult to do, measuring security is fundamental to understanding it. Technology risk metrics monitor the accomplishment of goals and objectives by quantifying the implementation, efficiency and effectiveness of security controls; analyzing the adequacy of information security program activities; and identifying possible improvement actions.1 Most security metrics programs are typically based on two assumptions: There is a secure way to manage any system, and the task of security management is to maintain that state.2

Measuring Security

The quantification of technology risk is an idea that continues to captivate. Parallels are drawn with credit and market risk, both of which allow currency-based means of risk quantification. There have been many attempts (including some that have been regulator prodded) where the concept of value-at-risk has been sought to be applied to operational risk, of which technology risk is a subset.

The measurement of information security risk is challenging. Realized outcomes for IT risk tend to be clustered toward the extremes, and the most likely outcome for a company is generally no losses, with a tiny probability of very high losses. Efforts at quantification have involved either black-box logic, such as modeling loss distributions based on extreme-value theory,3 or the combination of various security metrics (often using weighted averages) as a composite metric. No approach has been successful enough to win any level of widespread adoption, and nearly all have failed to create a measure that correlates with and is predictive of realized operational losses. In fact, the Advanced Measurement Approach for operational risk,4 which requires modeling operational risk using mathematical models akin to those used for market and credit risk, will soon be scrapped in favor of a simpler approach—an admission that operational risk, of which technology risk is a component, is structurally different from financial risk.

Most security metrics and risk quantification programs have, therefore, ended up focusing on building dashboards and scorecards that cast a wide net, mostly looking at control compliance. Technology risk reporting at most organizations almost always consists of tables of security metrics, often highlighted using a traffic-light convention.

Metrics relating to different information security areas use a diverse set of units of measure, and the numbers often need an interpretation unique to a given measure. For a senior executive who may not be well versed in the technical details of what each metric represents, the interpretation of how good or bad a number is can be a challenge. This article proposes an approach to assess and interpret security and risk metrics using standardized scores.

Interpreting Security Metrics

Security metrics for any corporation generally tend to be numerous, often numbering in the dozens, if not the hundreds. The sheer quantity of metrics often overwhelms the task of messaging. To confound matters, metrics come in different forms. Some metrics are absolute numbers, e.g., the number of vulnerabilities discovered in an application. Some metrics are averages, e.g., the mean time to repair. Others may be percentages (or ratios of some sort in a generalized form), e.g., the percentage of workstations not patched. Metrics may also be ranked statistics, such as league tables comparing divisions or regions.

Mukul Pareek, CISA, ACA, ACMA, PRM
Is a risk management professional based in New York, USA. He is the copublisher of the Index of Cybersecurity (www.cybersecurityindex.org) and the author of the risk education website www.riskprep.com. He has more than 25 years of experience in audit, IT and information security and has been published on multiple topics relating to risk measurement in the ISACA® Journal.
Month | Machines missing patches
June | 420
July | 60
August | 321
September | 331
October | 260
November | 318
December | 189
Source: M. Pareek. Reprinted with permission.

Converting Metrics to a Score

Interpreting a metric, i.e., deciding whether the metric represents a good state or a bad state, generally requires the consideration of a number of factors based on the metric, the context, and the intuition and judgment of the risk analyst. Much of this human interpretation is actually quite straightforward. Metrics, whether expressed as a number or a percentage, require the following considerations:

1. What was the number in the periods prior, i.e., what is the rate of change in the metric compared to the past?

The first consideration represents the rate of change, or the first derivative. A person

Theoretically, even with all the possible data that could be identified, it would probably still be necessary to know how long it takes to remediate each of these exceptions. For example, if the average time required to fix each exception is one man-day, it could be said that there are, theoretically speaking, 89 man-days of work needed to get to the desired good state. This could then be considered in the scoring of the metric as the distance-to-controlled state (similar to the concept of distance-to-default used for credit risk). But such data are difficult to come by and are subject to individual perspectives and debate. If credible time-to-repair data are available, they could be used in a fairly straightforward way, but for the moment, this line of thinking will not be pursued.

3. What is the extent of persistence over time in the unfavorable elements represented by the metric?

This represents the extent of churn or turnover in the constituents of the metric. Persistence relates to the aging of the security attribute measured by the metric. When 189 machines are reported as missing patches in December, it is probably also useful to know if these were the same machines
mean that the state of their controls is

For the month of December in the hypothetical metric, the value of the distance measure is -0.89.

For the purposes of this article, 34 percent will be the simple representation of the persistence measure. Alternatively, the proportion for more than 90 days could have been used as the measure if it were more relevant. In that case, since a higher number represents a worse situation, the number

Converting the Interim Calculations to an Absolute Score

Now that the interim score has been calculated, the scaled score can be calculated. Such a conversion can be performed using a mathematical function

[Figure 3: plot of the logistic function; x-axis Input Provided (-3 to 3), y-axis Function Value (0 to 1). Source: M. Pareek. Reprinted with permission.]

The remaining part of this article uses the logistic function5 (also called the inverse logit function) to convert these measures to a number that varies between 0 and 10. The logistic function has the property that for a given input, it provides a result that varies between 0 and 1 and is very linear for a range around 0, except around the extremes where it gets close to 0 or 1. Once a scored number between 0 and 1 is found, it can be scaled to a range, e.g., 0-10, by multiplying the result by 10.

Logistic function-based score = 10 * Exp(average of velocity, distance and persistence scores) / (Exp(average of velocity, distance and persistence scores) + 1)

[Figure 4—Inverse Logit Function of the Range -10 to +10: plot of the inverse logit function over inputs -10 to +10, y-axis Function Value (0 to 1).]

Figures 3 and 4 show the behavior of the logistic function. The function is near linear for small numbers and gets close to a maximum or minimum value fairly quickly as the departure from 0 becomes large. This is desirable for security metrics, so if a metric depicts a very unfavorable or a very desirable
The values of the z-scores for the example used earlier are shown in figure 6. Figure 7 shows a comparison of the two approaches: the standardized scores calculated according to the

[Figure 7—Scaled Metric Values for Missing Patches Using Both Approaches: chart by month, Feb to Dec, y-axis scaled score 0.00 to 10.00.]
1 Configuration Management Tools

Most organizations—at least those larger than a few dozen employees—have some methodology and supporting application footprint to support creating and maintaining an inventory of fielded systems, components and equipment. This might be one central, integrated system or it might be multiple smaller and disparate ones spread throughout the organization (e.g., in a situation where each business unit maintains its own separate inventory).

In fact, assurance teams oftentimes interact with these systems in the course of doing their work. For example, they might review reports from asset management databases to ensure that specific goals are met (e.g., decommissioning of systems no longer in use, correlation of system information to business purpose). However, use of these tools can extend well beyond the simple viewing of reports or interaction on a particular assessment to a broader one that can help to streamline the audit process in the future.

First and foremost, the automation functionality of many of these tools can be directly leveraged. In cases where configuration information is collected in automated fashion via the tool (e.g., via a remote agent or over the network), that information can be adapted to help streamline configuration review across the board. Rather than fighting to get budget for a special-purpose configuration reviewing tool (or, worse yet, reviewing those configurations manually), can the asset management tool enable automation of that review process? In many cases, the answer is yes.

Alternatively, if an organization employs automated configuration management (e.g., Puppet [https://puppet.com] Chef [https://www.chef.io/chef]) either for rapid development or as a security control, this information can directly feed into an assurance activity. Not only can it be a repository of information about configuration, but it can also be leveraged in many cases to help evaluate a given configuration relative to a known benchmark.

2 Business Continuity and Disaster Recovery Environments

One of the hardest things to analyze can be the role of—and interactions between—systems in the environment. Specifically, this refers to assessing what role a given system (or set of systems) plays in a business process and understanding what else with which it might interact and on what it depends. Determining those things can often entail numerous interviews with business subject matter experts and often can involve quite a bit of investigation to get to a reliable answer.

One way to potentially streamline this process is to look for information that might already be collected that can help shine light on those relationships. One source of information that can assist here is in the business continuity planning (BCP)/disaster recovery (DR) space. Specifically, processes such as business impact analysis (BIA) that support identification of critical systems for a given business process can help identify critical systems and relationships. So the data from a BIA can immediately provide valuable information to the assurance team. Beyond this, though, there can be valuable information that can be gleaned from a DR or business continuity (BC) environment that is otherwise challenging to collect on its own, e.g., traffic patterns that are indicative of active communications. In many cases, a DR environment is less “noisy” than the production environment it reflects, so analysis of traffic patterns (to determine what talks to what) can be easier to accomplish.

3 Data Loss Prevention

One additional tool that can be potentially valuable to the assessor is data loss prevention (DLP) tools. Typically deployed as a security mechanism, the purpose of these tools is to analyze data and flag situations where potentially sensitive data are in a location where they should not be (e.g., an outbound email, a public file share).

Should an organization already have a tool along these lines, it can prove invaluable for assurance teams. Why? Because it can help assurance teams evaluate the presence or absence of data in a particular locality that might be relevant to an audit. For example, an auditor might wish to assess whether a control designed to limit the exposure of information (e.g., encryption) is working as intended. That can be challenging to do leveraging manual methods; leveraging a DLP tool, should there already be one in the environment that can be adapted for this purpose, can streamline that process and more readily alert the assessor to the presence or absence of that information. In other words, it can verify the effective operation of the control.

It bears saying that it is less likely that an enterprise will have a DLP in place compared to the prior tools outlined; in fact, only a subset will have DLP at the ready to employ to enable audit. In this case, free alternatives may be investigated such as OpenDLP (https://code.google.com/archive/p/opendlp), MyDLP (https://www.mydlp.com), or special-purpose command-line tools such as ccsrch (https://adamcaudill.com/ccsrch).

Conclusion

These are, of course, only a few examples of situations where existing tools can be retargeted to assist in assurance activities. Many more tools can provide value to the assessor. By evaluating how tools already fielded in the organization can be leveraged to assist in assurance activities, the audit team can squeeze additional value from investments already made; moreover, as new needs are identified and the audit team becomes more accustomed to partnering with other teams on tool use, opportunities to collaboratively partner and bring in additional tools might also arise.

Ed Moyle
Is director of thought leadership and research at ISACA®. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.
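The benchmark comparison the first section describes (facts collected by an inventory or configuration-management tool, evaluated against a known good configuration), as an added Python example that is not from the article and not any tool's real interface. The facts export, its shape, and the setting names are constructed for the example; a real Puppet or Chef export would need its own adapter into the same per-host record. The example treats a setting the tool did not collect as its own exception rather than silently passing it, since an assurance team cannot conclude anything about a control it has no evidence for.

```python
"""Added example (not from the article): evaluate collected configuration
facts against a benchmark and produce exception records for assurance."""
import json

# Constructed facts export in a shape such a tool might produce (assumed);
# setting names are illustrative, not any tool's real keys.
FACTS_EXPORT = json.dumps([
    {"host": "srv-01", "facts": {"ssh.password_auth": "no",
                                 "ntp.enabled": True,
                                 "firewall.enabled": True}},
    {"host": "srv-02", "facts": {"ssh.password_auth": "yes",
                                 "ntp.enabled": True,
                                 "firewall.enabled": False}},
    {"host": "srv-03", "facts": {"ssh.password_auth": "no",
                                 "ntp.enabled": True}},   # firewall fact absent
])

# Benchmark: expected value per setting (illustrative).
BENCHMARK = {
    "ssh.password_auth": "no",
    "ntp.enabled": True,
    "firewall.enabled": True,
}


def evaluate_host(record, benchmark):
    """Return one exception per benchmark setting that is either not present
    in the collected facts or differs from the expected value."""
    exceptions = []
    facts = record.get("facts", {})
    for setting, expected in benchmark.items():
        if setting not in facts:
            exceptions.append({"host": record["host"], "setting": setting,
                               "expected": expected, "actual": None,
                               "reason": "not collected"})
        elif facts[setting] != expected:
            exceptions.append({"host": record["host"], "setting": setting,
                               "expected": expected, "actual": facts[setting],
                               "reason": "deviates from benchmark"})
    return exceptions


def evaluate_export(export_json, benchmark):
    """Evaluate every host in the export. Returns (exceptions, compliant
    hosts); a host is compliant only when it has no exception at all."""
    exceptions, compliant = [], []
    for record in json.loads(export_json):
        host_exceptions = evaluate_host(record, benchmark)
        if host_exceptions:
            exceptions.extend(host_exceptions)
        else:
            compliant.append(record["host"])
    return exceptions, compliant


def summarize(exceptions):
    """Count exceptions per setting, the figure a finding usually cites."""
    counts = {}
    for e in exceptions:
        counts[e["setting"]] = counts.get(e["setting"], 0) + 1
    return counts


if __name__ == "__main__":
    found, ok = evaluate_export(FACTS_EXPORT, BENCHMARK)
    print(json.dumps(found, indent=2))
    print("compliant hosts:", ok)
    print("exceptions per setting:", summarize(found))
```

The exception list, not the compliant-host list, is what the assurance team samples: each record names the host, the setting, the expected and actual values and the reason, which is the evidence trail a workpaper needs.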
Please note that the guidelines are effective 1 September 2014. An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director, Thought Leadership and Research via email (standards@isaca.org); fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.
© 2017 ISACA. All rights reserved. ISSN 1944-1967.
ISACA BOOKSTORE
RESOURCES FOR YOUR
PROFESSIONAL DEVELOPMENT
www.isaca.org/bookstore
NEW! ISACA Privacy Principles and Program Management Guide by ISACA
The main purpose of ISACA Privacy Principles and Program Management Guide is to provide readers with a harmonized privacy framework. The book offers a set of privacy principles that align with the most commonly used privacy standards, frameworks and good practices, as well as fill in the gaps that exist among these different standards. This practical guide can support or be used in conjunction with other privacy frameworks, good practices, and standards to create, improve and evaluate a privacy program specific to the practitioner’s enterprise. Special guidance on how to use the COBIT 5 framework to implement a more robust privacy program is included in this publication.
PRINT: Product Code: IPP, Member / Nonmember: $35.00 / $70.00
WEB DOWNLOAD: Product Code: WIPP, Member / Nonmember: $35.00 / $70.00
Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT by ISACA
How do organizations know they are effectively utilizing enterprise technology resources to best realize business goals?
Do organizations know the extent to which their business goals are dependent on technology? How do they know the
technology they have in place is providing value and realizing the expected return on investment?
Governance of enterprise IT (GEIT) is the systematic process of answering these and other related questions.
Implementing a GEIT system can bring many benefits to an organization, including lower costs, greater control, more
efficient and effective use of resources, and overall better strategic alignment and risk management. The primary
purpose of adopting and using a GEIT system is to deliver value to stakeholders. This guide provides the necessary
steps to implement GEIT to help the enterprise achieve its goals and demonstrate value delivery.
This guide is intended for people who are new to GEIT or have recently been tasked with implementing a GEIT structure. Whether the enterprise is already familiar with GEIT concepts and practices or is exploring the possibilities, this guide will help provide an understanding of the steps to implement GEIT and examples of the benefits of GEIT, so that buy-in from senior leadership can be obtained and a framework to guide implementation efforts can be used.
WEB DOWNLOAD: Member / Nonmember: FREE / $15
Browse a variety of publications featuring the latest research and expert thinking on standards, best practices, emerging trends and more at https://support.isaca.org
FEATURED BOOKS
COBIT® 5
COBIT 5 is the overarching business and management framework for governance and management of enterprise IT.
This volume documents the five principles of COBIT 5 and defines the 7 supporting enablers that form the
framework.
COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary
version incorporates the latest thinking in enterprise governance and management techniques, and provides
globally accepted principles, analytical tools and models to help increase the trust in, and value from, information
systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and
resources, including:
• ISACA’s Val IT and Risk IT
• Information Technology Infrastructure Library (ITIL)
• Related standards from the International Organization for Standardization (ISO)
COBIT 5 helps enterprises of all sizes:
• Maintain high-quality information to support business decisions
• Achieve strategic goals and realize business benefits through the effective and innovative use of IT
• Achieve operational excellence through reliable, efficient application of technology
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology
• Support compliance with relevant laws, regulations, contractual agreements and policies
PRINT: Product Code: CB5, Member / Nonmember: $35.00 / $40.00
Please note that COBIT 5 is also available as a complimentary web download to both ISACA members and nonmembers.
This guide and COBIT 5 recognize that information technologies are pervasive in enterprises and that it is neither
possible nor good practice to separate business and IT-related activities. The governance and management of
enterprise IT should therefore be implemented as an integral part of enterprise governance, covering the full
end-to-end business and IT functional areas of responsibility.
This publication provides a good-practice approach for implementing governance of enterprise IT (GEIT) based
on a continual improvement life cycle that should be tailored to suit the enterprise's specific needs. It covers the
following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
PRINT: Product Code: CB5IG, Member / Nonmember: $35.00 / $55.00
Please note that COBIT 5 Implementation Guide is also available as a complimentary web download to both ISACA members and nonmembers.
With information and technology at the heart of creating value for enterprises, it is more important than ever for
organizations to optimize their IT assurance approach in order to effectively identify related risks and opportunities.
Created with today’s increasingly complex business and technology landscape in mind, COBIT 5 for Assurance can be
used for many different purposes including:
• Obtaining a view (based on COBIT 5 concepts such as the enablers) on current good practices on assurance
• Learning how to use different COBIT 5 components and related concepts for planning, scoping, executing
and reporting on various types of IT assurance initiatives
• Obtaining a view of the extent to which the value objective of the enterprise (delivering benefits while optimizing risk and resource use) is achieved
Unified Approach—COBIT 5 for Assurance lets assurance professionals leverage COBIT 5 when planning and performing assurance reviews, which unifies an organization's business, IT and assurance professionals around a common framework, objectives and vocabulary, making it easier to reach consensus on any needed control improvements.
Easy-to-Follow—COBIT 5 for Assurance provides a roadmap built from well-accepted assurance approaches that enable assurance professionals to effectively plan, scope and execute IT assurance initiatives, navigate increasing technology complexity, and demonstrate strategic value to IT and business stakeholders.
Comprehensive Guidance—COBIT 5 for Assurance brings the unmatched rigor and scope of COBIT 5 to the audit
function, enabling the audit team to significantly improve their current approaches and ensure that they are
addressing all aspects of IT assurance.
PRINT: Product Code: CB5A, Member / Nonmember: $35.00 / $80.00
WEB DOWNLOAD: Product Code: WCB5A, Member / Nonmember: $35.00 / $75.00
COBIT® 5: Enabling Processes
This publication complements COBIT 5 and contains a detailed reference guide to the processes defined in the
COBIT 5 process reference model.
DISCOUNTS ON ISACA PUBLICATIONS AND RESEARCH
UP TO 30% DISCOUNT on exam preparation materials
UP TO 25% DISCOUNT on hotel and travel
US $45 SAVINGS on select audit/assurance programs
UP TO 40% DISCOUNT on shipping
Discounts to ISACA’s 20 TRAINING WEEK options
DISCOUNTS ON ONLINE COURSES
CONFERENCE AND WORKSHOP DISCOUNTS
ASK about the value of ISACA membership, and you’ll learn about the ever-growing
Access, Savings and Knowledge ISACA members receive. As an ISACA member,
you’ll be a key part of a global professional organization dedicated to advancing your career,
helping your organization innovate, and advocating for your profession.