ISACA Research Initiatives
Presented by
Shannon Donahue, PhD, CISM
sdonahue@isaca.org
Practical & Pragmatic Guidance
GPC
The Guidance & Practices Committee (GPC) is responsible for developing practical and pragmatic guidance for ISACA’s constituents related to ISACA’s frameworks, emerging technologies and other issues that are relevant to members.
GPC Deliverables
• Creating a Culture of Security
  – Builds upon ISACA’s Business Model for Information Security (BMIS) to examine how culture impacts information security
  – Provides practical advice on how to influence an enterprise culture
GPC Deliverables
• IT Control Objectives for Cloud Computing
  – Explores security, risk and assurance issues in Cloud
  – Provides mapping of Cloud Computing to COBIT 4.1
GPC Whitepapers
• Cloud Computing: Business Benefits with Security, Assurance and Governance Perspectives
  – Available at www.isaca.org
  – Also available is a webcast focusing on the whitepaper
White Papers Issued in 2011-2012
1. Electronic Discovery
2. Sustainability
3. Leveraging XBRL for Value
4. Data Analytics – A Practical Approach
5. Geolocation: Risk, Issues and Strategies
6. Mobile Payments: Risk, Security & Assurance Issues
7. Guiding Principles for Cloud Computing Adoption and Use
8. Incident Management and Response
9. Virtualized Desktop Infrastructure (VDI)
10. Calculating Cloud ROI
Currently there are 19 white papers available at www.isaca.org/research
Guidance and Practices
Cloud Projects
• IT Control Objectives for Cloud Computing – Issued July 2011
• Guiding Principles for Cloud Computing – Issued March 2012
• Governance of IT for Cloud Computing – in development
• Cloud Vision Series
  – Security in the Cloud – September 11, 2012
  – ROI in the Cloud – July 2012
  – Vendor Management in the Cloud – Q2 2013
Audit Programs
The GPC is responsible for creating audit programs. There are over 30 audit programs which are free for members. Some topics include:
– IPv6 Security Audit / Assurance Audit Program
– VOIP Audit / Assurance Program
– Microsoft Exchange Server 2010 Audit / Assurance Program
– Microsoft SharePoint 2010 Audit / Assurance Program
– VMware Server Virtualization Audit / Assurance Program
– Social Media Audit / Assurance Program
Security, Audit &
Control Features Series
• Security, Audit and Control Features PeopleSoft, 3rd Edition
  – Focuses on the attributes and incremental functionality in the most recent version of PeopleSoft
  – Audit / assurance program and internal control questionnaire available as a download to members: www.isaca.org/research
• Others in series include:
  – Oracle Database 3rd Edition
  – SAP ERP 3rd Edition
  – Oracle E-Business Suite 3rd Edition
Guidance and Practices
Future Projects
Questions For You
• What topics would be on your list?
• Can you/your staff/your chapter provide resources (SMEs) to help?
• Do you know about the Chapter Research Directors?
What other questions do you have?
2012 Europe/Africa Leadership Conference,
Munich, Germany, 8-9 September
Successful Delivery of the Basic
Membership Benefits
Sue Milton, President, London Chapter
2012/13 Benefits Strategy
• Objective: to engage with the wider ISACA London Chapter membership through benefit provision, thereby encouraging greater membership retention.
Demographics
4th September 2012 (8th):
• Membership total: 2641 (2661)
• CISA: 1391 (1401)
• CISM: 484 (488)
• CGEIT: 80 (81)
• CRISC: 320 (323)
• Events attract 100 – 120.
• Exam revision: 6 – 12 people at each session.
Proposal for 2012/13 Events
• Stream 1: Monthly Thursday events. Longer sessions for 1.5 CPEs so the minimum requirement of 20 CPEs is more easily achievable.
• Stream 2: introduce a series of events at Canary Wharf, London’s 2nd financial centre, now employing more staff than the City.
Introduction to the GRA – SC (Government Regulatory Advocacy Sub-Committee)
What is ISACA?
Vision and Mission
ISACA’s vision (to aspire to as an organization):
“Trust in, and value from, information and information systems”
ISACA’s mission (to guide decision making and investments):
“For professionals and organizations be the leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance”
What does ISACA do?
Respected Professional Credentials
70,000+ CISAs certified since inception in 1978
4,000+ CGEITs certified since inception in 2007
12,000+ CISMs certified since inception in 2003
10,000+ CRISCs certified since inception in 2010
ISACA Member Benefits
Professional Development: increasing your value, advancing your career
• E-Library
• E-Symposia and Virtual Trade Shows (VTS) (free CPE quizzes) and Webcasts
• Career Centre
• CISA, CISM, CGEIT, CRISC discounts
• Mentoring (free CPE)
• Reduced certification maintenance fees
• Conference/training discounts
• Bookstore discounts
Research and Knowledge: opening the door to thought leadership, research and knowledge
• Journal (free CPE)
• Research publications (many free to members!)
• COBIT 4.1
• Val IT
• Risk IT
• ITAF
• BMIS
• COBIT mappings
• COBIT Security Baseline 2nd Ed.
• Interactive Web site
• Audit programs and ICQs
Community & Leadership: connecting you with a global community of nearly 100,000
• Networking
• Leadership opportunities at local and global level
• Enhanced online communities via new ISACA web site
Local Chapters: providing a local network of professionals
• Low-cost education
• In person training
• Exam preparation
• Business and social events
• Engage with people who understand your professional needs
Key Responsibilities
• Increase ISACA’s visibility by promoting ISACA members’ credibility and capability, the value of ISACA’s certifications, and the robustness of COBIT and all knowledge products, including professional development
• On behalf of ISACA, monitor, coordinate and potentially respond to regulatory and/or legislative issues that may impact ISACA members and certification holders professionally.
What does the GRA do?
 2012 Focus
 National Audit Bodies
 Reserve banks and financial services regulators
 Agencies focused on Cyber Security, Privacy and Forensics
 National Workforce and IT Skill Development
 Communicate Subcommittee activities and opportunities for regulatory
and legislative advocacy to ISACA Chapter leaders and members
IT Audit Regulation in Turkey
Kaya Kazmirci, CISA, CISM
Chapter President
Assoc. Prof. Dr. İzzet Gökhan Özbilgin, CRISC
Government Relations Director
Leadership Conference
Munich, 8.9.2012
IT Audit Regulation
• Banking Regulatory and Supervision Agency
• Capital Markets Board of Turkey
• Turkish Court of Accounts
• Information Technology and Communication Agency
• Republic of Turkey Prime Ministry Undersecretariat of Treasury
Banking Regulatory and
Supervision Agency
• www.bddk.org.tr
• Regulation on IS Audit to be made in banks by independent audit institutions (published in the Official Gazette dated December 5, 2006)
  – Communiqué on the report format of IS Audit
• Mandates statutory CobiT compliance for banks (1st in Europe, maybe in the world)
Banking Regulatory and
Supervision Agency
• Article 19 says: “each control object realized in the scope of articles written in regulation is evaluated in compliance with the methods in the framework of CobiT”
Capital Markets Board of Turkey
• www.spk.gov.tr
• Regulations based on CobiT, ISO 27001.
• IT Audit is implemented periodically in organizations regulated by CMB (e.g. İstanbul Stock Exchange, Central Registry Agency)
• Regulation on IS Audit for the brokerage houses implementing foreign exchange
Other institutions
• Turkish Court of Accounts
– www.sayistay.gov.tr
• Information Technology and Communication Agency
– www.btk.gov.tr
• Republic of Turkey Prime Ministry Undersecretariat of Treasury
  – www.treasury.gov.tr
Communities Committee
and Knowledge Center
Overview
2012 Europe/Africa Leadership Conference
Miroslaw Kalinski,
CC member, ISACA Warsaw chapter
Communities Committee
Charge: Identify and support activities to encourage the development of ISACA communities.
• Analyze community characteristics of all visitors to the web site to identify community interests or opportunities to develop communities based on characteristics such as language, geography, etc.
• Assist boards, committees and task forces to identify communities that may support project or program initiatives.
• Identify online communities outside the website and determine response.
• Develop criteria to evaluate Communities Committee program activities and report progress to the Relations Board.
• Develop programs to create and support communities.
The Knowledge Center
The Objective is Participation… (“How do you secure the cloud?”, “I need an audit program”) …the Goal is Community
[Chart: Total and Unique Members, as of 1 September 2012; two series, Total and Unique, plotted over time]
© 2012 ISACA. All rights reserved - Confidential
The Knowledge Center houses all of
ISACA’s research deliverables as well as
topic-based communities.
Resources and Collaboration
Knowledge Center Topics
[Chart: Top 10 Communities, as of 1 September 2012; member count per Knowledge Center community]
THANK YOU!!!!!