Volume 19, 15 September 2010
In This Issue:
• Nominations Are Open!
• 10 Tips to Managing Privacy
• Support Cyber Security Awareness Month
• AICPA/CICA Releases Exposure of Privacy Maturity Model for Comment
• CRISC Domains, COBIT Processes and ISACA Certifications Established Worldwide
• Virtual Seminar and Tradeshow Will Address Enterprise Risk
• Book Review: Outsourcing IT: A Governance Guide
Nominations Are Open!
Nominations for the ISACA® Board of Directors for the 2011-2012 term are now open. Visit the
Volunteering page of the ISACA web site for information about serving on the board, the
attributes for office (both international president and vice president) and the nomination form.
Members may submit nominations for themselves or for others (or both). All nominations will
be acknowledged and all candidates will be required to complete a candidate profile form that
serves to confirm the candidate’s willingness to serve if selected and provides the Nominating
Committee information on which to evaluate the candidate. Information on candidates will be
gathered in other ways as well, including review of public web sites (e.g., Google, Facebook,
LinkedIn) and interviews with the candidates.
Nominations for the Board of Directors close on 7 January 2011.
10 Tips to Managing Privacy
By Victor Chapela
Managing privacy is managing trust. The following points are important to keep in mind when working toward managing privacy:
1. To manage privacy correctly, you need to recognize each person as the owner of his/her personal data. Therefore, you need to inform each individual data owner and ask his/her permission before using the data.
2. Each person should be able to determine and limit the storage, processing and use of data in which he/she is personally identifiable.
3. Different countries take different approaches to enforcing privacy, but in most cases sensitive information is defined as information that could be used to discriminate against a person. Examples are racial or ethnic origin; health records; religious, philosophical or moral beliefs; political affiliation; and sexual preferences.
4. Intimacy data, such as the examples just mentioned, are in general well regulated. Identity data, however, are not as closely guarded by regulation and may carry similar or even greater risk for companies and individuals alike. Identity data include government-issued identification numbers, logins and passwords, and credit and debit card numbers.
5. Identity data are highly valued and actively sought by organized crime to commit fraud. This type of data should be classified based on the threat level (i.e., the value of the data to criminals or competitors) and not on the internal value of the information (which, in some cases, could be almost zero).
6. By managing data privacy correctly, information security requirements may be met as well. Both security and privacy can be handled better by classifying and managing data based on risk levels.
7. Classification should take into account two very different aspects: a privacy impact analysis (compliance with applicable laws and regulations) and a data threat analysis (determining risk levels based on the data's external value).
8. For each risk classification level, the full data life cycle must be analyzed, from reception or generation of the data through its destruction. A privacy policy and standards for each data risk level's life cycle must then be defined based on that analysis.
9. Legal, organizational and technical controls must be considered for each classification level and then implemented based on information assets and groups.
10. Privacy is not only about compliance. Through privacy, you guarantee each person's rights and, by doing so, you increase your stakeholders' trust.
Victor Chapela is founder and chief executive officer of Sm4rt Security Services. He is
coauthoring a book on the evolution of risk and is a frequent speaker at conferences around
the world.
Support Cyber Security Awareness Month
Held each October since 2001, National Cyber Security Awareness Month (NCSAM) is an
annual US public awareness campaign that encourages knowledgeable IT professionals to
reach out to their communities and teach them how to be safe and secure online. This event,
made possible through the collaboration of the US Department of Homeland Security (DHS),
the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and
Analysis Center (MS-ISAC), chooses the month of October to shed a brighter light on what
home users, schools, businesses and governments need to do to better protect their
computers, children and data from the hazards of online activities.
As an official endorser of this program, ISACA® is urging its US-based members to support this
effort within their own communities. Below are a few examples of what can be done to support
NCSAM:
• Volunteer to teach basic cybersecurity practices in your community (e.g., at local schools, PTA meetings, scouting organizations, rotary clubs or other community forums).
• Write an article about safe online practices for your local newspaper, community web site or company newsletter.
• Show your support for National Cyber Security Awareness Month by displaying NCSAM banners on your personal web site in October. Encourage your employer to do the same.
• Download free security white papers from ISACA and share them with your employer and colleagues.
Visit StaySafeOnline.org for more information regarding the program, suggested support activities and support materials. Note that, in addition to providing a valuable service to your community, holders of any ISACA certification can earn continuing professional education (CPE) hours [1] by giving presentations and publishing articles that promote safe online practices.
[1] To earn CPE, certification holders should ensure that they have third-party verification (by chapter leadership or the organization that hosted the presentation) that the presentation was conducted.
AICPA/CICA Releases Exposure of Privacy Maturity
Model for Comment
The Joint Privacy Task Force of the American Institute of Certified Public Accountants (AICPA)
and the Canadian Institute of Chartered Accountants (CICA) has released an exposure of the
newly developed Privacy Maturity Model (PMM) and is inviting comments on the model.
The PMM, based on Generally Accepted Privacy Principles (GAPP), maps the maturity levels of the Capability Maturity Model to the criteria in GAPP and outlines what is expected of a privacy program at each level.
Comments from ISACA® members are encouraged and welcome. To be considered, all
comments must be submitted by 1 October 2010.
Visit the AICPA web site for a complimentary PDF version of the privacy model and
instructions on how to comment.
CRISC Domains, COBIT Processes and ISACA
Certifications Established Worldwide
The government and regulatory agencies (GRA) subcommittees (ISACA® has one for each of
its five regions worldwide) have provided the following updates on relevant regulations
worldwide:
• The Allahabad Bank, a leading public-sector bank in Kolkata, India, issued a request for proposal (RFP) for an IT audit firm to conduct a comprehensive information systems audit of its IT infrastructure and to make recommendations. Two of ISACA's globally recognized certifications, Certified Information Systems Auditor™ (CISA®) and Certified in the Governance of Enterprise IT® (CGEIT®), were specified as eligibility criteria for bidders. It was also required that at least one of the two lead auditors be CISA-certified.
• In Costa Rica, the Superintendencia General de Entidades Financieras (SUGEF), the country's financial regulator, required that COBIT's 34 processes be implemented within the local financial institutions and that all evaluations be done by a CISA.
• In Costa Rica, the ISACA chapter has been working with the Technical Secretariat for Digital Government on an agreement to support it in strategic planning for its portfolio initiatives, to support the implementation of IT governance among participant institutions and to identify the need for training in ISACA tools and frameworks.
• The Indian Navy, a branch of the armed forces of India, issued a tender offer for vulnerability assessment and penetration testing. Bidders must have a pool of professionals with international accreditation, including CISA and CGEIT.
• The State of West Virginia Office of Information Security and Controls (USA) is using the five Certified in Risk and Information Systems Control™ (CRISC™) domains and task statements to develop a checklist for use in risk assessments for Health Insurance Portability and Accountability Act (HIPAA) compliance. The task statements will be mapped to National Institute of Standards and Technology (NIST) standards. This checklist will be used by the West Virginia state government and its business associates who are handling protected health information (PHI) collected by the state.
Virtual Seminar and Tradeshow Will Address
Enterprise Risk
The speakers at ISACA’s upcoming Virtual Seminar and Tradeshow, “Managing IT Enterprise
Risk,” will take a practical approach toward risk by examining three perspectives. First, they
will look at the enterprise to determine how best to manage security risks within and, perhaps
more important, outside the enterprise. Next, they will consider how to assess risk and the
unique problems inherent with the human factor. Finally, they will discuss the strategic issues
associated with risk and the balance between meeting business goals and minimizing potential
loss and unintended consequences.
Join us Tuesday, 19 October 2010, for this online, all-day event, to participate in live
educational sessions presented by knowledgeable presenters, to ask questions and have
conversations with speakers and sponsors, and to connect one-on-one with other ISACA®
members and staff.
Between educational sessions, you will be free to visit exhibitor booths and interact with
sponsors and ISACA staff in the exhibit hall. The networking lounge, in which ISACA members
can connect and discuss the event topic, will be open throughout the event. A resource center,
complete with additional information and materials including white papers and ISACA® Journal
articles, will also be available.
Visit the Virtual Seminar & Tradeshows page of the ISACA web site to learn more about
and to register for the event.
Book Review: Outsourcing IT: A Governance Guide
Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA
Outsourcing IT: A Governance Guide, by Rupert Kendrick, is useful as a reference or how-to book. IT is an enabler and a medium of interaction, and it provides the tools and technology for business, industry and governance. Modern business and industry are highly technology-intensive and IT-dependent. Given this situation, IT departments in all organizations are under increasing pressure to meet the work requirements, deadlines and demands of their various stakeholders: shareholders, directors, owners, business associates, government, customers, end users and the public at large.
Increasing competition, cost pressures, technology changes, customer requirements, legislative changes and growing risks mean that businesses have to operate within thin margins, work under intense time and resource constraints, and deliver quality and value at all times. In such a situation, IT services can be outsourced only if the outsourcing providers are agile, deliver the required quality, assure safety and integrity, and are cost-competitive.
There is a growing trend of outsourcing IT, whether as part of business process outsourcing,
near-shoring or far-shoring. Outsourcing IT provides a board-level view of the criteria and
governing principles in an IT outsourcing environment. It also provides an executive-level road
map and guidance on useful strategies, processes and procedures for implementation of
outsourcing IT. The book offers insight into the governance structure and provides
methodologies, tools and techniques for this type of outsourcing.
Outsourcing IT is useful primarily for organizations' boards, key managerial personnel and IT department staff. It provides a good understanding of the governance issues in outsourcing IT for anyone interested or engaged in using computers, from IT professionals and auditors to ordinary employees and end users. Although the book focuses on the private sector, it is not industry-specific and addresses all areas of business and industry.
The author refers to relevant legislation that supports the text. While lacking tables and
illustrations, the book does provide strong resources and references.
Outsourcing IT: A Governance Guide is available from the ISACA Bookstore. For
information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal,
visit the ISACA Bookstore or e-mail bookstore@isaca.org.
Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA, is an expert in software valuation, IS
security and IS audit.
©2010 ISACA. All rights reserved.