Volume 19, 15 September 2010 In This Issue: Nominations Are Open! 10 Tips to Managing Privacy Support Cyber Security Awareness Month AICPA/CICA Releases Exposure of Privacy Maturity Model for Comment CRISC Domains, COBIT Processes and ISACA Certifications Established Worldwide Virtual Seminar and Tradeshow Will Address Enterprise Risk Book Review: Outsourcing IT: A Governance Guide Nominations Are Open! Nominations for the ISACA® Board of Directors for the 2011-2012 term are now open. Members may submit nominations for themselves or for others (or both). Read More 10 Tips to Managing Privacy By Victor Chapela Managing privacy is managing trust. The following are important to keep in mind when working toward managing privacy: 1. To correctly manage privacy, you need to recognize each person as the owner of his/her personal data. Therefore, you need to communicate to and ask permission from each individual data owner before using his/her data. Read More Support Cyber Security Awareness Month Held each October since 2001, National Cyber Security Awareness Month (NCSAM) is an annual US public awareness campaign that encourages knowledgeable IT professionals to reach out to their communities and teach them how to be safe and secure online. As an official endorser of this program, ISACA® is urging its US-based members to support this effort within their own communities. Read More AICPA/CICA Releases Exposure of Privacy Maturity Model for Comment The Joint Privacy Task Force of the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) has released an exposure of the newly developed Privacy Maturity Model (PMM) and is inviting comments on the model. Read More CRISC Domains, COBIT Processes and ISACA Certifications Established Worldwide The Government and Regulatory Agencies (GRA) subcommittees (ISACA® has one for each of its five regions worldwide) have provided the following updates on relevant regulations worldwide: The Allahabad Bank, a leading public-sector bank in Kolkata, India, issued a request for proposal (RFP) for an IT audit firm to conduct a comprehensive information systems audit of its IT infrastructure and to make recommendations. Certified Information Systems Auditor™ (CISA®) and Certified in the Governance of Enterprise IT® (CGEIT®) were specified as eligibility criteria for bidders…. Read More Virtual Seminar and Tradeshow Will Address Enterprise Risk The speakers at ISACA’s upcoming Virtual Seminar and Tradeshow, “Managing IT Enterprise Risk,” will take a practical approach toward risk by examining three perspectives. Join us Tuesday, 19 October 2010, for this online, all-day event, to participate in live educational sessions presented by knowledgeable presenters, to ask questions and have conversations with speakers and sponsors, and to connect one-on-one with other ISACA® members and staff. Read More Book Review: Outsourcing IT: A Governance Guide Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA Outsourcing IT: A Governance Guide, by Rupert Kendrick, is useful as a reference or howto book. It provides a board-level view of the criteria and governing principles in an IT outsourcing environment. It also provides an executive-level road map and guidance on useful strategies, processes and procedures for implementation of outsourcing IT. Read More Nominations Are Open! Nominations for the ISACA® Board of Directors for the 2011-2012 term are now open. Visit the Volunteering page of the ISACA web site for information about serving on the board, the attributes for office (both international president and vice president) and the nomination form. Members may submit nominations for themselves or for others (or both). All nominations will be acknowledged and all candidates will be required to complete a candidate profile form that serves to confirm the candidate’s willingness to serve if selected and provides the Nominating Committee information on which to evaluate the candidate. Information on candidates will be gathered in other ways as well, including review of public web sites (e.g., Google, Facebook, LinkedIn) and interviews with the candidates. Nominations for the Board of Directors close on 7 January 2011. 10 Tips to Managing Privacy By Victor Chapela Managing privacy is managing trust. The following are important to keep in mind when working toward managing privacy: 1. To correctly manage privacy, you need to recognize each person as the owner of his/her personal data. Therefore, you need to communicate to and ask permission from each individual data owner before using his/her data. 2. Each person should be able to determine and limit the storage, processing and usage of data in which he/she is personally identifiable. 3. Different countries have different approaches to enforcing privacy. But, in most cases, sensitive information is defined as that which may be used for discrimination. Examples of this are racial or ethnic origin; health records; religious, philosophical or moral beliefs; political affiliation; and sexual preferences. 4. Intimacy data, such as the examples just mentioned, are, in general, well regulated. However, identity data are not as closely guarded by regulation and may have similar or even greater risk for companies and individuals alike. Identity data include governmentissued identification numbers, logins and passwords, and credit and debit card numbers. 5. Identity data are highly valued and actively sought by organized crime to commit fraud. This type of data should be classified based on the threat level (i.e., the value of the data for criminals or competition) and not based on the internal value of the information (which could be, in some cases, almost zero). 6. By managing data privacy correctly, information security requirements may also be solved. Both security and privacy can be better handled by classifying and managing data based on risk levels. 7. Classification should take into account two very different aspects: a privacy impact analysis (compliance with applicable laws and regulations) and a data threat analysis (determining risk levels based on the data’s external value). 8. For each risk classification level, the full data life cycle must be analyzed from reception or generation of the data through the destruction process. A privacy policy and standards for each data risk level’s life cycle must be defined based on the analysis. 9. Legal, organizational and technical controls must be considered for each classification level and then implemented based on information assets and groups. 10. Privacy is not only about compliance. Through privacy, you guarantee each person’s rights and, by doing so, you increase your stakeholder’s trust. Victor Chapela is founder and chief executive officer of Sm4rt Security Services. He is coauthoring a book on the evolution of risk and is a frequent speaker at conferences around the world. Support Cyber Security Awareness Month Held each October since 2001, National Cyber Security Awareness Month (NCSAM) is an annual US public awareness campaign that encourages knowledgeable IT professionals to reach out to their communities and teach them how to be safe and secure online. This event, made possible through the collaboration of the US Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), chooses the month of October to shed a brighter light on what home users, schools, businesses and governments need to do to better protect their computers, children and data from the hazards of online activities. As an official endorser of this program, ISACA® is urging its US-based members to support this effort within their own communities. Below are a few examples of what can be done to support NCSAM: Volunteer to teach basic cybersecurity practices in your community (e.g., at local schools, PTA meetings, scouting organizations, rotary clubs or other community forums). Write an article about safe online practices for your local newspaper, community web site or company newsletter. Show your support for National Cyber Security Awareness Month by displaying NCSAM banners on your personal web site in October. Encourage your employer to do the same. Download free security white papers from ISACA and share them with your employer and colleagues. Visit StaySafeOnline.org for more information regarding the program, suggested support activities and support materials. Note that in addition to providing a valuable service to your community, those holding any ISACA certification can earn valuable continuing professional education (CPE) hours1 by giving presentations and publishing articles that promote safe online practices. 1 To earn CPE, certification holders should ensure that they have third-party verification (by chapter leadership or the organization that hosted the presentation) that the presentation was conducted. AICPA/CICA Releases Exposure of Privacy Maturity Model for Comment The Joint Privacy Task Force of the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) has released an exposure of the newly developed Privacy Maturity Model (PMM) and is inviting comments on the model. The PMM, based on Generally Accepted Privacy Principles (GAPP), outlines the expectations on each of the six levels of maturity in the Capability Maturity Model to the criteria in GAPP. Comments from ISACA® members are encouraged and welcome. To be considered, all comments must be submitted by 1 October 2010. Visit the AICPA web site for a complimentary PDF version of the privacy model and instructions on how to comment. CRISC Domains, COBIT Processes and ISACA Certifications Established Worldwide The government and regulatory agencies (GRA) subcommittees (ISACA® has one for each of its five regions worldwide) have provided the following updates on relevant regulations worldwide: The Allahabad Bank, a leading public-sector bank in Kolkata, India, issued a request for proposal (RFP) for an IT audit firm to conduct a comprehensive information systems audit of its IT infrastructure and to make recommendations. Two of ISACA’s globally recognized certifications—Certified Information Systems Auditor™ (CISA®) and Certified in the Governance of Enterprise IT® (CGEIT®)—were specified as eligibility criteria for bidders. It was also required that at least one of the two lead auditors be CISA-certified. In Costa Rica, the Superintendencia General de Entidades Financieras (SUGEF), the country’s financial regulator, required that COBIT’s 34 processes be implemented within the local financial institutions and that all evaluations be done by a CISA. In Costa Rica, the ISACA chapter has been working with the Technical Secretariat for Digital Government on an agreement to support it in strategic planning for its portfolio initiatives, to support the implementation of IT governance among participant institutions and to identify the need for training in ISACA tools and frameworks. The Indian Navy, a branch of the armed forces of India, issued a tender offer for vulnerability assessment and penetration testing. Bidders must have a pool of professionals with international accreditation, including CISA and CGEIT. The State of West Virginia Office of Information Security and Controls (USA) is using the five Certified in Risk and Information Systems Control™ (CRISC™) domains and task statements to develop a checklist for use in risk assessments for Health Insurance Portability and Accountability Act (HIPAA) compliance. The task statements will be mapped to National Institute of Standards and Technology (NIST) standards. This checklist will be used by the West Virginia state government and its business associates who are handling protected health information (PHI) collected by the state. Virtual Seminar and Tradeshow Will Address Enterprise Risk The speakers at ISACA’s upcoming Virtual Seminar and Tradeshow, “Managing IT Enterprise Risk,” will take a practical approach toward risk by examining three perspectives. First, they will look at the enterprise to determine how best to manage security risks within and, perhaps more important, outside the enterprise. Next, they will consider how to assess risk and the unique problems inherent with the human factor. Finally, they will discuss the strategic issues associated with risk and the balance between meeting business goals and minimizing potential loss and unintended consequences. Join us Tuesday, 19 October 2010, for this online, all-day event, to participate in live educational sessions presented by knowledgeable presenters, to ask questions and have conversations with speakers and sponsors, and to connect one-on-one with other ISACA® members and staff. Between educational sessions, you will be free to visit exhibitor booths and interact with sponsors and ISACA staff in the exhibit hall. The networking lounge, in which ISACA members can connect and discuss the event topic, will be open throughout the event. A resource center, complete with additional information and materials including white papers and ISACA® Journal articles, will also be available. Visit the Virtual Seminar & Tradeshows page of the ISACA web site to learn more about and to register for the event. Book Review: Outsourcing IT: A Governance Guide Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA Outsourcing IT: A Governance Guide, by Rupert Kendrick, is useful as a reference or how-to book. IT is an enabler, a medium of interaction, and provides the tools and technology for business, industry, and governance. Modern business and industry is highly technology intensive and IT-dependent. Given this situation, IT departments in all organizations are under increasing pressure to meet work requirements, deadlines and demands of the various stakeholders—shareholders, directors, owners, business associates, government, customers, end users and the public at large. Increasing competition, cost pressures, technology changes, customer requirements, legislative changes and growing risks mean that businesses have to operate within thin margins, work under intense time and resource constraints, and deliver quality and value at all times. In such a situation, IT services can be outsourced only if these sources and service providers are agile, give the required quality, assure safety and integrity, and are competitive with regard to costs. There is a growing trend of outsourcing IT, whether as part of business process outsourcing, near-shoring or far-shoring. Outsourcing IT provides a board-level view of the criteria and governing principles in an IT outsourcing environment. It also provides an executive-level road map and guidance on useful strategies, processes and procedures for implementation of outsourcing IT. The book offers insight into the governance structure and provides methodologies, tools and techniques for this type of outsourcing. Outsourcing IT is useful, primarily for organizations’ boards, key managerial personnel and IT department staff. It provides a good understanding of governance issues in outsourcing IT for anyone interested or engaged in using computers, ranging from IT professionals and auditors to common employees and end users. Although this book focuses on the private sector, it is not industry-specific and addresses all areas of business and industry. The author refers to relevant legislation that supports the text. While lacking tables and illustrations, the book does provide strong resources and references. Outsourcing IT: A Governance Guide is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore or e-mail bookstore@isaca.org. Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA, is an expert in software valuation, IS security and IS audit. ©2010 ISACA. All rights reserved.