
3 February 2010

In This Issue:
• The “Plaid-ing” of Business and IT
• ISACA Announces New CRISC Certification
• Conference to Offer Real-life, Hands-on Content
• Six Tips for Incident Response
• Volunteer Opportunities Closing Soon
• Global Industry Leaders to Share IT Audit Solutions

The “Plaid-ing” of Business and IT
Emil D’Angelo, CISA, CISM, 2009-2010 ISACA International President
My daughter recently showed me a new clothing purchase and told me that “plaid is the
new black.” When I looked blankly at her, she further explained that her phrase means
that plaid—which has become the general term for cloth with crisscrossed lines of
different colors—is now “cool” and has become a staple in her wardrobe.

Looking at her purchase made me think of how business objectives and IT objectives in
the past often operated as parallel lines. IT was often considered as an afterthought and
as separate from business strategy. Over the last years, though, this has changed
dramatically. Business and IT objectives are now more like plaid—with many
intersections and reliance on each other for the complete picture.

The material for plaid can be used anywhere that cloth is needed, just as the COBIT®, Val
IT™: Based on COBIT® and Risk IT: Based on COBIT® frameworks can be customized for
any enterprise, regardless of size, industry, geographic location or other factors. ISACA
has long been a leader in this area, especially starting with the introduction of COBIT
nearly 15 years ago.

As we continually revise and update all three frameworks, I would like to send a sincere
thank you to the thousands of professionals around the world who have contributed to
these frameworks and all of their related materials. I may never understand the inner
workings of fashion, but I do know that ISACA knows how to keep up with—and more
often be a leader in—the “plaid-ing” of business and IT.

ISACA Announces New CRISC Certification


ISACA will be offering a new risk-related certification in April 2010. The Certified in Risk
and Information Systems Control™ (CRISC™) designation is designed for IT
professionals who identify and manage risks through the development, implementation
and maintenance of appropriate information systems (IS) controls to help enterprises
accomplish business objectives, such as effective and efficient operations, reliable
financial reporting, and compliance with relevant regulatory and legislative
requirements.

The CRISC (pronounced see-risk) certification focuses on:


• Risk identification, assessment and evaluation
• Risk response
• Risk monitoring
• IS control design and implementation
• IS control monitoring and maintenance

The new credential complements ISACA’s existing certifications:


• While CISA is designed for IT professionals who perform independent reviews of
control design and operational effectiveness, CRISC is for IT and business
professionals who design, implement and maintain IS controls.
• While CISM is for individuals who manage, design, oversee and/or assess an
enterprise’s information security, including the identification and management of
information security risks, CRISC is for IT professionals whose roles also
encompass operational and compliance considerations.
• While CGEIT is for IT and business professionals who have a significant
management, advisory or assurance role relating to the governance of IT, including
risk management, CRISC is for the IT and business professionals who are engaged
at an operational level to mitigate risk.

A grandfathering program, through which experienced professionals can obtain the
certification without taking the exam, will open in April. The first CRISC exam will be
held in 2011.


Conference to Offer Real-life, Hands-on Content


North America CACS • Chicago, Illinois, USA • 18-22 April 2010
Jeff Krull, CISA, CPA, North America CACS program selection committee chair and
senior manager with PricewaterhouseCoopers, offers his thoughts on this year’s
conference.

Q: What industry trend(s) will be addressed at the conference?

A: The North America Computer Audit, Control and Security (CACS℠) conference is a
unique conference in that the size and attendance levels allow it to cover core topics
that would be of interest to newer professionals, emerging topics that those in the
middle of their career would find valuable and interesting, and more executive topics,
such as governance, that senior management and executives would find useful. This
year, we have sessions covering everything from auditing databases to enterprise
resource planning (ERP) security to fraud and governance.

Q: Will any new sessions or products be introduced at the conference?

A: The selection committee is always looking for topics that would be interesting and
new. In addition to the audit tracks (which remain the same), many of this year’s track
themes have been revised. Two new tracks have been developed:
• Track 3, Techniques for Evaluating Business Practices and for Evaluating
Professional Development, will guide the IT auditor to translate IT risk and issues
into overall business risk and exposures that the organization’s management and
audit committees can understand and address.
• Track 4, Emerging Issues and ISACA Research, will explore the concepts and
terminology of emerging issues related to IT governance, IT frameworks and IT risk
management. Sessions include discussions of ISACA’s new models and
frameworks, such as the Business Model for Information Security (BMIS) and Risk
IT: Based on COBIT®. Each session in this track combines practical business
knowledge, using examples and cases to illustrate best practices for today’s IT
assurance professional.

Q: What is an example of practical content available at the conference that attendees
will be able to implement when they get back to the office?

A: Based on the feedback we have received in prior years, we are really striving this
year to include more case studies and real-life examples in the sessions. Presenters
have been requested to provide sessions that are practical and interactive. There are
many interactive panel discussions and case studies.

The IT Audit Core Competencies track will provide participants real and hands-on ways
to audit different technologies and platforms, including Active Directory, UNIX, and
Linux. Through the other tracks, we cover topics such as auditing SAP and Oracle.

Q: Is there any notable topic of industry or regional significance that might come up
during the conference?

A: Some sessions will focus on the hot topics of the health care industry and related
privacy issues as well as social media privacy concerns.

Q: Tell us about the keynote speaker?

A: This year’s keynote speaker, Cynthia Cooper, is well known for unraveling the fraud
at WorldCom in 2002, one of the largest corporate frauds in history. She is an
internationally recognized speaker on ethical leadership, the current economic crises
and recent scandals. One of Time Magazine’s 2002 Persons of the Year, she is also a
recipient, along with US Senator Sarbanes and Representative Oxley, of the Maria &
Sidney E. Rolfe Award for contributions to educating the public about economics,
business and finance. She was inducted into the AICPA Hall of Fame in 2004 and is the
first woman to receive this distinction. We are looking forward to her unique
presentation, titled Ethical Leadership in the 21st Century.


Six Tips for Incident Response


By Leighton Johnson, CISA, CISM, CISSP, CIFI
1. Be prepared for incident response. You must have tools, techniques, team
members and training all completed before you respond to the computer incident.
Also, corporate policies, procedures and guidelines for response need to be in
place.

2. Properly identify the incident. Is the event simply an unusual activity, or can you
identify it as suspicious? If so, what are the surrounding activities? Are there
multiple reports of issues on the network, or is it confined to one machine or
location? Some of the areas to check include suspicious entries in system or
network accounting, unexplained new user accounts and unexplained new files.

3. Contain the incident and its effects. Change passwords for elevated privilege
accounts and review computer trust relationships as fast as possible when an
incident is identified. Protect and, where possible, keep the critical information
resources available to the primary users.

4. Remove the issue as soon as is realistically possible. Make sure your antivirus and
antispyware programs are up to date, and run them. Review the operating system
software and rebuild it where necessary. Remove the infected software using approved
removal tools.

5. Return the infected system to operational use as soon as feasible. Remember
there are two areas of focus for incident response: recovery and, potentially,
prosecution.
6. Follow up with responders for improvements to the process. Check with the
operational staff in areas where data or information was compromised.

Leighton Johnson, CISA, CISM, CISSP, CIFI, is a senior security consultant for the
Information Security & Forensics Management Team.
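The identification checks in tip 2 (unexplained new user accounts, and whether the activity is confined to one machine or reported by several) as an added example, not part of Leighton Johnson’s article: a Python script run over constructed /etc/passwd snapshots and syslog-style sshd lines. The host names, addresses and account names are made up for the example.

```python
"""Identification checks for a suspected incident (tip 2), run offline.

Added example, not from the original article. Inputs are constructed
/etc/passwd snapshots and syslog-style sshd lines embedded below.
"""
import re
from collections import defaultdict

# Constructed baseline captured before the incident, and the current file.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + """\
svc_backup:x:1001:1001::/var/backups:/bin/bash
support:x:0:0::/tmp:/bin/sh
"""

# Constructed sshd events from two hosts in the common syslog layout.
SAMPLE_AUTH_LOG = """\
Feb  3 02:14:07 web01 sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 52210 ssh2
Feb  3 02:14:09 web01 sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 52210 ssh2
Feb  3 02:14:12 web01 sshd[4415]: Failed password for root from 198.51.100.7 port 52231 ssh2
Feb  3 02:16:40 web01 CRON[4420]: (root) CMD (run-parts /etc/cron.hourly)
Feb  3 02:17:03 web01 sshd[4431]: Accepted password for alice from 203.0.113.9 port 50122 ssh2
Feb  3 02:19:55 db01 sshd[2210]: Failed password for root from 198.51.100.7 port 53310 ssh2
"""


def parse_passwd(text):
    """Parse passwd-style text into {name: (uid, gid, home, shell)}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than abort triage
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users


def new_accounts(baseline_text, current_text):
    """Return (accounts added since the baseline, non-root accounts with UID 0).

    A second UID-0 account is a classic backdoor and deserves a look even if
    its name is also in the baseline.
    """
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    added = sorted(set(cur) - set(base))
    uid0 = sorted(n for n, (uid, *_rest) in cur.items() if uid == 0 and n != "root")
    return added, uid0


AUTH_RE = re.compile(
    r"^\S+\s+\d+\s[\d:]+\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)


def login_activity(log_text):
    """Group sshd password events by the reporting host.

    Lines that are not sshd password events (the CRON line above) are ignored.
    """
    per_host = defaultdict(
        lambda: {"failed": 0, "accepted": 0, "sources": set(), "targets": set()}
    )
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        rec = per_host[m["host"]]
        rec["failed" if m["result"] == "Failed" else "accepted"] += 1
        rec["sources"].add(m["src"])
        rec["targets"].add(m["user"])
    return {
        host: {
            "failed": rec["failed"],
            "accepted": rec["accepted"],
            "sources": sorted(rec["sources"]),
            "targets": sorted(rec["targets"]),
        }
        for host, rec in per_host.items()
    }


def shared_sources(activity):
    """Map each source address seen on more than one host to those hosts.

    A source touching several hosts argues against treating the event as a
    single-machine problem when deciding how far containment must reach.
    """
    by_src = defaultdict(set)
    for host, rec in activity.items():
        for src in rec["sources"]:
            by_src[src].add(host)
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    added, uid0 = new_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
    print("new accounts:", added, "| extra UID 0:", uid0)
    activity = login_activity(SAMPLE_AUTH_LOG)
    for host, rec in activity.items():
        print(host, rec)
    print("sources seen on multiple hosts:", shared_sources(activity))
```

On a real host the baseline would come from a known-good backup or configuration-management copy of /etc/passwd, and the auth log from each machine’s syslog; the point of keeping the checks as functions is that the same logic runs unchanged over files collected from many hosts.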

Volunteer Opportunities Closing Soon


Do not miss your chance to volunteer to work with ISACA on one of the
subcommittees, committees or boards during the 2010-2011 term. The Invitation to
Participate will close on 25 February 2010 and ISACA leadership is eager to have
members involved.

Volunteering with ISACA offers many rewards, including networking opportunities and
a chance to learn more about ISACA operations. Furthermore, volunteerism is looked
upon favorably by many employers, as it provides hands-on experience and job-related
skills training for current and future industry leaders, including communication and
interpersonal skills.


Global Industry Leaders to Share IT Audit Solutions


Asia-Pacific CACS • Mumbai, India • 22-23 February 2010
The Asia-Pacific Computer Audit, Control and Security (CACS℠) conference is
returning to Mumbai, India, with a host of industry leaders from around the world as
featured presenters. The ISACA chapters in India are renowned for their active
education calendar. The 2010 Asia-Pacific CACS complements local efforts by bringing
an international perspective on universal issues.

The event offers real-world examples and practical solutions presented in a
collaborative environment where the presenters engage the audience with case studies,
group exercises and open discussions. The presenters are from companies and
organizations recognized around the world as leaders in information technology, audit,
security and governance; companies such as Citigroup, Chevron and eBay.

Attendees will learn about traps IT governance professionals should avoid and how to
make IT audit more relevant for the enterprise. Sessions will discuss auditing wireless
networks as well as preserving digital evidence. Presenters will share their experiences
with service-oriented architecture, cyberwarfare and digital rights management.

The conference hotel is near the airport to avoid the congestion of Mumbai’s financial
district and to make it as easy as possible for those traveling from abroad.

Attend the 2010 Asia-Pacific CACS conference on 21 and 22 February in Mumbai.

©2010 ISACA. All rights reserved.
