© 2007 ISACA ® All Rights Reserved DAMA-NCR Chapter Meeting March 11, 2008.

Presentation transcript:

Recognized Global Leaders in IT Governance, Control, Security and Assurance
– International: founded in 1969 as the EDP Auditors Association
– More than 65,000 members in over 140 countries
– More than 170 chapters in over 70 countries worldwide
– Expanding focus to include Risk Management
– One of three leading international security associations that formed the Alliance for Enterprise Security Risk Management (AESRM); the other two associations are ASIS International and the Information Systems Security Association (ISSA)

NCAC
– Founded in
– th Largest Chapter in the World, with more than 2000 members
– Award Winning Chapter Web Site
– Worldwide CISM® Growth Award for 2004 and 2006
– K Wayne Snipes Award for Best Chapter 3 of the last 5 years

Certifications
– Certified Information System Auditor (CISA)
– Certified Information Security Manager (CISM)
– Certified in the Governance of Enterprise IT (CGEIT)

Who is the CISA Certification Intended for: IT audit and assurance services
Assurance that:
– the organization can achieve corporate governance of IT
– systems and infrastructure life cycle management meets the organization’s objectives
– IT service management practices meet the organization’s objectives
– an organization’s security architecture ensures confidentiality, integrity and availability of information assets
– disaster recovery and business continuity plans will ensure timely resumption of IT services while minimizing the business impact

CISA Certification Current Facts:
– More than 50,000 CISAs worldwide
– Exam offered in 11 languages, in 220+ locations
– June 2007: over 15,000 individuals registered for the exam

A current profile of CISAs demonstrates the increasing managerial influence and authority achieved by CISAs within their organizations:
– More than 1,000 CISAs are now employed in organizations as the chief executive officer, chief financial officer or an equivalent executive position.
– More than 2,300 serve as chief audit executives, audit partners or audit heads.
– More than 2,700 serve as chief information officers, chief information security officers, security directors, security managers or consultants.
– More than 4,000 serve as audit directors, managers or consultants.
– Nearly 8,000 additional CISAs are currently employed in managerial or consulting positions in IT operations or compliance.

CISM Certification
Intended for individuals who design, implement and manage an enterprise’s information security program:
– Security managers
– Security directors
– Security officers
– Security consultants

A profile of CISMs at the end of 2005 demonstrates the increasing managerial influence and authority achieved by CISMs:

Certified in the Governance of Enterprise IT
The CGEIT certification
– recognizes a wide range of professionals for their knowledge and application of IT governance principles and practices.
– is designed for professionals who have management, advisory, and/or assurance responsibilities relating to the governance of IT.

Membership Benefits
– Information Systems Control Journal /journal
– JournalOnline articles /jonline
– Discounts on ISACA conferences /conferences
– Global Communiqué online /globalcommunique

Membership Benefits
– Standards, Guidelines & Procedures
– Career Centre
– K-NET (over 5,200 links)
– Discounts on CISA®, CISM® & CGEIT™ exams & materials

Membership Benefits
– Research publication downloads /research
– Discounts on IT Governance Institute (ITGI) research publications
– Discounted registration fee for Protiviti’s KnowledgeLeader site
– Audit programs & Internal Control Questionnaires /auditprograms /icq
– Peer-reviewed bookstore /bookstore

The Liaison to Professional Organizations Committee goal is to partner with other organizations in the greater Washington DC area to provide networking opportunities. Examples of networking opportunities are joint special seminars, meetings, publications, social events, workshops, electronic forums and certification training sessions.
Member benefits for all include:
– Opportunity to attend alternate training and networking events
– Meet professionals from other disciplines, providing different perspectives
– Leveraging resources to provide extended member benefits (job fairs, roundtables, etc.)
– Knowledge sharing


“Process of risk management is an ongoing iterative process, repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected. Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm.” (1)

Control Objectives for Information and related Technology (CoBIT)
– “Increasingly internationally accepted set of guidance materials for IT governance”
– First organization to provide guidance for Sarbanes-Oxley Controls

CoBIT Contents
Process Controls
– PC Process Controls
Plan and Organise
– PO1 Define a Strategic IT Plan
– PO2 Define the Information Architecture
– PO3 Determine Technological Direction
– PO4 Define the IT Processes, Organisation and Relationships
– PO5 Manage the IT Investment
– PO6 Communicate Management Aims and Direction
– PO7 Manage IT Human Resources
– PO8 Manage Quality
– PO9 Assess and Manage IT Risks
– PO10 Manage Projects

CoBIT Contents
Acquire and Implement
– AI1 Identify Automated Solutions
– AI2 Acquire and Maintain Application Software
– AI3 Acquire and Maintain Technology Infrastructure
– AI4 Enable Operation and Use
– AI5 Procure IT Resources
– AI6 Manage Changes
– AI7 Install and Accredit Solutions and Changes

CoBIT Contents
Deliver and Support
– DS1 Define and Manage Service Levels
– DS2 Manage Third-party Services
– DS3 Manage Performance and Capacity
– DS4 Ensure Continuous Service
– DS5 Ensure Systems Security
– DS6 Identify and Allocate Costs
– DS7 Educate and Train Users
– DS8 Manage Service Desk and Incidents
– DS9 Manage the Configuration
– DS10 Manage Problems
– DS11 Manage Data
– DS12 Manage the Physical Environment
– DS13 Manage Operations

CoBIT Contents
Monitor and Evaluate
– ME1 Monitor and Evaluate IT Performance
– ME2 Monitor and Evaluate Internal Control
– ME3 Ensure Compliance With External Requirements
– ME4 Provide IT Governance
Application Controls
– AC Application Controls

Mapping of CoBIT to Other Guidance and Best Practices (Partial Listing)
– Aligning COBIT, ITIL and ISO for Business Benefit
– COBIT Mapping: Mapping ISO/IEC :2000 With COBIT, 2nd Edition
– COBIT Mapping: Mapping ISO/IEC 17799:2005 With COBIT 4.0
– Critical Elements of Information Security Program Success
– Customer Relationship Management
– e-Commerce Security: Securing the Network Perimeter
– Electronic and Digital Signatures: A Global Status Report
– Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition
– Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition (Japanese Supplement)

Contact Information
Linda Kostic, CPA, CISA, CISSP
Past President, National Capital Area Chapter, ISACA
Website: