How CRISC And Ongoing Education Will Benefit Your Risk Management Career

I decided to pursue an ISACA membership and Certified in Risk and Information Systems Control (CRISC) certification because of ISACA’s reputation for offering industry-recognized and globally accepted professional certifications for more than four decades.

Based on my professional background and industry experience, I specifically chose to pursue the CRISC certification for two main reasons. The first reason is due to the extensive coverage of the concepts and principles described in the CRISC body of knowledge for effectively designing, developing, implementing and maintaining risk management processes across the organization in an effort to substantially contribute toward achieving business objectives. Second, and most important, the CRISC certification is completely vendor-neutral.

To all of those with the aspirations of joining the prestigious profession of business and technology risk management—and those who are already working in the profession—I strongly recommend the following steps:

  • Pursue CRISC certification, because CRISC is by far one of the most relevant, recognized and respected credentials for you to pursue in your career in the business and technology risk management industry.
  • Gain a thorough familiarity with a wide variety of risk management publications (e.g., The Risk IT Framework, The Risk IT Practitioner Guide, the COBIT framework, and the ISO 31000 International Risk Management Standard) to better understand the concepts and principles used in effectively managing business and technology risks across the organization.
  • Join a graduate recruitment program that focuses on risk management-related functions/roles.
  • Keep your CRISC certification current by enjoying the convenience of online opportunities provided by ISACA to earn continuing professional education (CPE) credits. During the past few years, ISACA has been very active in devising new and convenient options to assist its certified members in accumulating CPE credits.

Regardless of the industry you are working in, the risk and compliance management function/role is and most likely will continue to be a reasonably fun, challenging and exciting area in which to work. It truly feels great to discover that you and your team have assisted your organization in managing organizational IT and business risks in an effective manner and have brought it one step closer to achieving its business objectives.

As I’m sure you do, I have a busy and hectic lifestyle, but I have personally adopted most of the above-mentioned recommendations and I have greatly benefited from them. I am sure you will too!

Raees Khan, CRISC
Manager at Strategic Project, Pricestern

[ISACA]

ISACA International President: Transforming Cybersecurity—CSX 2015

When I was installed as ISACA’s international president, I made three promises. I said we’d continue to effectively serve our members who work in audit and assurance, we would drive adoption and use of COBIT 5, and we would make cybersecurity a top focus. Cybersecurity has climbed its way to the top of many of our priority lists. And we at ISACA have listened. To best serve our members and the profession, we are committed to doing for cybersecurity what we have done—and continue to do—for assurance and governance.

This is a pivotal moment—an exciting time in our industry. The tremendous global impact that cybersecurity issues and threats are having is creating many new challenges and opportunities for all of us. These challenges and opportunities bring with them an urgent need for skilled professionals who can protect and defend enterprises worldwide. Experienced security professionals are key to the success of fighting against cyberadversaries. We learned a lot about that from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)², and ISSA, who met at our North America ISRM conference in November. They discussed what organizations need from cybersecurity professionals and how to develop candidates to effectively fulfill these roles. As panel members pointed out, we are in an era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole society to work together and get things done effectively.

As cybersecurity challenges and opportunities are transforming the way in which we all live and work, ISACA is also expanding to better serve you. We want to help you protect what you have built. We will do that by providing the education, guidance and solutions you are seeking—and by helping you develop your teams with the right people and the right skills.

In April, ISACA launched Cybersecurity Nexus (CSX). Through CSX, we are connecting enterprises and skilled professionals to help close the dramatic skills gap.

Now, as part of that mission, we are announcing CSX 2015 North America—a brand-new conference experience. It will deliver the risk management guidance that so many of you find valuable at ISRM, but it will also dive deeper than ever into the cybersecurity approaches and solutions that are demanded by professionals and organizations around the world.

Cybersecurity is everyone’s responsibility, and ISACA takes this responsibility very seriously. We developed CSX for you, and we will deliver it with you, to best serve you and your industries. We will give you the tools, credentials, community and education you need to meet cybersecurity challenges head on. CSX 2015 is one way we will accomplish that.

This brand-new conference features more than 70 cybersecurity sessions tailored to different levels of expertise. Attendees will explore cybersecurity trends and threats, exchange ideas and innovations, and learn how to excel at protecting and defending against cyber threats and attacks. From start to finish, CSX 2015 will focus on real-world solutions explained step by step by recognized industry leaders.

Be sure to mark your calendars now for CSX North America 2015 in Washington DC. I promise you—this is an event you won’t want to miss! North America is just the first step. We’ll be introducing CSX events throughout the world in 2016 and 2017.

Cybersecurity challenges will continue to advance and grow. Rest assured that ISACA will be there for you every step of the way.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[ISACA]

Does Your Organization’s ERM Software Have All Crucial Specifications?

Accomplishing a secure business environment—meaning a work culture backing proactive risk management and accurate risk decision making—is the stepping stone toward reaching the risk management goals of an organization. To achieve it, you need an efficient enterprise risk management (ERM) software system, which looks into your business intricacies.

There are many ERM software products available in the market, but you need to pick out the one solution that facilitates the ERM requirements of your enterprise. The ERM software you choose should enable you to convert risk intelligence to support the development of your decisions.

Here are the crucial features you should be looking for in your ERM software:

Absolute integration
Risk management architecture plays a major role in integration. There is plenty of data pertaining to risk identification, assessment and management, documentation, operations and execution, testing, audit management, report generation, controls and solutions, and IT support. They have to be synchronized under one platform. An application that provides a central source for risk documentation, which includes risks, processes, entities, controls, tests and results, is ideal for a well-coordinated work setting. Boards and management largely rely on these reports to make business decisions. Only an integrated ERM platform can provide accurate data to support decision-making practices.

Software that embraces plan and strategy
Adopt an ERM tool that is designed to embrace business goals and objectives, regulatory norms, workflow, specific industry functions, and the best practices of your organization. The design should be equipped with automated monitoring and compliance report generation, as you need to be prompt in identifying, analysing and responding to risks.

Event tracking and point of origination
Event tracking wins a significant brownie point for ERM applications. You can use loss event tracking to track loss incidents and near misses, record amounts, and identify root causes and ownership. It helps in validating the risk profiles of business units.

An ERM platform should be capable of taking you through the event sequences and timeframes, and should independently detect the source of risk origination. It should be programmed to expose the vulnerable areas of an organization and pinpoint risk triggers and catalysts. That enables you to carry out risk mitigation treatments with a definitive approach.

Scenario analysis
ERM software should be programmed to examine the business environment, from eminent past events to changes in the current market, for an extensive record of scenario analysis. Impending risks based on real-time events should be charted for analysis and mitigated.

Loss prediction
The platform should empower you with information on expected future losses for individuals, each business unit, a group of entities, as well as the entire organization.

Risk and control self-assessment
The ERM platform should enable all business units to participate in risk and control self-assessment processes. A comprehensive operational risk profile of the enterprise can be derived using this approach. Identifying and evaluating risks and assessing the controls are important for risk management. The solutions should follow up on control measures and evaluate their success or failure rate. Thus, a risk and control self-assessment feature helps you enhance the control environment.

Risk library
Having a risk library facilitates future efforts for risk identification.

Key risk indicators (KRIs)
Your ERM application should have the ability to set KRIs taking into account the risk appetite and risk threshold of the enterprise.

Flexible configuration
Risk landscapes are changing constantly. New risks are emerging out of the latest tools and technology used by enterprises. This means there will be fluctuations in risk profiles, risk appetite, KRIs and other disciplines. A flexible ERM solution is indispensable in the current business scenario. Moreover, the deluge of more and more regulatory reforms and policies can also be incorporated if the software solution is built with a flexible approach.

Purchasing the most expensive or the best brand’s ERM software solution may not help your risk management objectives. Look at features in detail and check how they fit with your risk management framework and assessment techniques.

Mohammed Nasser Barakat
Partner at CAREWeb and BRS Service Line Leader for the ME region

[ISACA]

Cybersecurity Jobs are in High Demand; Got what it Takes?

With security attacks dominating news headlines, it’s no secret that global cybersecurity professionals are in high demand. According to the (ISC)² 2013 Global Information Security Workforce Study, two out of three C-level respondents reported security staff shortages. The lack of skilled and qualified information security professionals is having a negative economic impact, with 56% of respondents saying the staffing shortage is causing a huge impact on their organizations.

The call to action is clear: We need a global call to arms within academia to develop enough talent to fulfill this critical industry need. I’ve certainly heard the call loud and clear at the (ISC)² Foundation. In fact, this is one of the key reasons that we developed the Information Security Scholarship program, and also why we continue to look for partner organizations to help fund additional scholarship programs. We are making a direct impact on the global staffing crisis in information security by bringing more people into the information security field.

A multitude of Information Security Scholarships are offered year-round through the (ISC)² Foundation. In fact, the application period for our Undergraduate and Graduate Scholarships just opened. Students can apply for an Undergraduate or Graduate Scholarship now through June 17, 2015. Our Women’s Scholarship and Faculty Exam Voucher application periods are open through March 31, 2015.

I’m honored to have the privilege of offering students an opportunity to afford an education through the (ISC)² Foundation. They will go on to join a global workforce that desperately needs top talent to protect our most critical information, systems and networks. Here’s what some of our previous recipients had to say about how receiving a scholarship from the Foundation positively influenced their education and ultimately, their lives:

Anna Truss, Turkmenistan (Graduate Scholarship recipient)

“I’ve been through a lot of challenges throughout my life to get to where I am now, and getting this scholarship will definitely help me achieve my goals in life. One of my many goals is to receive a Master of Science degree in cybersecurity. This scholarship, for me, is not the end, but rather the beginning of a brighter future.”

Dulce Gonzalez, Mexico (Undergraduate Scholarship recipient)

“This scholarship is a wonderful reminder to me that good things do happen to good people. This scholarship is a reminder of the endless possibilities out there for me. Being a first generation college student has been a struggle but now I am more motivated than ever to follow my dreams and conquer my goals.”

These and so many other students are provided with an opportunity to go to college because of generous donations from the public and partner organizations. If you would like to make a personal contribution to help students like Anna and Dulce, you can make a tax-deductible (for those in the U.S.) donation at: https://donatenow.networkforgood.org/isc2cares.

So the question is, do you have what it takes to become an information security professional? Or do you know someone who is trying to earn a degree in this growing field, but cannot afford it? Please help us spread the word of this enriching program to help students realize their dream of a college education. The protection of the future cyber world is counting on it.

-Julie Peeler, Director, (ISC)² Foundation

[(ISC)² Blog]
