Why You Shouldn’t Study for Certification Exams

People often ask me about the best way to prepare for a successful CISA, CISM, CGEIT or CRISC examination. They are usually surprised to hear my advice: Do not study for the exam at all—study for the knowledge!

In my opinion, what sets ISACA’s certifications apart from many other credentials on the market is that ISACA exams actually test your professional experience and not your exam cramming skills. Many exam items are mini scenarios that require you to apply your knowledge to typical issues arising in your daily work. You will hardly find any items that are definitional.

I recommend adapting your studying strategy and following a long-term learning approach. Using this process, try to avoid subjectivity in the sense of the idiosyncrasies of your organisation. Companies, both large and small, tend to become blind to the shortcomings in their methods and processes. And, particularly within SMEs, the number of staff in information security, risk management, IT audit or governance with whom to share insights is often limited.

To avoid these pitfalls, implement some means for acquiring and exchanging knowledge in your professional life. For example:

  • Follow your professional colleagues on social media sites such as Twitter or LinkedIn. Look at who they follow to identify the thought leaders within your domain.
  • Read or contribute articles to blogs and periodicals, e.g. the ISACA Journal or ISACA Now blog.
  • Follow a massive open online course (MOOC). Many universities offer free online courses and classes.
  • Visit professional conferences or seminars as a delegate or speaker. There are events for every budget, and speakers are often invited for free. Use the occasion to network with peers from other organisations or industry sectors.
  • Join or found a professional community. Meet with other colleagues from your region or vertical. This is also a good opportunity to receive hints from successful exam takers or find peers who are also preparing for the exam.
  • Volunteer at ISACA or another association. See who has an active chapter in your geographic area.

In addition to the tips above, regularly review for the exam using ISACA’s study materials, including the review manual and the review questions. Keep in mind that the review manuals do not comprise a complete body of knowledge. Refer to the job practice areas (specifically the task and knowledge statements) that provide the basis for the exam. Identify your weak spots and adapt your focus of studying if necessary.

Once you are well prepared, register for the exam. During the exam, if you are unsure of the right answer, take a business perspective on the question. Ask yourself, ‘If this was my organisation, how would I like the issue to be solved?’

This approach to learning will not only help you to become certified, but will also benefit your professional skills in general. As a side note, it also allows you to easily and almost automatically earn your CPE hours and maintain your certification.

Tim Sattler, CISA, CISM, CGEIT, CRISC, CISSP, CCSK
IT Compliance Manager, Group Information Security Officer at Jungheinrich AG, Germany

[ISACA]

Why Cyber Readiness Activities Are Important

“Paper” knowledge of the core cybersecurity domains, such as that tested by the CISSP and other security certifications, is helpful. But with the rapid change in adversary tactics and new technologies, exercising against that knowledge is critical. We must exercise our skillset to maintain vigilance on our networks day-to-day.

Cyber readiness in both government and industry is critical. Often there are unanticipated vulnerabilities – in our platforms, in our behaviors – that don’t rise to the surface until we exercise and learn about the strengths and gaps in our skillset. You’ve heard it before: What you don’t know, you don’t know. Many agencies have red teams who run such ongoing testing – of systems and of people. Both are important, as either systems or people can be the weakest link when protecting your networks.

Palo Alto Networks strongly believes in and supports such testing for cyber readiness. Each year, we put our money where our mouth is and participate in critical exercises and related activities – two of which are going on this week. We’re excited to be participating in two events – one in the UK and one in the U.S. – where we help arm professionals on the American and European coasts:

  • In the UK, Palo Alto Networks is excited to be participating in this year’s Cyber Security Challenge UK. On the HMS Belfast in London, teams compete to test their cyber savviness. While this is fun stuff, it’s serious as well. The UK is prioritizing cyber, ensuring not only government but businesses throughout the UK can maintain the security of their infrastructure. Backed by GCHQ, the #CyberMasterClass15 held over these last 2 days is the 48-hour culmination of more than 10 months of qualifying rounds. The thousands of participants who started have been whittled down to just a few dozen of the UK’s most talented amateur cyber defenders. Read more about our role in the Challenge here.
  • In the U.S., hosted by immixGroup, “Cyber Operations Tools: Stemming the Threat through I.T.” enables U.S. government agencies to train on the current, cutting-edge cyber security tools available. Given the need to identify and thwart intrusive attacks, training on what is already available to help them do just that is critical. Cybersecurity professionals choose to spend anywhere from an hour to a whole day with industry experts, reviewing in-depth demonstrations and otherwise gaining insight into what is available to them. See full details here.

Pacific Endeavour and Combined Endeavor, which exercise the world’s militaries for communications readiness, also include a cybersecurity component to understand where we’re vulnerable – across the world’s defenses – and address the issues. While Combined Endeavor will return in 2016, we are quickly getting ready for the 2015 Pacific Endeavor.

We can’t stop here. As security professionals, we know the world of cyber and the threat landscape changes literally by the minute. One exercise is insufficient – we must maintain our cyber readiness skills in meaningful ways, from ongoing education plans to testing. If you’re a CIO or CISO, what are you doing to ensure that all of your teams who have an impact on the security of your network and data have the skills that they need? And are you ensuring those skills are in place across host, data center and cloud, SCADA infrastructure and the entire network that potentially touches the public domain? How do your professionals maintain that skillset on an ongoing basis? Don’t forget the people component of your programs. (Our CSO, Rick Howard, recommends some good reading on how to keep your teams trained and ready; see one of his recent nominations to the Cybersecurity Canon.)

Don’t forget, we also arm our existing customers with the very latest cutting-edge technology they can use today – as well as Ultimate Test Drive (UTD) sessions and labs for hands-on activities, at our annual user conference, Ignite 2015, coming up in just a few short weeks. This year, we’re adding luncheon roundtables where some of the brightest minds come together to discuss their challenges with the experts who have helped numerous other customers overcome the same.

Take a minute this week to think about your own team of cybersecurity professionals – and those within your organization who don’t touch security day-to-day but need to be armed with critical baseline knowledge to keep all of your network assets protected. Make it a priority to consider career development plans and training that help them to help you and your agency or company. We are all better off for it.

[Palo Alto Networks Blog]

Security Management and Internal Audit: Becoming Two Sides of the Same Coin

Internal security audits are a valuable source of information and highlight the areas that require attention, but do not be overly driven by their findings and recommendations.

Excessively strengthened security controls can impact business negatively. Security-related audit findings must be viewed in context of the relationship between business goals, the threat profile and the security controls. Security management and internal audit are two separate streams, but are driven by similar goals and fundamentally can be two sides of the same coin.

Sometimes, security controls are relevant to/appropriate for the infrastructure, but not relevant for the business itself. This results in the organization’s internal audit team finding weaker security controls within the infrastructure. In such situations, collaboration between security management, internal auditors and business must resolve the trade-off between compliance and noncompliance to the organizational security policies. Security management must be able to explain the business rationale for weaker controls to the auditors and simultaneously communicate the risks clearly to the enterprise’s management of not being compliant to the strengthened security policies. By doing so, security management ensures that the risk is understood and accepted by management.

Utilizing a risk-based approach to security management practice and internal audit can enable both streams to add value to the organization. It can help security management to identify and prioritize the more vulnerable components of the infrastructure and address those exposures appropriately. Similarly, a risk-based audit approach can help auditors to perform audits on the more critical parts of the infrastructure, understand the business requirements properly, and reduce time and cost by conducting a more focused audit.

Enterprises’ organizational data centers increasingly are being managed by outsourcing partners. When it comes to partners’ compliance with an organization’s security policies, outsourced contracts that are poorly defined with regards to security can raise financial and fulfillment issues, putting the whole business at risk. Therefore, security management must be involved in every stage of the outsourcing lifecycle—from initial negotiations through to sign-off and maintenance of the contract. Additionally, security management must convince management, internal auditors and outsourcing partners to reach an agreement on the best solution and the way forward for the organization while mitigating the risks highlighted by the audit team.

Well-defined security management practices, and their alignment with the business and internal security audit, ensure the protection of the organization’s information, data and IT services, and help the organization to meet its objectives. As larger organizations increasingly adopt outsourcing strategies, the onus on the security management practitioner is growing too. With new threats emerging and technologies evolving, ensuring the overall security of the organization can become a challenge from cost, process and effort standpoints if outsourcing contracts do not accommodate security policy updates too. Hence, it is critical that business management involves its security management practice when outsourcing its infrastructure.

Depending on the organization’s business goals, resources and threat profile, security management can take a risk-based approach to advise which components of the infrastructure should be outsourced while remaining compliant with policies and mitigating the findings of the internal audit team. Security management and internal audit must work hand in hand to effectively secure the business. Otherwise, the two streams can become counterproductive to the cause.

Muhammad Waheed Qureshi, CISA, CIPP/IT, CISSP, ITIL V3 Foundation
IT Security Analyst, Accenture, Sweden

[ISACA]

How CRISC And Ongoing Education Will Benefit Your Risk Management Career

I decided to pursue an ISACA membership and Certified in Risk and Information Systems Control (CRISC) certification because of ISACA’s reputation for offering industry-recognized and globally accepted professional certifications for more than four decades.

Based on my professional background and industry experience, I specifically chose to pursue the CRISC certification for two main reasons. The first reason is the extensive coverage of the concepts and principles described in the CRISC body of knowledge for effectively designing, developing, implementing and maintaining risk management processes across the organization in an effort to substantially contribute toward achieving business objectives. Second, and most important, the CRISC certification is completely vendor-neutral.

To all of those with the aspirations of joining the prestigious profession of business and technology risk management—and those who are already working in the profession—I strongly recommend the following steps:

  • Pursue CRISC certification, because CRISC is by far one of the most relevant, recognized and respected credentials for you to pursue in your career in the business and technology risk management industry.
  • Gain a thorough familiarity with a wide variety of risk management publications (e.g., The Risk IT Framework, The Risk IT Practitioner Guide, the COBIT framework, and the ISO 31000 International Risk Management Standard) to better understand the concepts and principles used in effectively managing business and technology risks across the organization.
  • Join a graduate recruitment program that focuses on risk management-related functions/roles.
  • Keep your CRISC certification current by enjoying the convenience of online opportunities provided by ISACA to earn continuing professional education (CPE) credits. Over the past few years, ISACA has been very active in devising new and convenient options to assist its certified members in accumulating CPE credits.

Regardless of the industry you are working in, the risk and compliance management function/role is and most likely will continue to be a reasonably fun, challenging and exciting area in which to work. It truly feels great to discover that you and your team have assisted your organization in managing organizational IT and business risks in an effective manner and have brought it one step closer to achieving its business objectives.

As I’m sure you do, I have a busy and hectic lifestyle, but I have personally adopted most of the above-mentioned recommendations and have greatly benefited from them; I am sure you will too!

Raees Khan, CRISC
Manager at Strategic Project, Pricestern

[ISACA]

ISACA International President: Transforming Cybersecurity—CSX 2015

When I was installed as ISACA’s international president, I made three promises. I said we’d continue to effectively serve our members who work in audit and assurance, we would drive adoption and use of COBIT 5, and we would make cybersecurity a top focus. Cybersecurity has climbed its way to the top of many of our priority lists. And we at ISACA have listened. To best serve our members and the profession, we are committed to doing for cybersecurity what we have done—and continue to do—for assurance and governance.

This is a pivotal moment—an exciting time in our industry. The tremendous global impact that cybersecurity issues and threats are having is creating many new challenges and opportunities for all of us. These challenges and opportunities bring with them an urgent need for skilled professionals who can protect and defend enterprises worldwide. Experienced security professionals are key to the success of fighting against cyberadversaries. We learned a lot about that from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)², and ISSA, who met at our North America ISRM conference in November. They discussed what organizations need from cybersecurity professionals and how to develop candidates to effectively fulfill these roles. As panel members pointed out, we are in the era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole of society to work together and get things done effectively.

As cybersecurity challenges and opportunities are transforming the way in which we all live and work, ISACA is also expanding to better serve you. We want to help you protect what you have built. We will do that by providing the education, guidance and solutions you are seeking—and by helping you develop your teams with the right people and the right skills.

In April, ISACA launched Cybersecurity Nexus (CSX). Through CSX, we are connecting enterprises and skilled professionals to help close the dramatic skills gap.

Now, as part of that mission, we are announcing CSX 2015 North America—a brand-new conference experience. It will deliver the risk management guidance that so many of you find valuable at ISRM, but it will also dive deeper than ever into the cybersecurity approaches and solutions that are demanded by professionals and organizations around the world.

Cybersecurity is everyone’s responsibility, and ISACA takes this responsibility very seriously. We developed CSX for you, and we will deliver it with you, to best serve you and your industries. We will give you the tools, credentials, community and education you need to meet cybersecurity challenges head on. CSX 2015 is one way we will accomplish that.

This brand-new conference features more than 70 cybersecurity sessions tailored to different levels of expertise. Attendees will explore cybersecurity trends and threats, exchange ideas and innovations, and learn how to excel at protecting and defending against cyber threats and attacks. From start to finish, CSX 2015 will focus on real-world solutions explained step by step by recognized industry leaders.

Be sure to mark your calendars now for CSX North America 2015 in Washington DC. I promise you—this is an event you won’t want to miss! North America is just the first step. We’ll be introducing CSX events throughout the world in 2016 and 2017.

Cybersecurity challenges will continue to advance and grow. Rest assured that ISACA will be there for you every step of the way.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[ISACA]
