©2009 ISACA Bangalore Chapter. All rights reserved. March, 2011



InfocITy Auditor


From the Desk of the President

Dear Readers,

Let me, at the outset, remind you of the recent communication from ISACA.

• Last date for registration to CISA/CISM/CRISC/CGEIT, June 2011, exams is extended to 15th April 2011

Through this message, I would like to highlight one more Security Certification – CCSK, being offered by CSA.

These days it is common to hear about Cloud, Cloud Services and Cloud Security. Cloud Security Alliance – a nonprofit Organization, started in the year 2008 in USA, is formed to serve the security practitioners in the cloud space. ISACA is the only Founding Affiliate Member of this organization and continues to be one of the Affiliate Members. The objectives of CSA are to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

CLOUD SECURITY CERTIFICATION - CCSK

A few pointers on the examination:

• CSA conducts an examination based on Cloud Security called “CCSK” - Certificate of Cloud Security Knowledge

• CCSK certification was launched in September 2010.

• The CCSK is a web-based, multiple choice examination of individual competency in key cloud security issues. The test is a 50 question, timed multiple choice examination which must be completed within 60 minutes.

• The CCSK is available online at https://ccsk.cloudsecurityalliance.org/. The test is available online on demand from any Internet-connected computer; it is not necessary to schedule your test.


• The CCSK costs $295 USD.

• There is no time expiration for the CCSK examination; you may purchase the test in 2010 and take it in 2011 if you desire.

• The body of knowledge that the first version of the CCSK examination covers is the CSA Guidance V2.1, English language version and ENISA’s report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.

• CSA Guidance: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

• ENISA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

• CCSK Study Guide: http://cloudsecurityalliance.org/CCSK-prep.pdf

• The CCSK is strongly supported by a broad coalition of experts and organizations from around the world. The collaboration with ENISA means that the world’s two leading organizations for vendor neutral cloud security research are providing the foundation for the industry’s first cloud security certification. CSA’s breadth of industry participation and strategic alliances are being leveraged to communicate the need and value of this certification to employers within cloud providers, cloud consumers, consultants and a variety of other stakeholders.

Please do visit their website, https://cloudsecurityalliance.org for more details.

With warm greetings!!

Natarajan K R, CGEIT, CISA
Hon. President


Message from Vice President

It is the time to communicate with you again through our newsletter. During the first quarter of 2011, there was a busy schedule of monthly CPE meets, chapter events and supported events. The CPE meets have been on important topics, the leaders were eminent proponents and the participants were very active. The attendance also is higher than previous years' numbers in general. Our programs director has been striving to have two sessions per month whenever possible for the knowledge enrichment of the members as well as easy fulfillment of CPE requirements of certifications. We request members to suggest topics of their interest for the CPE sessions. We also invite members to come forward and lead sessions on subjects of interest and share their success in GRC initiatives as case studies.

The chapter sponsored training programs are attracting an encouraging response and are providing an opportunity to members to equip themselves with skills at a discounted cost.

I would like to make special mention of two events supported by ISACA Bangalore.

Nullcon was conducted by Null Foundation, a voluntary body of ethical hackers, in Goa in the last week of February 2011. This was the second edition of the conference and information security professionals and experts from India and all over the world have made lucid presentations. There were infosec enthusiasts from universities, industry, government and defence attending in good number and actively participating. Our GRA / Membership Director is also a co-founder of Null Foundation. Apart from him, our representation in Nullcon was by our Secretary, treasurer and me. Our takeaway from the event was that the flavour of infosec, cyber security and cyber forensics is essential to evoke greater interest in our chapter events including our annual conference.

The second event supported by us held in this quarter is the prestigious Bangalore Cyber Security Summit (BCSS) held by Department of IT, Government of Karnataka in mid March 2011. Our president and I were on the advisory committee for this summit and gave some specific and actionable advice. One was to create a session for Governance, Risk and Compliance (GRC) and suggest speakers for the same. The other was to suggest an eminent speaker for cloud security. The summit went on to be a grand success and the sessions suggested by us were well received by the participants. The Principal IT Secretary, Government of Karnataka has acknowledged the chapter's contribution for the success of the summit and thanked me personally for the same.

As a twinkle at the end of the quarter, as I write this message to you, team India has won the cricket world cup 2011 for the second time after 28 years to give joy, pride and tears to a country that is unimaginably passionate about cricket. The learning from that win to us, professionals and also to an incredibly large youth population of India is that perseverance yields much more than the sum total of skill, strategy, resources and luck put together.

We have been receiving feedback from members that the newsletter content and layout are good. We also look forward to specific suggestions to improve the newsletter.

Please continue to interact with us and let us know what activities you expect from the chapter and how the past activities have been.

Sarat C Chegu
Vice President


From the Secretary’s Desk.....

'With Great power comes great responsibility' - or so said one of the characters from Stan Lee's famous creation Spiderman; with the recent events that have been happening around us, I think this phrase takes on surreal importance. One man, Anna Hazare, has been able to rally the general population like never before all by the simple act of declaring war on one of the biggest evils to plague modern India - corruption. But the story doesn't end there; what has been unique about this crusade, if I may call it that, has been the fact that people from all walks of life have poured in support like never before. What is different this time, one wonders? The answer lies in the use of social media and the internet to propagate the message and to spread the message quickly to millions of people. Emails have been doing the rounds to pledge support, sign petitions, facebook pages have been set up etc. Twitter is being used to organize protests and rallies and bring people together instantaneously (almost flash mobs!). As IS professionals, we look at the internet and more recently social media with suspicion and believe that controls need to be exercised to reduce threats; a key problem that exists is that the understanding about these innovations is limited - companies are quickly adopting and setting up 'twitter' accounts for their CEO or brand ambassador, but with very little understanding of the true potential of such an account and even less understanding of how to control/direct what they are doing. Minor indiscretions have caused embarrassment and damage. But organizations worldwide are waking up to the power of the internet, especially social media, to connect to all their 'constituents' - employees, business partners, customers etc. and are realizing that the potential is boundless.

However, as Stan Lee's character spouts the words 'With great power…', it is imperative to realize that the same internet and social media can have devastating effects on life as we know it if controls are not exercised. There have been several cases where organizations have lost millions, have suffered public humiliation and have been at the receiving end of public ridicule and shame because of poor controls being exercised, especially on the use of social media. A simple short message on one of the popular networking and microblogging sites can mean that information can reach millions simultaneously and spread like wildfire. In today's information economy (to use a clichéd phrase), a small slip can have a disastrous effect; a key person in an organization quitting is public news even before the organization knows it because this person chose to 'tweet' about it, or some brand ambassador 'tweeted' his/her dislike for a certain section of the population which is the target audience for the company he/she is representing. While it is astounding that someone or some organization can have a million followers on a popular social media site, it also means that that many people get first-hand accounts of all information instantaneously. Is the solution a lockdown? In the white paper "Social Media: Business Benefits With Security, Governance and Assurance Perspectives," published by ISACA in 2010, several aspects are stressed, key being the requirement to understand the purpose and need to use these innovations and take an approach that doesn't hinge on denying access as being the key control.

As IS professionals it is imperative that we understand this new 'animal' as much as possible and be able to support its full positive utilization while also guarding against possible threats.

R V Raghu
Secretary


How to Leverage Best Practices to Build Effective IT Audit Plans

Kolathur Srini, MBA, CISSP, CISA, CISM

Why best practices?

Process practices are improved every day. “Best practices” are recognized as the preferred methods for saving time and building efficiency within a process or group of processes. IT auditors should leverage best practices to build collaborative and effective technical audit plans, improve efficiency, and address risks.

What are best practices?

Wikipedia defines best practices as:

“…a technique, method, process, activity, incentive, or reward which conventional wisdom regards as more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”

Best practices evolve over time. Best practices used in the appropriate situation should consistently produce the best possible results.

Don’t reinvent the wheel

Everyone—regardless of their profession—wants to accomplish tasks using the minimum available resources. Best practices can be leveraged effectively to design, implement, support, and audit a given technology area. This becomes increasingly important in fast-paced and complex sectors like IT where technology is constantly changing and processes must be able to efficiently adapt.

In addition, the IT industry is dominated by major vendors such as Microsoft, Oracle, SAP, and Google. Similarities of servers, databases, network peripherals, and functionality requirements make building a collection of best practices a major attraction for the IT community.

There are several key advantages of utilizing best practices in IT:

• Benchmarking operations with industry peers can calculate a true return on investment (ROI)

• Leveraging collective human capital to cut down on the time and expense of individual “trial and error” process development

• Reducing the total cost of operations (TCO) for individual organizations by using the combined knowledge of leading resources across multiple organizations

• Identifying and targeting well-known gaps or vulnerabilities

Building a collaborative platform of best practices, based on the input from a diverse group of domain experts, vendors, and authoritative organizations, serves the larger community and helps share community knowledge.

How to build multi-dimensional and up-to-date best practices

Best practices, when captured, must be associated with relevant task scenarios and organized so that the community can apply and use them as required by their specific situation. This organization can be achieved using “tags”, or metadata, within the structure of the information. Tags, in Web 2.0 terminology, are keywords or terms assigned to practices and topics that enable efficient organization of information and rapid searching across large information sets.

As the availability of best practices increases within a given field of technology, massive repositories will contain best practices for every conceivable task scenario. To reduce the time required to find the specific best practice, or groups of practices, needed for a given task, each practice is tagged for multiple contexts and user requirements. As new task scenarios develop to support evolving compliance and business requirements, existing practices can be tagged for association with the new scenarios.

In addition to clear associations and organization, it is essential to ensure that best practices are kept up-to-date in the fast-changing technology world. The incredible amount of information in the form of whitepapers, blogs, books, presentations etc., is isolated and lacks the framework to be updated frequently. Referencing a best practice published several years ago might yield undesirable results. These best practices are continuously kept up-to-date on the easy-to-use web platform with dedicated contributors and a review and comments section for the public.

Who builds best practices and why?

In our increasingly ‘connected’ world, the best ideas and practices can come from anywhere. The key to leveraging best practices is to get up-to-date details of practices that have similar dependency factors and then share them globally.

A physician in India might operate on ten (10) to twenty (20) patients per day. But best practices that apply to a physician working with a large population, such as in India, might not be ideal for a physician in a small, rural hospital in the United States. By collecting best practices from experts with varying demographics and organizing them to be easily accessed by others in similar situations, we can substantially reduce the total time required to develop efficient processes in any given field and with any specific set of criteria.

For example, best practices collaboratively developed by physicians who operate on many patients might enable more rapid deployment of successful triage and treatment processes during a natural disaster in an area that typically does not service large patient populations.

Why use best practices for IT audit planning?

IT Audit is the process of collecting and evaluating evidence to determine if an organization's information systems are:

• Designed to maintain data integrity and safeguard assets

• Positioned to achieve current and future organizational goals effectively

• Designed to use resources efficiently

An effective and efficient information system leads the organization to achieve its objectives and uses minimum resources in achieving the required objectives. IT auditors must know the characteristics of information systems in the organization while evaluating the effectiveness of any system since IT governance and strategy are critical to an organization’s success. IT auditors play a major role in identifying risks and gaps in the system.

Controls in an information system reflect the practices designed to provide reasonable assurance that business objectives will be achieved. IT controls also ensure effectiveness and efficiency of operations, reliability of financial reporting, and compliance with rules and regulations. Using a global best practice knowledge base, organizations can learn from others who have experienced the same or similar issues and quickly employ controls to mitigate risks.

To develop an effective risk assessment and audit plan, it is essential to break down the IT universe into smaller and more manageable components. Typically, IT sub-components are defined as infrastructure and applications systems.

Infrastructure systems consist of hardware systems that include servers, routers, communications devices, desktops, etc. The hardware infrastructure controls the flow and processing of information throughout the organization.

Applications systems are typically the software used to record and store business transactions. Examples would be databases, enterprise resource planning systems, cloud-hosted applications, and business intelligence software.

The hardware infrastructure and applications are audited to ensure security, effectiveness, continuity, maintenance, and cost. The IT controls that monitor these elements are generally contained in security and risk management documents, business continuity plans, and service level agreements (SLAs). By leveraging the best practices developed at the component level, an IT auditor can quickly build an audit plan based on specific criteria and provide a risk assessment report of the IT environment.

Why Checklist 2.0?

Checklist 2.0 is building the premier repository of best practices for creating effective and comprehensive IT audit plans. Our global collaborative knowledge base is organized for easy access and rapid deployment. Our dedicated contributors and online community update and validate practices every day to ensure they remain up-to-date for changing business requirements. We welcome your thoughts and inputs. To contribute to our global IT Audit Best Practices, please register at http://www.checklist20.com


ISACA Bangalore Chapter was one of the Key Supporting Organizations for the National Conference on Cyber Security organized by Department of IT, BT and S&T, Government of Karnataka held on 17th and 18th March 2011 at Nimhans Convention Centre, Bangalore. Our Vice-President Sarat Chegu attended the conference along with our members in large number.

Cyber Security Conference Photos:

National Conference on Cyber Security


Letter from Mr. M.N.Vidyashankar, Principal Secretary, Department of IT, Biotechnology, S&T to our Vice-President Sarat Chegu acknowledging our support.

Dear Mr. Sarat Chegu,

Greetings from the Department of IT, BT and S & T and e-Governance, Government of Karnataka.

The 2nd edition of the Bangalore Cyber Security Summit, 2011, held on 17th and 18th March, 2011, at Nimhans Convention Center, Bangalore, received an overwhelming response. The excellent feedback received about the structure and contents of the event has been encouraging.

Credit for the success of the event goes to you, in large measure. Your valuable inputs as a member of the Program Advisory Committee were truly useful in structuring the event. Please accept my heartfelt thanks for your support to the event.

Thank you, once again, and looking forward to your support and cooperation in all our endeavors of the Department.

I am sure our association and interaction will be a longstanding one.

With best regards,

Sincerely,

M N Vidyashankar
Principal Secretary to Government

Dept. of IT, Biotechnology, S & T
Govt. of Karnataka
6th Floor, 5th Stage, MS Building,
Ambedkar Veedhi, Bangalore-560001
Phone: 080-2228 0562 / 080-2203 2434 / 080-2237 4314
Fax: 080-2228 8340
Please visit www.bangaloreitbt.in
e-mail: [email protected]

Bangalore ISACA Awareness Seminar, 22-Jan-2011

NULLCON

India's largest open security community conducted nullcon dwitiya - India's No. 1 International Security & Hacking conference at The Retreat, by Zuri, Uttor Doxi, Salcete, Goa on 25th & 26th Feb 2011. A large number of people including our members and office bearers participated in the conference.


List of Directors of ISACA Bangalore Chapter

1. Mr. K. R. Natarajan, President.

2. Mr. Sarat C. Chegu, Vice-President.

3. Mr. Raghu R V, Secretary.

4. Mr. Suresh G. Patankar, Treasurer.

5. Mr. Jose Koshy Samuel, Immediate Past President.

6. Mr. Satish Kini, CISA Co-ordinator & Director Academic Relations.

7. Mr. R. Ravi, CISM/CGEIT Co-ordinator.

8. Mr. Meda Satish, Education Chair.

9. Mr. C. N. Shashidhar, Director Membership and GRA Services.

10. Mr. Sundaram Sridhar, Director - Newsletter.

11. Mr. C. Rajaraman, Director - Programme.

12. Ms. Preeti Khosla, Director - Publicity.

13. Mr. Murugappan K., Director - Research.

GRC Achievement Awards

ISACA Bangalore is privileged to invite nominations for the 2011 GRC Achievement Awards.

The awards recognize the great strides that many IS professionals have made in improving and integrating the approaches of their organizations to governance, risk management and compliance (GRC) to achieve exemplary performance.

This is the inaugural effort of the initiative and ISACA Bangalore hopes to make it a regular feature of its activities to honor the IS professionals of the IT capital of India.

NOMINATION AND AWARD PROCESS

Submit a nomination for a successful project within your own organization or another organization in your own name or nominate another IS professional. The nominations should reach ISACA Bangalore on or before May 31, 2011. The Awards will be presented at the 14th Annual Conference, July 22-23, 2011, in Bangalore.

Awards will be presented to IS professionals who demonstrate achievements in one or more of the following areas (illustrative list):

• Structure: Establishing a strong GRC organizational structure to ensure adequate oversight and coordination of efforts;

• Information: Improving management, use and transparency of GRC relevant information;

• Effectiveness: Gaining greater confidence in the effectiveness of compliance controls;

• Processes: Coordinating risk assessment processes to develop a clearer enterprise view of risk;

• Performance: Streamlining aspects of GRC capability to reduce cost and improve performance.

To apply simply send a document (attached to an email) entitled GRC Achievement Award Nomination to [email protected]. The nomination should include the following sections:

1. Name of the IS professional

2. Name of the nominee IS professional (if not self nominated)

3. Position

4. Name of Project/Achievement

5. Name of Organization

6. Primary Contact Name / email / phone number

7. Nominee's contact email / phone number

8. Brief Description of Project (50-150 words per section below); should include:

a) Challenge addressed

b) Desired outcome(s)

c) Process undertaken and roles involved

d) Outcome(s) achieved, which may be operational, financial and/or other

e) Planned next steps

DEADLINES and PROCESS

Nominations must be submitted by May 31, 2011, for consideration.

Award winners will be notified by June 30, 2011 and will be asked to submit a treatise for presentation at the 14th Annual Conference at The Matthan Hotel in Bangalore, July 22-23, 2011.


CPE MEET -1

CPE Topic : The Dodd-Frank Wall Street Reform and Consumer Protection Act

CPE Speakers : (1) Mr. Ravi Raman, Chief Risk Officer, Butterfield Fulcrum, Bangalore

(2) Mr. Swami, AVP & Head - Internal Audits in Butterfield Fulcrum, Bangalore

Date : 22-Jan-2011

Venue : Chapter Office

Time : 6.30 - 8.30 PM

The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law in July 2010 in the United States. There have been sweeping changes in the realms of corporate governance / investor protection / disclosures and 3rd party service providers' responsibilities. Many of these changes are now mandated and it is beginning to have a significant influence in the functioning of IT/IS leaders with focus on the 'CIA' triad and in developing tools to contain systemic risk. The enhanced disclosure requirements have created a growing need for improved availability standards for applications and information. There are huge opportunities in analytics including data warehousing and Business Intelligence, not to mention the ever growing need for control assessments and assurance reviews. Similar opportunities are emerging with the imminent adoption of Solvency 2 in Europe and Basel 3 globally.

The presentation was focused on the key aspects of the act and its relevance to the BFSI / risk management community where IS/IT have evolved to play a significant role over the last decade. Twenty members attended the meeting and had good discussion with the speakers.

CPE Meet -1 Event Photos:


CPE MEET -2

CPE Topic : Cyber Crime

CPE Speakers : Mr C N Shashidhar & Dr K Rama Subramaniam

Date : 29-Jan-2011

Venue : Chapter Office

Time : 6.30 - 8.30 PM

Cyber Crime is the No. 1 crime in the US and many other parts of the world from 2009 onwards. The dangers of Cyber crime and its implications are being faced by law enforcement agencies, IT Security Professionals, Corporates, Banks, Financial institutions as well as the lay IT user. Cyber crime can only be ignored at our peril.

The presentations were focused on the background to Cyber Crime, the latest developments and technology of Cyber crime and also showcased the high costs of cyber crime to business and corporations based on independent surveys and research. A good number of twenty eight participants attended the meeting.

CPE MEET -3

CPE Topic : Insider Threat, Fraud & decline in Corporate trust - Idiots guide to exploits using Technology, Tools & Social Engineering techniques

CPE Speakers : Mr Tamaghna Basu & Mr Simran Gambhir

Date : 5-Feb-2011

Venue : Chapter Office

Time : 6.30 - 8.30 PM

Insider Threat poses the biggest risk to any corporation or organization. While network perimeter security & other measures receive a lot of management focus and effort, tackling the Insider threat is often ignored. Recent incidents like Wikileaks serve to highlight the increased trend of Insider Threats.

Using a variety of technologies, tools and social engineering techniques the speakers demonstrated & highlighted the extent of damage that could be caused by a determined and malicious insider. They also covered the technical controls that could be put in place to avoid such attacks. A record number of 37 members attended the meeting with great enthusiasm.

CPE MEET -4

CPE Topic : Information Security Challenges faced in Enterprises Globally

CPE Speakers : Mr Shashanko Roy

Date : 26-Feb-2011

Venue : Chapter Office

Time : 6.30 - 8.30 PM

Globally organizations are challenged with management of information security practices to ensure confidentiality, integrity and availability of data (internal and external). This topic touched on some basic challenges faced by organizations globally, irrespective of the industry segment they represent.

Highlights of the discussions included solutions that are available and methodologies which are implemented by global leaders to tackle each challenge that is faced by organizations. Some primary challenges discussed were Managing Regulatory Compliance requirements, Managing Patches, Antivirus solution and Endpoint Security for enterprises, Governance issues, Security Awareness programs etc. Twenty members participated in the discussions.


CPE MEET -5

CPE Topic : Standardization of information security across enterprise applications

CPE Speakers : Mr Prakash Bhaskaran

Date : 19-Mar-2011

Venue : Chapter Office

Time : 6.30 - 8.30 PM

Today enterprise applications do not uniformly extend security for the information that comes out of these applications at the hands of trusted users. The reasons are plenty. These applications come from a variety of vendors, some are home grown, some are placed on the clouds, the users can be internal and they may be authenticated from multiple sources. Typically organizations had tight coupling between the authentication sources, key manager and policy managers, and hence the security availability was extended to only a few business cases and to only a few business constituents.

Mr Prakash Bhaskaran discussed how the limitations could be overcome so security would be extended for all applications in an organization uniformly and in a standardized format by removing the tight coupling between authentication sources, key manager, policy managers and the file formats. The speaker also discussed how removing the tight coupling helps extend the security at the content level and have complete control over information originating from enterprise applications for its life time.

ITEM WRITING WORKSHOP

Date : 19.2.2011 - Saturday

Time : 5:00 PM to 8:00 PM (with a light Refreshment Break)

Venue : Chapter Office

Speaker : Mr. Srinivasan S K, President, SKS Consulting

Annual ITEM Writing Workshop was held on 19.2.2011 at our Chapter premises.

The objective of the workshop was to familiarize the participants as to the modalities, expectations and approach to writing CISA, CISM and CGEIT Items, and learn the attributes of a Good Question.

The workshop consisted of the following three sessions of one hour duration each:

• Presentation of Item Writing

• Hands on Item Writing

• Open House on the Items Written

Fifteen members attended the workshop to learn the tricks of item writing and to fine tune Questions to be submitted to ISACA.

ISACA BANGALORE CHAPTER ANNOUNCES

14TH ANNUAL KARNATAKA CONFERENCE

Theme: Trust in, Value from Information Systems

Place: Hotel Matthan, Bangalore

Dates: 22-23 July 2011

For Details: Contact Chapter Office

ISACA Bangalore Chapter was one of the supporting organizations for the one day conference "CSI Risk Summit-2011", organized by Computer Society of India, Bangalore on 29.1.2011 at Hotel ATRIA - Bengaluru. The program topic was "Leveraging Technology for Enterprise Risk Management". A good number of members attended the programme.


News from the Headquarters:

ISACA Approves ICWAI's Use of Standards, Guidelines, and Tools and Techniques

ISACA® has signed an agreement with the Institute of Cost and Works Accountants of India (ICWAI) giving ICWAI approval to use ISACA's IT Audit and Assurance Standards, Guidelines, and Tools and Techniques.

The standards inform IT auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in ISACA's Code of Professional Ethics for IS auditors, the profession's expectations concerning the work of practitioners and the requirements for IS audit practitioners.

The guidelines are considered when the IS auditor is determining how to achieve implementation of standards, to use professional judgment in their application and to be prepared to justify any departure from the guidelines. The guidelines provide further information on how to comply with the IT Audit and Assurance Standards.

The IT Audit and Assurance Tools and Techniques provide examples of how an IT auditor might follow an audit process and information on how to meet the standards when performing IT auditing work.

ISACA is excited to work with ICWAI and values the use of ISACA's Standards, Guidelines, and Tools and Techniques by IS professionals the world over.

Action Steps for Responding to Computer Incidents
By Leighton Johnson, CISA, CISM, CIFI, CISSP

To understand what actions are necessary when responding to an incident, you must be able to relate the event to the system under investigation. To accomplish this understanding, first identify the actual risk of adverse impacts to the system. Risk itself can be defined as "the function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resultant impact of that adverse event on the organization," according to NIST Special Publication SP 800-37, rev. 1. There are five steps to any evaluation process for these events:

1. Identify the threat itself. What is the source? What location does the attack come from? If possible, who initiated the threat?

2. Identify and define the vulnerability of the system. What operating system is in use? What application, network device or server is involved? Has the vendor created and issued a patch for this vulnerability?

3. Determine the likelihood of this vulnerability being exploited. What is the probability of this happening in your environment? Are you exposed to this issue?

4. Determine the kind of harm this threat can create. What is or could be the impact on your system or data? Does this threat create a potential data breach? Is there a regulatory or statutory requirement for reporting here? How can the impact hurt the business?

5. Always look for the larger impact areas of the threat event. Does the company have to report the event to the authorities or other outside agencies? Look at the full effect of the event when responding to the incident.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team (ISFMT) of Bath, South Carolina, USA.


Become a Certification Mentor - Earn Free CPE

As an ISACA® certified professional you are committed to excellence.

Mentor an aspiring information systems professional, advance the profession and earn FREE CPE.

Some ways you can mentor and earn CPE credits are to:

• Share your certification and career path experience.

• Encourage certification.

• Coach an exam candidate.

• Recommend review materials.

• Coordinate peer discussions.

How and When to Report CPE Hours

ISACA® International Headquarters is frequently asked: "When is it time to enter continuing professional education (CPE) hours into my profile?" CPE hours are reported annually during the renewal process; you can report CPE hours at the same time you pay the annual maintenance fees. You may also update CPE hours at any time after the renewal process begins. (Note: You cannot report hours, and do not need to report hours, during the year in which you obtain certification.)

To update CPE hours through the ISACA web site, log on using your personalized login credentials and follow the steps below.

1. Click on the My ISACA tab at the top of the page.

2. Click on the myCERTIFICATIONS tab.


3. Click the Edit My CPE Hours link.

4. CPE reporting is located in the My Demographic, Certification CPE and Other Information tab. Scroll to the bottom of the page to view and edit the appropriate CPE fields. If you do not see a CPE section, CPE hours are not being accepted or you are not yet required to report CPEs.

5. Enter CPE hours. Then, click Save at the bottom of the page.

You may also use this form to easily update personal contact, demographic and professional information.


MEMBERSHIP APPLICATION
Join online and save US $20.00

Send mail to: □ Home □ Business

www.isaca.org/join

□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________ Date ___________________________ MONTH/DAY/YEAR

Name ______________________________________________________________________________________________________ FIRST MIDDLE LAST/FAMILY

____________________________________________________________________________________________________________PRINT NAME AS YOU WANT IT TO APPEAR ON MEMBERSHIP CERTIFICATE

Residence address ____________________________________________________________________________________________ STREET ____________________________________________________________________________________________ CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Residence phone ____________________________________ Residence facsimile ____________________________________ AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

Company name ____________________________________________________________________________________________

Title ____________________________________________________________________________________________

Business address ____________________________________________________________________________________________ STREET ____________________________________________________________________________________________ CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Business phone ____________________________________ Business facsimile _____________________________________ AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

E-mail _______________________________________________________

Please complete both sides.

U.S. Federal I.D. No. [email protected]

Chapter affiliation: □ Chapter Number (see reverse) ______________ or □ Member at large (no chapter within 50 miles/80 km)

How did you hear about ISACA?
1 Friend/Coworker
2 Employer
3 Internet Search
4 Information Systems Control Journal
5 Other Publication
6 Local Chapter
7 Certification Programs
8 Direct Mail
9 Educational Event

□ I do not want to be included on a mailing list, other than that for Association mailings.

Please note: Membership in the association requires you to belong to a chapter when you live or work within 50 miles/80 km of a chapter territory. The name of the chapter is indicative of its territory. If you live farther than 50 miles/80 km from a chapter territory, select member at large. Chapter selection is subject to verification by ISACA International Headquarters. Cities listed in parentheses are a reference to where the majority of chapter meetings are held. Please contact your local chapter at www.isaca.org/chapters for other meeting locations.

Current field of employment (check one)
1 Financial/Banking
2 Insurance
3 Public Accounting
4 Transportation
5 Aerospace
6 Retail/Wholesale/Distribution
7 Government/Military (National/State/Local)
8 Technology Services/Consulting
9 Manufacturing/Engineering
10 Telecommunications/Communications
11 Mining/Construction/Petroleum/Agriculture
12 Utilities
13 Legal/Law/Real Estate
14 Health Care/Medical
15 Pharmaceutical
16 Advertising/Marketing/Media
17 Education/Student
99 Other ___________________

Level of education achieved (indicate degree achieved, or number of years of university education if degree not obtained)
1 One year or less
2 Two years
3 Three years
4 Four years
5 Five years
6 Six years or more
7 AS
8 BS/BA
9 MS/MBA/Masters
10 PhD
99 Other _____________

Work experience (check the number of years of information systems related work experience)
1 No experience
2 1-3 years
3 4-7 years
4 8-9 years
5 10-13 years
6 14 years or more

Current professional activity (If not your title, please select the BEST match)

1 CEO, President, Owner, General/Executive Manager
2 CAE, General Auditor, Partner, Audit Head/VP/EVP
3 CISO/CSO, Security Executive/VP/EVP
4 CIO/CTO, Info Systems/Technology Executive/VP/EVP
5 CFO, Controller, Treasurer, Finance Executive/VP/EVP
6 Chief Compliance/Risk/Privacy Officer, VP/EVP
7 IT Audit Director/Manager/Consultant
8 Security Director/Manager/Consultant
9 IT Director/Manager/Consultant
10 Compliance/Risk/Privacy Director/Manager/Consultant
11 IT Senior Auditor (External/Internal)
12 IT Auditor (External/Internal Staff)
13 Non-IT Auditor (External/Internal)
14 Security Staff
15 IT Staff
16 Professor/Teacher
17 Student
99 Other ______________________________________

Date of Birth __________________________________ MONTH/DAY/YEAR

Certifications obtained (other than CISA, CISM, CGEIT)
1 CPA
2 CA
3 CIA
4 CISSP
5 CPP
6 GIAC
7 CFE
99 Other __________

Payment due
• Association dues $ 130.00 (US)
• Chapter dues (see reverse) $ ______ (US)
• New member processing fee $ 30.00 (US)*

PLEASE PAY THIS TOTAL $ ______ (US)

For student membership information please visit www.isaca.org/student

* Membership dues consist of Association dues, chapter dues and new member processing fee. Join online and save US $20.00.

Membership dues are nonrefundable and nontransferable.

Method of payment
□ Check payable in US dollars, drawn on US bank
□ Send invoice (Applications cannot be processed until dues payment is received.)
□ MasterCard □ VISA □ American Express □ Diners Club

All payments by credit card will be processed in US dollars

ACCT # ____________________________________________

Print name of cardholder _______________________________

Expiration date _______________________________________ MONTH/YEAR

Signature ___________________________________________

Cardholder billing address if different than address provided above:

___________________________________________________

___________________________________________________

By applying for membership in ISACA, members agree to hold the association and its chapters, and the IT Governance Institute, and their respective officers, directors, members, trustees, employees and agents, harmless for all acts or failures to act while carrying out the purposes of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association’s Code of Professional Ethics (www.isaca.org/ethics).

Full payment entitles new members to membership from the date payment is processed by International Headquarters through 31 December 2009. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to ISACA are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Make checks payable to: ISACA

Mail your application and check to:
ISACA
1055 Paysphere Circle
Chicago, IL 60674 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443

The dues amounts on this application are valid 7 August 2008 through 31 May 2009.


US dollar amounts listed below are for local chapter dues. While correct at the time of printing, chapter dues are subject to change without notice. Please include the appropriate chapter dues amount with your remittance.

For current chapter dues, or if the amount is not listed below, please visit the web site, www.isaca.org/chapdues, or contact your local chapter at www.isaca.org/chapters.

Chapter name (chapter number) dues in US$; S = call chapter for information.

ASIA
Hong Kong (64) $60
Bangalore, India (138) $20
Cochin, India (176) $15
Coimbatore, India (155) $20
Hyderabad, India (164) $20
Kolkata, India (165) $20
Chennai, India (99) $10
Mumbai, India (145) $35
New Delhi, India (140) $15
Pune, India (159) $17
Vijayawada, India (200) $20
Indonesia (123) $45
Nagoya, Japan (118) $60
Osaka, Japan (103) $85
Tokyo, Japan (89) $80
Korea (107) $40
Lebanon (181) $35
Macao (190) $0
Malaysia (93) $10
Muscat, Oman (168) $40
Karachi, Pakistan (148) $20
Lahore, Pakistan (196) $30
Manila, Philippines (136) $20
Jeddah, Saudi Arabia (163) $70
Riyadh, Saudi Arabia (154) $0
Singapore (70) $10
Sri Lanka (141) $15
Taiwan (142) $50
Bangkok, Thailand (109) $10
UAE (150) $10

CENTRAL/SOUTH AMERICA
Buenos Aires, Argentina (124) S
Mendoza, Argentina (144) S
La Paz, Bolivia (173) $25
Brasília, Brazil (202) $10
Rio de Janeiro, Brazil (203) $10
São Paulo, Brazil (166) $20
Santiago, Chile (135) $40
Bogotá, Colombia (126) $25
San José, Costa Rica (31) $33
Quito, Ecuador (179) $15
Guadalajara, México (201) $40
Mérida, Yucatán, México (101) $50
Mexico City, México (14) $65
Monterrey, México (80) $50
Panamá (94) $30
Asunción, Paraguay (184) $40
Lima, Perú (146) $15
Puerto Rico (86) $40
Montevideo, Uruguay (133) S
Venezuela (113) $20

EUROPE/AFRICA
Austria (157) $45
Belgium (143) $70
Sofia, Bulgaria (189) $40
Croatia (170) $50
Czech Republic (153) $130
Denmark (96) $50
Estonia (162) $30
Finland (115) $15
France (Paris) (75) $140
Germany (104) $80
Athens, Greece (134) $30
Budapest, Hungary (125) $65
Ireland (156) $40
Tel-Aviv, Israel (40) $50
Milan, Italy (43) $53
Rome, Italy (178) $26
Kenya (158) $40
Latvia (139) $20
Lithuania (180) $40
Luxembourg (198) $85
Malta (186) $25
Netherlands (97) $50
Abuja, Nigeria (185) $40
Lagos, Nigeria (149) $20
Norway (74) $55
Warsaw, Poland (151) $40
Moscow, Russia (167) $10
Romania (172) $50
Slovenia (137) $50
Slovak Republic (160) $65
South Africa (130) $49
Barcelona, Spain (171) $110
Madrid, Spain (183) $85
Valencia, Spain (182) $45
Sweden (88) $45
Switzerland (116) $45
Tanzania (174) $50
Kampala, Uganda (199) $0
London, UK (60) $40
Central UK (132) $55
Northern England, UK (111) $75
Scotland, UK (175) $80

NORTH AMERICA

Canada
Calgary, AB (121) $25
Edmonton, AB (131) $25
Vancouver, BC (25) $20
Victoria, BC (100) $0
Winnipeg, MB (72) $20
Nova Scotia (105) $0
Ottawa Valley, ON (32) $16
Toronto, ON (21) $25
Montreal, PQ (36) $25
Quebec City, PQ (91) $45

Islands
Bermuda (147) $0
Trinidad & Tobago (106) $25

Midwestern United States
Chicago, IL (02) $50
Illini (Springfield, IL) (77) $30
Central Indiana (Indianapolis) (56) $30
Iowa (Des Moines) (110) $25
Kentuckiana (Louisville, KY) (37) $35
Detroit, MI (08) $40
Western Michigan (38) $30
Minnesota (07) $35
Omaha, NE (23) $30
Central Ohio (Columbus) (27) $35
Greater Cincinnati, OH (03) $30
Northeast Ohio (Cleveland) (26) $30
Northwest Ohio (188) $25
Kettle Moraine, WI (Milwaukee) (57) $35
Quad Cities (169) $25

Northeastern United States
Greater Hartford, CT (28) $40
Central Maryland (Baltimore) (24) $25
New England (18) $30
New Jersey (30) $40
Central New York (Syracuse) (29) $15
Hudson Valley, NY (Albany) (120) $0
New York Metropolitan (10) $50
Western New York (Buffalo) (46) $30
Harrisburg, PA (45) $25
Philadelphia, PA (06) $40
Pittsburgh, PA (13) $20
Rhode Island (197) $25
National Capital Area, DC (05) $40

Southeastern United States
North Alabama (Birmingham) (65) $30
Jacksonville, FL (58) $30
Central Florida (Orlando) (67) $35
South Florida (33) $40
West Florida (Tampa) (41) $35
Atlanta, GA (39) $40
Charlotte, NC (51) $35
Research Triangle (Raleigh, NC) (59) $25
South Carolina Midlands (Columbia, SC) (54) $30
Memphis, TN (48) $45
Middle Tennessee (Nashville) (102) $45
Virginia (22) $30

Southwestern United States
Central Arkansas (Little Rock) (82) $60
Denver, CO (16) $40
Baton Rouge, LA (85) $25
Greater New Orleans, LA (61) $25
Greater Kansas City, MO (87) $0
St. Louis, MO (11) $25
New Mexico (Albuquerque) (83) $25
Central Oklahoma (OK City) (49) $30
Tulsa, OK (34) $30
Austin, TX (20) $25
Greater Houston Area, TX (09) $40
North Texas (Dallas) (12) $30
San Antonio/So. Texas (81) $25

Western United States
Anchorage, AK (177) $20
Phoenix, AZ (53) $30
Los Angeles, CA (01) $25
Orange County, CA (Anaheim) (79) $30
Sacramento, CA (76) $25
San Francisco, CA (15) $45
San Diego, CA (19) $40
Silicon Valley, CA (Sunnyvale) (62) $30
Hawaii (Honolulu) (71) $40
Boise, ID (42) $40
Las Vegas, NV (187) $35
Willamette Valley, OR (Portland) (50) $30
Utah (Salt Lake City) (04) $30
Mt. Rainier, WA (Olympia) (129) $20
Puget Sound, WA (Seattle) (35) $25

OCEANIA
Adelaide, Australia (68) $0
Brisbane, Australia (44) $16
Canberra, Australia (92) $15
Melbourne, Australia (47) $15
Perth, Australia (63) $10
Sydney, Australia (17) $30
Auckland, New Zealand (84) $40
Wellington, New Zealand (73) $28
Papua New Guinea (152) $10

To receive your copy of the Information Systems Control Journal, please complete the following subscriber information:

Size of ENTIRE organization
1 Fewer than 50 employees
2 50 – 149 employees
3 150 – 499 employees
4 500 – 1,499 employees
5 1,500 – 4,999 employees
6 5,000 – 9,999 employees
7 10,000 – 14,999 employees
8 15,000 or more employees

Size of IT audit staff (local office)
1 0 individuals
2 1 individual
3 2-5 individuals
4 6-10 individuals
5 11-25 individuals
6 More than 25 individuals

Size of information security staff (local office)
1 0 individuals
2 1 individual
3 2-5 individuals
4 6-10 individuals
5 11-25 individuals
6 More than 25 individuals

Your level of purchasing authority
1 Recommend products/services
2 Approve purchase
3 Recommend and approve purchase

S = Call chapter for information


□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________ Date ______________ MONTH/DAY/YEAR

Name_______________________________________________________________________________________________________FIRST MIDDLE LAST/FAMILY

Address at school ____________________________________________________________________________________________STREET

____________________________________________________________________________________________CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Phone at school _____________________________________ Facsimile at school _____________________________________AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

University Name ____________________________________________________________________________________________

Field of study/major of concentration _______________________ Expected date of graduation______________________________

Home address ____________________________________________________________________________________________STREET

____________________________________________________________________________________________CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Home phone _____________________________________ Home facsimile _______________________________________AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

E-mail ________________________________________________________

Send mail to: □ Home □ School

Degree Program: □ Undergraduate □ Graduate

STUDENT MEMBERSHIP APPLICATION

Payment due
• Association dues for students $ 25.00 (US)
• Chapter dues #____ (see following page) $ ______ (US)

PLEASE PAY THIS TOTAL* $ ______ (US)

* Membership dues consist of Association dues and chapter dues.

Membership dues are non-refundable and non-transferable.

Method of payment
□ Check payable in US dollars, drawn on US bank
□ MasterCard □ VISA □ American Express □ Diners Club

All payments by credit card will be processed in US dollars

Account #___________________________________________

Print name of cardholder _______________________________

Expiration date_______________________________________MONTH/YEAR

Signature ___________________________________________

Cardholder billing address if different than address provided above:
___________________________________________________

___________________________________________________

By applying for membership in ISACA, members agree to hold the Association and its chapters, and the IT Governance Institute, and their respective officers, directors, members, trustees, employees and agents, harmless for all acts or failures to act while carrying out the purposes of the Association and the Institute as set forth in their respective bylaws, and they certify that they will abide by the Association's Code of Professional Ethics (www.isaca.org/ethics).

Full payment entitles new members to membership from the date payment is processed by International Headquarters through 31 December 2009. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to the Information Systems Audit and Control Association are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Make checks payable to: ISACA

Mail your application and check to:
ISACA
1055 Paysphere Circle
Chicago, IL 60674 USA
Phone: +1.847.253.1545 x5595
Fax: +1.847.253.1652

U.S. Federal I.D. No. [email protected]

How did you hear about ISACA?
1 □ Friend/Coworker
2 □ Employer
3 □ Internet Search
4 □ IS Control Journal
5 □ Other Publication
6 □ Local Chapter
7 □ Certification Program
8 □ Direct Mail
9 □ Educational Event
10 □ Professor/University

□ I do not want to be included on a mailing list, other than that for Association mailings.

To become a student member, you must be a full-time student (undergraduate or graduate) and attach one of the following:
• a current transcript with the name of the institution and name of the student
• a current class schedule provided by the university with the name of the institution and name of the student.

All international Association benefits will be provided electronically.
