• Steve Sizemore, CISA, CIA, CGAP
• Texas Health and Human Services Commission – Internal Audit Division
• IIA Austin Chapter
• ISACA
• Past President of Austin Chapter
• Government and Regulatory Agencies Subcommittee – North America
• Professional Standards Committee
Professional Standards Committee - Charge
• Develop, maintain, and support professional ethics, standards, and guidelines for the IT assurance, security and control professions.
Standards Board Members 2010/11
• John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore, Chair
• Manuel Aceves, CISSP, CGEIT, CISM, CISA, Cerberian Consulting, Mexico
• Rick De Young, CISA, MBA, CISSP, USA
• Murari Kalyanaramani, CISM, CISA, CISSP, British American Tobacco GSD, Malaysia
• Edward J. Pelcher, CGEIT, CISA, Office of the Auditor General, South Africa
• Rao Hulgeri Raghavendra, CISA, CQA, PGDIM, Oracle Financial Services Software Ltd., India
• Steven E. Sizemore, CISA, CIA, CGAP, Texas HHSC, USA
• Meera Venkatesh, CISA, CISM, CISSP, CWA, ACS, Microsoft Corp., USA
Professional Standards Committee Objectives
1. Refresh, consolidate, and retire IS auditing guidance issued by ISACA to ensure consistency with other material issued by ISACA and ITGI, such as COBIT 4.1 and the Information Technology Assurance Framework (ITAF).
Professional Standards Committee Objectives
2. Continue development of security principles and the Business Model for Information Security (BMIS).
Professional Standards Committee Objectives
3. IT Assurance Framework (ITAF)
• Ensure all current ISACA guidance is reflected.
• Identify gaps with our current guidance.
• Develop guidance as determined to be a priority by the gap analysis.
IS Auditing Guidance
• Code of Professional Ethics is a mandatory requirement
• Standards are mandatory requirements
• Guidelines are guidance in applying standards
• Procedures are examples
ITAF (cont)
• Standards – 3 categories
• General standards are the guiding principles under which the IT assurance profession operates
• Performance standards establish baseline expectations in the conduct of IT assurance engagements
• Reporting standards address the types of reports, the means of communication, and the information to be communicated
COBIT
• COBIT 4.1
• COBIT 5
• In development
• Will consolidate and integrate COBIT 4.1, Val IT 2.0 and Risk IT frameworks
• Draw significantly from the Business Model for Information Security (BMIS) and ITAF.
Val IT – A Governance Framework
IT-enabled investments will:
1. Be managed as a portfolio of investments
2. Include the full scope of activities required to achieve business value
3. Be managed through their full economic life cycle
Value delivery practices will:
4. Recognize different categories of investments to be evaluated and managed differently
5. Define and monitor key metrics and respond quickly to any changes or deviations
6. Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits
7. Be continually monitored, evaluated and improved
Risk IT – Risk Management Framework
• Risk Governance
• Establish and Maintain a Common Risk View
• Integrate with Enterprise Risk Management (ERM)
• Make Risk-aware Business Decisions
• Risk Evaluation
• Collect Data
• Analyze Risk
• Maintain Risk Profile
• Risk Response
• Articulate Risk
• Manage Risk
• React to Events
Information Security Principles
• Partnership of
• ISACA
• Information Security Forum (ISF)
• International Information Systems Security Certification Consortium (ISC)2
Business Model for Information Security (BMIS)
• Uses a business-oriented approach
• Can be used regardless of an enterprise’s size or the information security framework it has in place
• Focuses on people and processes in addition to technology.
• Is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems.
• Includes traditional information security, as well as links to privacy, risk, physical security and compliance.
• Enables information security professionals to align the security program with business objectives by helping to widen the view to the enterprise
How is IS auditing guidance developed?
Input to the Standards Board comes from:
• Chapter Presidents
• Area Rep
• General public
• Other standard setting bodies
• Members and CISAs
How is IS auditing guidance issued?
The Standards Board issues guidance to:
• General public (through the Internet)
• Members and CISAs (through the Internet)
• Selected professionals
• Other standard setting bodies (through the exposure process)
Copies of all Standards are available on the ISACA web site: www.isaca.org
Working with Other Organisations
• Work with other international standard setting bodies (IIA, IFAC, AICPA, etc.)
• Comment on Exposure Drafts
Guidelines to be Refreshed in 2011
G23 SDLC
G24 Internet Banking
G25 Review of VPNs
G26 Business Process Reengineering
G27 Mobile Computing
G28 Computer Forensics
G29 Post Implementation Reviews
G30 Competencies
G31 Privacy
G32 Business Continuity Planning
Gap Analysis
• Identified gaps between ITAF and the Standards and Guidelines
• Plan to address gaps through development of new standards and guidelines, and consolidation and reorganization of existing standards and guidelines.