IN-CONTROL

EMIRATES AIRLINES HONOURS TOP SCORERS IN CISA & CISM EXAMINATION

Featured articles: DIGITAL FORENSICS – An IT Governance Attribute; MEASUREMENT OF IT LEVERAGE – A New Approach; and many more...


VOL. 1 ISSUE 1

CONTENTS

MEASUREMENT OF IT LEVERAGE – A New Approach ... 5
THE IMPORTANCE OF HOST ACCESS CONTROL ... 8
DIGITAL FORENSICS – An IT Governance Attribute ... 10
EMIRATES AIRLINE HONOURS TOP SCORERS ... 12
NEWS & EVENTS – Leadership Conference ... 13
ENTERPRISE RISK MANAGEMENT – Audit Prospective & Role ... 15
ISAFE 2008 ... 18
BUSINESS CONTINUITY MANAGEMENT – A rapidly maturing discipline ... 20
POEMS AND ACRONYMS ON IT GOVERNANCE ... 22
CISA REVIEW CLASSES – 2008 ... 24

ISACA UAE
THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org


WELCOME TO “IN-CONTROL”

Editorial

Welcome to the first issue of “In-Control” Magazine from the ISACA UAE Chapter. Our new publication aims to provide all its members a platform to share and discuss knowledge and experiences. We will focus on discussing and bringing to you strategic and tactical articles on IT Governance, Audit and Security. With this publication, our members will have access to a wealth of information and ideas by drawing on the experience and expertise of the people within the vast UAE Chapter member base. Harnessing this knowledge and leveraging each other’s experience is an intelligent way (especially in these times) to learn new concepts and methodologies and achieve one’s goals. This initiative from the UAE chapter will enhance member-to-member information exchange; members will get an opportunity to learn, share and network with other members.

As soon as we announced to our members to submit articles and experiences for the first issue of “In-Control” magazine, there was a downpour of articles to our editorial mailbox. I would like to take this opportunity to thank all our members who submitted their articles and would urge all members to submit their experiences/expertise in the form of articles for the upcoming issues. With your support and guidance we would be able to make this publication a success.

In this issue of “In-Control”, we have interesting articles such as “Measurement of IT Leverage”, in which the author examines IT expenses and leverage measures, and in another article an author relates “Digital Forensics” to an IT governance attribute.

The “In-Control” editorial board invites you to provide your feedback regarding the Magazine and its contents. We would love to hear from all of you so that we could better serve you and have the relevant contents/sections added in the next issue. Please email me at gurpreet_k@yahoo.com for any feedback.

Regards,
Gurpreet Kochar
Chief Editor

Chief Editor – GURPREET KOCHAR
Associate Editor – HARI PRASAD CHEDE

In-Control magazine is designed to provide UAE chapter members with information related to IT governance, audit & security. The opinions and viewpoints published in this magazine are not necessarily those of the ISACA UAE Chapter or its chapter officers. The editorial board and the chapter officers of the ISACA UAE Chapter do not take any responsibility or liability for any losses or damages incurred as a result of reliance on any information provided in this magazine. The editorial board takes care to ensure that articles are relevant and original but does not take any responsibility for any errors that may appear herein.



CHAPTER BOARD MEMBERS 2009

Board positions: President; Vice President; Secretary; Treasurer; Director – Programs; Director – Membership; Director – Certifications; Director – Academic Relations; Director – Government Relations; Joint Director Certifications – Abu Dhabi; Joint Director Government Relations – Abu Dhabi; Immediate Past President; Vice President (Abu Dhabi); Joint Director – Certifications – Dubai.

PRESIDENT
Nalin Wijetilleke, Manager – Business Continuity, RAK Bank, Dubai, UAE. Tel: +971-50-6598824. Email: president@isacauae.org, nalindw2000@yahoo.com

VICE PRESIDENT
Bharat Raigangar, Head Information Security – India, Pakistan & UAE, ABN Amro Bank, Dubai, UAE. Tel: +971-50-6229854. Email: vicepresident@isacauae.org, raigangarbharat@yahoo.com

SECRETARY
Raghu Rao, RAK Bank, Dubai, UAE. Tel: +971-50-5500864. Email: secretary@isacauae.org, raork123@eim.ae

IMMEDIATE PAST PRESIDENT
Saji P. Oommen, General Manager – Group IT, Al Batha Group, P.O. Box 1145, Sharjah, UAE. Mob: +971-6-5728882. Email: ppresident@isacauae.org, saji@albatha.ae

JOINT DIRECTOR – CERTIFICATIONS – DUBAI
Ashish Mahal, Project Officer, RAK Bank, P.O. Box 1531, Dubai, UAE. Mob: +971-50-7149908. Email: ashishmahal@hotmail.com

Other board members:
Avinash Totade, Senior Manager – Internal Audit, Dubai Aluminium Company (DUBAL), Dubai, UAE. Mob: +971-50-6533852. Email: vpadh@isacauae.org, avinash.totade@gmail.com
Manjunath R, Manager Internal Audit (IT & Process), Dubai Aluminium Company Limited, P.O. Box 3627, Dubai, UAE. Mob: +971-50-9523015. Email: rmnath@gmail.com
Hari Prasad Chede, Senior IT Risk & Security Officer, Union National Bank, Abu Dhabi, UAE. Mob: +971-50-6841501. Email: hchede@gmail.com
Shabbir Barkat Ali, Vice President, ABN Amro Bank, Dubai, UAE. Mob: +971-50-4948351. Email: shabbirbarkatali@hotmail.com
Sayed Ahmed Al-Moosawi, Senior Auditor – IT Audit, Internal Audit, Dubai Bank, Dubai, UAE. Mob: +971-50-4559114. Email: sayedalmoosawi@dubaibank.ae
Murshed Saoud, IT Senior Security Officer, National Bank of Abu Dhabi, Abu Dhabi, UAE. Mob: +971-50-8181547. Email: murshed.saoud@nbad.com
Gurpreet Kochar, Manager – Information Systems Audit, Emirates Airline, Dubai, UAE. Email: gurpreet_k@yahoo.com
Alok Tuteja, Head IT Audit, ADNOC, Abu Dhabi, UAE. Mob: +971-50-3453890. Email: aloktuteja@gmail.com
Wafa N. Abu Sadah, AVP & Principal IT Auditor, Union National Bank, Abu Dhabi, UAE. Mob: +971-50-5721813. Email: wafanasouh@yahoo.com

President’s Message

COMING TOGETHER

The first ever magazine of the ISACA UAE Chapter is another milestone. The UAE chapter has come a long way since its birth in June 1997. Creating opportunities for growth of the chapter and fulfilling the professional aspirations of our members is our primary aim. This magazine will form another communication vehicle, bringing related knowledge, know-how and experiences of eminent practitioners to the attention of the prospective reader. As a leading professional body in the UAE, we also have a responsibility to serve the community in creating awareness of IT Governance, Assurance and Security among the business, public sector and professional community, and to put our collective knowledge to their best use. It is imperative that the demand for professional skills and expertise such as ours will be greater in times such as now. Problems will need to be looked at from different perspectives and new standards of governance will soon emerge. New business models may emerge, and only through the concerted efforts of world leaders could the crisis we are experiencing today be put to an end. The new board of the ISACA UAE Chapter will be committed to doing its best in whatever way possible to encourage the practice of information and IT Governance in both the public and private sector.

As a leading professional body in the UAE, we have been facilitating several high quality events and the response has been very encouraging. I must also touch upon the two-day regional conference I-SAFE 08, which was hosted by the ISACA UAE chapter and concluded on October 30th, 2008. This perhaps was one of the best events of the UAE chapter. The participation was unprecedented and, moreover, the responses we received from the participants as well as from the speakers were overwhelming. A total of 250 delegates from more than 6 countries attended the conference, which took a different flavor this year, deviating from the traditional style. This points out that change is always welcome provided there is visible overall improvement in the quality of the program. Ultimately the participant who attends is the best judge. Such success is memorable, and the team headed by Gurpreet Kochar (Director – Programs), who painstakingly looked into every minor detail, deserves a big applause. There are always many lessons to learn in organizing such projects – some of which are good practices and some where further improvement is possible. Some of the key success factors that come to my mind are: working together and team spirit; starting to plan well ahead, at least six months before; and assigning clear responsibilities to different team members with constant two-way communication with the project leader. Thinking out of the box in a non-conventional way and always aiming for the best is another plus.

The UAE Chapter continues to deliver the best for our key stakeholders, i.e. our membership. We may face challenges in the process and some would take a longer time to resolve. But I can assure you that every board member of the UAE chapter always aims to exceed member expectations. We have lined up many other initiatives as a part of the UAE chapter strategic plan. Meanwhile we need your support, which gives us the motivation and the sense of fulfillment when we see more and more members attend our events. Those who want to support us by volunteering in many of our projects are most welcome, and my colleague, the chapter membership director – Harprasad, will be the person to contact if any member wishes to do so. We are also planning to revamp our services toward those living and working in Abu Dhabi.

As I mentioned at the AGM 2009, the need for a newer governance and regulatory regimen across the globe is imminent. This would be the next big wave of major demand for CISA, CISM & CGEIT qualifiers, the first being when big giants such as Enron went into deep trouble and extinction. New compliance requirements came into force. The certifications issued by ISACA were much in demand. While the global leaders want a speedy recovery, restoration and rebound from the current financial crisis, good practices and assurance in information become essential. As ISACA members it is our obligation to convey this message to the respective top management that the skill-sets our certified members possess would be the answer to strengthen organizational resilience and support future growth.

The UAE chapter also facilitated an Information Governance Forum in May 2008, inviting the top decision makers and C-level executives from all sectors of business and industry in the UAE. This was a very interactive event with some of the best business leaders of the UAE, held at the prestigious ‘Madinat Jumeirah’. This event helped in showcasing the specialized skills and competencies of ISACA professionals. This was a strategic move in fast-tracking awareness creation among the leaders of business. During 2008 we also worked closely with some of our partners, such as ITGAF of the H H Rulers’ Court, Dubai, in bringing mutual value addition to some of the professional development initiatives. We look forward to greater involvement in 2009.

I thank the editorial committee for their efforts to bring out this high quality Triannual Magazine of the ISACA UAE Chapter and wish continued success!

Warm regards,
NALIN WIJETILLEKE MBA, CISA, CGEIT, PMP, CBCP, MBCI
President – ISACA UAE Chapter


FEATURED ARTICLE

MEASUREMENT OF IT LEVERAGE – A NEW APPROACH
By A.V. Rameshkumar (CISM, CISA)

Introduction

Leverage, as per the dictionary, is influence, power, force, control, pull or weight. In general parlance, leverage denotes the ability of someone or something to derive a greater benefit from a changed situation by using his or its existing capability. Let us start our journey on the leverage calculation for IT by considering IT-related income and expenses.

Business benefits of IT

Business benefits arising on account of investment in IT can be direct or indirect. Direct benefits include cost reduction and/or enhanced revenue. Soft (indirect) benefits include enhanced reputation, enhanced staff morale and improved customer retention.

IT Expenses

Expenses on account of the IT facility can be:
- Hardware support
- Application support
- Operating system support
- Cost of IT resources
- Cost of upgrade – hardware, software and operating system
- Annual cost of capital expenses for software, hardware and OS
- Support expenses
- Training cost

Classification of IT investment and Leverage measures

By classifying investment in IT into:
- Transactional investment – IT investment in transactional applications
- Informational investment – IT investment in management and control systems
- Strategic investment – IT investment in strategic business applications

the leverage measures can be classified as:
- Transactional Leverage
- Informational Leverage
- Strategic Leverage
- Total Leverage

The individual components of all the above expenses have to be categorized either as fixed or variable. The revenue and expenses that are identified are again segregated into:
- Transactional fixed expenses
- Transactional variable expenses
- Transactional income
- Informational fixed expenses
- Informational variable expenses
- Informational income
- Strategic fixed expenses
- Strategic variable expenses
- Strategic income

Transactional Leverage

For calculating transactional leverage consider the following:
- Applications for processing basic and repetitive transactions
- Calculate annual maintenance cost as per above
- Classify maintenance cost into fixed and variable components
- Calculate annual savings on account of cost reduction
- Calculate annual indirect benefits of the applications
- Calculate annual cost of control measures
- Classify control measures cost into fixed and variable components

The formula for calculating the above leverage is:

$$\mathrm{DTL} = \frac{A + B - C - D}{A + B - C - D - E - F}$$

where A = saving on account of cost reduction, B = indirect benefits, C = variable cost of maintenance of the system, D = variable cost of control systems, E = fixed cost of maintenance of the system and F = fixed cost of control systems.

To illustrate the calculation of the Degree of Transactional Leverage (DTL), take A = 500,000, B = 200,000, C = 50,000, D = 30,000, E = 60,000 and F = 30,000:

$$\mathrm{DTL} = \frac{700{,}000 - 50{,}000 - 30{,}000}{700{,}000 - 50{,}000 - 30{,}000 - 60{,}000 - 30{,}000} = \frac{620{,}000}{530{,}000} = 1.17$$

Characteristics of DTL coefficient
- There will be a unique DTL for each level of savings and benefits
- DTL is negative below the break-even point
- DTL is undefined at the break-even point
- DTL is positive beyond the break-even point. However, the value of DTL declines as the level of savings and benefits increases; in the limit it reaches the value of 1.

Uses of DTL coefficient

DTL enables us to understand how changes in cost savings and benefits affect DTL, and it measures transactional risk. The larger the DTL, the greater the variability around the calculated value of cost savings and benefits.

Informational leverage

For calculating informational leverage consider the following:
- Applications for managing and controlling the organization
- Calculate annual maintenance cost of the related hardware and software for those applications
- Classify maintenance cost into fixed and variable components
- Calculate annual savings on account of cost reduction
- Calculate annual enhanced revenue on account of the applications
- Calculate annual indirect benefits of the system
- Calculate annual cost of control measures
- Classify control measures cost into fixed and variable components

$$\mathrm{DIL} = \frac{A + B - C - D}{A + B - C - D - E - F}$$

where A = saving on account of cost reduction and enhanced revenue, B = indirect benefits, C = variable cost of maintenance of the system, D = variable cost of the control system, E = fixed cost of maintenance of the system and F = fixed cost of control systems.

To illustrate the calculation of the Degree of Informational Leverage (DIL), take A = 800,000, B = 300,000, C = 70,000, D = 40,000, E = 100,000 and F = 30,000:

$$\mathrm{DIL} = \frac{1{,}100{,}000 - 70{,}000 - 40{,}000}{1{,}100{,}000 - 70{,}000 - 40{,}000 - 100{,}000 - 30{,}000} = \frac{990{,}000}{860{,}000} = 1.15$$

Characteristics of DIL coefficient
- There will be a unique DIL for each level of savings and benefits
- DIL is negative below the break-even point
- DIL is undefined at the break-even point
- DIL is positive beyond the break-even point. However, the value of DIL declines as the level of savings and benefits increases; in the limit it reaches the value of 1.

Uses of DIL coefficient

DIL enables us to understand how changes in cost savings and benefits affect DIL, and it measures informational risk. The larger the DIL, the greater the variability around the forecasted value of cost savings and benefits.

Strategic leverage

For calculating strategic leverage consider the following:
- Applications for strategic direction into new business or new channels of existing business
- Calculate annual maintenance cost of the related hardware and software for those applications
- Classify maintenance cost into fixed and variable components
- Calculate annual benefits from the new channel
- Calculate annual indirect benefits of the system
- Calculate annual cost of control measures
- Classify control measures cost into fixed and variable components

$$\mathrm{DSL} = \frac{A + B - C - D}{A + B - C - D - E - F}$$

where A = benefits from the new channel, B = indirect benefits, C = variable cost of maintenance of the system, D = variable cost of the control system, E = fixed cost of maintenance of the system and F = fixed cost of control systems.

To illustrate the calculation of the Degree of Strategic Leverage (DSL), take A = 300,000, B = 100,000, C = 70,000, D = 40,000, E = 50,000 and F = 40,000:

$$\mathrm{DSL} = \frac{400{,}000 - 70{,}000 - 40{,}000}{400{,}000 - 70{,}000 - 40{,}000 - 50{,}000 - 40{,}000} = \frac{290{,}000}{200{,}000} = 1.45$$

Characteristics of DSL coefficient
- There will be a unique DSL for each level of savings and benefits
- DSL is negative below the break-even point
- DSL is undefined at the break-even point
- DSL is positive beyond the break-even point. However, the value of DSL declines as the level of savings and benefits increases; in the limit it reaches the value of 1.

Uses of DSL coefficient

DSL enables us to understand how changes in cost savings and benefits affect DSL, and it measures strategic risk. The larger the DSL, the greater the variability around the forecasted value of cost savings and benefits.

Total Leverage

The degree of total leverage can be defined as the product of DTL, DIL and DSL. The collection and classification of expenses and income, and the calculation methods and inference for the above leverages, can be done as per the methodology followed earlier.

To illustrate the calculation of the Degree of Total Leverage (also written DTL), with DTL = 1.17, DIL = 1.15 and DSL = 1.45:

$$\mathrm{DTL}_{\text{total}} = 1.17 \times 1.15 \times 1.45 = 1.95$$

Characteristics of DTL coefficient
- There will be a unique DTL for each level of savings and benefits
- DTL is negative below the break-even point
- DTL is undefined at the break-even point
- DTL is positive beyond the break-even point. However, the value of DTL declines as the level of savings and benefits increases; in the limit it reaches the value of 1.

Uses of DTL coefficient

DTL enables us to understand how changes in cost savings and benefits affect DTL, and it measures total risk. The larger the DTL, the greater the variability around the forecasted value of cost savings and benefits.

Another method of classification of IT investment and Leverage measures

By classifying investment in IT into:
- Run the business – IT investments to run the business
- Grow the business – IT investments to reduce cost and increase competitiveness
- Transform the business – IT investments in the new areas of business

the leverage measures can be classified as:
- Operating Leverage
- Expansionary Leverage
- Transformational Leverage
- Total Leverage

Conclusion

IT governance is all about delivering value and managing risk. By calculating leverage measures, management can focus attention on the factors governing those measures. The calculated measures are in tune with financial calculation measures, which can be readily accepted by management. These measures impart a sense of governance culture that provides effective procedures for greater trust, team work and confidence in the use of IT and IT services. They will enable management to find out whether IT transactional, informational and strategic investments have broken even and produce the expected value.
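The formulas and figures above, as an added Python example (not the author's own code or tool): it computes DTL, DIL and DSL from the article's figures, their product as total leverage, and the sign behaviour of the coefficient around the break-even point; the function and variable names are mine, and the letters A to F follow the article.

```python
"""Degree-of-leverage calculator for the DTL, DIL, DSL and total leverage
measures described in the article (added example; not the author's own code)."""
from typing import Dict, List, Optional, Tuple

# The letters follow the article: A = savings (cost reduction, enhanced revenue or
# new-channel benefits, depending on the class), B = indirect benefits,
# C and D = variable maintenance and control cost, E and F = fixed maintenance
# and control cost. All figures are annual amounts in one currency.


def degree_of_leverage(a: float, b: float, c: float, d: float,
                       e: float, f: float) -> Optional[float]:
    """(A + B - C - D) / (A + B - C - D - E - F); None at the break-even point."""
    contribution = a + b - c - d        # benefits net of variable cost
    net_after_fixed = contribution - e - f
    if net_after_fixed == 0:
        return None                     # denominator is zero: leverage undefined
    return contribution / net_after_fixed


def break_even_benefit(c: float, d: float, e: float, f: float) -> float:
    """Level of A + B at which the denominator is zero (all costs just covered)."""
    return c + d + e + f


def interpret(value: Optional[float]) -> str:
    """Sign-based reading of a coefficient, matching the article's characteristics list."""
    if value is None:
        return "undefined: at the break-even point"
    if value < 0:
        return "negative: below the break-even point (fixed costs not covered)"
    return "positive: beyond the break-even point"


# The article's illustrative figures (A, B, C, D, E, F) for each class of investment.
ARTICLE_FIGURES: Dict[str, Tuple[float, ...]] = {
    "transactional": (500_000, 200_000, 50_000, 30_000, 60_000, 30_000),
    "informational": (800_000, 300_000, 70_000, 40_000, 100_000, 30_000),
    "strategic":     (300_000, 100_000, 70_000, 40_000, 50_000, 40_000),
}


def article_measures() -> Dict[str, Optional[float]]:
    """DTL, DIL and DSL from the article's figures, plus their product (total leverage)."""
    m = {name: degree_of_leverage(*figs) for name, figs in ARTICLE_FIGURES.items()}
    m["total"] = m["transactional"] * m["informational"] * m["strategic"]
    return m


def leverage_curve(c: float, d: float, e: float, f: float,
                   benefit_levels: List[float]) -> List[Tuple[float, Optional[float]]]:
    """Coefficient at several A + B levels with the same cost structure: shows the
    sign change around break-even and the decline towards 1 as benefits grow."""
    return [(ab, degree_of_leverage(ab, 0, c, d, e, f)) for ab in benefit_levels]


if __name__ == "__main__":
    for name, value in article_measures().items():
        print(f"{name:14s} {value:.2f}  {interpret(value)}")
    c, d, e, f = ARTICLE_FIGURES["transactional"][2:]
    print("break-even A+B for the transactional cost structure:", break_even_benefit(c, d, e, f))
    for ab, v in leverage_curve(c, d, e, f, [100_000, 170_000, 200_000, 700_000, 10_000_000]):
        shown = "n/a" if v is None else f"{v:.3f}"
        print(f"A+B={ab:>11,}  DTL={shown:>6}  {interpret(v)}")
```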

The editorial committee adjudged this article the best and awarded Mr. Ramesh an entry ticket to the ISACA Leadership Conference held in Japan.

Brief note about the author

A.V. Rameshkumar (CISM, CISA), OCP (Oracle Financials), OCP (Application Developer), AICWA, ACS, CPM is at present the Head of IT for Al Aqili Group, Dubai. He has specialized in finance, corporate laws, ERP implementations, solution architecture and enterprise IT. E-mail: official: avramesh@aqilidistribution.com; personal: rameshkumar25@gmail.com


THE IMPORTANCE OF HOST ACCESS CONTROL FOR ANY ORGANIZATION
By Ganesan Lakshmanan CISM, CISSP

The moment the name Access Control is mentioned, anyone will think of Physical Access Control (entry to doors, key access points to data centres etc., using biometrics and the like). But there is another kind of Access Control, also called Technical or Logical Access Control. In this article I am going to describe what Logical Access Control really means and emphasize the importance of a Host Access Control solution in the overall Information Security Framework of the organization.

What is Host Access Control

To put it simply, Host Access Control on servers means allowing access to authorized users and denying access to unauthorized users. This includes controlling superuser (root, Administrator) access to critical file resources, task delegation, security of sensitive programs, control of access to network (incoming / outgoing) resources, and secure auditing. Host Access Control is therefore often referred to as Server Security.

Why it is very important

Many people think that an organization's security depends on best-of-breed firewalls and intrusion prevention and detection devices, and that if they deploy these properly they achieve complete security. Of course these are very important for any organization, since they provide perimeter-level security, and one must have them to prevent attacks or intrusions against networks, servers, applications etc. But this alone is not enough. Where does the business-critical data reside? Not in the firewalls or the intrusion prevention and detection devices; it resides in the servers. So unless and until you protect these servers from any kind of unauthorized access (both internal and external), you can never be secure.

Consider this scenario. We often hear of website defacement at a specific organization. Do you think these organizations had not deployed firewalls? In fact they deployed best-of-breed firewalls, IDS and IPS devices, and even then the defacement happened. The simple reason is that vulnerabilities are identified every day and public utilities are available to exploit them. Once such a utility is used, the firewall, IDS and IPS will allow the connection and the attacker finally lands in the server with Administrator or root privileges. (I am not explaining these exploits, or how root or Administrator access is gained, in detail here.) With root or Administrator access, the attacker replaces index.html (or whatever page it may be) with the attacker's own page (sometimes for fun, sometimes seriously to convey a specific message). The operating system on its own, with its access control permissions, cannot prevent these changes, simply because it always revolves around the superuser (Administrator or root) concept.

The above scenario is only an example; similarly we can cite several examples of gaining access to server resources, both externally and internally. The purpose of the above paragraph is not to say that when you have an Access Control solution you can avoid these exploits in totality, but that after these devices are exploited and the attacker lands on the business-critical server as Administrator, root or any other power user and tries to replace the file, the Host Access Control solution prevents that change (in this case, replacing the file) from happening. On top of that, the Administrator and/or Auditor will get an alert, even if it is 3 am in the morning.

What features you need to look for in Host Access Control

Host Access Control needs to be looked at as a complete Server Security Solution, not as bits and pieces covering specific areas such as TCP wrappers, Tripwire-like functionality, access control etc. In this regard a true and complete server security solution should comprise the following features at a minimum:

1) Protection of superusers such as Administrator and root, and other users, and control of their access.
2) Control of unauthorized access for both internal and external users (complete Access Control functionality irrespective of operating system permissions).
3) Task delegation, so that Administrator and root users can log in with their own IDs and perform the activities that root or Administrator can do, thus establishing accountability.
4) Maintaining the integrity of critical programs, thus preventing backdoor entries or Trojans from being executed.
5) Controlling access to both incoming and outgoing connections.
6) Intrusion prevention functionality for the server.
7) Simple and robust policy management functionality covering all the major platforms such as Linux / Unix / Windows (LUW).
8) Last but not least, secure auditing capability.
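The defacement scenario and features 2, 3 and 8 above, as an added Python model (not CA's product, nor code from the article): a policy that is evaluated on top of the operating system's own permission check, so that root replacing the web page directly is denied and alerted while the delegated deployment account working through the deployment tool is allowed. The policy, account names, paths and program names are constructed for the example.

```python
"""Toy model of a host access control policy evaluated on top of the operating
system's own permission check, as the article describes (added example; not
CA's product or any real HAC implementation)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Who may do what to which protected resource, and through which program."""
    resource: str                      # glob over the file path
    actions: FrozenSet[str]
    users: FrozenSet[str]
    via: FrozenSet[str] = frozenset()  # task delegation: only through these programs; empty = any


@dataclass(frozen=True)
class AccessRequest:
    user: str          # the OS account the process runs as (root included)
    os_permits: bool   # what the operating system's own permission check says
    resource: str
    action: str
    program: str


@dataclass
class HostAccessControl:
    protected: Tuple[str, ...]   # resource globs governed by policy rather than by the OS
    rules: Tuple[Rule, ...]
    audit: List[Dict] = field(default_factory=list)

    def _policy_allows(self, req: AccessRequest) -> bool:
        return any(
            fnmatch(req.resource, r.resource)
            and req.action in r.actions
            and req.user in r.users
            and (not r.via or req.program in r.via)
            for r in self.rules
        )

    def decide(self, req: AccessRequest) -> str:
        """Return 'allow' or 'deny' and append an audit record for the request."""
        governed = any(fnmatch(req.resource, p) for p in self.protected)
        if governed:
            # Feature 2: the decision ignores OS permissions, so root gets no shortcut.
            allowed = self._policy_allows(req)
        else:
            allowed = req.os_permits     # everything else is left to the operating system
        decision = "allow" if allowed else "deny"
        # Feature 8: a policy denial of something the OS would have permitted is exactly
        # the "landed as root and tried to replace the file" case, so it raises an alert.
        alert = governed and not allowed and req.os_permits
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "program": req.program, "action": req.action,
            "resource": req.resource, "os_permits": req.os_permits,
            "decision": decision, "alert": alert,
        })
        return decision

    def alerts(self) -> List[Dict]:
        return [rec for rec in self.audit if rec["alert"]]


def build_demo_policy() -> HostAccessControl:
    """Constructed policy for a web server: only the deployment account, and only
    through the deployment tool, may write or replace files under the web root."""
    web_root = "/var/www/html/*"
    return HostAccessControl(
        protected=(web_root,),
        rules=(
            Rule(web_root, frozenset({"read"}), frozenset({"root", "www-data", "webdeploy"})),
            Rule(web_root, frozenset({"write", "replace"}), frozenset({"webdeploy"}),
                 via=frozenset({"/usr/local/bin/deploy"})),
        ),
    )


if __name__ == "__main__":
    hac = build_demo_policy()
    # Constructed requests: root editing index.html directly is denied and alerted even
    # though the OS would allow it; the delegated account through the tool is allowed.
    for req in (
        AccessRequest("root", True, "/var/www/html/index.html", "replace", "/usr/bin/vi"),
        AccessRequest("webdeploy", True, "/var/www/html/index.html", "replace", "/usr/local/bin/deploy"),
        AccessRequest("webdeploy", True, "/var/www/html/index.html", "replace", "/usr/bin/vi"),
        AccessRequest("alice", True, "/home/alice/notes.txt", "write", "/usr/bin/vi"),
    ):
        print(f"{req.user:10s} {req.program:22s} {req.action:8s} {req.resource} -> {hac.decide(req)}")
    print("alerts raised:", len(hac.alerts()))
```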

Conclusion

An organization that puts its full effort into building its business(es) will definitely know how critical the data residing in its server(s) is. So it is imperative that this business-critical data is protected from any kind of unauthorized access (both internal and external). Host Access Control, with proper and continuous policy definitions, will make sure that the server(s) are adequately protected, so that Security and other business departments can be confident that establishing server security means complete integration towards meeting their information security needs.

About the Author

Ganesan Lakshmanan CISM, CISSP: Working as Principal Consultant for Security Management with CA in the META Region, Ganesan is responsible for understanding customer / partner requirements and providing suitable security solutions based on CA technology through consulting and solution architecting. Ganesan has more than 15 years of work experience in the IT industry as well as with a research institute. He specializes in IT security, focusing on Identity and Access Management. In the last 10 years he has worked with many major organizations in the Government, Banking and Telecom sectors in the Middle East region. Before joining CA, Ganesan worked for the Department of Space in India, the Saudi American Bank in Riyadh, Platinum Technology and Computer Associates Middle East in various capacities. Ganesan holds CISM and CISSP certifications.

References

WHITEPAPERS: http://whitepapers.windowsnetworking.com/whitepaper2139/
HOST ACCESS MANAGEMENT – BUSINESS IMPERATIVES: https://www.ca.com/us/register/form.aspx?collat_id=85345&cid=167020



CISM, CGEIT BOOTCAMP & CISA EXAM REVIEW CLASSES
Attend the bootcamp & the review classes to excel in the exams and get an edge in your professional career.

For more details, please visit www.isacauae.org


FEATURED ARTICLE

DIGITAL FORENSICS – an IT Governance Attribute
By Dr. K. Rama Subramaniam, Chairman – ISCCRF

Digital Forensics has come of age; at least it is considered in most thought processes where risks to information assets are considered. The traditional understanding of risk management of information assets stopped at creating and implementing a comprehensive and relevant control mechanism.[i] Security professionals stopped short of going a step beyond implementing controls[ii] and asking whether they had a clearly defined role to play when the control mechanism failed or was found not to have performed effectively. Some of the most talked-about control frameworks and their protagonists fitted into the model that the role of information security is to put in place effective control systems and to ensure that they work the way they were designed to work.[iii] This approach was quite correct when the role of information security was focused on the CIA triad. Later, when the security domain encompassed consideration of source authentication of messages and a possible fit into a legal framework, this approach appeared inadequate. Stakeholders started asking if there is something beyond strengthening security settings after an attack had been successfully launched on the enterprise IPF. Corporate managers no longer looked at security violations as just another technology issue but started seeing them as a business issue, or rather a governance issue. A different set of questions was asked: What happens after a security violation? Do we claim to have good governance by simply stating that we have revisited the control systems and improved them after an attack? If the attack on information assets resulted in a loss, have we taken steps to recover the lost assets and/or reset the distorted parameters?[iv] If a loss has occurred, have we found the perpetrator of the act and taken steps to bring him/her to book and seek appropriate punitive or other penalties? How can we treat the loss of corporate information assets any differently from the loss of other classes of corporate assets?

These questions have resulted in a critical process that has come to the attention of those evangelizing the extension of information security cycles to cover issues arising from what is loosely called cyber crime.[v] This involves the creation and management of a digital evidence mechanism as part of a digital forensic process.

In comparison to the growing need to build a digital evidence process, evidence and forensic processes have already been built to cover traditional corporate assets like buildings, vehicles, lab equipment, hard copies of documents, etc. This process has not come about as a result of conscious corporate action, nor was it driven by governance requirements. It has come about through a societal process built over centuries that includes policing and crime response as an inherent human trait to protect owned or custodial assets. All enterprise action to protect tangible or non-information assets reinforces this societal process. When it comes to the protection cycle for information assets, particularly the post-damage part of the cycle, there are no traditional roles and models to provide an in-built mechanism.

A quick look at most enterprise information network architectures will reveal that they were built for functionality, performance, scalability, cost-effectiveness and availability, not necessarily to meet digital forensics requirements. This translates into taking a good re-look at most information networks and adding the digital evidence dimension to existing networks, and also adding it as a parameter while conceptualizing, designing and implementing future networks. No enterprise can claim to have built a good forensic capability unless it can gather an acceptable class of digital evidence. Digital evidence begs an academically rigorous definition. On the one hand, SWGDE defines it as “information of probative value that is stored and transmitted in binary form”,[vi] while another equally popular definition by IOCE says it is “information stored or transmitted in binary format that may be relied upon in court.”[vii] A well-adopted approach to building digital forensic capability is to ensure that the following basic principles of digital evidence management are adhered to. The principles discussed here are based on those developed by IOCE:[viii]

Consistency with all legal systems

Even when the transaction per se does not cross national borders and is carried out by one or more organizational units within the same country, the nature of IP networks is such that data packets may cross multiple countries. Evidence, therefore, will be lodged and available at multiple locations across the world.

Allowance for the use of a common language

A common platform or language is required, especially when issues like time stamp comparisons and digital notarization are to be assessed as part of evidence evaluation.

Durability Evidence that has been gathered has to stand the test of time. If evidence is only available on a volatile storage, there is a strong need to get it transferred to a stable media and at the same time be able to ensure that its integrity is not questioned.

Ability to cross international boundaries

Firstly the technology used to launch an attack on information system is highly distributed as in the case of layers of zombies being

Page 10

ISACA UAE w w w. i s a c a u a e . o r g


VOL. 1 ISSUE 1

used. Secondly, the ability to masquerade identifiers (like IP and MAC addresses) has created virtual cross border presence. Thirdly, attackers are looking to launch their attacks form safe havens. However, with more countries passing legislations modeled on the recommendations of UNCITRALix there will be less availability of such safe havens in the years to come.

Ability to instill confidence in the integrity of evidence

Most countries that have modeled their e-commerce law on UNCITRAL recommendations have also ensured that the digital evidence mechanism is in line with the traditional evidence system of the jurisdiction. One of the most important factors that will govern the acceptability of digital evidence is that it should be proven to have been generated in the “ordinary course of activities”[10] and not to have changed since, until its presentation in a court of law.

Applicability to all forensic evidence

SOPs should be developed and implemented without any part of the forensic cycle having to change based on the “type” of evidence being gathered. Having said that, what has to be established is that there has not been any deviation from, or dilution of, an otherwise rigorous forensic collection and interpretation process.

Applicability at every level, including that of the individual, a specific organizational unit and the organization

The process of managing the digital forensic trail, including proper handling of digital evidence, should be ubiquitous across the organization. Care should be taken to ensure that the process or the SOPs are not different for different entities within the organization. If network monitoring or permitted sniffing happens on a network, it cannot be done selectively; for instance on only one subnet. If such selective evidence gathering has to be implemented, it should be transparent and should have formal approval at a policy level from executive management.

As part of good Information Technology Governance,[11] there is a strong need to build a comprehensive forensic capability in the organization. Good forensic processes in an organization will also contribute favorably in determining whether top management has adequately addressed the requirements of Value Governance, Portfolio Management and Investment Management, as conceptualized in the Val IT Framework.[12] No discussion on IT Governance can be complete without reference to a measurement mechanism and metrics for measuring the degree of IT Governance implementation in the organization. As of now, digital forensics processes do not fit into any formal measurement or assessment mechanism. All that happens today is to ask whether or not the digital evidence gathered as part of the forensic process is acceptable in internal disciplinary processes and external legal proceedings. Metrics to measure digital forensic capability should go well beyond that. Any process of evolving a set of metrics for measuring the relevance and efficacy of digital forensic processes should address the seven basic principles discussed earlier. This is a fertile area for further empirical research.

Endnotes:

1) See for instance the approach to risk management found in ISO/DIS 31000: Risk Management – Principles and Guidelines on Implementation.
2) Some contemporary authors on risk management question even this process. See for instance Matthew Leitch: Intelligent Internal Control and Risk Management – Designing High-Performance Risk Control Systems, Gower, May 2008, where he says “In the last two decades increasing attention has been paid to using perceptions of risk as an input to design of control systems. … but of course risk is not the only consideration. We also care about costs, the time needed to implement controls, and even strategic and cultural fit. Moreover, most risk assessments are unavoidably unreliable.” p. 57
3) TCSEC and ITSEC, two of the most authoritative and well-architected computer security evaluation criteria, do not go beyond seeking to determine if the controls are appropriate and if they continue to work as designed.
4) Not all information security violations will result in an asset loss. There can be violations that have simply reset values of key parameters, resulting in loss of integrity or availability. A newer version of this issue is the possibility that parts of the enterprise network have been used as a zombie; consequential losses could be quite disastrous though they would not count as a loss under the conventional interpretation.
5) A comprehensive taxonomy of Cyber Crimes is still evolving. Many researchers have pointed to this issue and also to the need to evolve a precise definition of cyber crime from multiple perspectives. For instance, see Rama Subramaniam: Cyber Crimes – A Criminological, Victimological and Legal Perspective, Unpublished Doctoral Dissertation, University of Madras, Sep 2006.
6) SWGDE and SWGIT: Digital and Multimedia Evidence Glossary ver 2.0, Jan 2006 - www.swgde.org
7) International Organization on Computer Evidence (IOCE): G8 Principles for the Procedures relating to Digital Evidence – March 2000 - www.ioce.org
8) US Dept of Justice – FBI: Forensic Science Communications Vol. 2, No. 2, April 2000
9) United Nations: UNCITRAL Model Law on Electronic Commerce, New York, 1999
10) As a sample, look at Sec 92 of the Information Technology Act, 2000 of India, which amended the Indian Evidence Act (Act 1 of 1872) to add digital or electronic evidence within the ambit of ‘evidence.’ The amendment, inter alia, added Sec 65(B)(2)(d) to the Indian Evidence Act, which specifically seeks to ask if the evidence adduced “is created in the regular course of events” and presented as such in the court.
11) IT Governance Institute: IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, Illinois, 2007.
12) op. cit. p. 23

Brief Note about the author: Dr. K. Rama Subramaniam, Chairman, ISCCRF. He has been an information security consultant, trainer and educator for over two decades. Dr. K. Rama serves as India’s country representative at the International Federation for Information Processing (IFIP), serving on their Technical Committee TC-11 dealing with information security. He is currently chairman of ISCCRF, a non-profit trust carrying out research in Cyber Crime management.


EMIRATES AIRLINE HONOURS TOP SCORERS IN CISA & CISM EXAMINATION

Mr. Raza Abdulla, Vice President, Internal Audit Emirates Group presenting award to one of the Top Scorer

The Emirates Crystal Awards for excellence in the fields of Information Systems Auditing and Information Systems Security have been awarded to candidates achieving the highest scores from the UAE in the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) examinations.


More than 300 UAE-based candidates from the fields of finance, Information Technology, auditing, Information System consultancy and Information System security took the CISA and CISM examinations. The exams are conducted globally by ISACA (US based) bi-annually, in which a pass score of 75% is required.

This is the tenth consecutive year that Emirates has presented the award to the UAE’s top scorers in the examinations, conducted by ISACA.

The awards were presented by Mr. Raza Abdulla, Vice President Internal Audit, Emirates Airline, at a ceremony during the annual general meeting of the UAE chapter of ISACA held on 28th January 09. The Emirates Crystal Awards were won by Stephen Hanlon, Jerajani Yatri Chandrakant, Romanas Kuruthukulangara Raphael, Joe Bastian and Illyas Kooliyankal. Mr. Abdulla said: “Emirates Group was instrumental in forming the UAE Chapter on 25th June 1997. None of us at that point of time realized that the chapter would grow by leaps and bounds at such a quick pace; it is quite heartening to see that the chapter now has a strong membership of 1000+ and was showered with awards last year for ‘The Regional Best Very Large Chapter Award’ and ‘The Global Best Very Large Chapter Award’. Over the years, CISA and CISM professionals have been recognized globally and have become an integral part of Audit, Security and Quality departments in organizations. They bring along with them a wealth of knowledge and facilitate risk mitigation and the provision of assurance to the management. Therefore I am delighted to present the Emirates Crystal Award for excellence in Information Systems audit and security.” Based in Chicago, ISACA was established in 1969 and now represents over 50,000 members in more than 140 countries. In the area of IT governance, control and assurance, ISACA plays a key role through its CISA, CISM and CGEIT certification programmes and by establishing international standards and a code of professional ethics to guide and govern the profession.


The Internal Audit department of Emirates spearheaded the formation of the UAE chapter as the Association’s 150th chapter in 1997, and continues to support the chapter.


NEWS & EVENTS

Leadership Conference

The Leadership Conference held at the Westin Miyako Hotel in Kyoto, Japan on 21 & 22 Feb 2009 was attended by the UAE Chapter President, Nalin Wijetilleke, and the Vice President, Bharat Raigangar. Concerns such as chapter development strategies and leadership, membership services, certifications etc. were dealt with in detail.

CALL FOR ARTICLES FOR ISACA UAE MAGAZINE.

Submission deadline for the next issue is June 4 2009. Email your articles to Associate Editor at: hchede@gmail.com



Enterprise Risk Management – Audit Prospective & Role By Alok Tuteja

Introduction:

Most of us will agree that many corporations have been brought down by an event. Many governments have bowed out due to an event. The recent recession is a good example, where many businesses such as Lehman Brothers were impacted by an event. Many regulations such as Sarbanes-Oxley (SOX) were promulgated in response to such events. The process of managing these events is popularly known as Risk Management. Risk has been defined differently by various organisations and authors; one definition of risk is the combination of the probability of an event occurring and its consequences (ISO/IEC Guide 73), or in simple terms an event that hinders achievement of organisational objectives. Every organisation, regardless of the size, industry or market in which it operates, is subject to events that could bring opportunity (positive risk) or threat (negative risk). Risk Management is a popularly accepted method to deal with both types of risk, positive and negative.

Role of Auditor in Enterprise wide Risk Management (ERM):

Risk Management is a management function and hence should be performed by executive management on behalf of stakeholders. Various organisations have set up a specialised Risk Management function operating centrally in the organisation, whereas in other organisations risk management is performed at operating level in the different business functions. The latter model has a disadvantage: a central risk database does not exist, similar corporate risks are dealt with in their own way by the various business functions, and risk appetites are set differently. Some organisations delegate the Risk Management function to the Audit function. However, this approach is completely wide of the mark, as it impairs the independence of the Audit function; further, the risk appetite should be set by the organisation’s executive management and not by the Audit function. Having said that the Audit function is not responsible for performing the Risk Management function does not relieve it from participating in the Risk Management model. The auditor has a greater role to play in Risk Management by reviewing the adequacy and effectiveness of the ERM, reviewing internal control systems, and providing consultation on the design and improvement of control systems and risk treatment strategies, in addition to implementing a risk-based audit approach to planning and executing the internal audit process to achieve efficient resource utilisation. The auditor needs to be careful while participating in Risk Management activities in order to maintain independence. The exhibit in annexure 1 describes to what extent an auditor can be involved in Risk Management activity.


There have been many arguments about the auditor’s action depending on the maturity of the risk management function in an organisation. The table below shows the different levels of risk maturity in an organisation and the auditor’s action at each level:

| Risk Maturity | Description | Auditor’s Action |
|---|---|---|
| Risk Naive | No formal approach to risk management. | Promote risk management and rely on audit risk assessment. |
| Risk Aware | Scattered, silo-based approach to risk management. | Promote an enterprise-wide approach to risk management and rely on audit risk assessment. |
| Risk Defined | Strategy and policies in place and communicated; risk appetite defined. | Facilitate risk management / coordinate with risk management and use management’s assessment of risk where appropriate. |
| Risk Managed | Enterprise-wide approach to risk management developed and communicated. | Review risk management processes and use management’s assessment of risk as appropriate. |
| Risk Enabled | Risk management and internal control fully embedded into the operation. | Review risk management processes and use management’s assessment of risk as appropriate. |

Risk Alleviation:

An organisation needs to address the risks it faces. Risk can be addressed in the following ways:

Accept: No controls are implemented and the risk is accepted as it is. This response is used where the cost of implementing the control outweighs the benefit of reducing the risk. The Board should formally accept this risk.

Terminate: Remove the conditions that induce the risk, such as closing out the operations of some business lines which are risky.

Mitigate: Implement internal controls in order to mitigate or reduce the risk to an acceptable level.

Transfer: Pass the risk to a third party, for example by taking insurance or outsourcing. One should be mindful that outsourcing does not automatically, in all circumstances, transfer risk. In addition, insurance does not transfer all of the risk, only some or most of the cost of impact.

Performing Risk Assessment:

Auditors use two types of risk assessment in order to perform their work. The first is called Business Risk Assessment, which is used to gauge and identify the priority of each audit assignment within the complete audit universe. The other type is used to identify risk within a business activity and the controls over it. We will discuss the second type of risk assessment.

1st Step: Identify a uniform risk assessment scoring template; a model template is attached in annexure 2.

2nd Step: Describe the business process in a step-by-step manner, so that the activities and responsibilities are defined in one place.

3rd Step: Identify the risks the business may face assuming that no controls exist (though some controls may exist); this type of risk is called inherent risk.

4th Step: Identify the controls which will treat the risks identified previously.

5th Step: Test the controls identified previously for each risk.

6th Step: Calculate the residual risk and report it to the audit committee/board.

One example: while reviewing Business Continuity, we assume the inherent risk of non-existence of a BCP, so the relative score may come up to 9, whereas if we identify during control identification and testing that a formal BCP exists, which is reviewed and tested in a timely manner, this brings the residual score to between 1 and 3.
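The six steps above, carried through in code as an added example (not from the article): a small risk register scored with the 3x3 likelihood/impact matrix of annexure 2, where a residual re-rating only counts once at least one control has passed testing, and failed controls are listed for reporting to operating management. The cell scores are the annexure's; the red/amber/green bands (7-9, 4-6, 1-3) and the sample risks other than the BCP one are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Annexure 2 matrix as reconstructed: rows are likelihood, columns are impact.
SCORES: Dict[str, Dict[str, int]] = {
    "Certain":  {"Disastrous": 9, "Significant": 8, "Insignificant": 6},
    "Possible": {"Disastrous": 7, "Significant": 5, "Insignificant": 3},
    "Unlikely": {"Disastrous": 4, "Significant": 2, "Insignificant": 1},
}


def score(likelihood: str, impact: str) -> int:
    """Look up the annexure score for a (likelihood, impact) rating."""
    return SCORES[likelihood][impact]


def rag(s: int) -> str:
    """Red/amber/green banding. ASSUMPTION: the article's colour coding did
    not survive extraction, so 7-9 = High, 4-6 = Medium, 1-3 = Low is ours."""
    return "High" if s >= 7 else "Medium" if s >= 4 else "Low"


@dataclass
class Control:
    name: str
    tested_effective: bool          # outcome of step 5 (control testing)


@dataclass
class Risk:
    process_step: str               # step 2: where in the business process
    description: str                # step 3: the inherent risk
    inherent: Tuple[str, str]       # (likelihood, impact) assuming no controls
    controls: List[Control] = field(default_factory=list)   # step 4
    residual: Optional[Tuple[str, str]] = None  # auditor's re-rating after testing


def residual_score(risk: Risk) -> int:
    """Step 6. A residual re-rating only counts if at least one control passed
    testing; otherwise the residual risk equals the inherent risk."""
    effective = any(c.tested_effective for c in risk.controls)
    if risk.residual is None or not effective:
        return score(*risk.inherent)
    return score(*risk.residual)


def control_failures(risk: Risk) -> List[str]:
    """Controls identified in step 4 that failed testing in step 5; the article's
    conclusion says these are reported to operating management."""
    return [c.name for c in risk.controls if not c.tested_effective]


def build_report(risks: List[Risk]) -> List[dict]:
    """Audit-committee view: one row per risk, highest residual score first."""
    rows = []
    for r in risks:
        inh, res = score(*r.inherent), residual_score(r)
        rows.append({
            "process_step": r.process_step,
            "risk": r.description,
            "inherent": inh, "inherent_rag": rag(inh),
            "residual": res, "residual_rag": rag(res),
            "control_failures": control_failures(r),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register. The BCP entry mirrors the article's example
# (inherent 9, residual 1-3); the leaver-access entry is an assumption.
SAMPLE_RISKS = [
    Risk("Business continuity", "No BCP exists when a major outage occurs",
         inherent=("Certain", "Disastrous"),
         controls=[Control("Formal BCP, reviewed and tested annually", True)],
         residual=("Unlikely", "Insignificant")),
    Risk("User access", "Leavers keep network access",
         inherent=("Possible", "Significant"),
         controls=[Control("HR leaver notification to IT", False)],
         residual=("Unlikely", "Significant")),   # ignored: control failed testing
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_RISKS):
        print(row)
```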

Conclusion

The ERM is ultimately the responsibility of Executive Management, though the auditor can play an advisory role to promote risk management and review or make recommendations on the existing risk management function. In addition, the auditor can utilise risk-based audit to use resources efficiently and place more reliance on management’s efforts to put controls in place based on risk priority. Risk-based audit helps the auditor get more support from the Audit Committee and Board, as reporting on residual risk will be more useful for Audit Committees, which need to sign off on the health of internal controls in the current regulatory circumstances. In addition, control failures should be reported to operating management or, in exceptional circumstances, to executive management. This rationalises audit reporting to the relevant parties, hence audit gets more recognition. Further, a follow-up programme will help the auditor to ensure that management monitors residual risk and control failures in a timely manner.


ANNEXURE 2

Risk scoring template (rows: Likelihood, columns: Impact):

| Likelihood \ Impact | Disastrous (3) | Significant (2) | Insignificant (1) |
|---|---|---|---|
| Certain (3) | 9 | 8 | 6 |
| Possible (2) | 7 | 5 | 3 |
| Unlikely (1) | 4 | 2 | 1 |

Red Area: High Risk
Amber Area: Medium Risk
Green Area: Low Risk

Endnotes: The auditor’s role graphic in annexure 1 is taken from the Institute of Internal Auditors UK & Ireland (www.iia.org.uk).

Brief Note about the author: Alok Tuteja is head of the IT audit function in the Audit Department at Abu Dhabi National Oil Company for Distribution and a board member of the ISACA UAE chapter. He is an MBA, a CISA, a CISSP, a CIA, a CFE and a Certified Lead Auditor for BS7799. He has experience in the development and review of a number of DRPs/BCPs and ISMSs. Additionally, he is a key instructor for ISACA’s CISA review course in the UAE and a key facilitator for training programmes in the areas of Risk Based Audit, IS Security, IS Audit and the use of CAATs, ITSM and CobiT. He has extensive hands-on experience and has carried out security reviews, E-business Risk Management reviews including Internet Security Controls Reviews, Internet Penetration Testing, and Website Reviews. Member No 134105, Email aloktuteja@gmail.com


LAST YEAR CHAPTER HIGHLIGHTS

I-SAFE 2008

The acronym I-SAFE stands for:

INFORMATION: Information is a key asset used by organizations in achieving business objectives.
SECURITY: It is imperative in this e-world to maintain the confidentiality, integrity and availability of information.
AUDIT & ASSURANCE: It is critical to provide independent audit and assurance to strategically manage the information risks in the organization.
FORENSICS: Determine the process and new ways of investigating information resources.
EMERGING TECHNOLOGIES: Use new technologies to better manage your information and information resources.

Information is an asset and is essential to an organization’s business. In other words, information propels business. ISACA UAE Chapter put together its second integrated two-day regional conference covering various aspects of managing the most important asset of an organization – “INFORMATION”. Nearly 240 delegates attended the regional conference on the theme ‘Corporate Challenges in Information Governance’ held on 29th & 30th October 2008, at Sheraton Dubai Creek Hotel.

Alexander Kornbrust addressing the audience

Nalin Wijetilleke, President of ISACA UAE Chapter, said: “The theme of this conference is most timely, as the entire world is experiencing a financial crisis, and the manner in which information is handled to ensure greater value delivery, opportunity and success is vital for the continuity of organizations. Information is the life blood of any organization and, if well managed, will provide the strength and ensure resilience, restoration and re-bounce.” The keynote speaker was Bill Foster, Managing Director, Mudara – Institute of Directors, Dubai, UAE. He emphasized the important role of Corporate Governance and how information governance forms a critical part of it. The other key speakers at the conference included Justin Clarke: Principal Consultant, Gotham Digital Science, UK; Dr. K Rama Subramaniam: Chairman, ISCCRF; Alexander Kornbrust: Founder and CEO, Red Database Security GmbH; Larry Lam: Managing Director, McGuire Asia Pte Ltd; Lyndon Bird: Technical Director, Business Continuity Institute; Adil Buhariwalla: Vice President, Internal Audit, Emirates Group; Senthil Kumar: Regional Managing Director for Technology Risk Services, Protiviti Member Firm (Middle East) Ltd; and Mark Hammond: Practice Manager, Advisory Services, Symantec.

Adil Buhariwalla making a point

The conference also included two highly interactive panel discussions namely, ‘How does IT audit add value to the organization’ and ‘Information Security – its responsibilities, measurement & challenges’. Esteemed Panel Experts stressed the need for IT Auditors to keep updated with changing technologies and use specialized tools in a controlled manner to add value to the organization.

Bharat Raigangar giving away a token of appreciation to Adil Buhariwalla Vice President Internal Audit Emirates Group


Experts on the information security panel discussed that everyone’s perspective of Information Security is evolving and enhancing - from its stereotyped image of being a technology focused problem managed by IT into a larger business issue. The panel experts concluded that Information Security extends beyond the IT department and responsibility of managing the same should lie with Corporate Risk and not the IT department.


Hari Prasad Chede giving a prize during a rapid question answer session

Avinash Totade giving a token of appreciation to a speaker

Members Networking

Sayed Ahmed giving a token of appreciation to Senthil Kumar Regional Managing Director for Technology Risk Services, Protiviti Member Firm (Middle East) Ltd


Members having lunch


Business Continuity Management – a rapidly maturing discipline

To many observers of the general business scene, the attention now being given to Business Continuity Management (BCM) might seem surprising. Until comparatively recently, Business Continuity was often confused with Information Security or Risk Management. For the non-BCM specialist, it appeared to have no unique selling point to help distinguish it from other management disciplines. The launch of BS25999 certainly changed that perception. A new standard rarely generates excessive enthusiasm in the business community, often being perceived as worthy rather than exciting, more “red tape” than entrepreneurial. Nevertheless the British Standards Institution’s (BSi) latest foray into the world of Management Systems, BS 25999, seems to be creating much debate and concern amongst real-life managers in a range of industries. Not since the emergence of ISO 9001 has a formal standards-based approach to a management discipline made such an impact. To put it in perspective, when the initial draft of the Code of Practice was released for public consultation there were 5000 downloads from all around the world. Previously the BSi, in its 100-plus-year history, had never had more than a few hundred. There were enormous volumes of comment to absorb and incorporate before it could be released. Much of the feedback was positive, but some of it was violently opposed to any form of standard in this field.

Why we are seeing this level of interest is a good question and one that is not very easy to answer. Perhaps part of the explanation is that the topic can no longer be avoided, with ever-increasing legislation and regulation being forced upon organisations. It is easy to imagine what the press could do to the Directors of a company that had gone out of business leaving employees, pensioners, customers and shareholders stranded and had publicly admitted they had inadequate BCM provisions. Imagine in the future regulated firms having their licence revoked as a result of not having adequate internal controls or weak corporate governance. It is difficult to defend not having BCM in place when you talk about control or governance, but until now it has been relatively vague what you need to do. After BS25999, failure will be much harder to justify, to your auditors, insurers or (after a disaster) to the court of public opinion.

However, there are other reasons that BCM has come to the foreground in recent times. The early years of the 21st Century have proven to be exceptionally challenging for all those involved with disasters, emergencies and security issues of all types. The world has experienced a seemingly endless stream of catastrophic incidents, both from the forces of nature and from man-made design. Hurricanes, earthquakes, and global terrorism have rarely been out of the news. The impression often given was that, despite our technological sophistication, we were effectively powerless to prevent acts of God and only marginally better prepared to deal with those deliberately wishing to wreak havoc on our lives and businesses. However, in reality, many of those global human catastrophes were less damaging to the continuity of business than other, less newsworthy events. Technology dependency creates great opportunity for chaos and mayhem. The growth of online business offers the potential for a better response to certain threats than traditional business, but it creates other problems and difficulties. Public health scares, such as flu pandemics, are obviously best contained by people not going out and infecting each other, so working from home seems to be an obvious solution. However, increasing the number of home workers by providing enhanced technical capability for them to work online is a seductive but often impractical solution. Just look at what happened to the mobile network after the London bombings. Contrary to popular mythology, only 1 of the 4 network providers shut down services at all, and that was due to a miscommunication with police command. Yet demand so outstripped supply that few calls could be connected for most of that day. Infrastructure is built for the business-as-normal workload plus a little contingency. It is not built for a ten-fold increase in demand at short notice. Imagine what would happen if ten times the normal volume of cars all arrived on the M25 at approximately the same time: there would be total gridlock, and the same happens with technology services in disaster situations. I think business has finally begun to realise that it cannot plan for and cope with every single different type of problem it faces. It needs to address the issue of business interruption (for whatever reason) as a single problem which needs a single management approach, hence the emergence of BCM on the Board agenda.

Many people ask what the connection is between all these diverse types of risk: natural disasters, terrorism, fire, accidents, computer failures and health scares. The answer is that although they arise from entirely different sources, the management of the consequences relies on a set of principles that are largely the same regardless of cause. This set of principles is now generally accepted to be defined by the overall subject name Business Continuity Management (BCM). In fact, although it might surprise some newcomers, BCM is far from a new subject. Specialist consultants have worked in this field since the early 1980s and, although the name Business Continuity took some time to be accepted, the Business Continuity Institute (a professional membership organisation for BCM practitioners) has been in existence since 1994. The Business Continuity Institute is the world’s premier institute offering professional accreditation in the discipline of business continuity, with over 4,000 members and a presence in more than 85 countries. In 2002, the Institute issued its first “Good Practice Guidelines”, written in conjunction with many industry experts. This formed the basic framework for the original BSi activities in the BCM field, leading to a publicly available specification for BCM called PAS 56. BS25999 replaced PAS56, but the link between the standard and the BCI Guidelines has been maintained. Apart from the work of the BCI and the BSi, much work is currently being undertaken around the world to get clearer and more standardised acceptance for BCM. This is difficult because what is applicable in one sector or country might not be acceptable in another. In the United States, the National Fire Protection Association (NFPA) has a standard for emergency management and disaster response. It is not, however, a specification standard, and so organisations cannot get the coveted certification. Despite this limitation, I think all standards and guidelines do help, but the primary driver for BCM should always be that it is undertaken because it adds value to an organisation, not just for compliance, governance or regulatory reasons. I think we have to recognise that BCM is no longer an optional activity in major organisations. The increased perceived level of threat, the documented consequences of not planning and the pressure put on management by corporate governance compliance have pushed BCM well up the business agenda. The main purpose of BCM is to ensure that the organisation has a response to major disruptions that threaten its survival. Whilst this must be worthwhile in itself, there are other benefits that can be gained by embracing BCM as a management discipline. Some organisations have statutory and regulatory requirements either specifically for BCM or, more generally, for ‘risk management’ as part of their statutory requirements. An appropriate BCM plan will satisfy many of these specific requirements and contribute to the achievement of corporate social responsibility goals. What this is all really leading to is more control on how organisations operate and how they guarantee continuity of business operations. In particular, we see much stricter regulatory control in the financial sector. In the UK, for example, the FSA (Financial Services Authority) has for some years been moving its regulated firms towards BCM standards, which although not very specific are still required for compliance. In the United States, the Federal Reserve has taken a similar but more powerful approach with some mandatory elements. Other powerful, if not legally enforced, directives have been issued in many areas of the world including Singapore, Korea and Australia. There is clear evidence of a coming together of BCM thinking amongst the various financial regulators, which is likely to be a strong driver for more consistency. The Basel Committee on Banking Supervision, Joint Forum, has issued a document of seven high-level principles for BCM that individual country regulators will look to enforce. The countries represented were: USA, UK, Canada, France, Netherlands, Hong Kong, and Japan, so although not universal it does represent most of the major players in financial markets. Governments have also started to become engaged in the BCM debate. The Sarbanes-Oxley Act (SOX) in the US has created a situation in which Directors and Officers of companies are personally responsible for control failures within their organisations. This Act not only applies to US companies but also to non-US companies operating within US markets, and of course to the foreign subsidiaries of US-domiciled corporations. There is now a Japanese version of SOX and talk of a European SOX. The UK Government has linked its support for Business Continuity to its general strategy to upgrade its Public Protection capability. The Civil Contingencies Act has defined a group of Category 1 Responders (Police, Emergency Services, Local Authorities, Hospitals) and Category 2 Responders (Government Agencies and utility providers). All of these organisations must have full BCM capability in place. From May 2006, the law also put a duty of care on local authorities to promote the concept of BCM to firms in their locality. Perhaps the real benefit of a formal, rigorous approach to BCM is demonstrated by the old adage “If you can’t measure it, you can’t manage it”. Standards do give the ability to measure business continuity capabilities between regions, countries, sectors and companies. They will not guarantee that you always get it right, but they will give you a good route map, a way of monitoring your progress and an understanding of when you have arrived.

About the Author
Widely regarded as one of the founders of Business Continuity in Europe, Lyndon has a First Class Honours Degree in Chemistry and a Masters Degree in Management Sciences from the University of Manchester. He was an elected Board Member of the BCI for 6 years, including nearly 3 years as Chairman. He is a member of the British Standards Institution Technical Committee that developed and oversees BS 25999.


POEMS AND ACRONYMS ON IT GOVERNANCE
By A.V.RAMESHKUMAR CISM, CISA

Align IT to the business needs to become
Ally to the business performance

Bridge the communication gap and provide transparency
Through key performance measures

All pervasive is IT to the business strategy and
All critical is its role in corporate governance

A vital sign as it is, performance measures indicate
Wellbeing and wholeness of IT organization

Scarce, costly and vital the IT resources become
Organize it for proficient usage

Understand the requirements of stakeholders and set the
Meaningful metrics for performance measurements

A new culture to the enterprise, IT governance requires
Structure, methods, rules and regulations

Ongoing and routine is the IT Governance, Implementation is for
Safe going and roadmap is for initial phase

That which sustains and extends enterprise objectives, IT Governance
Is about Leadership, structure and processes

Having major effect in the organization, IT governance requires
Supporting and active involvement of key stakeholders

Whole is greater than the sum of individual parts is
What the chemistry of Alignment is.

Focus, management awareness and corporate scandals make
IT governance contemporary and topical

Competent individuals, team work, harmony and leadership
Are what the four pillars of alignment are

Dwelling deep, it leads to lack of accountability and improper communication as
Pointers for IT Governance initiative

In vain is your search if you are looking for a universally
Applicable IT alignment solution

Do not desert IT as they become complex but make it
Subservient to the business

Identifying quick wins and showing results is the
Convincing way of making IT governance successful

Having set the goals and gained support
Planning and implementation are the next steps for IT governance

Just as effective communication is an enabler
Poor communication is a constraint

Change is the mantra of IT governance and for
Change, promote positive attitude

Improve maturity of IT capability to
Improve efficiency and reduce risks

Optimal investment, proper allocation of resources is
The key to success of IT performance

Measure IT capability AS-IS and TO-BE and
Plan to improve and reduce gaps

Think IT strategy while developing business strategy
As both are Inseparable twins

Not new the principles of IT governance but
New are the methods of implementation

Ad hoc, intuitive, qualitative, quantitative and improved feedback are the characteristics of
initial, repeatable, defined, managed and optimized maturity scale

Flow of activities at different layers, IT governance is
The responsibility of the board

Manage IT risks at board level to avoid IT failure risk

Ever increasing cost and ever unclear the value, the IT
Phenomenon leads to IT black hole

Break the value chain for outsourcing for not
To get broken by the global competition

How aligned is IT to the enterprise goals that requires
Performance measurement tools

Outsource non core activities to a third party whose
Core activity is the outsourced activity

Know thy
Ability, agility, creativity and security of IT systems
Through performance measurement tools

Doing badly and failing to grab opportunity
Are the twin broad highways to risk


PARRY is an acronym for the key areas of IT governance, as it constitutes:
Performance measurement
Alignment
Risk and Resource management
Value deliverY

EUROPE is an acronym for the benefits of IT governance, as it gives:
External compliance
Accountability
ROI
Opportunities
Performance Improvement
Enterprise partnership

EARTH is an acronym for the critical success factors, as it requires:
Enterprise wide approach
Accountability and commitment
Return measurement
Trust for the selected control framework and
In House trust on the IT function

AVERT is an acronym for the key elements supported by PM, as it supports:
Alignment
Value delivery
Enterprise Risk management
IT Resource management

FOCUS is an acronym for the aims of a performance measurement system, as it helps to:
Focus on the customer satisfaction
Operational processes improvement
Cost reduction
Undertaking current and future state and the gap
Set realistic benchmark for comparison

POGO is the acronym for the two aspects of performance measurement (PM) metrics, as it addresses:
Process Oriented – KPIs – key process indicators
Goal Oriented – KGIs – key goal indicators

FIRM ACTION is the acronym for the requirements of PM for being successful, as it denotes:
Flexible and responsive to the changing situation
Interpretation is easier
Resourceful enough for backward and forward integration
Metrics to support benchmarking
Approved by stakeholders
Culturally oriented to the organization
Targets based on IT objectives
Inclusion of both positive and negative measures
Objective and subjective measures
Numbers of metrics limited and focused

MASON is the acronym for board responsibilities, for it denotes:
Managing risks
Allocating resources
Setting strategy
Orienting structure for value delivery and
Setting Numbers for performance measurement

ASCEND is the acronym for the enablers of PM, for it is influenced by:
Approved by the stakeholders
Support by the stakeholders
Critical process focus
Easy measures
Numbers based on balanced scorecard technique
Design automated performance measurement measures

DESCEND is the acronym for the inhibitors of PM, for it is affected by:
Design with too much focus on technical measures
Not straightforward to interpret
Collection of data is expensive
Encourages counterproductive behavior
Delegation without proper accountability

DEMONSTRATE is the acronym for the objectives of IT governance implementation:
Define the meaning of IT governance in your organization
Enumerate the expected ROI of implementation
Monitor and identify organizational cultural constraints and enablers
Obtain broad understanding of benefits of implementation
Name IT governance framework, tools and gain acceptance
Spell out initial gap analysis
Time scale estimation and resource implications
Render project initiation document
Alignment of IT Governance initiative with business strategy
Terms of reference
Enumerate KPI and CSF for the ITG project

PAIR is an acronym for different risks:
Project ownership risk
Access, Availability risks
Integrity, Infrastructure, Investment risks
Relevance risks

SOAP is the acronym for the levels of IT risks:
Strategic level – topmost layer
Operational level – lowest layer
Action or Programme level – higher layer
Project level – lower layer

ATM is the acronym for the management of risks, for it denotes:
Accept the risks – risk existence and monitoring
Transfer the risk by taking insurance
Mitigate the risk by implementing controls

DIFFIDENT is the acronym for a risk management framework, as it denotes:
Define a framework
Identify the risks
Find the probable risk owners
Figure out or evaluate the risks
Identify or set acceptable level of risk
Develop suitable responses to risk
Execute or implement responses
Notice effectiveness of responses
Reevaluate

TOME is the acronym for the success factors for IT governance:
Treat IT governance as a project
Obtain top management buy in
Manage expectations
Enable and motivate cultural change

COP is the acronym for value disciplines, as it constitutes:
Customer Intimacy
Operational Excellence
Product innovation

ABIDE is the acronym for the management of IT risks by the Board:
Ascertaining about the transparency of risks, risk taking and risk avoidance
Being aware that final responsibility rests with the management
Insisting that risk management is embedded with the operations
Delegate to the executive management but not the responsibility
Ensure that the system of internal control is in place to manage risks

Brief Note about the author
A.V.RAMESHKUMAR CISM, CISA, OCP (ORACLE FINANCIALS), OCP (APPLICATION DEVELOPER), AICWA, ACS, CPM is at present the Head of IT for Al Aqili Group, Dubai. He has specialized in finance, corporate laws, ERP implementations, solution architecture and enterprise IT.


CISA REVIEW CLASSES – 2008
By R.K.Rao, CISA Coordinator, Dubai

The ISACA UAE Chapter conducts Review Classes twice a year for CISA aspirants. Enrollment is restricted to a maximum of 35 students, and the fees charged merely cover the rent for the venue and the cost of reading materials. These Classes are conducted with the objective of assisting the aspirants in concentrating on key topics, clarifying their concepts and providing a platform for interaction among the attendees. During the 6 weeks, every attempt is made by the Faculty to draw out strengths that have remained dormant for a long time among the students. On the other hand, the students are constantly encouraged to draw out the best from the Faculty, who are practising CISAs. Concerted efforts are made to ensure that the aforesaid objectives are met in terms of the syllabus covered, practice questions, practical tips for cracking the examination, etc.

Feedback is sought after each session as part of our endeavour to incorporate changes beneficial to the students into the subsequent sessions. For instance, while Mohammad Saleh, from Dubai Islamic Bank, has strongly urged the Chapter to increase the number of sessions as well as get more experienced Teachers as Faculty, Srinivasa Desikan, from Noor Islamic Bank, has earnestly requested more practice questions. Both, like most of the students, were however satisfied with the overall conduct of the Classes.

A considerable amount of planning goes into conducting the Classes. Finalizing the Venue and Time-Table are just two of the many challenges faced, not to mention the competing factors of time and syllabus! However, combined with the Students’ commitment to put in hours of hard work, what makes the Review Classes a memorable experience is the Faculty’s passion and their desire to serve the local community by sacrificing their personal time for a cause that does not yield them any material returns!

Get Certified (CISA,CISM,CGEIT)

Elevate your Professional Stature. Earn an ISACA Certification. Get Certified.

ASSURANCE

SECURITY

GOVERNANCE


Two Day Hands on Oracle Database Security Workshop

Date: 6th & 7th May 2009

Venue: Etisalat Academy, Dubai

In today’s digital world, database security has become a growing concern. Databases are the most valuable servers in an organization, as they store critical information such as client details, financial information and human resource details: all the data that keeps an organization in business, and all of which needs to be protected. Databases are the target of regular attacks by attackers who exploit control weaknesses or vulnerabilities in databases. In this dynamically changing scenario it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate assets.

ISACA UAE CHAPTER BRINGS TO YOU A 2 DAY HANDS ON ORACLE DATABASE SECURITY WORKSHOP.

SPEAKER: Alexander Kornbrust

Alexander is responsible for Oracle security audits and Oracle anti-hacker training and has given various presentations at security conferences like Black Hat, Defcon, Blue Hat, IT Underground and Syscan. He has worked with Oracle products as an Oracle DBA and Oracle developer since [year not recoverable from the scan] and with IBM Global Services as a consultant. During the last six years he has reported over [number not recoverable from the scan] security bugs in different Oracle products.

2 DAY ORACLE SECURITY WORKSHOP

Oracle Basis for auditors ([hours not recoverable from the scan])

Oracle hardening: settings and tools ([hours not recoverable from the scan])

Oracle pentesting: SQL Injection and more ([hours not recoverable from the scan])

Oracle forensics, or how to find the bad boys ([hours not recoverable from the scan])

Day 1:
Registration: 8:30 am – 9:00 am
Oracle Basics: 9:00 am – 1:00 pm
License concept
Differences to MySQL, SQL Server
Difference SQL, PL/SQL
Oracle Tools
Security Tools for Oracle
SQL vs PL/SQL
Common Architecture (RAC, HA)
Lunch: 1:00 pm – 2:00 pm
Oracle hardening: 2:00 pm – 6:00 pm
Patching Oracle
Hardening Listener
Passwords
Auditing
Revoking Privileges
Hardening the architecture
3rd party software

Day 2:
Oracle pentesting: 9:00 am – 1:00 pm
User Enumeration
SID Enumeration
Password Enumeration
SQL Injection in webapps
SQL Injection in PL/SQL code
Privileges and what you could do with them
Lunch: 1:00 pm – 2:00 pm
Oracle forensics: 2:00 pm – 6:00 pm
Overview
How to start
Attackers and their traces
Tools
Analyze memory
Analyze audit logs
Analyze data blocks
Anti-Forensics

EARN 16 CPE CREDITS

WORKSHOP FEE
ISACA Members: AED 1000/-
Non-ISACA Members: AED 1600/-

PREREQUISITES
The delegates are expected to have the below:
Understanding of Database Technologies
Understanding of Oracle database Servers
Understanding of SQL

VENUE MAP: http://ea.ae/content/location.htm

For more details & registration visit www.isacauae.org

Easy steps to Register
1. Visit www.isacauae.org and download the form.
2. Print the registration form.
3. Attach a cheque. The cheque should be payable to “DNATA-ISACA” and sent to Manjunath R, Dubai Aluminium Company Limited, Internal Audit Department, P. O. Box 3627 Dubai, UAE. Mob: 0509523015. Email: rmnath@gmail.com


ORACLE DATABASE SECURITY WORKSHOP 6TH & 7TH MAY 2009

REGISTRATION FORM

It is important that this form is submitted before 30th April 2009.

PERSONAL DETAILS: (Please complete one form per attendee. For multiple bookings copy this form.)
Name:
Position:
Company name and address:
Country:
Telephone (with area code):
Fax:
Email:

REGISTRATION: (Please tick whether member or non-member)
Membership Number:
ISACA, IIA, ACFE Member: AED 1000
Non-ISACA Member: AED 1600

PAYMENT INFORMATION
All payments to be made in favour of DNATA-ISACA. Payments can be made by cheque or demand draft and should be couriered to Manjunath R, Dubai Aluminium Company Limited, Internal Audit Department, P. O. Box 3627 Dubai, UAE, Ph: 0509523015, email: rmnath@gmail.com
All payments should be made in favour of DNATA-ISACA.
Registration forms and proof of payment are to be scanned and emailed to rmnath@gmail.com or manjunath_r@dubal.ae.
Please note that full payment must be received by the 1st May 2009.

CONTACT: Manjunath R for matters related to registration & payment, Ph: 0509523015, email rmnath@gmail.com or manjunath_r@dubal.ae


Place your Ad highlighting your services/products in this magazine to reach a focused IT governance, Security & Audit community. Contact hchede@gmail.com for more details.

