CISM Certification Overview


The Certified Information Security Manager® (CISM®) certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise’s information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. Individuals earning the CISM certification become part of an elite peer network, attaining a one-of-a-kind credential. The CISM job practice also defines a global job description for the information security manager and a method to measure existing staff or compare prospective new hires.

Worldwide Recognition

Although certification may not be mandatory for you at this time, a growing number of organizations are requiring or recommending that employees become certified. To help ensure success in the global marketplace, it is vital to select a certification program based on universally accepted information security management practices. CISM delivers such a program.

May 27th, 2009

GTAG 2 - Change and Patch Management Controls

1.1 Why the CAE Must Be Involved in Controlling Change and Patch Management
You may be wondering why you should read a guide on the subject of information technology (IT) change and patch management. After all, isn’t this something you can completely delegate to your technical IT audit staff? And isn’t there sufficiently thorough guidance on this topic that goes back to managing the mainframe environment? The short answer to both of these questions is “no.”
While the primary role of chief audit executives (CAEs) does not include being experts on technology, significant risks exist around virtually all business uses of technology. It is important to understand that you do not need to be an expert to help people manage technology and its associated risks.
The goal of this guide is to help CAEs, their executive peers, and staff enhance their knowledge associated with technology management, and help them counsel management on governing these processes effectively.
For the intended audience of this guide, issues related to IT change control rarely have been as important as they are now. CAEs are being held accountable by audit committees and are expected to comply with regulations such as the U.S. Sarbanes-Oxley Act of 2002 Section 404. Having the knowledge to effectively challenge IT management is not only useful, but essential.
After reading this guide, you will:
• Have a working knowledge of IT change management processes.
• Be able to quickly distinguish great change management processes from ineffective ones.
• Be able to quickly recognize red flags and indicators that IT environments are having control issues related to change management.
• Understand that effective change management hinges on implementing preventive, detective, and corrective controls that enforce segregation of duties and ensure adequate management supervision.
• Be in a position to recommend the best known practices for addressing these issues, both for assurance on risks (including controls attestations) and for increasing effectiveness and efficiency.
• Be able to sell your recommendations more effectively to your chief information officer (CIO), chief executive officer (CEO), and/or chief financial officer (CFO).
Because every “IT risk” creates some degree of business risk, it is important that CAEs thoroughly understand change management issues.
Change and patch management is defined here as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include:
• Application code revisions.
• System upgrades (applications, operating systems, databases).
• Infrastructure changes (servers, cabling, routers, firewalls, etc.).
Collectively, we refer to these as “IT changes.” All organizations have to deal with IT changes effectively, because virtually every business decision requires one or more changes to assets. When changes fail or are poorly controlled, the impact on the business can range from minor inconvenience to events that hinder the achievement of business objectives, including the ability to comply with the growing body of regulation.
1.2 Poor Change Management Can Be Identified Quickly
This guide was developed to help CAEs ask the right questions of the IT organization to assess its change management capability. To help you quickly assess the overall level of process risk and determine whether a more detailed process review may be necessary, this guide also provides expected answers to these questions.
Top Five Risk Indicators of Poor Change Management:
• Unauthorized changes (above zero is unacceptable).
• Unplanned outages.
• Low change success rate.
• High number of emergency changes.
• Delayed project implementations.
This guide includes field-tested metrics to help you assess the health of the change management process quantitatively, as well as suggested management metrics to guide your organization to achieve and sustain higher levels of control and performance. In this way, internal auditors can assist management by identifying the sources of risk to the organization and assessing the effectiveness of risk management, governance, and control processes.
Easily recognizable symptoms and indicators of control failures due to poorly controlled IT changes include:
• Unavailability of critical services and functions, even for short periods of time.
• Unplanned system or network downtime, halting execution of critical business processes such as coordinating schedules with suppliers and responding to customer orders.
• Downtime on critical application, database, or Web servers, preventing users from performing their critical tasks.
• Negative publicity and unwanted board attention.
At an organizational level, indicators that IT organizations may have systemic change management control issues include:
• Majority of the IT organization’s time is spent on operations and maintenance (>70 percent) instead of helping the business in deploying new capability.
• Failure to complete projects and planned work (due to high amounts of firefighting and unplanned work).
• IT management is being awakened in the middle of the night regarding problems.
• High IT staff turnover.
• Adversarial relationships between IT support staff, developers, and business customers (internal or external), usually over poor service quality or late delivery of functionality.
• High amounts of time required for IT management to prepare for IT audits and to remediate the resulting findings.
Many organizations are just one change away from being a poor performer.

1.3 Understanding How IT Change Is Managed Effectively
Change management is sometimes difficult for organizations to master because so many stakeholders are involved (e.g., business managers, application system developers, IT operations staff, auditors). However, this is not a reason for organizations to be complacent about inadequate controls or low performance.
Stable and managed production environments require that implementation of changes be predictable and repeatable, following a controlled process that is defined, monitored, and enforced. The necessary IT controls to achieve this are analogous to the controls used in financial processes to reduce the risk of fraud and errors: segregation of duty controls (which are preventive in nature) and supervisory controls (which are preventive and detective in nature).

CAEs will be very familiar with these controls: Only the minimal staff required to implement IT production changes should have access to the production environment (preventive). Authorization processes should involve stakeholders to assess and mitigate risks associated with proposed changes (preventive). Supervisory processes should encourage IT management and staff to undertake their duties responsibly (preventive), and be able to detect errant performance (detective).
Donna Scott, vice president and research director, Gartner, notes that “80 percent of unplanned [IT] downtime is caused by people and process issues, including change management practices.” These issues arise in the absence of automated preventive, detective, and corrective controls that enable good risk-based decisions around change and effective monitoring and enforcement of the change management process.
High-performing IT organizations also have reached this conclusion, which is supported by extensive work performed by the Software Engineering Institute (SEI) and the IT Process Institute (ITPI).
What do all high-performing IT organizations have in common? They have a culture of change management that prevents and deters unauthorized change. They also “trust but verify” by using independent detective controls to reconcile production changes with authorized changes, and by ruling out change first in the repair cycle during outages. Finally, they also have the lowest mean time to repair (MTTR).
Auditors will appreciate that in these high-performing IT organizations, change management is not viewed as bureaucratic, but is instead the only safety net preventing them from becoming a low-performer. In other words, IT management owns the controls to achieve its own business objectives, efficiently and effectively.
Achieving a change success rate over 70 percent is possible only with preventive and detective controls.
Internal auditors, together with management, want to ensure change management-related risks have been identified and are being measured and managed properly. The key point to remember is that change management requires focusing on process with a managerial and human focus, and is supported with technical and automated controls.

1.3.1 Regulatory Considerations
Effective change management processes can assist the organization in maintaining ongoing compliance with new and expanding regulations. Particular care must be exercised when implementing changes to technology that supports the financial reporting process. Such changes can impact organizational compliance with Sarbanes-Oxley, the European Union privacy directives, and State of California Senate Bill (SB) 1386 requirements. Uncontrolled changes in production can lead to errors that, if pervasive or critical, could be considered significant deficiencies. Where key financial controls are impacted or the organization has failed to correct significant IT general control deficiencies identified in the prior year (such as in change management), management may face the possibility of having to deal with material weaknesses.
When Failure Is Not an Option
By managing changes, you manage much of the potential risk that changes can introduce.
1.4 The Top Five Steps to Reduce IT Change Risks
In this guide, we have framed the observed best known practices of change management processes that reduce business risk and increase IT efficiency and effectiveness. In summary, five prescriptive steps that can be taken immediately by most organizations to improve their change management processes are:
• Create tone at the top motivating the need for a culture of change management across the enterprise, supported by a declaration from IT management that the only acceptable number of unauthorized changes is zero. Preventive and detective controls can then be put in place to help achieve and sustain this objective, ensuring that all production changes can be reconciled with authorized work orders.
• Continually monitor the number of unplanned outages, which is an excellent indicator of unauthorized change and failures in change control.
• Reduce the number of risky changes by specifying well-defined and enforced change freeze and maintenance windows. This maximizes stability and productivity during production hours. Unplanned outages serve as effective indicators that this change process is being circumvented.
• Use change success rate as a key IT management performance indicator. Where changes are unmanaged, unmonitored, and uncontrolled, change success rates are typically less than 70 percent. Each failed change creates potential downtime, unplanned and emergency work, variance from plans, and business risk. Increasing the change success rate requires effective preventive, detective, and corrective controls.
• Use unplanned work as an indicator of effectiveness of IT management processes and controls. High performing IT organizations spend less than 5 percent of their time on unplanned work, while average organizations often spend 45 percent to 55 percent of their time on unplanned (and urgent) activities.
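As an added illustration (not from the GTAG itself), the detective control described in section 1.3 and in the first step above, reconciling changes observed in production with authorized work orders and their maintenance windows, together with the change success rate and emergency-change indicators, can be expressed in a small Python routine; the tickets, hosts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class AuthorizedChange:
    """A change approved through the change process (an authorized work order)."""
    ticket: str
    host: str
    window_start: datetime   # approved maintenance window
    window_end: datetime
    succeeded: bool          # outcome recorded after implementation
    emergency: bool = False  # raised outside the normal approval cycle


@dataclass
class ObservedChange:
    """A change actually detected in production (e.g. by file-integrity monitoring)."""
    host: str
    detected_at: datetime
    description: str
    ticket: Optional[str]    # ticket reference attached to the change, if any


def reconcile(observed: List[ObservedChange],
              authorized: List[AuthorizedChange]) -> List[Tuple[ObservedChange, str]]:
    """Return each observed change that has no matching work order on the same host
    inside its maintenance window, with the reason it counts as unauthorized."""
    by_ticket = {a.ticket: a for a in authorized}
    unauthorized = []
    for obs in observed:
        auth = by_ticket.get(obs.ticket) if obs.ticket else None
        if auth is None:
            unauthorized.append((obs, "no authorized work order"))
        elif auth.host != obs.host:
            unauthorized.append((obs, f"ticket {obs.ticket} approved for {auth.host}, not {obs.host}"))
        elif not (auth.window_start <= obs.detected_at <= auth.window_end):
            unauthorized.append((obs, f"outside maintenance window of {obs.ticket}"))
    return unauthorized


def change_metrics(authorized: List[AuthorizedChange]) -> dict:
    """Change success rate and emergency-change count, two of the guide's indicators."""
    total = len(authorized)
    succeeded = sum(1 for a in authorized if a.succeeded)
    emergency = sum(1 for a in authorized if a.emergency)
    return {"total": total,
            "success_rate": succeeded / total if total else 0.0,
            "emergency_changes": emergency}


def sample_report() -> dict:
    """Run the reconciliation over constructed sample records and return the figures."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    authorized = [
        AuthorizedChange("CHG-100", "web01", ts("2009-05-26 22:00"), ts("2009-05-27 02:00"), True),
        AuthorizedChange("CHG-101", "db01", ts("2009-05-26 22:00"), ts("2009-05-27 02:00"), False),
        AuthorizedChange("CHG-102", "fw01", ts("2009-05-27 22:00"), ts("2009-05-27 23:00"), True, emergency=True),
        AuthorizedChange("CHG-103", "web02", ts("2009-05-26 22:00"), ts("2009-05-27 02:00"), True),
    ]
    observed = [
        ObservedChange("web01", ts("2009-05-26 23:10"), "httpd package upgrade", "CHG-100"),
        ObservedChange("db01", ts("2009-05-26 23:40"), "schema migration", "CHG-101"),
        ObservedChange("web01", ts("2009-05-27 10:15"), "httpd.conf edited", None),           # no ticket at all
        ObservedChange("fw01", ts("2009-05-27 22:30"), "rule set reload", "CHG-102"),
        ObservedChange("web02", ts("2009-05-27 09:00"), "httpd package upgrade", "CHG-103"),  # after the window
        ObservedChange("db02", ts("2009-05-26 23:00"), "schema migration", "CHG-100"),        # ticket is for web01
    ]
    unauthorized = reconcile(observed, authorized)
    report = change_metrics(authorized)
    report["unauthorized_changes"] = len(unauthorized)
    report["unauthorized_reasons"] = [reason for _, reason in unauthorized]
    return report
```

On the sample data the report shows three unauthorized changes (the guide's acceptable number is zero) and a 75 percent success rate with one emergency change.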

1.5 The Internal Auditor’s Role
The audit committee wants to ensure that management has identified and assessed risks that could impede achievement of business objectives. Robust processes must be in place to mitigate, manage, accept, or transfer the risks effectively. Internal auditors serve as the eyes and ears of management and the audit committee, seeking out areas that require strengthening. To this end, the importance of an effective change management process cannot be overstated, and internal auditors should consider conducting reviews of it on a regular basis.

For more details and to join, visit www.theiia.org

May 27th, 2009

GTAG 1 - Information Technology Controls

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.
The objectives of the IT Controls guide are to:
• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.
IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.

You don’t need to know everything about IT controls, but remember two key control concepts:
• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor’s assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.
Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:
• Compliance with applicable regulations and legislation.
• Consistency with the organization’s goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management’s governance policies and are consistent with the organization’s risk appetite.

2.3 Importance of IT Controls
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency because it helps the organization uncover the risk and manage its impact.
Resiliency is a result of a strong system of internal controls because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.
Key indicators of effective IT controls include:
• The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

2.4 IT Roles and Responsibilities
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

2.7 IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.
Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.

For more details and to join, visit www.theiia.org

May 27th, 2009

CISA Certification Overview


The mark of excellence for a professional certification program is the value and recognition it bestows on the individual who achieves it. Since 1978, the Certified Information Systems Auditor (CISA) program, sponsored by ISACA®, has been the globally accepted standard of achievement among information systems (IS) audit, control and security professionals.

The technical skills and practices that CISA promotes and evaluates are the building blocks of success in the field. Possessing the CISA designation demonstrates proficiency and is the basis for measurement in the profession. With a growing demand for professionals possessing IS audit, control and security skills, CISA has become a preferred certification program by individuals and organizations around the world. CISA certification signifies commitment to serving an organization and the IS audit, control and security industry with distinction. In addition, it presents a number of professional and personal benefits.


Worldwide Recognition

Although certification may not be mandatory for you at this time, a growing number of organizations are recommending that employees become certified. To help ensure success in the global marketplace, it is vital to select a certification program based on universally accepted technical practices. CISA delivers such a program. CISA is recognized worldwide, by all industries, as the preferred designation for IS audit, control and security professionals. More than 60,000 professionals have earned the CISA since inception, so clearly many people agree: earning the CISA is a good career move.

May 27th, 2009